Online Digital Forensics Courses and Labs

Funded by National Science Foundation (NSF)
Funded by Florida Center for Cybersecurity (Cyber Florida) Capacity Building Program

Automatic Security Update Removal to Create Vulnerable Windows Virtual Machine


 

Instructor: Dr. Cliff Zou, 407-823-5015, czou@cs.ucf.edu

Goals of this tutorial:

  • Learn how to set up vulnerable Windows OS virtual machine quickly using the provided script
  • Help instructor or students to quickly set up penetration testing target and environment

Software Needed:

  • VirtualBox (if you do not have VirtualBox installed please see Lab Setup).
  • Free Microsoft Windows virtual machine images provided by Microsoft (download here).
  • The Powershell script developed by my undergraduate student, Arati Banerjee (download here).

Set up Vulnerable Windows XP Virtual Machine:

Windows XP Mode Provided by Microsoft Windows 7 Virtual Machine Image

Microsoft originally provided Windows XP VM image download, but stopped providing it on its website after the company stopped service on WinXP. If you still need WinXP VM to conduct testing, you can obtain it via the WinXP mode in Windows 7 VM. We provided a lecture slides on how to do it under VirtualBox (ppt). Here is an example online tutorial webpage (link). 

However, the WinXP VM derived through this way is not suitable for OS penetration testing, because all those pre-installed security updates are not removable.

Set up Vunlerable Windows XP Virtual Machine

In our own PenTesting teaching, we always use the WinXP VM image file we downloaded many years ago when Microsoft still provided it. Instuctors have to find a way to obtain such WinXP image file by themselves. Assume that you have already obtained the original WinXP VM image. Here is the way to create vulnerable WinXP:

After all security patches being removed, you can create the vulnerable WinXP VM image for others and students to use. On VirtualBox, click menu 'File' --> 'Export appliance' to generate a single .ova image file. Since the WinXP VM is valid for 30 days, the created vulnerable WinXP VM would be good to use for PenTesting for 30 days as well.

If you want to conduct this WinXP PenTesting in the future, please use the original WinXP .ova file and repeat the security patch removal process in order to create a fresh vulnerable WinXP for the next 30-day usage.

We wanted to use the PowerShell script developed by us to automatic this patch removal process. Unfortunately, Windows XP does not support PowerShell. Another automatic way we presented in our ASEE'2019 published paper (PDF) is complicated to execute thus does not save much time compared with the above manual patch removal method.


Automatic Security Patch Removal to Create Vulnerable Windows 7 Virtual Machine:

In the Windows 7 VM image provided by Microsoft, the OS has pre-installed around 120 security patches. Thus manual patch removal is not scalable and too time consuming. Fortunately, Windows 7 supports PowerShell script execution, and we have produced a PowerShelll script that can automatically removal partial or all security patches. The script can be downloaded here. The detailed PowerShell code is shown in the following figure:

 

Figure 1: PowerShell script to remove partial or all security patches in Windows 7 Virtual Machine

In Microsoft Windows, all system patches are named starting with 'KB' followed by a unique identification number, which sequentially increases according to the patch release time.

Automatic Removal of All Security Patches:

The following is the procedure to use our PowerShell script to remove all security patches:

 
Figure 2: Run PowerShell as adminstrator in Windows 7


Figure 3: Run the patch removal script in Windows 7 Powershell

Note: We tested on both the IE8 Win7 VM and IE11 Win7 VM provided by Microsoft, and the patch removal script works on both systems. In both systems, the first run of the script will leave 8 security updates remained. If you run the script for the second run, there will be only one OS security update left in both systems, KB2884256, which cannot even be manually uninstalled.

Automatic Removal Security Updates According to Patch Timeline:

In the real world, a Windows computer may have more complicated security status, not being in either the full-patched mode or the completely unpatched mode. Therefore, to better traing students dealing with real world scenarios, we need to create a partially patched and partially vulnerable Windows system.

Since Microsoft names its security updates with a sequentially increasing number following patch release timeline, our patch removal script can automatically removing security patches up to a specific key point along the timeline. This is feasible because we can obtain the accurate patch timeline information from Microsoft Security Bulletin. For example, the following figure shows four well-documented security updates of Windows XP that patches critical security vulnerabilities, and thus we can create four different VMs with different sets of vulnerabilities by applying patch removal reversely over security patches whose KB number is larger than each of those four illustrated patch numbers. 


Figure 4: A timeline of Windows XP security updates

Security Patch Removal for Windows 8 Virtual Machine:

In Windows 8 virtual machine provided by Microsoft, the patch removal script can be simply executed by right-click the script file and select 'Run with Powershell'. There is no need to change Powershell execution policy.

The current Win8 VM has 12 security updates. After script execution, there are two 'Hotfix for Microsoft Windows' patches left, and you can manually uninstall these two hotfix to make the Windows 8 VM vulnerable.

The following figure shows how to read the 5 register values from Slave 2. Note that the 'data_address' 0 means the address 1 on ModbusPal GUI panel.

Security Patch Removal for Windows 10 Virtual Machine:

In Windows 10 virtual machine provided by Microsoft, the patch removal script can be simply executed by right-click the script file and select 'Run with Powershell'. There is no need to change Powershell execution policy.

Disabling automatic update in Windows 10 is not straightforward. You can achieve this by following the instruction here.

However, there are two security updates (KB4470788, KB4509095) in Windows 10 VM that cannot be removed by either our script or manually.