Funded by National Science Foundation (NSF)
Funded by Cyber Florida
Instructor: Dr. Cliff Zou, 407-823-5015, czou@cs.ucf.edu
Microsoft originally provided a Windows XP VM image for download, but stopped offering it on its website after the company ended support for WinXP. If you still need a WinXP VM to conduct testing, you can obtain one via the WinXP mode of a Windows 7 VM. We provide lecture slides on how to do this under VirtualBox (ppt). Here is an example online tutorial webpage (link).
However, a WinXP VM derived this way is not suitable for OS penetration testing, because its pre-installed security updates cannot be removed.
Set up Vulnerable Windows XP Virtual Machine
In our own PenTesting teaching, we always use the WinXP VM image file we downloaded many years ago, when Microsoft still provided it. Instructors have to find a way to obtain such a WinXP image file by themselves. Assume that you have already obtained the original WinXP VM image. Here is the way to create vulnerable WinXP:
After all security patches have been removed, you can create the vulnerable WinXP VM image for others and students to use. On VirtualBox, click menu 'File' --> 'Export appliance' to generate a single .ova image file. Since the WinXP VM is valid for 30 days, the created vulnerable WinXP VM is also good for PenTesting use for 30 days.
If you want to conduct this WinXP PenTesting in the future, please use the original WinXP .ova file and repeat the security patch removal process in order to create a fresh vulnerable WinXP for the next 30-day usage.
We wanted to use the PowerShell script we developed to automate this patch removal process. Unfortunately, Windows XP does not support PowerShell. Another automated method, presented in our ASEE'2019 published paper (PDF), is complicated to execute and thus does not save much time compared with the manual patch removal method above.
In the Windows 7 VM image provided by Microsoft, the OS has around 120 security patches pre-installed. Thus manual patch removal is not scalable and too time consuming. Fortunately, Windows 7 supports PowerShell script execution, and we have produced a PowerShell script that can automatically remove some or all security patches. The script can be downloaded here. The detailed PowerShell code is shown in the following figure:
Figure 1: PowerShell script to remove partial or all security patches in Windows 7 Virtual Machine
In Microsoft Windows, every system patch is named 'KB' followed by a unique identification number, which increases sequentially according to the patch release time.
The following is the procedure to use our PowerShell script to remove all security patches:
Note: We tested on both the IE8 Win7 VM and the IE11 Win7 VM provided by Microsoft, and the patch removal script works on both systems. In both systems, the first run of the script leaves 8 security updates remaining. If you run the script a second time, only one OS security update is left in both systems, KB2884256, which cannot even be uninstalled manually.
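The script in Figure 1 is not reproduced on this page; as an added example of the same approach (not the course's own script), the following PowerShell lists the installed security updates by KB number on the Windows 7 VM and, only when run with the -Remove switch, uninstalls each one through wusa.exe, skipping any KB listed in -Keep. It assumes an elevated PowerShell prompt on the Win7 VM and PowerShell 2.0 or later; the -Keep default is the KB2884256 mentioned in the note above, which the course found cannot be removed.

```powershell
# Added example, not the course's script. Audits (and optionally removes) security
# updates on a Windows 7 lab VM. Assumes an elevated prompt, PowerShell 2.0+.
param(
    [switch]$Remove,                  # without this switch the script only reports
    [string[]]$Keep = @('KB2884256')  # KBs known from the course notes to resist removal
)

# Get-HotFix reports Description as 'Security Update', 'Update' or 'Hotfix';
# only the security updates are of interest for the vulnerable lab image.
# KB numbers increase with release time, so sorting numerically gives release order.
$patches = @(Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' } |
    Sort-Object { [int]($_.HotFixID -replace '^KB', '') })

Write-Host ("Installed security updates: {0}" -f $patches.Count)

foreach ($p in $patches) {
    if ($Keep -contains $p.HotFixID) {
        Write-Host ("  {0}  skipped (listed in -Keep)" -f $p.HotFixID)
        continue
    }
    Write-Host ("  {0}  installed on {1}" -f $p.HotFixID, $p.InstalledOn)

    if ($Remove) {
        $kb = $p.HotFixID -replace '^KB', ''
        # /quiet suppresses the dialog, /norestart lets the loop continue;
        # reboot once after the script finishes, then run it again in audit mode
        # to see which updates (if any) remain, as the note above describes.
        Start-Process -FilePath 'wusa.exe' `
            -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait
    }
}
```

Running the script a second time without -Remove after the reboot shows exactly which updates survived, which is the check the note above describes for the IE8 and IE11 Win7 images.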
In the Windows 8 virtual machine provided by Microsoft, the patch removal script can be executed simply by right-clicking the script file and selecting 'Run with Powershell'. There is no need to change the Powershell execution policy.
The current Win8 VM has 12 security updates. After script execution, two 'Hotfix for Microsoft Windows' patches are left, and you can manually uninstall these two hotfixes to make the Windows 8 VM vulnerable.
In the Windows 10 virtual machine provided by Microsoft, the patch removal script can likewise be executed simply by right-clicking the script file and selecting 'Run with Powershell'. There is no need to change the Powershell execution policy.
Disabling automatic updates in Windows 10 is not straightforward. You can achieve this by following the instructions here.
However, two security updates (KB4470788, KB4509095) in the Windows 10 VM cannot be removed either by our script or manually.