From SANS660: “Fuzzing is not an attack; it is a fault-testing technique.” Types are:
- Instrumented fuzzing: the system is monitored (“instrumented”) while it runs, so the fuzzer learns what normal inputs look like and can see how the target reacts to malformed ones. No prior knowledge of the system is needed.
- Intelligent mutation: a protocol grammar describes the message formats and thus the paths through the code; inputs are mutated field by field according to that grammar instead of being flipped at random.
Tools
Sulley
A framework for describing a protocol; from that description it generates mutated messages and sends them to the target, checking how the target reacts. (You build your own fuzzer on top of it.)
Installation:
- git clone https://github.com/OpenRCE/sulley && cd sulley && python setup.py install (Sulley is Python 2 only.)
- Don’t install it with pip: you will most likely get an unrelated project of the same name!
Boofuzz
Boofuzz is a fork of the no-longer maintained Sulley project and the one to use today; it installs with pip install boofuzz.
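To make the “intelligent mutation” type and the Sulley/Boofuzz model concrete, here is an added, self-contained miniature of that model: a request is an ordered list of blocks, static blocks never change, string blocks are swapped for entries of a mutation library one at a time, and size blocks are recomputed on every render so mutated requests still parse (and can themselves be mutated so the length field lies). This is example code written for this page, not Sulley’s or Boofuzz’s own code or API; the LOGIN message format, the block names and the mutation list are constructed for the demo.

```python
"""Miniature grammar-based ("intelligent mutation") protocol fuzzer.

Added example in the spirit of Sulley/boofuzz; not the frameworks' code.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# A small slice of the mutation library a real framework ships (constructed).
STRING_MUTATIONS: List[bytes] = [
    b"",                                   # empty field
    b"A" * 255, b"A" * 1024, b"A" * 5000,  # long strings around common buffer sizes
    b"%s%s%s%s%n", b"%x" * 32,             # format-string probes
    b"../../../../etc/passwd",             # path traversal
    b"\x00\x00",                           # embedded terminators
]


@dataclass
class Static:
    value: bytes                 # never fuzzed (like s_static)


@dataclass
class String:
    name: str
    default: bytes               # fuzzed with STRING_MUTATIONS (like s_string)


@dataclass
class Size:
    """Length of the String block called `target`, packed with `fmt` (like s_size)."""
    name: str
    target: str
    fmt: str = ">B"


Block = Union[Static, String, Size]


def _width_max(fmt: str) -> int:
    return (1 << (8 * struct.calcsize(fmt))) - 1


def render(request: List[Block], overrides: Dict[str, Union[bytes, int]]) -> bytes:
    """Serialize the request, applying per-block overrides by block name."""
    # Pass 1: resolve every String so Size blocks can measure them.
    strings = {b.name: overrides.get(b.name, b.default)
               for b in request if isinstance(b, String)}
    out = bytearray()
    for b in request:
        if isinstance(b, Static):
            out += b.value
        elif isinstance(b, String):
            out += strings[b.name]
        elif isinstance(b, Size):
            if b.name in overrides:
                length = overrides[b.name]          # a deliberately lying length
            else:                                    # saturate instead of crashing the fuzzer
                length = min(len(strings[b.target]), _width_max(b.fmt))
            out += struct.pack(b.fmt, length)
    return bytes(out)


def fuzz_cases(request: List[Block]) -> List[Tuple[str, bytes]]:
    """Baseline first, then every mutation of every fuzzable block, one block at a time."""
    cases = [("baseline", render(request, {}))]
    for b in request:
        if isinstance(b, String):
            for i, m in enumerate(STRING_MUTATIONS):
                cases.append((f"{b.name}#{i}", render(request, {b.name: m})))
        elif isinstance(b, Size):
            for i, v in enumerate([0, 1, _width_max(b.fmt)]):
                cases.append((f"{b.name}#{i}", render(request, {b.name: v})))
    return cases


def build_request() -> List[Block]:
    """Constructed toy binary LOGIN message: opcode, len+user, len+pass, NUL."""
    return [
        Static(b"\x01"),
        Size("user_len", target="user"),
        String("user", b"admin"),
        Size("pass_len", target="pass"),
        String("pass", b"secret"),
        Static(b"\x00"),
    ]


if __name__ == "__main__":
    for label, payload in fuzz_cases(build_request()):
        print(f"{label:12} {len(payload):5d} bytes  {payload[:24]!r}")
```

The baseline renders as `\x01\x05admin\x06secret\x00`; every following case differs from it in exactly one block, which is what lets you attribute a crash to a field. Note the two different failure modes the size field exercises: the string cases keep the length honest (saturated at the field width), the size cases keep the string honest and lie in the length.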
Notes
- Have Wireshark running while you fuzz: something may be visible in the data stream, and its protocol dissectors help in guessing which protocol is spoken.
Application fuzzing
- Start the application without parameters.
- Start the application with various non-existent parameters and watch how it fails.
- Try ltrace (library calls).
- Try strace (system calls).
- Try ldd (linked shared libraries).
- Use strings to look for something unique (version strings, paths, error messages).
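The first two steps of the application-fuzzing checklist above, as an added example written for this page (not from the original notes): a small harness that runs a target once with no arguments and once per bogus argument vector, records exit status and stderr, and flags runs that died from a signal (subprocess reports those as a negative return code, e.g. -11 for SIGSEGV). It also carries a pure-Python stand-in for strings(1) so that check works where binutils is missing. The argument list is constructed for the demo; the default target `/bin/sh` is only a placeholder.

```python
"""Argument-probing harness for the application-fuzzing checklist.

Added example, not from the original page.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Bogus / boundary argument vectors (constructed for the example).
BOGUS_ARGS: List[List[str]] = [
    [],                         # no parameters at all
    ["--no-such-option"],
    ["-" + "x" * 300],          # very long option name
    ["-" * 1000],
    ["%s%s%s%s%n"],             # format-string probe via argv
    ["A" * 10000],
]


@dataclass
class Probe:
    args: List[str]
    returncode: Optional[int]   # None when the run timed out
    stderr: str                 # first 200 chars of stderr
    signal: Optional[int]       # set when the process died from a signal

    @property
    def crashed(self) -> bool:
        return self.signal is not None


def probe_args(binary: str, arg_vectors: List[List[str]] = BOGUS_ARGS,
               timeout: float = 5.0) -> List[Probe]:
    """Run `binary` once per argument vector and classify each outcome."""
    results: List[Probe] = []
    for argv in arg_vectors:
        try:
            p = subprocess.run([binary, *argv], stdin=subprocess.DEVNULL,
                               capture_output=True, timeout=timeout)
            rc = p.returncode
            sig = -rc if rc < 0 else None        # POSIX: signal death is -signum
            results.append(Probe(argv, rc, p.stderr.decode(errors="replace")[:200], sig))
        except subprocess.TimeoutExpired as e:   # a hang is a finding too
            err = (e.stderr or b"").decode(errors="replace")[:200]
            results.append(Probe(argv, None, err, None))
    return results


def strings(path: str, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least `min_len` chars, like strings(1)."""
    with open(path, "rb") as f:
        data = f.read()
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/bin/sh"   # placeholder target
    for pr in probe_args(target):
        if pr.crashed:
            tag = f"SIGNAL {pr.signal}"
        elif pr.returncode is None:
            tag = "TIMEOUT"
        else:
            tag = f"rc={pr.returncode}"
        print(f"{tag:10} {pr.args[:1]!r:40} {pr.stderr.strip()[:60]!r}")
    for s in strings(target)[:10]:
        print("   ", s)
```

Run it as `python3 probe.py ./target`; a `SIGNAL 11` or `TIMEOUT` line is where you then attach gdb, ltrace or strace and look at exactly that argument.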
Parameter fuzzing
- Guess GET parameter names: wfuzz -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.10.11.135/image.php?FUZZ=bla
- Same, but hide empty responses (0 chars): wfuzz -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hh 0 http://10.10.11.135/image.php?FUZZ=bla
- Fuzz parameter name and value at once with two wordlists (FUZZ and FUZ2Z): wfuzz -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 0 http://10.10.11.135/image.php?FUZZ=FUZ2Z
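The parameter-name fuzzing with a “hide empty responses” filter that the wfuzz lines above do, as an added example written for this page (it is not wfuzz and not the original notes). To stay runnable offline it embeds a constructed target: a local HTTP handler standing in for image.php that only returns content when the one real parameter name is present. The parameter name `file`, the mini wordlist and the response body are assumptions for the demo.

```python
"""Parameter-name fuzzing with a wfuzz-style --hh (hide by response length) filter.

Added example, not wfuzz and not code from the original page.
"""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, List
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen

SECRET_PARAM = "file"   # assumption: the target's only real parameter


class _Target(BaseHTTPRequestHandler):
    """Constructed stand-in for image.php: empty body unless ?file= is set."""

    def do_GET(self):
        q = parse_qs(urlparse(self.path).query)
        body = b"<img src=...>" if SECRET_PARAM in q else b""
        self.send_response(200)                     # same status either way,
        self.send_header("Content-Length", str(len(body)))   # only the length differs
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                   # keep the demo quiet
        pass


def start_target() -> ThreadingHTTPServer:
    """Serve the constructed target on a random loopback port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fuzz_params(url_template: str, wordlist: List[str], hide_chars: int = 0) -> Dict[str, int]:
    """Replace FUZZ with each word; return {word: response length}, dropping
    responses whose length equals `hide_chars` (what wfuzz --hh does)."""
    hits: Dict[str, int] = {}
    for word in wordlist:
        with urlopen(url_template.replace("FUZZ", word), timeout=5) as r:
            n = len(r.read())
        if n != hide_chars:
            hits[word] = n
    return hits


def demo() -> Dict[str, int]:
    """Run the fuzzer against the local target; returns the surviving hits."""
    srv = start_target()
    try:
        base = f"http://127.0.0.1:{srv.server_port}/image.php?FUZZ=bla"
        wordlist = ["id", "page", "file", "cmd", "url", "name"]   # constructed mini wordlist
        return fuzz_params(base, wordlist, hide_chars=0)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, length in demo().items():
        print(f"{name:10} {length} chars")
```

Filtering on status code alone would miss this target entirely, since it answers 200 to everything; hiding by response length (or word/line count) is what surfaces the parameter. Against a real target, calibrate first with a word that certainly does not exist and hide that response's length instead of assuming 0.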