{"id":998,"date":"2020-03-23T18:29:50","date_gmt":"2020-03-23T17:29:50","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=998"},"modified":"2023-12-20T20:44:30","modified_gmt":"2023-12-20T19:44:30","slug":"fuzzing","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=998","title":{"rendered":"Fuzzing"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">From <span class=\"caps\">SANS660<\/span>: \u201cFuzzing is not an attack; it is a fault-test\u00ading tech\u00adnique.\u201d Types&nbsp;are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Instru\u00adment\u00aded Fuzzing: \u201cMon\u00adi\u00adtor\u00ading\u201d a sys\u00adtem to learn how nor\u00admal inputs look like. No pre-knowl\u00adedge of the sys\u00adtem needed.<\/li><li>Intel\u00adli\u00adgent uta\u00adtion: A pro\u00adto\u00adcol gram\u00admar which defines paths through all the code. Inputs are mutat\u00aded accord\u00ading to the grammar.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/tools.kali.org\/vulnerability-analysis\/sfuzz\">https:\/\/tools.kali.org\/vulnerability-analysis\/sfuzz<\/a><\/li><li>See <a href=\"https:\/\/en.kali.tools\/all\/?category=fuzzer\">https:\/\/en.kali.tools\/all\/?category=fuzzer<\/a><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Sulley<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A Frame\u00adwork to describe a pro\u00adto\u00adcol which then can cre\u00adate pro\u00adto\u00adcol muta\u00adtions and tests a sys\u00adtem against it. (You can cre\u00adate a fuzzer with&nbsp;it.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Instal\u00adla\u00adtion:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>git clone https:\/\/github.com\/OpenRCE\/sulley <span class=\"amp\">&amp;<\/span><span class=\"amp\">&amp;<\/span> cd sul\u00adley <span class=\"amp\">&amp;<\/span><span class=\"amp\">&amp;<\/span> python setup.py install<\/li><li>Don\u2019t use pip or you will prob\u00ada\u00adbly install anoth\u00ader project with the same&nbsp;name!<\/li><li><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Boofuzz<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/jtpereyda\/boofuzz\">Boo\u00adfuzz<\/a> is a fork from the not-longer main\u00adtained Sul\u00adley project.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Have Wire\u00adshark enabled. Maybe some\u00adthing can be seen in the data stream. Also, Wire\u00adshark has pro\u00adto\u00adcol dis\u00adsec\u00adtor to guess protocols.<\/li><li>Appli\u00adca\u00adtion fuzzing<ul><li>Start the appli\u00adca\u00adtion with\u00adout parameters.<\/li><li>Start the appli\u00adca\u00adtion with var\u00adi\u00adous non-exist\u00ading parameters.<\/li><li>Try ltrace<\/li><li>Try strace<\/li><li>Try ldd<\/li><li>Use strings to see some\u00adthing unique<\/li><\/ul><\/li><li>Para\u00adme\u00adter fuzzing:<ul><li>wfuzz \u2011w \/usr\/share\/seclists\/Discovery\/Web-Content\/burp-parameter-names.txt <a href=\"http:\/\/10.10.11.135\/image.php?FUZZ=bla\">http:\/\/10.10.11.135\/image.php?<span class=\"caps\">FUZZ<\/span>=bla<\/a><ul><li>Same, but don\u2019t show emp\u00adty respons\u00ades: wfuzz \u2011w \/usr\/share\/seclists\/Discovery\/Web-Content\/burp-parameter-names.txt \u2013hh 0 <a href=\"http:\/\/10.10.11.135\/image.php?FUZZ=bla\">http:\/\/10.10.11.135\/image.php?<span class=\"caps\">FUZZ<\/span>=bla<\/a><\/li><\/ul><\/li><li>wfuzz \u2011w \/usr\/share\/seclists\/Discovery\/Web-Content\/burp-parameter-names.txt \u2011w \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt \u2013hh 0 <a href=\"http:\/\/10.10.11.135\/image.php?FUZZ=FUZ2Z\">http:\/\/10.10.11.135\/image.php?<span class=\"caps\">FUZZ<\/span>=<span class=\"caps\">FUZ2Z<\/span><\/a><\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">See also<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=3270\" data-type=\"post\" data-id=\"3270\">Ana\u00adlyze code cov\u00ader\u00adage to improve fuzzing<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>From <span class=\"caps\">SANS660<\/span>: \u201cFuzzing is not an attack; it is a fault-test\u00ading tech\u00adnique.\u201d Types&nbsp;are: Instru\u00adment\u00aded Fuzzing: \u201cMon\u00adi\u00adtor\u00ading\u201d a sys\u00adtem to learn how nor\u00admal inputs look like. No pre-knowl\u00ad\u00adedge of the sys\u00adtem need\u00aded. Intel\u00adli\u00adgent uta\u00adtion: A pro\u00adto\u00adcol gram\u00admar which defines paths through all the code. Inputs are mutat\u00aded accord\u00ading to the gram\u00admar. Tools https:\/\/tools.kali.org\/vulnerability-analysis\/sfuzz See https:\/\/en.kali.tools\/all\/?category=fuzzer Sulley&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[231,232],"class_list":["post-998","post","type-post","status-publish","format-standard","hentry","category-general","tag-fuzzing","tag-sfuzz"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=998"}],"version-history":[{"count":14,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/998\/revisions"}],"predecessor-version":[{"id":3511,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/998\/revisions\/3511"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}