Fuzzing is sending invalid, unexpected or random data to the inputs of a program and watching what happens. An example: let's say there is a question "Have you got milk?", which expects the answer "Yes" or "No". What happens when you try "Maybe", "-1" or "34c96c@23" instead? If the program mishandles the input it may crash, leading to security issues such as (un)exploitable buffer overflows, Denial of Service (DoS), etc.
"A fuzzer is a program which injects automatically semi-random data into a program/stack and detects bugs." ~ OWASP
Download video: http://download.g0tmi1k.com/videos_archive/sickfuzz_v02.mp4
- Set up a web server
- Check status
- Fuzz it
- Watch for response
- Check status
- Analyse captured packets
- sickfuzz - Download here
- Python - Download here (Comes with BackTrack 4 R2)
- SPIKE - Download here (Comes with BackTrack 4 R2)
- tshark - Download here (Comes with Wireshark, which can be found in BackTrack 4 R2)
Web servers - Below are the ones used in the demonstration
- Name: Savant Web Server
- Homepage: http://savant.sourceforge.net/
- Download: http://www.exploit-db.com/application/10434/
- Sickfuzz Script: 1
- Name: PMSoftware Simple Web Server
- Homepage: http://www.pmx.it/software/sws.asp
- Download: http://www.pmx.it/software/sws.asp
- Sickfuzz Script: 5
- Name: MiniShare
- Homepage: http://minishare.sourceforge.net/
- Download: http://ftp.heanet.ie/disk1/sourceforge/m/project/mi/minishare/OldFiles/minishare-1.4.1.exe
- Sickfuzz Script: 1
The user first downloads, installs and configures a web server of their choosing, after which they scan the network for the server and check for the open port (the default is usually 80).
After downloading the latest and greatest version of sickfuzz (don't forget to add it to your svn collection, which simplifies updating it) the user extracts it, runs it for the first time and sees the help screen.
After the user types in all the necessary command line options, and before any fuzzing happens, sickfuzz checks whether the port is open. If it is, sickfuzz automatically starts capturing packets (using tshark, the command line version of Wireshark) so that the user can later analyse how the web server responded.
Sickfuzz uses SPIKE to send a collection of inputs known to cause problems for web servers; it currently supports a mixture of techniques for fuzzing the URL and header fields of the following requests:
- GET /
- GET /abc=
- HEAD /
- POST /
- GET / (HTTP/1.1)
- HEAD / (HTTP/1.1)
- POST / (HTTP/1.1)
During the fuzzing, sickfuzz checks whether the service has crashed. (Sometimes this isn't detectable until the program has closed: with PMSoftware's SWS, for example, the web server didn't stop responding until the user clicked "Okay" on the crash message.) If the server has crashed, sickfuzz will stop and exit.
After it has tried all the fields, depending on how sickfuzz was invoked, it will either stop (-scripts x) or move on to the next script (--scripts all).
When sickfuzz has ended, the user can analyse the captured packets themselves to see what caused the crash.
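The "check status" step above, as an added example that is not sickfuzz's own code: a liveness probe that separates a refused port from a server that still accepts TCP connections but never answers (the state SWS sat in until its crash dialog was dismissed) and from a healthy one. The local fake servers, and the modelling of the SWS behaviour as a silent accept, are constructed assumptions for the demonstration.

```python
import socket
import threading

# A TCP port can keep accepting connections after the server has effectively
# died (the SWS crash-dialog case), so the probe also sends a request and waits.
PORT_CLOSED = "closed"        # connect() refused: the process is gone
OPEN_NO_RESPONSE = "hung"     # TCP accepts, but no HTTP reply within the timeout
RESPONDING = "responding"     # a status line came back

def check_status(host, port, timeout=2.0):
    """Classify the web server on host:port as closed, hung or responding."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = s.recv(512)
    except socket.timeout:   # checked first: it is a subclass of OSError
        return OPEN_NO_RESPONSE
    except OSError:          # ECONNREFUSED, ECONNRESET, unreachable host
        return PORT_CLOSED
    # An empty read means the peer closed without answering: not healthy either.
    return RESPONDING if data.startswith(b"HTTP/") else OPEN_NO_RESPONSE

def start_fake_server(respond):
    """Constructed test double: accepts one connection and either answers like a
    healthy server or sits silently, like a crashed-but-still-listening one."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(512)
            if respond:
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
            else:
                conn.recv(512)  # never answers; blocks until the client gives up
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    # Pick a local port that nothing is listening on (constructed test input).
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo(timeout=1.0):
    """Probe all three states against local test doubles."""
    ports = [start_fake_server(True), start_fake_server(False), closed_port()]
    return tuple(check_status("127.0.0.1", p, timeout) for p in ports)
```

Against a real target the same function is called in a loop between fuzz cases; a result other than "responding" is the point at which the capture should be stopped and examined.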
Song: Clutch - 10001110101
Video length: 5:00
Capture length: 31:19