Show me your kung fuzz


Slides from my talk about fuzzing for No Con Name 2011,


  1. Show me your Kung Fuzz
     No Con Name 2011
     @virtualminds_es / irodriguez at virtualminds.es

  2. Who is this guy?
     Iñaki Rodríguez
     CISSP, CEH
     Security Manager at Ackstorm S.L.

  3. About fuzzing
     Attempting to cause a program or network to fail by feeding it randomly (or not so randomly) generated data.
     Generate a lot of crap to crash an application.

  4. Targets
     Understand the most basic concepts of fuzzing
     Complexity vs knowledge
     Not your business
     Real vulnerabilities
     Common issues

  5. Why we fuzz
     We don't trust our software
     We don't trust our providers' software
     $$$ or €€€
     Corporate image

  6. SDL (Security Development Lifecycle)

  7. THE lab (I)
     Virtual servers
     Lots of memory
     Fast hard disk (SSD)
     Snapshots help to revert

  8. THE lab (II)
     Physical servers
     Old hardware
     More is better
     You lose snapshots
     But you have Deep Freeze and filesystem snapshots

  9. Software
     Unpackers (UPX, ASPack, *LordPE, *ImportREC, PEiD ...)
     (Un)compressors (7-Zip)
     Sysinternals suite
     API Monitor
     Interpreted languages (Perl and Python)
     Debuggers (gdb, radare, Immunity Debugger, OllyDbg, ...)
     Disassemblers / decompilers (IDA Free, IDA Pro $$$ and the other)

 10. Some FUZZERS

 11. Process

 12. Choosing the application

 13. Inventory
     CMDB
     Nmap (-sV)
     OCS Inventory
     Repositories

 14. Automating inventory
     Database
     CPE normalization
     Stats (use, vulnerabilities, ...)
     Information from outside (security lists, OSVDB, NVD, ...)
     Scripting is your friend

 15. Classification criteria
     Qualitative
       Vulnerability impact
       Complexity
       Widely used
       Personal preferences
     Quantitative
       Number of installations
       Number of known vulnerabilities
       Asset value
       Visibility (local, remote)
       Number of threats (none, few, many)

 16. Modeling

 17. Fuzzing models
     Mutation (dumb fuzzing)
     Generation (smart fuzzing)

 18. Mutation model

 19. Generation model

 20. Generation model
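
The mutation model of slides 17 and 18, as an added example that is not part of the original deck: a dumb fuzzer takes one valid seed file, stacks random mutations on it (bit flips, boundary integers, duplicated and deleted chunks) and records every input that makes the target throw. The TLV format and its parser are constructed here to serve as the target; with a real binary the try/except would be a debugger or crash handler watching the process.

```python
import random
import struct

# Boundary values that commonly expose integer and length-handling bugs.
INTERESTING = {
    1: [0x00, 0x01, 0x7F, 0x80, 0xFF],
    2: [0x0000, 0x0001, 0x7FFF, 0x8000, 0xFFFF],
    4: [0x00000000, 0x00000001, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF],
}


def bit_flip(data, rng):
    """Flip one random bit."""
    if data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    return data


def interesting_int(data, rng):
    """Overwrite 1, 2 or 4 bytes with a boundary value (little endian)."""
    widths = [w for w in (1, 2, 4) if w <= len(data)]
    if widths:
        width = rng.choice(widths)
        i = rng.randrange(len(data) - width + 1)
        data[i:i + width] = rng.choice(INTERESTING[width]).to_bytes(width, "little")
    return data


def chunk_dup(data, rng):
    """Duplicate a random slice in place: grows the input and stresses length/offset checks."""
    if data:
        a = rng.randrange(len(data))
        b = rng.randrange(a, len(data)) + 1
        data[b:b] = data[a:b]
    return data


def chunk_delete(data, rng):
    """Delete a random slice: truncation bugs."""
    if len(data) > 1:
        a = rng.randrange(len(data))
        b = rng.randrange(a, len(data)) + 1
        del data[a:b]
    return data


MUTATORS = [bit_flip, interesting_int, chunk_dup, chunk_delete]


def mutate(seed, rng, max_stack=4):
    """Apply a random stack of 1..max_stack mutators to a copy of the seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, max_stack)):
        data = rng.choice(MUTATORS)(data, rng)
    return bytes(data)


def run_case(target, case):
    """Return the name of the exception the target raised on this case, or None."""
    try:
        target(case)
        return None
    except Exception as exc:  # with a native target a debugger/crash handler plays this role
        return type(exc).__name__


def fuzz(seed, target, iterations, rng_seed=0):
    """Dumb fuzzing loop: mutate, run, keep every (iteration, exception, input) that failed."""
    rng = random.Random(rng_seed)
    findings = []
    for i in range(iterations):
        case = mutate(seed, rng)
        kind = run_case(target, case)
        if kind is not None:
            findings.append((i, kind, case))
    return findings


def parse_tlv(data):
    """Constructed target: strict parser for a toy format, magic 'TLV1' followed by
    (type:u8, length:u16 LE, value) records until end of file."""
    if data[:4] != b"TLV1":
        return []  # wrong magic: rejected before any real parsing, the case was wasted
    records, off = [], 4
    while off < len(data):
        typ, length = struct.unpack_from("<BH", data, off)  # struct.error on a truncated header
        off += 3
        if off + length > len(data):
            raise ValueError("length field runs past end of file")
        records.append((typ, bytes(data[off:off + length])))
        off += length
    return records


if __name__ == "__main__":
    seed = b"TLV1" + struct.pack("<BH", 1, 3) + b"abc" + struct.pack("<BH", 2, 1) + b"z"
    for i, kind, case in fuzz(seed, parse_tlv, 500)[:5]:
        print(i, kind, case.hex())
```

A good share of the cases break the 4-byte magic and are rejected before the length checks ever run; that waste is the argument for the generation model on the two previous slides once the format is understood.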
 21. Know your enemy
     What kind of application is it?
       Network services
       Web applications
       Libraries
       ActiveX
     What kind of inputs?
       Command line
       Files
       Network
       Forms
       Environment variables
       URL
       ...

 22. Files (I)
     If we are lucky, previously documented
       www.wotsit.org
       www.fileformat.info
       010 Editor / Hexedit / others
     If not documented
       Through a repository of valid files
         Google – ext:svg
         Bing – type:svg
       Reverse engineering

 23. Files (II)
     Some interesting APIs
       CreateFile / CloseHandle / open / close
       lseek
       WriteFile / ReadFile / write / read

 24. Files (III)
     eax=00000000
     cmp word ptr [eax+edx*2],0ffffh
     (eax is NULL, so the compare reads from a near-NULL address and faults)

 25. Network services (I)
     Open protocols (RFC)
     Sniffing traffic between client and server
     What about clients?
     From pcap to model

 26. Network services (II)
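
"From pcap to model" on slide 25, and the generation model of slides 19 and 20, as an added example that is not part of the original deck: the client half of a captured FTP control session (constructed here; in practice pulled out of the pcap with Wireshark's Follow TCP Stream or tshark) is turned into an ordered model in which each command verb stays fixed and its argument becomes the fuzzable field. Every generated session replays the earlier steps unchanged before sending the fuzzed one, so a command that is only parsed after login still reaches its handler. `send_session` is a plain socket sender for a live target; its host and port are placeholders.

```python
import re
import socket

# Constructed client->server half of a captured FTP control session.
CAPTURED_CLIENT = (
    b"USER anonymous\r\n"
    b"PASS guest@example.org\r\n"
    b"CWD /pub\r\n"
    b"TYPE I\r\n"
    b"RETR readme.txt\r\n"
    b"QUIT\r\n"
)

# One FTP control line: a verb, optionally one space and an argument, then CRLF.
LINE = re.compile(rb"^([A-Z]{3,4})(?: (.*))?\r\n$")


def build_model(capture):
    """Ordered list of (verb, argument) steps. The verb is kept static because it
    selects the server's code path; the argument is what gets fuzzed."""
    model = []
    for raw in capture.splitlines(keepends=True):
        m = LINE.match(raw)
        if not m:
            raise ValueError("line does not fit the protocol model: %r" % raw)
        model.append((m.group(1), m.group(2)))
    return model


def field_cases(original):
    """Generation-model payloads for one string field (11 cases)."""
    yield original                         # baseline: the session must still work unfuzzed
    for n in (256, 1024, 4096, 65535):
        yield b"A" * n                     # classic overflow lengths
    yield b"%s%x%n" * 16                   # format strings
    yield b"../" * 32 + b"etc/passwd"      # path traversal
    yield b"\x00" + original               # embedded NUL
    yield b"\xff" * 512                    # high bytes
    yield original + b"\r\nNOOP"           # CRLF injection / command splitting
    yield b""                              # empty argument


def render(verb, arg):
    """Serialise one step back into a protocol line."""
    return verb + (b" " + arg if arg is not None else b"") + b"\r\n"


def generate_sessions(model):
    """Yield (step_index, session_bytes). Each session replays the steps before the
    fuzzed one exactly as captured, so state-dependent commands (CWD needs PASS first)
    reach the code that parses them. Verbs captured without an argument are skipped."""
    for idx, (verb, arg) in enumerate(model):
        if arg is None:
            continue
        prefix = b"".join(render(v, a) for v, a in model[:idx])
        for payload in field_cases(arg):
            yield idx, prefix + render(verb, payload)


def send_session(session, host="ftp.target.example", port=21, timeout=3.0):
    """Deliver one session over TCP (lines sent back to back; a stricter harness reads
    the reply after each step) and return what the server answered before it closed or
    went quiet. An empty reply after a case is the first crash indicator. Host and port
    are placeholders."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(session)
        reply = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass
        return reply


if __name__ == "__main__":
    model = build_model(CAPTURED_CLIENT)
    for idx, session in generate_sessions(model):
        print(idx, model[idx][0].decode(), len(session), "bytes")
```

The replayed prefix is what makes the difference between fuzzing the login parser and fuzzing the whole server: without it every case after step 1 is answered with "530 Not logged in" and the code behind CWD or RETR is never reached.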
 27. DEMO I – Network services
     ACTFAX FTP SERVER
     Video: http://www.youtube.com/watch?v=yOKVIgZso4M
     Python
     Sulley
     Paimei

 28. Libraries (I)
     Probably well documented
     "Hidden" API
     Exported symbols
     Argument guessing

 29. Libraries (II)

 30. DEMO II – Library
     ASPEMAIL
     Video: http://www.youtube.com/watch?v=7DxXiChy_Oc
     Perl
     VBScript
     Do it yourself
     WinDbg

 31. ActiveX (I)
     Probably well documented
     Internet Explorer only
     ActiveX interfaces
     AxMan / COMRaider

 32. ActiveX (II)

 33. Web applications (I)
     Lots of documentation
     Not only the URL (headers, cookies, methods, ...)
     Ajax / JavaScript / app testing
     OWASP

 34. Web applications (II)

 35. Common problems
     Encryption
     Checksum
     Unknown format/protocol/whatever
     Relations
     Conditions
     Code coverage

 36. Testing

 37. Fuzzing stages

 38. And now what?
     Responsible disclosure
     Sell it
     Exploit
     Patch (binary or source)
     Full disclosure
     IDS signature

 39. Improvements
     Parallel processing
     Modified application
     In-memory fuzzing
     Reversing skills needed
     Code coverage

 40. In-memory fuzzing
     Breakpoint at sub_0xC0FF33 (entry of the routine that parses the input)
     Take snapshot
     Change input
     Input interaction (let the routine run on the changed input)
     Exception? -> jump to snapshot
     End of sub -> jump to snapshot
     Restore snapshot and loop with the next input

 41. QUESTIONS?

 42. Thanks (Ackstorm team)
     Juan Carlos
     Fer
     Joan Carles
     Me
     Joan Pau
     Xavi
     Jordi
     Gonzalo
     Toni
     Victor
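
The Checksum and Relations entries on the Common problems slide (35), as an added example that is not part of the original deck: PNG stores every chunk as length, type, data and a CRC-32 over type and data, so a dumb mutator that touches the payload is rejected at the CRC check before the field parser ever sees the change. The checksum-aware variant mutates the payload and then rebuilds the file so both dependent fields (length and CRC) hold again, and the case gets through. `parse_chunks` stands in for a decoder's own integrity check; the sample image is constructed and contains only IHDR and IEND.

```python
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def crc(ctype, data):
    """PNG chunk CRC: CRC-32 over the chunk type and data (the length is not covered)."""
    return zlib.crc32(ctype + data) & 0xFFFFFFFF


def chunk(ctype, data):
    """Serialise one chunk with both relations intact: length == len(data), crc == crc(type, data)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc(ctype, data))


def parse_chunks(png, verify=True):
    """Walk the chunks; with verify=True reject a wrong CRC the way a real decoder does."""
    if png[:8] != PNG_SIG:
        raise ValueError("bad PNG signature")
    chunks, off = [], 8
    while off < len(png):
        (length,) = struct.unpack_from(">I", png, off)
        ctype = bytes(png[off + 4:off + 8])
        data = bytes(png[off + 8:off + 8 + length])
        (stored,) = struct.unpack_from(">I", png, off + 8 + length)  # struct.error if truncated
        if verify and stored != crc(ctype, data):
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        chunks.append((ctype, data))
        off += 12 + length
    return chunks


def accepted(png):
    """True if a verifying decoder gets past the integrity checks."""
    try:
        parse_chunks(png, verify=True)
        return True
    except (ValueError, struct.error):
        return False


def naive_mutate(png, rng):
    """Dumb mutation: flip one bit anywhere after the signature. Almost every such file
    dies at the CRC check, so the code behind it is never exercised."""
    data = bytearray(png)
    i = rng.randrange(8, len(data))
    data[i] ^= 1 << rng.randrange(8)
    return bytes(data)


def checksum_aware_mutate(png, target_type, rng):
    """Mutate one byte of the chosen chunk's payload, then rebuild the file so the
    length and CRC relations hold again and the mutation reaches the field parser."""
    out = PNG_SIG
    for ctype, data in parse_chunks(png, verify=False):
        if ctype == target_type:
            data = bytearray(data)
            data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
            data = bytes(data)
        out += chunk(ctype, data)
    return out


# Constructed sample: a 1x1, 8-bit greyscale IHDR plus an IEND chunk (no pixel data needed here).
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
SAMPLE_PNG = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"IEND", b"")


def demo(rng_seed=1):
    """Run both strategies once: (naive case accepted?, checksum-aware case accepted?)."""
    rng = random.Random(rng_seed)
    return (accepted(naive_mutate(SAMPLE_PNG, rng)),
            accepted(checksum_aware_mutate(SAMPLE_PNG, b"IHDR", rng)))


if __name__ == "__main__":
    print("naive accepted, checksum-aware accepted:", demo())
```

Encryption, the other entry on that slide, is the same problem one layer up: the mutation has to happen before the encrypt-and-MAC step, which in practice means hooking the client or the library call rather than mutating the bytes on the wire.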
