Wireplay: An approach to
          almost Blind Fuzzing


                   - Abhisek Datta




nullcon Goa 2010       ht...
Agenda
                   Little Theory
                   about fuzzing

                     Problems &
                ...
Fuzz Testing != Hacking

    Feeding random/semi-random
   valid/invalid data set to
   various input interfaces of a
   p...
Fuzz Testing aka. Fuzzing

SELECT name
   FROM users WHERE id = 10

                                                    Ex...
Block Based Modeling

    A theoretical approach to
   model the problem of Fuzzing.
        Original (valid) Input Set is...
Block Based Fuzzing

                    GET /index.html HTTP/1.1
                    Host: foo.com
                    Us...
Block Based Fuzzing


for-each-token
      data.replace(token, get_random())
       target.send(data)
end




nullcon Goa ...
Block Based Fuzzing


             GET <BIG-RANDOM-STRING> HTTP/1.1
             Host: foo.com
             User-Agent: wg...
Block Based Fuzzing: Problems

    Tokenization needs knowledge
   of protocol.
         Lots of protocols.
         Propr...
Introducing Wireplay

    Minimalist approach to replay
   TCP Sessions with modifications
   as required.
        Use you...
Wireplay: Functional Flow


   Original Client          Sniffer                  Original Server



                      ...
Wireplay Features
     TCP Stream replay
        TCP Session reconstruction via.
       modified libnids (bug fixes)
     ...
Wireplay: Basic Usage

bash$ wireplay –r client 
        -t 172.16.0.1 
        -p 80
        -F pcap/http.pcap 
        -...
Wireplay: Fuzzing

    Hook Subsystem for arbitrary
   data manipulation.
        Embedded Ruby Interpreter and API
      ...
Wireplay: Hook System
     Connect To Target         1                      Events
                                       ...
Wireplay: Packet Hook in Ruby
    Define your arbitrary class with
   the following methods:
        on_start(pkt_desc)
  ...
Wireplay: Sample Hooks

    Blind Byte Alternation
   (blind.rb)
        Alters each byte from the
       original payload...
Wireplay: Demo




nullcon Goa 2010      http://nullcon.net
Thank You.. 

svn co http://wireplay.googlecode.com/svn/trunk wireplay


     http://code.google.com/p/wireplay/




 nul...
Upcoming SlideShare
Loading in …5
×

nullcon 2010 - Software Fuzzing with Wireplay

1,838 views

Published on

nullcon 2010 - Software Fuzzing with Wireplay by Abhisek Datta

Published in: Technology
  • Be the first to comment

nullcon 2010 - Software Fuzzing with Wireplay

  1. 1. Wireplay: An approach to almost Blind Fuzzing - Abhisek Datta nullcon Goa 2010 http://nullcon.net
  2. 2. Agenda Little Theory about fuzzing Problems & Solution Introducing Wireplay Field Testing Wireplay Hooks nullcon Goa 2010 http://nullcon.net
  3. 3. Fuzz Testing != Hacking Feeding random/semi-random valid/invalid data set to various input interfaces of a program and monitor for possible faults! Fuzzing does find expensive security bugs! nullcon Goa 2010 http://nullcon.net
  4. 4. Fuzz Testing aka. Fuzzing SELECT name FROM users WHERE id = 10 Example SELECT Server AAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA Monitored Environment AAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA FROM users WHERE id = 10 nullcon Goa 2010 http://nullcon.net
  5. 5. Block Based Modeling A theoretical approach to model the problem of Fuzzing. Original (valid) Input Set is tokenized (blocks) and each token is fuzzed periodically. Better approach than blind fuzzing, however you need to write a LOT of code! • SPIKE, Peach, Sully etc. nullcon Goa 2010 http://nullcon.net
  6. 6. Block Based Fuzzing GET /index.html HTTP/1.1 Host: foo.com User-Agent: wget/1.10.2 GET Index.html Host Wget/1.10.2 User-Agent foo.com nullcon Goa 2010 http://nullcon.net
  7. 7. Block Based Fuzzing for-each-token data.replace(token, get_random()) target.send(data) end nullcon Goa 2010 http://nullcon.net
  8. 8. Block Based Fuzzing GET <BIG-RANDOM-STRING> HTTP/1.1 Host: foo.com User-Agent: wget/1.10.2 nullcon Goa 2010 http://nullcon.net
  9. 9. Block Based Fuzzing: Problems Tokenization needs knowledge of protocol. Lots of protocols. Proprietary protocols. Time Consuming. ETC. nullcon Goa 2010 http://nullcon.net
  10. 10. Introducing Wireplay Minimalist approach to replay TCP Sessions with modifications as required. Use your valid client to connect to the server. Capture the packets (Wireshark?) Feed them to Wireplay for replay Use Wireplay hooks to modify original packets and replay nullcon Goa 2010 http://nullcon.net
  11. 11. Wireplay: Functional Flow Original Client Sniffer Original Server PCAP Wireplay http://code.google.com/p/wireplay nullcon Goa 2010 http://nullcon.net
  12. 12. Wireplay Features TCP Stream replay TCP Session reconstruction via. modified libnids (bug fixes) Plugin Subsystem Ruby Interpreter Embedded as Plugin Supports Packet Mangling hooks written in Ruby CGEN: A ruby plugin to generate a C program to reproduce a TCP Session nullcon Goa 2010 http://nullcon.net
  13. 13. Wireplay: Basic Usage bash$ wireplay –r client -t 172.16.0.1 -p 80 -F pcap/http.pcap -K # optional nullcon Goa 2010 http://nullcon.net
  14. 14. Wireplay: Fuzzing Hook Subsystem for arbitrary data manipulation. Embedded Ruby Interpreter and API set for writing packet manipulation hooks in Ruby Misc. features to repeat fuzz sessions, ignore errors, halt on connection fault etc. nullcon Goa 2010 http://nullcon.net
  15. 15. Wireplay: Hook System Connect To Target 1 Events 1. On Start Read Next Packet Disconnect 2. On Data 3. On Stop 3 4. On Error Is Client to Read fromServer Server Data 2 2 Send to Server nullcon Goa 2010 http://nullcon.net
  16. 16. Wireplay: Packet Hook in Ruby Define your arbitrary class with the following methods: on_start(pkt_desc) on_stop(pkt_desc) on_data(pkt_desc, direction, data) on_error(pkt_desc, code) Register an object of your class with Wireplay Hook Subsystem Wireplay::Hooks.register(YourClass.new) nullcon Goa 2010 http://nullcon.net
  17. 17. Wireplay: Sample Hooks Blind Byte Alternation (blind.rb) Alters each byte from the original payload with single or multiple bytes for fuzzing. CGEN (cgen.rb) Generates C program to replay a TCP session. Use for PoC generation. nullcon Goa 2010 http://nullcon.net
  18. 18. Wireplay: Demo nullcon Goa 2010 http://nullcon.net
  19. 19. Thank You..  svn co http://wireplay.googlecode.com/svn/trunk wireplay http://code.google.com/p/wireplay/ nullcon Goa 2010 http://nullcon.net

×