Monday, August 10, 2009

Network Protocol Fuzzing

Arguably fuzzing is one leading technique hackers have leveraged over a decade to discover scores of software security issues.

For a detailed look into techniques, tools, pros & cons a look at Charlie Miller paper is worth a read.

There are two well-known fuzzing frameworks Sulley & Peach - that could be leveraged to create your own fuzzers. I haven't had had a dig at Peach as I haven't yet exhausted Sulley yet or run into major road blocks. The author of Sulley - Pedram has been quite considerate to answer my queries and the tool looks promising so far.

It is fairly straight forward to crank up your first fuzzer if your protocol is as simple as HTTP.

Following code is what I needed to write to get a basic fuzzer ready to torture an HTTP server. The intention was just to have a feel of Sulley. The real goal otherwise is to do some really complex things. But yeah - the things below had to respond to get my confidence & investment.

from sulley import *

s_initialize("HTTP VERBS BASIC")
s_group("verbs", values=["GET", "HEAD"])
if s_block_start("body", group="verbs"):
s_delim(" ")
s_delim("/")
s_string("index.html")
s_delim(" ")
s_string("HTTP")
s_delim("/")
s_string("1")
s_delim(".")
s_string("1")
s_static("\r\n\r\n")
s_block_end()

def do_http_fuzz() :
sess = sessions.session(session_filename="audits/http_session_test.txt")
target = sessions.target("127.0.0.1", 80)
sess.add_target(target)
sess.connect(s_get("HTTP VERBS BASIC"))

sess.fuzz()

print "test completed"

do_http_fuzz()

Firing this script on a latest Apache web server results in 9062 test cases and the wireshark screenshot shows some of the attack patterns that are sent to Apache.



This was simple. But then this is HTTP. How about session oriented or stateful protocols like FTP or even better with encryption SSH? And how about fuzzing deep within a protocol? Fuzzing FTP methods or the protocol methods that are reachable only after a valid secure authenticated session is created? The answer is yes, a framework that can facilitate all this would be a great asset for many security testers.

In my next post we will look at fuzzing a stateful protocol. Precisely we will look at fuzzing deep within a stateful protocol post authentication.

1 comment: