From charlesreid1


Revision as of 05:44, 2 April 2016

Fuzzer

https://necurity.co.uk/netsec/2015/03/30/Fun-With-AFL.html#sthash.h9Aurb7C.dpbs

About

American fuzzy lop (AFL) is a program for fuzzing inputs. It is very sophisticated: it compiles instrumentation into the target binary, so the fuzzing can be very targeted, guided by which code paths each input reaches.

Installing

Get the latest version, and run make to make it:

$ wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
$ tar -xvf afl-latest.tgz
$ cd afl-*
$ make
$ make install

Success!

root@morpheus:~/codes/afl-2.10b# which afl-fuzz
/usr/local/bin/afl-fuzz

Fuzzing a Program

Programs that can be fuzzed are those that take input files, usually binary files or unusual formats. (Think mp3, multimedia, images, etc.)

We'll be fuzzing John the Ripper to understand how AFL works.

Compiling John the Ripper

We want to download and compile John so that it will be instrumented.

Dependencies

Start with dependencies - OpenSSL development libs:

# apt-get install --fix-missing libssl-dev

Get John the Ripper

# git clone git@github.com:magnumripper/JohnTheRipper.git
# cd JohnTheRipper/src
# ./configure --help

Compile John the Ripper

We will compile John the Ripper using American Fuzzy Lop's compiler wrapper, afl-gcc, which wraps the system GCC and inserts the coverage instrumentation:

CC=/path/to/afl-gcc ./configure

[...]

config.status: creating Makefile
config.status: creating aes/Makefile
config.status: creating aes/aesni/Makefile
config.status: creating aes/openssl/Makefile
config.status: creating escrypt/Makefile
config.status: creating autoconfig.h
config.status: linking x86-64.h to arch.h
config.status: executing default commands
configure: creating ./fmt_externs.h
afl-cc 2.10b by <lcamtuf@google.com>
configure: creating ./fmt_registers.h
afl-cc 2.10b by <lcamtuf@google.com>
afl-cc 2.10b by <lcamtuf@google.com>
afl-cc 2.10b by <lcamtuf@google.com>

Configured for building John the Ripper jumbo:

Target CPU ................................. x86_64 SSE4.1, 64-bit LE
AES-NI support ............................. depends on OpenSSL
Target OS .................................. linux-gnu
Cross compiling ............................ no
Legacy arch header ......................... x86-64.h

Optional libraries/features found:
Fuzzing test ............................... no
Experimental code .......................... no
OpenMPI support (default disabled) ......... no
Fork support ............................... yes
OpenMP support ............................. yes (not for fast formats)
CUDA support (default disabled by OpenCL) .. no
OpenCL support ............................. no
Generic crypt(3) format .................... yes
Rexgen (extra cracking mode) ............... no
GMP (PRINCE mode and faster SRP formats) ... yes
PCAP (vncpcap2john and SIPdump) ............ no
Z (pkzip format, gpg2john) ................. yes
BZ2 (gpg2john extra decompression logic) ... no
128-bit integer (faster PRINCE mode) ....... yes
Memory map (share/page large files) ........ yes

Development options (these may hurt performance when enabled):
Memdbg memory debugging settings ........... disabled
AddressSanitizer ("ASan") .................. disabled
UndefinedBehaviorSanitizer ("UbSan") ....... disabled

Install missing libraries to get any needed features that were omitted.

Configure finished.  Now 'make clean && make -s' to compile.

When you run make clean and make -s, you will see lots of output like this:

# make clean && make -s

[...]

[+] Instrumented 386 locations (64-bit, non-hardened mode, ratio 100%).
afl-as 2.10b by <lcamtuf@google.com>

Now we have compiled binaries in the run directory, one level up:

# cd ../run/
# ./john

Fuzz time.
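The build-and-fuzz procedure above, collected into one script together with the check a practitioner wants before spending CPU time on fuzzing: confirming that the john binary really was instrumented. This is an added example, not from the original page or the John the Ripper project; it assumes AFL's afl-gcc and afl-fuzz are on PATH, that the checkout lives in JTR_SRC, and the seed hash line is a constructed sample.

```shell
#!/bin/sh
# Added example: build john with afl-gcc, verify instrumentation, fuzz.
# Assumes afl-gcc/afl-fuzz are on PATH and JTR_SRC points at the
# JohnTheRipper/src checkout (default below).
set -eu
JTR_SRC="${JTR_SRC:-./JohnTheRipper/src}"

# AFL's injected runtime reads the __AFL_SHM_ID environment variable, so
# that name is embedded in every afl-gcc-instrumented binary.
# Returns 0 if the binary looks instrumented, 1 otherwise.
is_afl_instrumented() {
    grep -q '__AFL_SHM_ID' "$1"
}

# Build the afl-fuzz command line. AFL replaces @@ with the path of each
# generated test case, which john then parses as a password-hash file.
# -m none lifts AFL's default memory limit, which john's formats can exceed.
afl_cmd() {
    # $1 = seed corpus dir, $2 = AFL output dir, $3 = path to john
    printf 'afl-fuzz -i %s -o %s -m none -- %s %s\n' "$1" "$2" "$3" '@@'
}

# Write a minimal seed corpus: one constructed user:hash line in the
# format john loads. Small seeds leave AFL room to mutate.
write_seed_corpus() {
    mkdir -p "$1"
    printf 'user:5f4dcc3b5aa765d61d8327deb882cf99\n' > "$1/seed.txt"
}

# The page's configure/make steps, with afl-gcc as the C compiler.
build_instrumented_john() {
    ( cd "$JTR_SRC" && CC=afl-gcc ./configure && make clean && make -s )
}

# Real run only when invoked as: ./fuzz-john.sh run
if [ "${1:-}" = "run" ]; then
    build_instrumented_john
    JOHN="$JTR_SRC/../run/john"
    is_afl_instrumented "$JOHN" || { echo "john is not instrumented" >&2; exit 1; }
    write_seed_corpus ./afl_in
    eval "$(afl_cmd ./afl_in ./afl_out "$JOHN")"
fi
```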


Fuzzing John the Ripper