Fuzzing: Difference between revisions
From charlesreid1
No edit summary |
No edit summary |
||
| Line 3: | Line 3: | ||
Fuzzing is an excellent way to discover bugs and find ways of triggering exceptions or crashes. | Fuzzing is an excellent way to discover bugs and find ways of triggering exceptions or crashes. | ||
==Resources== | |||
Resources from Google about fuzzing: https://github.com/google/fuzzing/tree/master/docs | |||
==Types of Fuzzing== | |||
Different fuzzers will fuzz different things. Two examples of different types of fuzzers are: | |||
* File fuzzers | |||
* Network fuzzers | |||
==Tools== | |||
===American Fuzzy Lop - AFL=== | |||
Link: https://lcamtuf.coredump.cx/afl/ | |||
Readme: https://lcamtuf.coredump.cx/afl/README.txt | |||
Quickstart: https://afl-1.readthedocs.io/en/latest/quick_start.html | |||
Via: Github/Awesome/Fuzzing | |||
AFL is a fuzzing program that employs compile-time instrumentation and genetic algorithms | |||
can be used to automatically discover clean, interesting test cases triggering internal state changes in the binary | |||
designed to be practical, modest overhead, variety of highly effective fuzzing strategies | |||
there are no knobs to turn, no configuration | |||
Instructions for installing: https://afl-1.readthedocs.io/en/latest/INSTALL.html#install | |||
Guide to instrumenting programs for AFL: https://afl-1.readthedocs.io/en/latest/instrumenting.html#instrumenting | |||
Guide to fuzzing with AFL: https://afl-1.readthedocs.io/en/latest/fuzzing.html#fuzzing-with-afl | |||
===Binspector=== | |||
Github link: https://github.com/binspector/binspector | |||
Via: Github/Awesome/Fuzzing | |||
binspector is built around the idea of exposing the guts of binary formats and files | |||
BFFT - binary file format template - formalized description of binary format | |||
This allows you to test a given binary file against the BFFT | |||
This enables you to: | |||
* Verify the binary meets the requirements of format | |||
* Analyze contents of binary file and interpret raw data within | |||
* Inspect binary values in the file with context | |||
* Intelligently fuzz binary at potential weak points, auto-generate files containing attack vectors | |||
build system uses CMake | |||
===Cluster-Related Tools=== | |||
====CloudFuzzer==== | |||
Github link: https://github.com/ouspg/cloudfuzzer | |||
Via: Github/Awesome/Fuzzing | |||
cloudfuzzer is a framework for running a fuzzing cluster in the cloud. | |||
fuzzvm instances consist of one swarm master and N swarm nodes | |||
a bastion instance works as ssh gateway between outside world and fuzzing cluster | |||
bastion used to deliver docker images from user to swarm machines, and for storing fuzzing results | |||
====Clusterfuzzer==== | |||
Link: https://google.github.io/clusterfuzz/ | |||
Github link: https://github.com/google/clusterfuzz | |||
Via: Github/Awesome/Fuzzing | |||
Clusterfuzzer is a framework for scalable fuzzing infrastructure. Used by Google to fuzz Chrome browser and backend for OSS-Fuzz. | |||
====Nightmare==== | |||
Github link: https://github.com/joxeankoret/nightmare | |||
Via: Github/Awesome/Fuzzing | |||
A distributed fuzzing testing suite with web administration, supports network fuzzing | |||
Nightmare is a simple fuzzing suite that was created for an underground conference (LaCon 2013). It was later on enhanced for the conference SYSCAN 2014 (www.syscan.org), is actively maintained and was released for T2 2014 conference. | |||
===Deepstate=== | |||
Github link: https://github.com/trailofbits/deepstate | |||
Via: Github/Awesome/Fuzzing | |||
unit test-like interface for fuzzing and symbolic execution | |||
===Fuzzbench=== | |||
Link: https://google.github.io/fuzzbench/ | |||
Github link: https://github.com/google/FuzzBench | |||
Via: Github/Awesome/Blue Team | |||
fuzzbench is a free service that evaluates fuzzers based on real-world benchmarks | |||
makes it easier to rigorously evaluate fuzzing research, and make fuzzing research easier to adopt | |||
===Honggfuzz=== | |||
Link: https://honggfuzz.dev/ | |||
Github link: https://github.com/google/honggfuzz | |||
Via: Github/Awesome/Fuzzing | |||
Docker environment with honggfuzz: https://github.com/skysider/honggfuzz_docker_apps | |||
* skysider/honggfuzz_base - based on phusion/baseimage | |||
Software fuzzer; uses evolutionary, feedback-driven fuzzing based on code coverage | |||
Features: | |||
* multi-process, multi-threaded | |||
* very fast | |||
* low level interfaces to monitor processes | |||
* supports multiple feedback-driven fuzzing modes | |||
* program can work its way up and expand on a corpus | |||
* linux, bsd, mac, and android | |||
===Libfuzzer=== | |||
Link: https://llvm.org/docs/LibFuzzer.html | |||
===Mutiny=== | |||
Github link: https://github.com/Cisco-Talos/mutiny-fuzzer | |||
Via: Github/Awesome/Fuzzing | |||
a network fuzzer that operates by replaying PCAPs through a mutational fuzzer | |||
goal is to begin network fuzzing as quickly as possible, at the expense of being thorough | |||
takes a sample of legitimate traffic, such as a browser request, and feeds it into a prep script to generate a .fuzzer file | |||
Uses Radamsa (see below) to perform mutations | |||
===Radamsa=== | |||
Gitlab link: https://gitlab.com/akihe/radamsa | |||
Via: Github/Awesome/Fuzzing | |||
Reads a sample files of valid data and generating interestringly different outputs from them | |||
radamsa has already found a slew of bugs in programs that actually matter, it is easily scriptable and, easy to get up and running | |||
===Rmadair=== | |||
Link: https://rmadair.github.io/fuzzer/ | |||
Github link: https://github.com/rmadair/fuzzer | |||
Via: Github/Awesome/Fuzzing | |||
File fuzzer that uses mutation fuzzing and pydbg to monitor for signals of interest | |||
Client-server architecture, can run multiple clients on a single box | |||
# Client connects to server, gets copy of input file, possible mutations, and path to executable | |||
# Client enters loop, asks server for next mutation, server responds with offset into file and mutation index | |||
# Client creates mutated file, executes with pydbg | |||
# If crash occurs, client sends crash info to server, server creates local copy of file | |||
===Zzuf=== | |||
Link: http://caca.zoy.org/wiki/zzuf | |||
Github link: https://github.com/samhocevar/zzuf | |||
Tutorial: https://fuzzing-project.org/tutorial1.html | |||
Via: Github/Awesome/Fuzzing | |||
zzuf is an application fuzzer implemented in C. it works by intercepting file operations and changing random bits in the program's input | |||
zzuf behavior is deterministic, so bugs are easily reproduced | |||
Revision as of 01:47, 2 March 2022
Fuzzing is a procedure to test a program's ability to handle (or not handle) malformed inputs. If, for example, a program expects the user to provide an integer, and you provide 10 MB of raw binary data instead, what happens to the program?
Fuzzing is an excellent way to discover bugs and find ways of triggering exceptions or crashes.
Resources
Resources from Google about fuzzing: https://github.com/google/fuzzing/tree/master/docs
Types of Fuzzing
Different fuzzers will fuzz different things. Two examples of different types of fuzzers are:
- File fuzzers
- Network fuzzers
Tools
American Fuzzy Lop - AFL
Link: https://lcamtuf.coredump.cx/afl/
Readme: https://lcamtuf.coredump.cx/afl/README.txt
Quickstart: https://afl-1.readthedocs.io/en/latest/quick_start.html
Via: Github/Awesome/Fuzzing
AFL is a fuzzing program that employs compile-time instrumentation and genetic algorithms
can be used to automatically discover clean, interesting test cases triggering internal state changes in the binary
designed to be practical, modest overhead, variety of highly effective fuzzing strategies
there are no knobs to turn, no configuration
Instructions for installing: https://afl-1.readthedocs.io/en/latest/INSTALL.html#install
Guide to instrumenting programs for AFL: https://afl-1.readthedocs.io/en/latest/instrumenting.html#instrumenting
Guide to fuzzing with AFL: https://afl-1.readthedocs.io/en/latest/fuzzing.html#fuzzing-with-afl
Binspector
Github link: https://github.com/binspector/binspector
Via: Github/Awesome/Fuzzing
binspector is built around the idea of exposing the guts of binary formats and files
BFFT - binary file format template - formalized description of binary format
This allows you to test a given binary file against the BFFT
This enables you to:
- Verify the binary meets the requirements of format
- Analyze contents of binary file and interpret raw data within
- Inspect binary values in the file with context
- Intelligently fuzz binary at potential weak points, auto-generate files containing attack vectors
build system uses CMake
Cluster-Related Tools
CloudFuzzer
Github link: https://github.com/ouspg/cloudfuzzer
Via: Github/Awesome/Fuzzing
cloudfuzzer is a framework for running a fuzzing cluster in the cloud.
fuzzvm instances consist of one swarm master and N swarm nodes
a bastion instance works as ssh gateway between outside world and fuzzing cluster
bastion used to deliver docker images from user to swarm machines, and for storing fuzzing results
Clusterfuzzer
Link: https://google.github.io/clusterfuzz/
Github link: https://github.com/google/clusterfuzz
Via: Github/Awesome/Fuzzing
Clusterfuzzer is a framework for scalable fuzzing infrastructure. Used by Google to fuzz Chrome browser and backend for OSS-Fuzz.
Nightmare
Github link: https://github.com/joxeankoret/nightmare
Via: Github/Awesome/Fuzzing
A distributed fuzzing testing suite with web administration, supports network fuzzing
Nightmare is a simple fuzzing suite that was created for an underground conference (LaCon 2013). It was later on enhanced for the conference SYSCAN 2014 (www.syscan.org), is actively maintained and was released for T2 2014 conference.
Deepstate
Github link: https://github.com/trailofbits/deepstate
Via: Github/Awesome/Fuzzing
unit test-like interface for fuzzing and symbolic execution
Fuzzbench
Link: https://google.github.io/fuzzbench/
Github link: https://github.com/google/FuzzBench
Via: Github/Awesome/Blue Team
fuzzbench is a free service that evaluates fuzzers based on real-world benchmarks
makes it easier to rigorously evaluate fuzzing research, and make fuzzing research easier to adopt
Honggfuzz
Link: https://honggfuzz.dev/
Github link: https://github.com/google/honggfuzz
Via: Github/Awesome/Fuzzing
Docker environment with honggfuzz: https://github.com/skysider/honggfuzz_docker_apps
- skysider/honggfuzz_base - based on phusion/baseimage
Software fuzzer; uses evolutionary, feedback-driven fuzzing based on code coverage
Features:
- multi-process, multi-threaded
- very fast
- low level interfaces to monitor processes
- supports multiple feedback-driven fuzzing modes
- program can work its way up and expand on a corpus
- linux, bsd, mac, and android
Libfuzzer
Link: https://llvm.org/docs/LibFuzzer.html
Mutiny
Github link: https://github.com/Cisco-Talos/mutiny-fuzzer
Via: Github/Awesome/Fuzzing
a network fuzzer that operates by replaying PCAPs through a mutational fuzzer
goal is to begin network fuzzing as quickly as possible, at the expense of being thorough
takes a sample of legitimate traffic, such as a browser request, and feeds it into a prep script to generate a .fuzzer file
Uses Radamsa (see below) to perform mutations
Radamsa
Gitlab link: https://gitlab.com/akihe/radamsa
Via: Github/Awesome/Fuzzing
Reads a sample files of valid data and generating interestringly different outputs from them
radamsa has already found a slew of bugs in programs that actually matter, it is easily scriptable and, easy to get up and running
Rmadair
Link: https://rmadair.github.io/fuzzer/
Github link: https://github.com/rmadair/fuzzer
Via: Github/Awesome/Fuzzing
File fuzzer that uses mutation fuzzing and pydbg to monitor for signals of interest
Client-server architecture, can run multiple clients on a single box
- Client connects to server, gets copy of input file, possible mutations, and path to executable
- Client enters loop, asks server for next mutation, server responds with offset into file and mutation index
- Client creates mutated file, executes with pydbg
- If crash occurs, client sends crash info to server, server creates local copy of file
Zzuf
Link: http://caca.zoy.org/wiki/zzuf
Github link: https://github.com/samhocevar/zzuf
Tutorial: https://fuzzing-project.org/tutorial1.html
Via: Github/Awesome/Fuzzing
zzuf is an application fuzzer implemented in C. it works by intercepting file operations and changing random bits in the program's input
zzuf behavior is deterministic, so bugs are easily reproduced
 |
Metasploitable: The Red Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
Exploiting MySQL with Metasploit: Metasploitable/MySQL Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
Exploiting VSFTP Backdoor: Metasploitable/VSFTP SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force SSH Penetration with Keys: Metasploitable/SSH/Keys SSH Penetration with Metasploit: Metasploitable/SSH/Exploits Brute-Forcing Exploiting NFS: Metasploitable/NFS Exploiting DNS Bind Server: Metasploitable/DNS Bind
Metasploitable Services: distcc: Metasploitable/distcc
Metasploitable Apache: Exploiting Apache (with Metasploit): Metasploitable/Apache Exploiting Apache (with Python): Metasploitable/Apache/Python Tor's Hammer DoS Attack: Metasploitable/TorsHammer * Apache DAV: Metasploitable/Apache/DAV * Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
Metasploitable Memory: General approach to memory-based attacks: Metasploitable/Memory Investigating memory data: Metasploitable/Volatile Data Investigation Dumping Memory from Metasploit: Metasploitable/Dumping Memory
Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...)
Category:Security · Category:Metasploit · Category:Metasploitable · Category:Kali
|