From charlesreid1

Fuzzing is a testing technique that feeds a program malformed, unexpected or random inputs and watches how it copes (or fails to cope). If, for example, a program expects the user to provide an integer and you provide 10 MB of raw binary data instead, what happens to the program?

Fuzzing is an excellent way to discover bugs and find inputs that trigger exceptions or crashes; in native code those crashes are frequently memory-safety bugs, which is why fuzzing is a staple of security testing.

Resources

Resources from Google about fuzzing: https://github.com/google/fuzzing/tree/master/docs

Long, extensive list of resources: https://github.com/alphaSeclab/fuzzing-stuff/blob/master/Readme_en.md

Types of Fuzzing

Different fuzzers target different kinds of input. Two common categories are:

  • File fuzzers (mutate a file and hand it to the program that parses it)
  • Network fuzzers (mutate traffic and send it to a listening daemon)

Tools

American Fuzzy Lop - AFL

Link: https://lcamtuf.coredump.cx/afl/

Readme: https://lcamtuf.coredump.cx/afl/README.txt

Quickstart: https://afl-1.readthedocs.io/en/latest/quick_start.html

Via: Github/Awesome/Fuzzing


AFL is a coverage-guided fuzzer that uses compile-time instrumentation and genetic algorithms

can be used to automatically discover clean, interesting test cases that trigger new internal states in the target binary

designed to be practical: modest overhead, a variety of highly effective fuzzing strategies

there are essentially no knobs to turn and no configuration: point it at a seed directory and an instrumented binary

Instructions for installing: https://afl-1.readthedocs.io/en/latest/INSTALL.html#install

Guide to instrumenting programs for AFL: https://afl-1.readthedocs.io/en/latest/instrumenting.html#instrumenting

Guide to fuzzing with AFL: https://afl-1.readthedocs.io/en/latest/fuzzing.html#fuzzing-with-afl
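As an added example (not code from AFL or its documentation), here is a minimal file-parsing target written in the shape AFL expects: input comes from a file path on the command line (AFL's @@ placeholder) or from stdin, and the compile and afl-fuzz invocations are in the header comment. The TLV record format, the function names and the file names are made up for illustration. The same file also exposes an LLVMFuzzerTestOneInput entry point, so it builds unchanged as a libFuzzer or honggfuzz target when compiled with -DNO_MAIN (a macro of this example, not an AFL option).

```c
/* Added example: a small fuzz target in the shape AFL expects.
 * Not AFL's own code; the TLV record format is made up for the example.
 *
 *   afl-gcc -g target.c -o target
 *   mkdir in && printf '\001\003abc' > in/seed
 *   afl-fuzz -i in -o out -- ./target @@
 *
 * libFuzzer build (libFuzzer supplies main):
 *   clang -g -fsanitize=fuzzer,address -DNO_MAIN target.c -o target_lf
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical format: a sequence of [tag:1][len:1][value:len] records.
 * tag 0x01 = short text (must fit a 32-byte buffer), tag 0x02 = 4-byte
 * counter. Returns the number of records parsed, or -1 if the input is
 * malformed. Each bounds check here is one a fuzzer would otherwise turn
 * into a crash: drop the `vlen > len - off` check and the parser reads
 * past the input; drop the `vlen >= sizeof text` check and it overflows
 * the stack buffer. */
int parse_records(const uint8_t *data, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        if (len - off < 2)
            return -1;                  /* truncated header */
        uint8_t tag = data[off];
        uint8_t vlen = data[off + 1];
        off += 2;
        if (vlen > len - off)
            return -1;                  /* length runs past the input */

        switch (tag) {
        case 0x01: {
            char text[32];
            if (vlen >= sizeof text)
                return -1;              /* would overflow text[] */
            memcpy(text, data + off, vlen);
            text[vlen] = '\0';
            break;
        }
        case 0x02:
            if (vlen != 4)
                return -1;
            break;
        default:
            return -1;                  /* unknown tag */
        }
        off += vlen;
        count++;
    }
    return count;
}

/* Entry point used by libFuzzer and honggfuzz; unused in the AFL build. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    parse_records(data, size);
    return 0;
}

#ifndef NO_MAIN
/* Slurp a whole stream into a heap buffer. */
static uint8_t *read_all(FILE *f, size_t *out_len)
{
    size_t cap = 4096, n = 0, got;
    uint8_t *buf = malloc(cap);
    if (!buf)
        return NULL;
    while ((got = fread(buf + n, 1, cap - n, f)) > 0) {
        n += got;
        if (n == cap) {
            uint8_t *tmp = realloc(buf, cap * 2);
            if (!tmp) {
                free(buf);
                return NULL;
            }
            buf = tmp;
            cap *= 2;
        }
    }
    *out_len = n;
    return buf;
}

/* AFL-style main: `./target file` or `./target < file`. AFL does not care
 * about the exit status; it records a crash when the child dies from a
 * signal such as SIGSEGV or SIGABRT (ASan aborts count too). */
int main(int argc, char **argv)
{
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : stdin;
    if (!f)
        return 1;
    size_t len = 0;
    uint8_t *buf = read_all(f, &len);
    if (f != stdin)
        fclose(f);
    if (!buf)
        return 1;
    int rc = parse_records(buf, len);
    free(buf);
    return rc < 0 ? 1 : 0;
}
#endif
```

The seed file only needs to be a small valid input; AFL's instrumentation discovers the other tags and the length edge cases on its own. Compile with -fsanitize=address as well where possible, so that an out-of-bounds read that would otherwise be silent becomes a reported crash.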


Binspector

Github link: https://github.com/binspector/binspector

Via: Github/Awesome/Fuzzing


binspector is built around the idea of exposing the guts of binary formats and files

BFFT - binary file format template - a formalized description of a binary format

Given a BFFT, binspector can check a binary file against it, which enables you to:

  • Verify the binary meets the requirements of format
  • Analyze contents of binary file and interpret raw data within
  • Inspect binary values in the file with context
  • Intelligently fuzz binary at potential weak points, auto-generate files containing attack vectors

build system uses CMake


Cluster-Related Tools

CloudFuzzer

Github link: https://github.com/ouspg/cloudfuzzer

Via: Github/Awesome/Fuzzing


cloudfuzzer is a framework for running a fuzzing cluster in the cloud.

fuzzvm instances make up the cluster: one swarm master and N swarm nodes

a bastion instance acts as the SSH gateway between the outside world and the fuzzing cluster

the bastion is used to deliver Docker images from the user to the swarm machines, and to store fuzzing results

ClusterFuzz

Link: https://google.github.io/clusterfuzz/

Github link: https://github.com/google/clusterfuzz

Via: Github/Awesome/Fuzzing


ClusterFuzz is scalable fuzzing infrastructure. Google uses it to fuzz the Chrome browser, and it is the backend for OSS-Fuzz.

Nightmare

Github link: https://github.com/joxeankoret/nightmare

Via: Github/Awesome/Fuzzing


A distributed fuzzing test suite with web administration; supports network fuzzing

Nightmare is a simple fuzzing suite that was created for an underground conference (LaCon 2013). It was later enhanced for SYSCAN 2014 (www.syscan.org), released at the T2 2014 conference, and is actively maintained.


Deepstate

Github link: https://github.com/trailofbits/deepstate

Via: Github/Awesome/Fuzzing


a unit-test-like interface for fuzzing and symbolic execution: write one test harness and run it under the fuzzers and symbolic executors DeepState supports


Fuzzbench

Link: https://google.github.io/fuzzbench/

Github link: https://github.com/google/FuzzBench

Via: Github/Awesome/Blue Team


fuzzbench is a free service that evaluates fuzzers on real-world benchmark programs

makes it easier to rigorously evaluate fuzzing research, and makes that research easier to adopt

Fuzzotron

Github link: https://github.com/denandz/fuzzotron

Via: Github/Awesome/Fuzzing

A TCP/UDP based network daemon fuzzer

Uses Radamsa (see below) and Blab for test case generation

Honggfuzz

Link: https://honggfuzz.dev/

Github link: https://github.com/google/honggfuzz

Via: Github/Awesome/Fuzzing


Docker environment with honggfuzz: https://github.com/skysider/honggfuzz_docker_apps

  • skysider/honggfuzz_base - based on phusion/baseimage


Software fuzzer; uses evolutionary, feedback-driven fuzzing based on code coverage

Features:

  • multi-process and multi-threaded
  • very fast
  • low-level interfaces for monitoring processes
  • supports multiple feedback-driven fuzzing modes
  • can build up and expand a corpus on its own
  • runs on Linux, *BSD, macOS and Android

Libfuzzer

Link: https://llvm.org/docs/LibFuzzer.html

In-process, coverage-guided fuzzing engine that ships with LLVM; targets implement an LLVMFuzzerTestOneInput function and are built with clang -fsanitize=fuzzer, usually combined with a sanitizer such as ASan

Mutiny

Github link: https://github.com/Cisco-Talos/mutiny-fuzzer

Via: Github/Awesome/Fuzzing


a network fuzzer that operates by replaying PCAPs through a mutational fuzzer

goal is to begin network fuzzing as quickly as possible, at the expense of being thorough

takes a sample of legitimate traffic, such as a browser request, and feeds it into a prep script to generate a .fuzzer file

Uses Radamsa (see below) to perform mutations

Peach Fuzzer

Gitlab link: https://gitlab.com/peachtech/peach-fuzzer-community

Via: Github/Awesome/Fuzzing


(No longer maintained; the last release was in 2014)

Cross-platform fuzzer, capable of smart (model-based) and dumb (mutation-only) fuzzing, with a robust monitoring system

Adaptable to fuzz any form of data consumer

Commonly used to fuzz file formats, network protocols and APIs

Protocol Fuzzer

The Peach Fuzzer project now points to Protocol Fuzzer as its next-generation version

Gitlab link: https://gitlab.com/gitlab-org/security-products/protocol-fuzzer-ce


This is the community edition of GitLab's protocol fuzzing framework. It is based on Peach Fuzzer Professional with some features removed.

This program has pretty crummy support, no binaries, and hard-to-follow instructions

Radamsa

Gitlab link: https://gitlab.com/akihe/radamsa

Via: Github/Awesome/Fuzzing


Reads sample files of valid data and generates "interestingly different outputs" from them

Easily scriptable and easy to get up and running

Used by other fuzzing tools such as Fuzzotron and Mutiny (see above)

Rmadair

Link: https://rmadair.github.io/fuzzer/

Github link: https://github.com/rmadair/fuzzer

Via: Github/Awesome/Fuzzing


File fuzzer that uses mutation fuzzing and pydbg to monitor for signals of interest

Client-server architecture, can run multiple clients on a single box

  1. Client connects to server, gets copy of input file, possible mutations, and path to executable
  2. Client enters loop, asks server for next mutation, server responds with offset into file and mutation index
  3. Client creates mutated file, executes with pydbg
  4. If crash occurs, client sends crash info to server, server creates local copy of file


Zzuf

Link: http://caca.zoy.org/wiki/zzuf

Github link: https://github.com/samhocevar/zzuf

Tutorial: https://fuzzing-project.org/tutorial1.html

Via: Github/Awesome/Fuzzing


zzuf is an application fuzzer implemented in C. It works by intercepting the target's file operations and changing random bits in the program's input.

zzuf's behavior is deterministic for a given seed, so a bug it finds is easily reproduced by rerunning with the same seed
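An added example, not zzuf's or Radamsa's own code, of the property described above: a seed-driven bit-flipping mutator whose output is fully determined by the (seed, ratio) pair, so any crash can be replayed by rerunning with the same seed. The xorshift32 generator, the function names and the command line are assumptions of this example; zzuf's own generator and mutation strategy differ.

```c
/* Added example (not zzuf's code): a deterministic bit-flipping mutator
 * in the spirit of zzuf's seed/ratio contract. Same seed, same ratio and
 * same input always give the same output, which is what makes a fuzzing
 * crash reproducible. PRNG is xorshift32 (an assumption, chosen because
 * it is trivial to reproduce anywhere).
 *
 *   cc -O2 -o mutate mutate.c
 *   ./mutate 17 0.004 < sample.png > fuzzed.png   # ~0.4% of bits flipped
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Turn a user-supplied seed into a valid PRNG state: xorshift can never
 * leave the all-zero state, so seed 0 is remapped to a fixed constant. */
uint32_t seed_state(uint32_t seed)
{
    return seed ? seed : 0x9E3779B9u;
}

static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Flip each bit of buf[0..len) independently with probability `ratio`,
 * drawing only from *state (so chunked callers can continue the stream).
 * Returns the number of bits flipped. The ratio is compared as a 32-bit
 * integer threshold so no floating-point work happens inside the loop. */
size_t fuzz_bits(uint8_t *buf, size_t len, uint32_t *state, double ratio)
{
    if (ratio <= 0.0)
        return 0;
    /* ratio >= 1.0 flips everything: xorshift output is always <= UINT32_MAX */
    uint32_t threshold = ratio >= 1.0 ? UINT32_MAX
                                      : (uint32_t)(ratio * 4294967295.0);
    size_t flipped = 0;

    for (size_t i = 0; i < len; i++) {
        for (int bit = 0; bit < 8; bit++) {
            if (xorshift32(state) <= threshold) {
                buf[i] ^= (uint8_t)(1u << bit);
                flipped++;
            }
        }
    }
    return flipped;
}

/* Filter: mutate stdin to stdout. Reading in chunks while carrying the
 * PRNG state across calls keeps the result identical to mutating the
 * whole file at once, so reproducibility does not depend on chunk size. */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s seed ratio < input > output\n", argv[0]);
        return 2;
    }
    uint32_t state = seed_state((uint32_t)strtoul(argv[1], NULL, 0));
    double ratio = strtod(argv[2], NULL);
    uint8_t chunk[4096];
    size_t n, total = 0;

    while ((n = fread(chunk, 1, sizeof chunk, stdin)) > 0) {
        total += fuzz_bits(chunk, n, &state, ratio);
        if (fwrite(chunk, 1, n, stdout) != n)
            return 1;
    }
    fprintf(stderr, "flipped %zu bits\n", total);
    return 0;
}
```

Driving a target with this looks like a zzuf campaign: loop over seeds, pipe each mutated file into the program, and keep the seed of any run that dies with a signal. Because the mutation is a pure function of (seed, ratio, input), the seed alone is enough to regenerate the crashing file later.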