Show me your Kung Fuzz. No Con Name 2011. @virtualminds_es / irodriguez at virtualminds.es
Show me your Kung Fuzz • No Con Name 2011 • @virtualminds_es / irodriguez at virtualminds.es
Who is this guy? • Iñaki Rodríguez • CISSP, CEH • Security Manager at Ackstorm S.L.
About fuzzing • Attempting to cause a program or network to fail by feeding it randomly (or not so randomly) generated data. • Generate a lot of crap to crash an application.
Targets • Understand the most basic concepts of fuzzing • Complexity vs knowledge • Not your business • Real vulnerabilities • Common issues
Why we fuzz • We don't trust our software • We don't trust our providers' software • $$$ or €€€ • Corporate image
The lab (I) • Virtual servers • Lots of memory • Fast hard disk (SSD) • Snapshots help to revert
The lab (II) • Physical servers • Old hardware • More is better • You lose snapshots • But you have Deep Freeze and FS snapshots
Software • Unpackers (upx, aspack, *lordpe, *importRec, PeID …) • (Un)compressors (7zip) • Sysinternals suite • API Monitor • Interpreted languages (perl and python) • Debuggers (gdb, radare, Immunity Debugger, Olly, …) • Decompilers (IDA Free, IDA Pro $$$ and the others)
Inventory • CMDB • Nmap (-sV) • OCS Inventory • Repositories
Automating inventory • Database • CPE normalization • Stats (use, vulnerabilities, …) • Information from outside (security lists, OSVDB, NVD, …) • Scripting is your friend
Classification criteria • Qualitative • Vulnerability impact • Complexity • Widely used • Personal preferences • Quantitative • Number of installations • Number of known vulnerabilities • Asset value • Visibility (local, remote) • Number of threats (none, few, many)
Fuzzing models • Mutation (dumb fuzzing) • Generation (smart fuzzing)
Know your enemy • What kind of application is it? • Network services • Web applications • Libraries • ActiveX • What kind of inputs? • Command line • Files • Network • Forms • Environment variables • URL • …
Files (I) • If we are lucky, previously documented • www.wotsit.org • www.fileformat.info • 010 Editor / Hexedit / others • If not documented • Through a valid files repository • Google – ext:svg • Bing – type:svg • Reverse engineering
Files (II) • Some interesting APIs • CreateFile / CloseHandle / open / close • lseek • WriteFile / ReadFile / write / read
Files (III) • eax=00000000 • cmp word ptr [eax+edx*2], 0ffffh
Network services (I) • Open protocols (RFC) • Sniffing traffic between client and server • What about clients? • From pcap to model
DEMO I – Network services • ActFax FTP Server • Video: http://www.youtube.com/watch?v=yOKVIgZso4M • Python • Sulley • PaiMei
Libraries (I) • Probably well documented • "Hidden" API • Exported symbols • Argument guessing
DEMO II – Library • AspEmail • Video: http://www.youtube.com/watch?v=7DxXiChy_Oc • Perl • VBScript • Do it yourself • WinDbg
ActiveX (I) • Probably well documented • Internet Explorer only • ActiveX interfaces • AxMan / COMRaider
Web applications (I) • Lots of documentation • Not only URL (headers, cookies, methods, …) • Ajax / JavaScript / app testing • OWASP
Common problems • Encryption • Checksum • Unknown format/protocol/whatever • Relations • Conditions • Code coverage
And now what? • Responsible disclosure • Sell it • Exploit • Patch (binary or source) • Full disclosure • IDS signature
Improvements • Parallel processing • Modified application • In-memory fuzzing • Reversing skills needed • Code coverage
In-memory fuzzing • Breakpoint sub_0xC0FF33 • Take snapshot • Change input • Input interaction • Exception? • Jump to snapshot • Restore snapshot • End sub • Jump to snapshot
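The mutation model from the "Fuzzing models" slide and the snapshot loop sketched in the in-memory fuzzing slide, as an added Python example that is not from the talk or its demos: the toy "KF" record format, its TlvParser with a deliberately missing bounds check, the sample bytes and the mutation strategies are all constructed for illustration.

```python
import copy
import random

# Constructed sample in a toy format: 'KF' magic, record count, then (len, payload) records
SAMPLE = b"KF\x02\x03abc\x02de"
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # boundary bytes worth trying

class TlvParser:
    """Constructed toy target: it trusts the count field, so a mutated count or a
    truncated body reads past the end of the data (IndexError stands in for a crash)."""
    def __init__(self):
        self.records = []                      # mutable state that each run changes
    def parse(self, data: bytes) -> int:
        if data[:2] != b"KF":
            raise ValueError("bad magic")
        count, pos = data[2], 3
        for _ in range(count):
            length = data[pos]                 # no bounds check: the toy's deliberate defect
            self.records.append(data[pos + 1:pos + 1 + length])
            pos += 1 + length
        return len(self.records)

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Mutation (dumb) fuzzing: one random change to a known-good sample."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0:                            # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1:                          # overwrite a byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    else:                                      # truncate the tail
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)

def fuzz(sample: bytes, iterations: int, seed: int = 1) -> list:
    """In-memory style loop: snapshot at the 'breakpoint', run a mutated input,
    record any exception, restore the snapshot, repeat."""
    rng = random.Random(seed)
    target = TlvParser()
    target.parse(sample)                       # reach the breakpoint with a good run
    snapshot = copy.deepcopy(target)           # take snapshot
    crashes = []
    for _ in range(iterations):
        case = mutate(sample, rng)             # change input
        try:
            target.parse(case)                 # input interaction
        except (IndexError, ValueError) as exc:  # exception? keep the case for triage
            crashes.append((case, type(exc).__name__))
        target = copy.deepcopy(snapshot)       # restore snapshot and jump back
    return crashes
```

The returned list is the set of inputs to triage; against a real binary the snapshot is process memory taken in the debugger rather than a deep copy, but the control flow is the same.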
Thanks (Ackstorm team) • Juan Carlos • Fer • Joan Carles • Me • Joan Pau • Xavi • Jordi • Gonzalo • Toni • Victor