2011-03-03

[Video] sickfuzz v0.2

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/4828127
Download video: http://www.mediafire.com/?7nil8uh5ztzeg72



Brief Overview
This video is a brief introduction to "fuzzing". The author, sickn3ss, requested a video to demonstrate his latest project, called sickfuzz. You can read what he has to say about it here.

Fuzzing is sending invalid, unexpected or random data to a program's inputs and watching what happens to the program in question. For example, suppose there is a question "Have you got milk?", whose answers are either "Yes" or "No". What happens when you try "Maybe", "-1" or "34c96c@23" instead? The program mishandling the input may crash, leading to security issues such as (un)exploitable buffer overflows, Denial of Service (DoS), etc.

"A fuzzer is a program which injects automatically semi-random data into a program/stack and detects bugs." ~ OWASP


Method
   * Setup a web server
   * Check status
   * Fuzz it
   * Watch for response
   * Check status
   * Repeat
   * Analyse captured packets


What do I need?
   * sickfuzz - Download here
   * Python - Download here (Comes with backtrack 4 r2)
   * SPIKE - Download here (Comes with backtrack 4 r2)
   * tshark - Download here (Comes with wireshark that can be found in backtrack 4 r2)
   * Web servers - Below are the ones used in the demonstration
      * Name: Savant Web Server
      * Homepage: http://savant.sourceforge.net/
      * Download: http://www.exploit-db.com/application/10434/
      * Sickfuzz Script: 1

      * Name: PMSoftware Simple Web Server
      * Homepage: http://www.pmx.it/software/sws.asp
      * Download: http://www.pmx.it/software/sws.asp
      * Sickfuzz Script: 5

      * Name: MiniShare
      * Homepage: http://minishare.sourceforge.net/
      * Download: http://ftp.heanet.ie/disk1/sourceforge/m/project/mi/minishare/OldFiles/minishare-1.4.1.exe
      * Sickfuzz Script: 1


Walk through
The user first downloads, installs and configures a web server of their choosing, after which they scan the network for the server and check that its port is open (the default is usually 80).

After downloading the latest and greatest version of sickfuzz (don't forget to add it to your svn collection, which simplifies updating it), the user extracts it, runs it for the first time and sees the help screen.

After typing in all the necessary command line options, and before any fuzzing happens, sickfuzz checks whether the port is open. If it is, sickfuzz automatically starts capturing (using tshark, the command line version of wireshark), allowing the user to analyse how the web server responds.

Sickfuzz uses SPIKE to send a collection of inputs known to cause problems for web servers; it currently supports fuzzing a mixture of URL and header fields:
   * GET /
   * GET /abc=
   * HEAD /
   * POST /
   * GET / (HTTP/1.1)
   * HEAD / (HTTP/1.1)
   * POST / (HTTP/1.1)
   * Authorization:
   * Content-Length:
   * If-Modified-Since:
   * Connection:
   * X-a:

During the fuzzing, sickfuzz checks whether the service has crashed (although sometimes this isn't apparent until the program has closed; for example, with PMSoftware's SWS the web server did not stop responding until the user clicked "Okay" on the crash message). If the server has crashed, sickfuzz will stop and exit.

After it has worked through the script's fields, sickfuzz will either stop (--script x) or carry on with the next script (--script all), depending on the option given.

When sickfuzz has ended, the user can then analyse the collected packets for themselves to see what caused the crash.
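As an added example (not sickfuzz's own code), here is the check-status / fuzz it / watch for response / check status / repeat loop from the method above, written in Python against a constructed stand-in server that "crashes" on any over-long request line or header. The three fields, the payload lengths and the stand-in server are assumptions for illustration; the EOF case is what sickfuzz reports as "Server closed connection!".

```python
import socket
import threading

FIELDS = [  # (field name, request builder) for three of the fields listed above; p is the payload
    ("GET /", lambda p: f"GET /{p} HTTP/1.0\r\n\r\n"),
    ("Authorization:", lambda p: f"GET / HTTP/1.0\r\nAuthorization: {p}\r\n\r\n"),
    ("X-a:", lambda p: f"GET / HTTP/1.0\r\nX-a: {p}\r\n\r\n"),
]

def port_open(host, port):  # the "Check status" step: does a plain TCP connect still succeed?
    try:
        socket.create_connection((host, port), timeout=1.0).close()
        return True
    except OSError:
        return False

def send_case(host, port, request):  # "Fuzz it" then "Watch for response" for a single case
    try:
        with socket.create_connection((host, port), timeout=2.0) as s:
            s.sendall(request.encode("latin-1"))
            return "response" if s.recv(4096) else "closed"  # EOF is the "Server closed connection!" case
    except OSError as e:
        return "timeout" if isinstance(e, socket.timeout) else "closed"

def fuzz(host, port, lengths=(16, 256, 4096)):
    # Each field with growing payloads; re-check status after every case and stop once the service is gone.
    log = []
    for field, build in FIELDS:
        for n in lengths:
            log.append((field, n, send_case(host, port, build("A" * n)), port_open(host, port)))
            if not log[-1][3]:  # service no longer accepting connections: stop, as sickfuzz does
                return log
    return log

def start_toy_server(limit=512):  # constructed stand-in target; "crashes" on any line longer than limit
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener is gone: the simulated crash has happened
            with conn:
                req = conn.recv(65536)
                if req and max(map(len, req.split(b"\r\n"))) > limit:
                    srv.close()  # drop the listener before the client sees EOF, so the status check fails
                elif req:
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]
```

Running fuzz("127.0.0.1", start_toy_server()) logs two normal responses for the short "GET /" payloads, then a closed connection with the status check failing on the 4096-byte request line, at which point the loop stops.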


Commands
nmap 192.168.0.0/24 -n -sP -sn
nmap 192.168.0.104 -T5
clear

tar zxvf sickfuzz_v02.tar.gz
cd sickfuzz
./sickfuzz.py

#Savant Web Server
nmap 192.168.0.104 -p 80 -sV
./sickfuzz.py --spike /pentest/fuzzers/spike/ --fpath /root/sickfuzz/ --script 1 --ip 192.168.0.104 --port 80 --iface eth0 --log /root/
nmap 192.168.0.104 -p 80 -sV
clear

#PMSoftware
firefox -> 192.168.0.104
firefox -> http://www.exploit-db.com/exploits/945/
./sickfuzz.py --script-show
./sickfuzz.py --spike /pentest/fuzzers/spike/ --fpath /root/sickfuzz/ --script 5 --ip 192.168.0.104 --port 80 --iface eth0 --log /root/
wireshark -> Filter -> http && ip.addr == 192.168.0.104
firefox -> 192.168.0.104
clear

#MiniShare
./sickfuzz.py --spike /pentest/fuzzers/spike/ --fpath /root/sickfuzz/ --script all --ip 192.168.0.104 --port 80 --iface eth0 --log /root/

Notes
   * For more information on fuzzing, check the fuzzing articles on Wikipedia and OWASP

Song: Clutch - 10001110101
Video length: 5:00
Capture length: 31:19
Blog Post: http://g0tmi1k.blogspot.com/2011/03/video-sickfuzz-v02.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/38311-%5Bvideo%5D-sickfuzz-v0-2-a.html#post190745



~g0tmi1k

7 comments:

  1. Why don't you use the flags
    -p 80 --open
    on nmap to list only machines with this port open?

  2. @Hans
    Because more than one machine was running a web server (e.g. I have three routers with a web UI and an Apache server running).
    (Didn't want people to get confused with why THAT machine, not the others.)

    The first scan was to detect the VM with the web server; the second scan was to show what common ports were open (which was JUST a web server, therefore I couldn't attack anything else).

    The 3rd and 4th scans were to demonstrate just the server being open and its detected version. (I wanted to use the same command to show the difference in outputs.)

  3. Hi g0tmi1k,
    this is my first time dropping a comment at your webpage.
    Good information that you have shared, keep it going :)

    I want to ask about setting up VMware for penetration testing like you do, I mean with the 3 routers. Are those 3 routers virtual routers? If yes, I request your help.

  4. @c4in4ble
    Cheers for the feedback and thanks for commenting.

    For the record: I've only just converted from Virtual Box to VMware Player.

    No, they are physical routers in the house. You can create virtual ones though; I know there are more, but I'm currently trying out: http://www.vyatta.com/

  5. Thanks for the reply. I will look for it.

  6. I'm getting "***Server closed connection!". Does that mean the web server closed the connection because of bad packets?

  7. @c4in4ble
    I hope it works for you! =)


    @Sasi
    The server has stopped working for one reason or another! Try adding "usleep(50000)" to every .spk script, to see what's happening.
    Don't forget to also update sickfuzz!
    https://code.google.com/p/sickfuzz/
    *It's also in the backtrack repos now!*
