Contains VeriSign Confidential and Proprietary Information
Fuzzing
Brute Force Vulnerability Discovery
Michael Sutton
Director, iDefense Labs
msutton@idefense.com
Agenda
+ Background
▪ What is fuzzing and who should do it?
+ Phases
▪ What are the various stages when fuzzing a target?
+ Fuzzer classes
▪ What can be fuzzed?
+ Automation
▪ Making the theoretical practical
+ Tools/Demos
▪ FileFuzz
▪ WebFuzz
▪ COMRaider
+ Advanced topics
+ The future of fuzzing
Vulnerability Discovery Methodologies – White Box
+ “Also known as glass box, structural, clear box and open box
testing. A software testing technique whereby explicit knowledge of
the internal workings of the item being tested are used to select the
test data.”
▪ Webopedia
+ Source code review
▪ Static analysis
▪ Pros
– Coverage
▪ Cons
– Dependencies
– Are we testing reality?
• Compiler issues
• Implementation scenarios
Vulnerability Discovery Methodologies – Black Box
+ “Also known as functional testing. A software testing technique whereby the
internal workings of the item being tested are not known by the tester.”
▪ Webopedia
+ Reverse engineering
▪ Static analysis
▪ Pros
– Complex vulnerabilities uncovered
▪ Cons
– Time consuming
– Deep knowledge required
+ Fuzzing
▪ Dynamic analysis
▪ Pros
– Relatively simple
– Realistic
▪ Cons
– Coverage
– Complex vulnerabilities missed
What is Fuzzing?
+ “Fuzz testing or fuzzing is a software testing technique. The basic idea is to
attach the inputs of a program to a source of random data ("fuzz"). If the
program fails (for example, by crashing, or by failing built-in code
assertions), then there are defects to correct.
The great advantage of fuzz testing is that the test design is extremely
simple, and free of preconceptions about system behavior.”
▪ Wikipedia
+ “Unexpected input causes unexpected results.”
▪ Michael Sutton
Who should fuzz?
+ Security researchers
▪ Reactive
+ QA Teams
▪ Proactive
+ Developers
▪ Proactive
[Diagram: lifecycle stages Design → Development → Quality Assurance → Production, annotated with where Developers and QA Teams (proactive) and Researchers (reactive) fuzz]
What can fuzzing do for you?
+ MS06-001 - Graphics Rendering Engine Vulnerability
▪ aka “Windows WMF Vulnerability”
▪ Appears to have been discovered through fuzzing
▪ Evidence
– Google search on strings in initial exploit identified probable source file
• JNK = c, Jun N, terminal, kitase
• kitase → kinase
– At the time, Google didn’t recognize WMF file types and therefore treated them as text
allowing a search for strings within the binary
– Diffing original file and exploit revealed evidence that fuzzing was used to discover the
vulnerability
Phases
Identify target
Identify inputs
Generate fuzzed data
Execute fuzzed data
Monitor for exceptions
Determine exploitability
Fuzzer Classes
+ Command line arguments
+ Environment variables
▪ Sharefuzz (www.immunitysec.com)
+ Web applications
▪ WebFuzz (Demo)
+ File formats
▪ FileFuzz (Demo – labs.idefense.com)
+ Network protocols
▪ SPIKE (www.immunitysec.com)
+ Memory
+ COM Objects
▪ COMRaider (Demo – labs.idefense.com)
+ Inter-Process Communication (IPC)
Automation
+ Test cases
▪ Approach
– Pre-generated test cases
▪ Tools
– PROTOS Test Suites
▪ Pro
– Consistency
▪ Con
– Static
– Time consuming
Automation
+ Brute force fuzzing
▪ Approach
– Raw byte manipulation
▪ Tool(s)
– FileFuzz
▪ Pro
– Simple
▪ Con
– Inefficient
– Fails to account for dependent values (e.g. checksums)
Automation
+ ‘Intelligent’ fuzzing
▪ Approach
– Templates developed based on protocol definitions
▪ Tools
– SPIKE
– SPIKEfile
▪ Pro
– Efficient
▪ Con
– Time consuming
FileFuzz
FileFuzz – Identify Target
+ Application vs. file type
▪ One file type → multiple targets
+ Vendor history
▪ Past vulnerabilities
+ High risk targets
▪ Default file handlers
– Windows Explorer
– Windows Registry
▪ Commonly traded file types
– Media files
– Office documents
– Configuration files
FileFuzz – Identify Inputs
+ Proprietary vs. open formats
▪ Vendor documents
▪ Wotsit.org
▪ Google
+ Binary files
▪ e.g. images, video, audio, office
documents, etc.
▪ Headers vs. data
+ Text files
▪ e.g. *.ini, *.inf, *.xml
▪ Name/value pairs
FileFuzz – Generate Fuzzed Data
+ Binary files
▪ Breadth (All or Range)
– Identify potential weaknesses
FF FF FF FF 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ÿÿÿÿ..Ûþ..Å...è.
D7 FF FF FF FF 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÿÿÿÿ.Ûþ..Å...è.
D7 CD FF FF FF FF DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÍÿÿÿÿÛþ..Å...è.
▪ Depth
– Determine level of control/influence
D7 CD FD 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íýš..Ûþ..Å...è.
D7 CD FE 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íþš..Ûþ..Å...è.
D7 CD FF 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íÿš..Ûþ..Å...è.
+ Text Files
▪ name = value
file_size = 10
file_size = AAAAA
file_size = AAAAAAAAAA
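The breadth and depth modes described on this slide, as an added example (not FileFuzz's own code): it regenerates the slide's two hex tables from a constructed 16-byte sample and applies the name=value mutation shown for text files. The unmodified third byte of the sample is not visible on the slide, so 0x00 stands in for it.

```python
"""Breadth and depth byte mutation as described on the FileFuzz slides.

Added example, not FileFuzz's own code. It reproduces the two hex tables on
the slide from a constructed 16-byte sample, plus the name=value text mutation.
"""
from typing import Iterator, Optional, Tuple

# Constructed sample: the slide's 16-byte header. The unmodified third byte is
# not visible on the slide, so 0x00 stands in for it here.
SAMPLE = bytes.fromhex("D7 CD 00 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03")


def breadth(data: bytes, width: int = 4, fill: int = 0xFF,
            start: int = 0, stop: Optional[int] = None) -> Iterator[Tuple[int, bytes]]:
    """Slide a `width`-byte block of `fill` across data[start:stop].

    Breadth mode looks for *where* the parser is sensitive: each case
    overwrites one window, so a crash localises the weak field.
    """
    stop = len(data) if stop is None else stop
    block = bytes([fill]) * width
    for offset in range(start, stop - width + 1):
        yield offset, data[:offset] + block + data[offset + width:]


def depth(data: bytes, offset: int) -> Iterator[Tuple[int, bytes]]:
    """Try all 256 values at one offset.

    Depth mode asks *how much control* a single byte gives over the
    parser once breadth mode has pointed at it.
    """
    for value in range(256):
        yield value, data[:offset] + bytes([value]) + data[offset + 1:]


def text_cases(line: str, lengths=(5, 10), char: str = "A") -> Iterator[str]:
    """Replace the value of a 'name = value' line with runs of `char`."""
    name, sep, _ = line.partition("=")
    for n in lengths:
        yield f"{name.strip()} {sep} {char * n}"


def dump_line(data: bytes) -> str:
    """Hex bytes plus a cp1252 text column, in the layout the slide uses."""
    text = ""
    for b in data:
        ch = bytes([b]).decode("cp1252", "replace")
        printable = b >= 0x20 and ch != "\ufffd" and ch.isprintable()
        text += ch if printable else "."
    return " ".join(f"{b:02X}" for b in data) + " ; " + text


if __name__ == "__main__":
    # Breadth over the first six bytes: three cases, exactly as on the slide.
    for offset, case in breadth(SAMPLE, stop=6):
        print(f"breadth@{offset}: {dump_line(case)}")
    # Depth at offset 2: 256 cases; show the last three (FD, FE, FF) as on the slide.
    for value, case in list(depth(SAMPLE, 2))[-3:]:
        print(f"depth=0x{value:02X}: {dump_line(case)}")
    for case in text_cases("file_size = 10"):
        print(case)
    # Caveat from the Automation slide: raw byte mutation does not fix up
    # dependent values such as length fields or checksums, so a parser that
    # validates them rejects every case before the interesting code runs.
```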
FileFuzz – Execute Fuzzed Data
+ Command line arguments
▪ Windows explorer
– Tools…Folder Options…File Types
FileFuzz – Monitor for Exceptions
+ Visual
▪ Error messages
▪ Blue screen
+ Event logs
▪ System logs
▪ Application logs
+ Debuggers
+ Return codes
+ Debugging API
FileFuzz – Monitor for Exceptions
+ Execute
▪ Automated and repeated
+ Monitor
▪ Library - libdasm
▪ Capture
– Memory location
– Registry values
– Exception type
+ Kill
▪ Set timeout
[*] "crash.exe" "C:\Program Files\WordPerfect Office 12\Programs\UA120.exe" 2000 /qt c:\fuzz\ast\8.ast
[*] Access Violation
[*] Exception caught at 00403f06 mov eax,[eax+edi*4]
[*] EAX:0014b1b8 EBX:00000005 ECX:00435c00 EDX:0012fbac
[*] ESI:00435c00 EDI:cccccccc ESP:0012fab8 EBP:0012fae8
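The execute, monitor and kill loop from this slide and the previous one, as an added example (Python, not FileFuzz's crash.exe): each case runs in its own process, is killed on timeout, and has its exit status mapped to an exception type. The stand-in targets are constructed from the Python interpreter itself; the NTSTATUS table covers the Windows exception codes a crashed process exits with.

```python
"""Execute, monitor and kill: the FileFuzz harness loop, as an added example.

Not FileFuzz's crash.exe. Each fuzzed case is run in its own process, killed if
it exceeds the timeout, and its exit status is mapped to an exception type so
crashes, hangs and clean exits can be triaged separately.
"""
import signal
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# NTSTATUS values a Windows process exits with when an unhandled exception
# terminates it.
WINDOWS_EXCEPTION_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}


@dataclass
class Result:
    case: str
    verdict: str   # "ok", "crash", "hang" or "error"
    detail: str


def classify(returncode: int) -> Tuple[str, str]:
    """Map a child's exit status to (verdict, detail)."""
    if returncode == 0:
        return "ok", "exited normally"
    if returncode < 0:  # POSIX: subprocess reports death-by-signal as -signo
        try:
            return "crash", signal.Signals(-returncode).name
        except ValueError:
            return "crash", f"signal {-returncode}"
    code = returncode & 0xFFFFFFFF  # Windows: the NTSTATUS of an unhandled exception
    if code in WINDOWS_EXCEPTION_CODES:
        return "crash", WINDOWS_EXCEPTION_CODES[code]
    # Non-zero exit without an exception: a handled error, still worth a look.
    return "error", f"exit code {returncode}"


def run_case(argv: Sequence[str], timeout: float, label: Optional[str] = None) -> Result:
    """Run one case; `timeout` (seconds) is the 'Kill' step for targets that hang."""
    label = label or argv[-1]
    try:
        proc = subprocess.run(list(argv), capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before re-raising, so nothing is left behind.
        return Result(label, "hang", f"killed after {timeout:.1f}s")
    verdict, detail = classify(proc.returncode)
    return Result(label, verdict, detail)


def fuzz_run(argv_template: Sequence[str], cases: Sequence[str],
             timeout: float = 2.0) -> List[Result]:
    """Run every case; '{case}' in the template is replaced by the case path,
    mirroring the slide's crash.exe invocation (target, timeout, args, fuzzed file)."""
    results = []
    for case in cases:
        argv = [arg.replace("{case}", case) for arg in argv_template]
        results.append(run_case(argv, timeout, label=case))
    return results


def report(results: Sequence[Result]) -> List[str]:
    """Crash-log style lines for everything that did not exit cleanly."""
    return [f"[*] {r.verdict.upper()} {r.detail} <- {r.case}"
            for r in results if r.verdict != "ok"]


def demo_targets() -> List[List[str]]:
    """Constructed stand-ins for a real target: the interpreter behaving as a
    well-behaved, a crashing and a hanging program (last argv item = case name)."""
    return [
        [sys.executable, "-c", "pass", "ok.bin"],
        [sys.executable, "-c", "import os; os.abort()", "crash.bin"],
        [sys.executable, "-c", "import time; time.sleep(30)", "hang.bin"],
    ]


if __name__ == "__main__":
    results = [run_case(argv, timeout=1.0) for argv in demo_targets()]
    for line in report(results):
        print(line)
```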
FileFuzz – Determine Exploitability
+ Skills
▪ Disassembly
▪ Debugging
+ Vulnerability types
▪ Stack overflows
▪ Heap overflows
▪ Integer handling
– Overflows
– Signedness
▪ DoS
– Out of bounds reads
– Infinite loops
– NULL pointer dereferences
▪ Logic errors
– Windows WMF vulnerability (MS06-001)
▪ Format strings
▪ Race conditions
FileFuzz – Demo (Breadth)
FileFuzz – Demo (Depth)
WebFuzz
WebFuzz – Identify Target
+ Server vs. Application
▪ Targeting applications can uncover server
vulnerabilities
+ Vendor history
▪ Past vulnerabilities
+ High risk targets
▪ Popular applications
– Download site counters
– Google queries (johnny.ihackstuff.com)
▪ External applications
– Wikis
– Web mail
– Discussion boards
– Blogs
WebFuzz – Identify Inputs
+ Potential input vectors
▪ Method
▪ Request-URI
▪ Protocol
▪ Headers
▪ Cookies
▪ Post data
+ Reconnaissance
▪ Web forms
▪ Authentication
▪ Hidden fields
▪ Client side scripting
+ Manual Tools
▪ Proxies
▪ LiveHTTPHeaders
+ Automated Tools
▪ Spiders
WebFuzz – Generate Fuzzed Data
+ Intelligent fuzzing
▪ Start with legitimate web request
▪ Build template to mutate requests
+ Request format
+ Fuzz Template
[Method] [Request-URI] HTTP/[Major Version].[Minor Version]
[HTTP Headers]
[Post Data]
[Methods] /[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/1.1
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1; InfoPath.1)
Host: [Overflow]
Proxy-Connection: Keep-Alive
WebFuzz – Execute Fuzzed Data
+ Fuzz classes
▪ Directory traversal
▪ Format strings
▪ Overflow
▪ SQL Injection
▪ XSS Injection
WebFuzz – Monitor for Exceptions
+ Execute
▪ Automated and repeated
+ Monitor
▪ HTML response
– Error messages
▪ Raw response
– User input
▪ Status codes
+ Kill
▪ Set timeout
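The WebFuzz template mechanism from the "Generate Fuzzed Data" slide together with the monitoring step on this slide, as an added example (not WebFuzz's own code): bracketed tokens in the slide's template are expanded one vector at a time, and each response is checked for status class, server error messages and whether the probe came back unescaped. The fuzz values, defaults, error signatures and sample responses are constructed for this example.

```python
"""WebFuzz-style request templating and response monitoring.

Added example, not WebFuzz's own code. The template is the one on the
"Generate Fuzzed Data" slide; the fuzz values, defaults, error signatures and
sample responses are constructed for this example.
"""
import html
import re
from typing import Dict, Iterator, List, Tuple

TEMPLATE = "\r\n".join([
    "[Methods] /[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/1.1",
    "Accept: */*",
    "Accept-Language: en-us",
    "Pragma: no-cache",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)",
    "Host: [Overflow]",
    "Proxy-Connection: Keep-Alive",
]) + "\r\n\r\n"

# What each bracketed token receives when it is the vector under test ...
FUZZ_CLASSES: Dict[str, List[str]] = {
    "Methods": ["OPTIONS", "TRACE"],
    "Traversal": ["../" * 8],
    "SQL": ["'"],             # a lone quote is enough to surface a SQL error page
    "XSS": ["<fz1337>"],      # inert sentinel tag: we only test whether it is reflected raw
    "Overflow": ["A" * 1024],
}
# ... and the benign value every other token gets in that request.
DEFAULTS: Dict[str, str] = {
    "Methods": "GET", "Traversal": "dir", "SQL": "1", "XSS": "1",
    "Overflow": "www.example.com",
}
TOKEN = re.compile(r"\[([^\]]+)\]")

# Server-side error fragments that show input reached a parser unsanitised.
ERROR_SIGNATURES = ["SQL syntax", "ODBC", "Unclosed quotation mark",
                    "Warning:", "Fatal error", "Stack Trace"]


def expand_template(template: str, classes: Dict[str, List[str]],
                    defaults: Dict[str, str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (token, value, request): one vector fuzzed per request, rest at defaults."""
    for token in TOKEN.findall(template):
        for value in classes.get(token, []):
            fill = {**defaults, token: value}
            yield token, value, TOKEN.sub(lambda m: fill[m.group(1)], template)


def analyse_response(raw: bytes, probe: str) -> Dict[str, object]:
    """Monitor step: status class, error messages, and whether the probe came back raw."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    text = body.decode("utf-8", "replace")
    flags: List[str] = []
    if status == 0:
        flags.append("malformed-status-line")
    elif status >= 500:
        flags.append("server-error")
    for sig in ERROR_SIGNATURES:
        if sig.lower() in text.lower():
            flags.append(f"error-message:{sig}")
            break
    escaped = html.escape(probe)
    if probe in text:
        flags.append("reflected-unescaped" if escaped != probe else "reflected")
    elif escaped in text:
        flags.append("reflected-escaped")
    return {"status": status, "flags": flags}


# Constructed responses standing in for a live target.
SAMPLE_RESPONSES = {
    "escaped": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Results for &lt;fz1337&gt;</p>",
    "reflected": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Results for <fz1337></p>",
    "sql": b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
           b"You have an error in your SQL syntax near ''' at line 1",
}

if __name__ == "__main__":
    for token, value, request in expand_template(TEMPLATE, FUZZ_CLASSES, DEFAULTS):
        print(f"--- fuzzing [{token}] ---")
        print(request.split("\r\n", 1)[0])
    for name, raw in SAMPLE_RESPONSES.items():
        probe = "'" if name == "sql" else "<fz1337>"
        print(name, analyse_response(raw, probe))
```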
WebFuzz – Determine Exploitability
+ Skills
▪ HTTP
▪ HTML
▪ Client side scripting
▪ SQL
+ Vulnerability types
▪ Denial of service
▪ Cross site scripting (XSS)
▪ SQL injection
▪ Directory traversal/Weak access control
▪ Weak authentication
▪ Weak session management (cookies)
▪ Buffer overflow
▪ Improperly supported HTTP methods
▪ Remote Command Execution
▪ Remote Code Injection
▪ Vulnerable Libraries
▪ HTTP Request Splitting
▪ Format Strings
WebFuzz - Demo
COMRaider
COMRaider – Identify Target
+ Client side attacks
+ Vendor history
▪ Past vulnerabilities
+ High risk targets
▪ Popular applications
+ Identify ActiveX controls
▪ Choose Active DLL or OCX file directly
▪ Scan a directory for registered COM
servers
▪ Manually enter a GUID
▪ Choose from controls that should be
loadable in IE
COMRaider – Identify Inputs
+ Identify fuzzable ActiveX controls
▪ Load and parse type library files (*.tlb) to
enumerate interfaces
or
▪ Create a live instance of the object to
query and load interface information
+ Scriptable ActiveX controls
▪ Accessible by web servers via Internet
Explorer
– Controls marked as Safe for Scripting or
implementing IObjectSafety
– Controls support IDispatch or IDispatchEx
interfaces
COMRaider – Generate Fuzzed Data
+ Examine each function and identify
variable types to determine fuzzing
scenarios
▪ Supported
– Ints
– Longs
– Doubles
– Strings
– Variants
▪ Not supported
– Singles
– Bytes
– Bools
+ Dynamically created Windows Script
Files (*.wsf)
COMRaider – Execute Fuzzed Data
+ Windows Script Host (wscript.exe) used
to execute *.wsf files
COMRaider – Monitor for Exceptions
+ Execute
▪ Automated and repeated
+ Monitor
▪ Debugger - crashmon.dll
– Record handled/unhandled exceptions
▪ Window logger
– Record/clear error dialogs
– Record modal windows
+ Kill
▪ 8 second timeout
COMRaider – Determine Exploitability
+ Skills
▪ Disassembly
▪ Debugging
+ Distributed auditing
▪ Audit results uploaded to and
downloaded from central MySQL server
+ Exceptions logged
▪ Exception code
▪ SEH chain
▪ Call stack
▪ Register values
▪ Recent/future opcodes
▪ Argument dump
▪ Stack dump
COMRaider - Demo
Advanced Topics
+ Fuzzing Frameworks
+ Automated structure identification
+ Fuzzer tracking (code coverage)
+ Intelligent exception detection and processing
The Future of Fuzzing
+ Tools
▪ Frameworks
▪ Integrated test environments
▪ Commercial tools
+ People
▪ Wider audience
▪ Proactive fuzzing – the shift from offense to defense
Questions

Weitere ähnliche Inhalte

Ähnlich wie msutton-fuzzing.ppt

Computer forensics libin
Computer forensics   libinComputer forensics   libin
Computer forensics libinlibinp
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
SplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunk
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Vipin George
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon Singapore 2018 - System call auditing made effective with machine l...DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon Singapore 2018 - System call auditing made effective with machine l...DevSecCon
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNCERT
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 

Ähnlich wie msutton-fuzzing.ppt (20)

Computer forensics libin
Computer forensics   libinComputer forensics   libin
Computer forensics libin
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
3871778
38717783871778
3871778
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
SplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk Enterprise
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTING
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
 
Latest presentation
Latest presentationLatest presentation
Latest presentation
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon Singapore 2018 - System call auditing made effective with machine l...DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensics
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
L27
L27L27
L27
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 

Kürzlich hochgeladen

Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...tanu pandey
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.CarlotaBedoya1
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh
 

Kürzlich hochgeladen (20)

Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298  )#  Call Girls in DubaiRussian Call Girls in %(+971524965298  )#  Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service

msutton-fuzzing.ppt

• 1. Fuzzing – Brute Force Vulnerability Discovery
Contains VeriSign Confidential and Proprietary Information
Michael Sutton
Director, iDefense Labs
msutton@idefense.com

• 2. Agenda
+ Background
▪ What is fuzzing and who should do it?
+ Phases
▪ What are the various stages when fuzzing a target?
+ Fuzzer classes
▪ What can be fuzzed?
+ Automation
▪ Making the theoretical practical
+ Tools/Demos
▪ FileFuzz
▪ WebFuzz
▪ COMRaider
+ Advanced topics
+ The future of fuzzing

• 3. Vulnerability Discovery Methodologies – White Box
+ “Also known as glass box, structural, clear box and open box testing. A software testing technique whereby explicit knowledge of the internal workings of the item being tested are used to select the test data.”
▪ Webopedia
+ Source code review
▪ Static analysis
▪ Pros
– Coverage
▪ Cons
– Dependencies
– Are we testing reality?
• Compiler issues
• Implementation scenarios

• 4. Vulnerability Discovery Methodologies – Black Box
+ “Also known as functional testing. A software testing technique whereby the internal workings of the item being tested are not known by the tester.”
▪ Webopedia
+ Reverse engineering
▪ Static analysis
▪ Pros
– Complex vulnerabilities uncovered
▪ Cons
– Time consuming
– Deep knowledge required
+ Fuzzing
▪ Dynamic analysis
▪ Pros
– Relatively simple
– Realistic
▪ Cons
– Coverage
– Complex vulnerabilities missed

• 5. What is Fuzzing?
+ “Fuzz testing or fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data ("fuzz"). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct. The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.”
▪ Wikipedia
+ “Unexpected input causes unexpected results.”
▪ Michael Sutton

• 6. Who should fuzz?
+ Security researchers
▪ Reactive
+ QA Teams
▪ Proactive
+ Developers
▪ Proactive
(Lifecycle graphic: Design → Development → Quality Assurance → Production, with Developers, QA Teams and Researchers placed along it)
• 7. What can fuzzing do for you?
+ MS06-001 - Graphics Rendering Engine Vulnerability
▪ aka “Windows WMF Vulnerability”
▪ Appears to have been discovered through fuzzing
▪ Evidence
– Google search on strings in initial exploit identified probable source file
• JNK = c, Jun N, terminal, kitase
• kitase → kinase
– At the time, Google didn’t recognize WMF file types and therefore treated them as text, allowing a search for strings within the binary
– Diffing original file and exploit revealed evidence that fuzzing was used to discover the vulnerability
Text of the probable source file reproduced on the slide (a list of apoptosis-related abbreviations): AIF = apoptosis-inducing factor; ANF = atrial natriuretic factor; apaf = apoptotic protease-activating factor; ARC = apoptosis repressor with caspase recruitment domain; BH = bcl-2 homology; CASH = caspase homologue; CD = cluster of differentiation; DED = death effector domain; DR = death receptor; ERK = extracellular signal-regulated kinase; FADD = Fas-associated death domain protein; FasL = Fas ligand; FLAME-1 = FADD-like antiapoptotic molecule; FLICE = FADD-homologous ICE/Ced-3-like protease; FLIP = FLICE-inhibitory proteins; I kappa B = inhibitor of NF kappa B; I-FLICE = inhibitor of FLICE; IAP = inhibitor of apoptosis protein; ICE = interleukin-1 beta-converting enzyme; IGF = insulin-like growth factor; JNK = c-Jun N-terminal kinase; MAPK = mitogen-activated protein kinase; MEK = MAPK/ERK kinase; MEKK = MEK kinase; NF kappa B = nuclear factor kappa B; NGF = nerve growth factor; PI-3 kinase = phosphatidylinositol-3 kinase; PKB, PKC = protein kinase B and C; RAIDD = RIP-associated ICH-1/Ced-3-homologous death domain protein; RIP = receptor-interaction protein; SAPK = stress-activated protein kinase; SEK = SAPK/ERK kinase; TdT = terminal deoxynucleotidyltransferase; TNF = tumor necrosis factor; TNFR = TNF receptor; TRADD = TNFR-associated death domain protein; TRAF = TNFR-associated factor; TRAIL = TNF-related apoptosis-inducing ligand; TUNEL = TdT-mediated dUTP nick end-labeling; zVAD.fmk = benzyloxycarbonyl-valine-alanine-aspartate fluoromethylketone
• 8. Phases
Identify target → Identify inputs → Generate fuzzed data → Execute fuzzed data → Monitor for exceptions → Determine exploitability
• 9. Fuzzer Classes
+ Command line arguments
+ Environment variables
▪ Sharefuzz (www.immunitysec.com)
+ Web applications
▪ WebFuzz (Demo)
+ File formats
▪ FileFuzz (Demo – labs.idefense.com)
+ Network protocols
▪ SPIKE (www.immunitysec.com)
+ Memory
+ COM Objects
▪ COMRaider (Demo – labs.idefense.com)
+ Inter-Process Communication (IPC)

• 10. Automation
+ Test cases
▪ Approach
– Pre-generated test cases
▪ Tools
– PROTOS Test Suites
▪ Pro
– Consistency
▪ Con
– Static
– Time consuming

• 11. Automation
+ Brute force fuzzing
▪ Approach
– Raw byte manipulation
▪ Tool(s)
– FileFuzz
▪ Pro
– Simple
▪ Con
– Inefficient
– Fails to account for dependent values (e.g. checksums)

• 12. Automation
+ ‘Intelligent’ fuzzing
▪ Approach
– Templates developed based on protocol definitions
▪ Tools
– SPIKE
– SPIKEfile
▪ Pro
– Efficient
▪ Con
– Time consuming

• 13. FileFuzz

• 14. FileFuzz – Identify Target
+ Application vs. file type
▪ One file type → multiple targets
+ Vendor history
▪ Past vulnerabilities
+ High risk targets
▪ Default file handlers
– Windows Explorer
– Windows Registry
▪ Commonly traded file types
– Media files
– Office documents
– Configuration files

• 15. FileFuzz – Identify Inputs
+ Proprietary vs. open formats
▪ Vendor documents
▪ Wotsit.org
▪ Google
+ Binary files
▪ e.g. images, video, audio, office documents, etc.
▪ Headers vs. data
+ Text files
▪ e.g. *.ini, *.inf, *.xml
▪ Name/value pairs
• 16. FileFuzz – Generate Fuzzed Data
+ Binary files
▪ Breadth (All or Range)
– Identify potential weaknesses
FF FF FF FF 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ÿÿÿÿ..Ûþ..Å...è.
D7 FF FF FF FF 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÿÿÿÿ.Ûþ..Å...è.
D7 CD FF FF FF FF DB FE 0B 00 C5 00 00 01 E8 03 ; ×ÍÿÿÿÿÛþ..Å...è.
▪ Depth
– Determine level of control/influence
D7 CD FD 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íýš..Ûþ..Å...è.
D7 CD FE 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íþš..Ûþ..Å...è.
D7 CD FF 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03 ; ×Íÿš..Ûþ..Å...è.
+ Text Files
▪ name = value
file_size = 10
file_size = AAAAA
file_size = AAAAAAAAAA
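The two mutation strategies on this slide, written out as an added example (this is not FileFuzz's own code). Breadth slides a block of fill bytes across the file to find where the parser is sensitive; depth holds one offset fixed and walks it through every value to measure how much control that byte gives. The 16-byte SAMPLE is constructed to resemble the header bytes on the slide (byte 2, C6, is a guess), and the hex-dump rendering reproduces the slide's layout.

```python
"""Breadth and depth byte mutation in the style of the FileFuzz slide.
Added example, not FileFuzz's own code. SAMPLE is a constructed 16-byte header
resembling the bytes shown on the slide; byte 2 (C6) is a guess.
"""
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed sample input, not read from a real file.
SAMPLE = bytes.fromhex("D7 CD C6 9A 00 00 DB FE 0B 00 C5 00 00 01 E8 03")


def breadth_mutations(data: bytes, window: int = 4, fill: int = 0xFF,
                      start: int = 0, stop: Optional[int] = None) -> Iterator[Tuple[int, bytes]]:
    """Slide a `window`-byte block of `fill` across [start, stop) ("All or Range").

    One test case per offset. This is the cheap pass that locates *where* the
    parser reacts, not how far a given field can be pushed.
    """
    stop = len(data) if stop is None else min(stop, len(data))
    for offset in range(start, stop - window + 1):
        mutated = bytearray(data)
        mutated[offset:offset + window] = bytes([fill]) * window
        yield offset, bytes(mutated)


def depth_mutations(data: bytes, offset: int,
                    values: Iterable[int] = range(256)) -> Iterator[Tuple[int, bytes]]:
    """Hold `offset` fixed and walk that single byte through `values`.

    Run after breadth found an interesting offset, to learn how much influence
    the byte has on the parser (length field, type tag, pointer index, ...).
    """
    for value in values:
        mutated = bytearray(data)
        mutated[offset] = value
        yield value, bytes(mutated)


def text_mutations(line: str, lengths: Iterable[int] = (5, 10, 100, 1000),
                   fill: str = "A") -> List[str]:
    """For a 'name = value' line, replace the value with runs of `fill`."""
    name, sep, _ = line.partition("=")
    if not sep:
        return []
    return [f"{name.strip()} = {fill * n}" for n in lengths]


def _preview(b: int) -> str:
    """Printable preview of one byte as the slide shows it (Windows-1252, '.' for controls)."""
    if b < 32 or b == 127:
        return "."
    try:
        return bytes([b]).decode("cp1252")
    except UnicodeDecodeError:
        return "."


def hexdump_line(data: bytes) -> str:
    """Render one row like the slide: hex bytes, then the character preview."""
    hexpart = " ".join(f"{b:02X}" for b in data)
    return f"{hexpart} ; {''.join(_preview(b) for b in data)}"


if __name__ == "__main__":
    for off, case in breadth_mutations(SAMPLE, stop=6):
        print(f"breadth@{off}: {hexdump_line(case)}")
    for val, case in depth_mutations(SAMPLE, 2, values=(0xFD, 0xFE, 0xFF)):
        print(f"depth[2]={val:02X}: {hexdump_line(case)}")
    for case in text_mutations("file_size = 10", lengths=(5, 10)):
        print(case)
```

Each generator yields the position or value that was changed alongside the mutated bytes, so the harness that writes and executes the cases can name the output file after it and a crash can be traced straight back to the responsible offset.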
• 17. FileFuzz – Execute Fuzzed Data
+ Command line arguments
▪ Windows explorer – Tools…Folder Options…File Types
• 18. FileFuzz – Monitor for Exceptions
+ Visual
▪ Error messages
▪ Blue screen
+ Event logs
▪ System logs
▪ Application logs
+ Debuggers
+ Return codes
+ Debugging API
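The execute / monitor / kill loop behind slides 17 and 18, as an added example rather than FileFuzz's own code: each test case is written to disk and passed to the target on its command line, the harness waits up to a timeout, kills a hung process, and classifies the outcome from the return code (one of the monitoring sources the slide lists). The stand-in target is a constructed Python script that aborts on a leading 0xFF byte and hangs on 0xFE; a real run would substitute the application under test.

```python
"""Execute-monitor-kill loop for file-format fuzzing.
Added example, not FileFuzz code. DEMO_TARGET is a constructed stand-in for
the application under test.
"""
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in target: aborts on a leading 0xFF byte (fatal signal),
# sleeps on 0xFE (hang), otherwise exits cleanly.
DEMO_TARGET = r"""
import os, sys, time
data = open(sys.argv[1], 'rb').read()
if data[:1] == b'\xff':
    os.abort()            # stands in for an access violation
if data[:1] == b'\xfe':
    time.sleep(60)        # stands in for an infinite loop
sys.exit(0)
"""


@dataclass
class Outcome:
    path: str
    status: str                 # "ok", "error", "crash" or "hang"
    returncode: Optional[int]
    stderr: str


def classify(returncode: Optional[int]) -> str:
    """Coarse verdict from a return code.

    POSIX reports a fatal signal as a negative code (-6 for SIGABRT, -11 for
    SIGSEGV); Windows reports an unhandled exception as an NTSTATUS such as
    0xC0000005. Any other non-zero value is an ordinary error exit.
    """
    if returncode is None:
        return "hang"
    if returncode == 0:
        return "ok"
    if returncode < 0 or (returncode & 0xC0000000) == 0xC0000000:
        return "crash"
    return "error"


def run_case(command: List[str], path: str, timeout: float) -> Outcome:
    """Launch `command + [path]`, enforce the timeout, record the result."""
    try:
        proc = subprocess.run(command + [path], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child at this point.
        return Outcome(path, "hang", None, "")
    return Outcome(path, classify(proc.returncode), proc.returncode,
                   proc.stderr.decode(errors="replace"))


def fuzz_files(command: List[str], cases: List[bytes], timeout: float = 2.0,
               workdir: Optional[str] = None) -> List[Outcome]:
    """Write each case to disk, execute it, keep every non-clean outcome."""
    workdir = workdir or tempfile.mkdtemp(prefix="fuzz-")
    outcomes: List[Outcome] = []
    for index, data in enumerate(cases):
        path = os.path.join(workdir, f"{index}.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        outcome = run_case(command, path, timeout)
        if outcome.status != "ok":
            outcomes.append(outcome)
    return outcomes


def demo_command() -> List[str]:
    """Command line for the constructed stand-in target."""
    script = os.path.join(tempfile.gettempdir(), "fuzz_demo_target.py")
    with open(script, "w") as fh:
        fh.write(DEMO_TARGET)
    return [sys.executable, script]


if __name__ == "__main__":
    results = fuzz_files(demo_command(), [b"\x00" * 16, b"\xff" * 16, b"\xfe" * 16], timeout=1.0)
    for r in results:
        print(r.status, r.returncode, r.path)
```

Return codes are the cheapest monitor and the least informative: they say that something went wrong, not where. The next slide's debugger-based capture is what turns a "crash" verdict into an address, an instruction and register state.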
• 19. FileFuzz – Monitor for Exceptions
+ Execute
▪ Automated and repeated
+ Monitor
▪ Library - libdasm
▪ Capture
– Memory location
– Register values
– Exception type
+ Kill
▪ Set timeout
Sample output:
[*] "crash.exe" "C:\Program Files\WordPerfect Office 12\Programs\UA120.exe" 2000 /qt c:\fuzz\ast\8.ast
[*] Access Violation
[*] Exception caught at 00403f06 mov eax,[eax+edi*4]
[*] EAX:0014b1b8 EBX:00000005 ECX:00435c00 EDX:0012fbac
[*] ESI:00435c00 EDI:cccccccc ESP:0012fab8 EBP:0012fae8
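A first-pass triage of the crash record above, written as an added example (not FileFuzz or crash.exe code). It parses the report format on the slide, works out whether the faulting instruction reads or writes memory, and checks whether any register used in the memory operand holds a repeated fill byte, which is the usual sign that bytes from the fuzzed file landed in it. The instruction and register values in SAMPLE_REPORT are the slide's; the command-line path is a placeholder.

```python
"""Crash-report triage for debugger output in the slide's "[*]" format.
Added example, not FileFuzz code. Instruction and register values below are
taken from the slide; the command-line path is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_REPORT = r"""
[*] "crash.exe" "C:\target\viewer.exe" 2000 /qt C:\fuzz\8.ast
[*] Access Violation
[*] Exception caught at 00403f06 mov eax,[eax+edi*4]
[*] EAX:0014b1b8 EBX:00000005 ECX:00435c00 EDX:0012fbac
[*] ESI:00435c00 EDI:cccccccc ESP:0012fab8 EBP:0012fae8
"""

X86_REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
# Mnemonics whose first operand is read, not written.
READ_FIRST = {"cmp", "test", "push"}


@dataclass
class CrashReport:
    exception: str
    address: int
    instruction: str
    registers: Dict[str, int]


def parse_report(text: str) -> CrashReport:
    """Pull exception type, faulting address/instruction and registers from "[*]" lines."""
    exception, address, instruction, regs = "", -1, "", {}
    for line in text.splitlines():
        body = line.strip()
        if not body.startswith("[*]"):
            continue
        body = body[3:].strip()
        m = re.match(r"Exception caught at ([0-9a-fA-F]{8})\s+(.*)", body)
        if m:
            address, instruction = int(m.group(1), 16), m.group(2).strip()
            continue
        pairs = re.findall(r"\b(E[A-Z]{2}):([0-9a-fA-F]{8})\b", body)
        if pairs:
            regs.update({name.lower(): int(val, 16) for name, val in pairs})
            continue
        if body.startswith('"'):
            continue                       # the launched command line
        exception = exception or body
    return CrashReport(exception, address, instruction, regs)


def memory_operand(instruction: str) -> Tuple[str, str]:
    """Return (access, operand): access is 'read', 'write', 'exec' or 'none'."""
    parts = instruction.split(None, 1)
    mnemonic = parts[0].lower()
    operands = [op.strip() for op in parts[1].split(",")] if len(parts) > 1 else []
    if mnemonic in ("call", "jmp") and operands and "[" in operands[0]:
        return "exec", operands[0]
    for pos, op in enumerate(operands):
        if "[" in op:
            write = pos == 0 and mnemonic not in READ_FIRST
            return ("write" if write else "read"), op
    return "none", ""


def operand_registers(operand: str) -> List[str]:
    """Registers referenced inside the [...] of a memory operand."""
    if "[" not in operand:
        return []
    inner = operand[operand.index("[") + 1:operand.index("]")].lower()
    return [tok for tok in re.findall(r"[a-z]+", inner) if tok in X86_REGS]


def controlled_registers(report: CrashReport, fills=(0xCC, 0xFF, 0x41)) -> List[str]:
    """Registers whose value is a single fill byte repeated, i.e. bytes from the fuzzed file."""
    hits = []
    for name, value in report.registers.items():
        raw = value.to_bytes(4, "little")
        if len(set(raw)) == 1 and raw[0] in fills:
            hits.append(name)
    return hits


def triage(report: CrashReport, fills=(0xCC, 0xFF, 0x41)) -> Dict[str, object]:
    """Combine access type and register taint into a priority verdict."""
    access, operand = memory_operand(report.instruction)
    used = operand_registers(operand)
    controlled = controlled_registers(report, fills)
    tainted = [r for r in used if r in controlled]
    if access == "none":
        verdict = "no memory operand; inspect exception type and surrounding code"
    elif tainted:
        verdict = f"{access} access through fuzz-controlled register(s) {', '.join(tainted)}; high priority"
    else:
        verdict = f"{access} access via uncontrolled pointer; likely out-of-bounds or NULL dereference"
    return {"exception": report.exception, "address": report.address, "access": access,
            "operand_registers": used, "controlled": controlled, "verdict": verdict}


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

For the slide's record this yields a read access violation at 00403f06 through `edi`, whose value cccccccc is the fill pattern, so the fuzzed file controls the index into `[eax+edi*4]`. That is exactly the kind of result the "Determine exploitability" phase then has to pick apart in a debugger.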
• 20. FileFuzz – Determine Exploitability
+ Skills
▪ Disassembly
▪ Debugging
+ Vulnerability types
▪ Stack overflows
▪ Heap overflows
▪ Integer handling
– Overflows
– Signedness
▪ DoS
– Out of bounds reads
– Infinite loops
– NULL pointer dereferences
▪ Logic errors
– Windows WMF vulnerability (MS06-001)
▪ Format strings
▪ Race conditions

• 21. FileFuzz – Demo (Breadth)

• 22. FileFuzz – Demo (Depth)

• 23. WebFuzz

• 24. WebFuzz – Identify Target
+ Server vs. Application
▪ Targeting applications can uncover server vulnerabilities
+ Vendor history
▪ Past vulnerabilities
+ High risk targets
▪ Popular applications
– Download site counters
– Google queries (johnny.ihackstuff.com)
▪ External applications
– Wikis
– Web mail
– Discussion boards
– Blogs

• 25. WebFuzz – Identify Inputs
+ Potential input vectors
▪ Method
▪ Request-URI
▪ Protocol
▪ Headers
▪ Cookies
▪ Post data
+ Reconnaissance
▪ Web forms
▪ Authentication
▪ Hidden fields
▪ Client side scripting
+ Manual Tools
▪ Proxies
▪ LiveHTTPHeaders
+ Automated Tools
▪ Spiders

• 26. WebFuzz – Generate Fuzzed Data
+ Intelligent fuzzing
▪ Start with legitimate web request
▪ Build template to mutate requests
+ Request format
[Method] [Request-URI] HTTP/[Major Version].[Minor Version]
[HTTP Headers]
[Post Data]
+ Fuzz Template
[Methods] /[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/1.1
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: [Overflow]
Proxy-Connection: Keep-Alive
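How a template such as the one on this slide expands into concrete requests, as an added example (not WebFuzz's own code). Each bracketed placeholder is a fuzz class; the generator substitutes one placeholder at a time from that class's list while the other placeholders keep a legitimate baseline value, so every request exercises exactly one input and a response anomaly can be attributed to it. TEMPLATE is the slide's; BASELINE and the short FUZZ_VALUES lists are constructed for this example.

```python
"""Template-driven request generation in the style of the WebFuzz slide.
Added example, not WebFuzz's own code. TEMPLATE is the slide's fuzz template;
BASELINE and FUZZ_VALUES are constructed for this example.
"""
import re
from typing import Dict, Iterator, List, Tuple

TEMPLATE = (
    "[Methods] /[Traversal]/page.html?x=[SQL]&y=[XSS] HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Pragma: no-cache\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)\r\n"
    "Host: [Overflow]\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "\r\n"
)

# Legitimate value for each placeholder: with these the request is a normal GET.
BASELINE: Dict[str, str] = {
    "Methods": "GET",
    "Traversal": "docs",
    "SQL": "1",
    "XSS": "hello",
    "Overflow": "www.example.com",
}

# A few representative probes per fuzz class (constructed; real lists are far longer).
FUZZ_VALUES: Dict[str, List[str]] = {
    "Methods": ["GET", "POST", "HEAD", "OPTIONS", "TRACE", "PROPFIND"],
    "Traversal": ["../" * 4, "..\\" * 4, "%2e%2e/" * 4],
    "SQL": ["'", "1 OR 1=1", "1' --"],
    "XSS": ["<script>alert(1)</script>", "\"><img src=x onerror=alert(1)>"],
    "Overflow": ["A" * 1024, "A" * 8192],
}

PLACEHOLDER = re.compile(r"\[([A-Za-z ]+)\]")


def placeholders(template: str) -> List[str]:
    """Placeholder names in order of first appearance, without duplicates."""
    return list(dict.fromkeys(PLACEHOLDER.findall(template)))


def render(template: str, values: Dict[str, str]) -> str:
    """Substitute every [Name] with values[Name]."""
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def generate_requests(template: str, baseline: Dict[str, str],
                      fuzz_values: Dict[str, List[str]]) -> Iterator[Tuple[str, str, str]]:
    """Yield (fuzz_class, payload, raw_request), mutating one placeholder per request."""
    for name in placeholders(template):
        for payload in fuzz_values.get(name, []):
            values = dict(baseline)
            values[name] = payload
            yield name, payload, render(template, values)


def request_count(template: str, baseline: Dict[str, str],
                  fuzz_values: Dict[str, List[str]]) -> int:
    return sum(1 for _ in generate_requests(template, baseline, fuzz_values))


if __name__ == "__main__":
    for fuzz_class, payload, request in generate_requests(TEMPLATE, BASELINE, FUZZ_VALUES):
        print(f"--- {fuzz_class}: {payload[:40]!r}")
        print(request.split("\r\n")[0])
```

Sending each raw request over a socket and reading the reply is the job of the execute and monitor phases that follow; the generator deliberately stops at producing the byte-exact request so that the same cases can be replayed later against a fixed build.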
• 27. WebFuzz – Execute Fuzzed Data
+ Fuzz classes
▪ Directory traversal
▪ Format strings
▪ Overflow
▪ SQL Injection
▪ XSS Injection

• 28. WebFuzz – Monitor for Exceptions
+ Execute
▪ Automated and repeated
+ Monitor
▪ HTML response
– Error messages
▪ Raw response
– User input
▪ Status codes
+ Kill
▪ Set timeout
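The three response-side monitors on this slide (status codes, error messages in the HTML, and the user's own input echoed back in the raw response) in one analysis routine, as an added example that is not WebFuzz's code. The sample responses are constructed; the error-message fingerprints are well-known database and framework strings. Unencoded reflection is reported separately from HTML-encoded reflection, since only the former indicates a missing output encoding.

```python
"""Response monitoring for web fuzzing as the slide lists it.
Added example, not WebFuzz's own code; SAMPLES are constructed responses.
"""
import html
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample responses standing in for what a target would return.
SAMPLES: Dict[str, str] = {
    "sql": ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
            "<html>You have an error in your SQL syntax near ''' at line 1</html>"),
    "xss": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            "<html>Results for <script>alert(1)</script></html>"),
    "safe": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             "<html>Results for &lt;script&gt;alert(1)&lt;/script&gt;</html>"),
}

# Error-message fingerprints from common database layers and frameworks.
ERROR_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"You have an error in your SQL syntax",   # MySQL
    r"ORA-\d{5}",                              # Oracle
    r"Unclosed quotation mark",                # SQL Server
    r"Warning: \w+\(\)",                       # PHP runtime warnings
    r"Stack Trace:",                           # ASP.NET error page
)]


@dataclass
class Finding:
    kind: str      # "status", "error-message", "reflection", "reflection-encoded"
    detail: str


def parse_status(raw: str) -> int:
    """Status code from the first line, or -1 if the response is malformed."""
    m = re.match(r"HTTP/\d\.\d (\d{3})", raw.split("\r\n", 1)[0])
    return int(m.group(1)) if m else -1


def split_response(raw: str) -> Tuple[str, str]:
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def analyze_response(raw: str, payload: str) -> List[Finding]:
    """Compare one response against the payload that produced it and report anomalies."""
    findings: List[Finding] = []
    status = parse_status(raw)
    if status == -1:
        findings.append(Finding("status", "malformed or empty response"))
    elif status >= 500:
        findings.append(Finding("status", f"server error {status}"))

    head, body = split_response(raw)
    for pattern in ERROR_PATTERNS:
        m = pattern.search(body)
        if m:
            findings.append(Finding("error-message", m.group(0)))

    if payload and payload in raw:
        where = "headers" if payload in head else "body"
        findings.append(Finding("reflection", f"payload echoed unencoded in {where}"))
    elif payload and html.escape(payload) in body:
        # Encoded echo is the expected, safe behaviour; recorded for context only.
        findings.append(Finding("reflection-encoded", "payload echoed HTML-encoded"))
    return findings


if __name__ == "__main__":
    for name, payload in (("sql", "'"), ("xss", "<script>alert(1)</script>"),
                          ("safe", "<script>alert(1)</script>")):
        print(name, [(f.kind, f.detail) for f in analyze_response(SAMPLES[name], payload)])
```

A baseline response captured with the legitimate values should be run through the same routine first, so that error strings or status codes present on every page are not counted as findings for every payload.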
• 29. WebFuzz – Determine Exploitability
+ Skills
▪ HTTP
▪ HTML
▪ Client side scripting
▪ SQL
+ Vulnerability types
▪ Denial of service
▪ Cross site scripting (XSS)
▪ SQL injection
▪ Directory traversal/Weak access control
▪ Weak authentication
▪ Weak session management (cookies)
▪ Buffer overflow
▪ Improperly supported HTTP methods
▪ Remote Command Execution
▪ Remote Code Injection
▪ Vulnerable Libraries
▪ HTTP Request Splitting
▪ Format Strings

• 30. WebFuzz - Demo

• 31. COMRaider

• 32. COMRaider – Identify Target
+ Client side attacks
+ Vendor history
▪ Past vulnerabilities
+ High risk targets
▪ Popular applications
+ Identify ActiveX controls
▪ Choose Active DLL or OCX file directly
▪ Scan a directory for registered COM servers
▪ Manually enter a GUID
▪ Choose from controls that should be loadable in IE

• 33. COMRaider – Identify Inputs
+ Identify fuzzable ActiveX controls
▪ Load and parse type library files (*.tlb) to enumerate interfaces, or
▪ Create a live instance of the object to query and load interface information
+ Scriptable ActiveX controls
▪ Accessible by web servers via Internet Explorer
– Controls marked as Safe for Scripting or implementing IObjectSafety
– Controls support IDispatch or IDispatchEx interfaces

• 34. COMRaider – Generate Fuzzed Data
+ Examine each function and identify variable types to determine fuzzing scenarios
▪ Supported
– Ints
– Longs
– Doubles
– Strings
– Variants
▪ Not supported
– Singles
– Bytes
– Bools
+ Dynamically created Windows Script Files (*.wsf)

• 35. COMRaider – Execute Fuzzed Data
+ Windows Script Host (wscript.exe) used to execute *.wsf files
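Slides 34 and 35 together describe generating one Windows Script File per test case from a method's parameter types and running it under wscript.exe. The added example below (not COMRaider's code) does the type-driven part: a boundary-value list for each supported type, one-argument-at-a-time substitution, and emission of a .wsf document that instantiates the control and calls the method. `Example.Control.1`, `LoadFile` and the signature are placeholders; the `//B` and `//Nologo` switches are standard Windows Script Host options.

```python
"""Type-driven .wsf test-case generation in the style of the COMRaider slides.
Added example, not COMRaider code. ProgID, method name and signature used in
the demo are placeholders.
"""
from typing import Dict, Iterator, List, Tuple
from xml.sax.saxutils import escape

# Boundary values per supported variable type, expressed as VBScript literals.
FUZZ_VALUES: Dict[str, List[str]] = {
    "int":     ["0", "-1", "32767", "-32768"],
    "long":    ["0", "-1", "2147483647", "-2147483648"],
    "double":  ["0", "-1", "1.7976931348623157E+308", "4.9E-324"],
    "string":  ['""', 'String(1024, "A")', 'String(65536, "A")', '"%s%s%s%n"'],
    "variant": ["Null", "Empty", "Nothing"],
}

# Benign value for each type so that untouched arguments stay valid.
BASELINE: Dict[str, str] = {
    "int": "1", "long": "1", "double": "1.0", "string": '"test"', "variant": "1",
}


def argument_sets(signature: List[str]) -> Iterator[Tuple[int, str, List[str]]]:
    """Fuzz one argument at a time; the rest keep their baseline values.

    Types the slide lists as unsupported (single, byte, bool) simply produce
    no cases here.
    """
    for index, vtype in enumerate(signature):
        for value in FUZZ_VALUES.get(vtype, []):
            args = [BASELINE[t] for t in signature]
            args[index] = value
            yield index, value, args


def build_wsf(progid: str, method: str, args: List[str]) -> str:
    """Return a .wsf document that creates the object and invokes one method.

    On Error Resume Next keeps the script alive across ordinary VBScript
    errors (bad argument type, E_INVALIDARG); an access violation inside the
    control still terminates wscript.exe, which is what the attached
    debugger (slide 36) records. The script body is XML-escaped because the
    <?xml?> declaration makes WSH parse the file strictly.
    """
    call = f"Call obj.{method}({', '.join(args)})"
    return (
        '<?xml version="1.0"?>\n'
        '<job id="fuzzcase">\n'
        '  <script language="VBScript">\n'
        "    On Error Resume Next\n"
        f'    Set obj = CreateObject("{progid}")\n'
        f"    {escape(call)}\n"
        "  </script>\n"
        "</job>\n"
    )


def generate_cases(progid: str, method: str, signature: List[str]) -> List[Tuple[str, str]]:
    """All (label, wsf_text) pairs for one method."""
    cases = []
    for index, value, args in argument_sets(signature):
        label = f"{method}_arg{index}_{value[:12]}"
        cases.append((label, build_wsf(progid, method, args)))
    return cases


def wscript_command(wsf_path: str) -> List[str]:
    """Command line that executes one case: batch mode, no banner (slide 35)."""
    return ["wscript.exe", "//B", "//Nologo", wsf_path]


if __name__ == "__main__":
    # Placeholder control and method; a real run takes these from the type library.
    for label, wsf in generate_cases("Example.Control.1", "LoadFile", ["long", "string"]):
        print(f"=== {label}\n{wsf}")
```

The one-argument-at-a-time scheme keeps the case count linear in the number of parameters; COMRaider's further refinement of pairing each case with a debugger and an eight-second kill timer is the subject of the next slide.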
• 36. COMRaider – Monitor for Exceptions
+ Execute
▪ Automated and repeated
+ Monitor
▪ Debugger - crashmon.dll
– Record handled/unhandled exceptions
▪ Window logger
– Record/clear error dialogs
– Record modal windows
+ Kill
▪ 8 second timeout

• 37. COMRaider – Determine Exploitability
+ Skills
▪ Disassembly
▪ Debugging
+ Distributed auditing
▪ Audit results uploaded to and downloaded from central MySQL server
+ Exceptions logged
▪ Exception code
▪ SEH chain
▪ Call stack
▪ Register values
▪ Recent/future opcodes
▪ Argument dump
▪ Stack dump

• 38. COMRaider - Demo

• 39. Advanced Topics
+ Fuzzing Frameworks
+ Automated structure identification
+ Fuzzer tracking (code coverage)
+ Intelligent exception detection and processing

• 40. The Future of Fuzzing
+ Tools
▪ Frameworks
▪ Integrated test environments
▪ Commercial tools
+ People
▪ Wider audience
▪ Proactive fuzzing – the shift from offense to defense

• 41. Questions