Awesome Fuzzing for Pen-tester
By Manich Koomsusi, OSCP, OSCE
Security Consultant
#!/bin/Whoami
Name = Manich Koomsusi
Nick-Name = MarTy
Jobs = Security Consultant, SnoopBees Co., Ltd.
FB = manich.koomsusi
Agenda
0x01 What is Fuzzing ?
0x02 Fuzzing Techniques
0x03 Intelligent Mutation
0x04 Sulley Fuzzing Framework
0x05 Setup the Weapon
0x06 Demo Fuzzing HTTP and FTP
0x07 Demo Fuzzing File Format
0x08 Q / A ?
0x01
What is Fuzzing ?
Fuzzing is simply a software testing mechanism that sends malformed input to a protocol implementation, such as a web application or a file format parser (PDF, MS Word, etc.).
Fuzzing is a useful research technique for identifying vulnerabilities.
Fuzzing is an essential part of the Software Development Lifecycle (SDL).
0x02
Fuzzing Techniques
Static Test Case
• Information collection: the analyst identifies individual tests
• Each test case is stored as a file that can be sent to the target, often a binary file
• Lots of up-front development time
• Scope of the test limited by the analyst's creativity
Randomized
• Starts with a valid frame
• Selected portions are replaced with randomized data
• Simple to develop and utilize
• No protocol knowledge needed
• Infinite run-time process
• Difficult to pin-point the cause of a crash
0x02
Fuzzing Techniques CONT.
Mutation
• No protocol analysis
• Mutates one byte/short/long at a time
• History of success, but limited to finding parsing flaws in strings and delimiters
• Quick to get started using fuzzing tools
• Finite runtime: stops after it exhausts all mutations
0x02.1 - 0x02.3
Sample Fuzzing Tools
Taof (The Art of Fuzzing) (screenshot slides)
0x03
Intelligent Mutation
• Describes a protocol and tests permutations
• Protocol “grammar”
• Identifies fields
• Lots of up-front time analyzing (the protocol is defined and that knowledge is used to build the protocol “grammar”)
• Best method for comprehensive code-reaching tests
0x03.1
Intelligent Mutation
What to test ?
• Using intelligent mutation
• The analyst selects the permutations (the fields and the data permutations for each individual test case)
• Randomly inserting new data has limited value in testing; it discovers only “surface” vulnerabilities
• For more comprehensive analysis, target specific fields (such as specific header fields)
0x03.2
Intelligent Mutation
What to test ?
• Signed and Unsigned Integers
• Signed integers => Positive(+) and Negative(-)
• Unsigned integers => Positive(+) only
• MSB (Most Significant Bit) indicates +/- when signed

Value    Signed    Unsigned
1        1         1
-1       -1        4294967295

What happens ?
memcpy(destptr, srcptr, -1);
0x03.3
Intelligent Mutation
What to test ?
• Integer Underflow

Index:    -4 -3 -2 -1 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | 16 ...
Region:   Other declarations | <--------------- Array ---------------> | Other memory

A negative index reaches the memory before the array (other declarations); an index past the end reaches other memory.
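As an added illustration (not from the slides) of why -1 is on the test list: the model below reads a length field the way the flawed C pattern on the previous slide does, checks it as a signed value, then reinterprets the same bits as the unsigned size that memcpy() would receive. The record layout, the 256-byte limit and the function names are constructed for this example.

```python
import struct

MAX_PAYLOAD = 256  # size of the receiving buffer (constructed limit for this example)


def to_unsigned32(value):
    """Reinterpret a signed 32-bit value as unsigned, which is what a size_t
    parameter sees when handed a negative int: -1 becomes 4294967295."""
    return struct.unpack("<I", struct.pack("<i", value))[0]


def parse_record_vulnerable(blob):
    """Model of the flawed pattern: the length field is read as a *signed* int,
    the bounds check passes for negative values, and the copy then runs with
    the same bits reinterpreted as an unsigned size (memcpy(dst, src, -1))."""
    length = struct.unpack_from("<i", blob, 0)[0]   # signed read of the 4-byte header
    if length > MAX_PAYLOAD:                        # -1 > 256 is False, so -1 slips through
        return "rejected"
    copy_len = to_unsigned32(length)                # the size memcpy's size_t would receive
    return "copy %d bytes" % copy_len


def parse_record_fixed(blob):
    """Hardened version: read the field as unsigned and bound it by both the
    buffer limit and the number of bytes actually present after the header."""
    length = struct.unpack_from("<I", blob, 0)[0]   # unsigned read: no negative values exist
    available = len(blob) - 4
    if length > MAX_PAYLOAD or length > available:
        return "rejected"
    return "copy %d bytes" % length


def run_cases(values):
    """Build a record from each constructed length value plus a 16-byte payload,
    feed it to both parsers and return {value: (vulnerable_verdict, fixed_verdict)}."""
    results = {}
    for v in values:
        header = struct.pack("<i", v) if v < 0 else struct.pack("<I", v)
        record = header + b"A" * 16
        results[v] = (parse_record_vulnerable(record), parse_record_fixed(record))
    return results


if __name__ == "__main__":
    for value, (vuln, fixed) in run_cases([1, 16, 300, -1, 0xFFFFFFFF]).items():
        print("%11d  vulnerable: %-22s fixed: %s" % (value, vuln, fixed))
```

The signed check rejects 300 but happily accepts -1, and the unsigned copy length that follows is the 4294967295 from the table; reading the field as unsigned and checking against the bytes actually present closes both the sign trick and the oversized-but-positive case.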
0x03.4
Intelligent Mutation
What to test ?
• Strings
0x03.5
Intelligent Mutation
What to test ?
• Field Delimiters
0x03.6
Intelligent Mutation
What to test ?
• Directory Traversal
What happens ?
“../../../../../../../../../../etc/passwd” ?
0x04
Sulley Fuzzing Framework
Leveraging
• Framework for describing a protocol (grammar)
• Delivers protocol mutations based on the grammar
  - Monitors the process, logs traffic
  - Controls VMs to reset the target
  - Assists in the analysis of crashes
• Written in Python
• Full functionality on Windows only
0x04.1
Sulley Fuzzing Framework
Setting Up
• Integrates with VMware restart and snapshot
• Control over an RPC protocol
• Multiple simultaneous targets
0x04.2
Sulley Fuzzing Framework
Sulley functions to fuzz an HTTP server GET request
RFC2616 - HTTP 1.1
GET /index.html HTTP/1.1
Host: 192.168.1.31
0x04.3
Sulley Fuzzing Framework
HTTP GET Request Initialization
• s_initialize()
  • Takes the fuzzer name
  • Uses a global variable to keep track of the current request
0x04.4
Sulley Fuzzing Framework
HTTP GET Request Immutable Values
• s_static()
  • Data does not change
0x04.5
Sulley Fuzzing Framework
HTTP GET Request Delimiters
• s_delim()
  • Specify a default value
0x04.6
Sulley Fuzzing Framework
HTTP GET Request Strings
• s_string()
  • Mutations include
    - Repetition (x2, x1000, …)
    - String omission
    - Directory recursion (../../../)
    - Format strings (%n)
    - Command injection (|calc)
    - SQL injection (1;SELECT *)
    - CR+LF x 1000
    - NULL termination
    - Binary strings (\xde\xad)
0x04.7
Sulley Fuzzing Framework
HTTP GET Request Numbers
• Binary or ASCII
• 1/2/4/8 byte: s_byte(), s_short(), s_long(), s_double()
  - format = string => for ASCII output
  - format = binary => for binary output
  - endian = “<” => for little-endian
  - endian = “>” => for big-endian
  - test cases +/- 10 around the border cases near 0
  - Maximum values (MAX/2, MAX/3, MAX/32, etc.)
0x04.8
Sulley Fuzzing Framework
HTTP GET Request Counting Mutations && Estimating Runtime
• s_num_mutations()
  • Returns the number of mutations
0x04.9
Sulley Fuzzing Framework
HTTP GET Request Displaying Mutations
• s_render() => returns the current rendering
• s_mutate() => generates the next mutation
• s_hex_dump() => hex/ASCII dump of the current rendering
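To make the s_initialize()/s_static()/s_delim()/s_string() walk-through above concrete without a Windows box with Sulley installed, here is an added, self-contained Python model of the same grammar-and-mutation idea, written for this page rather than taken from Sulley. It is not Sulley's API: the `Field`/`Request` class names, the mutation list (a subset of the classes listed on slide 0x04.6), the one-field-at-a-time ordering and the hex dump layout are this example's own choices.

```python
# A subset of the string mutation classes listed on the slide; each takes the
# field's default value and returns the mutated bytes (constructed for this example).
STRING_MUTATIONS = [
    lambda v: v * 2,                   # repetition x2
    lambda v: v * 1000,                # repetition x1000
    lambda v: b"",                     # string omission
    lambda v: b"../" * 10 + v,         # directory recursion
    lambda v: b"%n" * 8,               # format string
    lambda v: b"\r\n" * 1000,          # CR+LF x 1000
    lambda v: v + b"\x00",             # NULL termination
    lambda v: b"\xde\xad" * 4,         # binary string
]
# Delimiters get a smaller set: repeat them or drop them
DELIM_MUTATIONS = [lambda v: v * 2, lambda v: v * 1000, lambda v: b""]


class Field:
    """One protocol field with a default value and a list of mutation functions."""

    def __init__(self, default, mutations):
        self.default = default
        self.mutations = mutations
        self.index = 0                     # 0 = default value, k = k-th mutation

    def render(self):
        if self.index == 0:
            return self.default
        return self.mutations[self.index - 1](self.default)

    def exhausted(self):
        return self.index >= len(self.mutations)


class Request:
    """A protocol grammar (the role of s_initialize): fields are mutated one at a
    time, left to right, while every other field keeps its default value."""

    def __init__(self, name):
        self.name = name
        self.fields = []
        self.current = 0

    def static(self, value):                 # s_static: never mutated
        self.fields.append(Field(value, []))

    def delim(self, value):                  # s_delim: delimiter with a default
        self.fields.append(Field(value, DELIM_MUTATIONS))

    def string(self, value):                 # s_string: fuzzable string
        self.fields.append(Field(value, STRING_MUTATIONS))

    def num_mutations(self):                 # s_num_mutations
        return sum(len(f.mutations) for f in self.fields)

    def render(self):                        # s_render
        return b"".join(f.render() for f in self.fields)

    def mutate(self):                        # s_mutate: advance; False once exhausted
        while self.current < len(self.fields):
            field = self.fields[self.current]
            if not field.exhausted():
                field.index += 1
                return True
            field.index = 0                  # restore the default before moving on
            self.current += 1
        return False

    def hex_dump(self, data=None, width=16):  # s_hex_dump: offset, hex bytes, ASCII
        data = self.render() if data is None else data
        lines = []
        for off in range(0, len(data), width):
            chunk = data[off:off + width]
            hexs = " ".join("%02x" % b for b in chunk)
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
            lines.append("%04x  %-*s  %s" % (off, width * 3 - 1, hexs, text))
        return "\n".join(lines)


def http_get_request(host=b"192.168.1.31"):
    """The GET request from slide 0x04.2, described field by field."""
    req = Request("HTTP GET")
    req.static(b"GET")
    req.delim(b" ")
    req.string(b"/index.html")
    req.delim(b" ")
    req.static(b"HTTP/1.1\r\n")
    req.static(b"Host:")
    req.delim(b" ")
    req.string(host)
    req.static(b"\r\n\r\n")
    return req


def all_test_cases(req):
    """Walk mutate()/render() until the grammar is exhausted; case 0 is the
    unmodified request."""
    cases = [req.render()]
    while req.mutate():
        cases.append(req.render())
    return cases


if __name__ == "__main__":
    req = http_get_request()
    print("mutations:", req.num_mutations())
    for case in all_test_cases(req)[:5]:
        print(req.hex_dump(case))
        print()
```

With three delimiters and two strings the grammar yields 25 mutations plus the baseline; the static "GET", version and CRLF fields are never touched, which is exactly the point of describing the protocol rather than flipping random bytes.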
0x04.A
Sulley Fuzzing Framework
HTTP GET Request Output
0x04.B
Sulley Fuzzing Framework
HTTP GET Request Output
DEMO
0x04.C
Sulley Fuzzing Framework
Sessions
• A fuzzer is identified by the name given to s_initialize()
• Can join multiple fuzzers
• One or more targets, with control options
• Over TCP, UDP or SSL
• Uses graph theory to fuzz each component
0x04.D
Sulley Fuzzing Framework
Sessions
• Add a fuzzer to the session using connect()
• The fuzzer is returned by s_get()
  - Name from s_initialize()
• Multiple nodes are chained one edge at a time
  - mysess.connect(s_get("FOO"))
  - mysess.connect(s_get("FOO"), s_get("BAR"))
  - mysess.connect(s_get("BAR"), s_get("BAZ"))
0x04.E
Sulley Fuzzing Framework
Sessions
• Specify the target with sessions.target()
• Packet capture agent: netmon
• Process analysis agent: procmon
0x04.F
Sulley Fuzzing Framework
Sessions
• Add the target to fuzz with add_target()
• Fuzzing runs in parallel, limited by CPU
• fuzz() starts!
0x04.11
Sulley Fuzzing Framework
Session Agents
• netmon: captures traffic to a libpcap file
• procmon: monitors the process for faults
• vmcontrol: starts, stops and resets the guest; takes, deletes and restores snapshots
0x04.12
Sulley Fuzzing Framework
Steps for Running Sulley
• Start procmon.py
• Start netmon.py
• Start the target software
• Start the fuzzing script
• Monitor status with the web UI
• And !!!!!!
0x04.13
Sulley Fuzzing Framework
Post-Mortem Analysis
• Sulley includes two tools to help in assessing session results
• pcap_cleaner.py <crash bin> <pcaps/>: removes captured pcaps that are not tied to a crash in the crash bin
• crashbin_explorer.py: navigate, examine and graph crash data
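The session loop, the procmon agent, the target reset and the crash bin described in the last few slides fit together as shown below. This is an added model written for this page, not Sulley's sessions module: the `Session`/`crash_report` names, the `ToyTarget` with its two planted faults, the fault strings and the five test cases are all constructed here.

```python
from collections import defaultdict


class Session:
    """Delivery loop modelled on a Sulley session: each test case goes to a
    transport callable, a process-monitor callable is polled after every send
    (the procmon agent's role), and crashing cases are filed in a crash bin
    keyed by fault synopsis so that post-mortem review sees one bucket per bug."""

    def __init__(self, send, procmon, restart):
        self.send = send          # send(case) -> None: TCP/UDP/SSL delivery
        self.procmon = procmon    # procmon() -> None while healthy, else a fault synopsis
        self.restart = restart    # restart() -> None: relaunch target / restore VM snapshot
        self.crash_bin = defaultdict(list)   # synopsis -> [test case numbers]
        self.cases_sent = 0

    def fuzz(self, test_cases):
        """Send every case; on a detected fault, record it and reset the target."""
        for number, case in enumerate(test_cases):
            self.send(case)
            self.cases_sent += 1
            synopsis = self.procmon()
            if synopsis is not None:
                self.crash_bin[synopsis].append(number)
                self.restart()
        return dict(self.crash_bin)


def crash_report(crash_bin):
    """Post-mortem summary in the spirit of crashbin_explorer: one line per
    fault, most frequently hit first."""
    lines = []
    for synopsis, cases in sorted(crash_bin.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        lines.append("%d case(s) -> %s : %s" % (len(cases), synopsis, ", ".join(map(str, cases))))
    return lines


class ToyTarget:
    """Constructed stand-in for the software under test, with two planted faults."""

    def __init__(self):
        self.alive = True
        self.last_fault = None

    def handle(self, data):
        if not self.alive:
            return                       # down: later cases are wasted until restart
        try:
            if len(data) > 1024:
                raise MemoryError("stack overflow in parse_header")
            if b"%n" in data:
                raise ValueError("write AV in format_log")
        except Exception as exc:
            self.alive = False
            self.last_fault = "%s: %s" % (type(exc).__name__, exc)

    def status(self):
        return None if self.alive else self.last_fault

    def restart(self):
        self.alive = True
        self.last_fault = None


def run_demo():
    """Fuzz the toy target with five constructed HTTP test cases."""
    target = ToyTarget()
    session = Session(target.handle, target.status, target.restart)
    cases = [
        b"GET / HTTP/1.1\r\n\r\n",                          # 0: baseline
        b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\n\r\n",       # 1: repetition
        b"GET /%n%n%n%n HTTP/1.1\r\n\r\n",                   # 2: format string
        b"GET /index.html HTTP/1.1\r\n\r\n",                 # 3: benign
        b"GET /" + b"B" * 5000 + b" HTTP/1.1\r\n\r\n",       # 4: repetition again
    ]
    return session.fuzz(cases)


if __name__ == "__main__":
    for line in crash_report(run_demo()):
        print(line)
```

Two things the model keeps that matter in practice: the monitor is polled after every send, so a crash is attributed to the exact case number that caused it, and the restart happens before the next case, so a dead target does not silently swallow the rest of the run.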
0x04.14
Sulley Fuzzing Framework
Post-Mortem Analysis
0x04.15
Sulley Fuzzing Framework
Analysis With Wireshark
0x05
Setup the Weapon
1. Install Immunity Debugger (includes Python 2.7) and set up the Python environment
0x05.1
Setup the Weapon
2. Install Git to clone Sulley, or download it from the link
   - https://github.com/OpenRCE/sulley.git
   - https://github.com/OpenRCE/sulley
3. Before setting up Sulley, install setuptools (easily download, build, install, upgrade, and uninstall Python packages) from https://pypi.python.org/pypi/setuptools
   => python setup.py install
4. Now go to the sulley directory and install
0x05.2
Setup the Weapon
5. Netmon Agent
   - Requires WinPcap/libpcap, Impacket and pcapy
   - WinPcap => I installed Wireshark
   - Impacket => https://github.com/CoreSecurity/impacket
   - pcapy => https://github.com/CoreSecurity/pcapy
   - Download https://github.com/develersrl/gccwinbinaries/releases/download/v1.1/gcc-mingw-4.3.3-setup.exe and install it
   - Now run network_monitor.py to test, but it fails with an error
   - Re-install pcapy, but error: pcap.h not found
0x05.3
Setup the Weapon
   - Solution
     1. Download the WinPcap developer pack from https://www.winpcap.org/devel.htm
     2. pip install pcapy --global-option=build_ext --global-option="-LC:\Path to\WpdPack_4_1_2\Lib" --global-option="-IC:\Path to\WpdPack_4_1_2\WpdPack\Include"
Ref: https://stackoverflow.com/questions/22996098/trouble-installing-pcapy-on-windows-7-cannot-open-include-file-pcap-h
0x05.4
Setup the Weapon
6. Procmon Agent
   Requires:
   - pefile (Python library for inspecting the PE file format)
     - https://code.google.com/p/pefile/downloads/list
   - pydasm (Python library for disassembling binary code)
     - https://code.google.com/p/pefile/downloads/list
   - paimei (reverse engineering framework written in Python), optional
     - https://github.com/OpenRCE/paimei/archive/master.zip
   - pydbg (pure-Python win32 debugger interface)
     - https://github.com/Fitblip/pydbg
     - Runs on Windows only
   - Now run process_monitor.py
Ref: https://github.com/OpenRCE/sulley/wiki/Windows-Installation
   : http://www.securityaddicted.com/tag/pydbg/
0x05.5
Setup the Weapon
7. For File Format Fuzzing
   Requires:
   - WinDbg
   - MSEC Debugger Extension: !exploitable
     X86 https://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.11.1.404.msi
     X64 https://msdl.microsoft.com/download/symbols/debuggers/dbg_amd64_6.11.1.404.msi
0x06
Sulley Fuzzing Framework
DEMO: Fuzzing HTTP
0x06.1
Sulley Fuzzing Framework
DEMO: Fuzzing FTP
0x07
Fuzzing File Formats
• File format => a very complex protocol
• Proprietary file formats (opportunities and challenges) such as MS Word, Open Office Writer, OS X Pages.app
• Leveraging Sulley for file format fuzzing?
• Automated and custom mutation delivery
0x07.1
Fuzzing File Formats
Monitoring the process
• Debugger to watch the exit status
• Watch the return status with crash.exe
• Custom code with Python + PyDbg
• The code must automate process termination, exception handling and logging
0x07.2
Fuzzing File Formats
crash.exe
0x07.3
Fuzzing File Formats
WinDbg Exploitability Index
• WinDbg - Microsoft Security Engineering Team (MSEC) debugger extension; user-mode and kernel-mode debugging
• Use the extension: !exploitable measurement
• Reliable for “EXPLOITABLE”; needs more analysis for “NOT EXPLOITABLE” or “UNKNOWN”
0x07.4
Fuzzing File Formats
!exploitable
0x07.5
Fuzzing File Formats
Microsoft Console Debugger
• Console-based interface to WinDbg, included with Debugging Tools for Windows
• Reports on “!exploitable”
• Helps automate analysis and logging
0x07.6
Fuzzing File Formats
Automating CDB
• The WinDbg GUI tool also provides a console-based version known as “cdb”
for /L %i in (0,1,1075) do @"c:\Program Files\Debugging Tools for Windows (x86)\cdb.exe" -aMSEC.dll -c ".logopen case-%i.pls.log; g; !exploitable -m; .logclose" "c:\Program Files\Yahoo!\Player\YPlayer.exe" pls-fuzz\pls\case-%i.pls
for /L %i in (0,0,0) do @wmic process where (name="cdb.exe") delete && ping -n 6 127.0.0.1 > nul
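The loop above leaves one log per test case, and triaging 1076 of them by hand is the part worth scripting. Below is an added Python triage script (written for this page, not part of the slides or of the MSEC extension) that reads the KEY:VALUE lines of `!exploitable -m` output, groups cases by classification and major hash so that duplicate crashes collapse into one bucket, and ranks the buckets by severity. The four log files are constructed samples in that shape; the field names (CLASSIFICATION, MAJOR_HASH, MINOR_HASH, BUG_TITLE) are assumed from the extension's machine-readable output and should be checked against a real log, and the module+offset addresses are placeholders.

```python
import re

# Constructed sample logs in the KEY:VALUE shape of "!exploitable -m" output
# (field names assumed; YPlayer+offset addresses are placeholders)
SAMPLE_LOGS = {
    "case-3.pls.log": "0:000> g\nntdll!NtTerminateProcess+0x12:\n",   # exited cleanly: no crash
    "case-17.pls.log": """\
(0a2c.0f44): Access violation - code c0000005 (first chance)
0:000> !exploitable -m
IDENTITY:HostMachine\\HostUser
PROCESSOR:X86
CLASS:USER
EXCEPTION_CODE:0xC0000005
MAJOR_HASH:0x1b7e5a21
MINOR_HASH:0x62c0d94f
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - User Mode Write AV starting at YPlayer+0x0001a2f0
""",
    "case-42.pls.log": """\
0:000> !exploitable -m
MAJOR_HASH:0x1b7e5a21
MINOR_HASH:0x62c0d94f
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - User Mode Write AV starting at YPlayer+0x0001a2f0
""",
    "case-58.pls.log": """\
0:000> !exploitable -m
MAJOR_HASH:0x7a03c4e8
MINOR_HASH:0x0e91b0b5
CLASSIFICATION:PROBABLY_NOT_EXPLOITABLE
BUG_TITLE:Read Access Violation on Control Flow starting at YPlayer+0x00022c10
""",
}

# Severity order for ranking; anything unrecognised sorts last
SEVERITY = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]
KEY_VALUE = re.compile(r"^([A-Z_]+):(.*)$")


def parse_exploitable_log(text):
    """Return the KEY:VALUE fields of one log as a dict (empty if the case did not crash)."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def triage(logs):
    """Group crashing cases by (classification, major hash), most severe first.

    Returns one dict per bucket with classification, hash, title, the case files
    in it, and a needs_review flag: as the slide warns, only EXPLOITABLE is
    reliable on its own, the other verdicts need a human look."""
    buckets = {}
    for name, text in logs.items():
        f = parse_exploitable_log(text)
        if "CLASSIFICATION" not in f:
            continue                                   # no crash in this case
        key = (f["CLASSIFICATION"], f.get("MAJOR_HASH", "?"))
        b = buckets.setdefault(key, {"classification": key[0], "major_hash": key[1],
                                     "title": f.get("BUG_TITLE", ""), "cases": []})
        b["cases"].append(name)

    def rank(b):
        cls = b["classification"]
        return (SEVERITY.index(cls) if cls in SEVERITY else len(SEVERITY), b["major_hash"])

    result = sorted(buckets.values(), key=rank)
    for b in result:
        b["cases"].sort()
        b["needs_review"] = b["classification"] != "EXPLOITABLE"
    return result


if __name__ == "__main__":
    for b in triage(SAMPLE_LOGS):
        flag = "  [review]" if b["needs_review"] else ""
        print("%-25s %s  %d case(s)%s" % (b["classification"], b["major_hash"], len(b["cases"]), flag))
        print("    " + b["title"])
```

Bucketing on the major hash is what turns 1076 logs into a short list: cases 17 and 42 above are the same fault hit twice and surface as one bucket, while the PROBABLY_NOT_EXPLOITABLE read AV is kept but flagged for manual review rather than discarded.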
0x07.7
Fuzzing File Formats
File Fuzzing with Sulley
• Sulley does not automate application launch or file delivery; we perform these manually with a custom script or shell command
0x07.7.1
Fuzzing File Formats Cont.
0x08
Sulley Fuzzing Framework
DEMO: File Format Fuzzing
0x08.1
Sulley Fuzzing Framework
Tip / Trick
- Run as Administrator or root
- The time delay for file fuzzing can be adjusted as necessary
- For file fuzzing, keep your mouse here while testing
- For file fuzzing, copy MSEC.dll to “C:\Program Files\Debugging Tools for Windows (x86)\winext”
- Running msec.dll gives an error because the 1.6 version of !exploitable was compiled in Visual Studio 12 using the CRT 11 runtime: https://www.microsoft.com/en-us/download/confirmation.aspx?id=30679
Ref: http://webcache.googleusercontent.com/search?q=cache:WLXxWXjg6KcJ:msecdbg3.rssing.com/chan-8052127/all_p2.html+&cd=5&hl=th&ct=clnk&gl=th
References:
• SANS 660 Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
• GIAC GXPN: Exploit Researcher and Advanced Penetration Tester
• https://github.com/OpenRCE/sulley
• http://www.fuzzing.org/wp-content/SulleyManual.pdf
• https://stackoverflow.com/questions/22996098/trouble-installing-pcapy-on-windows-7-cannot-open-include-file-pcap-h
• https://github.com/OpenRCE/sulley/wiki/Windows-Installation
• http://www.securityaddicted.com/tag/pydbg/
Q / A
Thank You
Presenter: Manich Koomsusi

Código Creativo y Arte de Software | Unidad 1
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 

Awesome_fuzzing_for _pentester_red-pill_2017

  • 10. 0x03 Intelligent Mutation
    • Describes a protocol and tests permutations of it
    • Protocol "grammar": identifies the fields of the protocol
    • Lots of up-front analysis time (the protocol is studied, and that knowledge is used to build the protocol "grammar")
    • Best method for comprehensive, code-reaching tests
  • 11. 0x03.1 Intelligent Mutation: what to test?
    • Use intelligent mutation: the analyst selects the permutations (which fields, and which data permutations, go into each test case)
    • Randomly inserting new data has limited value; it discovers only "surface" vulnerabilities
    • For a more comprehensive analysis, aim at specific structures (such as particular header fields)
  • 12. 0x03.2 Intelligent Mutation: what to test?
    • Signed and unsigned integers
      - Signed integers: positive (+) and negative (-)
      - Unsigned integers: positive (+) only
      - The MSB (most significant bit) is the sign bit (+/-) when the integer is signed
    • The same 32-bit value read as signed and as unsigned:
        Value | Signed | Unsigned
        1     | 1      | 1
        -1    | -1     | 4294967295
    • What happens? memcpy(destptr, srcptr, -1); The length parameter is a size_t, so -1 becomes 4294967295 on a 32-bit build and memcpy runs far past the end of the destination buffer.
  • 13. 0x03.3 Intelligent Mutation: what to test?
    • Integer underflow: a signed index that goes negative reaches the memory laid out before the array
        Index:  -4 -3 -2 -1 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | ...
                other       |<-------------- Array --------------->| other memory
                declarations
  • 14. 0x03.4 Intelligent Mutation: what to test?
    • Strings
  • 15. 0x03.5 Intelligent Mutation: what to test?
    • Field delimiters
  • 16. 0x03.6 Intelligent Mutation: what to test?
    • Directory traversal
    • What happens? "../../../../../../../../../../etc/passwd"
  • 17. 0x04 Sulley Fuzzing Framework: leveraging Sulley
    • Framework for describing a protocol (grammar)
    • Delivers protocol mutations based on the grammar
      - Monitors the target process and logs traffic
      - Controls VMs to reset the target
      - Assists in the analysis of crashes
    • Written in Python
    • Full functionality on Windows only
  • 18. 0x04.1 Sulley Fuzzing Framework: setting up
    • Integrates with VMware to restart the guest and to take/restore snapshots
    • Agents are controlled over an RPC protocol
    • Multiple simultaneous targets
  • 19. 0x04.2 Sulley Fuzzing Framework: Sulley functions, fuzzing an HTTP server GET request (RFC 2616, HTTP/1.1)
        GET /index.html HTTP/1.1
        Host: 192.168.1.31
  • 20. 0x04.3 HTTP GET request: initialization
    • s_initialize()
    • Takes the fuzzer (request) name
    • Uses a global variable to keep track of the request currently being defined
  • 21. 0x04.4 HTTP GET request: immutable values
    • s_static()
    • Data that does not change (never mutated)
  • 22. 0x04.5 HTTP GET request: delimiters
    • s_delim()
    • Specify a default value (e.g. the space or CR+LF that separates fields)
  • 23. 0x04.6 HTTP GET request: strings
    • s_string()
    • Mutations include
      - Repetition (x2, x1000, ...)
      - String omission
      - Directory recursion (../../../)
      - Format strings (%n)
      - Command injection (|calc)
      - SQL injection (1;SELECT *)
      - CR+LF x 1000
      - NULL termination
      - Binary strings (\xde\xad)
  • 24. 0x04.7 HTTP GET request: numbers
    • Binary or ASCII
    • 1/2/4/8 byte: s_byte(), s_short(), s_long(), s_double()
      - format="ascii" for ASCII output
      - format="binary" for binary output
      - endian="<" for little-endian
      - endian=">" for big-endian
      - Test cases: +/- 10 around the border cases near 0
      - Maximum values (MAX/2, MAX/3, MAX/32, etc.)
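As an added example (written for this page, not from the slides and not Sulley's code) of what slides 12, 13 and 24 describe: the signed/unsigned reinterpretation behind memcpy(destptr, srcptr, -1), and a generator for the border-case integers that the s_byte()/s_short()/s_long()/s_double() primitives produce, rendered either as ASCII digits or as little/big-endian bytes. The function names, and the choice to apply the +/-10 window around every centre value (not only around 0), are mine.

```python
import struct

# struct format characters per byte width: (signed, unsigned)
_FMT = {1: ("b", "B"), 2: ("h", "H"), 4: ("i", "I"), 8: ("q", "Q")}


def reinterpret_unsigned(value, width):
    """Pack a signed integer of `width` bytes and read the same bits back as
    unsigned: what the implicit conversion to size_t does to -1 in
    memcpy(destptr, srcptr, -1)."""
    signed_fmt, unsigned_fmt = _FMT[width]
    raw = struct.pack("<" + signed_fmt, value)
    return struct.unpack("<" + unsigned_fmt, raw)[0]


def integer_cases(width, signed=False):
    """Border values for an integer of `width` bytes, in the categories the
    talk lists for the integer primitives: +/-10 around 0, around the
    minimum and maximum, and around MAX/2, MAX/3 and MAX/32.  (Applying the
    +/-10 window to every centre is this example's generalisation.)  Values
    outside the type's range are dropped; the result is sorted and
    duplicate-free."""
    bits = width * 8
    if signed:
        lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    else:
        lo, hi = 0, (1 << bits) - 1
    umax = (1 << bits) - 1
    centres = [0, lo, hi, umax // 2, umax // 3, umax // 32]
    cases = set()
    for centre in centres:
        for delta in range(-10, 11):
            value = centre + delta
            if lo <= value <= hi:
                cases.add(value)
    return sorted(cases)


def render(value, width, fmt="binary", endian="<"):
    """Render one test value the way a fuzzer puts it on the wire: ASCII
    digits (fmt="ascii") or raw bytes (fmt="binary") in little ("<") or big
    (">") endian.  Negative values are masked to the width, i.e. rendered as
    their two's-complement bit pattern."""
    if fmt == "ascii":
        return str(value).encode()
    mask = (1 << (width * 8)) - 1
    return struct.pack(endian + _FMT[width][1], value & mask)


if __name__ == "__main__":
    # -1 handed to a size_t length on a 32-bit build
    print("memcpy length -1 becomes", reinterpret_unsigned(-1, 4))
    # the values a 2-byte signed field would be fuzzed with, big-endian
    for v in integer_cases(2, signed=True):
        print("%6d  %r" % (v, render(v, 2, "binary", ">")))
```

The masking in render() is deliberate: a fuzzer must be able to emit -1 into an unsigned field, because the bit pattern ff ff ff ff is exactly the case that turns a signed length check into the 4294967295-byte copy of slide 12.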
  • 25. 0x04.8 HTTP GET request: counting mutations and estimating runtime
    • s_num_mutations()
    • Returns the number of mutations the current request will generate (multiply by the time per test case to estimate the run)
  • 26. 0x04.9 HTTP GET request: displaying mutations
    • s_render() => returns the rendered bytes of the current mutation
    • s_mutate() => advances to the next mutation (returns False once all are exhausted)
    • s_hex_dump() => prints a hex dump (hex plus ASCII columns) of the current rendering
  • 29. 0x04.C Sulley Fuzzing Framework: sessions
    • Each fuzzer (request) is identified by the name given to s_initialize()
    • A session can join multiple fuzzers
    • One or more targets, with control options
    • Over TCP, UDP or SSL
    • Requests are linked into a graph; the session walks every path of the graph to fuzz each component
  • 30. 0x04.D Sulley Fuzzing Framework: sessions
    • Add a fuzzer to the session with connect()
    • The fuzzer object is returned by s_get()
      - Name from s_initialize()
    • Multiple nodes: connect() takes a source node and an optional destination node, so a chain is built one edge at a time, e.g.
        mysess.connect(s_get("FOO"))
        mysess.connect(s_get("FOO"), s_get("BAR"))
        mysess.connect(s_get("BAR"), s_get("BAZ"))
  • 31. 0x04.E Sulley Fuzzing Framework: sessions
    • Specify a target with sessions.target()
    • Packet capture agent: netmon
    • Process analysis agent: procmon
  • 32. 0x04.F Sulley Fuzzing Framework: sessions
    • Add the target to the session with add_target()
    • Fuzzing of multiple targets runs in parallel, limited by CPU
    • fuzz() starts!
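An added illustration (not from the slides, and not Sulley's code) of the graph walk behind connect()/add_target()/fuzz() in slides 29 to 32. The Session class here keeps only what the point needs: each connect() call adds one edge, and fuzzing a node means replaying the unmodified requests on the path to it before sending that node's mutations. The FTP request names are a constructed sketch of the demo's login sequence; Sulley's real connect() also takes a callback argument, which is omitted here.

```python
from collections import OrderedDict


class Session:
    """Requests linked into a directed graph, as Sulley's session does with
    connect().  Fuzzing a node means replaying every request on the path from
    the root to that node unmodified, then sending the node's mutations."""

    def __init__(self):
        self.edges = OrderedDict()  # node -> [child, ...]; the root is None

    def connect(self, src, dst=None):
        """connect(node) hangs node off the root; connect(src, dst) adds an edge."""
        if dst is None:
            src, dst = None, src
        self.edges.setdefault(src, []).append(dst)
        self.edges.setdefault(dst, [])
        return self

    def paths(self):
        """Every root-to-node path, depth first in insertion order."""
        found = []

        def walk(node, path):
            for child in self.edges.get(node, []):
                found.append(path + [child])
                walk(child, path + [child])

        walk(None, [])
        return found

    def plan(self):
        """(replayed prefix, node under test), one entry per node, in the
        order a run fuzzes them."""
        return [(tuple(p[:-1]), p[-1]) for p in self.paths()]


def ftp_session():
    """Constructed sketch of the FTP demo: log in, then fuzz two commands
    behind the login.  Request names stand in for s_get() objects."""
    return (Session()
            .connect("USER")
            .connect("USER", "PASS")
            .connect("PASS", "CWD")
            .connect("PASS", "RETR"))


if __name__ == "__main__":
    for prefix, node in ftp_session().plan():
        print("replay %-10s then fuzz %s" % (" ".join(prefix) or "(nothing)", node))
```

The practical consequence: every mutation of RETR costs a full USER and PASS exchange first, which is why the per-node counts from s_num_mutations() and the depth of the graph together decide how long a session runs.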
  • 33. 0x04.11 Sulley Fuzzing Framework: session agents
    • netmon: captures traffic to a libpcap file
    • procmon: monitors the target process for faults
    • vmcontrol: starts, stops and resets the guest; takes, deletes and restores snapshots
  • 34. 0x04.12 Sulley Fuzzing Framework: steps for running Sulley
    • Start procmon.py
    • Start netmon.py
    • Start the target software
    • Start the fuzzing script
    • Monitor status with the web UI
    • And !!!!!!
  • 35. 0x04.13 Sulley Fuzzing Framework: post-mortem analysis
    • Sulley includes two tools to help in assessing session results
    • pcap_cleaner.py <crashbin> <pcap dir>: removes the pcaps of test cases that did not produce a crash
    • crashbin_explorer.py <crashbin>: navigate, examine and graph the crash data
  • 38. 0x05 Setup the Weapon
    1. Install Immunity Debugger (it includes Python 2.7) and set up the Python environment
  • 39. 0x05.1 Setup the Weapon
    2. Install Git to clone Sulley, or download it from the link
       - https://github.com/OpenRCE/sulley.git
       - https://github.com/OpenRCE/sulley
    3. Before setting up Sulley, install setuptools (easily download, build, install, upgrade and uninstall Python packages) from https://pypi.python.org/pypi/setuptools => python setup.py install
    4. Now change into the sulley directory and install it
  • 40. 0x05.2 Setup the Weapon
    5. Netmon agent
       - Requires WinPcap/libpcap, Impacket and pcapy
       - WinPcap => I installed Wireshark (which bundles WinPcap)
       - Impacket => https://github.com/CoreSecurity/impacket
       - Pcapy => https://github.com/CoreSecurity/pcapy
       - Install https://github.com/develersrl/gccwinbinaries/releases/download/v1.1/gcc-mingw-4.3.3-setup.exe (MinGW gcc, needed to build pcapy)
       - Now run network_monitor.py to test, but it errors
       - Re-installing pcapy fails too: pcap.h not found
  • 41. 0x05.3 Setup the Weapon
       - Solution
         1. Download the WinPcap developer pack from https://www.winpcap.org/devel.htm
         2. pip install pcapy --global-option=build_ext --global-option="-LC:\<path to>\WpdPack_4_1_2\Lib" --global-option="-IC:\<path to>\WpdPack_4_1_2\WpdPack\Include"
       Ref: https://stackoverflow.com/questions/22996098/trouble-installing-pcapy-on-windows-7-cannot-open-include-file-pcap-h
  • 42. 0x05.4 Setup the Weapon
    6. Procmon agent requires:
       - pefile (Python library for inspecting the PE file format): https://code.google.com/p/pefile/downloads/list
       - pydasm (Python library for disassembling binary code): https://code.google.com/p/pefile/downloads/list
       - paimei (reverse engineering framework written in Python), optional: https://github.com/OpenRCE/paimei/archive/master.zip
       - pydbg (pure-Python Win32 debugger interface): https://github.com/Fitblip/pydbg, runs on Windows only
       - Now run process_monitor.py
       Ref: https://github.com/OpenRCE/sulley/wiki/Windows-Installation and http://www.securityaddicted.com/tag/pydbg/
  • 43. 0x05.5 Setup the Weapon
    7. For file format fuzzing, required:
       - WinDbg (Debugging Tools for Windows 6.11.1.404)
         x86: https://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.11.1.404.msi
         x64: https://msdl.microsoft.com/download/symbols/debuggers/dbg_amd64_6.11.1.404.msi
       - MSEC debugger extension: !exploitable
  • 46. 0x07 Fuzzing File Formats
    • A file format is a very complex "protocol"
    • Proprietary file formats (opportunities and challenges) such as MS Word, OpenOffice Writer, OS X Pages.app
    • Leveraging Sulley for file format fuzzing?
    • Automated and custom mutation delivery
  • 47. 0x07.1 Fuzzing File Formats: monitoring the process
    • Use a debugger to watch the exit status
    • Watch the return status with crash.exe
    • Custom code with Python + PyDbg
    • The code must automate process termination, exception handling and logging
  • 49. 0x07.3 Fuzzing File Formats: WinDbg exploitability index
    • WinDbg: Microsoft's user-mode and kernel-mode debugger; the Microsoft Security Engineering Center (MSEC) publishes the !exploitable extension for it
    • Use the extension: !exploitable gives an exploitability assessment of the current crash
    • Reliable for "EXPLOITABLE"; "NOT EXPLOITABLE" or "UNKNOWN" need more analysis (the classification is a heuristic, not a proof either way)
  • 51. 0x07.5 Fuzzing File Formats: Microsoft Console Debugger
    • cdb: console-based interface to the WinDbg engine, included with Debugging Tools for Windows
    • Reports the !exploitable output
    • Helps in automating analysis and logging
  • 52. 0x07.6 Fuzzing File Formats: automating cdb
    • WinDbg is the GUI tool; Debugging Tools for Windows also provides a console-based version known as "cdb"
    • Run one case per cdb instance, logging the !exploitable result for each (the loop from the slide, with the path separators restored):
        for /L %i in (0,1,1075) do @"c:\Program Files\Debugging Tools for Windows (x86)\cdb.exe" -aMSEC.dll -c ".logopen case-%i.pls.log; g; !exploitable -m; .logclose" "c:\Program Files\Yahoo!\Player\YPlayer.exe" pls-fuzz\pls\case-%i.pls
    • In a second console, a watchdog loop (step 0 makes it endless) kills any cdb still running every ~6 seconds, so a case that hangs instead of crashing does not stall the run:
        for /L %i in (0,0,0) do @wmic process where (name="cdb.exe") delete && ping -n 6 127.0.0.1 > nul
  • 53. 0x07.7 Fuzzing File Formats: file fuzzing with Sulley
    • Sulley does not automate launching the application or delivering the file; we do that manually with a custom script or shell command
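Slides 52 and 53 leave one log per case (case-N.pls.log) and nothing that reads them. An added example (not from the slides, not Sulley's code) that does the triage: it pulls the !exploitable classification, major hash and bug title out of each log, drops the cases that ran cleanly, and buckets the rest so duplicates of one crash are analysed once. The two sample logs are constructed, and the exact spelling of the -m key/value lines is this author's recollection of the extension's output (an assumption, hence the regexes also accept the human-readable form); the 41414141 check is a heuristic for an 'A'-filled payload.

```python
import re
from collections import defaultdict

# Constructed sample logs, one per test case, as the cdb loop would leave
# them.  The register lines and the "!exploitable -m" key/value lines follow
# the formats as remembered (an assumption: adjust the regexes to what your
# version of the extension prints).
SAMPLE_LOGS = {
    "case-17.pls.log": (
        "(2a4.b10): Access violation - code c0000005 (first chance)\n"
        "eax=41414141 ebx=00000000 ecx=0012f9f0 edx=00000000 esi=41414141 edi=00000000\n"
        "eip=41414141 esp=0012f9c0 ebp=41414141 iopl=0\n"
        "0:000> !exploitable -m\n"
        "MAJOR_HASH:0x1a2b3c4d\n"
        "MINOR_HASH:0x5e6f7a8b\n"
        "CLASSIFICATION:EXPLOITABLE\n"
        "BUG_TITLE:Exploitable - User Mode Write AV starting at Unknown Symbol @ 0x41414141\n"
        "0:000> .logclose\n"),
    "case-18.pls.log": (
        "ModLoad: 77d40000 77dd0000   C:\\Windows\\system32\\USER32.dll\n"
        "0:000> !exploitable -m\n"
        "There is no current exception or crash.\n"
        "0:000> .logclose\n"),
}

# Accept both the -m key/value form and the human-readable form of the output.
_CLASS = re.compile(r"(?:(?:EXPLOITABILITY_)?CLASSIFICATION:|Exploitability Classification:)\s*(\S+)")
_MAJOR = re.compile(r"(?:MAJOR_HASH:\s*|Hash=)(0x[0-9a-fA-F]+)")
_TITLE = re.compile(r"(?:BUG_TITLE:|Recommended Bug Title:)\s*(.+)")
_AV = re.compile(r"Access violation - code c0000005")
_EIP = re.compile(r"\beip=([0-9a-f]{8})")


def _first(rx, text):
    m = rx.search(text)
    return m.group(1).strip() if m else None


def triage(text):
    """Summarise one case log; None when the case did not crash."""
    classification = _first(_CLASS, text)
    if classification is None and not _AV.search(text):
        return None
    eip = _first(_EIP, text)
    return {
        "classification": classification or "NO_EXPLOITABLE_OUTPUT",
        "major_hash": _first(_MAJOR, text),
        "title": _first(_TITLE, text),
        # heuristic: the fuzz payload here is 'A' * n, so eip == 41414141
        # means the instruction pointer came straight out of the file
        "eip": eip,
        "eip_controlled": eip == "41414141",
    }


def bucket(logs):
    """Group crashing cases by (classification, major hash): cases in one
    bucket are most likely the same bug, so one of them is enough to analyse."""
    buckets = defaultdict(list)
    for name in sorted(logs):
        info = triage(logs[name])
        if info is not None:
            buckets[(info["classification"], info["major_hash"])].append(name)
    return dict(buckets)


if __name__ == "__main__":
    for key, names in bucket(SAMPLE_LOGS).items():
        print(key, "->", ", ".join(names))
```

Bucketing on the major hash rather than on the faulting address is what makes this usable across a 1000-case run: the same parser bug usually faults at slightly different addresses but hashes to the same stack, and the "NOT EXPLOITABLE"/"UNKNOWN" buckets are the ones slide 49 says still need a human.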
  • 56. 0x08.1 Sulley Fuzzing Framework: tips and tricks
    - Run as Administrator or root
    - The time delay for file fuzzing can be adjusted as necessary
    - For file fuzzing, keep your mouse where shown on the slide while testing
    - For file fuzzing, copy MSEC.dll to "C:\Program Files\Debugging Tools for Windows (x86)\winext"
    - If loading msec.dll errors: version 1.6 of !exploitable was compiled with Visual Studio 2012 against the CRT 11 runtime (msvcr110), so install the Visual C++ 2012 redistributable: https://www.microsoft.com/en-us/download/confirmation.aspx?id=30679
    Ref: http://webcache.googleusercontent.com/search?q=cache:WLXxWXjg6KcJ:msecdbg3.rssing.com/chan-8052127/all_p2.html+&cd=5&hl=th&ct=clnk&gl=th
  • 57. References
    • SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
    • GIAC GXPN: Exploit Researcher and Advanced Penetration Tester
    • https://github.com/OpenRCE/sulley
    • http://www.fuzzing.org/wp-content/SulleyManual.pdf
    • https://stackoverflow.com/questions/22996098/trouble-installing-pcapy-on-windows-7-cannot-open-include-file-pcap-h
    • https://github.com/OpenRCE/sulley/wiki/Windows-Installation
    • http://www.securityaddicted.com/tag/pydbg/