Fuzzing: Use all the fuzzers!

My first project with SPQR is a vulnerability assessment of an anesthesia machine. Unfortunately we do not have 24/7 access to the machine and we are still trying to schedule our first meeting. In order to get the most out of the time we do have with it I’ve been working on compiling a list of tools, their uses, and tutorials I’ve been going through to get up to speed on them.

Right now this is taking the format of a dump of urls I’ve found useful, hopefully over the next few days I’ll be adding posts specific to tools describing their use.

Fuzzing Frameworks

Peach – Fuzzing framework that uses xml “peach-pits” to “intelligently” fuzz an application. Requires prior knowledge of a protocol in order to generate and mutate fuzzing inputs. Peach is one of the few free fuzzers that is still in active development. Most of the other fuzzers have fallen by the way side over the past few years. Another benefit of Peach is that it allows for running the tests automatically (rather than causing a crash and requiring human interaction to relaunch) as well as automatic logging of debug information.
http://peachfuzzer.com/
Example file format fuzzing:
http://www.flinkd.org/2011/07/fuzzing-with-peach-part-1/
Network fuzzing (more interesting):
http://peachfuzzer.com/v2/TutorialNetworkServer.html

SPIKE – A fuzz scripting framework. More hands on than peach, scripting out each event and using the SPIKE API to define the packet structure. Downside is it lacks a way to restart crashed applications, requiring a manual restart instead. It has also been out of development for a while, it seems to have been “replaced” by Sulley.
http://resources.infosecinstitute.com/fuzzer-automation-with-spike/

Sulley – Aimed to be more powerful than SPIKE while retaining ease of use. No longer in development. Need to investigate further…
http://resources.infosecinstitute.com/sulley-fuzzing/

Web App Specific Fuzzers

Burp – Web proxy scanner/fuzzer. Fancy user interface that couples with a proxy server to inspect packets being sent/received and identify potential vulnerabilities. Requires human intuition to find potentially exploitable fields but given the fields it will automate the fuzzing. (XSS, SQL inject, brute force login)
http://portswigger.net/burp/
http://resources.infosecinstitute.com/burpsuite-tutorial/

For a more detailed comparison of fuzzing tools:
http://www.blackhat.com/presentations/bh-usa-09/EDDINGTON/BHUSA09-Eddington-DemystFuzzers-PAPER.pdf

These are only a few of the fuzzing tools out there, for more tools use your google-fu to find stuff like this:
http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html  

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s