
Fuzzers - Penetration Testing

A security fuzzer is a tool used by security professionals (and professional hackers :) to test a parameter of an application. Typical fuzzers test an application for buffer overflows, format string vulnerabilities, and error handling. More advanced fuzzers incorporate functionality to test for directory traversal attacks, command execution vulnerabilities, SQL Injection and Cross Site Scripting vulnerabilities. Web vulnerability scanners typically perform all of this functionality, and can be considered advanced fuzzers.

If the program contains a vulnerability that leads to an exception, crash or server error (in the case of web apps), the fuzzer can flag that input as having triggered a bug. Fuzzers are often termed fault injectors for this reason: they generate faults and send them to an application. Generally fuzzers are good at finding buffer overflow, DoS, SQL Injection, XSS, and format string bugs. They do a poor job at finding vulnerabilities related to information disclosure, encryption flaws and any other vulnerability that does not cause the program to crash.
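To make the fault-injection idea concrete, here is a small fuzzer written for this page as an added example; it is not code from any of the tools listed below. The target parser (`parse_record`), the known-good record and the fault cases are all constructed for the illustration. It sends the classic input classes the text mentions (empty input, format-string specifiers, an oversized length, random mutations) at the target, treats the parser's documented error (`ValueError`) as normal error handling, and records any other exception as a fault together with the input that reproduces it.

```python
"""Minimal fault-injection fuzzer (added example; target and data are constructed)."""
import random
from dataclasses import dataclass


def parse_record(data: bytes) -> bytes:
    """Constructed toy target: a length-prefixed record parser that trusts
    the declared length.  Byte 0 says how long the payload is; the payload
    is copied into a fixed 16-byte field.  Empty input is a documented error."""
    if not data:
        raise ValueError("empty record")
    declared_len = data[0]
    payload = data[1:1 + declared_len]
    # Bug: declared_len is never checked against the 16-byte field, so a
    # record that really carries more than 16 bytes runs off the end.
    field_buf = bytearray(16)
    for i, b in enumerate(payload):
        field_buf[i] = b          # IndexError once i reaches 16: our "crash"
    return bytes(field_buf)


def generate_cases(seed: int = 1, count: int = 200):
    """Yield test inputs: first the hand-written fault classes the text names,
    then random mutations of a known-good record (all constructed data)."""
    yield b""                               # error handling: empty input
    yield b"\x00"                           # zero-length record, no payload
    yield b"\x10" + b"%s%n%x%n" * 2         # format-string specifiers (16 bytes)
    yield b"\xff" + b"A" * 255              # oversized declared length: overflow class
    rng = random.Random(seed)
    valid = b"\x05hello"
    for _ in range(count):
        case = bytearray(valid)
        for _ in range(rng.randint(1, 4)):  # stack a few mutations per case
            op = rng.choice(("flip", "grow", "truncate"))
            if op == "flip" and case:
                case[rng.randrange(len(case))] = rng.randrange(256)
            elif op == "grow":
                case += bytes(rng.randrange(256) for _ in range(rng.randint(1, 64)))
            elif op == "truncate" and case:
                del case[rng.randrange(len(case)):]
        yield bytes(case)


@dataclass
class Finding:
    case: bytes        # the input that reproduces the fault
    exc_type: str
    message: str


def fuzz(target, cases, expected=(ValueError,)):
    """Run every case through the target.  Exceptions the target documents as
    its own error path (`expected`) are normal error handling; anything else
    counts as a crash and is recorded once per exception signature."""
    findings, seen = [], set()
    for case in cases:
        try:
            target(case)
        except expected:
            continue                        # defined error handling, not a bug
        except Exception as exc:            # any other exception == "crash"
            signature = (type(exc).__name__, str(exc))
            if signature not in seen:
                seen.add(signature)
                findings.append(Finding(case, *signature))
    return findings


if __name__ == "__main__":
    for f in fuzz(parse_record, generate_cases()):
        print(f"{f.exc_type}: {f.message}  <- reproducer {f.case[:24]!r}")
```

Two points the run makes visible: the harness has to know which failures are the target's intended error handling, or every empty-input `ValueError` would be reported as a finding, and it only ever sees faults that surface as exceptions. A parser that silently returned data from outside the record would pass every case here, which is exactly the information-disclosure blind spot described above.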

How's that? A prerequisite for building a fuzzer is that you have to give it a cool name. There was one called stabface (yes, stabface) that would use the Google API to do SQL Injection against .govs and .mils. The author found a lot of neat holes, but never released the tool. Ok, here is the list:

(L)ibrary (E)xploit API - lxapi - A collection of python scripts for fuzzing.

Mangle - A fuzzer for generating odd HTML tags, it will also autolaunch a browser. Mangle found the infamous IFRAME IE bug.

SPIKE - A collection of many fuzzers from Immunity. Used to find the recent remote RDP kernel DoS against a firewalled XP SP2, and many others.

PROTOS WAP - A fuzzer from the PROTOS project for fuzzing WAP.

PROTOS HTTP-reply - Another fuzzer from the PROTOS dudes for attacking HTTP responses, useful for browser vulns.

PROTOS LDAP - For fuzzing LDAP, not as successful as the others from the PROTOS project.

PROTOS SNMP - Classic SNMP fuzzer, found a vuln in almost every networking gear available at the time (2002).

PROTOS SIP - For fuzzing all those new VOIP SIP devices you see everywhere.

PROTOS ISAKMP - For attacking IPSec implementations.

RIOT & faultmon - For attacking plain text protocols (Telnet, HTTP, SMTP). Used by Riley Hassell when he worked at eEye to discover the IIS .printer overflow and included in The Shellcoder's Handbook.

SPIKE Proxy - A semi-functional web fuzzer from the guys at Immunity that brought you the original SPIKE.

Tag Brute Forcer - Awesome fuzzer from Drew Copley at eEye for attacking all of those custom ActiveX applications. Used to find a bunch of nasty IE bugs, including some really hard to reach heap overflows.

FileFuzz - A file format fuzzer for PE (Windows) binaries from iDefense. Has a pretty GUI. I've recently used it to find bugs in Word.

SPIKEFile - Another file format fuzzer for attacking ELF (Linux) binaries from iDefense. Based off of SPIKE listed above.

notSPIKFile - An ELF fuzzer closely related to FileFuzz, rather than using SPIKE as a starting point.

Screaming Cobra - The name makes the fuzzer sound better than it really is, but it is good for finding CGI bugs. Also, it's a Perl script, so it is easy to modify or extend.

WebFuzzer - A fuzzer for (guess what?) web app vulns. Just as good as some of the cheap commercial web fuzzers.

eFuzz - A generic TCP/IP protocol fuzzer. Easy to use, but maybe not as full featured as some others on this list.

Peach Fuzzer - A great fuzzer written by Michael Eddington. Peach Fuzzer is more of a framework for building fuzzers.

Fuzz - The ORIGINAL fuzzer, developed by Dr. Barton Miller at my alma mater, the University of Wisconsin-Madison, in 1990. Go badgers!
