Ethical Hacking and Penetration Testing

Discussion on ethical hacking and penetration testing subjects.


Wednesday, December 14, 2005

Fuzzers - The ultimate list

I spent the last week performing a penetration test for a customer, and at the close of a test I usually hold a one-day, in-person "remediation meeting". One of my "action items" from the meeting was to respond with a list of fuzzers (sometimes called fault injectors) that can be used for in-house pen testing. If you aren't familiar with fuzzers and what they are, here is my best stab at a definition:

Fuzzer: A fuzzer is a program that attempts to discover security vulnerabilities by sending random or deliberately malformed input to an application. If the program contains a bug that leads to an exception, crash or server error (in the case of web apps), the fuzzer flags the input that caused it as a likely vulnerability; the crash then has to be triaged to find out whether it is actually exploitable or just a harmless bug, and to separate it from the target's own, expected input-validation errors. Fuzzers are often termed fault injectors for this reason: they generate faults and send them to an application. Generally, fuzzers are good at finding buffer overflow, DoS, SQL injection, XSS and format string bugs. They do a poor job of finding vulnerabilities related to information disclosure, encryption flaws and any other vulnerability that does not cause the program to crash or otherwise misbehave visibly.

How's that? A prerequisite for building a fuzzer is that you have to give it a cool name. There was one called stabface (yes, stabface) that would use the Google API to do SQL injection against .govs and .mils. The author found a lot of neat holes but never released the tool. OK, here is the list:

(L)ibrary (E)xploit API - lxapi - A collection of python scripts for fuzzing
Mangle - A fuzzer for generating odd HTML tags, it will also autolaunch a browser. Mangle found the infamous IFRAME IE bug.
SPIKE - A collection of many fuzzers from Immunity. Used to find the recent remote RDP kernel DoS against a firewalled XP SP2, and many others.
PROTOS WAP - A fuzzer from the PROTOS project for fuzzing WAP.
PROTOS HTTP-reply - Another fuzzer from the PROTOS team, this one for attacking HTTP responses; useful for browser vulns.
PROTOS LDAP - For fuzzing LDAP; not as successful as the others from the PROTOS project.
PROTOS SNMP - Classic SNMP fuzzer, found a vuln in almost every networking gear available at the time (2002).
PROTOS SIP - For fuzzing all those new VoIP SIP devices you see everywhere.
PROTOS ISAKMP - For attacking IPSec implementations
RIOT & faultmon - For attacking plain text protocols (Telnet, HTTP, SMTP). Used by Riley Hassell when he worked at eEye to discover the IIS .printer overflow and included in The Shellcoder's Handbook.
SPIKE Proxy - A semi-functional web fuzzer from the guys at Immunity that brought you the original SPIKE
Tag Brute Forcer - Awesome fuzzer from Drew Copley at eEye for attacking all of those custom ActiveX applications. Used to find a bunch of nasty IE bugs, including some really hard to reach heap overflows.
FileFuzz - A file format fuzzer from iDefense for attacking Windows (PE) applications that parse untrusted files. Has a pretty GUI. I've recently used it to find bugs in Word.
SPIKEfile - Another file format fuzzer from iDefense, this one for attacking Linux (ELF) applications. Based on SPIKE, listed above.
notSPIKEfile - An ELF fuzzer closely related to FileFuzz, using it, instead of SPIKE, as a starting point.
Screaming Cobra - The name makes the fuzzer sound better than it really is, but it is good for finding CGI bugs. Also, it's a Perl script, so it's easy to modify or extend.
WebFuzzer - A fuzzer for (guess what?) web app vulns. Just as good as some of the cheap commercial web fuzzers.
eFuzz - A generic TCP/IP protocol fuzzer. Easy to use, but maybe not as full featured as some others on this list.
Peach Fuzzer - A great fuzzer written by Michael Eddington. Peach Fuzzer is more of a framework for building fuzzers.
Fuzz - The ORIGINAL fuzzer, developed by Dr. Barton Miller at my alma mater, the University of Wisconsin-Madison, in 1990. Go Badgers!
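To make the definition at the top of this post concrete, here is an added example of a minimal mutation-based fuzzer in Python. It is not code from the original post and not any of the tools in the list above; the seed input, the toy `parse_record` target (which has a deliberate bug: it trusts a declared length field) and the `INTERESTING` boundary values are all constructed for this illustration. The interesting part is the loop in `fuzz`, which does what the definition describes: mutate input, send it to the target, and record the inputs that cause exceptions, while ignoring the target's own expected validation errors so that triage starts from real crashes.

```python
import random
import traceback

# Constructed seed input for a toy record format: one length byte, then payload.
SEED = b"\x05hello"

# Boundary values that mutation fuzzers commonly substitute for a byte.
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]


def parse_record(buf: bytes) -> bytes:
    """Constructed target with a deliberate bug: it trusts the declared
    length and never checks it against the bytes actually present."""
    if not buf:
        raise ValueError("empty record")        # expected, clean rejection
    declared = buf[0]
    payload = buf[1:1 + declared]
    checksum = 0
    for i in range(declared):
        checksum ^= payload[i]                  # IndexError if declared > len(payload)
    return payload


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, interesting-value replace,
    byte insert or byte delete (insert is the only option on empty input)."""
    buf = bytearray(data)
    op = rng.choice(("flip", "replace", "insert", "delete"))
    if op == "insert" or not buf:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "flip":
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "replace":
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    else:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, expected=(ValueError,),
         rng_seed: int = 0) -> dict:
    """Feed mutated inputs to target and collect unique crashes.

    Exceptions listed in `expected` are the target's own input validation
    and are not reported. Crashes are keyed by exception type and the line
    that raised it, so one bug hit by many inputs is counted once; the
    value is the first input that triggered it, kept for reproduction."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.lineno)
            crashes.setdefault(key, case)
    return crashes


if __name__ == "__main__":
    for (exc_name, line), case in fuzz(parse_record, SEED, 2000).items():
        print(f"{exc_name} at line {line}: input={case!r}")
```

Running it reports a single IndexError inside `parse_record` together with a short input that reproduces it, which is exactly the artifact you want from a fuzzer: a deduplicated crash plus the bytes to replay under a debugger. Real fuzzers stack several mutations per case, keep a corpus of inputs that reached new code paths, and for network targets replace the direct function call with a socket send, but the mutate, send, observe, record loop is the same.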

Well, this is it for now. I'll be sure to add to this list. Email me with suggestions.

~jack~

jack ~a~ InfoSecInstitute.com

21 Comments:

  • At 8:33 AM, Anonymous said…

    Hey Jack, here is a fuzzer for MSN messenger to add to the list:

    http://addict3d.org/index.php?page=viewarticle&type=security&ID=4687&title=Tiny%20MSN%20fuzzer%20(passwd%20demo)

     
  • At 3:04 PM, Scott said…

    There is a way to stop all that from happening. There's a small but up-and-coming company that I have heard of called
    multipleshiftkey.com

    The guy who owns the company is named Ray and he has got an awesome product that you should, at least, check out.

    www.multipleshiftkey.com
    Phone 909-816-8729

     
  • At 7:23 PM, Jamel L. Raines, Esq. said…

    I am glad I found this blog. It came up on a Google search. I am a full-time college student taking Information Security Management this semester. I will come here often to get a fresh perspective, to help keep me from becoming a knobologist.

    Jamel L. Raines, Esq.

     
  • At 2:47 PM, Juan Aurelio Naranjo said…

    Hi Jack! Here are some more fuzzers to add to the list:

    Fuzzball2 is a little fuzzer for TCP and IP options. It sends a bunch of more or less bogus packets to the host of your choice.

    Fuzzer version 1.1 is a multi protocol fuzzing tool written in Python. It can be used to find new SQL injection, format string, buffer overflow, directory traversal, and other vulnerabilities. Written with portability in mind.

    Scratch is an advanced protocol destroyer ("fuzzer") which can routinely find a wide variety of vulnerabilities from a simple packet. scratch does complex parsing of binary files to determine what to fuzz with what data. scratch also comes with a framework for fuzzing binary protocols such as SSL and SMB.

    Juan Aurelio Naranjo
    Reverse Labs
    http://www.reverselabs.com/

     
  • At 12:59 PM, Anonymous said…

    You might also want to check out the digital dwarf society website at http://www.digitaldwarf.be. It contains plenty of fault injection example code and working fuzzers.

     
  • At 12:15 PM, exceed said…

    Here's another one that works in Windows environment:

    http://software.tripbit.net/mistress/

     
  • At 5:30 PM, Anonymous said…

    A simple protocol fuzzer in perl: http://www.cirt.dk/tools/fuzzer/fuzzer.txt

     
  • At 5:19 AM, Juan Aurelio Naranjo said…

    You may want to check this entry from the Metasploit Blog: Browser Fuzzing for fun and Profit

    From the article we got more (ActiveX/COM) fuzzers to add to the list...

    AXFuzz A tool from Shane Hird for "fuzzing" the IDispatch interface of the components, as well as any IDispatch interfaces returned from the methods, by calling every method with garbage values, or overly long BSTRs.

    COMRaider David Zimmer of iDefense has released this tool designed to fuzz COM Object Interfaces. COMRaider includes:

    - capability to easily enumerate safe for scripting objects
    - ability to scan for COM objects by path, filename, or guid
    - integrated type library viewer
    - integrated debugger to monitor exceptions, close windows,log api
    - external vbs script allows you to easily edit fuzzer permutations
    - built in webserver to test exploits on the fly
    - distributed auditing mode to allow entire teams to work together
    - ability to upload crash files to central server for group analysis
    - automation tools allowing you to easily fuzz multiple libraries
    - individual classes, or specific functions.

    You can watch a video tour of COMRaider in http://labs.idefense.com/doDownload.php?downloadID=24

    Hamachi A community-developed utility for verifying browser integrity, written by H D Moore and Aviv Raff. Hamachi will look for common DHTML implementation flaws by specifying common "bad" values for method arguments and property values. Hamachi has found flaws in Firefox 1.0.7, Mozilla 1.7, Konqueror 3.5.1, Opera 8.5, Safari, and Internet Explorer!

    Cheers

    Juan Aurelio Naranjo
    Reverse Labs

     
  • At 1:04 PM, Tim said…

    WSFuzzer claims to test SOAP based web services.

    WSFuzzer

     
  • At 10:59 PM, Anonymous said…

    Does anyone know if there is a fuzzing tool that is specialized for PDF fuzzing?

     
  • At 9:20 PM, Anonymous said…

    Hi there,

    Does someone know of an implementation of fuzzers for uncommon and old protocols/services, like daytime, echo, rexec, rsh, etc.?

    Thank you

     
  • At 11:24 PM, Anonymous said…

    This company has a really cool fuzzer that I saw demo'ed at a conference. They call it a security analyzer, but I think it is a fuzzer that has a lot of automation built in.

    Definitely worth a look. Weird name though.

    www.musecurity.com

     
  • At 6:24 AM, Anonymous said…

    Scapy is one more addition.
    http://www.secdev.org/projects/scapy/

     
  • At 9:05 AM, Anonymous said…

    Here is a more recent fuzzer that automates the whole process :

    http://sourceforge.net/projects/jbrofuzz

    The current version supports a more robust set of generations, including basic cross site scripting checks (XSS) as well as basic SQL injection. A number of tests involving buffer overflows (BFO), format string errors (FSE) as well as integer overflows (INT) have been added. Also, a separate panel is present showing the definitions for each and actually what a generator performs.

     
  • At 2:00 PM, Anonymous said…

    Came across these guys at a recent trade show. Really cool stuff!

    The "Mother" of all fuzzers, original developers of "Protos"....

    www.codenomicon.com

    software only solution, 100 plus protocols supported, millions of canned testcases.

    Point and shoot.

     
  • At 8:04 PM, Gouchi said…

    zzuf - multi-purpose fuzzer

    http://sam.zoy.org/zzuf/

     
  • At 8:20 AM, compn said…

    http://sam.zoy.org/zzuf/

    zzuf - multi-purpose fuzzer

     
  • At 11:26 PM, vipin said…

    Sir,
    I am a student of computer science engineering,
    and I want information about how to hack and block any account on any website.
    Please send a reply fast;
    I am waiting for your answer.
    My email id is vipin.zindgi@gmail.com

     
  • At 12:09 PM, Dave said…

    Check out www.fuzzware.net for a generic fuzzing framework based on XML and XML schema

     
  • At 11:05 PM, sbz said…

    Recently, I found that Peach is a cross-platform fuzzer framework written in Python.

    official site: peachfuzz

     
