Thread: [Video] sickfuzz v0.2

  1. #1
    Moderator g0tmi1k's Avatar
    Join Date
    Feb 2010
    Posts
    1,771

    [Video] sickfuzz v0.2

    Links
    Watch video on-line (sickfuzz v0.2): http://g0tmi1k.blip.tv/file/4828127
    Download video (sickfuzz v0.2): http://www.mediafire.com/?8sa8l981w4r363d
    Notes on sickfuzz v0.3: http://www.backtrack-linux.org/forum...tml#post191486
    Install script (sickfuzz v0.3): https://code.google.com/p/sickfuzz/downloads/detail?name=sickfuzz_install.sh


    Brief Overview
    This video is a brief introduction to "fuzzing". The author, sickn3ss, requested a video to demonstrate his latest project, called sickfuzz. You can read what he's got to say about it here.

    Fuzzing is sending invalid, unexpected or random data to the inputs and watching what happens to the program in question. An example: let's say there is a question "Have you got milk?", which has the answers "Yes" or "No". What happens when you try "Maybe", "-1" or "34c96c@23" instead? The results of the program mishandling the input may crash it, leading to security issues such as (un)exploitable buffer overflows, Denial of Service (DoS) etc.

    "A fuzzer is a program which injects automatically semi-random data into a program/stack and detect bugs." ~ OWASP


    Method
    * Setup a web server
    * Check status
    * Fuzz it
    * Watch for response
    * Check status
    * Repeat
    * Analyse captured packets


    What do I need?
    * sickfuzz - Download here
    * Python - Download here (Comes with BackTrack 4 R2)
    * SPIKE - Download here (Comes with BackTrack 4 R2)
    * tshark - Download here (Comes with Wireshark, which can be found in BackTrack 4 R2)
    * Web servers - Below are the ones used in the demonstration
    * Name: Savant Web Server
    * Homepage: http://savant.sourceforge.net/
    * Download: http://www.exploit-db.com/application/10434/
    * Sickfuzz Script: 1

    * Name: PMSoftware Simple Web Server
    * Homepage: http://www.pmx.it/software/sws.asp
    * Download: http://www.pmx.it/software/sws.asp
    * Sickfuzz Script: 5

    * Name: MiniShare
    * Homepage: http://minishare.sourceforge.net/
    * Download: http://ftp.heanet.ie/disk1/sourceforge/m/project/mi/minishare/OldFiles/minishare-1.4.1.exe
    * Sickfuzz Script: 1


    Walk through
    The user first downloads, installs and configures a web server of their choosing. After that, they scan the network for the server and check for the open port.

    After downloading the latest and greatest version of sickfuzz (Don't forget to add it to your svn collection, which simplifies updating it) the user extracts it, runs it for the first time and sees the help screen.

    After typing in all the necessary command line options, and before any fuzzing happens, sickfuzz checks if the port is open; if it is, it automatically starts capturing (using tshark, the command line version of Wireshark), allowing the user to analyse how the web server responds.

    Sickfuzz uses SPIKE to send a collection of known issues for web servers; it currently supports a mixture of techniques in URL and header fuzzing fields:
    * GET /
    * GET /abc=
    * HEAD /
    * POST /
    * GET / (HTTP/1.1)
    * HEAD / (HTTP/1.1)
    * POST / (HTTP/1.1)
    * Authorization:
    * Content-Length:
    * If-Modified-Since:
    * Connection:
    * X-a:

    During the fuzzing, sickfuzz checks to see whether the service has crashed (however, sometimes this doesn't happen until the program has closed. For example, with PMSoftware's SWS it wasn't until the user clicked "Okay" on the crash message that the web server stopped responding). If it (the server) has crashed, sickfuzz will stop and exit.

    After it has tried all the fields, depending on sickfuzz, it will either stop (-scripts x) or try the next field (--scripts all).

    When sickfuzz has ended, the user can then analyse the collected packets for themselves to see what caused the crash.


    Commands
    Code:
    nmap 192.168.0.0/24 -n -sP -sn
    nmap 192.168.0.104 -T5
    clear
    
    tar zxvf sickfuzz_v02.tar.gz
    cd sickfuzz
    ./sickfuzz.py
    
    #Savant Web Server
    nmap 192.168.0.104 -p 80 -sV
    ./sickfuzz.py --spike /pentest/fuzzers/spike/ --fpath /root/sickfuzz/ --script 1 --ip 192.168.0.104 --port 80 --iface eth0 --log /root/
    nmap 192.168.0.104 -p 80 -sV
    clear
    
    #PMSoftware
    firefox -> 192.168.0.104
    firefox -> http://www.exploit-db.com/exploits/945/
    ./sickfuzz.py --script-show
    ./sickfuzz.py --spike /pentest/fuzzers/spike/ --fpath /root/sickfuzz/ --script 5 --ip 192.168.0.104 --port 80 --iface eth0 --log /root/
    wireshark -> Filter -> http && ip.addr == 192.168.0.104
    firefox -> 192.168.0.104
    clear
    
    #MiniShare
    ./sickfuzz.py --spike /pentest/fuzzers/spike/ --fpath /root/sickfuzz/ --script all --ip 192.168.0.104 --port 80 --iface eth0 --log /root/

    Notes
    * For more information on fuzzing, check fuzzing on Wikipedia and OWASP

    Song: Clutch - 10001110101
    Video length: 5:00
    Capture length: 31:19
    Blog Post: http://g0tmi1k.blogspot.com/2011/03/video-sickfuzz-v02.html
    Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/38311-%5Bvideo%5D-sickfuzz-v0-2-a.html#post190745



    ~g0tmi1k
    Last edited by g0tmi1k; 03-13-2011 at 12:21 PM.
    Have you...g0tmi1k?
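The check-status / fuzz / check-status loop from the Method and Walk through sections, as an added Python example that is neither sickfuzz's nor g0tmi1k's code: a constructed loopback stub that stops listening once a request exceeds 512 bytes stands in for the web server, and the probe list reuses the request lines and header fields listed above. The host, port, stub behaviour and junk size are all assumptions made for the example.

```python
import socket, threading
# Constructed stand-in for the web servers fuzzed in the video: it answers normal
# requests and "crashes" (stops listening) once a request exceeds CRASH_LIMIT bytes.
CRASH_LIMIT = 512
def run_stub_server(listener):
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return                      # listener gone: the server is "dead"
        data = conn.recv(8192)
        if len(data) > CRASH_LIMIT:
            listener.close()            # the crash: stop listening first ...
        else:
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        conn.close()                    # ... then drop the client

def start_stub():                       # returns the ephemeral loopback port
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=run_stub_server, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]

def port_open(host, port):              # the "check status" step
    with socket.socket() as s:
        s.settimeout(1)
        return s.connect_ex((host, port)) == 0

def fuzz_cases(size=1000):              # baselines, then a URL and a header full of junk
    junk = "A" * size
    return ["GET / HTTP/1.0\r\n\r\n", "HEAD / HTTP/1.0\r\n\r\n",
            f"GET /{junk} HTTP/1.0\r\n\r\n",
            f"GET / HTTP/1.1\r\nHost: x\r\nAuthorization: {junk}\r\n\r\n"]

def fuzz(host, port, cases):
    """Check status, send a case, re-check; index of the killing case, or -1."""
    assert port_open(host, port), "port is not open, nothing to fuzz"
    for i, case in enumerate(cases):
        try:
            with socket.create_connection((host, port), timeout=1) as s:
                s.sendall(case.encode())
                s.recv(1024)
        except OSError:
            pass                        # a reset here is itself a symptom
        if not port_open(host, port):
            return i
    return -1
def demo():                             # (open before, crashing case index, open after)
    port = start_stub()
    before = port_open("127.0.0.1", port)
    return before, fuzz("127.0.0.1", port, fuzz_cases()), port_open("127.0.0.1", port)
```

Running `demo()` reports the port open before fuzzing, the oversized URL (case index 2) as the request after which the stub stopped answering, and the port closed afterwards, which is the point at which sickfuzz stops and leaves the captured packets for analysis.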

  2. #2
    Just burned his ISO
    Join Date
    Mar 2011
    Posts
    6

    Re: [Video] sickfuzz v0.2

    My my, you have been a busy beaver, haven't you. I'll have to look into this; I haven't checked out your blog in a while... it's on my to-do list, but with everything going on, well... you know. One thing though on the topic: what does sickfuzz do that SPIKE can't do? To me it's a fuzzer that you're using Wireshark or tshark? to do HTTP fuzzing. I'm going to assume the purpose of this is developing BOFs... but not sure.

    Securityxxxpert

  3. #3
    Administrator sickness's Avatar
    Join Date
    Jan 2010
    Location
    Behind the screen.
    Posts
    2,921

    Re: [Video] sickfuzz v0.2

    Quote Originally Posted by securityxxxpert View Post
    My my, you have been a busy beaver, haven't you. I'll have to look into this; I haven't checked out your blog in a while... it's on my to-do list, but with everything going on, well... you know. One thing though on the topic: what does sickfuzz do that SPIKE can't do? To me it's a fuzzer that you're using Wireshark or tshark? to do HTTP fuzzing. I'm going to assume the purpose of this is developing BOFs... but not sure.

    Securityxxxpert
    Hmmm, well if you check g0tmi1k's post carefully you might notice this:

    You can read what he's got to say about it here.
    Also, you ask what sickfuzz does that SPIKE can't do: if you ever tried SPIKE you know that it's a fuzzing framework, you have to tell it what to fuzz. sickfuzz also includes custom .spk scripts to use in the fuzzing process.
    Last edited by sickness; 03-07-2011 at 01:09 PM.
    Back|track giving machine guns to monkeys since 2007!

    Do not read the Wiki, most of your questions will not be answered there!
    Do not take a look at the: Forum Rules!

  4. #4
    Member m0j4h3d's Avatar
    Join Date
    Jan 2010
    Posts
    84

    Re: [Video] sickfuzz v0.2

    great work guys, really like it, am gonna try
    go fw boys
    ---> 3v3RY D4y P4ss3S 1 f0uNd N3W th1NGs <---
    Knowing how 2 use BT dsnt mean that u r hacker

  5. #5
    Senior Member fnord0's Avatar
    Join Date
    Jul 2008
    Posts
    144

    Re: [Video] sickfuzz v0.2

    very nice! congrats both of ya (re: sickness & g0tmi1k) - enjoyed the vid and grabbin' sickfuzz now
    'see the fnords!'

  6. #6
    Senior Member
    Join Date
    May 2010
    Posts
    198

    Re: [Video] sickfuzz v0.2

    worked great

    got a crash on my first try - There goes the rest of my week.
    "Never do anything against conscience -- even if the state demands it."
    -- Albert Einstein

  7. #7
    Moderator g0tmi1k's Avatar
    Join Date
    Feb 2010
    Posts
    1,771

    Re: [Video] sickfuzz v0.2

    Quote Originally Posted by securityxxxpert View Post
    My my, you have been a busy beaver, haven't you. I'll have to look into this; I haven't checked out your blog in a while... it's on my to-do list, but with everything going on, well... you know. One thing though on the topic: what does sickfuzz do that SPIKE can't do? To me it's a fuzzer that you're using Wireshark or tshark? to do HTTP fuzzing. I'm going to assume the purpose of this is developing BOFs... but not sure.

    Securityxxxpert
    sickness did all the hard work as he is the creator of it; I just made the video.
    sickfuzz controls SPIKE, which helps automate it all. Sickfuzz also comes with some custom stuff + useful features (port & status checking, for example).
    Wireshark was used during the video to show data is being sent from sickfuzz (because of SPIKE). It can then be used to analyse in detail what caused the crash afterwards.
    And yes, fuzzing is a method of developing exploits. Here is a good breakdown of it all: http://www.pentest-standard.org/index.php/Exploitation


    Quote Originally Posted by m0j4h3d View Post
    great work guys, really like it, am gonna try
    go fw boys
    Quote Originally Posted by fnord0 View Post
    very nice! congrats both of ya (re: sickness & g0tmi1k) - enjoyed the vid and grabbin' sickfuzz now
    Quote Originally Posted by Scamentology View Post
    worked great

    got a crash on my first try - There goes the rest of my week.
    Thanks for the thanks!
    Great to hear feedback on it all! =)

    hehe Scamentology, sorry about that - Best of luck with it!
    Have you...g0tmi1k?

  8. #8
    Administrator sickness's Avatar
    Join Date
    Jan 2010
    Location
    Behind the screen.
    Posts
    2,921

    Re: [Video] sickfuzz v0.2

    sickfuzz v0.3 is out!

    Download link: http://code.google.com/p/sickfuzz/downloads/list
    svn checkout http://sickfuzz.googlecode.com/svn/trunk/ sickfuzz

    New features:
    - Some SPIKE tweaks.
    - Changed the SPIKE fuzzer.
    - Modified the .spk scripts.
    - More logs available.
    - More detailed help screen as well as output.

    Fixed bugs:
    - Fixed tailing issue, now paths don't have to end with "/".
    - Now stops when app crashes without going over the other scripts.

    Install SPIKE and sickfuzz:

    Code:
    root@bt:~# apt-get install automake
    root@bt:~# rm -rf /pentest/fuzzers/spike/
    root@bt:~# wget -P /tmp http://www.immunitysec.com/downloads/SPIKE2.9.tgz
    root@bt:~# tar xvzf /tmp/SPIKE2.9.tgz -C /pentest/fuzzers && rm /tmp/SPIKE2.9.tgz
    root@bt:~# cd /pentest/fuzzers/SPIKE/SPIKE/src/
    Before actually starting to compile SPIKE we will make a little tweak (thanks to master @lupin for this one!).
    Open up spike.c; there are 2 lines that look like this:
    Code:
     printf("tried to send to a closed socket!\n");
    Each of these 2 lines has a "return 0;" instruction on the next line; we will replace this instruction with "exit(1);", save the file and proceed.
    (NOTE: ONLY REPLACE THOSE 2 INSTRUCTIONS, NOT ALL!)

    Now we can proceed with SPIKE:
    Code:
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector/g' Makefile
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make
    If you get this error:
    Code:
    configure: creating ./config.status
     cd  && /bin/sh ./config.status Makefile
    /bin/sh: ./config.status: No such file or directory
    make: *** [Makefile] Error 127
    Execute the following commands again:
    Code:
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-p$
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make
    It should have worked now.

    Code:
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# mv -f /pentest/fuzzers/SPIKE/SPIKE/src /pentest/fuzzers/spike/
    root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# cd
    root@bt:~# rm -rf /pentest/fuzzers/SPIKE/
    
    root@bt:~# cd /pentest/fuzzers/
    root@bt:/pentest/fuzzers# svn checkout http://sickfuzz.googlecode.com/svn/trunk sickfuzz
    For more info on using SPIKE check out lupin's guides:
    http://resources.infosecinstitute.com/intro-to-fuzzing/
    http://resources.infosecinstitute.co...on-with-spike/
    Last edited by sickness; 03-13-2011 at 12:27 AM.
    Back|track giving machine guns to monkeys since 2007!

    Do not read the Wiki, most of your questions will not be answered there!
    Do not take a look at the: Forum Rules!
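The spike.c tweak described above, as an added Python helper that is not part of sickfuzz or SPIKE: it rewrites only the `return 0;` that directly follows each "tried to send to a closed socket!" printf to `exit(1);`, so SPIKE exits instead of silently returning when the target stops accepting data, and it refuses to write the file unless exactly two such sites are found. The C excerpt is constructed and its function names are placeholders, not SPIKE's.

```python
# Constructed excerpt standing in for spike.c: two closed-socket messages each
# followed by "return 0;", plus an unrelated "return 0;" that must be left alone.
SAMPLE_SPIKE_C = """\
int send_a(void) {
    if (closed) {
        printf("tried to send to a closed socket!\\n");
        return 0;
    }
    return 1;
}
int unrelated(void) {
    printf("something else\\n");
    return 0;
}
int send_b(void) {
    if (closed) {
        printf("tried to send to a closed socket!\\n");
        return 0;
    }
    return 1;
}
"""
MARKER = "tried to send to a closed socket!"

def patch_closed_socket_returns(source):
    """Replace the 'return 0;' on the line after each closed-socket printf with
    'exit(1);' and leave every other 'return 0;' alone. Returns (patched, count)."""
    lines = source.split("\n")
    count = 0
    for i in range(len(lines) - 1):
        nxt = lines[i + 1]
        if MARKER in lines[i] and nxt.strip() == "return 0;":
            lines[i + 1] = nxt.replace("return 0;", "exit(1);")
            count += 1
    return "\n".join(lines), count

def patch_spike_c(path):
    """Apply the tweak to a real spike.c in place, only if exactly two sites are found."""
    with open(path) as f:
        patched, count = patch_closed_socket_returns(f.read())
    if count != 2:
        raise RuntimeError(f"expected 2 closed-socket sites, found {count}; not writing")
    with open(path, "w") as f:
        f.write(patched)
    return count
```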

  9. #9
    Just burned his ISO MREZA's Avatar
    Join Date
    Mar 2011
    Location
    Tehran, Iran
    Posts
    9

    Re: [Video] sickfuzz v0.2

    Whew!!! that was NICE !
