I have finally started working through a few examples from a book I got a while back titled "Fuzzing: Brute Force Vulnerability Discovery" by Michael Sutton, Adam Greene, and Pedram Amini. It is an exciting read. If you add this book, a few good bags of coffee, a copy of "Penetration Tester's Open Source Toolkit, Volume 2" by Chris Hurley, and a copy of "The Monkey Wrench Gang" by Edward Abbey, you just might pee your pants.
I checked out a few fuzzing frameworks that are available and I am going to pass on some criticisms, recommendations, and offer one of my initial attempts at writing a fuzzer.
Spike and Spike Proxy - Spike is a good framework for doing some serious fuzzing. It is considered the industry standard for fuzzing. Spike Proxy, written in python, runs a proxy on your box that you point your browser to; you then browse through a site and fuzz all the arguments that were used. Both are designed to be extended to meet the needs of punishing your target. I messed around with Spike Proxy a little bit and found its web interface a bit unintuitive, but was impressed at the thoroughness of abuse it gave to my application. In the end I was turned off by its size, lack of documentation, and seeming inability to create reusable components.
Peach - If you are looking for a beefcake, macho fuzzer like Spike that does allow for creating reusable components, then you will like Peach. Version one is included with BackTrack v3, but requires you to write in python. Version 2, which was just released in time for Black Hat 2008, has you write the fuzzer in XML. I spent some time going through an example of fuzzing the wav file format and was pretty impressed with the robustness of this fuzzer. The one main benefit here is that there are components that are capable of attaching to all aspects of the target. For example, if you are testing a three-tiered system where there is a webserver on one host and a database server on another, you can create a monitor to run a debugger on the target webserver process, and a separate monitor to track system stats on the database host. This is really useful when you are running a large number of automated tests on a system and you do in fact crash it or generate some useful error condition. In this situation you are left asking "What test / code path generated this error?". Using Peach's monitor agents makes answering this question easy when compared to other frameworks. Additional features include the ability to do kernel level fuzzing, and run fuzzers in parallel.
RFuzz - This is a simple Ruby library that provides you a fuzzable web client, and a framework for running some simple tests against a service, generating response statistics along the way. Since I have been interested in doing more testing with metasploit, just met postmodern who is working on a ruby replacement / extension of metasploit called Ronin, and wanting to share flatline's love of ruby on rails, I decided to dive in. This truly is a pretty basic framework. I wrote a simple brute force password cracker for Drupal that only uses its client, ignores its Random Generator, and doesn't use the test harness (see attachment). Basically it barely uses the lib. The general idea with this framework is that you define a web based target, run a bunch of tests using random data, then generate a bunch of statistics on the tests. By looking at the generated statistics you should be able to narrow down your attack vector.
At the end of all this I realized what I really want is a well documented fuzzing framework, with examples, a mutator and random value generator interface, allowing you to feed it some kind of libpcap file (output from tcpdump or Wireshark), and that allows you to target specific components of a web application like Drupal with a quick learning curve. I am doubtful of whether this framework exists or not, but plan on continuing to look into GPF (included with BackTrack), and OWASP Tools aka WebScarab (this organization is an interesting 501(c)(3) with a non-hierarchical infrastructure).
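A sketch of the pieces that wishlist asks for, added here as an example and not code from the original post or from any of the frameworks discussed: a minimal libpcap reader that pulls HTTP request payloads out of a capture as seeds, plus a mutator and random value generator interface that turns each seed into test cases. It assumes a classic little-endian pcap with Ethernet/IPv4/TCP frames and builds its own one-packet capture inline so it runs offline.

```python
import random
import re
import struct
# Constructed sample capture (classic little-endian libpcap, Ethernet/IPv4/TCP) carrying one
# HTTP request so the example runs offline; a real capture would come from tcpdump or Wireshark.
def build_sample_pcap(payload: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    frame = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
def tcp_payloads(pcap: bytes, port: int = 80) -> list:
    """Return TCP payloads sent to `port` from a little-endian pcap (Ethernet/IPv4 only)."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian microsecond libpcap, not pcapng")
    out, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 over Ethernet, TCP only
            continue
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        dport, doff = struct.unpack("!H", tcp[2:4])[0], (tcp[12] >> 4) * 4
        if dport == port and len(tcp) > doff:
            out.append(tcp[doff:])
    return out
class Mutator:
    """Mutator plus random value generator: each strategy turns one seed into one test case."""
    def __init__(self, rng_seed: int = 0):
        self.rng = random.Random(rng_seed)  # fixed seed so a crashing case can be replayed
    def random_value(self) -> bytes:
        # Generator values: boundary integers, an overlong run, a format string, a NUL escape.
        return self.rng.choice([b"-1", b"0", b"4294967296", b"A" * 4096, b"%s%n", b"%00"])
    def bit_flip(self, seed: bytes) -> bytes:
        b = bytearray(seed)
        b[self.rng.randrange(len(b))] ^= 1 << self.rng.randrange(8)
        return bytes(b)
    def swap_field(self, seed: bytes) -> bytes:
        # Replace the value of one key=value pair (query string or form body); no pair, no change.
        fields = list(re.finditer(rb"=([^&\s]*)", seed))
        if not fields:
            return seed
        m = self.rng.choice(fields)
        return seed[:m.start(1)] + self.random_value() + seed[m.end(1):]
    def cases(self, seed: bytes, n: int) -> list:
        return [self.rng.choice([self.bit_flip, self.swap_field])(seed) for _ in range(n)]
```

Feeding `tcp_payloads(open("capture.pcap", "rb").read())` into `Mutator().cases(seed, n)` gives you replayable test cases for each request seen in the capture; the statistics and monitoring side is left to the harness of whichever framework you pair it with.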
Until next time,
with /dev/urandom all over your backups,
evoltech