nullcon 2010 - Software Fuzzing with Wireplay
2 likes798 views
Wireplay is an approach to fuzz testing that involves replaying captured TCP sessions and modifying packets using embedded Ruby hooks. It aims to overcome limitations of block-based fuzzing by not requiring knowledge of protocols. The tool Wireplay implements this approach, allowing users to write Ruby hooks to arbitrarily manipulate packet data and replay sessions to a target for finding security bugs with less code than other fuzzing methods.
nullcon 2010 - Software Fuzzing with Wireplay
- 1. Wireplay: An approach to almost Blind Fuzzing - Abhisek Datta nullcon Goa 2010 http://nullcon.net
- 2. Agenda Little Theory about fuzzing Problems & Solution Introducing Wireplay Field Testing Wireplay Hooks nullcon Goa 2010 http://nullcon.net
- 3. Fuzz Testing != Hacking Feeding random/semi-random valid/invalid data set to various input interfaces of a program and monitor for possible faults! Fuzzing does find expensive security bugs! nullcon Goa 2010 http://nullcon.net
- 4. Fuzz Testing aka. Fuzzing SELECT name FROM users WHERE id = 10 Example SELECT Server AAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA Monitored Environment AAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA FROM users WHERE id = 10 nullcon Goa 2010 http://nullcon.net
- 5. Block Based Modeling A theoretical approach to model the problem of Fuzzing. Original (valid) Input Set is tokenized (blocks) and each token is fuzzed periodically. Better approach than blind fuzzing, however you need to write a LOT of code! • SPIKE, Peach, Sully etc. nullcon Goa 2010 http://nullcon.net
- 6. Block Based Fuzzing GET /index.html HTTP/1.1 Host: foo.com User-Agent: wget/1.10.2 GET Index.html Host Wget/1.10.2 User-Agent foo.com nullcon Goa 2010 http://nullcon.net
- 7. Block Based Fuzzing for-each-token data.replace(token, get_random()) target.send(data) end nullcon Goa 2010 http://nullcon.net
- 8. Block Based Fuzzing GET <BIG-RANDOM-STRING> HTTP/1.1 Host: foo.com User-Agent: wget/1.10.2 nullcon Goa 2010 http://nullcon.net
- 9. Block Based Fuzzing: Problems Tokenization needs knowledge of protocol. Lots of protocols. Proprietary protocols. Time Consuming. ETC. nullcon Goa 2010 http://nullcon.net
- 10. Introducing Wireplay Minimalist approach to replay TCP Sessions with modifications as required. Use your valid client to connect to the server. Capture the packets (Wireshark?) Feed them to Wireplay for replay Use Wireplay hooks to modify original packets and replay nullcon Goa 2010 http://nullcon.net
- 11. Wireplay: Functional Flow Original Client Sniffer Original Server PCAP Wireplay http://code.google.com/p/wireplay nullcon Goa 2010 http://nullcon.net
- 12. Wireplay Features TCP Stream replay TCP Session reconstruction via. modified libnids (bug fixes) Plugin Subsystem Ruby Interpreter Embedded as Plugin Supports Packet Mangling hooks written in Ruby CGEN: A ruby plugin to generate a C program to reproduce a TCP Session nullcon Goa 2010 http://nullcon.net
- 13. Wireplay: Basic Usage bash$ wireplay –r client -t 172.16.0.1 -p 80 -F pcap/http.pcap -K # optional nullcon Goa 2010 http://nullcon.net
- 14. Wireplay: Fuzzing Hook Subsystem for arbitrary data manipulation. Embedded Ruby Interpreter and API set for writing packet manipulation hooks in Ruby Misc. features to repeat fuzz sessions, ignore errors, halt on connection fault etc. nullcon Goa 2010 http://nullcon.net
- 15. Wireplay: Hook System Connect To Target 1 Events 1. On Start Read Next Packet Disconnect 2. On Data 3. On Stop 3 4. On Error Is Client to Read fromServer Server Data 2 2 Send to Server nullcon Goa 2010 http://nullcon.net
- 16. Wireplay: Packet Hook in Ruby Define your arbitrary class with the following methods: on_start(pkt_desc) on_stop(pkt_desc) on_data(pkt_desc, direction, data) on_error(pkt_desc, code) Register an object of your class with Wireplay Hook Subsystem Wireplay::Hooks.register(YourClass.new) nullcon Goa 2010 http://nullcon.net
- 17. Wireplay: Sample Hooks Blind Byte Alternation (blind.rb) Alters each byte from the original payload with single or multiple bytes for fuzzing. CGEN (cgen.rb) Generates C program to replay a TCP session. Use for PoC generation. nullcon Goa 2010 http://nullcon.net
- 18. Wireplay: Demo nullcon Goa 2010 http://nullcon.net
- 19. Thank You.. svn co http://wireplay.googlecode.com/svn/trunk wireplay http://code.google.com/p/wireplay/ nullcon Goa 2010 http://nullcon.net