19 January, 2007

More Fuzzing - Details


Fuzzing was a very popular post but I can tell from some of my emails that there are a lot of people that really, really don't get it.

They seem to think that fuzzing is some sort of new hacking or pen testing method and that you can use it to get into a remote system that you know little or nothing about.

Nothing could be further from the truth.

First of all, fuzzing has been out there for quite some time and is not new. Secondly, it can help you find a weakness, but only if you already have visibility of what is occurring.

Wiki has a pretty good description of what it really is.

Basically, in order to properly fuzz you need to have total access to the target system and application and have the ability to do verbose logging (or at least watch the process's failures). All it is, is jamming random (well, more often targeted random) garbage at an input interface to the application. That input interface can be a table in a database, an entry field in a GUI form, a web form, an IPC mechanism, or a TCP or UDP port.

What the fuzzing tools do is make it easy to get to the point where you can most effectively spew the garbage, sometimes help you choose what kind of stink you want that garbage to have, and finally watch what happens to the systems and apps when you do.

I'll repeat. Fuzzing will not help you (directly, at least) break into a system you do not already have access to. With a few exceptions, the best you can do with it is cause a fault, and even then it is often only likely if you already have a pretty good idea of how to make it happen.

If you know what you are doing, PHP and/or Perl combined with detailed protocol and application interface documentation are the best fuzzing tools out there. Near-unlimited versatility is the biggest reason I say this. The tools mentioned in the Computer Defense post are all great at getting you to the point of the data entry and even helping with the random spew, but ultimately you have to be able to analyze the failures (if any) that occur to get any value out of it.

If you are trying to find a completely new less-than-zero-day, they can help some, but even then it is kind of like the infinite monkeys meme (certainly some will write great books) unless you already have a pretty good idea of what you are looking for.

Some of the tools can also be useful in manipulating systems in other ways, but that really isn't fuzzing.
