Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Introduction to SPIKE, the Fuzzer Creation Kit

Published byJake Harris Modified over 10 years ago

Similar presentations

Presentation on theme: "An Introduction to SPIKE, the Fuzzer Creation Kit"— Presentation transcript:

1 An Introduction to SPIKE, the Fuzzer Creation Kit
Insert pretty picture on this slide later Dave Aitel

2 Agenda Demo and Vulnerability Theory Questions throughout and at end
Goals Using the SPIKE API Useful samples included with SPIKE Questions throughout and at end The goals of this talk are to demonstrate how to use SPIKE in an operational setting, and not to explain the SPIKE API and how to reverse engineer a new binary protocol with the aid of SPIKE. That's a whole other talk. You should be able to use SPIKE without knowing any C and still get good things done. If you know C and a minimal amount of perl, SPIKE becomes a powerful tool to use to quickly analyse arbitrary protocols. Without C or Perl, SPIKE can be used to quickly look at applications that already have SPIKE's coded for them, including HTTP applications, Citrix servers, msrpc servers, etc The SPIKE used for this talk is version 1.9. Version 1.8 had an easy to fix memory leak in tcpstuff.c, so if you decide to still use that, then fix it first. :> <GOBBLES> i used to laugh at fuzzers, but then you changed my whole outlook on life!

3 Demo of SPIKE in Action

4 Fes: “I'm always surprised at how effective fuzzers actually are!
Theory SPIKE is a GPL'd API and set of tools that allows you to quickly create network protocol stress testers Most protocols are built around extremely similar data formatting primitives Many of these are already supported in SPIKE Others soon will be. :> Fes: “I'm always surprised at how effective fuzzers actually are!

5 The Goals of SPIKE Find new vulnerabilities by
Making it easy to quickly reproduce a complex binary protocol Develop a base of knowledge within SPIKE about different kinds of bugclasses affecting similar protocols Test old vulnerabilities on new programs Make it easy to manually mess with protocols

6 How the SPIKE API works Unique SPIKE data structure supports lengths and blocks s_block_start(), s_block_end(), s_blocksize_halfword_bigendian(); SPIKE utility routines make dealing with binary data, network code, and common marshalling routines easy s_xdr_string() SPIKE fuzzing framework automates iterating through all potential problem spots s_string(“Host: “); s_string_variable(“localhost”);

7 The SPIKE Datastructure
A SPIKE is a kind of First In First Out Queue or “Buffer Class” A SPIKE can automatically fill in “length fields” s_size_string(“post”,5); s_block_start(“Post”); s_string_variable(“user=bob”); s_block_end(“post”);

8 Blocks can be nested or intertwined
Length Fields Length fields come in many varieties Word/halfword/string Big endian, little endian More than one length field can “listen” for a particular block to be closed Blocks can be nested or intertwined

9 A few basic calls The main call is s_push(buffer,size) underneath everything Currently, there is no s_pop(); String calls: s_string(“hi”); s_string_variable(“hi”); s_binary(“\\x x ”); Can take in all sorts of cut and pasted hexadecimal data without choking Handles white space cleanly

10 Setting up/destroying a SPIKE
Global variables you have to deal with: set_current_spike(*struct spike); spike_clear(); Malloc fun spike_new(); spike_free();

11 Network SPIKE calls Basic TCP connectivity
spike_tcp_connect(host,port); spike_send(); spike_close_tcp(); Basic UDP Connectivity spike_udp_connect(host,port);

12 Fuzzing Framework SPIKE calls
s_string_variable(“”); s_string_repeat(“A”,5000); Equivalent to s_push("perl -e 'print “A” x 5000’”) While loop support s_incrementfuzzstring(); s_incrementfuzzvariable();

13 Advantages to using SPIKE’s fuzzing framework over a perl script
Size values will automatically get updated Can handle binary data cleanly via s_binary(); Already knows about many different types of interesting strings to use for fuzzstrings Integrates cleanly with libntlm or other GPL’d libraries in C for doing encryption or other things for which you don’t already have perl modules

14 The Process of Using SPIKE on an unknown protocol
Use Ethereal to cut and paste the packets into s_binary(); Replace as much of the protocol as possible with deeper level spike calls s_xdr_string(); s_word(); etc Find length fields and mark them out with size calls and s_block_start(), s_block_end(); Make sure protocol still works :> Integrate with fuzzing framework (2 while() loops) and let the SPIKE fuzzer do the boring work Manually mess with the packets to see if you can cause any aberrant behaviour (attach ollydebug first) Write up the exploits

15 The SPIKE scripting language
...is C. s_parse(“filename.spk”); Loads the file line by line and does limited C parsing on it Uses dlopen() and dlsym() and some demarshalling to call any functions found within printf(“Hi %s %s\n”,”dave”,”what's up?”); s_clear(); s_binary(“ ”); Typically a “generic” framework is built, then SPIKE script is used to quickly play with the protocol

16 Current Demo SPIKEs Web Focused MSRPC protocol support
Miscellaneous other demos

17 SPIKE Programs for non Web Apps
msrpcfuzz Citrixfuzz Quake,halflife (UDP demos)

18 Quickstart: msrpcfuzz
First use DCEDUMP (basically rpcinfo against Windows) Then chose a program and port to fuzz Sends valid, but random data structures to that program Watch it crash!

19 SPIKE Programs for Web Apps
ntlm2/ntlm_brute webmitm makewebfuzz.pl webfuzz.c closed_source_web_server_fuzzer generic_web_server_fuzz

20 ntlm_brute and ntlm2 Tries to do a dictionary attack on NTLM authenticating web servers Somewhat slow but easy to parallelize Very simple to use with provided do_ntlm_brute.sh Ntlm2 useful for doing “webfuzz” activity on a page that requires NTLM authentication

21 Webmitm (SPIKE version, not dsniff Version)
Transparent proxy (originally from dsniff) Used to generate http_request files Can do SSL Rewrites Host: headers Cool with “Connection: keep-alive”

22 Makewebfuzz.pl Creates webfuzz.c files from http_request files
Superceeded by SPIKE Console wizardry and generic .spk scripts, but still useful

23 Webfuzz Sends the valid request, but incrementally goes through each variable in the request and checks it for common vulnerabilities

24 A Standard Request GET /login.asp?Username=Dave&Password=Justine
Host: bobsbagoffish.com Content-Length: 16 Server=whitebait

25 A webfuzz request GET /login.asp?Username=../../etc/hosts%00&Password=Justine Host: bobsbagoffish.com Content-Length: 16 Server=whitebait

26 Closed_source_webserver_fuzz
Uses same set of fuzz strings to locate common web server overflows, format string bugs, etc Also useful for rigorous manual testing of one CGI

27 Automating the process of finding SQL injection bugs
odbcwebfuzz.sh Make a directory of captured http_requests using webmitm Compile each of these into a webfuzz using makewebfuzz.pl Run each of these against the server Grep through results for interesting errors (such as ODBC) You just saved 20K! :>

28 When Automation Fails This is an exponential problem!
Unlike commercial alternatives to SPIKE every part of SPIKE is open SPIKE can be extended with any other GPL code I accept patches

29 Examples where automation fails
User Registration that requires a sequence of pages to be hit use SPIKE to automate hitting the first two and then fuzz every variable on a third page More complex web applications that use characters other than '&' to split up variables Page sequences that require some parsed input from a previous page to be included in a submitted request

30 The SPIKE Console wxPython
cross platform pretty Wizards enable quick utilization of SPIKE's capabilities Currently beta, but useful Under heavy development

31 The Future of SPIKE SPIKE Console Improvements
Additional SPIKE protocol demos and updates

32 Conclusion For most standard web applications SPIKE can quickly help you find SQL injection, overflow, and format string bugs SPIKE can be quickly customized for your specific needs Use SPIKE to reverse engineer and fuzz binary protocols in less time than you otherwise could Download for FREE today! Comments to

Download ppt "An Introduction to SPIKE, the Fuzzer Creation Kit"

Similar presentations

Other Web Application Development Technologies. PHP.

Other Web Application Development Technologies. PHP.
© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.

© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.
DB Relay An Introduction. INSPIRATION Database access is WAY TOO HARD The crux.

DB Relay An Introduction. INSPIRATION Database access is WAY TOO HARD The crux.
Compiling Web Scripts for Apache Jacob Matthews Luke Hoban Robby Findler Rice University.

Compiling Web Scripts for Apache Jacob Matthews Luke Hoban Robby Findler Rice University.
SE 370: Programming Web Services Week 4: SOAP & NetBeans Copyright © Steven W. Johnson February 1, 2013.

SE 370: Programming Web Services Week 4: SOAP & NetBeans Copyright © Steven W. Johnson February 1, 2013.
Copyright ©2001-2004 SkyeyTech, Inc. BUGtrack Email Interface.

Copyright © SkyeyTech, Inc. BUGtrack Interface.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
COEN 445 Communication Networks and Protocols Lab 4

COEN 445 Communication Networks and Protocols Lab 4
Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
Remote mailbox access gateway Software lab project.

Remote mailbox access gateway Software lab project.
Python and Web Programming

Python and Web Programming
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Website Development with PHP and MySQL Introduction.

Website Development with PHP and MySQL Introduction.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
8/17/2015CS346 PHP1 Module 1 Introduction to PHP.

8/17/2015CS346 PHP1 Module 1 Introduction to PHP.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Similar presentations

Ads by Google