From charlesreid1

 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Fuzzer
Link to more information: https://necurity.co.uk/netsec/2015/03/30/Fun-With-AFL.html#sthash.h9Aurb7C.dpbs


https://necurity.co.uk/netsec/2015/03/30/Fun-With-AFL.html#sthash.h9Aurb7C.dpbs
American fuzzy lop is a program for [[Fuzzing]]. It is very sophisticated and can be instrumented with a binary to do very targeted fuzzing.
 
=About=
 
American fuzzy lop is a program for fuzzing inputs. It is very sophisticated and can be instrumented with a binary to do very targeted fuzzing.


=Installing=
=Installing=
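Review bot: the new intro carries the reference URL twice, once as `Link to more information: https://necurity.co.uk/...` and once bare on the next non-blank line; keep one copy. The sentence `can be instrumented with a binary` also has the relationship backwards: afl-gcc instruments the target binary (the later make output reports `Instrumented 386 locations`), so something like `it instruments the target binary so fuzzing can be very targeted` reads correctly.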
Line 29: Line 25:


Programs that can be fuzzed are those that take input files, usually binary files or unusual formats. (Think mp3, multimedia, images, etc.)
Programs that can be fuzzed are those that take input files, usually binary files or unusual formats. (Think mp3, multimedia, images, etc.)
We'll be fuzzing [[John the Ripper]] to understand how AFL works.
==Compiling John the Ripper==
We want to download and compile John so that it will be instrumented.
===Dependencies===
Start with dependencies - OpenSSL development libs:
<pre>
# apt-get install --fix-missing libssl-dev
</pre>
===Get John the Ripper===


<pre>
<pre>
# git clone git@github.com:magnumripper/JohnTheRipper.git
wget http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.6.tar.gz
# cd JohnTheRipper/src
tar -xvf libressl-2.1.6.tar.gz cd libressl-2.1.6/  
# ./configure --help
CC=~/afl/afl-1.57b/afl-gcc ./configure  
make check
mkdir /root/testing
export DESTDIR=/root/testing/
make install
</pre>
</pre>


===Compile John the Ripper===
[[Image:AmericanFuzzyLoop1.png|500px]]
 
We will compile John the Ripper using American Fuzzy Lop's own GCC:
 
<pre>
CC=/path/to/afl-gcc ./configure
 
[...]
 
config.status: creating Makefile
config.status: creating aes/Makefile
config.status: creating aes/aesni/Makefile
config.status: creating aes/openssl/Makefile
config.status: creating escrypt/Makefile
config.status: creating autoconfig.h
config.status: linking x86-64.h to arch.h
config.status: executing default commands
configure: creating ./fmt_externs.h
afl-cc 2.10b by <lcamtuf@google.com>
configure: creating ./fmt_registers.h
afl-cc 2.10b by <lcamtuf@google.com>
afl-cc 2.10b by <lcamtuf@google.com>
afl-cc 2.10b by <lcamtuf@google.com>
 
Configured for building John the Ripper jumbo:
 
Target CPU ................................. x86_64 SSE4.1, 64-bit LE
AES-NI support ............................. depends on OpenSSL
Target OS .................................. linux-gnu
Cross compiling ............................ no
Legacy arch header ......................... x86-64.h
 
Optional libraries/features found:
Fuzzing test ............................... no
Experimental code .......................... no
OpenMPI support (default disabled) ......... no
Fork support ............................... yes
OpenMP support ............................. yes (not for fast formats)
CUDA support (default disabled by OpenCL) .. no
OpenCL support ............................. no
Generic crypt(3) format .................... yes
Rexgen (extra cracking mode) ............... no
GMP (PRINCE mode and faster SRP formats) ... yes
PCAP (vncpcap2john and SIPdump) ............ no
Z (pkzip format, gpg2john) ................. yes
BZ2 (gpg2john extra decompression logic) ... no
128-bit integer (faster PRINCE mode) ....... yes
Memory map (share/page large files) ........ yes
 
Development options (these may hurt performance when enabled):
Memdbg memory debugging settings ........... disabled
AddressSanitizer ("ASan") .................. disabled
UndefinedBehaviorSanitizer ("UbSan") ....... disabled
 
Install missing libraries to get any needed features that were omitted.
 
Configure finished.  Now 'make clean && make -s' to compile.


</pre>
[[Image:AmericanFuzzyLoop2.png|500px]]


when run make clean and make -s, see lots of output like this:
=Links=


<pre>
Nice overview and tutorial to causing and exploring program crashes: http://necurity.co.uk/netsec/2015-03-26-Fun-With-AFL/#sthash.h9Aurb7C.dpbs
# make clean && make -s


[...]
=Flags=


[+] Instrumented 386 locations (64-bit, non-hardened mode, ratio 100%).
{{FuzzingFlag}}
afl-as 2.10b by <lcamtuf@google.com>
</pre>


Now we have compiled binaries in the <code>run/<code> directory, one level up:
{{KaliFlag}}
 
<pre>
# cd ../run/
# ./john
</pre>
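Review bot: `tar -xvf libressl-2.1.6.tar.gz cd libressl-2.1.6/` is a single tar command, so `cd` and `libressl-2.1.6/` are taken as member names to extract and the shell never changes directory; the following `CC=... ./configure` then runs in the wrong place. Split it into `tar -xvf libressl-2.1.6.tar.gz` and `cd libressl-2.1.6/` (or join them with `&&`). Two smaller points in the same hunk: `CC=~/afl/afl-1.57b/afl-gcc` hard-codes a release that does not match the `afl-cc 2.10b` banner in the configure output, so `CC=afl-gcc` with the installed binary on PATH is less fragile; and `<code>run/<code>` is missing its closing `</code>` tag.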

Latest revision as of 21:40, 16 April 2017

Link to more information: https://necurity.co.uk/netsec/2015/03/30/Fun-With-AFL.html#sthash.h9Aurb7C.dpbs

American fuzzy lop is a program for Fuzzing. It is very sophisticated: it instruments the target binary at compile time, so fuzzing can be very targeted.

Installing

Download the latest release, build it with make, and install it (the binaries land in /usr/local/bin, so run the install step as root):

$ wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
$ tar -xvf afl-latest.tgz
$ cd afl-*
$ make
$ make install

Success!

root@morpheus:~/codes/afl-2.10b# which afl-fuzz
/usr/local/bin/afl-fuzz

Fuzzing a Program

Programs that can be fuzzed are those that take input files, usually binary files or unusual formats. (Think mp3, multimedia, images, etc.)

As an example target, build LibreSSL with afl-gcc as the compiler so the resulting binaries are instrumented:

wget http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.6.tar.gz
tar -xvf libressl-2.1.6.tar.gz
cd libressl-2.1.6/
CC=~/afl/afl-1.57b/afl-gcc ./configure
make check
mkdir /root/testing
export DESTDIR=/root/testing/
make install
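To make concrete what an AFL target looks like, here is an added example that is not part of the wiki page: a small C program that reads one input file, as AFL targets do, and parses a constructed "FZ" record format with explicit bounds checks, so malformed input produces an error return rather than a memory fault. The afl-gcc and afl-fuzz invocations in the comment follow AFL's usual command-line usage, with `@@` standing for the test-case path; the program name, file names and format are assumptions.

```c
/* Added example, not code from the wiki page: a minimal file-parsing
 * target of the kind AFL fuzzes. The "FZ" record format is constructed
 * for this example. Build with afl-gcc so AFL instruments the binary:
 *   afl-gcc -o fz_parse fz_parse.c
 *   mkdir in && printf 'FZ\001\003abc' > in/seed
 *   afl-fuzz -i in -o out ./fz_parse @@     (@@ = path of the test case)
 */
#include <stdio.h>

/* Parse: 2-byte magic "FZ", then records of [type:1][len:1][payload:len].
 * Returns the record count, or -1 for malformed input. Every length is
 * checked against the bytes left, so bad input yields an error return
 * rather than an out-of-bounds read; AFL reports only real crashes. */
int fz_parse(const unsigned char *buf, size_t n, unsigned long *payload_sum)
{
    size_t pos = 2;
    int records = 0;
    unsigned long sum = 0;
    if (n < 2 || buf[0] != 'F' || buf[1] != 'Z')
        return -1;                          /* missing or wrong magic */
    while (pos < n) {
        if (n - pos < 2)
            return -1;                      /* truncated record header */
        unsigned char type = buf[pos];
        size_t len = buf[pos + 1];
        pos += 2;
        if (len > n - pos)
            return -1;                      /* payload runs past the end */
        if (type == 1)                      /* type 1: sum the payload */
            for (size_t i = 0; i < len; i++)
                sum += buf[pos + i];
        pos += len;                         /* other types: skip payload */
        records++;
    }
    if (payload_sum)
        *payload_sum = sum;
    return records;
}

int main(int argc, char **argv)
{
    FILE *f = argc == 2 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    static unsigned char buf[1 << 16];      /* cap input at 64 KiB */
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    unsigned long sum = 0;
    int r = fz_parse(buf, n, &sum);
    printf("%s: %d records, payload sum %lu\n", r < 0 ? "malformed" : "ok", r, sum);
    return r < 0 ? 1 : 0;
}
```

A crash or hang on some generated file is what afl-fuzz records as a finding; with the checks above, truncated or oversized records only produce the error exit.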

AmericanFuzzyLoop1.png

AmericanFuzzyLoop2.png

Links

Nice overview and tutorial on causing and exploring program crashes: http://necurity.co.uk/netsec/2015-03-26-Fun-With-AFL/#sthash.h9Aurb7C.dpbs