Who am I?
• NCC Group Research Director
• >20 years in information security
• Still very hands-on
• Enjoy testing more unusual technologies
• Also developing tools to test them
What is Zulu?
• Zulu is an interactive GUI-based fuzzer
• Written in Python
• As much as possible, input and output-agnostic
• Multiple modules
• Extendible via ZuluScript
Motivations behind the tool
• I had lots of unique “fuzzer scripts”
• Fuzzing frameworks have a steep learning curve
• Fuzzers should be quick and easy to set up
• Wanted a point-and-click solution
• Needed to be scriptable to add complexity where required
Zulu basics – the GUI
Zulu basics – typical data
Zulu basics – the console
File structure
• /bin - Zulu binaries and custom.py (ZuluScript Python)
• /crashfiles - When file fuzzing, files that have caused the target to crash
• /fuzzdb - the fuzzer testcase files
• /images - images used by the GUI
• /logs - log files
• /pcap - when Wireshark integration is enabled, auto-generated PCAP files
• /PoC - when a crash occurs a PoC is auto-generated
• /sessions - configuration options and captured packets
• /tempfiles - when file fuzzing, temp manipulated files are stored here
• /templates - the template used to generate the PoC files is in here
Proxy-based network module
Configure the proxy
Use the standard network client
Select some fuzz points
Select mutators
Select output method
Start fuzzing
Instrumentation and triage
Other inputs: PCAP files
Wireshark captures
Importing a PCAP
File module
Select input file
Select file fuzzer + fuzz process
Fuzz process + debugging
USB module
Graphic USB
Import generator script
Select USB fuzzer
Fuzzer running
Serial module
Serial settings
Serial data capture
Serial fuzzing
Wireshark integration
Point to Wireshark binary
Auto-load Wireshark
VMware integration
Select file fuzzer + fuzz process
GUI-power
Adding a length field
No need to watch! Email alerts
Select email settings
Advanced features - ZuluScript
Using ZuluScript
• How do you modify a packet after the mutator but before being processed by the target?
• The answer is by using ZuluScript
• Python script stored in a special file (/bin/custom.py)
• Includes a sample UpdateContentLengthField() function
Access to data
• self.packets_selected_to_send = list of packets selected to send [[packet number, data],[packet number, data]...]
• self.all_packets_captured = list of all packets captured [[[source IP,source port],data], [[source IP,source port],data]...]
• self.modified_data = list of all the data in the current packet (after any modification with fuzzpoint data) [byte1, byte2, byte3...]
• self.current_packet_number = the number of the current packet being processed (packet 0 is the first packet)
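The kind of post-mutation fix-up ZuluScript is meant for, shown as an added example that is not taken from Zulu's custom.py: it recomputes an HTTP Content-Length header so a mutated body still passes the target's length check and reaches deeper parsing code. It assumes modified_data holds integer byte values; the function name update_content_length and the sample request are constructed for illustration, and Zulu's own UpdateContentLengthField() may differ.

```python
import re

HEADER_END = b"\r\n\r\n"
# Match the whole Content-Length line value, case-insensitively, even if
# the mutator left something non-numeric there.
_CL_LINE = re.compile(rb"(?im)^(Content-Length:[ \t]*)[^\r\n]*")


def update_content_length(modified_data):
    """Return a copy of the packet with Content-Length set to the body size.

    modified_data: list of ints 0-255 (assumed layout of self.modified_data).
    Packets with no header/body separator or no Content-Length header are
    returned unchanged, so non-HTTP packets in a session pass through.
    """
    raw = bytes(modified_data)
    # Split on the first blank line, as an HTTP parser on the target would.
    head, sep, body = raw.partition(HEADER_END)
    if not sep:
        return list(modified_data)
    new_head, hits = _CL_LINE.subn(
        lambda m: m.group(1) + str(len(body)).encode("ascii"), head, count=1
    )
    if hits == 0:
        return list(modified_data)
    return list(new_head + sep + body)


def demo():
    """Constructed sample: a 9-byte body grown by 64 bytes of mutator data."""
    original = (b"POST /login HTTP/1.1\r\nHost: target\r\n"
                b"Content-Length: 9\r\n\r\nuser=test")
    mutated = list(original) + [0x41] * 64  # stands in for fuzzpoint output
    return bytes(update_content_length(mutated))


if __name__ == "__main__":
    print(demo().split(HEADER_END)[0].decode())
```

In a ZuluScript hook the call would be applied to self.modified_data for the packet indicated by self.current_packet_number; how custom.py wires that in is not shown on the slides.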
Bugs that Zulu has found
• Samba 'AndX' request remote heap overflow (CVE-2012-0870)
• Oracle 11g TNS listener remote null pointer dereference
• Apple OS X USB Hub Descriptor bNbrPorts Field Handling Memory Corruption
• …and many others that haven’t been fixed yet
Zulu is available on GitHub
Zulu can be downloaded today at:
https://github.com/nccgroup/zulu