Nmap Development mailing list archives
Re: DNS fuzzer
From: David Fifield <david () bamsoftware com>
Date: Fri, 26 Mar 2010 18:46:31 -0600
On Sun, Mar 21, 2010 at 07:28:14PM -0400, Michael Pattrick wrote:
I've been playing with Bind10 lately, I wanted to incorporate fuzz testing in the mix but could only find one DNS fuzzer[0]. It didn't really suit my needs and was closed source so I wrote my own. Attached is my fuzzer. It's a very naive fuzzer and hasn't found any flaws yet, so I'd appreciate feedback on it or suggestions on how such a fuzzer could be improved.
Your script needs some more documentation. I can't tell what it does from just looking at it. In your "description" field, explain at a high level what the script is doing and how many packets it's sending. What do the makeHost and nudgePacket functions do? They seem to be the heart of the fuzzer and so they need documentation.

I understand that since you may be making broken packets, you can't use the dns library for everything, but if you find a place where you can make use of it then you should.

A good fuzzing technique would be abuse of the DNS "compression" facility discussed in section 4.1.4 of RFC 1035. Try making compression pointers that point into the packet header, at themselves, past the end of the packet, anything you can think of.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
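The compression-pointer abuse suggested above, as an added worked example in Python. It is not part of Michael Pattrick's fuzzer, nor of Nmap's NSE dns library: it builds the malformed questions David describes (a pointer into the header, a pointer at itself, a pointer past the end of the packet, a forward pointer, and a two-hop cycle), and pairs them with a strict name decoder of the kind a target should have, so you can see which RFC 1035 4.1.4 rule each case violates. All packet bytes are constructed inline; every function name (pointer, encode_name, make_query, fuzz_cases, read_name, parse_question, classify, make_valid_response) is this example's own.

```python
import struct

HEADER_LEN = 12  # fixed DNS header: id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def pointer(offset: int) -> bytes:
    """Compression pointer per RFC 1035 4.1.4: two high bits set, 14-bit offset."""
    if not 0 <= offset < 0x4000:
        raise ValueError("pointer offset must fit in 14 bits")
    return struct.pack("!H", 0xC000 | offset)


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels terminated by a zero octet."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_query(qname: bytes, qtype: int = 1, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Header with RD set and QDCOUNT=1, then a raw (possibly malformed) QNAME."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, qclass)


def fuzz_cases() -> dict:
    """Constructed questions whose QNAME abuses compression pointers (hypothetical test data)."""
    return {
        "into_header": make_query(pointer(0)),                 # target is the transaction id
        "self_loop": make_query(pointer(HEADER_LEN)),          # pointer points at itself
        "past_end": make_query(pointer(0x3FFF)),               # target far beyond the packet
        "forward": make_query(pointer(HEADER_LEN + 3)),        # target inside the QTYPE/QCLASS bytes
        "label_then_loop": make_query(b"\x01a" + pointer(HEADER_LEN)),  # "a", then back to offset 12: cycle
    }


def read_name(pkt: bytes, offset: int, max_jumps: int = 8) -> tuple:
    """Strict decoder: returns (name, offset just past the name in the original stream).

    Rejects every case above: bounds on every read, pointers must be backward
    (RFC 1035 says "prior occurrence"), must not land in the header, and a hop
    budget catches cycles that backward-only checking alone cannot."""
    labels, total, jumps, end, pos = [], 0, 0, None, offset
    while True:
        if pos >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[pos]
        if length & 0xC0 == 0xC0:
            if pos + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | pkt[pos + 1]
            if end is None:
                end = pos + 2           # the name occupies two octets in the caller's stream
            if target >= len(pkt):
                raise ValueError("pointer past end of packet")
            if target < HEADER_LEN:
                raise ValueError("pointer into header")
            if target >= pos:
                raise ValueError("pointer does not point backwards")
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("too many pointer hops")
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:
            pos += 1
            break
        if pos + 1 + length > len(pkt):
            raise ValueError("label runs past end of packet")
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        total += length + 1
        if total > 255:
            raise ValueError("name exceeds 255 octets")
        pos += 1 + length
    return ".".join(labels) + ".", (pos if end is None else end)


def parse_question(pkt: bytes) -> tuple:
    """Decode the single question section: (qname, qtype, qclass)."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short header")
    if struct.unpack("!H", pkt[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    name, end = read_name(pkt, HEADER_LEN)
    if end + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[end:end + 4])
    return name, qtype, qclass


def classify(cases: dict) -> dict:
    """Run the strict parser over each case; record the decoded name or the rejection reason."""
    results = {}
    for label, pkt in cases.items():
        try:
            results[label] = "ok:" + parse_question(pkt)[0]
        except ValueError as exc:
            results[label] = "rejected:" + str(exc)
    return results


def make_valid_response() -> bytes:
    """Well-formed answer whose RR owner name is a legal backward pointer to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    rr = pointer(HEADER_LEN) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + rr


if __name__ == "__main__":
    for case, verdict in classify(fuzz_cases()).items():
        print(f"{case:16s} {verdict}")
    print("valid RR owner name:", read_name(make_valid_response(), 29))
```

To use the malformed cases against a real target, send each `fuzz_cases()` value over UDP to port 53 and watch for a missing reply or a crash; the `read_name` half is the check to run on the responses you get back, since a server that mishandles pointers in a question may also emit them. The `label_then_loop` case is the instructive one: a "pointers must go backwards" rule on its own does not stop it, only the hop budget does.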
Current thread:
- DNS fuzzer Michael Pattrick (Mar 21)
- Re: DNS fuzzer David Fifield (Mar 26)
- Re: DNS fuzzer David Fifield (Mar 26)
- Re: DNS fuzzer Michael Pattrick (Mar 27)
- Re: DNS fuzzer Ron (Mar 27)
- Re: DNS fuzzer Patrik Karlsson (Mar 27)
- Re: DNS fuzzer Michael Pattrick (Mar 27)
- Re: DNS fuzzer David Fifield (Mar 29)
- Re: DNS fuzzer Michael Pattrick (Mar 29)
- Re: DNS fuzzer David Fifield (Mar 26)