Nmap Development mailing list archives

Re: DNS fuzzer


From: David Fifield <david () bamsoftware com>
Date: Mon, 29 Mar 2010 11:11:52 -0600

On Sat, Mar 27, 2010 at 03:19:02AM -0400, Michael Pattrick wrote:
> On Fri, Mar 26, 2010 at 8:46 PM, David Fifield <david () bamsoftware com> wrote:
> > On Sun, Mar 21, 2010 at 07:28:14PM -0400, Michael Pattrick wrote:
> > > I've been playing with Bind10 lately; I wanted to incorporate fuzz
> > > testing in the mix but could only find one DNS fuzzer[0]. It didn't
> > > really suit my needs and was closed source so I wrote my own. Attached
> > > is my fuzzer.
> > >
> > > It's a very naive fuzzer and hasn't found any flaws yet, so I'd
> > > appreciate feedback on it or suggestions on how such a fuzzer could be
> > > improved.
> >
> > Your script needs some more documentation. I can't tell what it does
> > from just looking at it. In your "description" field, explain at a high
> > level what the script is doing and how many packets it's sending.
>
> New version, with docs, attached.

Thanks, this is good.

> > I understand that since you may be making broken packets, you can't use
> > the dns library for everything, but if you find a place where you can
> > make use of it then you should.
>
> The DNS library doesn't appear to support sending compressed DNS
> queries. The basic operation of this fuzzer is to induce bit errors.
> Sort of like the 'dumb fuzzers' described by Charlie Miller and used
> to win this year's Pwn2Own.
>
> And just to clarify, I don't think this script should be included by
> default with Nmap. Instead I'm leaving it on the mailing list to be
> discovered by anyone who needs it.

On the contrary, I think there is a place for scripts like this. The "vuln"
category works even though it's testing for a general, not a specific,
vulnerability.

I'd like to include this script if it can be made not to run forever,
instead running some fixed number of rounds (controlled by a script
argument). I would like to see other fuzzing techniques too, though of
course those can be added incrementally. I'm thinking something like 100
rounds each of:

* Randomly swap bits (like you have now).
* Randomly drop bytes.
* Randomly duplicate bytes.
* Randomly swap bytes.
* Truncate packets at a random location.

Plus:

* A standard battery of invalid compressed names.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
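The mutation list above (bit flips, dropped, duplicated and swapped bytes, random truncation) together with the "battery of invalid compressed names", as an added example written for this archive page in Python rather than as an NSE script. It is not Michael's attached fuzzer, which is not reproduced here, and not code from Nmap or its DNS library; the query builder, the packet offsets and the sample names are all constructed for illustration. Every strategy runs for a fixed number of rounds from a seed, the way David asks for, and packets are only generated and checked in memory. `parse_name` shows the defender's side: the bounds and backwards-only-pointer checks that let a resolver's name parser reject the whole battery.

```python
"""Added example: fixed-round byte mutations of a DNS query, a constructed
battery of invalid compressed names, and a defensive name parser."""
import random
import struct

HEADER_LEN = 12  # fixed-size DNS header; the question section starts here


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal, well-formed query: header + one QNAME/QTYPE/QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN


# --- mutation strategies; each takes the base packet and a seeded RNG ---

def flip_bits(pkt: bytes, rng: random.Random, nbits: int = 1) -> bytes:
    """Flip `nbits` randomly chosen bits (the strategy the original script uses)."""
    buf = bytearray(pkt)
    for _ in range(nbits):
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)


def drop_byte(pkt: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(pkt))
    return pkt[:i] + pkt[i + 1:]


def duplicate_byte(pkt: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(pkt))
    return pkt[:i + 1] + pkt[i:]


def swap_bytes(pkt: bytes, rng: random.Random) -> bytes:
    buf = bytearray(pkt)
    i, j = rng.sample(range(len(buf)), 2)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


def truncate(pkt: bytes, rng: random.Random) -> bytes:
    """Cut the packet at a random point, keeping at least one byte."""
    return pkt[: rng.randrange(1, len(pkt))]


MUTATORS = {
    "flip_bits": flip_bits,
    "drop_byte": drop_byte,
    "duplicate_byte": duplicate_byte,
    "swap_bytes": swap_bytes,
    "truncate": truncate,
}


def generate_cases(base: bytes, rounds: int = 100, seed: int = 0):
    """Yield (strategy, packet) for a fixed number of rounds per strategy.
    The seed makes a crashing round reproducible instead of running forever."""
    rng = random.Random(seed)
    for name, mutate in MUTATORS.items():
        for _ in range(rounds):
            yield name, mutate(base, rng)


def invalid_compressed_names(txid: int = 0x1234) -> dict:
    """Constructed battery of malformed QNAMEs (RFC 1035 4.1.4 compression)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    tail = struct.pack(">HH", 1, 1)
    return {
        "self_pointer": header + b"\xc0\x0c" + tail,            # points at its own offset (12)
        "out_of_range": header + b"\xc0\xff" + tail,            # points past the end of the packet
        "forward_pointer": header + b"\x03www\xc0\x11" + tail,  # points ahead, into the pointer itself
        "reserved_label_type": header + b"\x80" + tail,         # label type bits 10 are reserved
        "label_overruns_packet": header + b"\x05abc",           # length byte exceeds the data left
    }


def parse_name(pkt: bytes, offset: int, max_jumps: int = 8):
    """Decode a possibly compressed name defensively.
    Returns (labels, end_offset), or None when the name is malformed."""
    labels, jumps, end = [], 0, None
    while True:
        if offset >= len(pkt):
            return None
        length = pkt[offset]
        if length == 0:
            return labels, (offset + 1 if end is None else end)
        if length & 0xC0 == 0xC0:  # compression pointer
            if offset + 1 >= len(pkt):
                return None
            target = ((length & 0x3F) << 8) | pkt[offset + 1]
            if end is None:
                end = offset + 2  # the name's own bytes end at the first pointer
            # a pointer may only refer to a *prior* occurrence; that also rules out loops
            if target >= offset or jumps >= max_jumps:
                return None
            jumps += 1
            offset = target
            continue
        if length & 0xC0:  # 0x40 / 0x80 label types are not plain labels
            return None
        if offset + 1 + length > len(pkt):
            return None
        labels.append(pkt[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


if __name__ == "__main__":
    base = build_query("example.com")
    cases = list(generate_cases(base, rounds=100, seed=1))
    print(f"{len(cases)} mutated packets; first: {cases[0][0]} {cases[0][1].hex()}")
    for name, pkt in invalid_compressed_names().items():
        verdict = "rejected" if parse_name(pkt, HEADER_LEN) is None else "ACCEPTED"
        print(f"{name:22s} -> {verdict}")
```

Feeding the cases to a resolver under test is just sending each packet over UDP and watching for a crash or hang; keeping the seed and the round index is what makes a failure reproducible. The two checks in `parse_name` that matter are the length-versus-packet bound on every label and the rule that a pointer must point strictly backwards, which is what makes self-pointers, forward pointers and pointer loops unreachable for a correctly written parser.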