Nmap Development mailing list archives
Re: DNS fuzzer
From: David Fifield <david () bamsoftware com>
Date: Mon, 29 Mar 2010 11:11:52 -0600
On Sat, Mar 27, 2010 at 03:19:02AM -0400, Michael Pattrick wrote:
> On Fri, Mar 26, 2010 at 8:46 PM, David Fifield <david () bamsoftware com> wrote:
> > On Sun, Mar 21, 2010 at 07:28:14PM -0400, Michael Pattrick wrote:
> > > I've been playing with Bind10 lately; I wanted to incorporate fuzz testing in the mix but could only find one DNS fuzzer[0]. It didn't really suit my needs and was closed source, so I wrote my own. Attached is my fuzzer. It's a very naive fuzzer and hasn't found any flaws yet, so I'd appreciate feedback on it or suggestions on how such a fuzzer could be improved.
> >
> > Your script needs some more documentation. I can't tell what it does from just looking at it. In your "description" field, explain at a high level what the script is doing and how many packets it's sending.
>
> New version, with docs, attached.
Thanks, this is good.
> > I understand that since you may be making broken packets, you can't use the dns library for everything, but if you find a place where you can make use of it then you should.
>
> The DNS library doesn't appear to support sending compressed DNS queries. The basic operation of this fuzzer is to induce bit errors, sort of like the 'dumb fuzzers' described by Charlie Miller and used to win this year's Pwn2Own. And just to clarify, I don't think this script should be included by default with Nmap. Instead I'm leaving it on the mailing list to be discovered by anyone who needs it.
On the contrary, I think there is a place for scripts like this. The "vuln" category works even though it's testing for a general, not a specific, vulnerability. I'd like to include this script if it can be made not to run forever, instead running some fixed number of rounds (controlled by a script argument). I would like to see other fuzzing techniques too, though of course those can be added incrementally. I'm thinking something like 100 rounds each of:

* Randomly swap bits (like you have now).
* Randomly drop bytes.
* Randomly duplicate bytes.
* Randomly swap bytes.
* Truncate packets at a random location.

Plus:

* A standard battery of invalid compressed names.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
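As an added illustration of the round-limited mutation strategy listed in this reply (this is example code written for this archive page, not the NSE script attached to the thread and not Nmap's or BIND 10's code), the Python below implements the five byte-level mutators, runs each for a fixed, seeded number of rounds against a single base query, and classifies how a parser under test responds. The sample query, the toy `parse_query` target, and every function name here are constructed for the example; it is written in Python rather than NSE Lua and exercises an in-process parser instead of sending packets, so it runs offline.

```python
import random
import struct

def make_rng(seed):
    """Seeded generator so a campaign can be replayed exactly."""
    return random.Random(seed)

def build_query(name, txid=0x1234):
    """Minimal standard A/IN query for `name` (constructed sample input, not from the thread)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

SAMPLE_QUERY = build_query("example.com")

def flip_bits(data, rng, count=1):
    """Randomly swap bits: flip `count` randomly chosen bits."""
    buf = bytearray(data)
    for _ in range(count):
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    return bytes(buf)

def drop_byte(data, rng):
    """Randomly drop bytes: remove one randomly chosen byte."""
    if len(data) < 2:
        return data
    i = rng.randrange(len(data))
    return data[:i] + data[i + 1:]

def duplicate_byte(data, rng):
    """Randomly duplicate bytes: repeat one randomly chosen byte in place."""
    i = rng.randrange(len(data))
    return data[:i + 1] + data[i:i + 1] + data[i + 1:]

def swap_bytes(data, rng):
    """Randomly swap bytes: exchange two distinct positions."""
    if len(data) < 2:
        return data
    i, j = rng.sample(range(len(data)), 2)
    buf = bytearray(data)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)

def truncate(data, rng):
    """Truncate at a random location (0 .. len-1), so the empty packet is included."""
    return data[:rng.randrange(len(data))]

MUTATORS = {"flip_bits": flip_bits, "drop_byte": drop_byte, "duplicate_byte": duplicate_byte,
            "swap_bytes": swap_bytes, "truncate": truncate}

def generate_cases(base, rounds_per_mutator=100, seed=0):
    """Yield (mutator, round, packet): a fixed number of rounds per strategy, never an endless loop."""
    rng = make_rng(seed)
    for name, fn in MUTATORS.items():
        for r in range(rounds_per_mutator):
            yield name, r, fn(base, rng)

def parse_query(pkt):
    """Toy parser standing in for the server under test (constructed; not BIND 10 or Nmap's dns
    library). It rejects malformed input with ValueError rather than failing some other way."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qd, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("name runs past end of packet")
        n = pkt[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointer or reserved label type in a question name")
        if n > 63 or pos + 1 + n > len(pkt):
            raise ValueError("bad label length")
        labels.append(pkt[pos + 1:pos + 1 + n])
        pos += 1 + n
    if pos + 4 > len(pkt):
        raise ValueError("missing qtype/qclass")
    qtype, qclass = struct.unpack(">HH", pkt[pos:pos + 4])
    return {"txid": txid, "flags": flags, "name": b".".join(labels), "qtype": qtype, "qclass": qclass}

def run_campaign(base, target, rounds_per_mutator=100, seed=0):
    """Run every case against `target`; per mutator, count accepted, cleanly rejected (ValueError)
    and crashed (any other exception). A non-zero crashed count is the finding a fuzz run is after."""
    summary = {name: {"accepted": 0, "rejected": 0, "crashed": 0} for name in MUTATORS}
    for name, _, pkt in generate_cases(base, rounds_per_mutator, seed):
        try:
            target(pkt)
            summary[name]["accepted"] += 1
        except ValueError:
            summary[name]["rejected"] += 1
        except Exception:
            summary[name]["crashed"] += 1
    return summary
```

Each mutator works from the unmodified base packet rather than chaining, so every case is attributable to one strategy, and `rounds_per_mutator` plays the role of the script argument proposed above: the campaign always terminates, and the seed makes any case that produced a crash reproducible. Against a real server the classification would come from whether a response arrives and whether the daemon is still alive, not from an exception type, but the bookkeeping is the same.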
Current thread:
- DNS fuzzer Michael Pattrick (Mar 21)
- Re: DNS fuzzer David Fifield (Mar 26)
- Re: DNS fuzzer David Fifield (Mar 26)
- Re: DNS fuzzer Michael Pattrick (Mar 27)
- Re: DNS fuzzer Ron (Mar 27)
- Re: DNS fuzzer Patrik Karlsson (Mar 27)
- Re: DNS fuzzer Michael Pattrick (Mar 27)
- Re: DNS fuzzer David Fifield (Mar 29)
- Re: DNS fuzzer Michael Pattrick (Mar 29)
- Re: DNS fuzzer David Fifield (Mar 26)