Up to this point, the SEC660 course had been manageable and not too bad. The additional bonus sessions and the first night of Core NetWars made for quite a day and night. Free beverages and appetizers at night certainly helped and it was an enjoyable, but long set of days. But, there were still 3 days of instruction and a day of CTF to do yet as well as continued competition with NetWars. This day though focused on a more enjoyable aspect of InfoSec (at least for me!) of scripting and fuzzing! While it wasn't PowerShell scripting, it was working with Python and a popular Python library called Scapy. Fuzzing has always been an interest of mine to further pursue, but I had yet up to that point really done any amount of meaningful work with any fuzzer.
While it wasn't (and still isn't) mentioned on the SANS site, there has been an addition of lcamtuf's afl fuzzer. But, I'm getting ahead of myself of the day's events! Back to more of an order of the day, as the list above implies, we covered the basics of Python and how it works. While I don't feel it was a long module, doing the basics of Python and how it can be leveraged in an offense-based setting was interesting. However, I think there could have been a better usage of our time by making an intro to Python and some work to be done a course pre-req. Not necessarily shove this back into 560, but make it a "prior to class you need to accomplish" requirement. That way there can be maybe a short refresher of Python and basics to then dive into the more technical usage of Python for our class. But, going into the class without Python experience and then diving into Python heavy exercises may leave you at a disadvantage. You don't necessarily need to be writing complex Python scripts, but knowing how to read, create, edit and run scripts would help you have a running start on getting through the labs. Knowing how to work with Python IDLE is also helpful to quickly run scripts for various fuzzing, exploitation or other needs.
Python is one of the industry standard scripting tools used in InfoSec. With that, it has many, many libraries for all kinds of needs. One of those needs is doing network packet manipulation with the popular Scapy library. While I have heard of this library from various sources, it's fun to read about it, make a packet, send it along and move on from there. Without any pressing need to really use it, it's hard to better appreciate the versatility and use of the library. The module for Python and Scapy was well done and helped to better appreciate the tool with a need to use it. Also, it is very helpful in a problem in the Core NetWars challenge.
As I talked about earlier, afl is a new and already producing immediate results fuzzer. It's written by lcamtuf of Google fame and proving to be an amazing fuzzer. He gives a pretty good description for his fuzzer with, "American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary." Neat. His wall of fame (or shame?) shows some interesting ways the fuzzer has found various bugs. Well worth using when you can and there's been work the Cisco Talos team has been doing (here and here) to get that over to Windows. Fuzz all the things!
- IDA
- Scapy
To further set the frame of mind for this article, here are the topics for the third day from the course website:
- Becoming familiar with Python types
- Leveraging Python modules for real-world pen tester tasks
- Manipulating stateful protocols with Scapy
- Using Scapy to create a custom wireless data leakage tool
- Product security testing
- Using Taof for quick protocol mutation fuzzing
- Optimizing your fuzzing time with smart target selection
- Automating target monitoring while fuzzing with Sulley
- Leveraging Microsoft Word macros for fuzzing .docx files
- Block-based code coverage techniques using Paimei
Moving onto fuzzing in the day made it a bit confusing why we would do Python first and then move onto fuzzing. Looking back on the course as a whole, it does make sense to combine the two to help cement ideas and when/where to use tools. But, we first went onto fuzzing techniques and using Taof. In previous reading/exploration, I heard of Taof, but hadn't heard of anyone actually using it. The scenario that we tested Taof in was a good practice of how to use the tool and the value of fuzzing. For me, it's helpful to have an introduction to various ways to tackle a situation before choosing one way that better fits for me. Fuzzing in this day was much like that as we were introduced to Taof, PaiMei, Sulley and afl. Knowing how to use those tools and when/where to use them is pretty helpful when you want to do fuzzing. Some tools (e.g. afl) are good for Linux binaries and when you have the source. But, when you want a gentle introduction to fuzzing, Taof was a good start.
One of the more common ways to get into fuzzing would be to use Sulley. Again, having a reason to use Sulley and work with it is a good motivator to get it working and fuzzing. The class gave a good approach of how to use it on a single workstation as well as distributed if you were going to have it in a more production like environment. Seeing this approach and setting it up was pretty helpful to better appreciate the fuzzing process and how to get it up and running. Working with Sully was fun and it didn't feel like boring work to do with getting it up and running. Once it was set up and running, it was a rewarding experience seeing it try various permutations to fuzz the web input to our target application.
The next fuzzer was PaiMei and from what I had read, it was good, but difficult to get it setup and working. Luckily, we were provided with scripts to help spin up PaiMei into a ready state. This is one of the times when having snapshots was very handy. If you somehow messed up PaiMei or whatever, you could revert your VM back to when you had PaiMei fresh and good to go. The script proved to be pretty helpful, reduce downtime with getting it built and let us dive in quickly. This was also one of the more fascinating modules as well with code block based testing with IDA Pro. It just sounds cool talking about it! Working through the disassembly through IDA, using the PaiMei tools and doing analysis was a lot of fun. It was amazing seeing the fuzzing going through various code paths, verifying the blocks being tested in IDA and retesting it to hit different code blocks. Pretty fun stuff.
This class like the previous ones had a treasure trove of material and less time to go through it all. Plus, what we have learned up to that point wasn't academic use only with no real world possibilities. What we learned could be leveraged in so many other ways with our specific work use cases and wherever else. Even with the additional two hours of time for class and labs, we still didn't have time to fully explore all of the material. Again, the teachers made it abundantly clear that they were available to help you out and do what they could to help you out. It was also a night full of activities and learning. This night was the second day of the Core NetWars and two bonus SANS sessions. Many people stayed in the classroom working on materials and then went into the Core NetWars to continue competing/learning there for a few more hours. The firehouse of knowledge didn't let down nor the opportunity to continue to learn and grow. Two more days of instruction awaited and I was getting pretty excited for those two days of Linux and Windows exploitation.
Day 3 prep:
- Python and Fuzzing- IDA
- Scapy
No comments:
Post a Comment