Fuzzing SMB protocol


Denis_Y

Nov 9, 2011, 6:33:50 AM
to HotFuzz project
Hello!
First, I want to say that HotFuzz is a very "smart" fuzzer and a great
test tool!
And I have one question: I want to test a random network protocol, for
example SMB. How can I do the recording phase? I don't have any executable
files for the client and server... Maybe it's possible to take a Wireshark
dump and give it to the fuzzer for building Data Models?

--
Best regards,

Den.

Martin Žember

Nov 10, 2011, 12:21:05 PM
to den....@gmail.com, HotFuzz project
Hello,

thank you for your feedback.

You would definitely need some executable for fuzzing since it generates traffic to be fuzzed and you will try to identify a bug in an executable, actually. You need to attach a debugger to it (actually HotFuzz/Peach will do it for you).

Regarding SMB, you can choose the client... Windows Explorer or Total Commander or any of your choice. If you want to fuzz the Windows native SMB server, you need to identify the process/service that handles it (I do not know which one it is, but Sysinternals should be able to find out).


Enjoy,

Martin

Michael Eddington

Nov 10, 2011, 3:49:47 PM
to zem...@gmail.com, den....@gmail.com, HotFuzz project
An SMB client could just be a script that triggers a mount or other activity. The server side will require kernel debugging. I don't think HotFuzz can be set up that way yet.

Mike

Denis_Y

Nov 24, 2011, 8:05:59 AM
to HotFuzz project
Thank you for your answer.
OK, assume that I don't want to know what caused a bug on my server,
that is, I don't need debugging...
Also assume that I don't have an executable file for the server (such as
SMB: it is svchost.exe -"argument1" -"argument2" etc., but I can't
specify it in the Server field, am I right?).
But I know that the SMB server receives requests on port 445, I have
a .pcap file with an SMB session and I have an executable file for the
client. Are there any ways to bring HotFuzz to do fuzzing with
this information?
Can I build Data Models only with a Wireshark dump? My purpose is not
debugging; my purpose is transmitting bad SMB packets to port 445
without an SMBserver.exe file.
Is it impossible?


--
Best regards,

Den.
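
What "transmitting bad SMB packets to port 445" with no server executable and no debugger comes down to, as an added example that is not part of this thread and not HotFuzz or Peach code: it builds an SMB1 Negotiate Protocol request from the MS-CIFS layout (4-byte NetBIOS session header, 32-byte SMB header, WordCount/ByteCount, dialect list), derives the kind of mutated cases a DataModel-driven fuzzer generates (bad length fields, missing terminator, oversized string, bit flips in the header), and optionally sends them. Assumptions made here: SMB1 framing is used for the first message (the dialect list is how an SMB2-capable server is discovered), the target host is taken from the command line, the mutation list is illustrative only, and with nothing attached to the server the only oracle is whether a clean request still gets an SMB reply afterwards.

```python
"""Hand-rolled 'bad SMB packet' sender for port 445.
Added example, not HotFuzz/Peach code; SMB1 layout per MS-CIFS, mutations and target are assumptions."""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72


def smb1_header(command, pid=0xFEFF, mid=0):
    """32-byte SMB_Header: magic, command, NT status, flags, flags2, PIDHigh, signature,
    reserved, TID, PID, UID, MID; all multi-byte fields little-endian."""
    return struct.pack("<4sBIBHH8sHHHHH",
                       b"\xffSMB", command, 0, 0x18, 0xC853, 0, b"\0" * 8, 0, 0, pid, 0, mid)


def negotiate_request(dialects=(b"NT LM 0.12", b"SMB 2.002")):
    """SMB_COM_NEGOTIATE: WordCount=0, ByteCount, then 0x02-prefixed NUL-terminated dialects."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(data)) + data


def netbios_frame(smb):
    """NetBIOS Session Service framing: type 0x00 and a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def mutations(smb):
    """Yield (label, smb_message) pairs: the sort of cases a DataModel fuzzer would produce.
    Offsets: WordCount at 32, ByteCount at 33..34, dialect data from 35 (assumed header layout)."""
    yield "baseline", smb
    yield "bytecount_too_large", smb[:33] + struct.pack("<H", 0xFFFF) + smb[35:]
    yield "bytecount_zero", smb[:33] + b"\x00\x00" + smb[35:]
    yield "no_dialect_terminator", smb[:-1]
    yield "huge_dialect", negotiate_request((b"A" * 4000,))
    yield "wordcount_nonzero", smb[:32] + b"\x10" + smb[33:]
    for i in range(4, 32):                       # flip every header byte after the magic
        flipped = bytearray(smb)
        flipped[i] ^= 0xFF
        yield f"flip_header_byte_{i}", bytes(flipped)


def looks_like_smb_reply(reply):
    """True if the bytes are a NetBIOS session message carrying an SMB1 or SMB2 header."""
    return len(reply) >= 8 and reply[0] == 0x00 and reply[4:8] in (b"\xffSMB", b"\xfeSMB")


def send_case(host, smb, port=445, timeout=2.0):
    """Send one frame; return the raw reply, or b'' if the connection failed or got no answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(netbios_frame(smb))
            return s.recv(4096)
    except OSError:                              # refused, reset, timed out: all look alike
        return b""


if __name__ == "__main__":
    import sys
    cases = list(mutations(negotiate_request()))
    if len(sys.argv) < 2:                        # no target: just list the cases
        for label, case in cases:
            print(f"{label:24s} {len(netbios_frame(case))} bytes on the wire")
    else:
        target = sys.argv[1]                     # assumption: target host on the command line
        for label, case in cases:
            send_case(target, case)
            alive = looks_like_smb_reply(send_case(target, negotiate_request()))
            print(f"{label:24s} server {'OK' if alive else 'NOT ANSWERING'}")
```

Run without arguments to list the cases; with a host, each case is followed by a clean Negotiate and the service is reported as not answering when that gets no SMB reply. That is all the fault detection this setup gives you: a fault in a kernel-mode server shows up only as a box that stops talking or reboots, and the case that caused it is whatever was sent just before, which is why the replies in this thread keep coming back to attaching a debugger.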

Jan Stanek

Nov 25, 2011, 9:57:42 AM
to den....@gmail.com, HotFuzz project
Hi,

if you do not need to actually capture the "live" traffic and only
want to reproduce it from a pcap file and do not need to monitor the
server behaviour, then HotFuzz is not the right tool for you.

However, you can still use Peach (upon which HotFuzz is built). Just
take your pcap, convert it into PDML (this can be done using
Wireshark) and then convert the PDML to the DataModel XML using
peachshark (that comes with Peach... not quite sure whether it has been
renamed since I used it a few years back when programming HotFuzz).
Peach can then use the automatically created DataModels and replay and
fuzz the traffic for you.

Still, I do not really get why you would need this if you
are not interested in the server's behaviour.

Hope this helps,
Jan
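
The pcap to PDML to DataModel route, as an added example that is not part of the thread and not Peach's peachshark: the PDML comes from `tshark -r session.pcap -T pdml` (a real tshark option), and the converter below is a simplified stand-in written here to show what such a conversion has to do: walk the decoded fields in byte order, skip the lower layers and overlapping re-decodings, check that no bytes are left unmodelled, and pick one Peach element per field. Assumptions: the embedded PDML is constructed to resemble Wireshark's decode of an SMB1 Negotiate Protocol request and is trimmed to one TCP field; the output uses Peach 2 element names (Number, String, Blob, valueType="hex", nullTerminated); nbss.* fields are marked big-endian because the NetBIOS session header is network byte order; the type-selection rules are heuristics of this example, not Peach's.

```python
"""Turn a Wireshark PDML dump of one packet into a Peach 2 DataModel.
Added example: a simplified stand-in for peachshark, not Peach/HotFuzz code."""
import xml.etree.ElementTree as ET

# Constructed PDML, shaped like `tshark -T pdml` output for an SMB1 Negotiate
# Protocol request (lower layers trimmed to a single tcp field).
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="constructed-sample">
<packet>
  <proto name="tcp" pos="34" size="20">
    <field name="tcp.dstport" size="2" pos="36" value="01bd"/>
  </proto>
  <proto name="nbss" pos="54" size="4">
    <field name="nbss.type" size="1" pos="54" value="00"/>
    <field name="nbss.length" size="3" pos="55" value="00003a"/>
  </proto>
  <proto name="smb" pos="58" size="58">
    <field name="smb.server_component" size="4" pos="58" value="ff534d42"/>
    <field name="smb.cmd" showname="SMB Command: Negotiate Protocol (0x72)" size="1" pos="62" value="72"/>
    <field name="smb.nt_status" size="4" pos="63" value="00000000"/>
    <field name="smb.flags" size="1" pos="67" value="18">
      <field name="smb.flags.response" size="1" pos="67" value="18"/>
      <field name="smb.flags.canon" size="1" pos="67" value="18"/>
    </field>
    <field name="smb.flags2" size="2" pos="68" value="53c8"/>
    <field name="smb.pid.high" size="2" pos="70" value="0000"/>
    <field name="smb.signature" size="8" pos="72" value="0000000000000000"/>
    <field name="smb.reserved" size="2" pos="80" value="0000"/>
    <field name="smb.tid" size="2" pos="82" value="0000"/>
    <field name="smb.pid" size="2" pos="84" value="fffe"/>
    <field name="smb.uid" size="2" pos="86" value="0000"/>
    <field name="smb.mid" size="2" pos="88" value="0000"/>
    <field name="smb.wct" size="1" pos="90" value="00"/>
    <field name="smb.bcc" size="2" pos="91" value="1700"/>
    <field name="smb.dialect" showname="Dialect: NT LM 0.12" size="12" pos="93">
      <field name="smb.dialect.buffer_format" size="1" pos="93" value="02"/>
      <field name="smb.dialect.name" size="11" pos="94" value="4e54204c4d20302e313200"/>
    </field>
    <field name="smb.dialect" showname="Dialect: SMB 2.002" size="11" pos="105">
      <field name="smb.dialect.buffer_format" size="1" pos="105" value="02"/>
      <field name="smb.dialect.name" size="10" pos="106" value="534d4220322e30303200"/>
    </field>
  </proto>
</packet>
</pdml>
"""

NUMBER_BITS = {1: 8, 2: 16, 3: 24, 4: 32}   # byte sizes emitted as <Number>; heuristic
BIG_ENDIAN_PREFIXES = ("nbss.",)             # assumption: NetBIOS session header is network byte order


def is_atomic(field):
    """A leaf, or a bit-flag container whose children all cover exactly its own bytes."""
    kids = field.findall("field")
    return not kids or all(k.get("pos") == field.get("pos") and k.get("size") == field.get("size")
                           for k in kids)


def atomic_fields(node):
    for f in node.findall("field"):
        if is_atomic(f):
            yield f
        else:
            yield from atomic_fields(f)       # descend into real containers (e.g. a dialect entry)


def looks_like_cstring(raw):
    return len(raw) > 1 and raw[-1] == 0 and all(0x20 <= b < 0x7F for b in raw[:-1])


def pdml_to_datamodel(pdml_text, model_name, first_proto="nbss"):
    """One <DataModel> element covering every byte from `first_proto` to the end of the packet."""
    protos = ET.fromstring(pdml_text).find("packet").findall("proto")
    start = [p.get("name") for p in protos].index(first_proto)
    model = ET.Element("DataModel", name=model_name)
    seen, next_pos = {}, None
    for proto in protos[start:]:
        for f in atomic_fields(proto):
            size, value = int(f.get("size", "0")), f.get("value")
            if size == 0 or value is None:
                continue
            pos = int(f.get("pos"))
            if next_pos is not None and pos < next_pos:
                continue                                  # re-decoding of bytes already modelled
            if next_pos is not None and pos > next_pos:
                raise ValueError(f"bytes {next_pos}-{pos} are not covered by any field")
            raw = bytes.fromhex(value)
            if len(raw) != size:
                raise ValueError(f"{f.get('name')}: value does not match size")
            next_pos = pos + size
            base = f.get("name").replace(".", "_")        # smb.dialect.name -> smb_dialect_name
            seen[base] = seen.get(base, 0) + 1            # repeated fields become name_2, name_3, ...
            name = base if seen[base] == 1 else f"{base}_{seen[base]}"
            hexval = " ".join(f"{b:02x}" for b in raw)
            if size in NUMBER_BITS:
                elem = ET.SubElement(model, "Number", name=name, size=str(NUMBER_BITS[size]),
                                     valueType="hex", value=hexval)
                if f.get("name").startswith(BIG_ENDIAN_PREFIXES):
                    elem.set("endian", "big")
            elif looks_like_cstring(raw):
                ET.SubElement(model, "String", name=name, value=raw[:-1].decode("ascii"),
                              nullTerminated="true")
            else:
                ET.SubElement(model, "Blob", name=name, valueType="hex", value=hexval)
    return model


def datamodel_xml(pdml_text, model_name):
    model = pdml_to_datamodel(pdml_text, model_name)
    ET.indent(model)
    return ET.tostring(model, encoding="unicode")


if __name__ == "__main__":
    print(datamodel_xml(SAMPLE_PDML, "SmbNegotiateRequest"))
```

The result is one DataModel per packet, so a multi-message SMB session means one model per captured request, chained in a StateModel. Length fields such as nbss.length and smb.bcc come out as plain Numbers holding their captured values; unless you want the fuzzer to break the framing on purpose, replace them with size-of Relations so that a mutated dialect string still arrives as a message the server parses past the header.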

Michael Eddington

Nov 29, 2011, 7:20:34 PM
to hotfuzz...@googlegroups.com
Well, it would be a workaround for the kernel debugging issue. With
SMB you typically configure the debugger monitor to kernel debug over a
serial/USB cable. If I remember correctly, much of SMB is actually in
the kernel for Windows machines.

Something to think about in future versions of HotFuzz would be having
the server agent capable of performing kernel debugging and the fuzzing
session ending when a fault is hit.

mike
