fuzzing bonjour on libpurple


w0rd

May 16, 2011, 8:10:29 AM
to HotFuzz project
I've been having trouble setting up a recording on HotFuzz. My settings are
below. Can anyone tell me where I may be going wrong? The application
starts up and I'm able to use it.

Client
Proxy IP :127.0.0.1 port 5298
Program : \director\pidgin.exe
symbols: c:\symbols

Agent IP : 127.0.0.1 port 9001
-----
Server
Target IP 192.168.1.5 port 5298 (bonjour port)
program: \directory\pidgin.exe
symbols: c:\symbols

Agent IP: 127.0.0.1 port 9002

-----

Recording

Iteration count = 2
protocol port = 5298
proxy timeout = 10

====
Recording window log:

Writing recorded data to config file....

No data were recording during recording faze. this might be caused by
incorrect config....

Martin Žember

May 16, 2011, 8:38:20 AM
to joelfernandezny, HotFuzz project
Hi,

so your pidgin.exe starts on your local machine (127.0.0.1) and you
are able to use it. Did you configure it to connect to HotFuzz (which
is listening on 127.0.0.1:5298)? Or does it try to discover the port
through bonjour and connects to 192.168.1.5 (which would skip
HotFuzz)?

Martin

Joel Fernandez

May 16, 2011, 10:15:59 AM
to Martin Žember, HotFuzz project
Ok, so it's a config problem. I have reconfigured my Pidgin app to communicate via an HTTP proxy at IP 127.0.0.1, port 8080.

I've configured HotFuzz as follows (but still don't get any recorded data). What else could I be doing wrong? Thanks for the assistance.

Client
Proxy IP :127.0.0.1 port 8080
Program : \directory\pidgin.exe

symbols: c:\symbols

Agent IP : 127.0.0.1 port 9001
-----
Server
Target IP 192.168.1.5 port 5298 (bonjour port)
program: \directory\pidgin.exe
symbols: c:\symbols

Agent IP: 127.0.0.1 port 9002

-----

Martin Žember

May 16, 2011, 10:40:15 AM
to Joel Fernandez, HotFuzz project
Where is your bonjour running? On the other machine (192.168.1.5)? Is it the Bonjour Print Services from Apple?

Nice that you are writing a tutorial, it can help others to resolve issues you ran into.

Do you maybe have a draft of it so I could reproduce your configuration?

Martin

Joel Fernandez

May 16, 2011, 11:04:59 AM
to Martin Žember, HotFuzz project
My setup is simple so others can reproduce it. I have two VMs running Pidgin with a Bonjour profile set up. They can find each other and communicate with no problem. The HotFuzz settings are the ones I mentioned. My problem is that HotFuzz doesn't record any data, so I can't fuzz it.

Joel Fernandez

May 16, 2011, 12:28:58 PM
to Martin Žember, HotFuzz project
Here is a quick write-up of my setup. I appreciate the assistance.
libpurple1.pdf

Dusan

May 16, 2011, 4:35:20 PM
to Joel Fernandez, hotfuzz...@googlegroups.com
Hi Joel,

I think that your problem is with the agents. You need to start your client agent on the client machine (which you did correctly) and your server agent on the server machine. So you need to do four things to make it work:

- do not start server agent on the client machine
- run hotfuzz also on the server machine and start the server agent there
- in the hotfuzz configuration (on your client machine) change the address for the server agent to the address of the server machine
- no comments regarding the current user friendliness of the configuration interface :-))

Please give it a try and let us know if it worked. I am quite tired at the moment, so my thinking might not be right.

Cheers,

Dusan

Martin Žember

May 16, 2011, 5:00:45 PM
to Joel Fernandez, hotfuzz-project

On Mon, May 16, 2011 at 8:43 PM, Joel Fernandez <joelfer...@gmail.com> wrote:
I chose Bonjour because it is serverless. Two machines on the same network can communicate. The two VMs I have are on a VLAN and can chat.

So does it seem that Pidgin is not a good candidate for HotFuzz?

I tried the ICQ protocol in Pidgin (the easy start is to use the ICQtest template, or open the ICQ example and change paths), but Pidgin seems to ignore the "Server" value in the Advanced settings. It always queries DNS for login.icq.net and connects to that IP, whatever the "Server" value in the settings is.


What would be a port that HotFuzz owns?


On Mon, May 16, 2011 at 2:39 PM, Martin Žember <zem...@gmail.com> wrote:
Wireshark shows what it actually does...

The first phase - multicasting on port 5353 - serves for exchanging the machine addresses. When they know about each other, there is the other phase, usually using port 5298... The exchanging phase establishes communication (without HotFuzz). It has to be clear what is intended to be fuzzed. In case of fuzzing the later phase, Pidgin must be forced to communicate through a given port (belonging to HotFuzz). It turns out to be a rather difficult scenario rather than an easy one... How do the nodes find each other if they are not on the same network?


On Mon, May 16, 2011 at 8:27 PM, Joel Fernandez <joelfer...@gmail.com> wrote:
Ok, thanks. I'm trying to fuzz any protocols that Pidgin uses. Bonjour was the easiest since it is serverless and I could do it in an enclosed VM lab.


On Mon, May 16, 2011 at 2:21 PM, Martin Žember <zem...@gmail.com> wrote:
Yes, we are trying to find a solution...

Beware that the HTTP proxy communication is probably not what you want to fuzz. Is it the Bonjour protocol you want to fuzz?

I've tried to reproduce it... If you setup the Bonjour port from 5298 to something else, the mDNS protocol announces the changed port, which circumvents the proxy at the end...

Will think about it more...


On Mon, May 16, 2011 at 8:09 PM, Joel Fernandez <joelfer...@gmail.com> wrote:
Any idea what I may be doing wrong?

Dusan

May 16, 2011, 5:09:05 PM
to Alexander W. Miranda, hotfuzz...@googlegroups.com
Hi Alexander,

unfortunately, at this point, you need to do exactly what you have written. So install the whole of HotFuzz and start only the agent. Regarding the mDNS queries, I cannot say; I have never tried that and I am afraid that I have little time now. Hopefully someone else will be able to answer that question.

Cheers,

Dusan

On 16. 5. 2011 22:54, Alexander W. Miranda wrote:
Dusan,

I am also working with HotFuzz and have done fuzzing targeting Pidgin and iChat.
I have a question about this particular configuration.

The setup is as follows

1. WinXP Machine 192.168.15.100 - Pidgin Client with Bonjour Protocol - HotFuzz installed
2. WinXP Machine 192.168.15.101 - Pidgin Client with Bonjour Protocol - NO HotFuzz

To target the Pidgin application in this test, the client is the .100 machine. However, given that there is no actual server, only communication directly to the host, the .101 machine will act as the server.

The agent running on the .100 is installed as part of the Hotfuzz application.
The agent running on the .101 machine - how would this be installed? Should the HotFuzz application be completely installed and only the agent section of the screen be started?

I tell you this because it might help Joel with his configuration. Now, the Bonjour protocol is based on mDNS queries to find other users on the network. To target Pidgin, should the configuration of the XML files be changed to target mDNS?

Do you have examples of configurations that can be used to target Instant Messaging protocols?

thanks.

Martin Žember

May 16, 2011, 7:33:31 PM
to Joel Fernandez, hotfuzz-project
It is not as straightforward with fuzzing mDNS data as I thought before. HotFuzz does not capture any data since it does not receive multicast datagrams. It would need a fix in the code (ppaction.py). I am curious if it would work, but can't make it today anymore.

Anyway, did you have a chance to run the example project? There is an instant messaging example, too.

On Mon, May 16, 2011 at 9:30 PM, Martin Žember <zem...@gmail.com> wrote:
Well, it is still possible to fuzz the mDNS exchange. Just look at the communication in Wireshark to see the right multicast IP address and the port to fill into HotFuzz (5353, actually).

The other phase is also possible, it just needs some update in the code to change the port in those mDNS packets.


Joel Fernandez

May 16, 2011, 7:35:18 PM
to Martin Žember, hotfuzz-project
Yes, I was able to do the example project. I ended up building a Peach pit and fuzzed Bonjour through the Peach fuzzer. I would still like to get this going under HotFuzz at some point. I would like to finish up a tutorial on this.

Martin Žember

May 17, 2011, 12:20:24 PM
to Joel Fernandez, hotfuzz-project
I got it to record some traffic (in and out). However, it is not the end. To enable multicast in Recording, you can use the attached patch. (Note that it does not influence Fuzzing, which uses the recordUdpState() function instead. It would be similar there.)

My setup (see the attached zip project) shows how it would look, but it does not work fully since it uses only two machines. There is an agent on both (python peach.py -a 9001 or HotFuzz), launching a pidgin.exe. One has mDNSresolver.exe running; the other has HotFuzz running (on port 5353) and mDNSresolver disabled (executed once, with the option -remove). In my setup, HotFuzz forwards the traffic to the other machine - which is probably not enough, but a setup with three machines might work. Maybe I will have an opportunity to try it later.

Martin
multicastrecording.patch
Bonjour1.zip
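Two points in Martin's messages above can be checked outside HotFuzz: a recording socket bound to 5353 sees nothing until it joins the 224.0.0.251 group (the ppaction.py fix), and the second phase can only be forced through the proxy if the port announced in the mDNS SRV record is rewritten. The Python below is an added example written for this thread; it is not HotFuzz, Peach or Pidgin code and is not the attached patch. It opens a multicast-joined mDNS socket, parses the SRV answers out of an mDNS response (following name compression pointers, with a hop limit because fuzzed packets will carry bad pointers), and rewrites the announced port in place without changing the packet length. The packet it parses is constructed inline; the service name `joel._presence._tcp.local`, the target `vm1.local`, the port 5298 and the `0.0.0.0` interface address are all assumed values, and the live receive only runs under `__main__`.

```python
import socket
import struct

MDNS_GROUP = "224.0.0.251"   # IPv4 mDNS multicast group (RFC 6762)
MDNS_PORT = 5353
TYPE_SRV = 33
MAX_POINTER_HOPS = 16        # cap on compression pointers per name (fuzzed packets loop)


def open_mdns_socket(iface_ip="0.0.0.0"):
    """Bind UDP 5353 and join the mDNS group so multicast datagrams arrive.

    A socket merely bound to 5353 only sees unicast replies; IP_ADD_MEMBERSHIP is
    the missing step. SO_REUSEADDR lets it coexist with a local mDNS responder.
    iface_ip="0.0.0.0" (assumed) lets the OS choose the interface.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", MDNS_PORT))
    mreq = socket.inet_aton(MDNS_GROUP) + socket.inet_aton(iface_ip)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return sock


def read_name(pkt, off):
    """Decode a DNS name at `off`; return (dotted name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if end is None:                        # name ends after first pointer
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("utf-8", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_records(pkt):
    """Return every SRV RR in an mDNS message as dicts with name, target, port
    and the byte offset of the port field (so it can be patched in place).
    Truncated packets raise struct.error or ValueError rather than mis-parse."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qdcount):                       # skip questions: name + type + class
        off = read_name(pkt, off)[1] + 4
    records = []
    for _ in range(ancount + nscount + arcount):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack_from("!HHH", pkt, off)
            target, _ = read_name(pkt, off + 6)
            records.append({"name": name, "target": target,
                            "port": port, "port_offset": off + 4})
        off += rdlen
    return records


def rewrite_srv_port(pkt, new_port):
    """Copy of `pkt` with every SRV port set to `new_port`; length is unchanged,
    so no offsets or compression pointers need fixing."""
    out = bytearray(pkt)
    for rec in parse_srv_records(pkt):
        struct.pack_into("!H", out, rec["port_offset"], new_port)
    return bytes(out)


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_sample_response():
    """Constructed sample: an mDNS response with one SRV answer of the shape a
    Bonjour chat client announces. Target uses a pointer back to 'local'."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)     # QR=1, AA=1, 1 answer
    owner = encode_name("joel._presence._tcp.local")
    local_off = 12 + len(encode_name("joel._presence._tcp")) - 1  # offset of 'local' label
    target = b"\x03vm1" + struct.pack("!H", 0xC000 | local_off)
    rdata = struct.pack("!HHH", 0, 0, 5298) + target
    rr = owner + struct.pack("!HHIH", TYPE_SRV, 0x8001, 120, len(rdata)) + rdata
    return header + rr


if __name__ == "__main__":
    sample = build_sample_response()
    for rec in parse_srv_records(sample):
        print(rec["name"], "->", rec["target"], "port", rec["port"])
    print("rewritten:", parse_srv_records(rewrite_srv_port(sample, 5299))[0]["port"])
    sock = open_mdns_socket()                      # live check: first datagram on the wire
    sock.settimeout(10)
    try:
        data, peer = sock.recvfrom(9000)
        print(peer, parse_srv_records(data))
    except socket.timeout:
        print("no mDNS traffic seen in 10 s")
```

Rewriting the SRV port only redirects the port; the peer still connects to the address in the accompanying A record, so the announced host must resolve to the machine running the proxy for the second phase to pass through it, which is the three-machine arrangement Martin describes.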

Joel Fernandez

May 17, 2011, 12:23:26 PM
to Martin Žember, hotfuzz-project, Dan Guido
I'm going to try this after work today and report back my findings. I appreciate the assistance.

Joel Fernandez

May 20, 2011, 12:48:39 PM
to Martin Žember, hotfuzz-project
I am still working on this (didn't want you to think I gave up).

Martin Žember

May 24, 2011, 5:17:40 AM
to Joel Fernandez, hotfuzz-project
On Fri, May 20, 2011 at 6:48 PM, Joel Fernandez <joelfer...@gmail.com> wrote:
I am still working on this (didn't want you to think I gave up).


Thanks for letting us know... Do not hesitate to use Wireshark when diagnosing the problems.

Martin