Time
10 hours 10 minutes
Difficulty
Intermediate
CEU/CPE
15

Video Description

Fuzzing This lesson covers fuzzing which is very unique and only useful to security professionals. Fuzzing works by finding an application which takes input and starting sending data. You start fairly simply, misspelled commands, bad arguments and as you progress, you go larger by sending gigs of data or sending files with bits flipped to change the control paths. There are three types of fuzzing: - String mutation

  • Metadata/file format fuzzing
  • Malformed arguments

Participants also learn about password cracking, which is closely related to fuzzing. Password cracking involves simply trying lots of things quickly.

Video Transcription

00:04
Hello and welcome to this final video in the advanced Python section of the Pats on for security professionals. Course I miss me, Joseph. Mary. And this, as I mentioned, is the final slide video for this course. There will actually be more information
00:14
videos to cover our last project. That we're gonna do
00:17
our last couple projects there. A few to go on. Of course, they're the activity videos. However, this will be the last actual slides. Videos. So when you've completed this, you can feel comfortable in saying that you have completed this course.
00:28
Um
00:29
won't necessarily be true, but you can feel comfortable saying it. So, you know, there's that this video will be discussing buzzing the art of hitting things with sticks. So what is buzzing?
00:39
Buzzing
00:41
is unique in terms of this class. Um, well, every other topic in this class has been necessary.
00:47
Ah, for using Python Pleasant is unique in that it's only useful for security afresh in ALS,
00:52
buzzing is giving bad input.
00:56
Uh, we're giving malformed input of some sort.
00:59
In order to break a program in a meaningful way which may allow you to get executioner may allow you to bypass some sort of security.
01:06
Uh, how does FUZZING work? You find an application which takes input. That's pretty much every application you're gonna run into and you start sending it data. At first, you can do simple things, you know, misspelled commands, bad arguments, see how it breaks it breaks was saying, you know, if it openly says that's bad input That argument doesn't work
01:23
than what you're doing isn't working.
01:25
If you give it about command and suddenly it explodes, you see tons of hex across your screen.
01:29
That's a good sign.
01:30
Um, as you progress, you get into bigger stuff, could send gigs of data. That's just useless data. You could send files with random bits flipped. You can do all sorts of crazy things simply by mile, forming
01:42
the data you're sending your target.
01:46
Azad mentioned a few different times of fuzzing there. Three primary types and then everything else is sort of some sort of ah
01:53
sort of extension on these three types.
01:56
So, the first time fussing string mutation. This is the most common type of fuzzy you're going to see.
02:00
Essentially what it looks like is
02:06
python taxi.
02:16
So that's what a general
02:19
command like that will look like What you're doing is you're taking this during your letter and you're changing it to find a break condition. So what we're doing with this one is we're essentially just sending 1000 A's.
02:30
But of course, you can use
02:31
pretty easily and trivial increase that number.
02:35
I recommend against increasing it too far because it will crash your own machine.
02:39
But that's what Fuzzing looks like. It's pretty straightforward work.
02:46
There we go. And this is what
02:49
vulnerable code looks like. This is what that vulnerable code program I showed you looks like sort of,
02:54
um,
02:55
so there. This is a different type of fuzzing that it would be vulnerable to. But this is a useful sort of
03:00
idea of what vulnerable code looks like to see. There's a password, slightly toes, five points. If you get that joke,
03:07
it takes an input. 11 bites long,
03:08
and it has a bull for past except
03:12
and then it just doesn't straight store copy into input from our G V one.
03:15
The thing about that is that input is not
03:20
big. It's 11 bites. We just sent it someone that you like, 10 million
03:24
just er copy copies 11 bites
03:28
and then it copies 10 million minus 11 bites
03:30
continuing on into memory, which is like memory freaked out at us. We smash the stack. We broke everything when a court everything went terrible.
03:38
I was somewhat undramatic, you know? Hey, bad things happened. But when you plug it into about a d bugger, you see that the program is basically just gone and blown itself up.
03:47
Um, this particular code actually has an interesting vulnerability associate with it, depending on how it's compiled, where you could actually just overwrite the buffer into the past except and setting the value of that variable, however you might want it to be
04:00
not really gonna worry about that. But that's something that might work. So this is an example of a vulnerable coat. Looks like stir copy is not secure code.
04:08
Other examples of non secure code or functions like
04:12
gets,
04:14
which does not
04:15
check size
04:17
print death,
04:21
which you can give a weird format string
04:25
and break things with,
04:27
and also two other ones, which again all of these vulnerable functions air
04:30
get vulnerable to fuzzing. If your code isn't secure, fuzzing is going to be how someone finds that back.
04:36
But again, the specifics of how you're gonna do that when a tease, you get a little bit and we're gonna cover that in the
04:43
exploit development course when it comes out
04:45
and a month, maybe a couple months. It's a long course anyway.
04:48
What we are gonna look at right now that's related to Fuzzing is gonna let us get a sense of what Fuzzy actually looks like is password cracking.
04:56
This is including the fuzzing section because it's actually very very related to Fuzzy. It doesn't it might not seem to be related, but it very much is.
05:03
The reason for that is
05:04
that Fuzzing is sending random data to crash target. Where's pastor? Cracking is trying lots of different kinds of data. It's less random, but it's still kind of does the same general thing where just sends tons and tons of data until something works Because of fuzzing, something works by exploding his password cracking Something works by letting you in.
05:21
But all the real differences in implementation and result the actual code itself, the actual methodology
05:30
pretty much the same.
05:31
Well, that's for a brute force password cracking, which is what we're gonna do.
05:36
So this is what password cracking code looks like? Um,
05:41
this will try 1000 passwords. It's not necessarily, well, it's actually 1000 1 passwords. Not necessarily most common passwords, not least calm passers just
05:48
1000 passwords.
05:51
Now that's
05:53
not incredibly useful in most cases, because most people password won't correspond to a number between one and 1000.
06:00
But
06:01
if you were to get you know, a list of the top 1000 most common password, you would have access to something like 80% of the Internets passwords because people don't change passwords very often. So instead of doing just arrange, you could actually given a list of those passwords. It's pretty, it's pre computed or what have you.
06:17
But in this case, we're doing this because we want to see what it looks like to send just random data until something works. So for I arrange 1001 that's that way we'll do. We're actually not trying wonder one that was trying 0 1000 but whatever
06:30
em equal 75 that's just gonna reset M and clear it out. If we just did updates without resetting it, it would give us weird hashes m not update stir of eye in that. In other words, returning that number into a string
06:41
and we're updating the hash by calculating actual MP five. Some of that
06:45
they were doing a test hash,
06:46
which is just equal MD it mm dot hex Digest, which is just the MP five hex
06:53
string. And then we're checking that hash against the password hash, which we're receiving is an argument.
06:59
If it fails, that Prince that fails and Prince both hash is to make sure that we can kind of sanity check later on if succeeds, it prints the number. And now we know the password was really interesting about This is the fact that
07:10
you when you're cracking a password, if you're just trying every possible combination, this is how you would do it. You don't actually give it words or letters because that's that's inefficient. You've got to calculate the letter. You gotta keep calculating the letters. You gotta change. The letter is very, very difficult to do. On the other hand, you could just give it numbers
07:27
again. If you do every number between one and you know
07:30
50 million eventually you're probably going to get a hash that corresponds to the hash of the password. Because MD five isn't perfect, it has collisions. Now they're better types of hash there better, more secure functions, whatever. A lot of people still use 75 despite it being insecure, which again is where our earlier comic comes from? Fuzzing password cracking All of these exploitative techniques
07:49
are pretty much on Lee useful
07:51
because of user error. If everyone you wrote secure code all the time
07:56
Oh, people like you and me would be out of a job. Luckily, they don't you for laziness. So,
08:01
like every good TV chef,
08:03
I went ahead and just created past cracker dot pie. It's the same coach is written into a pot ah python function, and we're gonna run it. We're gonna do python
08:13
past cracker dot pie,
08:16
and we're going to say that
08:18
the password we're going to give it is gonna be
08:20
564.
08:22
So again, what we would normally do is he would give it a password hash that it wasn calculate against, but we're doing this is a demonstration rather than his actual password cracker.
08:31
And it fails. It fails, it fails. It pales, pales for a little while, is gonna fail. And bam success. It spits out 564. It reached a successful comparison and it gave us the password.
08:41
You see, it just generated over 500 results very quickly.
08:46
If we wanted to do,
08:48
we could give it a password that
08:50
probably won't even correspond. And she's gonna spit. It's gonna generate 1000 MD five hashes
08:56
in a few seconds, and none of them collected. And that wasn't correct. But if we were to do 10,000 or 100,000 or a 1,000,000 or what have you
09:03
odds are, eventually would run into a collision.
09:05
Now, the way to speed this up more than anything else isn't actually multi threading. It's not printing. If you're actually trying to write a cracker, which don't do that, that's against the Computer Fraud and Abuse Act 1974. But if you're trying to write a password cracker,
09:16
then what you want to do is you want to take away printing. You want to take away all of the things that movies say look like good hacking
09:22
and just write code that calculates. And whenever it finds the actual password. It spits on Lee that out
09:28
and, yeah, I deliberated over a few 1,000,000. If you really want to get good at it, then you're gonna, you know,
09:33
use stack list or J Python, and you're going to set multiple threads starting at different points, all of them trying to crack the password.
09:41
Nd five, despite being a relatively insecure hashing method, is still stronger than the average. You know, Python script can be.
09:50
But again, what I mentioned earlier, if you get a few 1000 of those common passwords, your increased precipitously
09:56
or if you just want to set something to crack and you know
09:58
come back to it in a few weeks, you'll probably get it most of the time.
10:01
Not ah
10:03
again. That's what password cracking looks like. It's pretty straightforward, pretty easy and is a great summary of what buzzing looks like it, how it works.
10:13
And with that, we've actually finished this final video no shorter than most of the others have been. But that's the end of the buzzing section, and therefore the interview advanced python slides.
10:20
No,
10:22
with this is with everything else, we have any questions with Contact me on that page on the cyber grey 0.80 website.
10:26
Uh,
10:28
do my best to get back to any comments, questions, concerns, queries everything else.
10:31
There's still some activity videos to do, as well as the final activity video on a couple of sort of tossed in there for your fun and learning.
10:39
So please continue. Please enjoy those.
10:41
If your donors you've already done those and came with slides afterward, which is, by the way, is a terrible way to do it. Please don't. That's about strategy. But if you did, then you're done with Advanced Python and you're done with the python for Skeeter professionals. Course.
10:52
I hope you enjoyed it. I hope you learned a lot, and I hope to see again. Until then, please get out there and break stuff.

Up Next

Python for Security Professionals

This is the archived version of our new Python course! If you would like to view our newly updated course, scroll to the bottom, and click the link.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor