Before we get started, let's cover some basic knowledge that you may or may not already know:
# What is fuzzing?
In short, fuzzing is a technique for discovering coding errors in software by sending a target (a port, an application, a parser, etc.) unexpected or malformed data. For example, if we have a small application that asks us for a number between 1 and 10 and then divides that number by 2, what happens if we enter "%Io&6...." instead? (It's not the best example, I know, but I think you get the picture.)
# How does this help us?
Well, depending on how and where the application crashes, we may have found one of several kinds of vulnerability, such as a buffer overflow or a denial of service (DoS).
NOTE: The definitions above are not complete; if you want more details, I suggest you try Google.
Before we begin, a few answers to questions that most of you will ask:
1. Why did I make a fuzzer when there are other fuzzers out there?
Yes, you are right, there are a lot of other fuzzers out there. My fuzzer wasn't intended to be a public fuzzer: I started making it for personal use and to learn more about fuzzing, but some friends told me I should give it a try and publish it, since maybe people would like it.
2. Why is my fuzzer more special than the other fuzzers out there?
The answer is simple: it's not! I didn't make it to be more special than the other fuzzers out there; I just included the features I needed and nothing more.
OK, now that we have covered these basic questions, let's move on and see how it works and what features it has:
# What is sickfuzz?
sickfuzz is a wrapper around SPIKE, written in Python.
# How does it work?
It accepts CLI arguments and, based on those, launches SPIKE's generic_send_tcp with custom-made .spk files (SPIKE scripts that describe the protocol messages to fuzz and mark which fields get mutated).
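As an added example (this is not sickfuzz's own code; its .spk files and CLI are not shown on this page), the following Python shows what such a wrapper has to do: write a SPIKE script for an HTTP GET, build the generic_send_tcp command line, and track the `Fuzzing Variable N:M` progress lines that generic_send_tcp prints so a run can be restarted with SKIPVAR/SKIPSTR after the target dies. The function names, the file name and the target address are assumptions; the .spk primitives and the generic_send_tcp argument order are SPIKE's own.

```python
import re
import subprocess

# Added example, not sickfuzz's code. Names such as http_get_spk are hypothetical;
# the .spk syntax and the generic_send_tcp argument order are SPIKE's.


def http_get_spk(path="/index.html", host="127.0.0.1"):
    """Return the text of a SPIKE script (.spk) that fuzzes an HTTP GET.

    s_string() emits a fixed string; s_string_variable() marks a field that
    generic_send_tcp replaces, one variable at a time, with every entry of
    SPIKE's built-in fuzz-string list (long strings, format specifiers, ...).
    """
    return (
        's_string("GET ");\n'
        f's_string_variable("{path}");\n'
        's_string(" HTTP/1.1\\r\\n");\n'
        's_string("Host: ");\n'
        f's_string_variable("{host}");\n'
        's_string("\\r\\n\\r\\n");\n'
    )


def generic_send_tcp_cmd(target, port, spk_path, skipvar=0, skipstr=0,
                         binary="generic_send_tcp"):
    """argv for SPIKE's generic_send_tcp.

    Usage: generic_send_tcp <host> <port> <script> <SKIPVAR> <SKIPSTR>
    SKIPVAR/SKIPSTR start the run at that variable and fuzz-string index
    instead of 0:0, which is how a wrapper resumes after a crash.
    """
    return [binary, target, str(port), spk_path, str(skipvar), str(skipstr)]


# generic_send_tcp reports its position as "Fuzzing Variable <var>:<str>"
# (assumed format, matching SPIKE's console output).
PROGRESS_RE = re.compile(r"^Fuzzing Variable (\d+):(\d+)")


def parse_progress(line):
    """Return (variable, string) from a progress line, or None for other output."""
    m = PROGRESS_RE.match(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def run_and_track(cmd):
    """Launch generic_send_tcp and return the last (var, str) pair it reported."""
    last = (0, 0)
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    for line in proc.stdout:
        pos = parse_progress(line)
        if pos:
            last = pos
    proc.wait()
    return last


def resume_cmd(target, port, spk_path, last_pos):
    """Build the command that continues a run from the last reported position."""
    var, string = last_pos
    return generic_send_tcp_cmd(target, port, spk_path, skipvar=var, skipstr=string)


if __name__ == "__main__":
    import sys
    target, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) > 2 else ("127.0.0.1", 80)
    with open("http_get.spk", "w") as f:
        f.write(http_get_spk(host=target))
    cmd = generic_send_tcp_cmd(target, port, "http_get.spk")
    print("running:", " ".join(cmd))
    last = run_and_track(cmd)
    print("stopped at variable:string", last,
          "-> resume with:", " ".join(resume_cmd(target, port, "http_get.spk", last)))
```

Running the script against a web server needs generic_send_tcp on the PATH; the helpers themselves only build text and argv, so the resume logic can be checked without SPIKE installed.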
# What other features does it have?
- tshark (the CLI version of Wireshark) support: once you start fuzzing, tshark starts capturing the HTTP packets sent to your specified port, for later analysis.
- Crash detection: most applications, if they receive a large number of requests, start refusing them, and most fuzzers interpret that as a crash and simply stop. When sickfuzz encounters such behaviour it checks whether the application has really crashed, and if the application is still up it resumes the fuzzing process.
- It's really fast and has a lot of mutations (SPIKE rocks!)
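The crash check described above, as an added example that is not sickfuzz's code: probe the target with a harmless request, retry with a back-off before declaring it dead, and only stop the fuzzing loop once the target stays unresponsive. The toy victim server, the retry parameters and the function names are constructed for this demonstration.

```python
import socket
import threading
import time

# Added example, not sickfuzz's code: tell a server that is merely dropping or
# refusing connections under load apart from one that has actually died.
# The retry policy and the toy server below are assumptions for the demo.


def probe_http(host, port, timeout=2.0):
    """Send a harmless request and report whether the target answers like a web server."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return s.recv(1024).startswith(b"HTTP/")
    except OSError:          # refused, reset or timed out: no verdict yet
        return False


def target_crashed(host, port, attempts=5, delay=0.5):
    """Return True only if the target stays unresponsive across several probes.

    A server saturated by the fuzzer usually recovers within a few seconds,
    so one failed probe is not a crash; back off between attempts.
    """
    for i in range(attempts):
        if probe_http(host, port):
            return False
        time.sleep(delay * (i + 1))
    return True


def send_case(host, port, payload, timeout=2.0):
    """Deliver one fuzz case; True if the target sent anything back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            return s.recv(1024) != b""
    except OSError:
        return False


def fuzz_until_crash(host, port, cases, attempts=5, delay=0.5):
    """Send each case; when one gets no answer, ask target_crashed() before giving up.

    Returns the index of the case that was in flight when the target died,
    or None if every case was delivered.
    """
    for i, payload in enumerate(cases):
        if not send_case(host, port, payload) and target_crashed(host, port, attempts, delay):
            return i
    return None


def start_toy_server(drop_first=0):
    """Constructed stand-in for the victim: drops the first `drop_first`
    connections without answering (as an overloaded server would), then serves."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    remaining = [drop_first]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if remaining[0] > 0:
                    remaining[0] -= 1
                    continue                  # close without a reply
                conn.recv(4096)
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A port nothing listens on (bound, then released) to stand in for a dead target."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_toy_server(drop_first=1)
    cases = [b"GET /%s HTTP/1.0\r\n\r\n" % (b"A" * n) for n in (16, 1024, 8192)]
    print("overloaded but alive ->", fuzz_until_crash("127.0.0.1", port, cases, 3, 0.1))
    print("dead target ->", fuzz_until_crash("127.0.0.1", unused_port(), cases, 3, 0.1))
```

The first run prints `None` because the dropped first connection is followed by a successful probe, so the loop carries on; the second prints `0`, since nothing ever answers on the released port.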
# What do I need to run it?
- SPIKE (for generic_send_tcp) and Python
- Wireshark (tshark + editcap)
- A web server to use as the victim
Also, g0tmi1k made a cool video demonstrating how to use it; check it out:
OK, now at the end I want to thank all who helped me with the fuzzer:
g0tmi1k's blog post here.