TL;DR
This guide shows you how to fuzz a TCP port running an unknown application using black-box techniques. We’ll use Nmap for initial discovery, then AFL++ with a custom input generator and network socket mode to send malformed data to the target.
1. Initial Reconnaissance
- Port Scan: Use Nmap to identify open ports on the target machine. This helps you find the service you want to fuzz.

```shell
nmap -sV -T4
```

The -sV flag enables version detection, and -T4 sets a faster timing template (adjust as needed).

- Service Identification: Note the service name and port number from Nmap’s output. Even if it says ‘unknown’, you have a starting point.

```
PORT STATE SERVICE VERSION
```

For example, if Nmap reports port 80 running ‘http’, that’s your target.
2. Setting up AFL++
- Installation: Install AFL++ on your system. The installation process varies depending on your operating system (Linux, macOS, etc.). Refer to the official AFL++ documentation for instructions: https://github.com/AFLplusplus/AFLplusplus
- Environment Setup: Ensure you have a suitable environment for fuzzing, including necessary dependencies (compilers, libraries).
3. Creating an Input Generator
Since it’s black-box fuzzing, we don’t have source code. We need to create a program that generates random inputs suitable for the target service.
- Protocol Understanding: Try to understand the protocol used by the service (e.g., HTTP, SMTP, custom binary). Use Wireshark or similar tools to capture network traffic and analyze the data format.
- Generator Program: Write a C program that generates random byte sequences representing valid or potentially invalid packets for the target protocol. This generator will be used by AFL++ as input.
```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(void) {
    srand(time(NULL));
    unsigned char buffer[1024]; // Adjust size as needed
    for (size_t i = 0; i < sizeof(buffer); ++i) {
        buffer[i] = rand() % 256;
    }
    // Write the raw bytes. printf("%s", buffer) would stop at the first
    // zero byte and, since the buffer is not NUL-terminated, could read
    // past its end; fwrite emits every byte as generated.
    fwrite(buffer, 1, sizeof(buffer), stdout);
    return 0;
}
```

Compile this generator:

```shell
gcc -o input_generator input_gen.c
```
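Uniformly random bytes are usually rejected by a protocol parser at the first byte, so little code gets exercised. The following generator, an added example that is not from the original guide, applies the guide's advice of emitting valid and potentially invalid packets to an HTTP-style target: variant 0 is a well-formed request and variants 1-3 each break one framing rule (oversized request line, Content-Length larger than the body, header block never terminated). The function names gen_http_seed, append and seed_len, the Host value `target`, and the output file names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NVARIANTS 4
#define LIT(s) s, sizeof(s) - 1   /* string literal plus its length */

/* Append len bytes to out[*n] without overflowing cap. Returns 1 on success. */
static int append(unsigned char *out, size_t cap, size_t *n, const char *src, size_t len)
{
    if (len > cap - *n) return 0;
    memcpy(out + *n, src, len);
    *n += len;
    return 1;
}

/* Build seed `variant` into out (capacity cap). Returns bytes written, 0 on
 * error. Deterministic, so the seed corpus is reproducible across runs. */
size_t gen_http_seed(unsigned char *out, size_t cap, unsigned variant)
{
    size_t n = 0;
    int ok;
    switch (variant) {
    case 0: /* well-formed baseline request */
        ok = append(out, cap, &n, LIT("GET /index.html HTTP/1.1\r\nHost: target\r\n\r\n"));
        break;
    case 1: /* request line far longer than a typical fixed-size buffer */
        ok = append(out, cap, &n, LIT("GET /"));
        for (int i = 0; ok && i < 600; i++) ok = append(out, cap, &n, "A", 1);
        ok = ok && append(out, cap, &n, LIT(" HTTP/1.1\r\nHost: target\r\n\r\n"));
        break;
    case 2: /* Content-Length promises far more than the body delivers */
        ok = append(out, cap, &n, LIT("POST /upload HTTP/1.1\r\nHost: target\r\n"
                                      "Content-Length: 4096\r\n\r\nab"));
        break;
    case 3: /* header block never terminated: exercises the server's read loop */
        ok = append(out, cap, &n, LIT("GET / HTTP/1.1\r\nHost: target"));
        break;
    default:
        return 0;
    }
    return ok ? n : 0;
}

/* Length of seed `variant` when built into a 2 KiB buffer (0 on error). */
size_t seed_len(unsigned variant)
{
    unsigned char b[2048];
    return gen_http_seed(b, sizeof b, variant);
}

/* Usage: ./seed_gen <outdir>  (writes seed0..seed3 with fwrite, so no byte is lost) */
int main(int argc, char **argv)
{
    unsigned char buf[2048];
    char path[512];
    if (argc != 2) { fprintf(stderr, "usage: %s <outdir>\n", argv[0]); return 1; }
    for (unsigned v = 0; v < NVARIANTS; v++) {
        size_t n = gen_http_seed(buf, sizeof buf, v);
        snprintf(path, sizeof path, "%s/seed%u", argv[1], v);
        FILE *f = fopen(path, "wb");
        if (n == 0 || !f) return 1;
        fwrite(buf, 1, n, f);
        fclose(f);
    }
    return 0;
}
```

Point the output directory at the AFL++ input directory so these seeds form the initial corpus alongside any random ones.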
4. Fuzzing with AFL++ in Network Socket Mode
- Create a Directory: Create a dedicated directory for your fuzzing campaign, including the input directory AFL++ will read seeds from.

```shell
mkdir -p afl_fuzz_campaign/inputs
```

- Initial Corpus: Generate a small set of initial input samples using your generator program (e.g., 10-20 files). These will be used as the starting point for AFL++’s mutation engine.

```shell
./input_generator > afl_fuzz_campaign/inputs/seed1
./input_generator > afl_fuzz_campaign/inputs/seed2
...
```

- Run AFL++: Execute AFL++ in network socket mode, specifying the target service’s host and port number and the input directory.

```shell
afl-fuzz -i afl_fuzz_campaign/inputs -o afl_fuzz_campaign/output --net :
```

Replace the host and port placeholders with the actual values.

- Monitor: Watch AFL++’s status screen to observe its progress. Pay attention to crashes, hangs, or other interesting events.
5. Analyzing Results
- Crash Analysis: If AFL++ detects a crash, it will save the crashing input in the output/crashes directory. Analyze these inputs to understand the vulnerability and potential exploitability.
- Unique Test Cases: Review the unique test cases generated by AFL++ (in the output/queue directory) for potentially interesting behavior.

