Taof - Generic Protocol GUI Fuzzer

Table of contents

Introduction
Installation
Source distribution
Binary distribution
How to use it
Settings
Data retrieval
Network capture
Opening previous capture
Boundaries selection
Fuzzing
Error detection
Debugging
Bugs and comments

Introduction

Taof is a generic network protocol fuzzing framework written in Python. It has been designed to minimize set-up time during fuzzing sessions and uses a graphical user interface to make it intuitive and easy to use. Even though it is a generic protocol framework, it is not designed as a development library and no programming skills are needed. It is useful for fast testing of proprietary, undocumented or unknown network protocols.

Installation

Taof is released in two versions, source code and binary.

Source distribution

Taof has been developed in Python, so it runs on any environment supported by that language. Taof uses a number of libraries that must be installed before it can run:

 

- Twisted (http://twistedmatrix.com/trac/)
- Glade (http://glade.gnome.org/)
- GTK (http://www.gtk.org/)

On a Debian Linux system the following commands should be enough:

# apt-get install python-twisted
# apt-get install python-gtk2
# apt-get install python-glade2

Once the libraries are installed, the following command runs Taof:

# python ./taof.py

Binary distribution

The binary distribution runs on Microsoft Windows 2000/XP/2003.

To run Taof, decompress the contents of the file into a folder; no installation is necessary. After decompressing the contents, just double-click on the taof.exe file.

How to use it

Once started, Taof presents the main dialog.

Taof is a generic protocol fuzzer. For Taof to work, a number of steps need to be carried out; they are described below.

 

Settings

The settings menu offers a number of parameters that can be changed.

Timeout from server – The amount of time, in seconds, that Taof will wait for a server response.

Waiting time between requests – The amount of time that Taof will wait before sending the next request during the fuzzing phase.

Waiting time when connection is lost – The amount of time that Taof will wait before retrying to connect to the server when the connection is lost.

Dictionary – Path of the dictionary file from which Taof reads words during a dictionary attack.

Data retrieval

The first stage of fuzzing is the data retrieval phase, in which Taof gathers information about the protocol under test. To do this, click on the "Data retrieval" button; a new dialog opens.

Two options exist for data retrieval: ‘Listening mode’ and ‘Open previous session’.

Network capture

During this process, Taof places itself as a man-in-the-middle between the client and the server. The researcher needs to point the client at Taof, and the traffic will be forwarded to the server.

To do this, click on the "Network settings" button within the data retrieval dialog. The dialog that appears requests all the information needed for the man-in-the-middle process.

Local server – The IP address the listener will listen on.

Local port – The local port of the listener.

Remote server – The IP address of the remote server to which the requests will be forwarded.

Remote port – The remote port to which the requests will be forwarded.

When all the settings are filled in, Taof enables the ‘Start’ button to begin forwarding requests. The researcher then uses the client program normally while Taof 'learns' the protocol. When done, click on "Stop" and close the dialog.
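
The man-in-the-middle capture described above, as an added Python example that is not Taof's own (Twisted-based) code: a relay that accepts the client on the local server/port, forwards every message to the remote server/port, and records requests and responses in the order they were seen. The upper-casing stand-in server, the sample messages and the names CaptureProxy, capture_session and run_capture are constructed for the illustration, so it runs on loopback without a real client or server.

```python
"""Added example (not Taof code): a recording TCP relay in the spirit of Taof's
listening mode.  Clients connect to the local server/port; every message is
logged and forwarded to the remote server/port, and replies are logged back."""
import asyncio
from typing import List, Tuple


class CaptureProxy:
    """Man-in-the-middle relay that keeps the client's requests and the
    server's responses in the order they were observed."""

    def __init__(self, remote_host: str, remote_port: int) -> None:
        self.remote_host = remote_host
        self.remote_port = remote_port
        self.requests: List[bytes] = []    # client -> server chunks
        self.responses: List[bytes] = []   # server -> client chunks

    async def _pump(self, reader: asyncio.StreamReader,
                    writer: asyncio.StreamWriter, log: List[bytes]) -> None:
        # Copy bytes from one side to the other, recording each chunk as it passes.
        try:
            while True:
                data = await reader.read(4096)
                if not data:            # peer closed its side
                    break
                log.append(data)
                writer.write(data)
                await writer.drain()
        except (ConnectionResetError, BrokenPipeError):
            pass
        finally:
            writer.close()              # propagate the close to the other side

    async def handle_client(self, client_reader, client_writer) -> None:
        # One connection to the real server per accepted client connection.
        server_reader, server_writer = await asyncio.open_connection(
            self.remote_host, self.remote_port)
        await asyncio.gather(
            self._pump(client_reader, server_writer, self.requests),
            self._pump(server_reader, client_writer, self.responses),
        )


async def _fake_server(reader, writer) -> None:
    # Constructed stand-in for the remote server: answers each message in upper case.
    while True:
        data = await reader.read(4096)
        if not data:
            break
        writer.write(data.upper())
        await writer.drain()
    writer.close()


async def capture_session(messages: List[bytes]) -> Tuple[List[bytes], List[bytes], List[bytes]]:
    """Run stand-in server, proxy and a client on loopback; return what the
    proxy logged (requests, responses) and what the client received."""
    server = await asyncio.start_server(_fake_server, "127.0.0.1", 0)
    remote_port = server.sockets[0].getsockname()[1]          # "Remote server/port"
    proxy = CaptureProxy("127.0.0.1", remote_port)
    listener = await asyncio.start_server(proxy.handle_client, "127.0.0.1", 0)
    local_port = listener.sockets[0].getsockname()[1]         # "Local server/port"

    # The client is pointed at the proxy and used normally while it "learns".
    reader, writer = await asyncio.open_connection("127.0.0.1", local_port)
    replies = []
    for msg in messages:
        writer.write(msg)
        await writer.drain()
        replies.append(await reader.read(4096))
    writer.close()
    await writer.wait_closed()

    listener.close()
    server.close()
    await listener.wait_closed()
    await server.wait_closed()
    return proxy.requests, proxy.responses, replies


def run_capture(messages: List[bytes]):
    """Synchronous wrapper around capture_session."""
    return asyncio.run(capture_session(messages))


if __name__ == "__main__":
    reqs, resps, _ = run_capture([b"HELO client\r\n", b"NOOP\r\n"])
    for req, resp in zip(reqs, resps):
        print(req, b"->", resp)
```

The recorded `requests` list is the raw material the next stage works on: each entry is one chunk the client sent, which is what the boundaries dialog later shows for fuzzing-point selection.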

Opening previous capture

Taof can also open previously captured sessions. Click on Open in the data retrieval menu and choose the session you want to open.

Boundaries selection

After the data retrieval stage, the boundaries to be fuzzed must be set for the fuzzing session. The user is presented with a list of the requests made by the client.

Fuzzing – Opens the fuzzing dialog.

Send request “as is” – Indicates whether or not the request is sent to the server unmodified right after connecting. This is very useful for protocols that need some kind of authentication.

Set fuzzing points – Opens a new dialog for setting the fuzzing boundaries of the selected request.

The researcher can browse through the logged requests and set fuzzing boundaries at will. To set the boundaries, select the request and click on “Set fuzzing points”, or simply double-click on the request. A new dialog for setting fuzzing points opens.

From – This field, filled automatically by selecting with the mouse, indicates the start of the boundary to be fuzzed.

To – This field, filled automatically by selecting with the mouse, indicates the end of the boundary.

Set variable length field – Indicates whether a variable length field is also included in the request. This is useful for fields such as “Content-length”.

From (length) – Start of the region where the variable length field is located.

To (length) – End of the region where the variable length field is located.

Value (length) – The original length value, to which the length of the injected signature will be added.

Add – Adds the fuzzing point.

Delete – Deletes the selected fuzzing point.

Stack/Heap overflows – Injects signatures for stack/heap overflows.

String overflows – Injects signatures for format string overflows.

Integer overflows – Injects signatures for integer overflows.

Dictionary attack – Injects values from a dictionary. Useful for brute-forcing a protocol for which there is no standard brute-force program.

This dialog can be used as many times as desired for any of the requests listed in the main dialog.
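
To make the From/To and variable length settings concrete, here is an added Python example that is not Taof's own code. It applies one fuzzing point to a constructed HTTP-style request the way the dialog above describes: the bytes between From and To are replaced by a signature and, when a variable length field is set, the digits between From (length) and To (length) are rewritten as Value (length) plus the length of the signature. The signature lists, the sample request and the names FuzzPoint, LengthField, apply_fuzz_point and build_login_point are constructed for the illustration; the code also handles a length field that follows the fuzzed region, a case the dialog does not single out.

```python
"""Added example (not Taof code): apply one Taof-style fuzzing point, with an
optional variable length field, to a captured request."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LengthField:
    start: int       # "From (length)": offset of the first digit of the length value
    end: int         # "To (length)": offset one past the last digit
    base_value: int  # "Value (length)": length to which len(signature) is added


@dataclass
class FuzzPoint:
    start: int                                 # "From": first byte to replace
    end: int                                   # "To": one past the last byte to replace
    length_field: Optional[LengthField] = None  # set when "Set variable length field" is on


# Constructed signature sets standing in for the dialog's three overflow categories.
STACK_HEAP_SIGNATURES = [b"A" * n for n in (64, 256, 1024)]
FORMAT_STRING_SIGNATURES = [b"%s" * 8, b"%x" * 16, b"%n" * 4]
INTEGER_SIGNATURES = [b"0", b"-1", b"2147483647", b"4294967295"]

# Constructed capture: a login request whose password value will be fuzzed.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.0\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"user=admin&pass=secret"
)


def span_of(data: bytes, needle: bytes, after: bytes = b"") -> Tuple[int, int]:
    """Return [start, end) offsets of `needle`, searching after the marker `after`.
    In Taof these offsets come from mouse selection; here they are computed."""
    base = data.index(after) + len(after) if after else 0
    start = data.index(needle, base)
    return start, start + len(needle)


def apply_fuzz_point(request: bytes, point: FuzzPoint, signature: bytes) -> bytes:
    """Replace request[point.start:point.end] with `signature` and, if a length
    field is configured, rewrite it as base_value + len(signature)."""
    lf = point.length_field
    if lf is None:
        return request[:point.start] + signature + request[point.end:]
    if not (lf.end <= point.start or lf.start >= point.end):
        raise ValueError("length field overlaps the fuzzed region")
    new_len = str(lf.base_value + len(signature)).encode()
    # Splice the later of the two edits first so the earlier one's offsets stay valid.
    if lf.start >= point.end:
        out = request[:lf.start] + new_len + request[lf.end:]
        return out[:point.start] + signature + out[point.end:]
    out = request[:point.start] + signature + request[point.end:]
    return out[:lf.start] + new_len + out[lf.end:]


def generate_cases(request: bytes, point: FuzzPoint, signatures: List[bytes]) -> List[bytes]:
    """One mutated request per signature, as the fuzzing phase would send them."""
    return [apply_fuzz_point(request, point, sig) for sig in signatures]


def build_login_point() -> FuzzPoint:
    """Fuzz the password value of SAMPLE_REQUEST and keep Content-Length consistent."""
    f_start, f_end = span_of(SAMPLE_REQUEST, b"secret", after=b"pass=")
    l_start, l_end = span_of(SAMPLE_REQUEST, b"22", after=b"Content-Length: ")
    # Value (length): the original body length minus the bytes being replaced,
    # so that adding len(signature) yields the new body length.
    base = 22 - (f_end - f_start)
    return FuzzPoint(f_start, f_end, LengthField(l_start, l_end, base))


def content_length_matches(request: bytes) -> bool:
    """Check that the Content-Length header equals the actual body length."""
    head, _, body = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1]) == len(body)
    return False


if __name__ == "__main__":
    point = build_login_point()
    for case in generate_cases(SAMPLE_REQUEST, point, STACK_HEAP_SIGNATURES):
        print(len(case), content_length_matches(case), case[:60])
```

Getting Value (length) right matters: if the length field is left stale, a server that honours it will simply truncate or reject the request and the injected signature never reaches the parser being tested.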

Fuzzing

When all the desired fuzzing points are set, the user is ready for the fuzzing phase. The “Fuzzing” button on the main menu opens the fuzzing dialog.

The user needs to click on “Start” and wait for the fuzzing session to finish.

 

Error detection

Error detection consists of two mechanisms. The first is performed by Taof, which checks that the remote server is still alive. The second should be done by the user, by attaching a debugger to the process being fuzzed.

 

Debugging

Taof keeps a debugging file with all the requests sent to and responses received from the server. If a vulnerability is discovered, this file provides details for a better understanding of it.

 

Bugs and comments

Taof has been developed by Rodrigo Marcos.

If you have any suggestions or comments (or if you want to share the 0days you discovered using Taof), contact me by email.

taof@irmplc.com