Security

Creating a Fuzzer with Metasploit

From now on, we will shift our focus from the two commonly used modules – payloads and exploits – and look at other modules that are frequently used in pen-testing; namely, the Post, Nop, encoders, and auxiliary modules.

Auxiliary mods are generally used to perform one-off actions post-exploitation, but you can do far more with this fascinating tool, such as creating your own vulnerability scanners and port scanners. This article will take a detailed look at the auxiliary module in particular, and learn how to create a fuzzer with it.

Step 1: Navigate to the Metasploit Directory


First, launch Kali Linux and go to the Metasploit Framework directory. Type the following in Kali interface:

$ cd /usr/share/metasploit-framework

To get a better look at the contents here, change the view of the directory by entering the following:

$ ls –l

Scroll to the subdirectory module and again, type:

$ cd modules

$ ls -l

This output shows the different types of modules in Metasploit, including:

  • Exploits
  • Payloads
  • Nod
  • Post
  • Encoders
  • Auxiliary

Now, we will examine the auxiliary module in greater detail.

Step 2: Expand Auxiliary Directory

Enter the auxiliary directory

$ cd modules/auxiliary

$ ls –l

This will compartmentalize the auxiliary module directory into several subdirectories. The output will display a comprehensive list of subdirectories, starting with the admin directory.

Creating Fuzzers

Before we proceed, we will first define what fuzzing is.

Fuzzing: A Brief Introduction

Fuzzing is a practice in software testing discipline that involves continuously putting random, unexpected inputs into a computer program to determine all possible crashes that a system might face. Putting too much data or random inputs into a variable area causes a buffer overflow, a critical vulnerability, which is what Fuzzing looks out for as an inspection technique.

Not only is buffer overflow a serious vulnerability, but it is also often the go-to method for hackers when they are trying to break into a system.

The Fuzzing Process

Go to the fuzzer directory and take a good look with the listing:

$ cd fuzzers

$ ls –l

The types of fuzzers on display will include the following: dns, ftp, http, smb, smtp, ssh, and tds.

The fuzzer of particular interest to us here is ftp.

Next, open the fuzzers directory:

$ cd ftp

$ ls –l

Out of the two types displayed here, we will use the “tp_pre_post fuzzer,” instead of “client_ft.rb.”

Open up the msfconsole, locate the “tp_pre_post fuzzer,” and run it. In the msf prompt, type the following:

$ msfconsole

$ msf > search type:auxiliary fuzzers

Msfconsole will list only those modules that are auxiliary and neglect other types. Notice that all the mods presented have the keyword ftp, requiring the process to sort out the modules as instructed by the command.

The search results show several different modules; we will only be using the “auxiliary/fuzzers/ftp/ftp_pre_post” module. You can look into the details regarding the functions this mod has by typing msf > info.

Now, load this module by typing:

$ msf > use auxiliary/fuzzers/ftp/ftp_pre_post

As you can see, the module can take several different inputs. We will be using a specific IP address. In this example, we are using a system with Windows 2003 OS as the designated target to test out our fuzzer.

Set the IP address and run the module:

$ msf > set RHOSTS (enter IP here)

$ msf > run

The fuzzer will begin with the light 10 bytes and slowly begin to overwhelm the system with more sizeable inputs, upsizing by 10 bytes with every iteration. The maximum size is 20000 bytes by default, which can be modified according to the system type.

This is a very convoluted and long process, so be patient. The fuzzer will stop at the specified size limit, or when it detects a few error messages.

Conclusion

This article described what fuzzers are: auxiliary modules that allow us to check a system for vulnerabilities, including the buffer overflow, which is the most significant as it is often overridden by its exploitation. The article also described how to perform fuzzing on a system with the tp_pre_post fuzzer. Despite being relatively simpler components of the Metasploit framework, fuzzers can be extremely valuable when it comes to pen-testing.

Obviously, this not the only thing that auxiliary modules are capable of; there are hundreds of different modules that serve a variety of different purposes for testing your system.

About the author

Younis Said

I am a freelancing software project developer, a software engineering graduate and a content writer. I love working with Linux and open-source software.