Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABtNtWFzEgs5ZWnW8jTQOAvfyuOegr1Rkv_m1irymG0opxjbng@mail.gmail.com>
Date: Sat, 14 Mar 2015 22:54:11 +0800
From: Kai Zhao <loverszhao@...il.com>
To: john-dev@...ts.openwall.com
Subject: Extend AFL to fuzz as you want

AFL is good at fuzzing, but it is not very suited to John. The main reason
is that we can not control
how to mutate our hash file. In order to control how to mutate hash file, I
extended AFL in my fork:

https://github.com/loverszhaokai/JohnTheRipper/tree/add_afl

The path is: JohnTheRipper/1.55b, know more about of the changes, please
see:

https://github.com/loverszhaokai/JohnTheRipper/blob/add_afl/afl-1.55b/readme.markdown

The extension supports xml input file in AFL. I add 'john mode' in AFL, and
it is especially for john fuzz.
To use john mode, users must write xml input file which is different from
currently password file. Here
is the xml schema:

https://github.com/loverszhaokai/JohnTheRipper/blob/add_afl/afl-1.55b/docs/john.markdown#xml-schema

The extension is inspired by peach fuzzer pit file. Here is an example of
the xml file:

siemens-s7-valid.xml
------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>

<AFL case_number="90">    <!-- Totally generates 90 cases -->
    <DataElement>
        <string is_mutate="false">$siemens-s7</string>
                                                            <!--id=1-->
        <string is_mutate="false">$</string>

 <!--id=2-->
        <string is_mutate="false" length="1" type="NUM">1</string>
                                                     <!--id=3-->
        <string is_mutate="false">$</string>

 <!--id=4-->
        <string length="40"
type="HEX_STR_L">599fe00cdb61f76cc6e949162f22c95943468acb</string>
<!--id=5-->
        <string is_mutate="false">$</string>

 <!--id=6-->
        <string length="40"
type="HEX_STR_L">002e45951f62602b2f5d15df217f49da2f5379cb</string>
 <!--id=7-->
    </DataElement>
</AFL>
------------------------------------------------------------------------------------

case_numer = 90     :  AFL totally generates 90 cases
is_mutate="false"     :  The element will never be mutated
length="40"              :  The element's length must be 40 even it is
mutated
length="[40,1000]"   :  The element's length is from 40 to 1000, including
40 and 1000
type="HEX_STR_L":  The value is lower hex string

For example, the id = 7 element, will generates a lower hex string which
length is 40. All the 90 cases
this file generates are valid.

It depends on users to test which part of john, if the user fuzz
crypt_all(), this xml file is ok. If one want
to fuzz valid(), he can change the xml file as follow:

siemens-s7-invalid.xml
------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>

<AFL case_number="90">    <!-- Totally generates 90 cases -->
    <DataElement>
        <string>$siemens-s7</string>
                                                 <!--id=1-->
        <string>$</string>
                                                          <!--id=2-->
        <string type="NUM">1</string>
                                                <!--id=3-->
        <string>$</string>
                                                          <!--id=4-->
        <string
type="HEX_STR">599fe00cdb61f76cc6e949162f22c95943468acb</string>
 <!--id=5-->
        <string>$</string>
                                                         <!--id=6-->
        <string
type="HEX_STR">002e45951f62602b2f5d15df217f49da2f5379cb</string>
<!--id=7-->
    </DataElement>
</AFL>
------------------------------------------------------------------------------------

siemens-s7-invalid.xml removes the is_mutate="false", so each element can
be mutated, and finally most
of the elements are mutated, and it will failed to pass valid().

Here is the introduction of how to generate a case:

https://github.com/loverszhaokai/JohnTheRipper/blob/add_afl/afl-1.55b/docs/john.markdown#fuzz-algorithm

After mutated each elements, AFL will concat each elements to the password
file, and pass it to john to fuzz.
In conclusion, user can control how to mutate the elements---generates
whatever they want---- by the new xml
input file. This extension of AFL is also useful for many other softwares.
I think this feature is useful.

I would appreciate it if you could give me some advice on my extension of
AFL.

Thank you in advance.

--
sincerely,

Kai

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.