

EJABBERD MONITORING SERIES
This article (along with subsequent articles) will cover the journey I've taken in learning about the XMPP (eXtensible Messaging and Presence Protocol) standard and how I used that knowledge to fuzz various servers, starting with the eJabberd server available from the ejabberd community. The ejabberd server is also supported by a for-profit company.

When installing the chat server on a public-facing interface you want to make sure that it is secure. And one way to verify that is to perform black box fuzzing. Fuzzing, for those who are unaware, is the process of submitting invalid or random data to a server application using an automated tool. This process will allow the security researcher to identify various defects in how the application handles each of those inputs. Crashing the application as a result of the problematic data usually indicates that there is a defect within the program, which could possibly be exploited by a bad actor.

The first step of this long and arduous path begins with a single installation of the eJabberd chat server. eJabberd is written in Erlang, which is an unusual choice for a chat server since most tend to be written in Java and sometimes in C/C++. The latest version of the server is available from the eJabberd web site located here and it was a matter of downloading the installer and then running it. A few minutes later I had a functioning XMPP server up and running.

The next step was to verify that my chat software could connect to it. This would ensure that I had correctly installed the server and that it was functioning normally. I used two clients, iChat from Apple and Adium from the Adium Team. I ran both clients simultaneously and could send messages between them. So far everything seemed on the "up and up."

I downloaded the tools xmpp-fuzzer and gizmo from Google Code. Three years ago, Ava LaTrope first released the gizmo tool at DEF CON 17; you can see her presentation on YouTube, and the xml-fuzzer was found through a Google search. However, right off the bat I ran into problems with the xmpp-fuzzer; it seems it was not compatible with my 64 bit OS X installation. So I had to download and rebuild it from source, which included getting the appropriate Java bits, like the SWT library. What a pain in the neck it was to get this to build. But after struggling with various configuration issues, I was able to get it to finally build and run.

At this time I pointed the fuzzer towards my local version of eJabberd and hoped for the best. Seems that the xmpp-fuzzer wasn't as robust as the "Prototype 0.1" label led me to believe. So I decided to re-evaluate my decision to go with the prototypical xmpp fuzzing tool. I was aware that there are several other tools out there, including Peach and Sulley, that will support fuzzing the XMPP server once the proper configuration (magic) incantations are made. So I put the xmpp-fuzzer test on hold and began downloading Peach. In part 2 of this series I will cover the installation and configuration of the Peach fuzzing platform and how I use it in my search for successful XMPP fuzzing.
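
The black-box fuzzing loop described in this post, as an added example that is not code from the original article or from xmpp-fuzzer, gizmo or Peach: mutate a valid stanza, submit it, and separate clean rejections from unhandled exceptions. The seed stanza, `handle_stanza` and its planted address-parsing defect are constructed stand-ins for a server's input handler, so the loop runs offline.

```python
import random
import xml.etree.ElementTree as ET

# Constructed seed stanza (sample input, not captured traffic).
SEED = b"<message to='bob@localhost' type='chat'><body>hello</body></message>"

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte delete, chunk repeat or truncation."""
    buf = bytearray(data)
    pos = rng.randrange(len(buf))
    op = rng.choice(("flip", "delete", "repeat", "truncate"))
    if op == "flip":
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == "delete":
        del buf[pos]
    elif op == "repeat":
        buf[pos:pos] = buf[pos:pos + 8] * rng.randrange(2, 64)
    else:
        del buf[pos:]
    return bytes(buf)

def handle_stanza(raw: bytes):
    """Hypothetical target with a planted defect: it trusts the 'to' address format."""
    root = ET.fromstring(raw)                        # malformed XML -> ET.ParseError
    user, domain = root.attrib["to"].split("@")      # KeyError / ValueError if unexpected
    return user, domain

def classify(raw: bytes) -> str:
    """Map one test case to an outcome the way a fuzzing monitor would."""
    try:
        handle_stanza(raw)
        return "accepted"
    except ET.ParseError:
        return "rejected"                            # input refused cleanly: expected
    except Exception as exc:                         # unhandled exception: a defect
        return "crash:" + type(exc).__name__

def fuzz(iterations: int = 2000, seed: int = 1) -> dict:
    """Run the loop; return outcome counts and one reproducer per crash type."""
    rng = random.Random(seed)
    counts, repro = {}, {}
    for _ in range(iterations):
        case = mutate(SEED, rng)
        outcome = classify(case)
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome.startswith("crash:"):
            repro.setdefault(outcome, case)          # keep the first input that triggered it
    return {"counts": counts, "repro": repro}

if __name__ == "__main__":
    print(fuzz())
```

Fixing the random seed makes a run repeatable, and saving the first input for each crash type gives a reproducer to replay against the handler.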
