Sulley does not capture any bytes to pcap files #64

Open
PolymathMonkey opened this issue Oct 13, 2014 · 12 comments

@PolymathMonkey

Hi,

I have this specific problem happening on one of my lab environment machines.
First of all, I did the Sulley installation as the wiki page suggested, and network_monitor.py and process_monitor.py work fine. But when I come to the point where I want to do some test fuzzes to see if it works, Sulley claims something like "stopped PCAP thread, snagged 0 bytes of data". On the other side, on the second test machine the scripts run perfectly and the network traffic gets written to the pcap files. If this is not really an issue, please just close this ticket. Thanks in advance.

Kind regards,

Monkey

@Fitblip
Member

Fitblip commented Oct 13, 2014

Hey there,

Can you give me some more info on your setup, and some debug messages?

Thanks!

@PolymathMonkey
Author

Hi there,

Of course I can provide more details. I tried to keep as close
to the wiki page for setting up on a Windows box. So this is what I
am actually trying to run (in random order):

For the setup I am running, it is just a WinXP SP3 Ger. in a virtual machine
running on KVM. The VM has got about 512 MB of RAM and the CPU has 3.3 GHz. For
the application I want to test, I used a vulnserver fuzzer I found on:

http://resources.infosecinstitute.com/fuzzing-vulnserver-with-sulley-part-3/

I hope this information helps to fix this issue. If I can give you any other
information, just tell me. I will try to provide it as soon as I can. Thanks in advance.

Kind regards,

PolymathMonkey

@Fitblip
Member

Fitblip commented Oct 14, 2014

Are you attempting to fuzz it locally (sulley and the vulnerable program on
the same computer)?


@PolymathMonkey
Author

Yes to that, but I also tried to let the network_monitor run on the Linux host system, but with no success: when I run the nwmon on Linux it only does one capture and then stops iterating.

@Fitblip
Member

Fitblip commented Oct 14, 2014

Yeah, this is a known issue :( The Windows TCP stack won't let you
intercept traffic it's routing to a local interface (for some really dumb
reason).

I'd recommend either setting up 2 VMs and fuzzing one to the other, or
following some advice here ->
http://wiki.wireshark.org/CaptureSetup/Loopback

Moving forward I'm actually axing the pcap-to-get-your-payload model as
it's pretty silly, plus it doesn't work on things like SSL (even if you can
capture traffic), so this shouldn't be an issue.


@PolymathMonkey
Author

Okay, thanks. I will try your suggestions and then I will give you some feedback :)

@Fitblip
Member

Fitblip commented Oct 15, 2014

Sweet! Let me know :)


@nixawk

nixawk commented Mar 11, 2016

@PolymathMonkey @Fitblip Have you solved the problem? Sulley failed to log cap files.

root@lab:~/sulley# uname -a
Linux lab 4.3.0-kali1-686-pae #1 SMP Debian 4.3.5-1kali1 (2016-02-11) i686 GNU/Linux
root@lab:~/sulley# python network_monitor.py -d 0 -f "port 21" -P audit
[10:07.06] Network Monitor PED-RPC server initialized:
[10:07.06]   device:    eth0
[10:07.06]   filter:    port 21
[10:07.06]   log path:  audit
[10:07.06]   log_level: 1
[10:07.06] Awaiting requests...
[10:07.19] initializing capture for test case #3
Warning: Kernel filter failed: Bad file descriptor
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/root/sulley/sulley/pedrpc.py", line 299, in serve_forever
    ret = method_pointer(*args, **kwargs)
  File "network_monitor.py", line 178, in pre_send
    self.pcap.setfilter(self.filter)
PcapError: can't remove kernel filter: Bad file descriptor

@nixawk

nixawk commented Mar 11, 2016

#39 network_monitor broken in linux

@PolymathMonkey
Author

@all3g check the link @Fitblip posted. It explains the problem pretty well; basically you have to do the sniffing from a virtual LAN or such, because sniffing from loopback in Windows was a pain in the ass.

@Fitblip
Member

Fitblip commented Mar 11, 2016

Yup, @PolymathMonkey is correct. Sniffing locally has always been an issue due to how the networking stacks work in each platform.

@all3g your issue seems like it might actually be a configuration issue with VMware though. Some cursory googling of your issue led me to this -> https://communities.bmc.com/message/606551

@nixawk

nixawk commented Mar 12, 2016

Thanks @PolymathMonkey @Fitblip. It works.

  • fuzz.py is on Kali Linux
  • network_monitor.py and process_monitor.py are on Windows xp3.

screen shot 2016-03-12 at 8 53 51 am
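
A preflight check for the situation this thread resolves, as an added example (not Sulley code and not written by any participant): before starting a fuzz session, test whether the target address belongs to the machine running the fuzzer, which is the local-traffic case where the capture comes back empty. The function names are hypothetical, the sample addresses are constructed, and only the Python 3 standard library is used.

```python
import ipaddress
import socket


def is_local_address(host):
    """True if `host` resolves to an address owned by this machine."""
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            host, None, type=socket.SOCK_DGRAM):
        ip = ipaddress.ip_address(sockaddr[0].split("%")[0])
        if ip.is_loopback or ip.is_unspecified:
            return True
        # bind() only succeeds for an address assigned to a local interface,
        # so this also catches a target given as the host's own LAN address.
        try:
            with socket.socket(family, socket.SOCK_DGRAM) as probe:
                probe.bind((sockaddr[0], 0) + tuple(sockaddr[2:]))
            return True
        except OSError:
            continue  # not ours (or family unsupported); try the next result
    return False


def capture_preflight(target_host):
    """Return (ok, message) for a planned fuzz target (hypothetical helper)."""
    if is_local_address(target_host):
        return (False,
                "%s is on the fuzzer's own host: on Windows expect an empty "
                "pcap; fuzz from a second machine or VM instead" % target_host)
    return (True, "%s is remote: traffic crosses a capturable interface"
            % target_host)


if __name__ == "__main__":
    # Constructed sample targets: loopback and a documentation-range address.
    for host in ("127.0.0.1", "192.0.2.10"):
        ok, message = capture_preflight(host)
        print("OK  " if ok else "WARN", message)
```
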
