Deep Dive into Fuzzing

Course Description

Attendees will work hands-on through the full cycle of fuzzing a binary or piece of software: getting it to crash, detecting the crash, and triaging it. "Deep Dive into Fuzzing" gives a detailed overview of fuzzing and of how it helps professionals uncover security vulnerabilities, with the emphasis throughout on lab exercises.

Finding vulnerabilities in software requires in-depth knowledge of different technology stacks. Modern software has a huge codebase and may contain vulnerabilities; verifying such vulnerabilities by hand is tedious and not always possible. This training introduces the concept of fuzzing and vulnerability discovery in software across multiple platforms, Linux and Windows included, together with triage analysis of the vulnerabilities found.

Key Takeaways

  • Effective ways of fuzzing
  • Understanding different classes of vulnerabilities
  • Key fundamentals of fuzzing and how it works
  • Getting started with fuzzing Windows binaries
  • Creating your own grammar for fuzzing
  • Implementing persistence for complex programs
  • Tons of exercises focusing on real-world software
  • CTC – Capture the crash on a custom application

Course contents

Day 1

  • Understanding fuzzing fundamentals
  • AFL internals
  • Setting up the environment
  • Selecting fuzzing targets
  • Spinning up the fuzzer effectively
  • Corpus generation
  • Hooking custom mutators
  • “Not so pro tips” while fuzzing
  • Improving code coverage with grammar
  • Plotting difference in code coverage
  • Enhancing your fuzzing approach

Day 2

  • Setting up persistent mode
  • AFL internals for QEMU
  • Targeting blackbox binaries
  • Setting up QEMU persistent mode
  • Introduction to network fuzzing
  • WinAFL Internals
  • Analyzing your target with debuggers
  • Improving code coverage
  • Fuzzing real world targets
  • Capture the crash (CTC)
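
As an added illustration of the persistent-mode topic listed above (example code written for this page, not the course's own lab material): an AFL++ persistent-mode harness wrapped around a small, made-up TLV record parser. The record format, the function and constant names and the sample inputs are all invented for the example; the `__AFL_*` macros and the stdin fallback follow the pattern documented for AFL++, so the same source builds with `afl-clang-fast` for fuzzing and with a plain C compiler for a stand-alone run.

```c
/* afl_persistent_harness.c  (added example, not course material)
 *
 * Fuzz build:   afl-clang-fast -O2 afl_persistent_harness.c -o harness
 *               afl-fuzz -i corpus -o out -- ./harness
 * Plain build:  cc -O2 afl_persistent_harness.c -o harness && ./harness < testcase
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Without afl-clang-fast/afl-clang-lto the AFL++ macros are undefined. These
 * fallbacks (the shape given in the AFL++ documentation) read one test case
 * from stdin, so the harness still compiles and runs as an ordinary program. */
#ifndef __AFL_FUZZ_TESTCASE_LEN
static ssize_t fuzz_len;
static unsigned char fuzz_buf[1024000];
#define __AFL_FUZZ_TESTCASE_LEN fuzz_len
#define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
#define __AFL_FUZZ_INIT() void sync(void)
#define __AFL_LOOP(x) ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0)
#define __AFL_INIT() sync()
#endif

__AFL_FUZZ_INIT();

/* Made-up record format used only for this example:
 *   "FZ" | count:u8 | count x ( type:u8 | len:u8 | value[len] )
 * Returns 0 on success or a negative code for malformed input. *checksum_out
 * receives an additive checksum of all value bytes so a caller (or a unit
 * test) can observe that the parser actually walked the whole input.
 * The parser keeps no state between calls, which persistent mode requires:
 * every iteration must start from the same program state. */
int parse_records(const uint8_t *data, size_t len, uint32_t *checksum_out) {
  if (len < 3 || data[0] != 'F' || data[1] != 'Z') return -1; /* bad header */
  uint8_t count = data[2];
  size_t pos = 3;
  uint32_t sum = 0;
  for (uint8_t i = 0; i < count; i++) {
    if (pos + 2 > len) return -2;            /* truncated record header */
    uint8_t rlen = data[pos + 1];
    if (pos + 2 + rlen > len) return -3;     /* value runs past the buffer */
    for (size_t j = 0; j < rlen; j++) sum += data[pos + 2 + j];
    pos += 2 + (size_t)rlen;
  }
  if (pos != len) return -4;                  /* trailing bytes after records */
  *checksum_out = sum;
  return 0;
}

/* Constructed sample inputs (not captured from any real target). */
static const uint8_t kGoodInput[]      = {'F', 'Z', 2, 1, 3, 'a', 'b', 'c', 7, 1, 0xff};
static const uint8_t kHeaderOnlyInput[] = {'F', 'Z', 1};
static const uint8_t kTruncatedInput[] = {'F', 'Z', 1, 1, 5, 'a', 'b'};
static const uint8_t kTrailingInput[]  = {'F', 'Z', 0, 0};
static const uint8_t kBadMagicInput[]  = {'X', 'Y', 0};

int main(void) {
  /* Expensive one-time setup (config parsing, large allocations) belongs
   * here, before __AFL_INIT(), so the fork server snapshots a process that
   * has already paid for it. */
  __AFL_INIT();
  unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; /* fetch after __AFL_INIT() */

  /* Run up to 10000 test cases in this process before AFL restarts it, which
   * bounds the damage from any state leak the target might still have. The
   * length must be re-read on every iteration; the buffer must not be
   * modified in place (copy it first if the target writes to its input). */
  while (__AFL_LOOP(10000)) {
    size_t len = (size_t)__AFL_FUZZ_TESTCASE_LEN;
    uint32_t sum = 0;
    int rc = parse_records(buf, len, &sum);
    if (rc == 0) printf("ok: checksum=%u\n", sum);
    else printf("rejected: code %d\n", rc);
  }
  return 0;
}
```

The harness itself is the uninteresting part; what matters for throughput is that `__AFL_INIT()` sits after any setup that is identical for every input, and that nothing the loop body touches (globals, open files, allocator state) survives from one iteration to the next. Instrumented builds also want `-fsanitize=address` on a separate copy of the harness so that out-of-bounds reads surface as crashes rather than silent garbage.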

Who should take this course?

The training is aimed at individuals and professionals who wish to learn the fundamentals of fuzzing.

Students will be provided

  • Training Manual.
  • A dedicated server with custom OS (Windows & Linux) for one month.
  • Lab setup (OVA of Ubuntu 18.04 LTS and Windows 10) loaded with all the course exercise material including solutions to all of the exercises.
  • A private dedicated channel where trainers will be available to answer your queries after the training.

Requirements

  • Linux & Windows fundamentals
  • Understanding of C/C++ and common datatypes

What students should bring

  • Attendees are required to bring a system on which they have root/administrator privileges, with a minimum of 8 GB RAM and 100 GB of free disk space, and with VirtualBox or VMware installed.

Trainer Biography

Dhiraj Mishra is an active speaker who has discovered multiple zero-days in modern web browsers and is an open-source contributor. He has presented at conferences such as Hacktivity, PHDays, HITB, BSides and ekoparty. In his free time he blogs at www.inputzero.io and tweets as @RandomDhiraj.

Twitter: @RandomDhiraj

Blog: https://www.inputzero.io

Zubin Devnani is a red teamer by trade who has identified multiple vulnerabilities in commonly used software. He has delivered multiple workshops, including at PHDays and Hacktivity, and uses his fuzzing skills in his day-to-day work to identify new ways of breaking into enterprises! He blogs at devtty0.io and tweets as @p1ngfl0yd.

Twitter: @p1ngfl0yd

Blog: https://devtty0.io