Introducing vulnserver

We will be using vulnserver, that can be downloaded from here: http://thegreycorner.com/2010/12/introducing-vulnserver.html

This will be our target during several of the following exercises. This intentionally vulnerable application was created by Stephen Bradshaw to provide himself and the security community with an application that can be used to practice various security-related tasks.

Ideally, the program is to be run on a Windows-based machine; as we are trying to keep the book focused on open source and freely available programs, we will run the server on our Ubuntu_test1machine_1 machine. This will be sufficient to learn more about the fuzzing tools available in Kali.

Download the vulnserver application to your Ubuntu_testmachine_1 machine, unzip it, and review the license and readme files carefully. In a terminal window, enter the following:

#apt-get install wine

Start vulnserver.exe up using the following command in the Ubuntu machine:

#wine vulnserver.exe 4444
Starting vulnserver version 1.00
Called essential function dll version 1.00

This is vulnerable software!
Do not allow access from untrusted systems or networks!

Waiting for client connections...

This command will use wine to run your vulnserver.exe application on port 4444. To test that the server is working properly, open up a terminal session and connect it to the server using netcat, as follows:

# nc 127.0.0.1 4444

You will be presented with an introduction screen from vulnserver:

Welcome to Vulnerable Server! Enter HELP for help.

As mentioned by the prompt, you may enter HELP to receive information about available inputs:

HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT

We will be using different fuzzers that come preinstalled on Kali to inject malformed, random, or mutated data into these inputs. To get more familiar with the server, feel free to poke around. Here is an example of a valid input:

LTER AAAAAA
LTER COMPLETE

The application expected an input, which we provided as LTER AAAAAA. As there is no problem with this input, the application returns to the normal state.

Tip

As you may have discovered, case does matter! This is typical in Unix and Linux; the case in most of these systems does matter.

The application expected an input, which we provided as LTER AAAAAA. As there is no problem with this input, the application returns to the normal state.

Tip

For detailed information about the vulnserver application, visit Stephen Bradshaw's blog. While there, you will also find that it contains several great tutorials related to his vulnserver application and more, that are well written and easy to follow.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset