How to do it...

Python is an excellent scripting language that can be used to effectively develop custom fuzzing utilities. When assessing TCP services, the socket library can be useful in simplifying the process of performing the full three-way handshake sequence and connecting to a listening service port. The main objective of any fuzzing script is to send unexpected or oversized data to a given function as input and evaluate the result:

  1. I have developed a script that can be used to fuzz the post-authentication functions of an FTP service:

    #!/usr/bin/python

    import socket
    import sys

    # Print the expected usage and exit if the argument count is wrong
    if len(sys.argv) != 6:
        print "Usage - ./ftp_fuzz.py [Target-IP] [Port Number] [Payload] [Interval] [Maximum]"
        print "Example - ./ftp_fuzz.py 10.0.0.5 21 A 100 1000"
        print "Example will fuzz the defined FTP service with a series of payloads"
        print "to include 100 'A's, 200 'A's, etc... up to the maximum of 1000"
        sys.exit()

    # Values taken from the system arguments
    target = str(sys.argv[1])
    port = int(sys.argv[2])
    char = str(sys.argv[3])
    i = int(sys.argv[4])          # payload count for the first iteration
    interval = int(sys.argv[4])   # amount added to the count after each iteration
    maximum = int(sys.argv[5])

    # Values taken interactively from the user of the script
    user = raw_input("Enter ftp username: ")
    passwd = raw_input("Enter ftp password: ")
    command = raw_input("Enter FTP command to fuzz: ")

    # One full connection per iteration: banner, login, fuzzed command, QUIT
    while i <= maximum:
        try:
            payload = command + " " + (char * i)
            print "Sending " + str(i) + " instances of payload (" + char + ") to target"
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((target, port))
            s.recv(1024)                      # service banner
            s.send('USER ' + user + '\r\n')
            s.recv(1024)
            s.send('PASS ' + passwd + '\r\n')
            s.recv(1024)
            s.send(payload + '\r\n')          # the post-authentication command under test
            s.send('QUIT\r\n')
            s.recv(1024)
            s.close()
            i = i + interval
        except:
            # A failed connect or send is the only crash indicator this script has
            print "\nUnable to send...Server may have crashed"
            sys.exit()

    print "\nThere is no indication that the server has crashed"
     • The first part of the script defines the location of the Python interpreter and imports the required libraries.
     • The second part evaluates the number of arguments supplied to ensure that it is consistent with the appropriate usage of the script.
     • The third part of the script defines the variables that will be used throughout the script execution. Several of these variables receive their values from system arguments that are passed to the script upon execution.
     • The remaining variables are defined by accepting input from the user of the script.
  2. Finally, the remainder of the script defines the fuzzing process. We execute the ftp_fuzz.py file, as follows:
  3. If the script is executed without the appropriate number of system arguments, the script will return the expected usage. There are several values that must be included as system arguments:
     • The first argument to be passed to the script is the Target IP address. This IP address is the one associated with the system that is running the FTP service that you wish to fuzz.
     • The next argument is the Port Number on which the FTP service is running. In most cases, FTP will run on TCP port 21.
     • The Payload argument defines the character or sequence of characters to be passed in bulk to the service.
     • The Interval argument defines the number of instances of the defined payload that will be passed to the FTP service on the first iteration. The argument is also the number by which the number of payload instances is incremented on each successive iteration, up to the Maximum value. This Maximum value is defined by the last argument.
  4. After the script is executed with these system arguments, it will request authentication credentials for the FTP service and will ask which post-authentication function should be fuzzed.
  5. In the example provided, the fuzzing was performed against the FTP service that runs on TCP port 21 of the Windows XP host at the IP address 172.16.69.129. Anonymous login credentials were passed to the FTP service with an arbitrary e-mail address. Also, a series of A characters was passed to the MKD post-authentication function, starting with 100 instances and incrementing by 100 until the maximum of 1000 instances was reached.
  6. The same script could also be used to pass a series of characters in the payload:
     • In the example provided, the payload was defined as ABCD, and instances of this payload were defined as multiples of 100 up to the value of 500.
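The traffic the script above generates has a recognisable shape on the server side: one client, one command, and an argument that grows by a fixed step on every connection. The following is an added example, not code from the cookbook, showing the defensive counterpart of steps 3 to 6: a parser for a constructed FTP command log, a detector for oversized arguments and for the incremental length ramp, and the pre-dispatch length check a server should apply before any command handler such as MKD sees the input. The log format, the client addresses and the limits MAX_LINE_BYTES and MAX_ARG_LEN are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed limits, not from the page: a conservative maximum for one FTP
# command line and for a path-style argument such as the one MKD takes.
MAX_LINE_BYTES = 512
MAX_ARG_LEN = 255

# Constructed log format: "<client-ip> <CMD> <argument>", one command per line.
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")


def make_sample_log():
    """Constructed sample: one benign client plus one client that replays the
    fuzzer's pattern, an MKD argument growing by 100 on each connection."""
    lines = [
        "10.0.0.7 USER alice",
        "10.0.0.7 CWD /pub",
        "10.0.0.7 MKD reports-2024",
    ]
    for n in range(100, 1100, 100):
        lines.append("172.16.69.1 USER anonymous")
        lines.append("172.16.69.1 MKD " + "A" * n)
    return lines


def parse_log_line(line):
    """Return (client_ip, command, argument), or None for an unparseable line."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("ip"), m.group("cmd").upper(), m.group("arg") or ""


def oversized_commands(lines, limit=MAX_ARG_LEN):
    """Every logged command whose argument exceeds the limit: (ip, cmd, length)."""
    hits = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed and len(parsed[2]) > limit:
            hits.append((parsed[0], parsed[1], len(parsed[2])))
    return hits


def detect_length_ramp(lines, min_steps=3):
    """Flag (ip, cmd) pairs whose argument length grows strictly over at least
    min_steps consecutive commands: the signature of an incremental fuzzer
    rather than of an occasional long path name."""
    history = defaultdict(list)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed:
            history[(parsed[0], parsed[1])].append(len(parsed[2]))
    flagged = {}
    for key, lengths in history.items():
        run = 1
        for prev, cur in zip(lengths, lengths[1:]):
            run = run + 1 if cur > prev else 1
            if run >= min_steps:
                flagged[key] = lengths
                break
    return flagged


def check_command_line(raw, max_line=MAX_LINE_BYTES, max_arg=MAX_ARG_LEN):
    """Server-side guard run before any command handler: answer an oversized
    line with an FTP-style error reply instead of passing it on."""
    if len(raw) > max_line:
        return "500 Command line too long"
    parts = raw.rstrip("\r\n").split(" ", 1)
    arg = parts[1] if len(parts) == 2 else ""
    if len(arg) > max_arg:
        return "501 Argument too long"
    return "200 Command okay"


if __name__ == "__main__":
    log = make_sample_log()
    for ip, cmd, length in oversized_commands(log):
        print("oversized argument: %s %s (%d chars)" % (ip, cmd, length))
    for (ip, cmd), lengths in detect_length_ramp(log).items():
        print("length ramp from %s on %s: %s" % (ip, cmd, lengths))
    print(check_command_line("MKD " + "A" * 1000 + "\r\n"))
```

The ramp detector keys on the client and command together, so a single user creating one long directory name is not flagged; only a run of strictly growing lengths from the same source is. The guard in check_command_line is where the mitigation belongs: once the length is bounded before dispatch, the size of the MKD argument can no longer reach the handler the script is probing.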