Fuzzowski – the Network Protocol Fuzzer that we will want to use
The idea behind Fuzzowski, was to create the Network Protocol Fuzzer that we will want to use.
The aim of this tool is to assist during the whole process of fuzzing a network protocol, allowing to define the communications, helping to identify the “suspects” of crashing a service, and much more.
Last Changes
[16/12/2019]
- Data Generation modules fully recoded (Primitives, Blocks, Requests)
- Improved Strings fuzzing libraries, allowing also for custom lists, files and callback commands
- Variable data type, which takes a variable set by the session, the user or a Response
- Session fully recoded. Now it is based on TestCases, which contains all the information needed to perform the request, check the response, store data such as errors received, etc.
- Responses added. Now you can define responses with s_response(), This allows to check the response from the server, set variables and even perform additional tests on the response to check if something is wrong
- Monitors now automatically mark TestCases as suspect if they fail
- Added the IPP (Internet Printing Protocol) Fuzzer that we used to find several vulnerabilities in different printer brands during our printers research project (https://www.youtube.com/watch?v=3X-ZnlyGuWc&t=7s)
Features
- Based on Sulley Fuzzer for data generation [https://github.com/OpenRCE/sulley]
- Actually, forked BooFuzz (which is a fork of Sulley) [https://github.com/jtpereyda/boofuzz ]
- Python3
- Not random (finite number of possibilities)
- Requires to “create the packets” with types (spike fuzzer style)
- Also allows to create “”Raw”” packets from parameters, with injection points (quite useful for fuzzing simple protocols)
- Has a nice console to pause, review and retest any suspect (prompt_toolkit ftw)
- Allows to skip parameters that cause errors, automatically or with the console
- Nice print formats for suspect packets (to know exactly what was fuzzed)
- It saves PoCs as python scripts for you when you mark a test case as a crash
- Monitor modules to gather information of the target, detecting odd behaviours and marking suspects
- Restarter modules that will restart the target if the connection is lost (e.g. powering off and on an smart plug)
Protocols implemented
- LPD (Line Printing Daemon): Fully implemented
- IPP (Internet Printing Protocol): Partially implemented
- BACnet (Building Automation and Control networks Protocol): Partially implemented
- Modbus (ICS communication protocol): Partially implemented
Installation
virtualenv venv -p python3
source venv/bin/activate
pip install -r requirements.txt
Help
usage: python -m fuzzowski [-h] [-p {tcp,udp,ssl}] [-b BIND] [-st SEND_TIMEOUT]
[-rt RECV_TIMEOUT] [--sleep-time SLEEP_TIME] [-nc] [-tn]
[-nr] [-nrf] [-cr]
[--threshold-request CRASH_THRESHOLD_REQUEST]
[--threshold-element CRASH_THRESHOLD_ELEMENT]
[--ignore-aborted] [--ignore-reset] [--error-fuzz-issues]
[-c CALLBACK | --file FILENAME] -f
{cops,dhcp,ipp,lpd,netconf,telnet_cli,tftp,raw}
[-r FUZZ_REQUESTS [FUZZ_REQUESTS ...]]
[--restart module_name [args ...]]
[--restart-sleep RESTART_SLEEP_TIME]
[--monitors {IPPMon} [{IPPMon} ...]] [--path PATH]
[--document_url DOCUMENT_URL]
host port
█ █
████████
██████████
██ ████ ██
██ ████ ██
████ ████
█ ████████████ █
█ ██████████ █ Fuzzowski Network Fuzzer
█ █ █ █ ? Fuzzers, inc.
██ ██
positional arguments:
host Destination Host
port Destination Port
optional arguments:
-h, --help show this help message and exit
Connection Options:
-p {tcp,udp,ssl}, --protocol {tcp,udp,ssl}
Protocol (Default tcp)
-b BIND, --bind BIND Bind to port
-st SEND_TIMEOUT, --send_timeout SEND_TIMEOUT
Set send() timeout (Default 5s)
-rt RECV_TIMEOUT, --recv_timeout RECV_TIMEOUT
Set recv() timeout (Default 5s)
--sleep-time SLEEP_TIME
Sleep time between each test (Default 0)
-nc, --new-conns Open a new connection after each packet of the same test
-tn, --transmit-next-node
Transmit the next node in the graph of the fuzzed node
RECV() Options:
-nr, --no-recv Do not recv() in the socket after each send
-nrf, --no-recv-fuzz Do not recv() in the socket after sending a fuzzed request
-cr, --check-recv Check that data has been received in recv()
Crashes Options:
--threshold-request CRASH_THRESHOLD_REQUEST
Set the number of allowed crashes in a Request before skipping it (Default 9999)
--threshold-element CRASH_THRESHOLD_ELEMENT
Set the number of allowed crashes in a Primitive before skipping it (Default 3)
--ignore-aborted Ignore ECONNABORTED errors
--ignore-reset Ignore ECONNRESET errors
--error-fuzz-issues Log as error when there is any connection issue in the fuzzed node
Fuzz Options:
-c CALLBACK, --callback CALLBACK
Set a callback address to fuzz with callback generator instead of normal mutations
--file FILENAME Use contents of a file for fuzz mutations
Fuzzers:
-f {cops,dhcp,ipp,lpd,netconf,telnet_cli,tftp,raw}, --fuzz {cops,dhcp,ipp,lpd,netconf,telnet_cli,tftp,raw}
Available Protocols
-r FUZZ_REQUESTS [FUZZ_REQUESTS ...], --requests FUZZ_REQUESTS [FUZZ_REQUESTS ...]
Requests of the protocol to fuzz, default All
dhcp: [opt82]
ipp: [http_headers, get_printer_attribs, print_uri_message, send_uri, get_jobs, get_job_attribs]
lpd: [long_queue, short_queue, ctrl_file, data_file, remove_job]
telnet_cli: [commands]
tftp: [read]
raw: ['\x01string\n' '\x02request2\x00' ...]
Restart options:
--restart module_name [args ...]
Restarter Modules:
run: '<executable> [<argument> ...]' (Pass command and arguments within quotes, as only one argument)
smartplug: It will turn off and on the Smart Plug
teckin: <PLUG_IP>
--restart-sleep RESTART_SLEEP_TIME
Set sleep seconds after a crash before continue (Default 5)
Monitor options:
--monitors {IPPMon} [{IPPMon} ...], -m {IPPMon} [{IPPMon} ...]
Monitor Modules:
IPPMon: Sends a get-attributes IPP message to the target
Other Options:
--path PATH Set path when fuzzing HTTP based protocols (Default /)
--document_url DOCUMENT_URL
Set Document URL for print_uri
Examples
Fuzz the get_printer_attribs IPP operation with default options:
python -m fuzzowski printer1 631 -f ipp -r get_printer_attribs --restart smartplug
Demo : https://asciinema.org/a/0RMDMrJWiFo4RoRwAjx61BXDY
Use the raw feature of IPP to fuzz the finger protocol:
python -m fuzzowski printer 79 -f raw -r '{{root}}\n'
Demo : https://asciinema.org/a/Pch0JbkNK97dgrCUMK8iIfJv5
Use the raw feature of IPP to fuzz the finger protocol, but instead of using the predefined mutations, use a file:
python -m fuzzowski printer 79 -f raw -r '{{root}}\n' --file 'path/to/my/fuzzlist'
Leave a Reply