网络或传输层模糊测试
如何执行模糊测试策略来强调网络堆栈,特别是在第三层和第四层(网络和传输)?我研究过生成模糊器的框架,例如 SPIKE,但在我看来,它们主要集中在应用程序层及以上?是否有任何众所周知的技术可以模糊这些层中众所周知的协议(例如 TCP)?
谢谢。
How do I go about executing a fuzzing strategy to stress a network stack, specifically at the third and fourth layers (network and transport)? I've looked at frameworks to generate fuzzers, like SPIKE, but it seems to me that they are mostly focused on the application layer and above? Is there any well known techniques out there to fuzz well-known protocols in these layers, say, TCP?
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
看看 Scapy。它允许您在网络和传输层进行模糊测试。
fuzz函数将对您在 IP 或 TCP 层中未明确指定的任何内容进行模糊测试(您可以将其单独应用于每个层)。这为您提供了一系列能力,从随机生成 IP 地址和端口对到制作和发送无意义的数据包。您可能还想查看 Fragroute。这将扭曲 TCP/IP 使用各种规避技术,但可能会揭示网络堆栈中隐藏的错误/漏洞。
此外,如果您的组织不反对,您可以设置一个 Tor 退出节点并从中捕获流量。我发现它对于测试正确的 TCP 连接状态跟踪很有用。尽管您的连接端是众所周知且不变的,但仍然存在各种各样的服务器以及有趣的网络拥塞问题。它基本上是无尽的流量来源。请务必与您的上级核实,因为您的组织可能会反对成为恶意流量的潜在来源(尽管有不承担责任的先例)。我通过在家运行/捕获然后引入 pcap 解决了这个问题。
Look at Scapy. It allows you to fuzz at the network and transport layers. The
fuzzfunction will fuzz anything you didn't explicitly specify in the IP or TCP layers (you can apply it separately to each). This gives you a range of abilities from just randomly generating ip addresses and port pairs to making and sending nonsense packets.You may also want to look at Fragroute. This will twist TCP/IP into using all sorts of evasions techniques, but could potentially unveil otherwise hidden bugs/vulnerabilities in your network stack.
Furthermore, if your organization doesn't object, you could set up a Tor exit node and capture traffic from it. I've found it useful for testing correct TCP connection state tracking. Though your end of the connections is well-known and unchanging, there's a huge variety of servers as well as fun network congestion issues. It's basically an endless source of traffic. Be sure to check with your higher ups as your org may object to being a potential source of malicious traffic (even though there is a strong precedent of non-liability). I've gotten around that issue by running it/capturing at home, then bringing in the pcaps.
如果您想模糊 IP、UDP 或 TCP,请通过环回将数据包从高级服务路由到读取它们、模糊它们并转发它们的进程。您需要一个可以与原始套接字通信的驱动程序,并且您需要阅读/了解适用于这些协议的 RFC 的内容。
有一个简单的方法可以做到这一点。正如 Justdelegard 所建议的那样,一般来说,Scapy 可能是最好用的。
查看发布 ICMPv4/IP 模糊器原型 洛朗·加菲 (Laurent Gaffié)。他的 Python 代码(顺便说一下,他以更具可读性的方式重新发布在pastebin.com),从 scapy 导入并使用了一些他定义了一些方法来进行几种类型的模糊测试。 IP 和 ICMP 数据包在他的示例代码中进行处理。所以,这听起来与您正在寻找的完全一样。
现在,似乎有很多公司使用 Tcl/Expect对网络进行自定义自动化测试。 SIP、H.323、第 2 层和第 2 层3 协议等。
因此,如果 Scapy 不能满足您的需求,您也许可以使用 Expect 制作或找到用 Tcl 编写的东西来完成这项工作。或者,您可能希望使用 Scapy 在 Python 中执行某些操作,并使用 Expect 在 Tcl 中执行其他操作。
Tcl 长期以来一直用于网络测试和管理应用。早在 1990 年代就有一本关于如何使用 Tcl 进行基于 SNMP 的网络管理的书。
Tcl 的语法确实很奇怪,但库非常强大。它具有类似框架的功能,可以在套接字上定义自定义网络行为,类似于使用 Python 编程语言的标准库所做的事情。
与 Python 和其他脚本语言不同,Tcl 程序有一个非常强大的工具,名为 Expect(请参阅 预期手册页)。
Expect 有一个方便的功能。它可以自动生成Tcl测试脚本。生成的脚本调用 Expect 函数。在进行此录音时,它充当被动的中间人,记录对话的双方。类似于在 MS Word 或 Emacs 中进行编辑时录制宏的方式。
然后,您可以编辑自动生成的 Expect 脚本来对其进行微调,使其表现不同,或者创建它的多个变体。它对于创建回归测试非常方便。如果您需要的话,您应该能够使用它来开始编写更高层协议测试。节拍从头开始。
我认为您可以使用 Tcl/Expect 来测试使用基于字符串的命令的标准 TCP 应用程序(FTP、HTTP、SMTP 等)。它非常适合测试基于字符的应用程序,例如从 stdin 读取输入并生成输出到 stdout 的 TELNET。
If you want to fuzz the IP, UDP, or TCP route your packets from your high level services via loopback to a process that reads them, fuzzes them, and forwards them. You need a driver that lets you talk to raw sockets and you need to read/learn what the applicable RFCs say for those protocols.
There is an easy way to do this. Just as Justdelegard recommends, Scapy is probably the best thing to use, in general.
Take a look at Releasing ICMPv4/IP fuzzer prototype by Laurent Gaffié. His Python code, which incidentally he has reposted in more readable fashion at pastebin.com, imports from scapy and uses some methods he defines to do a couple of types of fuzzing. IP and ICMP packets are handled in his sample code. So, this sounds exactly like what you are seeking.
Right now, there seems to be a lot of companies using Tcl/Expect to do custom automated testing of networks. SIP, H.323, layer 2 & 3 protocols, etc.
So if Scapy does not meet your needs, you might be able to make or find something written in Tcl using Expect to do the job. Or, you may wish to do some things in Python, using Scapy - and other things in Tcl, using Expect.
Tcl has long been used for network test and management applications. There was a book on how to use Tcl to do SNMP-based network management way back in the 1990's.
Syntax of Tcl is decidedly odd but the libraries are very powerful. It comes with a framework-like ability to define behavior of custom network behavior atop sockets, similar to what you can do with the standard libraries for the Python programming language.
Unlike Python and other scripting languages, there is an extremely powerful tool for Tcl programs named Expect (see expect man page).
Expect has a handy capability. It can auto generate a Tcl test script. The generated script makes calls to Expect functions. When doing this recording, it functions as a passive man-in-the-middle, recording both sides of the conversation. Kind of the way that you record Macros while you do some editing in MS Word or in Emacs.
Then afterward, you can edit the automatically-generated Expect script to fine tune it, make it behave differently, or creation multiple variations of it. It is very handy for creating regression tests. You should be able to use this to kickstart writing higher layer protocol tests, should you need some. Beats starting from scratch.
I think you can use Tcl/Expect to test standard TCP applications (FTP, HTTP, SMTP, etc.) that use string based commands. It works well for testing character based applications like TELNET that read input from stdin and generate output to stdout too.