Boofuzz for Layer 2 3 protocol fuzzing


zero.l...@gmail.com

Sep 20, 2016, 11:00:48 AM
to boofuzz
Hello,

My goal is to conduct an IPv6 extension header fuzzing for Linux based systems.

I am investigating the use of Sulley/Boofuzz for L2/3 protocol fuzzing. I have already spent some days on this in order to figure out how the Boofuzz syntax works and what the constructs for creating a fuzzing test case are.
Currently, all the examples I found on Google are about fuzzing sessions where the underlying IP/transport connection has already been established.

Q: Does Boofuzz support Target SocketConnection to RAW sockets?

I know that with Python's native socket library I am able to create a raw socket with (AF_PACKET, SOCK_RAW).

Q: Maybe Boofuzz can fuzz the packet, but it is delivered over an already established raw socket? How would the fuzzer be initialized in this case without specifying a target? Or maybe Boofuzz could be integrated together with Scapy?

Any hint or guidance would be very highly appreciated!

Best,

Josh Pereyda

Sep 20, 2016, 12:53:55 PM
to zero.l...@gmail.com, boofuzz
> Q: Does Boofuzz support Target SocketConnection to RAW sockets?
Yes, but right now it works only on Linux, since Windows doesn't support the same raw sockets functionality. If anybody wants to port SocketConnection to work on Windows as well, that'd be great! (and probably painful)

See the documentation for the SocketConnection (boofuzz/socket_connection.py) constructor 'proto' parameter. "raw-l2" fuzzes Ethernet, and "raw-l3" fuzzes IP.


> Q: Maybe the Boofuzz can fuzz the packet, but is delivered over already established Raw socket?
Check out SocketConnection.open for full details on the behavior of open() for different socket types. For raw-l2, it's:
    self._sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
for raw-l3:
    self._sock = socket.socket(socket.AF_PACKET, socket.SOCK_DGRAM)

> How in this case fuzzer would be initialized without specifying a target?
Your "Target" would be a SocketConnection in this case. It is up to you to specify the L2 or L3 packet well enough for it to reach its destination.


> Or maybe Boofuzz could be integrated together with Scapy?
I've thought about this before; scapy has some very cool tools with a little intersection with boofuzz. I gave up because of the lack of usable docs at the time. :) If you manage to get it working, please let us know!


> My goal is to conduct an IPv6 extension header fuzzing for Linux based systems.
I've only used the current code with IPv4. For IPv6, you'll either need to make your own implementation of boofuzz.ITargetConnection, or extend socket_connection.py with a new "protocol". Making your own implementation is probably easier.

If you get it working, please share your code via a Github PR! :)


Happy fuzzing,
Joshua


Zero Lockout

Sep 21, 2016, 4:48:13 AM
to boofuzz
Joshua,

Thanks for your reply! Things are now looking a bit brighter :)
And just to note: my host and target systems are Linux based, in which case there are some advantages (e.g. socket bindings) and disadvantages (e.g. some target host monitoring features are not available).

I will further explore the possibilities of Boofuzz for IPv6 fuzzing test case development.
Just a wild guess: if I were using raw-l2, then I could actually craft my own L2 frame with the type set to IPv6 (0x86dd), and then describe the remaining IPv6 header and extension headers. In that case I might not even need to create a new IPv6 connection implementation.
Will let you know once I have made some progress in that direction.

Best,
B
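The raw-l2 idea from the last message, as an added example that is not from this thread or from boofuzz itself: it builds the Ethernet/IPv6/extension-header bytes that a raw-l2 test case would have to describe, walks the next-header chain back the way a receiving stack does (rejecting a header length that runs past the frame), and sends on the same AF_PACKET/SOCK_RAW socket type the reply says raw-l2 opens. The MAC addresses, IPv6 addresses, option bytes and the bind-to-interface step are constructed assumptions for illustration.

```python
import socket
import struct

ETHERTYPE_IPV6 = 0x86DD
NH_HOPOPT, NH_DSTOPTS, NH_NONXT = 0, 60, 59   # RFC 8200 next-header values


def ext_header(next_header, options):
    """Hop-by-Hop/Destination Options header: next_header, hdr_ext_len in
    8-octet units not counting the first 8, options padded to 8n octets."""
    body = bytes([next_header, 0]) + options
    pad = (-len(body)) % 8
    if pad == 1:
        body += b"\x00"                                     # Pad1 option
    elif pad > 1:
        body += bytes([1, pad - 2]) + b"\x00" * (pad - 2)   # PadN option
    return bytes([next_header, len(body) // 8 - 1]) + body[2:]


def build_frame(dst_mac, src_mac, src_ip, dst_ip, chain, payload):
    """chain = [(ext_header_type, options), ...] in wire order; the last
    header points at NH_NONXT so the payload stays opaque to the stack."""
    types = [t for t, _ in chain] + [NH_NONXT]
    exts = b"".join(ext_header(types[i + 1], o) for i, (_, o) in enumerate(chain))
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, len(exts) + len(payload),
                       types[0], 64, socket.inet_pton(socket.AF_INET6, src_ip),
                       socket.inet_pton(socket.AF_INET6, dst_ip))
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV6) + ipv6 + exts + payload


def walk_chain(frame):
    """Return the next-header sequence a receiver walks; raise ValueError on
    a header length that runs past the end of the frame."""
    nh, off = frame[20], 54            # 14 Ethernet + 40 fixed IPv6 header
    seen = [nh]
    while nh in (NH_HOPOPT, NH_DSTOPTS):
        nh, off = frame[off], off + (frame[off + 1] + 1) * 8
        if off > len(frame):
            raise ValueError("extension header length exceeds frame")
        seen.append(nh)
    return seen


def send_raw_l2(frame, iface):
    """Send on the socket type raw-l2 uses (Linux, root); binding to iface is an assumption."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


# Constructed sample: Hop-by-Hop, then Destination Options carrying a large PadN.
SAMPLE = build_frame("33:33:00:00:00:01", "02:00:00:00:00:01", "fe80::1", "ff02::1",
                     [(NH_HOPOPT, b"\x01\x04" + b"\x00" * 4),
                      (NH_DSTOPTS, b"\x01\x0c" + b"\x00" * 12)], b"fuzz")
```

Calling send_raw_l2(SAMPLE, "eth0") puts the frame on the wire; the chain and padding arithmetic in ext_header are the parts a fuzzer has to get right on purpose (or wrong on purpose) when it mutates the extension headers.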