boofuzz to fuzz a router/firewall?


said

Nov 7, 2018, 11:18:04 AM
to boofuzz
Hi,

I fuzzed routers/firewalls in the past and my approach was to implement everything in Python from scratch. I'd like to know if boofuzz would have been useful and if I could port what I did to boofuzz in order to have a more generic fuzzer (and maybe contribute to it!)

My original fuzzer does the following:

1) Detection if the target is still alive/crashed
- a) Using an ARP request (Scapy arping())
- b) Or instrumenting a serial line and looking for crash dump patterns

2) If the target previously crashed, detect the device has finished rebooting by sniffing for a gratuitous ARP packet (raw socket) – so we can restart the fuzzing

3) Generation: depends on the protocol
- a) Scapy for SNMP
- b) XML sample for XML-based protocol
- c) Use an external generator like AFL, domato, etc., anything that can generate packets into a file for the protocol I am targeting

4) Mutation: depends on the protocol
- a) Take n random bytes and change their values randomly (e.g. SNMP)
- b) Use radamsa (e.g. XML)
- c) No mutation if I take them from files I generated with AFL, domato, etc.

My question is: can I do all steps with boofuzz? And what needs to be added to boofuzz to make it happen?

Thanks for your pointers,

said.

joshua.t...@gmail.com

Nov 10, 2018, 4:41:36 PM
to boofuzz
For parts 1 and 2, you would use the callback method.

Generation: See https://boofuzz.readthedocs.io/en/latest/user/quickstart.html for an example. Sometimes a simpler tool is better if it's good enough.

Mutation: Boofuzz uses a generative approach instead of mutational. Integrating mutational would be a new tack, though it would be very cool if somebody made that into a feature. :)

The generative approach of something like boofuzz has different pros and cons compared to a mutational approach.
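As an added illustration of how steps 1b and 2 from the question could be wired into a boofuzz callback (example code, not from either poster or from the boofuzz project): the serial-console crash check and the gratuitous-ARP detection are plain functions, and the callback signature `(target, fuzz_data_logger, session, *args, **kwargs)` and `fuzz_data_logger.log_fail` are assumed from the boofuzz documentation. `read_serial` is a hypothetical hook returning the bytes captured since the last test case, and the crash patterns and ARP frames are constructed for offline testing.

```python
import struct

# Constructed list of markers that commonly appear in a Linux-based device's
# crash dump on the serial console; adjust for the target's OS.
CRASH_PATTERNS = (b"Kernel panic", b"Oops:", b"Call Trace:")


def serial_shows_crash(serial_output, patterns=CRASH_PATTERNS):
    """Step 1b: return the first crash-dump marker found in the serial capture, else None."""
    for pattern in patterns:
        if pattern in serial_output:
            return pattern.decode()
    return None


def is_gratuitous_arp(frame):
    """Step 2: True if an Ethernet frame carries a gratuitous ARP (sender IP == target IP)."""
    if len(frame) < 42:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0806:  # not ARP
        return False
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return False
    sender_ip, target_ip = frame[28:32], frame[38:42]
    return sender_ip == target_ip


def build_arp(oper, sender_mac, sender_ip, target_ip):
    """Build a constructed broadcast Ethernet/ARP frame for offline testing."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp


def make_post_test_case_callback(read_serial):
    """Return a callback for Session(post_test_case_callbacks=[...]) (assumed boofuzz API).

    read_serial is a hypothetical hook returning bytes captured since the last test case.
    """
    def callback(target, fuzz_data_logger, session, *args, **kwargs):
        marker = serial_shows_crash(read_serial())
        if marker is not None:
            fuzz_data_logger.log_fail("crash dump on serial console: %s" % marker)
        return marker
    return callback
```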