FFW - Fuzzing For Worms
Fuzzes network servers/services by intercepting valid network communication data, then replay it with some fuzzing.
FFW can fuzz open source applications and supports feedback driven fuzzing by instrumenting honggfuzz, for both open- and closed source apps.
In comparison with the alternatives, FFW is the most advanced, feature-complete and tested network fuzzer.
Features:
- Fuzzes all kind of network protocol (HTTP, MQTT, SMTP, you name it)
- No modification of the fuzzing target needed (at all)
- Has feedback-driven fuzzing (with compiler support, or hardware based)
- Can fuzz network clients too (wip)
- Fast fuzzing setup (no source code changes or protocol reversing needed!)
- Reasonable fuzzing performance
Presentation
Presented at security conference Area 41 2018.
- (Fuzzing For Worms Slides)[https://docs.google.com/presentation/d/1tLELphbkh2bVLyIedagNoFKBn_DEYv29RskZY4u-szA/edit?usp=sharing]
- (Youtube)[https://www.youtube.com/watch?v=akpk9hrizc4]
Docker
Easiest way to start is to use the docker image:
By doing so:
docker run -ti --privileged -lxc-conf="aa_profile=unconfined" dobin/ffw:0.1
Examples are located in /ffw-examples.
Manual Installation
Get FFW
git clone https://github.com/dobin/ffw.git
cd ffw/
Note: Manually installed dependencies are expected to live in
the ffw/ directory (e.g. honggfuzz, radamsa).
Install FFW dependencies
If its a fresh Ubuntu, install relevant packages for FFW:
apt-get install python python-pip gdb
For honggfuzz:
apt-get install clang binutils-dev libunwind8-dev
And python dependencies:
pip install -r requirements.txt
Install Radamsa fuzzer
$ git clone https://github.com/aoh/radamsa.git
$ cd radamsa
$ make
Default Radamsa directory specified in ffw is ffw/radamsa.
Setup a project
Steps involved in setting up a fuzzing project:
- Create directory structure for that fuzzing project by copying template folder
- Copy target binary to bin/
- Specify all necessary information in the config file fuzzing.py
- Start interceptor-mode to record traffic
- Start test-mode to verify recorded traffic (optional)
- Start fuzz-mode to fuzz
- Start verify-mode to verify crashed from the fuzz mode (optional)
- Start upload-mode to upload verified crashes to the web (optional)
For a step-by-step guide:
- Setup the sample project tutorial
- Setup the feedback-driven fuzzing project tutorial
- Some fuzzing help and infos
Unit Tests
Test all:
python -m unittest discover
Test a single module:
python -m unittest test.test_interceptor
Alternatives
Fuzzotron
Available via https://github.com/denandz/fuzzotron. "Fuzzotron is a simple network fuzzer supporting TCP, UDP and multithreading."
Support network fuzzing, also uses Radamsa. Can use coverage data, but it is experimental.
Con's:
- Does not restart target server
- Unreliable crash detection
- Experimental code coverage
Mutiny
Available via https://github.com/Cisco-Talos/mutiny-fuzzer. "The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer."
Con's:
- No code coverage
- Only one commit (no development?)
- Rudimentary crash detection