boofuzz: Network Protocol Fuzzing for Humans

Overview

boofuzz logo

boofuzz: Network Protocol Fuzzing for Humans

https://github.com/jtpereyda/boofuzz/workflows/Test/badge.svg?branch=master Documentation Status Join the chat at https://gitter.im/jtpereyda/boofuzz

Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework. Besides numerous bug fixes, boofuzz aims for extensibility. The goal: fuzz everything.

boofuzz screenshot

Why?

Sulley has been the preeminent open source fuzzer for some time, but has fallen out of maintenance.

Features

Like Sulley, boofuzz incorporates all the critical elements of a fuzzer:

  • Easy and quick data generation.
  • Instrumentation – AKA failure detection.
  • Target reset after failure.
  • Recording of test data.

Unlike Sulley, boofuzz also features:

  • Online documentation.
  • Support for arbitrary communications mediums.
  • Built-in support for serial fuzzing, ethernet- and IP-layer, UDP broadcast.
  • Better recording of test data -- consistent, thorough, clear.
  • Test result CSV export.
  • Extensible instrumentation/failure detection.
  • Much easier install experience!
  • Far fewer bugs.

Sulley is affectionately named after the giant teal and purple creature from Monsters Inc. due to his fuzziness. Boofuzz is likewise named after the only creature known to have scared Sulley himself: Boo!

Boo from Monsters Inc

Boo from Monsters Inc

Installation

pip install boofuzz

Boofuzz installs as a Python library used to build fuzzer scripts. See INSTALL.rst for advanced and detailed instructions.

Documentation

Documentation is available at https://boofuzz.readthedocs.io/, including nifty quickstart guides.

Contributions

Pull requests are welcome, as boofuzz is actively maintained (at the time of this writing ;)). See CONTRIBUTING.rst.

Community

For questions that take the form of “How do I… with boofuzz?” or “I got this error with boofuzz, why?”, consider posting your question on Stack Overflow. Make sure to use the fuzzing tag.

If you’ve found a bug, or have an idea/suggestion/request, file an issue here on GitHub.

For other questions, check out boofuzz on gitter or Google Groups.

For updates, follow @b00fuzz on Twitter.

Issues
  • Improved & Reworked Monitor infrastructure

    Improved & Reworked Monitor infrastructure

    So, this is going to be a big one, and while unfinished, I'd like to invite everyone to read my changes.

    Breaking changes in this PR:

    • target.netmon_options and target.procmon_options are gone. Instead, you can supply callbacks that get called when a monitor gets alive; set your options there. However, I am currently debating whether I should move the callback logic into the monitors themselves, the logic for that shouldn't be in target at all.
    • data dump format: procmon_results is now monitor_results, netmon_results is now monitor_data. monitor_results are collected for all testcases where one monitor detected a failure where as supplement data is collected for every testcase (like netmon was).

    ToDo

    • [x] reuse_target_connection seems to be broken for any case that doesn't use a custom callback method for restarting; however I think this should be fixed in another PR. Open another Issue maybe?
    • [x] Test/Fix Webinterface (I'll do a quick job here and probably iron over it in a future PR)
    • [x] Fix/Add Tests
    • [x] Write docs
    • [x] Move boofuzz/pedrpc.py to boofuzz/monitors/pedrpc.py (?)
    • [x] Move boofuzz/instrumentation.py to boofuzz/monitors/external.py, let it implement IMonitor, rename to ExternalMonitor
    • [x] Add hook monitor
    • [x] move all the callback functions into the monitor infrastructure - I think we should keep the session arguments, but internally use the monitor infrastructure to simplify the implementation in the Session class.

    General Every breaking change throws an exception with reasoning. Every non-breaking change emits a warning (as long as I did not miss anything). We can debate whether we want to keep the NotImplementedExceptions; I would argue that we should keep them and remove them when we remove the rest of the to-be-deprecated interfaces.

    Fixes #380

    opened by mistressofjellyfish 33
  • Fix broken TLS

    Fix broken TLS

    Fuzzing a SSL/TLS enabled server did not work anymore. I got this error:

    Traceback (most recent call last):
      File "fuzz.py", line 26, in <module>
        session.fuzz()
      File "/usr/lib/python2.7/site-packages/boofuzz/sessions.py", line 598, in fuzz
        self._main_fuzz_loop(self._iterate_protocol())
      File "/usr/lib/python2.7/site-packages/boofuzz/sessions.py", line 703, in _main_fuzz_loop
        self._fuzz_current_case(*fuzz_args)
      File "/usr/lib/python2.7/site-packages/boofuzz/sessions.py", line 1419, in _fuzz_current_case
        self._open_connection_keep_trying(target)
      File "/usr/lib/python2.7/site-packages/boofuzz/sessions.py", line 1457, in _open_connection_keep_trying
        target.open()
      File "/usr/lib/python2.7/site-packages/boofuzz/sessions.py", line 87, in open
        self._target_connection.open()
      File "/usr/lib/python2.7/site-packages/boofuzz/socket_connection.py", line 171, in open
        ssl_sock = ssl.SSLContext.wrap_socket(self._sock)
    TypeError: unbound method wrap_socket() must be called with SSLContext instance as first argument (got _socketobject instance instead)
    

    The solution was simple: Use ssl.wrap_socket instead of ssl.SSLContext.wrap_socket.

    In order to reproduce, please use this script:

    #!/usr/bin/env python2
    from boofuzz import *
    
    session = Session(
        target=Target(
            connection=SocketConnection(
                host="127.0.0.1",
                port=12345,
                proto='ssl', 
                ),
        ),
    )
    s_initialize("A")
    s_byte(0x41)
    session.connect(session.root, s_get("A"))
    session.fuzz()
    

    and run it against a test server with

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
    openssl s_server -accept 12345 -key key.pem -cert cert.pem
    
    opened by keisentraut 16
  • Added python3 compatibility

    Added python3 compatibility

    This pull request is for adding compatibility for python 3 without losing compatibility with python 2. In many cases I am utilizing the "six" library.

    For future work, but as a separate issue, I think we should work on making all data stored as a "six.binary_type" to guarantee compatibility between python versions and to avoid needing to worry about the encoding of the string object.

    Some additional issue I believe we should open would be to update the contribution guide, and to add more testing to the framework

    opened by aedrax 16
  • Added curses logger class to provide a console GUI

    Added curses logger class to provide a console GUI

    First attempt to add a console GUI. Use session option console_gui to enable. If constructed with default arguments keep_web_open is redundant, so it's being disabled. There is still a bug where the screen dimensions aren't correctly read on the first startup, just resize the window to fix this. Resizing the window smaller than 130x40 (WxH) will output a black screen to avoid curses errors.

    I'd like to show the paused status too, but I couldn't find a way to pass the value to the logger class without adding another function to all logger classes as I already did with the window resize function. This is something for another time though.

    The SIGWINCH handler is necessary as the curses default handler interrupts sleeps, which might result in errors when the minimum sleep time between cases is suddenly shortened. With the custom signal handler the sleep time is restarted when a resize event is caught. That again might result in longer sleep times than expected, but in my opinion this is the evil. To prevent this we'd have to write a custom sleep function.

    I haven't tested this under Windows at all, it would be nice if someone else could. windows-curses is definitely needed.

    Suggestions, especially about the design, are welcome.

    opened by SR4ven 14
  • HTTP server with authentication

    HTTP server with authentication

    Hi,

    I'm searching to fuzz my HTTP server and its API, this server is protected by an authentication phase. Authentication process is by HTTP request containing username and password. Server response will contain an authenticated token the client will need for all subsequent requests (integrated in "Authorization" header field).

    In order to fuzz the API, Boofuzz has to authenticate itself to the server. How can I do that ?

    opened by llabadie 13
  • Split SocketConnection into subclasses

    Split SocketConnection into subclasses

    Packet sockets may be bound to an interface, restricting the recieved packets to come from a specific interface. Additionally, recieving on raw sockets can be filtered by protocol (like it's done already for raw-l3). This commit makes this functionality available to the user.

    TODO:

    • [x] Update documentation consistently
    • [x] Update changelog
    • [ ] Write unit-test for raw socket receiving (optimal but would be really nice to have)
    • [x] Update examples folder (optimal, could be done in another PR)
    opened by mistressofjellyfish 13
  • OSError: [Errno 98] Address already in use

    OSError: [Errno 98] Address already in use

    I use SocketConnection with tcp protocol.

    When I run a bunch of tests, sometimes (for me usually after between 15 000 - 30 000 test cases) I got the following error:

    Traceback (most recent call last):
      File "fuzzer/src/wfuzz.py", line 43, in <module>
        main()
      File "fuzzer/src/wfuzz.py", line 39, in main
        fuzzer.fuzz()
      File ".../fuzzer/src/fuzzer.py", line 52, in fuzz
        self._session.fuzz()
      File ".../env/lib/python3.6/site-packages/boofuzz/sessions.py", line 590, in fuzz
        self._main_fuzz_loop(self._iterate_protocol())
      File ".../env/lib/python3.6/site-packages/boofuzz/sessions.py", line 695, in _main_fuzz_loop
        self._fuzz_current_case(*fuzz_args)
      File ".../env/lib/python3.6/site-packages/boofuzz/sessions.py", line 1412, in _fuzz_current_case
        self._open_connection_keep_trying(target)
      File ".../env/lib/python3.6/site-packages/boofuzz/sessions.py", line 1450, in _open_connection_keep_trying
        target.open()
      File ".../env/lib/python3.6/site-packages/boofuzz/sessions.py", line 79, in open
        self._target_connection.open()
      File ".../env/lib/python3.6/site-packages/boofuzz/socket_connection.py", line 159, in open
        self._sock.connect((self.host, self.port))
    OSError: [Errno 98] Address already in use
    

    It happens on both Windows and WSL and different versions of Python. No other application is connecting to the target port. Any ideas?

    opened by starek4 13
  • Update block and primitive documentation

    Update block and primitive documentation

    I noticed that parts of the new protocol definition documentation is incomplete, so I completely reworked that part. The static protocol definition documentation remains mostly the same, to prevent breaking changes.

    There's one thing I'm uncertain about: Should each primitives docstring and signature contain the name and fuzzable parameter? Technically this is not needed because we pass kwargs down to Fuzzable, however I think it would make it more clear for the user which parameter a primitive/block can take.

    So on top of this change I'd suggest adding the fuzzable parameter after name, just like we have it on most static definitions.

    opened by SR4ven 12
  • Documentation Template

    Documentation Template

    Hey,

    so I know this was discussed recently in #347, but I have a few more comments on the situation. In particular, I have one major issue with the current theme - the menu sidebar is completely gone if my browser only occupates 1/2 of my 1920x1080 screen.

    Unbenannt

    To access the menu, I have to scroll all the way down. In my opinon, this sucks from an UX perspective. How easy is it for us to modify the theme? If we could reasonably easy modify the template, I'd propose an off-canvas approach. If not, I would advocate for discussing another theme again.

    opened by mistressofjellyfish 12
  • add primitive s_bytes: fuzz arbitrary binary data

    add primitive s_bytes: fuzz arbitrary binary data

    This was requested in issue #144.

    The code is kind of cumbersome because of the cumbersome API of BasePrimitive. However, I've tested it on Python 2 and Python 3 and it seems to work.

    The fuzzing strategy for an arbitrary length, binary string is:

    • replace binary value with list of static binary strings
    • replace each 1 byte block in original value with list of static 1byte strings
    • replace each 2 byte block in original value with list of static 2byte strings
    • replace each 4 byte block in original value with list of static 4byte strings

    I've compiled the list of interesting strings based on the wikipedia list of magic debug values and some others based on my gut feeling. Please feel free to change them.

    Minimal sample to test it:

    #!/usr/bin/env python
    from boofuzz import *
    
    session = Session( target=Target( connection=SocketConnection( host="127.0.0.1", port=12345, proto='tcp', server=True ),),) 
    s_initialize("A")
    s_bytes(b"0000000000000000000")
    session.connect(session.root, s_get("A"))
    session.fuzz()
    

    and run while [ True ]; do nc 127.0.0.1 12345 | hexdump -C; sleep 0.1; done in another terminal.

    opened by keisentraut 12
  • Add options for callback functions to Sessions.py

    Add options for callback functions to Sessions.py

    • Added pre_send, restart_target callbacks plus exception handling
    • Modified post_send callback (backward compatible)
    • Fixed error in fuzz_logger_db when trying to force write without log lines to be written
    • Minor changes to some expressions
    • Implementation of #239
    opened by SR4ven 12
  • fix s_update primitive

    fix s_update primitive

    Upate the s_update():

    • use _default_value instead, for there is no _value field anymore
    • use qualified_name instead of name field to be consistent with blocks.CURRENT.names

    P.S. don't know why there are irrelevant commits :(

    opened by cq674350529 1
  • `Session.fuzz()` options to minimize redundant testcases

    `Session.fuzz()` options to minimize redundant testcases

    Proposal

    Continuing from #622, I believe it would be beneficial to add additional parameters to Session.fuzz() for fine-tuning the generation of testcases. The current method of recursive generation may cause BooFuzz to revisit already-sent payloads.

    Therefore I would suggest/request the following:

    1. An optional min_depth parameter that specifies the minimum combinatorial count of Fuzzable mutations to use in testcases
    2. An optional unique_only parameter that modifies the test generation logic to ignore mutation ordering when determining if a testcase has already been visited

    I have included example code in the discussion answer that demonstrates how this can behave as well as the performance speedup in doing so.

    Use-Case

    Our test targets are rate-limited and the pre-/post-testcase callbacks will likely add significant processing time for checks/verification of results. Reducing the quantity of redundant testcases will help us optimize our time and ensure that we can reasonably perform testing in our approaching window. Other users may benefit from the reduction of redundant testcases when they include a large number of primitives in a payload.

    Anything else?

    The code example provided is a demonstration of the benefit(s) from this request and by no means an expectation of how it should be implemented.

    enhancement 
    opened by kamakazikamikaze 2
  • Update sessions.py

    Update sessions.py

    • Changed plain print about completion of fuzzing session into log info message.
    • Catching EOFError exception when all test cases are executed to not throw traceback.
    opened by siw3kosky 11
  • Problem with web interface (port: 26000)

    Problem with web interface (port: 26000)

    Report

    Hi I have launched boofuzz to test my vm but when I want to connect to web interface http://127.0.0.1:26000 I got 500 Internal server error I am using boofuzz 0.41 from pip install boofuzz (python3.6)

    Can you help me to resolve the issue please ?

    Expected behavior

    No response

    Actual behavior

    No response

    Steps to reproduce the problem

    boofuzz script

    No response

    boofuzz version

    No response

    Python version

    No response

    Platform

    No response

    Anything else?

    No response

    bug 
    opened by mehdighninoudev 8
  • Logs to a txt or csv file missed some line for the last Test case

    Logs to a txt or csv file missed some line for the last Test case

    Report

    Hi Team,

    I have a boofuzz script as below, log 3 type files: txt, csv and db. def main(): fuzz_loggers = [] txt_log = open("/srv/boofuzz/http-fuzz-results.txt", "w") fuzz_loggers.append(FuzzLoggerText(file_handle=txt_log)) csv_log = open("/srv/boofuzz/http-fuzz-results.csv", "w") fuzz_loggers.append(FuzzLoggerCsv(file_handle=csv_log))

    session = Session(
        target=Target(connection=TCPSocketConnection("192.168.1.1", 80)),
        fuzz_loggers=fuzz_loggers,
        keep_web_open=False,
        restart_threshold=5,
        db_filename="/srv/boofuzz/http-fuzz-results.db"
    )
    
    define_proto_static(session=session)
    session.fuzz()
    

    After scan finished, when I check the db file by "boo open...", and open the txt or csv files, I found that there are some lines missed in txt and csv files compared with the GUI for the last case.

    Here is the result from GUI for the last case: boofuzz_gui

    Here is the txt log file for the last case: boofuzz_txt

    Expected behavior

    The "Check OK: No crash detected." and other lines are contained in txt&csv files for the last case.

    Actual behavior

    The "Check OK: No crash detected." and other lines are missed in txt&csv files for the last case.

    Steps to reproduce the problem

    1. Just run the boofuzz script as above
    2. Use "boo open..." to check the result
    3. Open the txt log file, compared with GUI result, missed some lines

    boofuzz script

    def main():
        fuzz_loggers = []
        txt_log = open("/srv/boofuzz/http-fuzz-results.txt", "w")
        fuzz_loggers.append(FuzzLoggerText(file_handle=txt_log))
        csv_log = open("/srv/boofuzz/http-fuzz-results.csv", "w")
        fuzz_loggers.append(FuzzLoggerCsv(file_handle=csv_log))
    
        session = Session(
            target=Target(connection=TCPSocketConnection("192.168.1.1", 80)),
            fuzz_loggers=fuzz_loggers,
            keep_web_open=False,
            restart_threshold=5,
            db_filename="/srv/boofuzz/http-fuzz-results.db"
        )
    
        define_proto_static(session=session)
        session.fuzz()
    
    def define_proto_static(session):
        s_initialize(name="Request")
        with s_block("Request-Line"):
            s_group("Method", ["GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE"])
            s_delim(" ", name="space-1")
            s_static("/index.html", name="Request-URI")
            s_static(" ", name="space-2")
            s_static("HTTP/1.1", name="HTTP-Version")
            s_static("\r\n", name="Request-Line-CRLF")
            s_static("Host:", name="Host-Line")
            s_static(" ", name="space-3")
            s_static("example.com", name="Host-Line-Value")
            s_static("\r\n", name="Host-Line-CRLF")
        s_static("\r\n", "Request-CRLF")
    
        session.connect(s_get("Request"))
    
    
    if __name__ == "__main__":
        main()
    

    boofuzz version

    0.4.1

    Python version

    3.9

    Platform

    Linux

    Anything else?

    No response

    bug 
    opened by vincentwh2018 1
  • Update to make boofuzz more compatible

    Update to make boofuzz more compatible

    I had these 3 issues when using boofuzz:

    • I could not change processmonitor.py listening interface
    • processmonitor.py was not compatible with Windows, multiple function used in boofuzz were not available for Windows.
    • Some processes to fuzz needs a lot of time before starting up, so the hardcoded 3 seconds delay were not sufficient. A parameter "restart_wait" in Session class has been added to solve this issue
    opened by hegusung 6
Releases(v0.4.1)
  • v0.4.1(Jan 30, 2022)

    Features

    • Added support for fuzzing NETCONF servers with the NETCONFConnection class.
    • Add support and tests for Python 3.10.
    • Added Session arg db_filename to modify the location of the log database.

    Fixes

    • Fixed check for when to enable the web app.
    • Documented the possibility to disable the web app.
    • Correctly initialize all children of a request which inherits from FuzzableBlock.
    • Added type checking for arguments of Bytes primitive to prevent incorrect use.
    • Fixed TypeError in s_binary initialization.
    • Remove redundant unicode strings.
    Source code(tar.gz)
    Source code(zip)
  • v0.4.0(Jun 30, 2021)

    Features

    • Fuzzing CLI -- Use main_helper() to use boofuzz's generic fuzzing CLI with your script.
    • Combinatorial fuzzing -- now fuzzes multiple mutations at once by default.
    • Test cases can now be specified and re-run by name.
    • Implemented visual request-graph rendering functions for Session.
    • Added to web UIL: runtime, exec speed, current test case name.
    • Added simple custom checksum and example usage.
    • Added Simple primitive that uses only the specified values for fuzzing.
    • Added Float primitive with support for IEEE 754 encoding.
    • Added an example for s_float/Float usage.

    Fixes

    • Clarified documentation of custom checksum function for Checksum primitive.
    • String and RandomData primitives now use a local and independent instance of random.
    • The minimum supported Python version is now 3.6.
    • Fixed two memory leaks in the fuzz logger.
    Source code(tar.gz)
    Source code(zip)
  • v0.3.0(Feb 28, 2021)

    This release brings some huge memory optimizations as we are now using iterators to generate the test case data. Boofuzz will no longer munch Gigabytes of RAM when fuzzing with large protocol definitions! Also check out the new object orientated method for defining protocols here.

    Features

    • Memory optimization: Efficient mutation generation and smarter string reuse -- decrease memory consumption by orders of magnitude.
    • Aligned block: Aligns content length to multiple of certain number of bytes.
    • Relative names: Name references for Checksum, Size, etc. now resolve absolute and relative names. Block and primitive names no longer need to be globally unique within a message, they only need to be locally unique within a block.
    • Passing data between messages: Callbacks now have a TestCaseContext object to which one can save data to be used later in the test case. TestCaseSessionReference can be passed as a default value in a protocol definition. The name it references must have been saved by the time that message in the protocol is reached.
    • Fuzzable rewrite: Simpler definitions for new fuzz primitives. See static.py for an example of a very simple primitive.
    • Protocol definition: Protocols can now be defined with an object oriented rather than static approach.
    • Independent mutation and encoding steps: Will enable multiple mutations and code coverage feedback.
    • Procmon: Additional debug steps. Partial backwards compatibility for old interface.
    • ProcessMonitorLocal allows running procmon as part of fuzzer process.
    • Network monitor: improved network interface discovery (Linux support).
    • Added support for fuzzing Unix sockets with the UnixSocketConnection class.
    • Added metadata to ProtocolSession to support callbacks -- current_message, previous_message.
    • All primitive arguments are now optional keyword arguments.

    Fixes

    • Various web interface fixes.
    • Various refactors and simplifications.
    • Fewer duplicates from Group primitives.
    • Network monitor: fixed data_bytes calculation and PcapThread synchronization.
    • Fixed a crash when using the network monitor.
    • Session can now be "quiet" by passing an empty list of loggers.
    • Process Monitor: fixed Thread.isAlive for Python 3.9 compatibility.
    • Correctly truncate values of the string primitive when max_len or size is set.
    • The string primitive will no longer generate duplicates when max_len or size is set.
    • Greatly improved string to bytes conversion speed.
    Source code(tar.gz)
    Source code(zip)
  • v0.2.1(Oct 19, 2020)

    Features

    • Added simple TFTP fuzzer example.

    Fixes

    • Fixed UDPSocketConnection data truncation when sending more data than the socket supports.
    • Fixed execution of procmon stop_commands.
    • Fixed TCP and SSL server connections.
    Source code(tar.gz)
    Source code(zip)
  • v0.2.0(Jun 3, 2020)

    v0.2.0

    Features

    • Rewrote and split the SocketConnection class into individual classes per socket type.
    • SocketConnection is now deprecated. Use the classes derived from BaseSocketConnection instead.
    • Added support for receiving on raw Layer 2 and Layer 3 connections.
    • Layer 2 and Layer 3 connections may now use arbitrary payload / MTU sizes.
    • Moved connection related modules into new connections submodule.
    • Added the ability to repeat sending of packages within a given time or count.
    • Added optional timeout and threshold to quit infinite connection retries.
    • Reworked Monitors, consolidated interface. Breaking change: session no longer has netmon_options and procmon_options.
    • SessionInfo has had attributes renamed; procmon_results and netmon_results are deprecated and now aliases for monitor_results and monitor_data respectively.
    • New BoofuzzFailure exception type allows callback methods to signal a failure that should halt the current test case.
    • Added capture_output option to process monitor to capture target process stderr/stdout .
    • Added post-start-target callbacks (called every time a target is started or restarted).
    • Added method to gracefully stop PED-RPC Server.
    • Added new boofuzz logo and favicon to docs and webinterface.
    • Added FileConnection to dump messages to files.
    • Removed deprecated session arguments fuzz_data_logger, log_level, logfile, logfile_level and log().
    • Removed deprecated logger FuzzLoggerFile.
    • crc32c is no longer a required package. Install manually if needed.

    Fixes

    • Fixed size of s_size block when output is ascii.
    • Fixed issue with tornado on Python 3.8 and Windows.
    • Fixed various potential type errors.
    • Renamed requests folder to request_definitions because it shadowed the name of the requests python module.
    • Examples are up to date with current Boofuzz version.
    • Modified timings on serial_connection unit tests to improve test reliability.
    • Refactored old unit-tests.
    • Fixed network monitor compatibility with Python 3.
    • Minor console GUI optimizations.
    • Fixed crash_threshold_element handling if blocks are used.
    • Fixed many bugs in which a failure would not stop the test case evaluation.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.6(Dec 9, 2019)

    v0.1.6

    Features

    • New primitive s_bytes which fuzzes an arbitrary length binary value (similiar to s_string).
    • We are now using Black for code style standardization.
    • Compatibility for Python 3.8
    • Added crc32c as checksum algorithm (Castagnoli).
    • Added favicon for web interface.
    • Pushed Tornado to 5.x and unpinned Flask.

    Fixes

    • Test cases were not being properly closed when using the check_message() functionality.
    • Some code style changes to meet PEP8.
    • s_group primitive was not accepting empty default value.
    • Timeout during opening TCP connection now raises BoofuzzTargetConnectionFailedError exception.
    • SSL/TLS works again. See examples/fuzz-ssl-server.py and examples/fuzz-ssl-client.py.
    • Dropped six.binary_type in favor of b"" format.
    • Fixed process monitor handling of backslashes in Windows start commands.
    • Fixed and documented boo open.
    • Fixed receive function in fuzz_logger_curses.
    • Installing boofuzz with sudo is no longer recommended, use the --user option of pip instead.
    • Fixed setting socket timeout options on Windows.
    • If all sockets are exhausted, repeatedly try fuzzing for 4 minutes before failing.
    • Fixed CSV logger send and receive data decoding.
    • Handle SSL-related exception. Added ignore_connection_ssl_errors session attribute that can be set to True to ignore SSL-related error on a test case.
    • Fixed s_from_file decoding in Python 2 (the encoding parameter is now depreciated).
    • Updated documentation of s_checksum. It is possible to use a custom algorithm with this block.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.5(May 26, 2019)

    v0.1.5

    Features

    • New curses logger class to provide a console gui similar to the webinterface. Use the session option console_gui to enable it. This has not been tested under Windows!
    • Compatibility for Python 3
    • Large test cases are now truncated, unless a failure is detected.
    • When a target fails to respond after restart, boofuzz will now continue to restart instead of crashing.
    • New Session option keep_web_open to allow analyzing the test results after test completion.
    • Process monitor creates new crash file for each run by default.
    • Long lines now wrap in web view; longer lines no longer need to be truncated.
    • Process monitor now stores crash bins in JSON format instead of pickled format.
    • Process monitor in Windows will use taskkill -F if taskkill fails.

    Fixes

    • Web server no longer crashes when asked for a non-existing test case.
    • EINPROGRESS socket error is now handled while opening a socket (note: this sometimes-transient error motivated the move to retry upon connection failure)
    Source code(tar.gz)
    Source code(zip)
  • v0.1.4(Mar 12, 2019)

    v0.1.4

    Features

    • New Session options restart_callbacks, pre_send_callbacks, and post_test_case_callbacks to hand over custom callback functions.
    • New Session option fuzz_db_keep_only_n_pass_cases. This allowes saving only n test cases preceding a failure or error to the database.
    • Added logic to find next available port for web interface or disable the web interface.
    • Removed sleep logs when sleep time is zero.

    Fixes

    • Windows process monitor now handles combination of proc_name and/or start_commands more reasonably
    • Windows process monitor handles certain errors more gracefully
    • Fixed target close behavior so post send callbacks can use the target.
    • Fixed a dependency issue in installation.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.3(Feb 18, 2019)

    v0.1.3

    Features

    • Socket Connections now allow client fuzzing.
    • Log only the data actually sent, when sending is truncated. Helps reduce database size, especially when fuzzing layer 2 or 3.
    • Target recv function now accepts a max_recv_bytes argument.

    Fixes

    • Fixed install package -- now includes JavaScript files.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.2(Nov 17, 2018)

    v0.1.2

    Features

    • Clearer error message when procmon is unavailable at fuzz start.
    • Web UI now refreshes current case even when snap-to-current-test-case is disabled.

    Fixes

    • Web UI no longer permits negative test cases.
    • Fix Windows procmon regression.
    • Minor fixes and UI tweaks.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.1(Oct 2, 2018)

    v0.1.1

    Features

    • New boo open command can open and inspect saved database log files.
    • Unix procmon now saves coredumps by default.
    • Improved "Cannot connect to target" error message.
    • Improved API for registering callbacks.
    • Made the global REQUESTS map available in top level boofuzz package.

    Fixes

    • Handle exceptions when opening crash bin files in process monitor.
    • Fix Block.__len__ to account for custom encoder.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0(Aug 8, 2018)

    v0.1.0

    Features

    • Web UI
      • Statistics now auto-update.
      • Test case logs now stream on the main page.
      • Cool left & right arrow buttons to move through test case
    • New Session parameter receive_data_after_fuzz. Controls whether to execute a receive step after sending fuzz messages. Defaults to False. This significantly speeds up tests in which the target tends not to respond to invalid messages.
    Source code(tar.gz)
    Source code(zip)
  • v0.0.13(Jul 29, 2018)

    v0.0.13

    Features

    • Web UI
      • Test case numbers are now clickable and link to test case detail view.
      • Test case details now in color!
    • FuzzLoggerDB
      • Added FuzzLoggerDB to allow querying of test results during and after test run. Saves results in a SQLite file.
      • Added Session.open_test_run() to read test results database from previous test run.
    • New Session.feature_check() method to verify protocol functionality before fuzzing.
    • Process Monitor
      • Unify process monitor command line interface between Unix and Windows.
      • Added procmon option proc_name to support asynchronously started target processes.
      • procmon is now checked for errors before user post_send() is called, reducing redundant error messages.
      • Improved procmon logging.
      • Process monitor gives more helpful error messages when running 64-bit application (unsupported) or when a process is killed before being attached
    • Logging Improvements
      • Target open() and close() operations are now logged.
      • Added some optional debug output from boofuzz runtime.
      • Improve capability and logging of messages' callback methods.
    • New Session & Connection Options
      • Add Session receive_data_after_each_request option to enable disabling of data receipt after messages are sent.
      • Session skip argument replaced with index_start and index_end.
      • Session now has separate crash thresholds for elements/blocks and nodes/messages.
      • Give SocketConnection separate timeouts for send()/recv().
    • Ease of Use
      • Target.recv() now has a default max_bytes value.
      • Added DEFAULT_PROCMON_PORT constant.
      • Session.post_send()'s sock parameter now deprecated (use target instead).

    Fixes

    • Fixed bug in which failures were not recognized.
    • BitField blocks with ASCII format reported incorrect sizes.
    • Fixed bug in s_update.
    • Handle socket errors that were getting missed.
    • Fixed process monitor logging when providing more or less than 1 stop/start commands.
    • Show graceful error on web requests for non-existent test cases.
    • get_max_udp_size() was crashing in Windows.
    • String padding was not always being applied.
    • String was not accepting unicode strings in value parameter.
    • String was skipping valid mutations and reporting wrong num_mutations() when size parameter was used.
    • Unix and Windows process monitors now share much more code.

    Development

    • Added unit tests for BitField.
    • Cleaned up CSS on web pages.
    • Added a unit test to verify restart on failure behavior
    Source code(tar.gz)
    Source code(zip)
  • v0.0.12(Apr 16, 2018)

    0.0.12

    Features

    • Test cases now have descriptive names
    • Added Session methods to fuzz a test cae by name: fuzz_by_name and fuzz_single_node_by_path

    Fixes

    • Fixed test case numbers when using fuzz_single_case
    Source code(tar.gz)
    Source code(zip)
  • v0.0.11(Nov 23, 2017)

  • v0.0.10(Nov 5, 2017)

    0.0.10

    Features

    • Add Session ignore_connection_reset parameter to suppress ECONNRESET errors.
    • Add Session ignore_connection_aborted parameter to suppress ECONNABORTED errors.

    Fixes

    • Fix Session class docstring formats.
    Source code(tar.gz)
    Source code(zip)
  • v0.0.9(Aug 23, 2017)

    0.0.9

    Features

    • s_size is now fuzzable by default.
    • Add new s_fuzz_list primitive to read fuzz value from files.
    • Add new FuzzLoggerCsv to write log in CSV format

    Fixes

    • Fixed: Add missing dummy value for custom checksum, allowing recursive uses of length/checksum (issue #107)
    Source code(tar.gz)
    Source code(zip)
  • v0.0.8(May 7, 2017)

    0.0.8

    Features

    • Console output - now with colors!
    • process_monitor_unix.py: added option to move coredumps for later analysis.
    • The process monitor (procmon) now tracks processes by PID by default rather than searching by name. Therefore, stop_commands and proc_name are no longer required.
    • SIGINT (AKA Ctrl+C) now works to close both boofuzz and process_monitor.py (usually).
    • Made Unix procmon more compatible with Windows.
    • Improved procmon debugger error handling, e.g., when running 64-bit apps.
    • Windows procmon now runs even if pydbg fails.
    • Added --help parameter to process monitor.
    • Target class now takes procmon and procmon_options in constructor.
    • Added example fuzz scripts.

    Fixes

    • SIGINT (AKA Ctrl+C) now works to close both boofuzz and process_monitor.py (usually).
    • Fixed: The pedrpc module was not being properly included in imports.
    • Made process_monitor.py --crash_bin optional (as documented).
    • Improved procmon behavior when certain parameters aren't given.
    • Improved procmon error handling.
    • Fixed a bug in which the procmon would not properly restart a target that had failed without crashing.
    Source code(tar.gz)
    Source code(zip)
  • v0.0.7(Feb 17, 2017)

    0.0.7

    Features

    • Added several command injection strings from fuzzdb.
    • Blocks can now be created and nested using with s_block("my-block"):

    Fixes

    • Fixed pydot import error message
    Source code(tar.gz)
    Source code(zip)
  • v0.0.6(Nov 7, 2016)

    0.0.6

    Features

    • Added Request.original_value() function to render the request as if it were not fuzzed. This will help enable reuse of a fuzz definition to generate valid requests.
    • SocketConnection can now send and receive UDP broadcast packets using the udp_broadcast constructor parameter.
    • Target.recv() now logs an entry before receiving data, in order to help debug receiving issues.

    Fixes

    • Maximum UDP payload value was incorrect, causing crashes for tests running over UDP. It now works on some systems, but the maximum value may be too high for systems that set it lower than the maximum possible value, 65507.
    • SocketConnection class now handles more send and receive errors: ECONNABORTED, ECONNRESET, ENETRESET, and ETIMEDOUT.
    • Fixed setup.py to not include superfluous packages.

    Development

    • Added two exceptions: BoofuzzTargetConnectionReset and BoofuzzTargetConnectionAborted.
    • These two exceptions are handled in sessions.py and may be thrown by any ITargetConnection implementation.
    Source code(tar.gz)
    Source code(zip)
  • v0.0.5(Sep 5, 2016)

    0.0.5

    Fixes

    • Boofuzz now properly reports crashes detected by the process monitor. It was calling log_info instead of log_fail.
    • Boofuzz will no longer crash, but will rather give a helpful error message, if the target refuses socket connections.
    • Add utils/crash_binning.py to boofuzz/utils, avoiding import errors.
    • Fix procmon argument processing bug.
    • Fix typos in INSTALL.rst.
    Source code(tar.gz)
    Source code(zip)
  • v0.0.4(Jul 27, 2016)

  • v0.0.4.dev1(Jul 27, 2016)

  • v0.0.3(Jul 21, 2016)

    0.0.3

    • Fixed deployment from 0.0.2.
    • Simplify CONTRIBUTING.rst for automated deployment.
    • tox no longer runs entirely as sudo. The sudo has been moved into tox.ini and is more fine-grained.
    • Reduced default Session.__init__ restart_sleep_time from 5 minutes to 5 seconds.
    Source code(tar.gz)
    Source code(zip)
  • v0.0.3.dev15(Apr 14, 2016)

  • v0.0.3.dev14(Apr 14, 2016)

  • v0.0.3.dev13(Apr 13, 2016)

  • v0.0.3.dev12(Apr 13, 2016)

  • v0.0.3.dev11(Apr 13, 2016)

  • v0.0.3.dev10(Apr 13, 2016)

Owner
Joshua Pereyda
Joshua Pereyda
A benchmark for stateful fuzzing of network protocols

A benchmark for stateful fuzzing of network protocols

null 3 Apr 25, 2022
Free,Cross-platform,Single-file mass network protocol server simulator

FaPro Free,Cross-platform,Single-file mass network protocol server simulator 中文Readme Description FaPro is a Fake Protocol Server tool, Can easily sta

FOFA Pro 1.2k May 31, 2022
msgspec is a fast and friendly implementation of the MessagePack protocol for Python 3.8+

msgspec msgspec is a fast and friendly implementation of the MessagePack protocol for Python 3.8+. In addition to serialization/deserializat

Jim Crist-Harif 186 Jun 9, 2022
🐛 Self spreading Botnet based on Mirai C&C Arch, spreading through SSH and Telnet protocol.

HBot Self spreading Botnet based on Mirai C&C Arch, spreading through SSH and Telnet protocol. Modern script fullly written in python3. Warning. This

Ѵιcнч 98 Jun 3, 2022
Query protocol and response

whois Query protocol and response _MᵃˢᵗᵉʳBᵘʳⁿᵗ_ _ ( ) _ ( )( ) _ | | ( ) | || |__ _ (_) ___ | | | | | || _ `\ /'_`\ | |/',__) |

MasterBurnt 4 Sep 5, 2021
Pritunl is a distributed enterprise vpn server built using the OpenVPN protocol.

Pritunl is a distributed enterprise vpn server built using the OpenVPN protocol.

Pritunl 3.6k Jun 7, 2022
libsigrok stacked Protocol Decoder for TPM 2.0 transactions from an SPI bus. BitLocker Volume Master Key (VMK) are automatically extracted.

libsigrok stacked Protocol Decoder for TPM 2.0 transactions from an SPI bus. BitLocker Volume Master Key (VMK) are automatically extracted.

Jordan Ovrè 7 May 22, 2022
A protocol or procedure that connects an ever-changing IP address to a fixed physical machine address

p0znMITM ARP Poisoning Tool What is ARP? Address Resolution Protocol (ARP) is a protocol or procedure that connects an ever-changing IP address to a f

Furkan OZKAN 5 Feb 19, 2022
A tiny end-to-end latency testing tool implemented by UDP protocol in Python 📈 .

udp-latency A tiny end-to-end latency testing tool implemented by UDP protocol in Python ?? . Features Compare with other existing latency testing too

Chuanyu Xue 3 Jun 1, 2022
Interact remotely with the computer using Python and MQTT protocol 💻

Comandos_Remotos Interagir remotamento com o computador através do Python e protocolo MQTT. ?? Status: em desenvolvimento ?? Objetivo: Interagir com o

Guilherme_Donizetti 6 May 10, 2022
This is a python based command line Network Scanner utility, which input as an argument for the exact IP address or the relative IP Address range you wish to do the Network Scan for and returns all the available IP addresses with their MAC addresses on your current Network.

This is a python based command line Network Scanner utility, which input as an argument for the exact IP address or the relative IP Address range you wish to do the Network Scan for and returns all the available IP addresses with their MAC addresses on your current Network.

Abhinandan Khurana 1 Feb 9, 2022
Nautobot is a Network Source of Truth and Network Automation Platform.

Nautobot is a Network Source of Truth and Network Automation Platform. Nautobot was initially developed as a fork of NetBox (v2.10.4). Nautobot runs as a web application atop the Django Python framework with a PostgreSQL database.

Nautobot 416 Jun 4, 2022
This Tool can help enginners and biggener in network, the tool help you to find of any ip with subnet mask that can calucate them and show you ( Availble IP's , Subnet Mask, Network-ID, Broadcast-ID )

This Tool can help enginners and biggener in network, the tool help you to find of any ip with subnet mask that can calucate them and show you ( Availble IP's , Subnet Mask, Network-ID, Broadcast-ID )

null 9 Apr 12, 2022
nettrace is a powerful tool to trace network packet and diagnose network problem inside kernel.

nettrace nettrace is is a powerful tool to trace network packet and diagnose network problem inside kernel on TencentOS. It make use of eBPF and BCC.

null 11 Jun 6, 2022
PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram

PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction

Srinivas P G 1.3k May 31, 2022
ANalyse is a vehicle network analysis and attack tool.

CANalyse is a tool built to analyze the log files to find out unique datasets automatically and able to connect to simple user interfaces suc

0xh3nry 79 Apr 10, 2022
Flashes keyboard leds on incoming/outgoing network packets

LED Net Capture Flashes keyboard leds on incoming/outgoing network packets Usage Requires root priviledges to run usage: ledcapture.py [-h] --keyboard

Dan Habot 56 Apr 17, 2022
GNS3 Graphical Network Simulator

GNS3-gui GNS3 GUI repository.

GNS3 1.6k Jun 2, 2022
Share clipboards between two devices in a network

Shared Clipboard I felt the need for sharing clipboard texts between virtual machines but I didn't find any reliable solutions for this (I use HyperV)

Teja Swaroop 8 Dec 3, 2021