Skip to content

dobin/ffw

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

FFW - Fuzzing For Worms

Fuzzes network servers/services by intercepting valid network communication data, then replay it with some fuzzing.

FFW can fuzz open source applications and supports feedback driven fuzzing by instrumenting honggfuzz, for both open- and closed source apps.

In comparison with the alternatives, FFW is the most advanced, feature-complete and tested network fuzzer.

Features:

  • Fuzzes all kind of network protocol (HTTP, MQTT, SMTP, you name it)
  • No modification of the fuzzing target needed (at all)
  • Has feedback-driven fuzzing (with compiler support, or hardware based)
  • Can fuzz network clients too (wip)
  • Fast fuzzing setup (no source code changes or protocol reversing needed!)
  • Reasonable fuzzing performance

Presentation

Presented at security conference Area 41 2018.

Docker

Easiest way to start is to use the docker image:

By doing so:

docker run -ti --privileged -lxc-conf="aa_profile=unconfined" dobin/ffw:0.1

Examples are located in /ffw-examples.

Manual Installation

Get FFW

git clone https://github.com/dobin/ffw.git
cd ffw/

Note: Manually installed dependencies are expected to live in the ffw/ directory (e.g. honggfuzz, radamsa).

Install FFW dependencies

If its a fresh Ubuntu, install relevant packages for FFW:

apt-get install python python-pip gdb

For honggfuzz:

apt-get install clang binutils-dev libunwind8-dev

And python dependencies:

pip install -r requirements.txt

Install Radamsa fuzzer

$ git clone https://github.com/aoh/radamsa.git
$ cd radamsa
$ make

Default Radamsa directory specified in ffw is ffw/radamsa.

Setup a project

Steps involved in setting up a fuzzing project:

  • Create directory structure for that fuzzing project by copying template folder
  • Copy target binary to bin/
  • Specify all necessary information in the config file fuzzing.py
  • Start interceptor-mode to record traffic
  • Start test-mode to verify recorded traffic (optional)
  • Start fuzz-mode to fuzz
  • Start verify-mode to verify crashed from the fuzz mode (optional)
  • Start upload-mode to upload verified crashes to the web (optional)

For a step-by-step guide:

Unit Tests

Test all:

python -m unittest discover

Test a single module:

python -m unittest test.test_interceptor

Alternatives

Fuzzotron

Available via https://github.com/denandz/fuzzotron. "Fuzzotron is a simple network fuzzer supporting TCP, UDP and multithreading."

Support network fuzzing, also uses Radamsa. Can use coverage data, but it is experimental.

Con's:

  • Does not restart target server
  • Unreliable crash detection
  • Experimental code coverage

Mutiny

Available via https://github.com/Cisco-Talos/mutiny-fuzzer. "The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer."

Con's:

  • No code coverage
  • Only one commit (no development?)
  • Rudimentary crash detection

About

A fuzzing framework for network servers

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages