A fuzzing framework for network servers
Latest commit 3d16a11 Aug 2, 2018

FFW - Fuzzing For Worms

Fuzzes network servers/services by intercepting valid network communication data, then replaying it with mutations applied.

FFW can fuzz open source applications and supports feedback-driven fuzzing through honggfuzz, for both open- and closed-source apps.

In comparison with the alternatives, FFW is the most advanced, feature-complete and tested network fuzzer.

Features:

  • Fuzzes all kinds of network protocols (HTTP, MQTT, SMTP, you name it)
  • No modification of the fuzzing target needed (at all)
  • Has feedback-driven fuzzing (with compiler support, or hardware-based)
  • Can fuzz network clients too (wip)
  • Fast fuzzing setup (no source code changes or protocol reversing needed!)
  • Reasonable fuzzing performance

Docker

The easiest way to start is to use the Docker image:

docker run -ti --privileged --lxc-conf="aa_profile=unconfined" dobin/ffw:0.1

Examples are located in /ffw-examples.

Manual Installation

Get FFW

git clone https://github.com/dobin/ffw.git
cd ffw/

Note: Manually installed dependencies are expected to live in the ffw/ directory (e.g. honggfuzz, radamsa).

Install FFW dependencies

On a fresh Ubuntu, install the packages FFW needs:

apt-get install python python-pip gdb

For honggfuzz:

apt-get install clang binutils-dev libunwind8-dev

And python dependencies:

pip install -r requirements.txt

Install Radamsa fuzzer

$ git clone https://github.com/aoh/radamsa.git
$ cd radamsa
$ make

Default Radamsa directory specified in ffw is ffw/radamsa.

Setup a project

Steps involved in setting up a fuzzing project:

  • Create the directory structure for the fuzzing project by copying the template folder
  • Copy the target binary to bin/
  • Specify all necessary information in the config file fuzzing.py
  • Start interceptor-mode to record traffic
  • Start test-mode to verify the recorded traffic (optional)
  • Start fuzz-mode to fuzz
  • Start verify-mode to verify the crashes found in fuzz mode (optional)
  • Start upload-mode to upload verified crashes to the web (optional)
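As an added illustration of the intercept-then-replay model behind these steps (example code, not FFW's own; the recorded session, the mutator and the stand-in server are all constructed here), a session is replayed in order with one message mutated, and a response that no longer matches the recording is the signal to inspect the target:

```python
import random

# Constructed sample session, shaped like what interceptor mode records:
# (client request, server response) pairs in wire order. Not real captured traffic.
RECORDED_SESSION = [
    (b"HELO fuzz.example\r\n", b"250 Hello\r\n"),
    (b"MAIL FROM:<a@fuzz.example>\r\n", b"250 OK\r\n"),
    (b"QUIT\r\n", b"221 Bye\r\n"),
]


def mutate(data, seed):
    """One deterministic mutation (bit flip, random insert, or truncate) that always
    changes the input; the seed makes a finding reproducible from (index, seed)."""
    rng = random.Random(seed)
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "truncate")) if buf else "insert"
    if op == "flip":
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "insert":
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    else:
        del buf[rng.randrange(len(buf)):]  # drops at least the last byte
    return bytes(buf)


def replay(session, send, fuzz_index=None, seed=0):
    """Replay the recorded requests in order, substituting a mutated message at
    fuzz_index (None = verbatim replay, as test mode does). Returns the responses."""
    responses = []
    for i, (request, _) in enumerate(session):
        payload = mutate(request, seed) if i == fuzz_index else request
        responses.append(send(payload))
    return responses


def first_divergence(session, responses):
    """Index of the first response that differs from the recording, or None.
    A divergence (or no response at all) means the target needs a closer look."""
    for i, ((_, expected), got) in enumerate(zip(session, responses)):
        if got != expected:
            return i
    return None


def fake_server(request):
    """Stand-in for the target: answers recorded requests exactly, anything else
    with a 500, and stops answering (returns None) on an oversized line."""
    if len(request) > 64:
        return None
    for recorded, response in RECORDED_SESSION:
        if request == recorded:
            return response
    return b"500 Syntax error\r\n"
```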

For a step-by-step guide:

Unit Tests

Test all:

python -m unittest discover

Test a single module:

python -m unittest test.test_interceptor

Alternatives

Fuzzotron

Available via https://github.com/denandz/fuzzotron. "Fuzzotron is a simple network fuzzer supporting TCP, UDP and multithreading."

Supports network fuzzing and also uses Radamsa. Can use coverage data, but that is experimental.

Cons:

  • Does not restart target server
  • Unreliable crash detection
  • Experimental code coverage

Mutiny

Available via https://github.com/Cisco-Talos/mutiny-fuzzer. "The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer."

Cons:

  • No code coverage
  • Only one commit (no development?)
  • Rudimentary crash detection