
Is it possible to fuzz SNMP with boofuzz? #218

Open
yasong opened this issue Nov 4, 2018 · 7 comments

Comments

@yasong

yasong commented Nov 4, 2018

I have some doubts in how to fuzz the protocol. I am trying to fuzz the SNMP protocol, but I don't know how to start to do it. Is it possible to fuzz SNMP with boofuzz?
Thank you.

@cq674350529
Contributor

Surely, boofuzz can be used to fuzz SNMP, although I haven't tried it yet. I have used it to fuzz protocols like HTTP, RTSP, FTP and so on.

Just like fuzzing any other protocol, the general steps are:

  • capture the packets with tools like Wireshark
  • define the protocol format using s_***()
  • connect the protocol message definitions into a graph using Session
  • start fuzzing

You can refer to the examples in this repository.

@jtpereyda
Owner

It is indeed possible. Fuzzing a server would be easier. See the quickstart guide for an example with FTP: https://boofuzz.readthedocs.io/en/latest/user/quickstart.html

Happy fuzzing!

@yasong
Author

yasong commented Nov 6, 2018

@cq674350529 @jtpereyda Thank you. I have tried it. Because of the MIB and OIDs in the SNMP protocol and the ASN.1 (Basic Encoding Rules) encoding, the effect of fuzzing is not good. Is it necessary to load the OID library in the program? Thank you again.

@jtpereyda
Owner

@yasong What doesn't work about ASN.1? What are you using for it?

@yasong
Author

yasong commented Nov 6, 2018

@jtpereyda Sorry for not explaining it clearly. The SNMP protocol builds the PDU with ASN.1 (Basic Encoding Rules). When I use boofuzz to fuzz SNMP, most packets are rejected. The format of SNMP is here: SNMP. The data in the PDU is nested. Thank you again.

@jtpereyda
Owner

If you are looking for input on your format, it might help to share what you have so far...

@yasong
Author

yasong commented Nov 11, 2018

@jtpereyda Thank you.
I have reversed the SNMP agent of a router and tried to fuzz it. As far as I know, because the SNMP protocol uses BER encoding, when the SNMP agent parses a packet it first checks the type and then parses it step by step (nested data). When parsing of the current element fails, the later elements are not parsed. Therefore, when the fuzzing test is performed directly, the code under test is not reached deeply enough (the code coverage is low).
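As an added example (not code from this thread or from boofuzz), a hand-rolled BER encoder for an SNMPv2c GetRequest plus a strict TLV walker that records which tags a decoder accepts before rejecting a packet, which makes the coverage problem described above visible: a mutation in an outer length field stops the decoder before any nested PDU field is examined. The `tags_reached` helper, the community string and the OID are assumptions of this example; long-form BER lengths are not handled because the message stays under 128 bytes.

```python
# Added example, not from the thread: hand-rolled BER for an SNMPv2c GetRequest and a
# strict TLV walker. Short-form lengths (< 128 bytes) are enough for this message size.
def tlv(tag, value):
    assert len(value) < 0x80, "this example only emits short-form lengths"
    return bytes([tag, len(value)]) + value

def ber_int(n):
    # INTEGER (0x02): minimal big-endian bytes, with a leading 0x00 if the top bit is set
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def ber_oid(dotted):
    # OBJECT IDENTIFIER (0x06): first two arcs packed as 40*a+b, the rest as base-128 groups
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            groups.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(groups))
    return tlv(0x06, bytes(out))

def snmp_get_request(community, oid, request_id=1):
    # Message ::= SEQUENCE { version INTEGER (1 = v2c), community OCTET STRING, data PDU }
    # GetRequest-PDU is [0] IMPLICIT (0xA0): request-id, error-status, error-index, VarBindList
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))   # VarBind { name OID, value NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

def walk(data, seen, depth=0):
    # Decode nested TLVs the way an agent does (type, length, body, recurse into constructed
    # types). A bad length raises at once, so nothing deeper than that point is ever parsed.
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] & 0x80:
            raise ValueError("bad header at depth %d offset %d" % (depth, i))
        tag, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("length %d overruns data at depth %d" % (length, depth))
        seen.append(tag)
        if tag & 0x20:                      # constructed: recurse into the children
            walk(body, seen, depth + 1)
        i += 2 + length

def tags_reached(data):
    # Tags accepted before the decoder gave up, plus the error (None if the packet is intact)
    seen = []
    try:
        walk(data, seen)
    except ValueError as e:
        return seen, str(e)
    return seen, None
```

Corrupting the outer SEQUENCE length byte yields an empty tag list, and corrupting the community-string length stops after two tags, while the intact request walks all eleven.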
