Mutiny Fuzzing Framework - Network Fuzzer That Operates Past Times Replaying Pcaps Through A Mutational Fuzzer


The Mutiny Fuzzing Framework is a network fuzzer that operates yesteryear replaying PCAPs through a mutational fuzzer. The destination is to start network fuzzing every bit apace every bit possible, at the expense of existence thorough.
The full general workflow for Mutiny is to accept a sample of legitimate traffic, such every bit a browser request, as well as feed it into a prep script to generate a .fuzzer file. Then, Mutiny tin survive run with this .fuzzer file to generate traffic against a target host, mutating whichever packets the user would like.
There are extensions that let changing how Mutiny behaves, including changing messages based on input/output, changing how Mutiny responds to network errors, as well as monitoring the target inwards a split thread.

Mutiny uses Radamsa to perform mutations.
The Decept Proxy is a multi-purpose network proxy that tin forrad traffic from a plaintext or TLS TCP/UDP/domain socket connexion to a plaintext or TLS TCP/UDP/domain socket connection, alongside other features. It makes a skillful companion for Mutiny, every bit it tin both generate .fuzzer files directly, especially helpful when fuzzing TLS connections, as well as let Mutiny to communicate with TLS hosts.
sample_apps give a basic watch of to a greater extent than or less things that tin survive done with the fuzzer, with a few dissimilar applications/clients to essay with.
Written yesteryear James Spadaro (jaspadar@cisco.com) as well as Lilith Wyatt (liwyatt@cisco.com)

Setup
Ensure python as well as scapy are installed.
Untar Radamsa as well as make (You practice non get got to brand install, unless yous desire it inwards /usr/bin - it volition occupation the local Radamsa) Update mutiny.py with path to Radamsa if yous changed it.

Basic Usage
Save pcap into a folder. Run mutiny_prep.py on <XYZ>.pcap (also optionally overstep the directory of a custom processor if any, to a greater extent than below). Answer the questions, terminate upward with a <XYZ>.fuzzer file inwards same folder every bit pcap.
Run mutiny.py <XYZ>.fuzzer <targetIP> This volition start fuzzing. Logs volition survive saved inwards same folder, nether directory <XYZ>_logs/<time_of_session>/<seed_number>

More Detailed Usage

.fuzzer Files
The .fuzzer files are human-readable as well as commented. They let changing diverse options on a per-fuzzer-file basis, including which message or message parts are fuzzed.

Message Formatting
Within a .fuzzer file is the message contents. These are only lines that start with either 'inbound' or 'outbound', signifying which administration the message goes. They are inwards Python string format, with '\xYY' existence used for non-printable characters. These are autogenerated yesteryear 'mutiny_prep.py' as well as Decept, but sometimes require to survive manually modified.

Message Formatting - Manual Editing
If a message has the 'fuzz' keyword afterwards 'outbound', this indicates it is to survive fuzzed through Radamsa. Influenza A virus subtype H5N1 given message tin get got occupation continuations, yesteryear only putting to a greater extent than message information inwards quotes on a novel line. In this case, this mo occupation volition survive merged with the first.
Alternatively, the 'sub' keyword tin survive used to dot a subcomponent. This allows specifying a split factor of the message, inwards club to fuzz only certainly parts as well as for convenience inside a Message Processor.
Here is an illustration arbitrary laid of message data:
outbound 'say'     ' hi' sub fuzz ' as well as fuzz'     ' this' sub ' but non this\xde\xad\xbe\xef' inbound 'this is the server's'     ' expected response'
This volition travail Mutiny to transmit say hey as well as fuzz this but non this(0xdeadbeef). 0xdeadbeef volition survive transmitted every bit four hex bytes. and fuzz this volition survive passed through Radamsa for fuzzing, but say hi as well as but non this(0xdeadbeef) volition survive left alone.
Mutiny volition hold off for a reply from the server afterwards transmitting the unmarried higher upward message, due to the 'inbound' line. The server's expected reply is this is the server's expected response. Mutiny won't practice a whole lot with this data, aside from seeing if what the server genuinely sent matches this string. If a crash occurs, Mutiny volition log both the expected output from the server as well as what the server genuinely replied with.

Customization
mutiny_classes/ contains base of operations classes for the Message Processor, Monitor, as well as Exception Processor. Any of these files tin survive copied into the same folder every bit the .fuzzer (by default) or into a split subfolder specified every bit the 'processor_dir' inside the .fuzzer file.
These 3 classes let for storing server responses as well as changing outgoing messages, monitoring the target on a split thread, as well as changing how Mutiny handles exceptions.

Customization - Message Processor
The Message Processor defines diverse callbacks that are called during a fuzzing run. Within these callbacks, whatever Python code tin survive run. Anecdotally, these are primarily used inwards 3 ways.
The almost mutual is when the server sends tokens that require to survive added to futurity outbound messages. For example, if Mutiny's kickoff message logs in, as well as the server responds with a session ID, the postReceiveProcess() callback tin survive used to shop that session ID. Then, inwards preSendProcess(), the outgoing information tin survive fixed upward with that session ID. An illustration of this is inwards sample_apps/session_server.
Another mutual occupation of a Message Processor is to boundary or modify a fuzzed message. For example, if the server ever drops messages greater than K bytes, it may non survive worth sending whatever large messages. preSendProcess() tin survive used to shorten messages afterwards fuzzing but earlier they are sent or to enhance an exception.
Raising an exception brings upward the in conclusion means Message Processors are usually used. Within a callback, whatever custom exceptions defined inwards mutiny_classes/mutiny_exceptions.py tin survive raised. There are several exceptions, all commented, that volition travail diverse behaviors from Mutiny. These to a greater extent than ofttimes than non involve either logging, retrying, or aborting the electrical current run.

Customization - Monitor
The Monitor has a monitorTarget() component that is run on a split thread from the principal Mutiny fuzzer. The travel is to let implementing a long-running procedure that tin monitor a host inwards to a greater extent than or less fashion. This tin survive anything that tin survive done inwards Python, such every bit communicating with a monitor daemon running on the target, reading a long file, or fifty-fifty precisely pinging the host repeatedly, depending on the requirements of the fuzzing session.
If the Monitor detects a crash, it tin telephone phone signalMain() at whatever time. This volition signal the principal Mutiny thread that a crash has occurred, as well as it volition log the crash. This component should to a greater extent than ofttimes than non operate inwards an interplanetary space loop, every bit returning volition travail the thread to terminate, as well as it volition non survive restarted.

Customization - Exception Processor
The Exception Processor determines what Mutiny should practice with a given exception during a fuzz session. In the almost full general sense, the processException() component volition interpret Python as well as OS-level exceptions into Mutiny fault treatment actions every bit best every bit it can.
For example, if Mutiny gets 'Connection Refused', the default reply is to assume that the target server has died unrecoverably, as well as then Mutiny volition log the previous run as well as halt. This is truthful inwards almost cases, but this deportment tin survive changed to that of whatever of the exceptions inwards mutiny_classes/mutiny_exceptions.py every bit needed, allowing tailoring of crash detection as well as fault correction.


Quickstart: Mutiny tutorial
Blog post here:
Links to this YouTube video demo:



Popular posts from this blog

Osweep - Don't Simply Search Osint, Sweep It

Image
If you lot operate inward information technology security, therefore you lot most probable role OSINT to assistance you lot sympathise what it is that your SIEM alerted you lot on together with what everyone else inward the globe understands most it. More than probable you lot are using to a greater extent than than 1 OSINT service because most of the fourth dimension OSINT volition entirely render you lot amongst reports based on the final analysis of the IOC. For some, that's practiced enough. They do network together with electronic mail blocks, do novel rules for their IDS/IPS, update the content inward the SIEM, do novel alerts for monitors inward Google Alerts together with DomainTools, etc etc. For others, they deploy these same countermeasures based on provided reports from their third-party tools that the fellowship is paying THOUSANDS of dollars for. The work amongst both of these is that the analyst needs to dig a footling deeper (ex. FULLY deobfuscate a PowerShel
Read more

Kerbrute - A Tool To Perform Kerberos Pre-Auth Bruteforcing

Image
Influenza A virus subtype H5N1 tool to speedily bruteforce together with enumerate valid Active Directory accounts through Kerberos Pre-Authentication Grab the latest binaries from the releases page to acquire started. Background This tool grew out of approximately bash scripts I wrote a few years agone to perform bruteforcing using the Heimdal Kerberos customer from Linux. I wanted something that didn't demand privileges to install a Kerberos client, together with when I works life the amazing pure Go implementation of Kerberos gokrb5 , I decided to lastly acquire Go together with write this. Bruteforcing Windows passwords amongst Kerberos is much faster than whatever other approach I know of, together with potentially stealthier since pre-authentication failures produce non trigger that "traditional" An job organisation human relationship failed to log on final result 4625. With Kerberos, y'all tin validate a username or exam a login past times s
Read more

Cameradar V2.1.0 - Hacks Its Mode Into Rtsp Videosurveillance Cameras

Image
   An RTSP flow access tool that comes alongside its library Cameradar allows you lot to Detect opened upward RTSP hosts on whatever accessible target host Detect which device model is streaming Launch automated dictionary attacks to larn their stream route (e.g.: /live.sdp ) Launch automated lexicon attacks to larn the username in addition to password of the cameras Retrieve a consummate in addition to user-friendly study of the results Docker Image for Cameradar Install docker on your machine, in addition to run the next command: docker run -t ullaakut/cameradar -t <target> <other command-line options> See command-line options . e.g.: docker run -t ullaakut/cameradar -t 192.168.100.0/24 -l volition scan the ports 554 in addition to 8554 of hosts on the 192.168.100.0/24 subnetwork in addition to laid on the discovered RTSP streams in addition to volition output debug logs. YOUR_TARGET tin hold out a subnet (e.g.: 172.16.100.0/24 ), an IP (
Read more