Mutiny Fuzzing Framework - Network Fuzzer That Operates Past Times Replaying Pcaps Through A Mutational Fuzzer


The Mutiny Fuzzing Framework is a network fuzzer that operates yesteryear replaying PCAPs through a mutational fuzzer. The destination is to start network fuzzing every bit apace every bit possible, at the expense of existence thorough.
The full general workflow for Mutiny is to accept a sample of legitimate traffic, such every bit a browser request, as well as feed it into a prep script to generate a .fuzzer file. Then, Mutiny tin survive run with this .fuzzer file to generate traffic against a target host, mutating whichever packets the user would like.
There are extensions that let changing how Mutiny behaves, including changing messages based on input/output, changing how Mutiny responds to network errors, as well as monitoring the target inwards a split thread.

Mutiny uses Radamsa to perform mutations.
The Decept Proxy is a multi-purpose network proxy that tin forrad traffic from a plaintext or TLS TCP/UDP/domain socket connexion to a plaintext or TLS TCP/UDP/domain socket connection, alongside other features. It makes a skillful companion for Mutiny, every bit it tin both generate .fuzzer files directly, especially helpful when fuzzing TLS connections, as well as let Mutiny to communicate with TLS hosts.
sample_apps give a basic watch of to a greater extent than or less things that tin survive done with the fuzzer, with a few dissimilar applications/clients to essay with.
Written yesteryear James Spadaro (jaspadar@cisco.com) as well as Lilith Wyatt (liwyatt@cisco.com)

Setup
Ensure python as well as scapy are installed.
Untar Radamsa as well as make (You practice non get got to brand install, unless yous desire it inwards /usr/bin - it volition occupation the local Radamsa) Update mutiny.py with path to Radamsa if yous changed it.

Basic Usage
Save pcap into a folder. Run mutiny_prep.py on <XYZ>.pcap (also optionally overstep the directory of a custom processor if any, to a greater extent than below). Answer the questions, terminate upward with a <XYZ>.fuzzer file inwards same folder every bit pcap.
Run mutiny.py <XYZ>.fuzzer <targetIP> This volition start fuzzing. Logs volition survive saved inwards same folder, nether directory <XYZ>_logs/<time_of_session>/<seed_number>

More Detailed Usage

.fuzzer Files
The .fuzzer files are human-readable as well as commented. They let changing diverse options on a per-fuzzer-file basis, including which message or message parts are fuzzed.

Message Formatting
Within a .fuzzer file is the message contents. These are only lines that start with either 'inbound' or 'outbound', signifying which administration the message goes. They are inwards Python string format, with '\xYY' existence used for non-printable characters. These are autogenerated yesteryear 'mutiny_prep.py' as well as Decept, but sometimes require to survive manually modified.

Message Formatting - Manual Editing
If a message has the 'fuzz' keyword afterwards 'outbound', this indicates it is to survive fuzzed through Radamsa. Influenza A virus subtype H5N1 given message tin get got occupation continuations, yesteryear only putting to a greater extent than message information inwards quotes on a novel line. In this case, this mo occupation volition survive merged with the first.
Alternatively, the 'sub' keyword tin survive used to dot a subcomponent. This allows specifying a split factor of the message, inwards club to fuzz only certainly parts as well as for convenience inside a Message Processor.
Here is an illustration arbitrary laid of message data:
outbound 'say'     ' hi' sub fuzz ' as well as fuzz'     ' this' sub ' but non this\xde\xad\xbe\xef' inbound 'this is the server's'     ' expected response'
This volition travail Mutiny to transmit say hey as well as fuzz this but non this(0xdeadbeef). 0xdeadbeef volition survive transmitted every bit four hex bytes. and fuzz this volition survive passed through Radamsa for fuzzing, but say hi as well as but non this(0xdeadbeef) volition survive left alone.
Mutiny volition hold off for a reply from the server afterwards transmitting the unmarried higher upward message, due to the 'inbound' line. The server's expected reply is this is the server's expected response. Mutiny won't practice a whole lot with this data, aside from seeing if what the server genuinely sent matches this string. If a crash occurs, Mutiny volition log both the expected output from the server as well as what the server genuinely replied with.

Customization
mutiny_classes/ contains base of operations classes for the Message Processor, Monitor, as well as Exception Processor. Any of these files tin survive copied into the same folder every bit the .fuzzer (by default) or into a split subfolder specified every bit the 'processor_dir' inside the .fuzzer file.
These 3 classes let for storing server responses as well as changing outgoing messages, monitoring the target on a split thread, as well as changing how Mutiny handles exceptions.

Customization - Message Processor
The Message Processor defines diverse callbacks that are called during a fuzzing run. Within these callbacks, whatever Python code tin survive run. Anecdotally, these are primarily used inwards 3 ways.
The almost mutual is when the server sends tokens that require to survive added to futurity outbound messages. For example, if Mutiny's kickoff message logs in, as well as the server responds with a session ID, the postReceiveProcess() callback tin survive used to shop that session ID. Then, inwards preSendProcess(), the outgoing information tin survive fixed upward with that session ID. An illustration of this is inwards sample_apps/session_server.
Another mutual occupation of a Message Processor is to boundary or modify a fuzzed message. For example, if the server ever drops messages greater than K bytes, it may non survive worth sending whatever large messages. preSendProcess() tin survive used to shorten messages afterwards fuzzing but earlier they are sent or to enhance an exception.
Raising an exception brings upward the in conclusion means Message Processors are usually used. Within a callback, whatever custom exceptions defined inwards mutiny_classes/mutiny_exceptions.py tin survive raised. There are several exceptions, all commented, that volition travail diverse behaviors from Mutiny. These to a greater extent than ofttimes than non involve either logging, retrying, or aborting the electrical current run.

Customization - Monitor
The Monitor has a monitorTarget() component that is run on a split thread from the principal Mutiny fuzzer. The travel is to let implementing a long-running procedure that tin monitor a host inwards to a greater extent than or less fashion. This tin survive anything that tin survive done inwards Python, such every bit communicating with a monitor daemon running on the target, reading a long file, or fifty-fifty precisely pinging the host repeatedly, depending on the requirements of the fuzzing session.
If the Monitor detects a crash, it tin telephone phone signalMain() at whatever time. This volition signal the principal Mutiny thread that a crash has occurred, as well as it volition log the crash. This component should to a greater extent than ofttimes than non operate inwards an interplanetary space loop, every bit returning volition travail the thread to terminate, as well as it volition non survive restarted.

Customization - Exception Processor
The Exception Processor determines what Mutiny should practice with a given exception during a fuzz session. In the almost full general sense, the processException() component volition interpret Python as well as OS-level exceptions into Mutiny fault treatment actions every bit best every bit it can.
For example, if Mutiny gets 'Connection Refused', the default reply is to assume that the target server has died unrecoverably, as well as then Mutiny volition log the previous run as well as halt. This is truthful inwards almost cases, but this deportment tin survive changed to that of whatever of the exceptions inwards mutiny_classes/mutiny_exceptions.py every bit needed, allowing tailoring of crash detection as well as fault correction.


Quickstart: Mutiny tutorial
Blog post here:
Links to this YouTube video demo:



Popular posts from this blog

Osweep - Don't Simply Search Osint, Sweep It

Cameradar V2.1.0 - Hacks Its Mode Into Rtsp Videosurveillance Cameras

Kerbrute - A Tool To Perform Kerberos Pre-Auth Bruteforcing