Fuzzing TKIP & CCMP

[StepanGavrilov]

How correct fuzzing TKIP & CCMP ?
I tried to look for something in the documentation, but did not find it, as I understand it, I need to change the setting
s_static() & s_byte() ?

from boofuzz import *


def main():
    interface = "eth0"

    l2destination = b'\xff\xff\xff\xff\xff\xff'

    session = Session(
        target=Target(
            connection=RawL3SocketConnection(
                interface,
                send_timeout=5.0,
                recv_timeout=5.0,
                ethernet_proto=2048,
                l2_dst=l2destination,
                packet_size=1500
            ),
        ),
    )

    s_initialize(name="Request")
    s_static("\x4e\xfe\x01\x08\x00\x00\x40\x00")  # Data
    s_byte(0x20, name='version')
    session.connect(s_get("Request"))

    session.fuzz()


if __name__ == "__main__":
    main()

[cq674350529]

Not familiar with TKIP & CCMP protocol, the general steps to fuzz a protocol are like follows:

1. define each request with boofuzz primitives such as s_static(), s_string(), s_byte();
2. connect defined requests based on the protocol state transition;
3. setup a proper connection, which is used to communcate with the target;
4. setup a proper monitor if necessary, to monitor the status of target;
5. initialize a Session and put them together.

Here is an ftp example available in the boofuzz repository:
https://github.com/jtpereyda/boofuzz/blob/master/examples/ftp_simple.py

[cq674350529]

@StepanGavrilov What do you mean "set the settings"? How to define each request as a whole? Or define them automatically?

[StepanGavrilov]

@cq674350529 for example, I want the protocol - X, how do I see what I need to set the settings for the protocol X

[cq674350529]

It depends on the specific protocol. Take ftp protocol as an example,

• it's on the layer of TCP, so use TCPSocketConnection;
• it's a plain-text protocol, so s_string() is ok to mutate the value;
• for monitors, it depends on your real environment.

As mentioned in your first post, s_static() is used for constant (non-mutated) value. s_byte() can be used to mutate a single byte value.

[StepanGavrilov]

@cq674350529 if I want define 802.11 protocol, what settings should I set, where can I read about it?

[cq674350529]

Hi @StepanGavrilov, here is a blog about fuzzing 5G protocol fron NCC Group: https://research.nccgroup.com/2021/10/11/the-challenges-of-fuzzing-5g-protocols/. Fuzzowski, which is forked from boofuzz, and maintained by them, is used for that purpose. I'm note sure if it'l help you.

There probably are no documents available to teach how to set up for each protocol. If you are familiar with the protocol and the concepts of boofuzz, then set up a simple fuzzer and refine it in practice.