boofuzz
Is it possible to fuzz SNMP with boofuzz?
I have some doubts about how to fuzz the protocol. I am trying to fuzz the SNMP protocol, but I don't know how to start. Is it possible to fuzz SNMP with boofuzz? Thank you.
Surely, boofuzz can be used to fuzz SNMP, although I haven't tried it yet. I have used it to fuzz protocols like HTTP, RTSP, FTP and so on.
Just like fuzzing any other protocol, the general steps are:
- capture the packets with tools like Wireshark
- define the protocol format using s_***()
- connect the protocol message definitions into a graph using Session
- start fuzzing
You can refer to the examples in this repository.
It is indeed possible. Fuzzing a server would be easier. See the quickstart guide for an example with FTP: https://boofuzz.readthedocs.io/en/latest/user/quickstart.html
Happy fuzzing!
@cq674350529 @jtpereyda Thank you. I have tried it. Because of the MIB and OIDs in the SNMP protocol and the ASN.1 (Basic Encoding Rules) encoding, the fuzzing results are not good. Is it necessary to load the OID library in the program? Thank you again.
@yasong What doesn't work about ASN.1? What are you using for it?
@jtpereyda Sorry for not explaining it clearly. The SNMP protocol builds the PDU with ASN.1 (Basic Encoding Rules). I use boofuzz to fuzz SNMP, and most packets are rejected. The format of SNMP is described here: SNMP. The data in the PDU is nested. Thank you again.
If you are looking for input on your format, it might help to share what you have so far...
@jtpereyda Thank you.
I have reverse-engineered the SNMP agent of a router and tried to fuzz it. As far as I know, because the SNMP protocol uses BER encoding, when the SNMP agent parses the packet it will first check the type and then parse it step by step (nested data). When the current parsing step fails, the later fields will not be parsed. Therefore, when the fuzzing test is performed directly, the code under test is not reached deeply enough (the code coverage is low).
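The following is an added illustration, not code from this thread or from the boofuzz project, of the two points raised above: the "define the format, then fuzz" steps in cq674350529's list, and the BER length problem described in the last post. It is plain Python with no boofuzz dependency so it runs offline. It builds an SNMPv1 GetRequest (community string and OID are constructed sample values), then walks the bytes the way a BER-based agent does, one TLV at a time, stopping at the first malformed field. Comparing a naive byte mutation with a structure-aware one (leaf value changed, every enclosing length recomputed) shows why the first is rejected at the second field while the second is parsed all the way to the varbinds. In a real boofuzz session the length recomputation is what the s_block()/s_size() primitives in the s_***() family are for; here it is done by hand.

```python
"""Minimal SNMPv1 GetRequest encoder and a BER walker that reports how far
an agent-style parser gets before rejecting a packet. Added example; the
community string, OID and mutation below are constructed sample values."""

# ASN.1 BER tags used by SNMPv1
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST = 0xA0  # context-specific, constructed, tag 0


def ber_length(n):
    """Short form below 128, long form (0x80 | byte count, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Tag-Length-Value: the length is always derived from the content."""
    return bytes([tag]) + ber_length(len(content)) + content


def encode_integer(v):
    """Two's-complement INTEGER in the minimal number of octets."""
    n = 1
    while not (-(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1))):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def build_get_request(community, oids, request_id=1, version=0):
    """Message ::= SEQUENCE { version, community, GetRequest-PDU }.
    Because every tlv() recomputes its length, changing a leaf (e.g. a
    300-byte community) keeps the whole nested structure well-formed."""
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = (encode_integer(request_id) + encode_integer(0) + encode_integer(0)
           + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, encode_integer(version) + tlv(OCTET_STRING, community)
               + tlv(GET_REQUEST, pdu))


def parse_tlv(data, pos=0):
    """Decode one TLV at pos; raise ValueError on anything malformed."""
    if pos + 2 > len(data):
        raise ValueError("truncated tag/length")
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(data):          # indefinite or overlong form
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("length exceeds data")
    return tag, data[pos:pos + length], pos + length


def expect(tag, wanted, field):
    if tag != wanted:
        raise ValueError(f"{field}: unexpected tag 0x{tag:02x}")


def parse_snmp(data):
    """Walk the message like a BER-based agent: outer SEQUENCE, header
    fields, PDU, varbind list. Returns (stages_reached, error); parsing
    stops at the first bad TLV, so later fields are never examined."""
    reached = []
    try:
        tag, msg, _ = parse_tlv(data)
        expect(tag, SEQUENCE, "message"); reached.append("message")
        tag, _, pos = parse_tlv(msg)
        expect(tag, INTEGER, "version"); reached.append("version")
        tag, _, pos = parse_tlv(msg, pos)
        expect(tag, OCTET_STRING, "community"); reached.append("community")
        tag, pdu, _ = parse_tlv(msg, pos)
        expect(tag, GET_REQUEST, "pdu"); reached.append("pdu")
        pos = 0
        for name in ("request-id", "error-status", "error-index"):
            tag, _, pos = parse_tlv(pdu, pos)
            expect(tag, INTEGER, name); reached.append(name)
        tag, vbl, _ = parse_tlv(pdu, pos)
        expect(tag, SEQUENCE, "varbind-list"); reached.append("varbind-list")
        pos, i = 0, 0
        while pos < len(vbl):
            tag, vb, pos = parse_tlv(vbl, pos)
            expect(tag, SEQUENCE, f"varbind[{i}]")
            tag, _, _ = parse_tlv(vb)
            expect(tag, OID, f"varbind[{i}].name"); reached.append(f"varbind[{i}]")
            i += 1
    except ValueError as e:
        return reached, str(e)
    return reached, None


def naive_mutate(data, index, value):
    """Byte-level mutation with no knowledge of the BER structure."""
    out = bytearray(data)
    out[index] = value
    return bytes(out)


if __name__ == "__main__":
    base = build_get_request(b"public", ["1.3.6.1.2.1.1.1.0"])
    print("clean     :", parse_snmp(base))
    # index 6 is the community-string length byte in this constructed packet
    print("naive     :", parse_snmp(naive_mutate(base, 6, 0xFF)))
    print("structured:", parse_snmp(build_get_request(b"A" * 300, ["1.3.6.1.2.1.1.1.0"])))
```

The structured mutation is the one that reaches the agent's deeper PDU and varbind handling, which is where the low-coverage complaint in the last post comes from; a fuzzer that only flips bytes spends most of its iterations failing the first length check.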