def __init__(self):
default_parameters = [
60.0, generic_sniffer.DEFAULT_INTERFACE,
generic_sniffer.DEFAULT_SAVE
]
inputs = [
InputFormat("Timeout", "timeout", self.timeout, float),
InputFormat("Interface",
"interface",
str(self.interface),
str,
mandatory=True),
InputFormat("Save Captured Packets", "save_output",
str(self.save_output), bool)
]
Attack.__init__(
self, "MQTT Sniff Attack", inputs, default_parameters,
" It listens to the network traffic and\n"
" captures MQTT packages.")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def __init__(self):
default_parameters = ["", 10, "any"]
inputs = [
InputFormat("Selected packet index",
"selected_index",
self.selected_index,
int,
mandatory=True),
InputFormat("Timeout", "timeout", self.timeout, float),
InputFormat("Interface",
"interface",
str(self.interface),
str,
mandatory=True)
]
Attack.__init__(
self, "CoAP Replay Attack", inputs, default_parameters,
" It listens to the network traffic and\n"
" sends captured packets without changing anything.")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def __init__(self):
default_parameters = ["", 10.0, "any"]
inputs = [
InputFormat("Selected packet index",
"selected_index",
self.selected_index,
int,
mandatory=True),
InputFormat("Timeout", "timeout", self.timeout, float),
InputFormat("Interface",
"interface",
str(self.interface),
str,
mandatory=True)
]
Attack.__init__(
self, "MQTT Replay Attack", inputs, default_parameters,
"Performs a replay attack using the inputs\n"
"which are provided by the user.")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def __init__(self):
default_parameters = ["", "", "", "", "", 2, 10, 100]
inputs = [
InputFormat("Host Name", "host", "", str, mandatory=True),
InputFormat("Port Number", "port", "", int, mandatory=True),
InputFormat("Endpoint", "path", "", str, mandatory=True),
InputFormat("Seed Payload", "payload", "", str, mandatory=True),
InputFormat("Method",
"method_string",
self.method_string,
str,
mandatory=True),
InputFormat("Fuzzing Round Count", "fuzzing_turn",
self.fuzzing_turn, int),
InputFormat("Number of fuzzer messages", "fuzzing_count",
self.fuzzing_count, int),
InputFormat("Payload length",
"max_length_of_random_payload",
self.max_length_of_random_payload,
int,
mandatory=True)
]
Attack.__init__(
self, "CoAP Random Payload Fuzzing Attack", inputs,
default_parameters, " It creates a random payload and sends \n"
" this payload to the client.")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def __init__(self):
default_parameters = ["", "", "", "", "", 10.0]
inputs = [
InputFormat("Host Name", "host", "", str, mandatory=True),
InputFormat("Port Number", "port", "", int, mandatory=True),
InputFormat("Endpoint", "path", "", str, mandatory=True),
InputFormat("Method",
"method_string",
self.method_string,
str,
mandatory=True),
InputFormat("Payload", "payload", "", str, mandatory=True),
InputFormat("Timeout", "timeout", self.timeout, float)
]
Attack.__init__(
self, "CoAP DoS Attack", inputs, default_parameters,
" We send CoAP requests to the client.\n"
" The time difference between those requests\n"
" can be specified.")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def run(self):
Attack.run(self)
self.pre_attack_init()
self.client.publish(self.client2_name + "/status",
"topic_name_fuzzing_type_1")
print "Please check if the attacked client continues working"
er = self.client.subscribe("$SYS/#", 1)
if er[0] == 0:
self.logger.info(
"Successfully subscribed to all system topics. ALERT!")
self.client.unsubscribe("$SYS/#")
else:
self.logger.info(
"Failed to subscribe to all system topics. Very good!")
# Trying to publish to a system topic, change the number of clients connected
self.logger.info(
"Please check from the broker monitor if 999 is published to $SYS/broker/clients/connected, it will be published in a seconds!"
)
time.sleep(2)
self.client.publish("$SYS/broker/clients/connected", 999)
self.logger.info(
"Please check from the broker monitor if 999 is published to $SYS/broker/clients/connected."
)
def run(self):
Attack.run(self)
self.pre_attack_init()
# Fill the size list as randomly generated
size_list = [0, self.max_payload_length]
size_list.extend([random.randint(0, self.max_payload_length) for _ in range(self.fuzzing_turn - 2)])
fuzzing = 0
self.logger.info("Size payload fuzzing is started. Please consider it may take some time.")
for payload_size in size_list:
if self.stopped_flag is True: # Attack is terminated
break
# Create payload and send it
random_strings = "".join([chr(_) for _ in range(65, 91)]) + "".join([chr(_) for _ in range(97, 123)])
random_character = random.choice(random_strings)
sized_payload = random_character * payload_size
PeniotCoAP.make_request(self.client, self.path, self.method, sized_payload)
# Informative procedures
self.logger.info("Turn {0} is completed".format(fuzzing + 1))
self.sent_message_count += 1
fuzzing += 1
time.sleep(1)
if self.stopped_flag is False:
self.logger.info("Payload size attack is finished.")
else:
self.logger.info("Payload size attack has been terminated.")
if self.client is not None:
self.client.stop()
self.client = None
def __init__(self):
default_parameters = ["/dev/ttyUSB0"]
inputs = [
InputFormat("Port", "port", self.port, str, mandatory=True),
]
Attack.__init__(self, "BLE Sniffing", inputs, default_parameters, "BLE Sniff Definition")
logging.basicConfig(level=logging.DEBUG, format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
def run(self):
Attack.run(self)
self.pre_attack_init()
payload = self.payload
if payload is None:
# Create seed with randomly
length = random.randint(1, self.max_length_of_random_payload)
payload = "".join(
[chr(random.randint(1, 127)) for _ in range(length)])
self.logger.info("Random payload fuzzing is started.")
for fuzzing in range(self.turn):
if self.stopped_flag is True:
break
while True:
try:
returned_strings = rdm.get_ascii_decodable_radamsa_malformed_input(
payload, self.count)
if type(returned_strings) == list:
fuzzer_messages = [
string.decode("utf-8")
for string in returned_strings
]
else:
fuzzer_messages = returned_strings.decode("utf-8")
break
except UnicodeDecodeError:
continue
# Check whether result is list or not
if type(fuzzer_messages) == list:
for message in fuzzer_messages:
self.channel.basic_publish(exchange=self.exchange,
routing_key=self.routing_key,
body=message)
# Increment sent message count
self.sent_message_count += 1
else:
self.channel.basic_publish(exchange=self.exchange,
routing_key=self.routing_key,
body=fuzzer_messages)
# Increment sent message count
self.sent_message_count += 1
time.sleep(1)
self.logger.info("Turn {0} is completed".format(fuzzing + 1))
if self.stopped_flag is False:
self.logger.info("Random payload fuzzing is finished.")
if self.connection is not None:
self.connection.close()
def run(self):
Attack.run(self)
self.pre_attack_init()
self.logger.info("Random payload fuzzing is started.")
if self.payload is None:
length = random.randint(1, self.max_length_of_random_payload)
self.payload = "".join(
[chr(random.randint(1, 127)) for _ in range(length)])
for fuzzing in range(self.fuzzing_turn):
if self.stopped_flag is True:
break
while self.stopped_flag is False:
try:
returned_strings = rdm.get_ascii_decodable_radamsa_malformed_input(
self.payload, self.fuzzing_count)
if type(returned_strings) == list:
fuzzer_messages = [
string.decode("utf-8")
for string in returned_strings
]
else:
fuzzer_messages = returned_strings.decode("utf-8")
break
except UnicodeDecodeError:
continue
# Check whether result is list or not
if type(fuzzer_messages) == list:
for message in fuzzer_messages:
PeniotCoAP.make_request(self.client, self.path,
self.method, message)
# Increment sent message count
self.sent_message_count += 1
else:
PeniotCoAP.make_request(self.client, self.path, self.method,
fuzzer_messages)
# Increment sent message count
self.sent_message_count += 1
time.sleep(1)
self.logger.info("Turn {0} is completed".format(fuzzing + 1))
if self.stopped_flag is False:
self.logger.info("Random payload fuzzing is finished.")
else:
self.logger.info("Random payload fuzzing has been terminated.")
if self.client is not None:
self.client.stop()
self.client = None
def run(self):
Attack.run(self)
self.pre_attack_process() # Sniff the packets so we can replay
self.pre_attack_init() # Do the necessary checks
try:
selected_packet = self.captured_packets[self.selected_index]
try:
self.client.connect(selected_packet.ip.dst_host)
except Exception as e:
self.logger.error("Failed to connect to broker")
self.logger.info(selected_packet)
self.client.publish(selected_packet.mqtt.topic,
selected_packet.mqtt.msg)
except IndexError as _:
self.logger.error("Invalid packet index. Indices start from 0...")
def __init__(self):
default_parameters = [""]
inputs = [
InputFormat("File Path",
"file_path",
"",
str,
mandatory=True,
from_captured_packets=True),
]
Attack.__init__(self, "BLE Replay Attack", inputs, default_parameters,
"BLE Replay Attack Definition")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
def __init__(self):
default_parameters = ["127.0.0.1", ""]
inputs = [
InputFormat("Broker Address", "address", "", str, mandatory=True),
InputFormat("Client Name", "client2_name", "", str, mandatory=True)
]
Attack.__init__(self, "MQTT Topic Name Fuzzing Attack", inputs,
default_parameters,
" MQTT Topic Name Fuzzing Attack description")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def __init__(self):
default_parameters = ["127.0.0.1"]
inputs = [
InputFormat("Broker Address", "address", "", str, mandatory=True)
]
Attack.__init__(
self, "MQTT Generation Based Fuzzing Attack", inputs,
default_parameters,
" Inject the packets which are created from the scratch\n"
" and changed by come of their bits to corrupt the content")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def __init__(self):
inputs = [
# You need to decide inputs to be taken from graphical user interface to conduct attack
]
# Auto generated attack name, you can change attack name to be displayed in graphical user interface
attack_name = "_ATTACK_NAME"
# Auto generated attack description, you can change or add description for the new attack,
# you can browse it from ? button nearby attacks in attack menu
description = "_ATTACK_NAME Description"
Attack.__init__(self, attack_name, inputs, description)
# Simple logger and registration
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
self.logger = logging.getLogger("_ATTACK_NAME")
def __init__(self):
default_parameters = ["", "", "", "", 10, self.max_payload_length]
inputs = [
InputFormat("Host Name", "host", "", str, mandatory=True),
InputFormat("Port Number", "port", "", int, mandatory=True),
InputFormat("Endpoint", "path", "", str, mandatory=True),
InputFormat("Method", "method_string", self.method_string, str, mandatory=True),
InputFormat("Fuzzing Round Count", "fuzzing_turn", self.fuzzing_turn, int),
InputFormat("Maximum Payload Size", "max_payload_length", self.max_payload_length, int, mandatory=True)
]
Attack.__init__(self, "CoAP Payload Size Fuzzer Attack", inputs, default_parameters,
" CoAP Payload size fuzzer attack description")
logging.basicConfig(level=logging.DEBUG, format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def __init__(self):
default_parameters = ["127.0.0.1", "#", 10, 10, ""]
inputs = [
InputFormat("Broker Address", "address", "", str, mandatory=True),
InputFormat("Topic", "topic", "", str, mandatory=True),
InputFormat("Fuzzing Turn", "turn", self.turn, int),
InputFormat("Fuzzing Message Count in each Turn", "count", self.count, int),
InputFormat("Payload", "payload", "", str, mandatory=True)
]
Attack.__init__(self, "MQTT Random Payload Fuzzing Attack", inputs, default_parameters,
" It creates a random payload and sends \n"
" this payload to the client.")
logging.basicConfig(level=logging.DEBUG, format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def __init__(self):
default_parameters = ["", "", "", "", "", "", 10.0]
inputs = [
InputFormat("Host Name", "host", "localhost", str, mandatory=True),
InputFormat("Queue Name",
"queue",
"peniot-queue",
str,
mandatory=True),
InputFormat("Exchange Name",
"exchange",
"peniot-exchange",
str,
mandatory=True),
InputFormat("Routing Key",
"routing_key",
"peniot-routing-key",
str,
mandatory=True),
InputFormat("Message Body",
"body",
"peniot-body",
str,
mandatory=True),
InputFormat("Exchange Type",
"exchange_type",
"direct",
str,
mandatory=True),
InputFormat("Timeout", "timeout", self.timeout, float)
]
Attack.__init__(
self, "AMQP DoS Attack", inputs, default_parameters,
" We send AMQP requests to the client.\n"
" The time difference between those requests\n"
" can be specified.")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def __init__(self):
default_parameters = ["127.0.0.1", "#", 10]
inputs = [
InputFormat("Broker Address", "host", "", str, mandatory=True),
InputFormat("Topic Name", "topic", self.topic, str,
mandatory=True),
InputFormat("Fuzzing Turn", "fuzzing_turn", self.fuzzing_turn, int)
]
Attack.__init__(self, "MQTT Payload Size Fuzzer Attack", inputs,
default_parameters,
" MQTT Payload size fuzzer attack description")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def run(self):
Attack.run(self)
self.pre_attack_init()
self.client.loop_start()
self.logger.info("Random payload fuzzing is started.")
if self.payload is None:
length = random.randint(1, self.max_length_of_random_payload)
self.payload = "".join([chr(random.randint(1, 127)) for _ in range(length)])
for fuzzing in range(self.turn):
if self.stopped_flag is True:
break
while True:
try:
returned_strings = rdm.get_ascii_decodable_radamsa_malformed_input(self.payload, self.count)
if type(returned_strings) == list:
fuzzer_messages = [string.decode("utf-8") for string in returned_strings]
else:
fuzzer_messages = returned_strings.decode("utf-8")
break
except UnicodeDecodeError:
self.logger.debug("Error occurred while decoding payload in random payload fuzzing.")
continue
# Check whether result is list or not
if type(fuzzer_messages) == list:
for message in fuzzer_messages:
self.client.publish(self.topic, message)
# Increment sent message count
self.sent_message_count += 1
else:
self.client.publish(self.topic, fuzzer_messages)
# Increment sent message count
self.sent_message_count += 1
time.sleep(1)
self.logger.info("Turn {0} is completed with message content = {1}".format(fuzzing + 1, fuzzer_messages))
self.client.loop_stop()
self.logger.info("Random payload fuzzing is finished.")
def __init__(self):
default_parameters = ["", "", "", "", "", "", 10, 1]
inputs = [
InputFormat("Host Name", "host", "localhost", str, mandatory=True),
InputFormat("Queue Name",
"queue",
"peniot-queue",
str,
mandatory=True),
InputFormat("Exchange Name",
"exchange",
"peniot-exchange",
str,
mandatory=True),
InputFormat("Routing Key",
"routing_key",
"peniot-routing-key",
str,
mandatory=True),
InputFormat("Payload", "payload", "", str),
InputFormat("Exchange Type",
"exchange_type",
"direct",
str,
mandatory=True),
InputFormat("Fuzzing Turn", "turn", 10, int),
InputFormat("Fuzzing Count", "count", 1, int)
]
Attack.__init__(
self, "AMQP Random Payload Fuzzing Attack", inputs,
default_parameters, " It creates a random payload and sends \n"
" this payload to the client.")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def run(self):
Attack.run(self)
self.pre_attack_init()
assert self.turn >= 2
# Fill the size list as randomly generated
size_list = [0, self.max_payload_length]
size_list.extend([
random.randint(0, self.max_payload_length)
for _ in range(self.turn - 2)
])
fuzzing = 0
self.logger.info(
"Size payload fuzzing is started. Please consider it may take some time."
)
for payload_size in size_list:
if self.stopped_flag is True:
break
# Create payload and send it
random_strings = "".join([chr(_)
for _ in range(65, 91)]) + "".join(
[chr(_) for _ in range(97, 123)])
random_character = random.choice(random_strings)
sized_payload = random_character * payload_size
self.channel.basic_publish(exchange=self.exchange,
routing_key=self.routing_key,
body=sized_payload)
# Informative procedures
self.logger.info("Turn {0} is completed".format(fuzzing + 1))
self.sent_message_count += 1
fuzzing += 1
time.sleep(1)
if self.stopped_flag is False:
self.logger.info("Payload size attack is finished.")
def __init__(self):
default_parameters = ["", "", "", "", "", "", 10]
inputs = [
InputFormat("Host Name", "host", "localhost", str, mandatory=True),
InputFormat("Queue Name",
"queue",
"peniot-queue",
str,
mandatory=True),
InputFormat("Exchange Name",
"exchange",
"peniot-exchange",
str,
mandatory=True),
InputFormat("Routing Key",
"routing_key",
"peniot-routing-key",
str,
mandatory=True),
InputFormat("Payload", "payload", "", str, mandatory=True),
InputFormat("Exchange Type",
"exchange_type",
"direct",
str,
mandatory=True),
InputFormat("Fuzzing Turn", "turn", 10, int)
]
Attack.__init__(self, "AMQP Payload Size Fuzzer Attack", inputs,
default_parameters,
" AMQP Payload size fuzzer attack description")
logging.basicConfig(
level=logging.DEBUG,
format="%(asctime)s:%(levelname)s:%(name)s:%(message)s")
# Signal handler to exit from function
signal.signal(signal.SIGINT, self.signal_handler)
def run(self):
Attack.run(self)
self.pre_attack_init()
# Fill the size list as randomly generated
size_list = [0, self.max_payload_length]
size_list.extend([
random.randint(0, self.max_payload_length)
for _ in range(self.fuzzing_turn - 2)
])
fuzzing = 0
self.logger.info(
"Size payload fuzzing is started. Please consider it may take some time."
)
for payload_size in size_list:
if self.stopped_flag is True: # An external interrupt can force us to finish the attack
break
# Create payload and send it
random_strings = "".join([chr(_)
for _ in range(65, 91)]) + "".join(
[chr(_) for _ in range(97, 123)])
random_character = random.choice(random_strings)
sized_payload = random_character * payload_size
self.client.publish(self.topic, sized_payload)
# Increment sent message count
self.logger.info(
"Turn {0} is completed and {1} bytes of message is sent.".
format(fuzzing + 1, payload_size))
self.sent_message_count += 1
fuzzing += 1
time.sleep(1)
if self.stopped_flag is False:
self.logger.info("Payload size attack is finished.")
def run(self):
Attack.run(self)
self.pre_attack_init()
subscribe = paho.SUBSCRIBE
unsubscribe = paho.UNSUBSCRIBE
# Quality of service creator
random_qosses = [0, 1, 2]
# Currently include "A...Za...z"
random_strings = "".join([chr(_) for _ in range(65, 91)]) + "".join(
[chr(_) for _ in range(97, 123)])
'''
(fuzz_client, message_type, topics, dup=False, optional_remaining_length=2,
command_dup_shift_times=3, command_base_xor_part=0x2):
'''
test_cases = [
dict(message_type=subscribe,
topics=[
self.random_topic_generator(subscribe, random_strings,
random_qosses)
],
dup=False,
optional_remaining_length=2,
command_dup_shift_times=3,
command_base_xor_part=0x2),
dict(message_type=subscribe,
topics=[
self.random_topic_generator(subscribe, random_strings,
random_qosses),
self.random_topic_generator(subscribe, random_strings,
random_qosses)
],
dup=False,
optional_remaining_length=3,
command_dup_shift_times=3,
command_base_xor_part=0x2),
dict(message_type=subscribe,
topics=[
self.random_topic_generator(subscribe, random_strings,
random_qosses)
],
dup=False,
optional_remaining_length=2,
command_dup_shift_times=5,
command_base_xor_part=0x2),
dict(message_type=subscribe,
topics=[
self.random_topic_generator(subscribe, random_strings,
random_qosses)
],
dup=False,
optional_remaining_length=2,
command_dup_shift_times=3,
command_base_xor_part=0x5),
dict(message_type=unsubscribe,
topics=[
self.random_topic_generator(unsubscribe, random_strings,
random_qosses)
],
dup=False,
optional_remaining_length=2,
command_dup_shift_times=3,
command_base_xor_part=0x2),
dict(message_type=unsubscribe,
topics=[
self.random_topic_generator(unsubscribe, random_strings,
random_qosses),
self.random_topic_generator(unsubscribe, random_strings,
random_qosses)
],
dup=False,
optional_remaining_length=3,
command_dup_shift_times=3,
command_base_xor_part=0x2),
dict(message_type=unsubscribe,
topics=[
self.random_topic_generator(unsubscribe, random_strings,
random_qosses)
],
dup=False,
optional_remaining_length=2,
command_dup_shift_times=5,
command_base_xor_part=0x2),
dict(message_type=unsubscribe,
topics=[
self.random_topic_generator(unsubscribe, random_strings,
random_qosses)
],
dup=False,
optional_remaining_length=2,
command_dup_shift_times=3,
command_base_xor_part=0x5)
]
for test_case in test_cases:
if self.stopped_flag is True:
break
self.send_subscribe_or_unsubscribe(
self.client, test_case["message_type"], test_case["topics"],
test_case["dup"], test_case["optional_remaining_length"],
test_case["command_dup_shift_times"],
test_case["command_base_xor_part"])
# Increment sent message count
self.sent_message_count += 1
self.logger.info(
"Test case {0} has been run in generation based fuzzing".
format(str(test_case)))
time.sleep(1)