{"id":13650551,"url":"https://github.com/Samsung/cotopaxi","last_synced_at":"2025-04-22T18:32:16.441Z","repository":{"id":35848147,"uuid":"168120604","full_name":"Samsung/cotopaxi","owner":"Samsung","description":"Set of tools for security testing of Internet of Things devices using specific network IoT protocols","archived":false,"fork":false,"pushed_at":"2024-04-03T19:47:04.000Z","size":15479,"stargazers_count":342,"open_issues_count":1,"forks_count":78,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-04-24T13:55:23.753Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Samsung.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-01-29T08:43:29.000Z","updated_at":"2024-08-02T02:07:23.683Z","dependencies_parsed_at":"2022-08-08T12:00:19.376Z","dependency_job_id":"d586427f-fb55-411a-8503-c25dba65fab8","html_url":"https://github.com/Samsung/cotopaxi","commit_stats":{"total_commits":81,"total_committers":10,"mean_commits":8.1,"dds":0.6790123456790124,"last_synced_commit":"d19178b1235017257fec20d0a41edc918de55574"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Samsung%2Fcotopaxi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Samsung%2Fcotopaxi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Samsung%2Fcotopaxi/releases","manifests_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/Samsung%2Fcotopaxi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Samsung","download_url":"https://codeload.github.com/Samsung/cotopaxi/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250297478,"owners_count":21407216,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T02:00:37.719Z","updated_at":"2025-04-22T18:32:13.955Z","avatar_url":"https://github.com/Samsung.png","language":"Python","readme":"```\n .d8888b.           888                                       d8b \nd88P  Y88b          888                                       Y8P \n888    888          888\n888         .d88b.  888888 .d88b.  88888b.   8888b.  888  888 888 \n888        d88\"\"88b 888   d88\"\"88b 888 \"88b     \"88b 'Y8bd8P' 888 \n888    888 888  888 888   888  888 888  888 .d888888   X88K   888 \nY88b  d88P Y88..88P Y88b. Y88..88P 888 d88P 888  888 .d8\"\"8b. 
888 \n \"Y8888P\"   \"Y88P\"   \"Y888 \"Y88P\"  88888P\"  \"Y888888 888  888 888 \n                                   888\n                                   888\n                                   888\n```\n\n[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-blue.svg?style=plastic)](LICENSE)\n![GitHub top language](https://img.shields.io/github/languages/top/Samsung/cotopaxi?style=plastic)\n![PyPI - Python Version](https://img.shields.io/pypi/pyversions/cotopaxi?style=plastic)\n![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/Samsung/cotopaxi?style=plastic)\n![Lines of code](https://img.shields.io/tokei/lines/github/samsung/cotopaxi?style=plastic)\n[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg?style=plastic)](https://github.com/psf/black)\n![GitHub search hit counter](https://img.shields.io/github/search/Samsung/cotopaxi/*?style=plastic)\n![GitHub release (latest by date)](https://img.shields.io/github/v/release/Samsung/cotopaxi?style=plastic)\n![GitHub issues](https://img.shields.io/github/issues/Samsung/cotopaxi?style=plastic)\n![PyPI - Downloads](https://img.shields.io/pypi/dm/cotopaxi?style=plastic)\n\u003c!---![GitHub all releases](https://img.shields.io/github/downloads/Samsung/cotopaxi/total)---\u003e\n\n[![Black Hat Arsenal](https://img.shields.io/badge/Black%20Hat%20Arsenal-ASIA%202019-1E90FF?style=plastic)](https://www.blackhat.com/asia-19/arsenal/schedule/#cotopaxi-iot-protocols-security-testing-toolkit-14325)\n[![Black Hat Arsenal](https://img.shields.io/badge/Black%20Hat%20Arsenal-USA%202019-1E90FF?style=plastic)](https://www.blackhat.com/us-19/arsenal/schedule/#cotopaxi-iot-protocols-security-testing-toolkit-17034)\n[![DEF CON 27](https://img.shields.io/badge/DEF%20CON%C2%AE%2027%20%E2%88%92%20Demo%20Labs-2019-ff0000?style=plastic)](https://www.defcon.org/html/defcon-27/dc-27-demolabs.html#Cotopaxi)\n[![Black Hat 
Arsenal](https://img.shields.io/badge/Black%20Hat%20Arsenal-EU%202019-1E90FF?style=plastic)](https://www.blackhat.com/eu-19/arsenal/schedule/index.html#cotopaxi-iot-protocols-security-testing-toolkit-18201)\n[![DEF CON 28](https://img.shields.io/badge/DEF%20CON%C2%AE%2028%20%E2%88%92%20Demo%20Labs-2020-ff0000?style=plastic)](https://www.defcon.org/html/defcon-safemode/dc-safemode-demolabs.html#Cotopaxi)\n[![Black Hat Arsenal](https://img.shields.io/badge/Black%20Hat%20Arsenal-USA%202020-1E90FF?style=plastic)](https://www.blackhat.com/us-20/arsenal/schedule/#cotopaxi-iot-protocols-security-testing-toolkit-21082)\n[![Black Hat Arsenal](https://img.shields.io/badge/Black%20Hat%20Arsenal-EU%202020-1E90FF?style=plastic)](https://www.blackhat.com/eu-20/arsenal/schedule/#cotopaxi-iot-protocols-security-testing-toolkit-21757)\n\nSet of tools for security testing of Internet of Things devices using protocols: AMQP, CoAP, DTLS, HTCPCP, HTTP, HTTP/2, gRPC, KNX, mDNS, MQTT, MQTT-SN, QUIC, RTSP, SSDP.\n\n## License:\n\nCotopaxi uses the GNU General Public License, version 2:\nhttps://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html\n\n## Disclaimer\n\nThe Cotopaxi toolkit is intended to be used only for authorized security testing!\n\nSome tools (especially the vulnerability tester and protocol fuzzer) can cause some devices or servers to stop acting in the intended way \n-- for example, causing tested entities to crash or hang, or flooding other entities with network traffic.\n\nMake sure you have permission from the owners of tested devices or servers before running these tools!\n\nMake sure you check your local laws before running these tools! 
\n\n## Installation\n\nTo install the minimal Cotopaxi version (without machine learning and development tools): \n\n```\npip install cotopaxi\n```\n\nAlmost complete installation (without scapy-ssl_tls required for DTLS support):\n```\npip install cotopaxi[all]\n```\n\nFor more detailed documentation about installation see: [Installation Guide](docs/installation.md)\n\n## Integration with Metasploit\n\nIf you want to use Cotopaxi tools from Metasploit see: [Metasploit integration](docs/metasploit.md)\n\n## Acknowledgments\n\nThe machine learning classifier used in the device_identification tool was trained using the corpus \"IMC 2019 payload dataset\" \nprovided by the authors of the following paper:\n\nTitle: Information Exposure for Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach\nAuthors: Jingjing Ren, Daniel J. Dubois, David Choffnes, Anna Maria Mandalari, Roman Kolcun, Hamed Haddadi\nVenue: Internet Measurement Conference (IMC) 2019 \nURL: https://moniotrlab.ccis.neu.edu/imc19dataset/\n\nWe would like to thank the above-listed authors for sharing this corpus!\n\n## Tools in this package:\n\n* service_ping\n* server_fingerprinter\n* device_identification\n* traffic_analyzer\n* resource_listing\n* protocol_fuzzer (for fuzzing servers)\n* client_proto_fuzzer (for fuzzing clients)\n* vulnerability_tester (for testing servers)\n* client_vuln_tester (for testing clients)\n* amplifier_detector\n* active_scanner\n\nProtocols supported by different tools (the left box indicates a working implementation in Python 2 and the right one in Python 3): \n\nTool                 |     AMQP     |      CoAP    |      DTLS    |    HTCPCP    |      HTTP/2  |     gRPC     |      KNX     |     mDNS     |      MQTT    |    MQTT-SN   |     QUIC     |     RTSP     |     
SSDP\n---------------------|--------------|--------------|--------------|--------------|--------------|--------------|--------------|--------------|--------------|--------------|--------------|--------------|--------------\nservice_ping         |\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;\nserver_fingerprinter |\u0026#9744;\u0026#9744;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;\ndevice_identification|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;\ntraffic_analyzer     |\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;|\u0026#9744;\u0026#9745;\nresource_listing     |\u0026#9744;\u0026#9744;|\u0026#9745;\u0026#9745;|     N/A      |\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9745;\u0026#9745;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|     N/A      |\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;\nprotocol_fuzzer      
|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;\nclient_proto_fuzzer  |\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;\nvulnerability_tester |\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;\nclient_vuln_tester   |\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;\namplifier_detector   |     N/A      |\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|     N/A      |     N/A      |     N/A      |     N/A      |\u0026#9745;\u0026#9745;|     N/A      |\u0026#9745;\u0026#9745;|\u0026#9745;\u0026#9745;|     N/A      |\u0026#9745;\u0026#9745;\nactive_scanner       
|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9745;\u0026#9745;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;|\u0026#9744;\u0026#9744;\n\nFor more detailed documentation of each tool see: [Tools](docs/tools.md)\n\n## Supported vulnerabilities\n\nVulnerabilities identified by the Cotopaxi team that can be tested using Cotopaxi:\n* [BOTAN_000](https://github.com/randombit/botan/issues/1833)\n* [COAPTHON_000 (CVE-2018-12679)](https://github.com/Tanganelli/CoAPthon/issues/135)\n* [COAPTHON3_000 (CVE-2018-12679)](https://github.com/Tanganelli/CoAPthon3/issues/16)\n* [CONTIKI_000 (CVE-2018-19417)](https://github.com/contiki-ng/contiki-ng/issues/600)\n* [FLUENTBIT_000 (CVE-2019-9749)](https://github.com/fluent/fluent-bit/issues/1135)\n* [IOTIVITY_000 (CVE-2019-9750)](https://jira.iotivity.org/browse/IOT-3267)\n* [MADMAZE-HTCPCP_000](https://github.com/madmaze/HTCPCP/issues/13)\n* [MATRIXSSL_000](https://github.com/matrixssl/matrixssl/issues/31)\n* [MATRIXSSL_001 (CVE-2019-14431)](https://github.com/matrixssl/matrixssl/issues/30)\n* [MATRIXSSL_002](https://github.com/matrixssl/matrixssl/issues/32)\n* [MATRIXSSL_003](https://github.com/matrixssl/matrixssl/issues/33)\n* [SSDP-RESPONDER_000 (CVE-2019-14323)](https://github.com/troglobit/ssdp-responder/issues/1)\n* [TINYDTLS_001](https://bugs.eclipse.org/bugs/show_bug.cgi?id=544819)\n* [TINYDTLS_002](https://bugs.eclipse.org/bugs/show_bug.cgi?id=544824)\n* [TINYDTLS_003](https://www.eclipse.org/lists/tinydtls-dev/msg00206.html)\n* [TINYSVCMDNS_002 (CVE-2019-9747)](https://bitbucket.org/geekman/tinysvcmdns/issues/11/denial-of-service-vulnerability-infinite)\n* [WAKAAMA_000 (CVE-2019-9004)](https://github.com/eclipse/wakaama/issues/425)\n* ZYXEL_000\n\nOther vulnerabilities supported by Cotopaxi:\n* 
[ER_COAP_000](https://github.com/contiki-os/contiki/issues/2240)\n* [ER_COAP_001](https://github.com/contiki-os/contiki/issues/2238)\n* [ER_COAP_002](https://github.com/contiki-os/contiki/issues/2239)\n* [TINYDTLS_000 (CVE-2017-7243)](https://www.cvedetails.com/cve/CVE-2017-7243/)\n* [TINYSVCMDNS_000 (CVE-2017-12087)](https://nvd.nist.gov/vuln/detail/CVE-2017-12087)\n* [TINYSVCMDNS_001 (CVE-2017-12130)](https://nvd.nist.gov/vuln/detail/CVE-2017-12130)\n* [TP-LINK_000 (CVE-2018-18428)](https://www.exploit-db.com/exploits/45632)\n* [TP-LINK_001](https://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php)\n* [FLIR_000](https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5492.php)\n* [FOSCAM_000 (CVE-2018-19077)](https://sintonen.fi/advisories/foscam-ip-camera-multiple-vulnerabilities.txt)\n* [FOSCAM_001 (CVE-2018-19067)](https://sintonen.fi/advisories/foscam-ip-camera-multiple-vulnerabilities.txt)\n* [HIKVISION_000 (CVE-2014-4878)](https://blog.rapid7.com/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities/)\n* [HIKVISION_001 (CVE-2014-4879)](https://blog.rapid7.com/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities/)\n* [HIKVISION_002 (CVE-2014-4880)](https://blog.rapid7.com/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities/)\n* [UBIQUITTI_000 (CVE-2019-12727)](https://github.com/X-C3LL/PoC-CVEs/blob/master/Aircam-DoS/Aircam-DoS.py)\n* [GSTREAMER_000 (CVE-2019-9928)](https://gstreamer.freedesktop.org/security/sa-2019-0001.html)\n* [NETFLIX_000 (CVE-2019-10028)](https://blog.forallsecure.com/forallsecure-uncovers-vulnerability-in-netflix-dial-software)\n* [BEWARD_000](https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5509.php)\n* [FALCON_000](https://github.com/sbaresearch/advisories/tree/public/2015/knAx_20150101)\n\nNew vulnerabilities can be easily added to the database in [vulnerabilities.yaml](./cotopaxi/vulnerabilities/vulnerabilities.yaml) \nand payloads in 
[cotopaxi/vulnerabilities/\u003cprotocol\u003e/\u003cpayload.raw\u003e](cotopaxi/vulnerabilities/).\n\n## Known issues / limitations\n\nThere are some known issues or limitations caused by using scapy as the network library:\n\n* testing services running on the same machine can result in issues caused by some packets not being delivered,\n* multiple tools running against the same target can result in interference between them \n(packets may be indicated as a response to another request).\n\nSee more at:\nhttps://scapy.readthedocs.io/en/latest/troubleshooting.html#\n\n## Development\n\nFor more detailed information about development of Cotopaxi see: [Development guide](docs/development.md)\n","funding_links":[],"categories":["Tools","💽 Autopilot Firmware","Python","Software Tools"],"sub_categories":["Firmware Extraction","Misc Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSamsung%2Fcotopaxi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSamsung%2Fcotopaxi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSamsung%2Fcotopaxi/lists"}