{"id":13515557,"url":"https://github.com/nccgroup/fuzzowski","last_synced_at":"2025-04-13T00:49:43.607Z","repository":{"id":39352063,"uuid":"198253348","full_name":"nccgroup/fuzzowski","owner":"nccgroup","description":" the Network Protocol Fuzzer that we will want to use.","archived":false,"fork":false,"pushed_at":"2024-01-29T05:48:18.000Z","size":351,"stargazers_count":751,"open_issues_count":14,"forks_count":113,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-04-13T00:49:28.479Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nccgroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-22T15:41:09.000Z","updated_at":"2025-04-12T05:42:09.000Z","dependencies_parsed_at":"2024-05-05T03:42:13.536Z","dependency_job_id":null,"html_url":"https://github.com/nccgroup/fuzzowski","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Ffuzzowski","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Ffuzzowski/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Ffuzzowski/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Ffuzzowski/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nccgroup","download_url":"https://codeload.github.com/nccgroup/fuzzowski/tar.gz/
refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248650436,"owners_count":21139672,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T05:01:12.851Z","updated_at":"2025-04-13T00:49:43.586Z","avatar_url":"https://github.com/nccgroup.png","language":"Python","readme":"#  Fuzzowski\n```\n       █      █       \n       ████████       \n      ██████████      \n     ██  ████  ██     \n     ██  ████  ██     \n    ████      ████    \n   █ ████████████ █   \n   █  ██████████  █   Fuzzowski Network Fuzzer\n   █    █     █   █           🄯  Fuzzers, inc.\n       ██     ██                by Mario Rivas\n```\n\n#\n\n[![Travis](https://travis-ci.com/nccgroup/fuzzowski.svg?branch=master)](https://travis-ci.com/nccgroup/fuzzowski)\n\nThe idea is to be the Network Protocol Fuzzer that we will __want__ to use.\n\nThe aim of this tool is to assist during the whole process of fuzzing a network protocol, \nallowing to define the communications, helping to identify the \"suspects\" of crashing a service,\nand much more\n\n#### Last Changes\n\n[16/12/2019]\n* **Data Generation modules** fully recoded (Primitives, Blocks, Requests)\n  * Improved Strings fuzzing libraries, allowing also for custom lists, files and callback commands\n  * **Variable** data type, which takes a variable set by the session, the user or a Response\n* **Session** fully recoded. 
Now it is based on **TestCase**s, which contain all the information needed to perform the request, check the response, store data such as errors received, etc.\n* **Responses** added. Now you can define responses with s_response(). This allows checking the response from the server, setting variables and even performing additional tests on the response to check if something is wrong\n* **Monitors** now automatically mark TestCases as suspect if they fail\n* Added the **IPP (Internet Printing Protocol)** Fuzzer that we used to find several vulnerabilities in different printer brands during our printer research project (https://www.youtube.com/watch?v=3X-ZnlyGuWc\u0026t=7s)\n\n#### Features\n* Based on Sulley Fuzzer for data generation [https://github.com/OpenRCE/sulley]\n* Actually, forked BooFuzz (which is a fork of Sulley) [https://github.com/jtpereyda/boofuzz]\n* Python3\n* Not random (finite number of possibilities)\n* Requires you to “create the packets” with types (spike fuzzer style)\n* Also allows creating \"Raw\" packets from parameters, with injection points (quite useful for fuzzing simple protocols)\n* Has a nice console to pause, review and retest any suspect (prompt_toolkit ftw)\n* Allows skipping parameters that cause errors, automatically or with the console\n* Nice print formats for suspect packets (to know exactly what was fuzzed)\n* It saves PoCs as Python scripts for you when you mark a test case as a crash\n* Monitor modules to gather information about the target, detecting odd behaviours and marking suspects\n* Restarter modules that will restart the target if the connection is lost (e.g. 
powering off and on an smart plug)\n\n#### Protocols implemented\n* **LPD (Line Printing Daemon)**: Fully implemented\n* **IPP (Internet Printing Protocol)**: Partially implemented\n* **BACnet (Building Automation and Control networks Protocol)**: Partially implemented\n* **Modbus (ICS communication protocol)**: Partially implemented\n\n#### Installation\n```\nvirtualenv venv -p python3\nsource venv/bin/activate\npip install -r requirements.txt\n```\n#### Help\n```\nusage: python -m fuzzowski [-h] [-p {tcp,udp,ssl}] [-b BIND] [-st SEND_TIMEOUT]\n                    [-rt RECV_TIMEOUT] [--sleep-time SLEEP_TIME] [-nc] [-tn]\n                    [-nr] [-nrf] [-cr]\n                    [--threshold-request CRASH_THRESHOLD_REQUEST]\n                    [--threshold-element CRASH_THRESHOLD_ELEMENT]\n                    [--ignore-aborted] [--ignore-reset] [--error-fuzz-issues]\n                    [-c CALLBACK | --file FILENAME] -f\n                    {cops,dhcp,ipp,lpd,netconf,telnet_cli,tftp,raw}\n                    [-r FUZZ_REQUESTS [FUZZ_REQUESTS ...]]\n                    [--restart module_name [args ...]]\n                    [--restart-sleep RESTART_SLEEP_TIME]\n                    [--monitors {IPPMon} [{IPPMon} ...]] [--path PATH]\n                    [--document_url DOCUMENT_URL]\n                    host port\n\n       █      █       \n       ████████       \n      ██████████      \n     ██  ████  ██     \n     ██  ████  ██     \n    ████      ████    \n   █ ████████████ █   \n   █  ██████████  █   Fuzzowski Network Fuzzer\n   █    █     █   █           🄯  Fuzzers, inc.\n       ██     ██       \n\npositional arguments:\n  host                  Destination Host\n  port                  Destination Port\n\noptional arguments:\n  -h, --help            show this help message and exit\n\nConnection Options:\n  -p {tcp,udp,ssl}, --protocol {tcp,udp,ssl}\n                        Protocol (Default tcp)\n  -b BIND, --bind BIND  Bind to port\n  -st SEND_TIMEOUT, 
--send_timeout SEND_TIMEOUT\n                        Set send() timeout (Default 5s)\n  -rt RECV_TIMEOUT, --recv_timeout RECV_TIMEOUT\n                        Set recv() timeout (Default 5s)\n  --sleep-time SLEEP_TIME\n                        Sleep time between each test (Default 0)\n  -nc, --new-conns      Open a new connection after each packet of the same test\n  -tn, --transmit-next-node\n                        Transmit the next node in the graph of the fuzzed node\n\nRECV() Options:\n  -nr, --no-recv        Do not recv() in the socket after each send\n  -nrf, --no-recv-fuzz  Do not recv() in the socket after sending a fuzzed request\n  -cr, --check-recv     Check that data has been received in recv()\n\nCrashes Options:\n  --threshold-request CRASH_THRESHOLD_REQUEST\n                        Set the number of allowed crashes in a Request before skipping it (Default 9999)\n  --threshold-element CRASH_THRESHOLD_ELEMENT\n                        Set the number of allowed crashes in a Primitive before skipping it (Default 3)\n  --ignore-aborted      Ignore ECONNABORTED errors\n  --ignore-reset        Ignore ECONNRESET errors\n  --error-fuzz-issues   Log as error when there is any connection issue in the fuzzed node\n\nFuzz Options:\n  -c CALLBACK, --callback CALLBACK\n                        Set a callback address to fuzz with callback generator instead of normal mutations\n  --file FILENAME       Use contents of a file for fuzz mutations\n\nFuzzers:\n  -f {cops,dhcp,ipp,lpd,netconf,telnet_cli,tftp,raw}, --fuzz {cops,dhcp,ipp,lpd,netconf,telnet_cli,tftp,raw}\n                        Available Protocols\n  -r FUZZ_REQUESTS [FUZZ_REQUESTS ...], --requests FUZZ_REQUESTS [FUZZ_REQUESTS ...]\n                        Requests of the protocol to fuzz, default All\n                          dhcp: [opt82]\n                          ipp: [http_headers, get_printer_attribs, print_uri_message, send_uri, get_jobs, get_job_attribs]\n                          lpd: [long_queue, 
short_queue, ctrl_file, data_file, remove_job]\n                          telnet_cli: [commands]\n                          tftp: [read]\n                          raw: ['\\x01string\\n' '\\x02request2\\x00' ...]\n\nRestart options:\n  --restart module_name [args ...]\n                        Restarter Modules:\n                          run: '\u003cexecutable\u003e [\u003cargument\u003e ...]' (Pass command and arguments within quotes, as only one argument)\n                          smartplug: It will turn off and on the Smart Plug\n                          teckin: \u003cPLUG_IP\u003e\n  --restart-sleep RESTART_SLEEP_TIME\n                        Set sleep seconds after a crash before continue (Default 5)\n\nMonitor options:\n  --monitors {IPPMon} [{IPPMon} ...], -m {IPPMon} [{IPPMon} ...]\n                        Monitor Modules:\n                          IPPMon: Sends a get-attributes IPP message to the target\n\nOther Options:\n  --path PATH           Set path when fuzzing HTTP based protocols (Default /)\n  --document_url DOCUMENT_URL\n                        Set Document URL for print_uri\n\n```\n\n#### Examples\nFuzz the get_printer_attribs IPP operation with default options:\n\n```python -m fuzzowski printer1 631 -f ipp -r get_printer_attribs --restart smartplug```\n\n[![asciicast](https://asciinema.org/a/0RMDMrJWiFo4RoRwAjx61BXDY.svg)](https://asciinema.org/a/0RMDMrJWiFo4RoRwAjx61BXDY)\n\nUse the raw feature of IPP to fuzz the finger protocol:\n\n```python -m fuzzowski printer 79 -f raw -r '{{root}}\\n'```\n\n[![asciicast](https://asciinema.org/a/Pch0JbkNK97dgrCUMK8iIfJv5.svg)](https://asciinema.org/a/Pch0JbkNK97dgrCUMK8iIfJv5)\n\nUse the raw feature of IPP to fuzz the finger protocol, but instead of using the predefined mutations, use a file:\n\n```python -m fuzzowski printer 79 -f raw -r '{{root}}\\n' --file 'path/to/my/fuzzlist'```\n\nStateful Fuzzer example, demonstrating the use of s_response and s_variable to obtain a token that is needed to fuzz a 
request. This example is based on the [mock http server test case](https://github.com/nccgroup/fuzzowski/blob/master/tests/mock_http_server/mock_http_fuzzer.py)\n\n[![asciicast](https://asciinema.org/a/290852.svg)](https://asciinema.org/a/290852)\n\n","funding_links":[],"categories":["Fuzzing","Python (1887)","Python","Software Tools"],"sub_categories":["Fuzzing Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Ffuzzowski","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnccgroup%2Ffuzzowski","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Ffuzzowski/lists"}