Cotopaxi:使用指定IoT网络协议对IoT设备进行安全测试 – 作者:secist

cotopaxi是用于IoT设备安全测试的工具集。你可以指定IoT网络协议(如CoAP,DTLS,HTCPCP,mDNS,MQTT,SSDP)进行测试。

安装

只需从git克隆代码即可:https://github.com/Samsung/cotopaxi

要求

目前Cotopaxi仅适用于Python 2.7.x,但未来版本也将适用于Python 3。

如果你之前安装了scapy没有scapy-ssl_tls,请将其删除或使用venv。

安装主库:

scapy-ssl_tls(这也将在2.4.2中安装scapy)

pip install git+https://github.com/tintinweb/scapy-ssl_tls@ec5714d560c63ea2e0cce713cec54edc2bfa0833

常见问题:

如果遇到错误:error: [Errno 2] No such file or directory: ‘LICENSE’,请尝试重复命令。

如果遇到错误:NameError: name ‘os’ is not defined – 将缺少的import os添加到scapy/layers/ssl_tls.py。

你也可以使用requirements.txt文件安装所有其他依赖包:

pip install -r cotopaxi/requirements.txt

手动安装其他所需的包:

pip install dnslib IPy hexdump pyyaml psutil enum34 configparser

声明

Cotopaxi工具包仅用于授权的安全测试!

某些工具(尤其是漏洞测试程序和协议fuzzer)可能会导致某些设备或服务器停止工作 – 例如导致测试实体崩溃或挂起等。

在运行这些工具之前,请确保你已获得测试设备或服务器的所有者的许可!

在运行这些工具之前,请务必查看当地法律!

其中包含的工具有:

service_ping

server_fingerprinter

resource_listing

server_fingerprinter

protocol_fuzzer (用于fuzzing服务器)

client_proto_fuzzer (用于fuzzing客户端)

vulnerability_tester (用于测试服务)

client_vuln_tester (用于测试客户端)

amplifier_detector

不同工具所支持的协议:

Tool CoAP DTLS HTCPCP mDNS MQTT SSDP
service_ping
server_fingerprinter        
resource_listing      
protocol_fuzzer
client_proto_fuzzer
vulnerability_tester
client_vuln_tester
amplifier_detector    

cotopaxi.service_ping

用于检查给定IP和端口范围的网络服务可用性的工具

usage: sudo python -m cotopaxi.service_ping [-h] [-v] [--protocol {UDP,TCP,CoAP,MQTT,DTLS,ALL}]
                       [--src-port SRC_PORT]
                       dest_ip dest_port

positional arguments:
  dest_ip               destination IP address or multiple IPs separated by
                        coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask
                        (e.g. '10.0.0.0/22') or both
  dest_port             destination port or multiple ports given by list
                        separated by coma (e.g. '8080,9090') or port range
                        (e.g. '1000-2000') or both

optional arguments:
  -h, --help            show this help message and exit
  --retries RETRIES, -R RETRIES
                        number of retries
  --timeout TIMEOUT, -T TIMEOUT
                        timeout in seconds
  --verbose, -V, --debug, -D
                        Turn on verbose/debug mode (more messages)
  --protocol {UDP,TCP,CoAP,mDNS,SSDP,MQTT,DTLS,ALL,HTCPCP}, -P {UDP,TCP,CoAP,mDNS,SSDP,MQTT,DTLS,ALL,HTCPCP}
                        protocol to be tested (UDP includes CoAP, DTLS, mDNS,
                        and SSDP, TCP includes CoAP, HTCPCP, and MQTT, ALL
                        includes all supported protocols)
  --src-port SRC_PORT, -SP SRC_PORT
                        source port (if not specified random port will be
                        used)

cotopaxi.server_fingerprinter

用于在给定IP和端口范围内对网络服务器进行软件指纹识别的工具

目前支持的服务器:

CoAP:

aiocoap,

CoAPthon,

FreeCoAP,

libcoap,

MicroCoAP,

Mongoose

Wakaama (formerly liblwm2m)

DTLS:

GnuTLS,

Goldy,

LibreSSL,

MatrixSSL,

mbed TLS,

OpenSSL,

TinyDTLS

usage: sudo python -m cotopaxi.server_fingerprinter [-h] [--retries RETRIES] [--timeout TIMEOUT]
                               [--verbose]
                               [--protocol {CoAP,DTLS}]
                               [--src-port SRC_PORT]
                               dest_ip dest_port

positional arguments:
  dest_ip               destination IP address or multiple IPs separated by
                        coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask
                        (e.g. '10.0.0.0/22') or both
  dest_port             destination port or multiple ports given by list
                        separated by coma (e.g. '8080,9090') or port range
                        (e.g. '1000-2000') or both

optional arguments:
  -h, --help            show this help message and exit
  --retries RETRIES, -R RETRIES
                        number of retries
  --timeout TIMEOUT, -T TIMEOUT
                        timeout in seconds
  --verbose, -V, --debug, -D
                        Turn on verbose/debug mode (more messages)
  --protocol {CoAP,DTLS}, -P {CoAP,DTLS}
                        protocol to be tested
  --src-port SRC_PORT, -SP SRC_PORT
                        source port (if not specified random port will be
                        used)
  --ignore-ping-check, -Pn
                        ignore ping check (treat all ports as alive)

cotopaxi.resource_listing

用于在给定IP和端口范围的服务器上检查名为url的资源可用性的工具。urls目录中提供了示例URL列表

usage: sudo python -m cotopaxi.resource_listing [-h] [-v] [--protocol {CoAP,ALL}]
                           [--method {GET,POST,PUT,DELETE,ALL}]
                           [--src-port SRC_PORT]
                           dest_ip dest_port url_filepath

positional arguments:
  dest_ip               destination IP address or multiple IPs separated by
                        coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask
                        (e.g. '10.0.0.0/22') or both
  dest_port             destination port or multiple ports given by list
                        separated by coma (e.g. '8080,9090') or port range
                        (e.g. '1000-2000') or both
  url_filepath          path to file with list of URLs to be tested (each URL
                        in separated line)

optional arguments:
  -h, --help            show this help message and exit
  --retries RETRIES, -R RETRIES
                        number of retries
  --timeout TIMEOUT, -T TIMEOUT
                        timeout in seconds
  --verbose, -V, --debug, -D
                        Turn on verbose/debug mode (more messages)
  --protocol {CoAP,mDNS,SSDP}, -P {CoAP,mDNS,SSDP}
                        protocol to be tested
  --method {GET,POST,PUT,DELETE,ALL}, -M {GET,POST,PUT,DELETE,ALL}
                        methods to be tested (ALL includes all supported
                        methods)
  --src-port SRC_PORT, -SP SRC_PORT
                        source port (if not specified random port will be
                        used)
  --ignore-ping-check, -Pn
                        ignore ping check (treat all ports as alive)

cotopaxi.protocol_fuzzer

用于测试协议服务器的黑盒fuzzer

usage: sudo python -m cotopaxi.protocol_fuzzer 
                          [-h] [--retries RETRIES] [--timeout TIMEOUT]
                          [--verbose] [--protocol {CoAP,mDNS,MQTT,DTLS}]
                          [--src-ip SRC_IP] [--src-port SRC_PORT]
                          [--ignore-ping-check] [--corpus-dir CORPUS_DIR]
                          dest_ip dest_port

positional arguments:
  dest_ip               destination IP address or multiple IPs separated by
                        coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask
                        (e.g. '10.0.0.0/22') or both
  dest_port             destination port or multiple ports given by list
                        separated by coma (e.g. '8080,9090') or port range
                        (e.g. '1000-2000') or both

optional arguments:
  -h, --help            show this help message and exit
  --retries RETRIES, -R RETRIES
                        number of retries
  --timeout TIMEOUT, -T TIMEOUT
                        timeout in seconds
  --verbose, -V, --debug, -D
                        Turn on verbose/debug mode (more messages)
  --protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}, -P {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}
                        protocol to be tested
  --hide-disclaimer, -HD
                        hides legal disclaimer (shown before starting
                        intrusive tools)
  --src-ip SRC_IP, -SI SRC_IP
                        source IP address (return result will not be
                        received!)
  --src-port SRC_PORT, -SP SRC_PORT
                        source port (if not specified random port will be
                        used)
  --ignore-ping-check, -Pn
                        ignore ping check (treat all ports as alive)
  --corpus-dir CORPUS_DIR, -C CORPUS_DIR
                        path to directory with fuzzing payloads (corpus) (each
                        payload in separated file)
  --delay-after-crash DELAY_AFTER_CRASH, -DAC DELAY_AFTER_CRASH
                        number of seconds that fuzzer will wait after crash
                        for respawning tested server

cotopaxi.client_proto_fuzzer

用于测试协议客户端的黑盒fuzzer

usage: sudo client_proto_fuzzer.py [-h] [--server-ip SERVER_IP]
                              [--server-port SERVER_PORT]
                              [--protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}]
                              [--verbose] [--corpus-dir CORPUS_DIR]

optional arguments:
  -h, --help            show this help message and exit
  --server-ip SERVER_IP, -SI SERVER_IP
                        IP address, that will be used to set up tester server
  --server-port SERVER_PORT, -SP SERVER_PORT
                        port that will be used to set up server
  --protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}, -P {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}
                        protocol to be tested
  --verbose, -V, --debug, -D
                        Turn on verbose/debug mode (more messages)
  --corpus-dir CORPUS_DIR, -C CORPUS_DIR
                        path to directory with fuzzing payloads (corpus) (each
                        payload in separated file)

cotopaxi.vulnerability_tester

用于检查给定IP和端口范围的网络服务漏洞的工具

usage: sudo python -m cotopaxi.vulnerability_tester [-h] [-v]
                               [--cve {ALL,CVE-2018-19417,...}]
                               [--list LIST] [--src-port SRC_PORT]
                               dest_ip dest_port

positional arguments:
  dest_ip               destination IP address or multiple IPs separated by
                        coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask
                        (e.g. '10.0.0.0/22') or both
  dest_port             destination port or multiple ports given by list
                        separated by coma (e.g. '8080,9090') or port range
                        (e.g. '1000-2000') or both

optional arguments:
  -h, --help            show this help message and exit
  --retries RETRIES, -R RETRIES
                        number of retries
  --timeout TIMEOUT, -T TIMEOUT
                        timeout in seconds
  --protocol {UDP,TCP,CoAP,mDNS,MQTT,DTLS,ALL}, -P {UDP,TCP,CoAP,mDNS,MQTT,DTLS,ALL}
                        protocol to be tested (UDP includes CoAP, mDNS and
                        DTLS, TCP includes CoAP and MQTT, ALL includes all
                        supported protocols)
  --hide-disclaimer, -HD
                        hides legal disclaimer (shown before starting
                        intrusive tools)
  --verbose, -V, --debug, -D
                        Turn on verbose/debug mode (more messages)
  --cve {ALL,CVE-2018-19417,...}
                        list of vulnerabilities to be tested (by CVE id)
  --vuln {ALL,BOTAN_000,COAPTHON3_000,...} 
                        list of vulnerabilities to be tested (by SOFT_NUM id)

  --list, -L            display lists of all vulnerabilities supported by this
                        tool with detailed description
  --src-port SRC_PORT, -SP SRC_PORT
                        source port (if not specified random port will be
                        used)
  --ignore-ping-check, -Pn
                        ignore ping check (treat all ports as alive)

cotopaxi.client_vuln_tester

用于检查此工具提供的连接到服务器的网络客户端漏洞的工具

usage: sudo client_vuln_tester.py [-h] [--server-ip SERVER_IP]
                             [--server-port SERVER_PORT]
                             [--protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}]
                             [--verbose]
                             [--vuln {ALL,BOTAN_000,COAPTHON3_000,...} [{ALL,BOTAN_000,COAPTHON3_000,...} ...]]
                             [--cve {ALL,CVE-2017-12087,...} [{ALL,CVE-2017-12087,...} ...]]
                             [--list]

optional arguments:
  -h, --help            show this help message and exit
  --server-ip SERVER_IP, -SI SERVER_IP
                        IP address, that will be used to set up tester server
  --server-port SERVER_PORT, -SP SERVER_PORT
                        port that will be used to set up server
  --protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}, -P {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}
                        protocol to be tested
  --verbose, -V, --debug, -D
                        Turn on verbose/debug mode (more messages)
  --vuln {ALL,BOTAN_000,COAPTHON3_000,...} [{ALL,BOTAN_000,COAPTHON3_000,...} ...]
                        list of vulnerabilities to be tested (by SOFT_NUM id)
  --cve {ALL,CVE-2017-12087,CVE-2017-12130,...} [{ALL,CVE-2017-12087,CVE-2017-12130,...} ...]
                        list of vulnerabilities to be tested (by CVE id)
  --list, -L            display lists of all vulnerabilities supported by this
                        tool with detailed description

cotopaxi.amplifier_detector

用于检测网络设备的工具,通过观察分组的输入和输出大小来放大反射的流量

usage: sudo python -m cotopaxi.amplifier_detector [-h] [--port PORT] [--nr NR] [--verbose] dest_ip

positional arguments:
  dest_ip               destination IP address

optional arguments:
  -h, --help            show this help message and exit
  --interval INTERVAL, -I INTERVAL
                        minimal interval in sec between displayed status
                        messages (default: 1 sec)
  --port PORT, --dest_port PORT, -P PORT
                        destination port
  --nr NR, -N NR        number of packets to be sniffed (default: 9999999)
  --verbose, -V, --debug, -D
                        turn on verbose/debug mode (more messages)

已知问题/限制

使用scapy作为网络库会导致一些已知问题或限制:

在同一台计算机上运行的测试服务可能会由于未传递某些数据包而导致出现问题,

针对同一目标运行的多个工具可能会导致它们之间的干扰(数据包可能表示为对另一个请求的响应)。

更多信息请访问:https://scapy.readthedocs.io/en/latest/troubleshooting.html#

Unit tests

要运行所有单元测试,请使用(从cotopaxi上层目录):

sudo python -m unittest discover

大多数测试都是针对远程测试服务器执行的,需要准备测试环境,在tests/test_config.ini和tests/test_servers.yaml中进行设置。

*参考来源:GitHub,FB小编secist编译,转载请注明来自FreeBuf.COM

来源:freebuf.com 2019-10-08 15:00:12 by: secist

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发

请登录后发表评论