Cotopaxi:使用指定IoT网络协议对IoT设备进行安全测试
摘要:usage: sudo python -m cotopaxi.vulnerability_tester [-h] [-v] [--cve {ALL,CVE-2018-19417,...}] [--list LIST] [--src-port SRC_PORT] dest_ip dest_port positional arguments: dest_ip destination IP address or multiple IPs separated by coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask (e.g. '10.0.0.0/22') or both dest_port destination port or multiple ports given by list separated by coma (e.g. '8080,9090') or port range (e.g. '1000-2000') or both optional arguments: -h, --help show this help message and exit --retries RETRIES, -R RETRIES number of retries --timeout TIMEOUT, -T TIMEOUT timeout in seconds --protocol {UDP,TCP,CoAP,mDNS,MQTT,DTLS,ALL}, -P {UDP,TCP,CoAP,mDNS,MQTT,DTLS,ALL} protocol to be tested (UDP includes CoAP, mDNS and DTLS, TCP includes CoAP and MQTT, ALL includes all supported protocols) --hide-disclaimer, -HD hides legal disclaimer (shown before starting intrusive tools) --verbose, -V, --debug, -D Turn on verbose/debug mode (more messages) --cve {ALL,CVE-2018-19417,...} list of vulnerabilities to be tested (by CVE id) --vuln {ALL,BOTAN_000,COAPTHON3_000,...} list of vulnerabilities to be tested (by SOFT_NUM id) --list, -L display lists of all vulnerabilities supported by this tool with detailed description --src-port SRC_PORT, -SP SRC_PORT source port (if not specified random port will be used) --ignore-ping-check, -Pn ignore ping check (treat all ports as alive)。usage: sudo python -m cotopaxi.protocol_fuzzer [-h] [--retries RETRIES] [--timeout TIMEOUT] [--verbose] [--protocol {CoAP,mDNS,MQTT,DTLS}] [--src-ip SRC_IP] [--src-port SRC_PORT] [--ignore-ping-check] [--corpus-dir CORPUS_DIR] dest_ip dest_port positional arguments: dest_ip destination IP address or multiple IPs separated by coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask (e.g. '10.0.0.0/22') or both dest_port destination port or multiple ports given by list separated by coma (e.g. '8080,9090') or port range (e.g. '1000-2000') or both optional arguments: -h, --help show this help message and exit --retries RETRIES, -R RETRIES number of retries --timeout TIMEOUT, -T TIMEOUT timeout in seconds --verbose, -V, --debug, -D Turn on verbose/debug mode (more messages) --protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}, -P {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP} protocol to be tested --hide-disclaimer, -HD hides legal disclaimer (shown before starting intrusive tools) --src-ip SRC_IP, -SI SRC_IP source IP address (return result will not be received。
cotopaxi是用于IoT设备安全测试的工具集。你可以指定IoT网络协议(如CoAP,DTLS,HTCPCP,mDNS,MQTT,SSDP)进行测试。
安装
只需从git克隆代码即可: https://github.com/Samsung/cotopaxi
要求
目前Cotopaxi仅适用于Python 2.7.x,但未来版本也将适用于Python 3。
如果你之前安装了scapy没有scapy-ssl_tls,请将其删除或使用venv。
安装主库:
scapy-ssl_tls(这也将在2.4.2中安装scapy)
pip install git+https://github.com/tintinweb/scapy-ssl_tls@ec5714d560c63ea2e0cce713cec54edc2bfa0833
常见问题:
如果遇到错误:error: [Errno 2] No such file or directory: ‘LICENSE’,请尝试重复命令。
如果遇到错误:NameError: name ‘os’ is not defined – 将缺少的import os添加到scapy/layers/ssl_tls.py。
你也可以使用requirements.txt文件安装所有其他依赖包:
pip install -r cotopaxi/requirements.txt
手动安装其他所需的包:
pip install dnslib IPy hexdump pyyaml psutil enum34 configparser
声明
Cotopaxi工具包仅用于授权的安全测试!
某些工具(尤其是漏洞测试程序和协议fuzzer)可能会导致某些设备或服务器停止工作 – 例如导致测试实体崩溃或挂起等。
在运行这些工具之前,请确保你已获得测试设备或服务器的所有者的许可!
在运行这些工具之前,请务必查看当地法律!
其中包含的工具有:
service_ping server_fingerprinter resource_listing server_fingerprinter protocol_fuzzer (用于fuzzing服务器) client_proto_fuzzer (用于fuzzing客户端) vulnerability_tester (用于测试服务) client_vuln_tester (用于测试客户端) amplifier_detector
不同工具所支持的协议:
Tool | CoAP | DTLS | HTCPCP | mDNS | MQTT | SSDP |
---|---|---|---|---|---|---|
service_ping | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
server_fingerprinter | ☑ | ☑ | ||||
resource_listing | ☑ | ☑ | ☑ | |||
protocol_fuzzer | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
client_proto_fuzzer | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
vulnerability_tester | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
client_vuln_tester | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
amplifier_detector | ☑ | ☑ | ☑ | ☑ |
cotopaxi.service_ping
用于检查给定IP和端口范围的网络服务可用性的工具
usage: sudo python -m cotopaxi.service_ping [-h] [-v] [--protocol {UDP,TCP,CoAP,MQTT,DTLS,ALL}] [--src-port SRC_PORT] dest_ip dest_port positional arguments: dest_ip destination IP address or multiple IPs separated by coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask (e.g. '10.0.0.0/22') or both dest_port destination port or multiple ports given by list separated by coma (e.g. '8080,9090') or port range (e.g. '1000-2000') or both optional arguments: -h, --help show this help message and exit --retries RETRIES, -R RETRIES number of retries --timeout TIMEOUT, -T TIMEOUT timeout in seconds --verbose, -V, --debug, -D Turn on verbose/debug mode (more messages) --protocol {UDP,TCP,CoAP,mDNS,SSDP,MQTT,DTLS,ALL,HTCPCP}, -P {UDP,TCP,CoAP,mDNS,SSDP,MQTT,DTLS,ALL,HTCPCP} protocol to be tested (UDP includes CoAP, DTLS, mDNS, and SSDP, TCP includes CoAP, HTCPCP, and MQTT, ALL includes all supported protocols) --src-port SRC_PORT, -SP SRC_PORT source port (if not specified random port will be used)
cotopaxi.server_fingerprinter
用于在给定IP和端口范围内对网络服务器进行软件指纹识别的工具
目前支持的服务器:
CoAP:
aiocoap, CoAPthon, FreeCoAP, libcoap, MicroCoAP, Mongoose Wakaama (formerly liblwm2m)
DTLS:
GnuTLS, Goldy, LibreSSL, MatrixSSL, mbed TLS, OpenSSL, TinyDTLS
usage: sudo python -m cotopaxi.server_fingerprinter [-h] [--retries RETRIES] [--timeout TIMEOUT] [--verbose] [--protocol {CoAP,DTLS}] [--src-port SRC_PORT] dest_ip dest_port positional arguments: dest_ip destination IP address or multiple IPs separated by coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask (e.g. '10.0.0.0/22') or both dest_port destination port or multiple ports given by list separated by coma (e.g. '8080,9090') or port range (e.g. '1000-2000') or both optional arguments: -h, --help show this help message and exit --retries RETRIES, -R RETRIES number of retries --timeout TIMEOUT, -T TIMEOUT timeout in seconds --verbose, -V, --debug, -D Turn on verbose/debug mode (more messages) --protocol {CoAP,DTLS}, -P {CoAP,DTLS} protocol to be tested --src-port SRC_PORT, -SP SRC_PORT source port (if not specified random port will be used) --ignore-ping-check, -Pn ignore ping check (treat all ports as alive)
cotopaxi.resource_listing
用于在给定IP和端口范围的服务器上检查名为url的资源可用性的工具。urls目录中提供了示例URL列表
usage: sudo python -m cotopaxi.resource_listing [-h] [-v] [--protocol {CoAP,ALL}] [--method {GET,POST,PUT,DELETE,ALL}] [--src-port SRC_PORT] dest_ip dest_port url_filepath positional arguments: dest_ip destination IP address or multiple IPs separated by coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask (e.g. '10.0.0.0/22') or both dest_port destination port or multiple ports given by list separated by coma (e.g. '8080,9090') or port range (e.g. '1000-2000') or both url_filepath path to file with list of URLs to be tested (each URL in separated line) optional arguments: -h, --help show this help message and exit --retries RETRIES, -R RETRIES number of retries --timeout TIMEOUT, -T TIMEOUT timeout in seconds --verbose, -V, --debug, -D Turn on verbose/debug mode (more messages) --protocol {CoAP,mDNS,SSDP}, -P {CoAP,mDNS,SSDP} protocol to be tested --method {GET,POST,PUT,DELETE,ALL}, -M {GET,POST,PUT,DELETE,ALL} methods to be tested (ALL includes all supported methods) --src-port SRC_PORT, -SP SRC_PORT source port (if not specified random port will be used) --ignore-ping-check, -Pn ignore ping check (treat all ports as alive)
cotopaxi.protocol_fuzzer
用于测试协议服务器的黑盒fuzzer
usage: sudo python -m cotopaxi.protocol_fuzzer [-h] [--retries RETRIES] [--timeout TIMEOUT] [--verbose] [--protocol {CoAP,mDNS,MQTT,DTLS}] [--src-ip SRC_IP] [--src-port SRC_PORT] [--ignore-ping-check] [--corpus-dir CORPUS_DIR] dest_ip dest_port positional arguments: dest_ip destination IP address or multiple IPs separated by coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask (e.g. '10.0.0.0/22') or both dest_port destination port or multiple ports given by list separated by coma (e.g. '8080,9090') or port range (e.g. '1000-2000') or both optional arguments: -h, --help show this help message and exit --retries RETRIES, -R RETRIES number of retries --timeout TIMEOUT, -T TIMEOUT timeout in seconds --verbose, -V, --debug, -D Turn on verbose/debug mode (more messages) --protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}, -P {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP} protocol to be tested --hide-disclaimer, -HD hides legal disclaimer (shown before starting intrusive tools) --src-ip SRC_IP, -SI SRC_IP source IP address (return result will not be received!) --src-port SRC_PORT, -SP SRC_PORT source port (if not specified random port will be used) --ignore-ping-check, -Pn ignore ping check (treat all ports as alive) --corpus-dir CORPUS_DIR, -C CORPUS_DIR path to directory with fuzzing payloads (corpus) (each payload in separated file) --delay-after-crash DELAY_AFTER_CRASH, -DAC DELAY_AFTER_CRASH number of seconds that fuzzer will wait after crash for respawning tested server
cotopaxi.client_proto_fuzzer
用于测试协议客户端的黑盒fuzzer
usage: sudo client_proto_fuzzer.py [-h] [--server-ip SERVER_IP] [--server-port SERVER_PORT] [--protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}] [--verbose] [--corpus-dir CORPUS_DIR] optional arguments: -h, --help show this help message and exit --server-ip SERVER_IP, -SI SERVER_IP IP address, that will be used to set up tester server --server-port SERVER_PORT, -SP SERVER_PORT port that will be used to set up server --protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}, -P {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP} protocol to be tested --verbose, -V, --debug, -D Turn on verbose/debug mode (more messages) --corpus-dir CORPUS_DIR, -C CORPUS_DIR path to directory with fuzzing payloads (corpus) (each payload in separated file)
cotopaxi.vulnerability_tester
用于检查给定IP和端口范围的网络服务漏洞的工具
usage: sudo python -m cotopaxi.vulnerability_tester [-h] [-v] [--cve {ALL,CVE-2018-19417,...}] [--list LIST] [--src-port SRC_PORT] dest_ip dest_port positional arguments: dest_ip destination IP address or multiple IPs separated by coma (e.g. '1.1.1.1,2.2.2.2') or given by CIDR netmask (e.g. '10.0.0.0/22') or both dest_port destination port or multiple ports given by list separated by coma (e.g. '8080,9090') or port range (e.g. '1000-2000') or both optional arguments: -h, --help show this help message and exit --retries RETRIES, -R RETRIES number of retries --timeout TIMEOUT, -T TIMEOUT timeout in seconds --protocol {UDP,TCP,CoAP,mDNS,MQTT,DTLS,ALL}, -P {UDP,TCP,CoAP,mDNS,MQTT,DTLS,ALL} protocol to be tested (UDP includes CoAP, mDNS and DTLS, TCP includes CoAP and MQTT, ALL includes all supported protocols) --hide-disclaimer, -HD hides legal disclaimer (shown before starting intrusive tools) --verbose, -V, --debug, -D Turn on verbose/debug mode (more messages) --cve {ALL,CVE-2018-19417,...} list of vulnerabilities to be tested (by CVE id) --vuln {ALL,BOTAN_000,COAPTHON3_000,...} list of vulnerabilities to be tested (by SOFT_NUM id) --list, -L display lists of all vulnerabilities supported by this tool with detailed description --src-port SRC_PORT, -SP SRC_PORT source port (if not specified random port will be used) --ignore-ping-check, -Pn ignore ping check (treat all ports as alive)
cotopaxi.client_vuln_tester
用于检查此工具提供的连接到服务器的网络客户端漏洞的工具
usage: sudo client_vuln_tester.py [-h] [--server-ip SERVER_IP] [--server-port SERVER_PORT] [--protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}] [--verbose] [--vuln {ALL,BOTAN_000,COAPTHON3_000,...} [{ALL,BOTAN_000,COAPTHON3_000,...} ...]] [--cve {ALL,CVE-2017-12087,...} [{ALL,CVE-2017-12087,...} ...]] [--list] optional arguments: -h, --help show this help message and exit --server-ip SERVER_IP, -SI SERVER_IP IP address, that will be used to set up tester server --server-port SERVER_PORT, -SP SERVER_PORT port that will be used to set up server --protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}, -P {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP} protocol to be tested --verbose, -V, --debug, -D Turn on verbose/debug mode (more messages) --vuln {ALL,BOTAN_000,COAPTHON3_000,...} [{ALL,BOTAN_000,COAPTHON3_000,...} ...] list of vulnerabilities to be tested (by SOFT_NUM id) --cve {ALL,CVE-2017-12087,CVE-2017-12130,...} [{ALL,CVE-2017-12087,CVE-2017-12130,...} ...] list of vulnerabilities to be tested (by CVE id) --list, -L display lists of all vulnerabilities supported by this tool with detailed description
cotopaxi.amplifier_detector
用于检测网络设备的工具,通过观察分组的输入和输出大小来放大反射的流量
usage: sudo python -m cotopaxi.amplifier_detector [-h] [--port PORT] [--nr NR] [--verbose] dest_ip positional arguments: dest_ip destination IP address optional arguments: -h, --help show this help message and exit --interval INTERVAL, -I INTERVAL minimal interval in sec between displayed status messages (default: 1 sec) --port PORT, --dest_port PORT, -P PORT destination port --nr NR, -N NR number of packets to be sniffed (default: 9999999) --verbose, -V, --debug, -D turn on verbose/debug mode (more messages)
已知问题/限制
使用scapy作为网络库会导致一些已知问题或限制:
在同一台计算机上运行的测试服务可能会由于未传递某些数据包而导致出现问题,
针对同一目标运行的多个工具可能会导致它们之间的干扰(数据包可能表示为对另一个请求的响应)。
更多信息请访问: https://scapy.readthedocs.io/en/latest/troubleshooting.html#
Unit tests
要运行所有单元测试,请使用(从cotopaxi上层目录):
sudo python -m unittest discover
大多数测试都是针对远程测试服务器执行的,需要准备测试环境,在tests/test_config.ini和tests/test_servers.yaml中进行设置。
*参考来源: GitHub ,FB小编secist编译,转载请注明来自FreeBuf.COM