Cotopaxi: security testing of IoT devices over selected IoT network protocols
Cotopaxi is a set of tools for security testing of IoT devices. You choose the IoT network protocol to test (CoAP, DTLS, HTCPCP, mDNS, MQTT or SSDP).
Installation
Just clone the code from git: https://github.com/Samsung/cotopaxi
Requirements
Currently Cotopaxi works only with Python 2.7.x; future versions will also work with Python 3.
If you have previously installed scapy without scapy-ssl_tls, remove it or use a venv.
Install the main library:
scapy-ssl_tls (this also installs scapy, version 2.4.2)
```
pip install git+https://github.com/tintinweb/scapy-ssl_tls@ec5714d560c63ea2e0cce713cec54edc2bfa0833
```
Common problems:
If you get the error `error: [Errno 2] No such file or directory: 'LICENSE'`, try repeating the command.
If you get the error `NameError: name 'os' is not defined`, add the missing `import os` to scapy/layers/ssl_tls.py.
You can also install all the other required packages from the requirements.txt file:
```
pip install -r cotopaxi/requirements.txt
```
Or install the other required packages manually:
```
pip install dnslib IPy hexdump pyyaml psutil enum34 configparser
```
Disclaimer
The Cotopaxi toolkit is intended for authorized security testing only!
Some of the tools (especially the vulnerability tester and the protocol fuzzers) can cause devices or servers to stop working, e.g. crash or hang the tested entity.
Before running these tools, make sure you have permission from the owner of the tested device or server!
Check your local laws before running these tools!
The toolkit contains the following tools:
service_ping
server_fingerprinter
resource_listing
protocol_fuzzer (for fuzzing servers)
client_proto_fuzzer (for fuzzing clients)
vulnerability_tester (for testing services)
client_vuln_tester (for testing clients)
amplifier_detector
Protocols supported by each tool:
Tool | CoAP | DTLS | HTCPCP | mDNS | MQTT | SSDP |
---|---|---|---|---|---|---|
service_ping | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
server_fingerprinter | ☑ | ☑ | | | | |
resource_listing | ☑ | | | ☑ | | ☑ |
protocol_fuzzer | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
client_proto_fuzzer | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
vulnerability_tester | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
client_vuln_tester | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
amplifier_detector | ☑ | ☑ | | ☑ | | ☑ |
cotopaxi.service_ping
Tool for checking the availability of network services at the given IP and port ranges.
```
usage: sudo python -m cotopaxi.service_ping [-h] [--retries RETRIES] [--timeout TIMEOUT] [--verbose]
                                            [--protocol {UDP,TCP,CoAP,mDNS,SSDP,MQTT,DTLS,ALL,HTCPCP}]
                                            [--src-port SRC_PORT]
                                            dest_ip dest_port

positional arguments:
  dest_ip               destination IP address or multiple IPs separated by comma (e.g. '1.1.1.1,2.2.2.2')
                        or given by CIDR netmask (e.g. '10.0.0.0/22') or both
  dest_port             destination port or multiple ports given by list separated by comma (e.g. '8080,9090')
                        or port range (e.g. '1000-2000') or both

optional arguments:
  -h, --help            show this help message and exit
  --retries RETRIES, -R RETRIES
                        number of retries
  --timeout TIMEOUT, -T TIMEOUT
                        timeout in seconds
  --verbose, -V, --debug, -D
                        turn on verbose/debug mode (more messages)
  --protocol {UDP,TCP,CoAP,mDNS,SSDP,MQTT,DTLS,ALL,HTCPCP}, -P {UDP,TCP,CoAP,mDNS,SSDP,MQTT,DTLS,ALL,HTCPCP}
                        protocol to be tested (UDP includes CoAP, DTLS, mDNS and SSDP;
                        TCP includes CoAP, HTCPCP and MQTT; ALL includes all supported protocols)
  --src-port SRC_PORT, -SP SRC_PORT
                        source port (if not specified, a random port will be used)
```
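Every Cotopaxi tool takes its targets in the `dest_ip` / `dest_port` syntax shown above (comma-separated lists, CIDR blocks, port ranges, or a mix). Before pointing the intrusive tools at a range it is worth knowing how many (ip, port) pairs that spec actually expands to. The following is an added example written for this page, not code from the Cotopaxi project: a Python 3 helper that expands both specs the way the usage text describes and returns the full probe list. The function names and the sample specs are this example's own.

```python
"""Expand Cotopaxi-style dest_ip / dest_port specifications.

Added example (not part of Cotopaxi): reproduces the addressing syntax
described in the tools' usage text so a tester can count targets before
running an intrusive tool. Python 3 standard library only.
"""
import ipaddress
from typing import List, Tuple


def expand_ips(spec: str) -> List[str]:
    """'1.1.1.1,2.2.2.2' or '10.0.0.0/22' or both -> list of addresses.

    CIDR blocks expand to every address in the block (network and broadcast
    addresses included, since a scanner would probe them too). Duplicates are
    dropped and first-seen order is preserved.
    """
    seen = set()
    result = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            # strict=False accepts a block written with host bits set, e.g. '10.0.1.5/22'
            hosts = (str(ip) for ip in ipaddress.ip_network(item, strict=False))
        else:
            hosts = (str(ipaddress.ip_address(item)),)  # raises ValueError on garbage
        for host in hosts:
            if host not in seen:
                seen.add(host)
                result.append(host)
    return result


def expand_ports(spec: str) -> List[int]:
    """'8080,9090' or '1000-2000' or both -> sorted list of unique ports."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:          # tolerate '2000-1000'
                lo, hi = hi, lo
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    bad = sorted(p for p in ports if not 0 < p < 65536)
    if bad:
        raise ValueError("port out of range: %r" % bad)
    return sorted(ports)


def expand_targets(ip_spec: str, port_spec: str) -> List[Tuple[str, int]]:
    """Cartesian product of both specs: every (ip, port) pair a tool would probe."""
    ports = expand_ports(port_spec)
    return [(ip, port) for ip in expand_ips(ip_spec) for port in ports]


if __name__ == "__main__":
    # Constructed example specs (documentation ranges), not real targets.
    targets = expand_targets("192.0.2.0/30,198.51.100.7", "5683,1000-1003")
    print("%d probes" % len(targets))
    for ip, port in targets:
        print(ip, port)
```

A /22 alone is 1024 addresses, so a /22 combined with a port range of 1000-2000 is over a million probes; multiply by `--retries` and `--timeout` to estimate run time and the load you put on the network before starting.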
cotopaxi.server_fingerprinter
Tool for software fingerprinting of network servers at the given IP and port ranges.
Currently supported servers:
CoAP:
aiocoap, CoAPthon, FreeCoAP, libcoap, MicroCoAP, Mongoose, Wakaama (formerly liblwm2m)
DTLS:
GnuTLS, Goldy, LibreSSL, MatrixSSL, mbed TLS, OpenSSL, TinyDTLS
```
usage: sudo python -m cotopaxi.server_fingerprinter [-h] [--retries RETRIES] [--timeout TIMEOUT] [--verbose]
                                                    [--protocol {CoAP,DTLS}] [--src-port SRC_PORT]
                                                    [--ignore-ping-check]
                                                    dest_ip dest_port

positional arguments:
  dest_ip               destination IP address or multiple IPs separated by comma (e.g. '1.1.1.1,2.2.2.2')
                        or given by CIDR netmask (e.g. '10.0.0.0/22') or both
  dest_port             destination port or multiple ports given by list separated by comma (e.g. '8080,9090')
                        or port range (e.g. '1000-2000') or both

optional arguments:
  -h, --help            show this help message and exit
  --retries RETRIES, -R RETRIES
                        number of retries
  --timeout TIMEOUT, -T TIMEOUT
                        timeout in seconds
  --verbose, -V, --debug, -D
                        turn on verbose/debug mode (more messages)
  --protocol {CoAP,DTLS}, -P {CoAP,DTLS}
                        protocol to be tested
  --src-port SRC_PORT, -SP SRC_PORT
                        source port (if not specified, a random port will be used)
  --ignore-ping-check, -Pn
                        ignore ping check (treat all ports as alive)
```
cotopaxi.resource_listing
Tool for checking the availability of resources identified by URL on servers at the given IP and port ranges. Sample URL lists are provided in the urls directory.
```
usage: sudo python -m cotopaxi.resource_listing [-h] [--retries RETRIES] [--timeout TIMEOUT] [--verbose]
                                                [--protocol {CoAP,mDNS,SSDP}]
                                                [--method {GET,POST,PUT,DELETE,ALL}]
                                                [--src-port SRC_PORT] [--ignore-ping-check]
                                                dest_ip dest_port url_filepath

positional arguments:
  dest_ip               destination IP address or multiple IPs separated by comma (e.g. '1.1.1.1,2.2.2.2')
                        or given by CIDR netmask (e.g. '10.0.0.0/22') or both
  dest_port             destination port or multiple ports given by list separated by comma (e.g. '8080,9090')
                        or port range (e.g. '1000-2000') or both
  url_filepath          path to file with list of URLs to be tested (one URL per line)

optional arguments:
  -h, --help            show this help message and exit
  --retries RETRIES, -R RETRIES
                        number of retries
  --timeout TIMEOUT, -T TIMEOUT
                        timeout in seconds
  --verbose, -V, --debug, -D
                        turn on verbose/debug mode (more messages)
  --protocol {CoAP,mDNS,SSDP}, -P {CoAP,mDNS,SSDP}
                        protocol to be tested
  --method {GET,POST,PUT,DELETE,ALL}, -M {GET,POST,PUT,DELETE,ALL}
                        methods to be tested (ALL includes all supported methods)
  --src-port SRC_PORT, -SP SRC_PORT
                        source port (if not specified, a random port will be used)
  --ignore-ping-check, -Pn
                        ignore ping check (treat all ports as alive)
```
cotopaxi.protocol_fuzzer
Black-box fuzzer for testing protocol servers.
```
usage: sudo python -m cotopaxi.protocol_fuzzer [-h] [--retries RETRIES] [--timeout TIMEOUT] [--verbose]
                                               [--protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}]
                                               [--hide-disclaimer] [--src-ip SRC_IP] [--src-port SRC_PORT]
                                               [--ignore-ping-check] [--corpus-dir CORPUS_DIR]
                                               [--delay-after-crash DELAY_AFTER_CRASH]
                                               dest_ip dest_port

positional arguments:
  dest_ip               destination IP address or multiple IPs separated by comma (e.g. '1.1.1.1,2.2.2.2')
                        or given by CIDR netmask (e.g. '10.0.0.0/22') or both
  dest_port             destination port or multiple ports given by list separated by comma (e.g. '8080,9090')
                        or port range (e.g. '1000-2000') or both

optional arguments:
  -h, --help            show this help message and exit
  --retries RETRIES, -R RETRIES
                        number of retries
  --timeout TIMEOUT, -T TIMEOUT
                        timeout in seconds
  --verbose, -V, --debug, -D
                        turn on verbose/debug mode (more messages)
  --protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}, -P {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}
                        protocol to be tested
  --hide-disclaimer, -HD
                        hide the legal disclaimer (shown before starting intrusive tools)
  --src-ip SRC_IP, -SI SRC_IP
                        source IP address (responses will not be received, because the
                        server replies to the spoofed address!)
  --src-port SRC_PORT, -SP SRC_PORT
                        source port (if not specified, a random port will be used)
  --ignore-ping-check, -Pn
                        ignore ping check (treat all ports as alive)
  --corpus-dir CORPUS_DIR, -C CORPUS_DIR
                        path to directory with fuzzing payloads (corpus), one payload per file
  --delay-after-crash DELAY_AFTER_CRASH, -DAC DELAY_AFTER_CRASH
                        number of seconds the fuzzer waits after a crash for the tested server to respawn
```
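`resource_listing` sends requests for the URLs in its list, and `protocol_fuzzer` replays whatever raw payloads it finds in `--corpus-dir`, one file per payload. The following is an added example for this page, not code from the Cotopaxi project, showing what such a payload looks like on the wire for CoAP: it encodes a confirmable CoAP GET (RFC 7252 message format) for `/.well-known/core` (the resource-discovery URL defined in RFC 6690, the kind of entry a resource_listing URL file contains), then derives a few structurally malformed variants that target header and option parsing, and writes each to its own file in the corpus layout. The function names, the `.bin` file extension, the message ID, token and the mutation set are this example's own choices; Cotopaxi's shipped corpora are not reproduced here. Python 3, standard library only.

```python
"""Build a CoAP seed corpus in the one-payload-per-file layout protocol_fuzzer reads.

Added example (not Cotopaxi code). Python 3, stdlib only.
"""
import os
import struct
from typing import Dict, List

COAP_VER = 1
TYPE_CON = 0            # confirmable message
CODE_GET = 0x01         # code 0.01 = GET
OPT_URI_PATH = 11       # option number of Uri-Path (RFC 7252 section 5.10)
PAYLOAD_MARKER = b"\xff"


def _option(delta: int, value: bytes) -> bytes:
    """Option header + value for delta and length below 13 (RFC 7252 section 3.1).

    Deltas/lengths of 13 or more need the extended 1-/2-byte forms; this example
    supports only the short form, which covers Uri-Path segments under 13 bytes.
    """
    if delta >= 13 or len(value) >= 13:
        raise ValueError("extended option encoding not supported in this example")
    return bytes([(delta << 4) | len(value)]) + value


def coap_get(path: str, msg_id: int = 0x1234, token: bytes = b"\x42") -> bytes:
    """Confirmable CoAP GET for '/seg1/seg2': one Uri-Path option per segment."""
    # byte 0: Ver(2) | T(2) | TKL(4); byte 1: Code; bytes 2-3: Message ID (big-endian)
    header = struct.pack("!BBH",
                         (COAP_VER << 6) | (TYPE_CON << 4) | len(token),
                         CODE_GET, msg_id)
    options = b""
    prev = 0
    for seg in path.strip("/").split("/"):
        options += _option(OPT_URI_PATH - prev, seg.encode())
        prev = OPT_URI_PATH     # later Uri-Path options repeat the number, so delta is 0
    return header + token + options


def build_corpus(path: str = "/.well-known/core") -> Dict[str, bytes]:
    """Well-formed seed plus mutations that stress header/option/length handling."""
    good = coap_get(path)
    return {
        "00_valid_get": good,
        # TKL=15 is reserved (token length must be 0..8); a parser must reject it
        "01_reserved_tkl": bytes([good[0] | 0x0F]) + good[1:],
        # version 0 is not CoAP; the message must be silently ignored
        "02_bad_version": bytes([good[0] & 0x3F]) + good[1:],
        # option header claims 12 bytes of value but only 4 follow (truncated option)
        "03_truncated_option": good[:5] + bytes([0xBC]) + b"core",
        # payload marker followed by nothing is a message format error
        "04_empty_payload_marker": good + PAYLOAD_MARKER,
        # fixed header only: TKL=1 announces a token that is missing
        "05_header_only": good[:4],
    }


def write_corpus(corpus_dir: str, path: str = "/.well-known/core") -> List[str]:
    """Write every payload to its own file (the layout --corpus-dir expects)."""
    os.makedirs(corpus_dir, exist_ok=True)
    written = []
    for name, payload in build_corpus(path).items():
        filename = os.path.join(corpus_dir, name + ".bin")   # extension is this example's choice
        with open(filename, "wb") as f:
            f.write(payload)
        written.append(filename)
    return written


if __name__ == "__main__":
    import sys
    import tempfile
    target_dir = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp(prefix="coap_corpus_")
    for name in write_corpus(target_dir):
        print(name)
    print("then: sudo python -m cotopaxi.protocol_fuzzer -P CoAP -C %s <dest_ip> 5683" % target_dir)
```

The valid seed encodes as `41 01 12 34 42 BB 2e 77 65 6c 6c 2d 6b 6e 6f 77 6e 04 63 6f 72 65`: version 1, CON, TKL 1, GET, message ID 0x1234, token 0x42, then Uri-Path ".well-known" (delta 11, length 11) and Uri-Path "core" (delta 0, length 4). Each mutation changes exactly one structural field, so when a target stops answering you can tell from the file name which parsing step it failed on. Remember that `--delay-after-crash` only helps if something actually restarts the tested server.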
cotopaxi.client_proto_fuzzer
Black-box fuzzer for testing protocol clients (it runs a server that the tested client connects to).
```
usage: sudo python -m cotopaxi.client_proto_fuzzer [-h] [--server-ip SERVER_IP] [--server-port SERVER_PORT]
                                                   [--protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}] [--verbose]
                                                   [--corpus-dir CORPUS_DIR]

optional arguments:
  -h, --help            show this help message and exit
  --server-ip SERVER_IP, -SI SERVER_IP
                        IP address that will be used to set up the tester server
  --server-port SERVER_PORT, -SP SERVER_PORT
                        port that will be used to set up the tester server
  --protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}, -P {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}
                        protocol to be tested
  --verbose, -V, --debug, -D
                        turn on verbose/debug mode (more messages)
  --corpus-dir CORPUS_DIR, -C CORPUS_DIR
                        path to directory with fuzzing payloads (corpus), one payload per file
```
cotopaxi.vulnerability_tester
Tool for checking network services at the given IP and port ranges for known vulnerabilities.
```
usage: sudo python -m cotopaxi.vulnerability_tester [-h] [--retries RETRIES] [--timeout TIMEOUT]
                                                    [--protocol {UDP,TCP,CoAP,mDNS,MQTT,DTLS,ALL}]
                                                    [--hide-disclaimer] [--verbose]
                                                    [--cve {ALL,CVE-2018-19417,...}]
                                                    [--vuln {ALL,BOTAN_000,COAPTHON3_000,...}]
                                                    [--list] [--src-port SRC_PORT] [--ignore-ping-check]
                                                    dest_ip dest_port

positional arguments:
  dest_ip               destination IP address or multiple IPs separated by comma (e.g. '1.1.1.1,2.2.2.2')
                        or given by CIDR netmask (e.g. '10.0.0.0/22') or both
  dest_port             destination port or multiple ports given by list separated by comma (e.g. '8080,9090')
                        or port range (e.g. '1000-2000') or both

optional arguments:
  -h, --help            show this help message and exit
  --retries RETRIES, -R RETRIES
                        number of retries
  --timeout TIMEOUT, -T TIMEOUT
                        timeout in seconds
  --protocol {UDP,TCP,CoAP,mDNS,MQTT,DTLS,ALL}, -P {UDP,TCP,CoAP,mDNS,MQTT,DTLS,ALL}
                        protocol to be tested (UDP includes CoAP, mDNS and DTLS;
                        TCP includes CoAP and MQTT; ALL includes all supported protocols)
  --hide-disclaimer, -HD
                        hide the legal disclaimer (shown before starting intrusive tools)
  --verbose, -V, --debug, -D
                        turn on verbose/debug mode (more messages)
  --cve {ALL,CVE-2018-19417,...}
                        list of vulnerabilities to be tested (by CVE id)
  --vuln {ALL,BOTAN_000,COAPTHON3_000,...}
                        list of vulnerabilities to be tested (by SOFT_NUM id)
  --list, -L            display the list of all vulnerabilities supported by this tool with detailed descriptions
  --src-port SRC_PORT, -SP SRC_PORT
                        source port (if not specified, a random port will be used)
  --ignore-ping-check, -Pn
                        ignore ping check (treat all ports as alive)
```
Run with `--list` first to see which CVE and SOFT_NUM ids are available; the checks are active probes and, as the disclaimer says, can crash the tested service.
cotopaxi.client_vuln_tester
Tool for checking network clients for known vulnerabilities; the clients connect to a server provided by this tool.
```
usage: sudo python -m cotopaxi.client_vuln_tester [-h] [--server-ip SERVER_IP] [--server-port SERVER_PORT]
                                                  [--protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}] [--verbose]
                                                  [--vuln {ALL,BOTAN_000,COAPTHON3_000,...} [{ALL,BOTAN_000,COAPTHON3_000,...} ...]]
                                                  [--cve {ALL,CVE-2017-12087,...} [{ALL,CVE-2017-12087,...} ...]]
                                                  [--list]

optional arguments:
  -h, --help            show this help message and exit
  --server-ip SERVER_IP, -SI SERVER_IP
                        IP address that will be used to set up the tester server
  --server-port SERVER_PORT, -SP SERVER_PORT
                        port that will be used to set up the tester server
  --protocol {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}, -P {CoAP,mDNS,MQTT,DTLS,SSDP,HTCPCP}
                        protocol to be tested
  --verbose, -V, --debug, -D
                        turn on verbose/debug mode (more messages)
  --vuln {ALL,BOTAN_000,COAPTHON3_000,...} [{ALL,BOTAN_000,COAPTHON3_000,...} ...]
                        list of vulnerabilities to be tested (by SOFT_NUM id)
  --cve {ALL,CVE-2017-12087,CVE-2017-12130,...} [{ALL,CVE-2017-12087,CVE-2017-12130,...} ...]
                        list of vulnerabilities to be tested (by CVE id)
  --list, -L            display the list of all vulnerabilities supported by this tool with detailed descriptions
```
cotopaxi.amplifier_detector
Tool for detecting network devices that amplify reflected traffic. It passively sniffs the packets exchanged with dest_ip and compares the size of what goes in with the size of what comes back; a service that answers small requests with much larger responses can be abused for reflected amplification DDoS, so it has to see the traffic between the tested device and its clients.
```
usage: sudo python -m cotopaxi.amplifier_detector [-h] [--interval INTERVAL] [--port PORT] [--nr NR]
                                                  [--verbose]
                                                  dest_ip

positional arguments:
  dest_ip               destination IP address

optional arguments:
  -h, --help            show this help message and exit
  --interval INTERVAL, -I INTERVAL
                        minimal interval in seconds between displayed status messages (default: 1 sec)
  --port PORT, --dest_port PORT, -P PORT
                        destination port
  --nr NR, -N NR        number of packets to be sniffed (default: 9999999)
  --verbose, -V, --debug, -D
                        turn on verbose/debug mode (more messages)
```
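The measurement behind the detector is simple enough to state in a few lines: per remote peer, sum the bytes the device received and the bytes it sent back, and flag peers whose ratio is well above 1. The following is an added example for this page, not Cotopaxi's implementation (which sniffs live traffic with scapy); it applies that scoring to a small constructed packet list so the logic can be read and unit-tested offline. The `Packet` record, the 2.0 threshold and the sample sizes are this example's own assumptions. Python 3, standard library only.

```python
"""Score reflected-amplification candidates from observed packet sizes.

Added example (not Cotopaxi code). Replaces live sniffing with a list of
constructed observations; everything else is the bytes-out / bytes-in
bookkeeping a detector performs. Python 3, stdlib only.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    length: int     # bytes on the wire as a sniffer would count them


def amplification_by_peer(device_ip: str, packets: List[Packet]) -> Dict[str, dict]:
    """Group traffic by remote peer and compute out/in byte counts and their ratio.

    Only packets to or from device_ip are counted; anything else on the wire is
    ignored. A peer that sent traffic and got nothing back scores 0.0.
    """
    stats = defaultdict(lambda: {"in_bytes": 0, "in_pkts": 0, "out_bytes": 0, "out_pkts": 0})
    for p in packets:
        if p.dst == device_ip:                  # request arriving at the device
            stats[p.src]["in_bytes"] += p.length
            stats[p.src]["in_pkts"] += 1
        elif p.src == device_ip:                # response leaving the device
            stats[p.dst]["out_bytes"] += p.length
            stats[p.dst]["out_pkts"] += 1
    for s in stats.values():
        # unsolicited output (no input at all) is reported as infinite, not as an error
        s["ratio"] = s["out_bytes"] / s["in_bytes"] if s["in_bytes"] else float("inf")
    return dict(stats)


def find_amplifiers(device_ip: str, packets: List[Packet], threshold: float = 2.0) -> List[str]:
    """Peers for which the device returned more than `threshold` times the bytes it received."""
    stats = amplification_by_peer(device_ip, packets)
    return sorted(peer for peer, s in stats.items() if s["ratio"] > threshold)


# Constructed observations (documentation addresses), not a real capture:
# peer .1 sends two 21-byte CoAP discovery requests and gets 412-byte link-format
# answers back; peer .5 gets a reply smaller than its request; peer .9 gets none.
DEVICE = "192.0.2.10"
SAMPLE = [
    Packet("198.51.100.1", DEVICE, 40001, 5683, 21),
    Packet(DEVICE, "198.51.100.1", 5683, 40001, 412),
    Packet("198.51.100.1", DEVICE, 40001, 5683, 21),
    Packet(DEVICE, "198.51.100.1", 5683, 40001, 412),
    Packet("203.0.113.5", DEVICE, 40002, 5683, 60),
    Packet(DEVICE, "203.0.113.5", 5683, 40002, 45),
    Packet("203.0.113.9", DEVICE, 40003, 5683, 30),
]

if __name__ == "__main__":
    for peer, s in sorted(amplification_by_peer(DEVICE, SAMPLE).items()):
        print("%-14s in=%4d B/%d pkts  out=%4d B/%d pkts  ratio=%.1f"
              % (peer, s["in_bytes"], s["in_pkts"], s["out_bytes"], s["out_pkts"], s["ratio"]))
    print("amplifiers:", find_amplifiers(DEVICE, SAMPLE))
```

In the sample the first peer gets back about 19.6 bytes for every byte it sends, which is the pattern that matters for an attacker: a spoofed 21-byte request costs them almost nothing and the device delivers the 412-byte reply to the victim. The ratio is what to report; the absolute response size only matters once the ratio is high.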
Known issues/limitations
Using scapy as the network library causes some known issues or limitations:
Testing services running on the same machine may fail because some packets are not delivered.
Multiple tools running against the same target may interfere with each other (a packet may be interpreted as the response to a different request).
For more information see: https://scapy.readthedocs.io/en/latest/troubleshooting.html#
Unit tests
To run all unit tests, use (from the directory above cotopaxi):
```
sudo python -m unittest discover
```
Most of the tests are executed against remote test servers and require a prepared test environment, configured in tests/test_config.ini and tests/test_servers.yaml.
*Source: GitHub; compiled by FB editor secist; please credit FreeBuf.COM when reposting