mtf_storm_v_python3_instructions-en.txt
============================================
MTF - Storm v.1 for python3 quick start guide
============================================
MTF-Storm [2] extends MTF [1], introducing novel techniques and methods for the selection of field values and for
the format alteration techniques. MTF-Storm adopts a systematic approach to exercising the values of packet fields
and the format changes, in contrast to the random values and changes used by MTF.
MTF-Storm is implemented on top of the MTF software, i.e. it is implemented in Python and employs the open source
Modbus protocol implementations modbus-tk (available at https://pypi.org/project/modbus_tk/) and pymodbus
(available at https://github.com/riptideio/pymodbus), together with scapy (available at
https://github.com/secdev/scapy) and Sulley (available at https://github.com/OpenRCE/sulley), to generate valid
Modbus/TCP frames and to manage the master/slave connectivity.
For the generation of tests that include combinations of fields, MTF-Storm uses the tools NIST ACTS (available at
https://csrc.nist.gov/Projects/automated-combinatorial-testing-for-software/downloadable-tools) and allpairspy 2.5.0
(available at https://github.com/thombashi/allpairspy).
See related work:
[1] A.G. Voyiatzis, K. Katsigiannis and S. Koubias, "A Modbus/TCP Fuzzer for testing internetworked industrial
    systems." In Proceedings of the 20th IEEE International Conference on Emerging Technologies and Factory
    Automation (ETFA), Luxembourg, Sept. 8-11, 2015, pp. 1-6.
[2] K. Katsigiannis and D. Serpanos, "MTF-Storm: a high performance fuzzer for Modbus/TCP." In 2018 IEEE 23rd
    International Conference on Emerging Technologies and Factory Automation (ETFA), Vol. 1, IEEE, 2018.
MTF-Storm: source code of the Modbus/TCP fuzzer used for the ETFA 2018 paper [2].
Linux Prerequisites:
1. Python 3.9 installed
2. apt install python3-pip
3. Install numpy under python3:
   apt install python3-numpy
   pip3 install numpy
4. modbus-tk-1.0.0 installed:
   pip3 install modbus_tk==1.1.2
5. Install the scapy 2.4.5 library:
   pip3 install scapy==2.4.5
6. Install coloredlogs:
   pip3 install coloredlogs
7. Install allpairspy 2.5.0:
   pip3 install allpairspy
8. git clone https://github.com/ntinosk-mtf/etfa2018
   copy to /home/user/MTF_Storm
   cd MTF-Storm_python3_v1/MTF-Storm
9. From /home/user/MTF_STORM/MTF-Storm_python3_v1, run the script mtf.py with the following parameters:
   python mtf.py -i <host> -s <search_mode> -z <fuzz_mode> -f <csvFile=search.csv> -p <pcap_file=packets.pcap> -t <suite test> -r <normal_request>
   host - the IP of the remote machine (under test) or local host (127.0.0.1)
   csvFile - stores the search information
   pcap_file - trace pcap file
   normal_request - number of requests for every FC found during the identification phase (default=1000)
   suite test = [('test_MBAP', 1), ('test_message_PDU', 2), ('test_field_PDU', 3), ('Not_fuzz', 4)]
I. python mtf.py -i 192.168.x.x -s -f, identification process, where 192.168.x.x (or local host) is the IP address
of the device or software with open port 502.
Output:
a) generates a file named "search.csv". The file contains the list of supported FCs and addresses of the device or
   software under test.
b) generates a file named "dump_memory.csv", storing information for the dump memory attack (retrieval of information
   about the memory locations of the remote machine (SUT): "Address 0x Value READ_COILS", "Address 3x Value
   READ_INPUT_REGISTERS", etc.).
c) generates log files named "info_Y_m_d_H_M_S.log" (Year_Month_Day_Hour_Minute_Second.log) and
   "error_Y_m_d_H_M_S.log", containing information about the transactions executed during the identification phase.
II. python mtf.py -i 192.168.x.x -s -f -p, identification phase based on pcap files (~60 MB of requests/responses,
~250,000 packets). A "search.csv" file is generated as in I; it contains the list of supported FCs and addresses
based on the traffic read from the pcap file (if the options -z and -t <suite test> are also given, mtf.py starts
the fuzzing process automatically as well).
III. python mtf.py -i 192.168.x.x -z -f -t 2, fuzzing process (phase 2); assumes that the file "search.csv" already
exists (generated by phase 1 of I above). (<-t 2> test_message_PDU)
a. python mtf.py -i 192.168.x.x -z -f -t 2 -F 1 (test duplicate ADU)
b. python mtf.py -i 192.168.x.x -z -f -t 2 -F 2 (test attack byte PDU)
IV. python mtf.py -i 192.168.x.x -s -z -f -t 3, identification process (phase 1) and then fuzzing (phase 2)
(<-t 1> test field MBAP, <-t 3> test field PDU, single and pairwise)
a. python mtf.py -i 192.168.x.x -z -f -t 2 -w 1, test for 1-way (single tests only)
b. python mtf.py -i 192.168.x.x -z -f -t 2 -w 2, test for 2-way (pairwise tests only)
Output:
a) generates log files named "info_Y_m_d_H_M_S.log" (Year_Month_Day_Hour_Minute_Second.log) and
   "error_Y_m_d_H_M_S.log", containing information about the executed transactions (requests/responses) and errors.
b) generates the files described in I.a and I.b above.
V. python mtf.py -i 192.168.x.x -z -f -t 4 -r 300, sends 300 normal requests (no fuzzing) for the list of supported
FCs, with random valid values in the PDU fields (without -r 300, default=1000).
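The suites above mutate the two layers of a Modbus/TCP frame: the MBAP header (-t 1) and the PDU (-t 2, -t 3), including a duplicated ADU (-F 1). The following is an added example, not MTF-Storm code, showing the frame layout and the consistency checks a device or a passive monitor can apply to reject such frames: the MBAP length field is checked against the bytes actually present, a second ADU in the same TCP segment is reported as a separate record (the assumed meaning of "duplicate ADU" here), and read requests (FC 1-4) are checked against the per-request quantity limits of Modbus_Application_Protocol V1 1b3. The sample frames are constructed in the code, not captured traffic.

```python
"""Modbus/TCP ADU parsing with the consistency checks a receiver should apply.

Added example for this guide, not MTF-Storm code. Field limits come from
Modbus_Application_Protocol V1 1b3; the sample frames below are constructed.
"""
import struct

MBAP_LEN = 7            # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_PDU_LEN = 253       # spec 4.1: ADU is at most 260 bytes on TCP, PDU at most 253
READ_FUNCTIONS = {1: "READ_COILS", 2: "READ_DISCRETE_INPUTS",
                  3: "READ_HOLDING_REGISTERS", 4: "READ_INPUT_REGISTERS"}
MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125}   # spec 6.1-6.4 per-request limits


def build_read_request(tid, unit, fc, address, quantity):
    """Build a well-formed read request ADU (FC 1-4)."""
    pdu = struct.pack(">BHH", fc, address, quantity)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)   # length counts unit id + PDU
    return mbap + pdu


def check_pdu(tid, unit, pdu):
    """Validate a read-request PDU against the spec limits; other FCs pass through."""
    fc = pdu[0]
    rec = {"tid": tid, "unit": unit, "fc": fc}
    if fc not in READ_FUNCTIONS:
        rec["data"] = pdu[1:]
        return rec
    if len(pdu) != 5:
        rec["error"] = "%s expects 4 data bytes, got %d" % (READ_FUNCTIONS[fc], len(pdu) - 1)
        return rec
    address, quantity = struct.unpack(">HH", pdu[1:5])
    rec.update(address=address, quantity=quantity)
    if not 1 <= quantity <= MAX_QUANTITY[fc]:
        rec["error"] = "quantity %d outside 1..%d" % (quantity, MAX_QUANTITY[fc])
    elif address + quantity > 0x10000:
        rec["error"] = "address %d + quantity %d overruns the 16-bit address space" % (address, quantity)
    return rec


def parse_adus(data):
    """Split one TCP payload into ADUs, checking every MBAP header.

    Returns one dict per frame; a rejected frame carries an 'error' key.
    A second complete ADU in the same segment is returned as a second
    record, which is how a duplicated ADU becomes visible to a receiver.
    """
    results, offset = [], 0
    while offset < len(data):
        chunk = data[offset:]
        if len(chunk) < MBAP_LEN + 1:
            results.append({"error": "short frame: %d bytes" % len(chunk)})
            break
        tid, proto, length, unit = struct.unpack(">HHHB", chunk[:MBAP_LEN])
        if proto != 0:
            results.append({"error": "protocol id %d is not Modbus (0)" % proto})
            break
        if not 2 <= length <= MAX_PDU_LEN + 1:
            results.append({"error": "MBAP length %d out of range" % length})
            break
        pdu = chunk[MBAP_LEN:MBAP_LEN + length - 1]
        if len(pdu) != length - 1:
            results.append({"error": "MBAP length %d exceeds %d available bytes"
                            % (length, len(chunk) - MBAP_LEN)})
            break
        results.append(check_pdu(tid, unit, pdu))
        offset += MBAP_LEN + length - 1
    return results


# Constructed sample frames (not captured traffic):
GOOD = build_read_request(1, 1, 3, 0, 10)                   # FC3, 10 registers from address 0
DUPLICATE_ADU = GOOD + GOOD                                 # two ADUs in one TCP segment
BAD_LENGTH = GOOD[:4] + struct.pack(">H", 200) + GOOD[6:]   # MBAP length field overstated
BAD_QUANTITY = build_read_request(2, 1, 3, 0, 126)          # one register over the FC3 limit

if __name__ == "__main__":
    for name, frame in [("good", GOOD), ("duplicate", DUPLICATE_ADU),
                        ("bad_length", BAD_LENGTH), ("bad_quantity", BAD_QUANTITY)]:
        print(name, parse_adus(frame))
```

Running the block prints one record list per sample: the good frame parses to a single FC3 record, the duplicated segment yields two valid records, the overstated length is rejected before the PDU is touched, and the 126-register request is flagged by the quantity check. A receiver that only trusts the MBAP length field, or that never bounds the quantity, is exactly what the -t 1 and -t 3 suites are built to exercise.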
INFO:
Default directory ./ is the install dir, such as MTF_STORM.
./               - search.csv (supported FCs and addresses) and dump_memory.csv (map address table): csv files
                   written after search mode (reconnaissance)
./log            - default directory (log_dir) for log files and statistics: Coverage report, valid/invalid cases,
                   cov %, tuples of test values
/tmp/def         - directory where the .csv files from AllPairs 2.0.1 PAIRWISE tests are saved (created for
                   FC01-FC04)
/Nist-csv        - csv files from ACTS Test Suite Generation PAIRWISE tests for FC 15,16,20,21,23,43 and mbap.csv
/tools           - some csv files and scripts from allpairspy and allpairs
/utils           - some utility scripts, wireshark filters, help txt, etc.
/fig_test        - some screenshots of results (crash, DoS)
/png             - png images of MTF-Storm runs
/spec            - Modbus_Application_Protocol V1 1b3
                   ACTS user guide v3.0
/results
/txt             - some instructions (en)
/reconnaissance  - some results from reconnaissance
/coverage        - some results from statistics, Coverage, tuples of test values
/some_test_pcap  - some results from reconnaissance from pcap files
/test_format     - configuration of address vs quantity for the test format (duplicate ADU/PDU)
/test-PDU        - configuration of the pairwise tests of PDU fields (address vs quantity)
/basetest        - scripts for the base tests
/libraries       - library for fuzz testing
/product         - script for product message
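The -w 1 / -w 2 options above and the "cov %" and "tuples of test value" entries of the coverage report come from combinatorial testing over the PDU field values configured under /test-PDU. As an added example, not MTF-Storm code (the fuzzer itself delegates this to allpairspy and NIST ACTS), the block below shows what 1-way (every value at least once) and 2-way (every pair of values at least once) mean on a small address/quantity/unit-id table, generates a covering suite greedily, and computes the t-way coverage percentage of any test list. The value table is constructed here as a set of FC3 boundary cases and is not a file from the project; only the standard library is used.

```python
"""1-way and 2-way (pairwise) test selection over Modbus PDU fields.

Added example for this guide, not MTF-Storm code. Shows what -w 1 / -w 2
mean and how a cov % figure is computed, using a constructed value table.
"""
from itertools import combinations, product

# Constructed value table modelled on an "address vs quantity" configuration;
# the values are FC3 boundary cases, not a file from the project.
PDU_FIELDS = {
    "address":  [0x0000, 0x0001, 0xFFFF],
    "quantity": [0x0000, 0x0001, 0x007D, 0x007E],   # 0, 1, max (125), max + 1
    "unit_id":  [0x00, 0x01, 0xFF],
}


def needed_tuples(params, way):
    """Every (field, value) t-tuple that a t-way suite must contain."""
    names = list(params)
    needed = set()
    for combo in combinations(names, way):
        for values in product(*(params[n] for n in combo)):
            needed.add(tuple(zip(combo, values)))
    return needed


def tuples_of(test, names, way):
    """The t-tuples that one test case covers."""
    return {tuple((n, test[n]) for n in combo) for combo in combinations(names, way)}


def greedy_suite(params, way=2):
    """Greedy t-way covering array: keep adding the full-factorial candidate
    that covers the most still-uncovered tuples until none remain."""
    names = list(params)
    candidates = [dict(zip(names, values)) for values in product(*params.values())]
    uncovered = needed_tuples(params, way)
    suite = []
    while uncovered:
        best = max(candidates, key=lambda t: len(tuples_of(t, names, way) & uncovered))
        suite.append(best)
        uncovered -= tuples_of(best, names, way)
    return suite


def coverage_percent(tests, params, way=2):
    """Share of the required t-tuples that the given tests cover (the cov % figure)."""
    names = list(params)
    needed = needed_tuples(params, way)
    covered = set().union(*(tuples_of(t, names, way) for t in tests))
    return 100.0 * len(needed & covered) / len(needed)


if __name__ == "__main__":
    full_factorial = len(list(product(*PDU_FIELDS.values())))
    for way in (1, 2):
        suite = greedy_suite(PDU_FIELDS, way)
        print("%d-way: %d tests, %.1f%% coverage (full factorial: %d tests)"
              % (way, len(suite), coverage_percent(suite, PDU_FIELDS, way), full_factorial))
```

On this table the 1-way suite needs only as many tests as the largest field has values (four), the 2-way suite needs at least twelve (the address x quantity pairs) instead of the thirty-six of the full factorial, and coverage_percent applied to a partial run of either suite gives the cov % that the report in ./log records.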