AutoGadgetFS:一款針對USB設備的安全測試工具
關于AutoGadgetFS
AutoGadgetFS是一款開源框架,它可以幫助廣大研究人員在無需深入了解USB協議的情況下對USB設備以及相關的主機/驅動器/軟件進行評估。該工具基于Python 3開發,并且使用了RabbitMQ和WiFi訪問來幫助研究人員對遠程USB設備進行安全審計。在ConfigFS的幫助下,AutoGadgetFS允許用戶迅速克隆和模擬設備而無需深入研究每一個實現細節。除此之外,該框架還允許用戶創建自己的模糊測試器。
功能介紹
輕松查找、選擇并連接到USB設備。
模擬任何USB HID設備。
以中間件設備身份執行AGFS嗅探HID設備(將通信保存到磁盤)。
設備嗅探(任何設備)。
多個Fuzzer允許您對設備或主機進行模糊測試。
隨機Fuzzer(具有固定或隨機長度的數據包)。
智能Fuzzer,可以從以前的USB通信中學習。
可以告訴Fuzzer哪些字節要模糊化,使包的其余部分保持不變。
小工具Fuzzer。
順序Fuzzer。
控制傳輸枚舉器。
從文件中重放數據包。
從保存的USBLyzer捕獲重放數據包。
顯示數據包的可視方式,以便于對通信信息進行逆向分析。
DFU模式下的設備警報,或者設備泄漏信息。
支持對USB設備和主機進行遠程調試。
監控突然的界面變化。
工具要求
一臺運行了Linux的主機(Debian/Ubuntu/Kali);
支持WiFi訪問的樹莓派Raspberry Pi Zero;
目標設備選擇:虛擬機或單一主機;
兩條USB線纜;
目標USB設備;
硬件調試器(可選);
工具配置圖
設備測試
設置中間件
設置中間件并支持設備調試
工具安裝
Linux設備
sudo apt install python3 ipython3 git python3-pip rabbitmq-server dfu-util
sudo service rabbitmq-server start
git clone https://github.com/ehabhussein/AutoGadgetFS
cd AutoGadgetFS
sudo -H pip3 install -r requirements.txt
sudo python3 -m pip install prompt-toolkit~=2.0
sudo rabbitmq-plugins enable rabbitmq_management
http://localhost:15672/ to reach the web interface
sudo rabbitmqctl add_user autogfs usb4ever
sudo rabbitmqctl set_user_tags autogfs administrator
sudo service rabbitmq-server restart
安裝完成后,請按照下列方式測試安裝結果
sudo ipython3
Python 3.7.7 (default, Apr 1 2020, 1352)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.9.0 -- An enhanced Interactive Python. Type '?' for help.
In [1]: import libagfs
In [2]: x = libagfs.agfs()
***************************************
AutoGadgetFS: USB testing made easy
***************************************
Enter IP address of the rabbitmq server: 127.0.0.1
In [3]: exit
sudo `python3` agfsconsole.py
***************************************
AutoGadgetFS: USB testing made easy
***************************************
Enter IP address of the rabbitmq server: 127.0.0.1
Give your project a name?!:
工具運行截圖
中間人攻擊
USB設備模糊測試
主機端基于代碼覆蓋的模糊測試
基于字節的模糊測試
AutoGadgetFS命令行終端
基于流量學習的智能Fuzzer
In [44]: x.devSmartFuzz(engine="smart",samples=5,filename="/home/raindrop/PycharmProjects/AutoGadgetFs/binariesdb/Nud-Nuvoton-1046-20764-1590421333.5169587-Nuvoton-1046-20764-1590421600.8067
...: 274-device.bin")
[+]General Statistics
Full charset : !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~
Discarded charset : !"#$%&'()*+,-./:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`ghijklmnopqrstuvwxyz{|}~
Final charset : 0123456789abcdef
Word Length : 128
Lower Case index usage : 92%
Lower Case index locations : [1, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 121, 122, 124, 125, 127]
Upper Case index usage : 0%
Upper Case index locations : []
Digit index usage : 96%
Digit index locations : [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 123, 126]
NonAN index usage : 0%
NonAN index locations : []
Counter statistics : Uppercase: 0 , Lowercase: 133071, Digits:212017 , NonAlphaNumeric:0
All char Frequencies :
character:5 found:5012 times
character:2 found:22563 times
character:3 found:12197 times
character:8 found:15008 times
character:4 found:13275 times
character:0 found:98056 times
character:1 found:17861 times
character:f found:87823 times
character:d found:7221 times
character:7 found:9614 times
character:a found:11148 times
character:6 found:10472 times
character:b found:8189 times
character:9 found:7959 times
character:c found:9172 times
character:e found:9518 times
***********************
generated:5 Packets
***********************
Out[44]:
['5608305852bf2ffd61770e2c827542f20be0b0fcba09db916bd07e1734b04cb0352b1d278068064d19f033bfad6fa90e53d865693fd4fee0214f00000eb0aa2c',
'3b083595f276e2f1353a535c32f0f59516fc9328f7673bb80262c4da11c93683afe6dcff8a7a83018d78f41498a0da4d141ebd39c361b1724f2b00000eb0aa2c',
'0120961963495c4dab9470738b497eddde07b0d70b357795ad9554d7964761969a6d997205e17eada6fa84eb33dcfb11412f75e04c195001283900000eb0aa2c',
'091065d52127bbc6e840e02f8e1316f1c4d9c92a23931c00cdbb8c158368852ef8fabd461b98812b51ec84e1ccc5c04aaa366fbafabec623bd3500000eb0aa2c',
'7300cc61151b7af27a578e766f49bebb2de68c48b37a00df1030ae464f456928eedd035303e697208bf58217af728a2a346fda5c8aef0335b82e00000eb0aa2c'
In [46]: x.edap.packets
Out[46]:
['5608305852bf2ffd61770e2c827542f20be0b0fcba09db916bd07e1734b04cb0352b1d278068064d19f033bfad6fa90e53d865693fd4fee0214f00000eb0aa2c',
'3b083595f276e2f1353a535c32f0f59516fc9328f7673bb80262c4da11c93683afe6dcff8a7a83018d78f41498a0da4d141ebd39c361b1724f2b00000eb0aa2c',
'0120961963495c4dab9470738b497eddde07b0d70b357795ad9554d7964761969a6d997205e17eada6fa84eb33dcfb11412f75e04c195001283900000eb0aa2c',
'091065d52127bbc6e840e02f8e1316f1c4d9c92a23931c00cdbb8c158368852ef8fabd461b98812b51ec84e1ccc5c04aaa366fbafabec623bd3500000eb0aa2c',
'7300cc61151b7af27a578e766f49bebb2de68c48b37a00df1030ae464f456928eedd035303e697208bf58217af728a2a346fda5c8aef0335b82e00000eb0aa2c']
幫助模式
In [15]: x.help("")
Currently supported methods:
__________________________________________________________________________________________________________________________________________________________________
Method ||-->Description
----------------------------------------------------------------------------------------------------------------------------
MITMproxy ||-->This method creates a connection to the RabbitMQ and listen on received messages on the todev queue
____________________________________________________________________________________________________________________________
MITMproxyRQueues ||-->This method reads from the queue todev and sends the request to the device its self.
____________________________________________________________________________________________________________________________
SmartFuzz ||-->This method is generates packets based on what it has learned from a sniff from either the host or the device
____________________________________________________________________________________________________________________________
chgIntrfs ||-->This method allows you to change and select another interface
____________________________________________________________________________________________________________________________
clearqueues ||-->this method clears all the queues on the rabbitMQ queues that are set up
____________________________________________________________________________________________________________________________
clonedev ||-->This method does not need any parameters it only saves a backup of the device incase you need to share it or use it later.
____________________________________________________________________________________________________________________________
createctrltrsnfDB ||-->creates a SQLite database containing values that were enumerated from control transfer enumeration
____________________________________________________________________________________________________________________________
createdb ||-->create the sqlite table and columns from usblyzer captures
____________________________________________________________________________________________________________________________
decodePacketAscii ||-->This method decodes packet bytes back to Ascii
____________________________________________________________________________________________________________________________
describeFuzz ||-->This method allows you to describe a packet and select which bytes will be fuzzed
____________________________________________________________________________________________________________________________
devEnumCtrltrnsf ||-->This method enumerates all possible combinations of a control transfer request
____________________________________________________________________________________________________________________________
devReset ||-->This method Resets the device
____________________________________________________________________________________________________________________________
devWrite ||-->To use this with a method you would write to a device make sure to run the startSniffReadThread(self,endpoint=None, pts=None, queue=None,channel=None)
____________________________________________________________________________________________________________________________
devctrltrnsf ||-->This method allows you to send ctrl transfer requests to the target device
____________________________________________________________________________________________________________________________
deviceInfo ||-->gets the complete info only for any usb connected to the host
____________________________________________________________________________________________________________________________
deviceInterfaces ||-->get all interfaces and endpoints on the device
____________________________________________________________________________________________________________________________
devrandfuzz ||-->this method allows you to create fixed or random size packets created using urandom
____________________________________________________________________________________________________________________________
devseqfuzz ||-->This method allows you to create sequential incremented packets and send them to the device
____________________________________________________________________________________________________________________________
findSelect ||-->This method enumerates all USB devices connected and allows you to select it as a target device as well as its endpoints
____________________________________________________________________________________________________________________________
help ||-->AutogadgetFS Help method
____________________________________________________________________________________________________________________________
hostwrite ||-->This method writes packets to the host either targeting a software or a driver in control of the device
____________________________________________________________________________________________________________________________
hstrandfuzz ||-->this method allows you to create fixed or random size packets created using urandom and send them to the host queue
____________________________________________________________________________________________________________________________
monInterfaceChng ||-->Method in charge of monitoring interfaces for changes this is called from def startMonInterfaceChng(self)
____________________________________________________________________________________________________________________________
newProject ||-->creates a new project name if you were testing something else
____________________________________________________________________________________________________________________________
releasedev ||-->releases the device and re-attaches the kernel driver
____________________________________________________________________________________________________________________________
removeGadget ||-->This method removes the gadget from the raspberryPI
____________________________________________________________________________________________________________________________
replaymsgs ||-->This method searches the USBLyzer parsed database and give you the option replay a message or all messages from host to device
____________________________________________________________________________________________________________________________
searchmsgs ||-->This method allows you to search and select all messages for a pattern which were saved from a USBlyzer database creation
____________________________________________________________________________________________________________________________
setupGadgetFS ||-->setup variables for gadgetFS : Linux Only, on Raspberry Pi Zero best option
____________________________________________________________________________________________________________________________
showMessage ||-->shows messages if error or warn or info
____________________________________________________________________________________________________________________________
sniffdevice ||-->read the communication between the device to hosts
____________________________________________________________________________________________________________________________
startMITMusbWifi ||-->Starts a thread to monitor the USB target Device
____________________________________________________________________________________________________________________________
startMonInterfaceChng||-->This method Allows you to monitor a device every 10 seconds in case it suddenly changes its interface configuration.
____________________________________________________________________________________________________________________________
startQueuewrite ||-->initiates a connection to the queue to communicate with the host
____________________________________________________________________________________________________________________________
startSniffReadThread ||-->This is a thread to continuously read the replies from the device and dependent on what you pass to the method either pts or queue
____________________________________________________________________________________________________________________________
stopMITMusbWifi ||-->Stops the man in the middle thread between the host and the device
____________________________________________________________________________________________________________________________
stopMonInterfaceChang||-->Stops the interface monitor thread
____________________________________________________________________________________________________________________________
stopQueuewrite ||-->stop the thread incharge of communicating with the host machine
____________________________________________________________________________________________________________________________
stopSniffing ||-->Kills the sniffing thread strted by startSniffReadThread()
____________________________________________________________________________________________________________________________
usblyzerparse ||-->This method will parse your xml exported from usblyzer and then import them into a database
____________________________________________________________________________________________________________________________
In [16]: x.help("findSelect")
****
[+]Help for findSelect Method:
[-]Signature: findSelect(self, chgint=None)
[+]findSelect Help:
This method enumerates all USB devices connected and allows you to select it as a target device as well as its endpoints
聲明:本文內容及配圖由入駐作者撰寫或者入駐合作網站授權轉載。文章觀點僅代表作者本人,不代表電子發燒友網立場。文章及其配圖僅供工程師學習之用,如有內容侵權或者其他違規問題,請聯系本站處理。
舉報投訴
-
usb
+關注
關注
60文章
8066瀏覽量
269773 -
測試器
+關注
關注
0文章
54瀏覽量
26371 -
開源框架
+關注
關注
0文章
32瀏覽量
9481
原文標題:AutoGadgetFS:一款針對USB設備的安全測試工具
文章出處:【微信號:技術讓夢想更偉大,微信公眾號:技術讓夢想更偉大】歡迎添加關注!文章轉載請注明出處。
發布評論請先 登錄
相關推薦
告別復雜操作:一款在樹莓派上測試操作系統的免費工具!
BalenaEtcher是一款有趣的免費工具,可用于創建可啟動的SD卡和USB驅動器。我經常用它來在我的RaspberryPi上測試新的操作系統,但你也可以用它來安裝新的Linux發行
新品發布 | TOSUN同星發布多總線仿真測試工具,突破傳統通訊瓶頸!
新品發布NewproductsreleaseTC1038Pro是同星智能開發的一款多總線仿真測試工具,產品采用以太網的方式與PC連接,確保了數據傳輸的速率,使得設備在進行大量總線數據處理時不會與PC
芯科科技Z-Wave設備測試工具介紹
本篇技術博文將介紹SiliconLabs(芯科科技)提供的Z-Wave設備測試工具,通過使用一個舊的Z-Wave DUT項目來測試Z-Wave設備
Web端TCP/UDP測試工具!小白必學~
Web端TCP/UDP測試工具,方便大家進行各種基于TCP和TDP的模擬測試。該測試工具不僅支持TCP和UDP測試,還支持SSL,使用極為便捷。 按照如下
嵌入軟件單元/集成測試工具專業分析
引言 在現代軟件開發過程中,單元測試作為確保代碼質量的重要環節,得到了廣泛的關注和應用。隨著嵌入式系統的復雜性日益增加,對高效、可靠的單元測試工具的需求也愈加迫切。WinAMS作為一款專為嵌入
CAN總線測試工具選擇與使用
1. CAN分析儀 CAN分析儀是一種高級的測試工具,能夠實時捕獲和分析CAN總線上的數據。它們通常具備以下功能: 數據捕獲和存儲 實時數據顯示 信號診斷和錯誤檢測 網絡參數配置 模擬CAN消息發送 2. CAN接口卡 CAN接口卡是
SD NAND測試工具的實用技巧
H2 testw檢測工具是一款能夠為用戶們提供全面的U盤讀寫性能的U盤工具,H2testwU盤檢測工具能夠準確的檢測出U盤的參數信息,提高用戶的使用效率。
性能測試工具上線!暢玩《黑神話:悟空》 固態硬盤選致態
《黑神話:悟空》自發布以來,一直備受玩家期待。8月13日,游戲科學在Steam上發布了該游戲的電腦性能測試工具,即PC游戲界常見的benchmark“跑分工具”,一經發布便引起了游戲圈
是德科技為FiRa2.0認證版本提供UWB設備一致性測試工具
近日,是德科技(Keysight Technologies)宣布了一項重要進展,該公司已正式為最新發布的FiRa 2.0認證版本中的物理層(PHY)一致性測試提供了全面的驗證測試工具。
新品發布 | 多通道車載以太網仿真測試工具
重磅推出多通道車載以太網/CANFD/LIN仿真測試工具—TC1054Pro產品助力行業進程。TOSUN01產品簡介TC1054Pro是同星智能推出的一款多通道車
CAN總線測試工具的主要功能
和分析CAN幀: CAN測試工具能夠捕獲CAN總線上的CAN幀,并進行詳細的分析。 這包括檢測報文、過濾報文、發送報文等。 常見的工具如Canalyser、Canoe、Canalyzer等,都具備這一
新加坡推出Project Moonshot -- 這是一款生成式人工智能測試工具包,用于應對LLM安全和安保挑戰
新加坡2024年6月3日?/美通社/ -- 新加坡通訊及新聞部部長Josephine Teo 女士推出了AI Verify- Project Moonshot,這是一個易于使用的測試工具包,旨在
工具鏈工具——映射與調度、模擬與驗證、開發與測試工具
本篇文章將重點介紹工具鏈的工具相關知識,我們將從工具鏈的基本概念出發,重點介紹工具鏈中的映射和調度工具、模擬與驗證
工商網監
評論