Simulator
New in Version 2.0
For some protocols it is not enough to fire a bunch of fuzzed packets at the device and hope to break it. More advanced protocols have several states and use e.g. sequence numbers to refer to previous messages in a session. Such values must be captured while interacting with the device and manipulated in a certain way, e.g. a sequence number is increased by one.
This is where the Simulator tab comes into play. Here you can configure label values to be learned at simulation time and even apply formulas to these values or obtain them from external programs. We will explore the features of the Simulator tab based on the challenge-response procedure between a smart home central and a wireless remote control.
First we start as usual by capturing messages with a Software Defined Radio and labeling the data in the Analysis tab (see below). Of course, you can edit the labels later in the Simulator tab, but the protocols from Analysis are useful for bootstrapping.
Now, move to the Simulator tab and drag your protocol from the tree view on the left onto the flow graph on the right. You will see the logical flow of your messages as shown in the image below.
Next, we want to configure the flow graph to match our use case. Simply right click on a message in the flow graph to edit its source and destination. You can choose any participant that you have defined in the project settings. For convenience, you can also configure the available participants in the Participants tab located at the far right of the Flow Graph tab.
Use the context menu of the flow graph to add rules (if / then / else). This allows you to model protocol state machines and e.g. send responses only when certain conditions are met.
Using the context menu (right click) of the flow graph you can add actions to arbitrary positions allowing you to deal with more complex scenarios:
- Goto lets you jump to an arbitrary item in the flow graph. Simply choose the desired item from a dropdown menu.
- Counter actions increase their value by a (configurable) number each time they are hit during simulation. In combination with rules and Goto actions this enables stateful fuzzing, e.g. looping over a message until the counter reaches a limit.
- Sleep will pause the simulation for a selected time.
- Trigger Command enables you to call external programs so you can e.g. send an E-Mail as soon as simulation reaches a certain state.
Using the table on the bottom of the Simulator tab you can define how the values of labels shall be determined. You have five options for this:
- Constant value will match against the defined value of the label. If the value does not match during simulation the message will not be accepted. You can configure the value in the Messages tab on the right of the Flow Graph tab.
- Live input will insert the value of the label during simulation time. This is especially useful if a value is not known beforehand e.g. a sequence number.
- Formula allows you to calculate a value based on previous messages. You can write arbitrary Python expressions here and refer to previous label values, e.g. with `item1.sequence_number + 1`. This inserts the value of the first message's sequence number (which may be a live input) incremented by one. This way you can refer to previous values and manipulate them as desired.
- External program is useful when you have an external program (e.g. an AES encryption) that produces the desired value for a label. When called during simulation, your external program gets all messages previously received and sent by the respective participant. The messages and their directions are passed to STDIN of your program.
- Random value will insert a random value from a customizable range.
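As an added illustration of the External program option (this is example code, not part of URH and not the project's own code), the following Python script computes a response for a challenge-response label. It assumes a transcript format of one message per line, a direction marker ("->" sent, "<-" received) followed by the message bits; that the challenge sits at bits 16..48 of the last received frame (substitute the start/end of your own challenge label); that the value is printed to STDOUT as a bit string; and it uses HMAC-SHA256 with a hypothetical key as a stand-in for whatever operation (e.g. AES) the real device performs. Verify the exact STDIN and STDOUT format against the transcript and simulation log of your URH version before relying on it.

```python
#!/usr/bin/env python3
"""External-program example for a URH simulator label (added illustration, not URH code).

URH calls the program during simulation and writes the messages exchanged so far with
the selected participant to STDIN; the program writes the label value to STDOUT.
Assumptions (verify against your URH version and transcript):
  * one message per line, a direction marker followed by the message bits
  * lines marked "<-" are messages received by our participant
  * the challenge occupies bits CHALLENGE_START:CHALLENGE_END of the last received frame
  * the response is expected as a bit string
"""
import hashlib
import hmac
import re
import sys

# Hypothetical device secret; a real one would come from firmware or the pairing process.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CHALLENGE_START, CHALLENGE_END = 16, 48  # assumed position of the challenge label
RESPONSE_BITS = 32                       # assumed length of the response label

# direction marker (anything before the bits), then a contiguous run of 0/1 characters
LINE_RE = re.compile(r"^\s*(?P<dir>.*?)\s*(?P<bits>[01]+)\s*$")


def parse_transcript(text: str):
    """Return [(direction, bits), ...] for every transcript line that carries bits."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            msgs.append((m.group("dir"), m.group("bits")))
    return msgs


def last_received(msgs):
    """Bits of the most recent message marked as received ('<-'), or None."""
    for direction, bits in reversed(msgs):
        if "<-" in direction:
            return bits
    return None


def bits_to_bytes(bits: str) -> bytes:
    """Big-endian packing; leading zero bits are preserved via the byte count."""
    return int(bits, 2).to_bytes((len(bits) + 7) // 8, "big")


def bytes_to_bits(data: bytes, nbits: int) -> str:
    """First nbits of data as a '0'/'1' string."""
    return format(int.from_bytes(data, "big"), "0{}b".format(len(data) * 8))[:nbits]


def compute_response(challenge_bits: str) -> str:
    """HMAC-SHA256 over the challenge, truncated to the response label length.

    Stand-in for the device's real operation (e.g. AES); swap in the real primitive here.
    """
    mac = hmac.new(KEY, bits_to_bytes(challenge_bits), hashlib.sha256).digest()
    return bytes_to_bits(mac, RESPONSE_BITS)


def response_for_transcript(text: str) -> str:
    """Parse the transcript, locate the challenge in the last received frame, answer it."""
    frame = last_received(parse_transcript(text))
    if frame is None or len(frame) < CHALLENGE_END:
        raise ValueError("no received frame long enough to contain the challenge")
    return compute_response(frame[CHALLENGE_START:CHALLENGE_END])


# Constructed sample transcript in the assumed format: the remote sends a 16-bit request,
# the central answers with a 64-bit frame whose bits 16..48 (0xDEADBEEF) are the challenge.
SAMPLE_TRANSCRIPT = (
    "-> 1010101011110000\n"
    "<- " + "1010101011110000" + "11011110101011011011111011101111" + "0000000000000000" + "\n"
)

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not data.strip():          # run stand-alone: demonstrate on the constructed sample
        data = SAMPLE_TRANSCRIPT
    try:
        sys.stdout.write(response_for_transcript(data))
    except ValueError as exc:
        sys.exit("challenge-response: {}".format(exc))
```

Point the label's External program setting at this script (make it executable) and check the simulation log: if URH reports a mismatch or an empty value, the STDIN format or the bit offsets differ from the assumptions above and need adjusting to what the transcript actually shows.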
Once everything is configured, you can click the Simulate... button on the bottom left of the Simulator tab. This will bring up the simulation dialog:
Before starting the simulation, you should configure an SDR for receiving and transmitting in the RX settings and TX settings tabs, respectively.
During simulation, the currently captured signal is shown under RX status so you can quickly debug RX issues. This capture is limited in size; if you want to capture everything, check the Capture complete RX checkbox, but be aware that this will use more and more RAM as the simulation runs. With the save button on the right you can save the current capture to investigate it further in Interpretation.
To start the simulation use the Start button at the bottom of the dialog. During simulation you will see a log of what is currently happening and be informed e.g. about mismatching constant values, as shown below:
After simulation, you will find the transcript in the Transcript tab located at the left of the Simulator tab. You can also save this transcript or open it directly in Analysis for further investigations.