Skip to content

Skill3t/IEC61850-MMS-Fuzzer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

IEC61850-MMS-Fuzzer

Overview

Mutation Based Fuzzer. Test your IEC61850 MMS Server Implementations. Mutation Based means in this context that the inputs have to do be genrated separately. The previously recorded network traffic has to be split in little chunks. The input data needs to have the following datanames.

Format: X_YY_ZZ.pcap X: sequential number. YY: coding of the service:

  • 00 Association
  • 01 Write value
  • 11 Direct control with normal security
  • 12 SBO control with normal security
  • 13 Direct control with enhanced security
  • 14 SBO control with enhanced security
  • 20 SGCB
  • ZZ: Logical node reference.

Input filter:

Use Wireshark Filter ip.src == (server ip) && mms

  • 01: Use first package
  • 11: Use first package
  • 12: Use first and second package (first select, second control)
  • 13: Use first and second package (first select, second control) enhanced security is just for the client relevant but not for Fuzzing
  • 20: Use first, second and third package (edit SG, write single Data, confirm edit SG)

Features

  • Association
  • Mutation of data
  • Resend the mutated data (over a TCP-Socked)
  • Generate PDF documentation of the tests

Parameter

  • Python main.py -h
  • f: Directory of the input data
  • i: IP-Adress of the server
  • o: Path to the documentation directory (output for the PDF documentation)
  • c: Count number of tests (mutations) of each input file (default 500)
  • d: Debug (default false)

example: python main.py -f /Users/XZ/... -i 192.168.1.42 -c 200 –d

Used IEC61850 services

  • Associate
  • Release
  • SelectEditSG
  • SetEditSGValue
  • ConfirmEditSGValues - Select
  • SelectWithValue
  • Operate
  • Write

Requirements

  • Python 3.X
  • Pyshark
  • Anytree
  • Reportlab
  • ...
  • Pip install -r requirements.txt

Info

  • please feel free to send a pull request
  • no warranty
  • please only use laboratory environment and handle all findings responible

Findings

Siemens SIPROTEC5 CVSS v3.0 Base Score: 7.5

License

  • CDDL