National Digital Library of Theses and Dissertations in Taiwan

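Author: 許竣智
Author (English): HSU, CHUN-CHIN
Thesis title (Chinese): VLAN、CWMP 及 RADIUS 模糊測試的研究與實作
Thesis title (English): The design and implementation of fuzz testing in VLAN, CWMP and RADIUS
Advisor: 徐武孝
Advisor (English): HSU, WU-HSIAO
Oral defense committee: 歐俠宏, 謝育平
Oral defense committee (English): OU, HSIA-HUNG; SHIEH, YUH-PYNG
Oral defense date: 2019-07-11
Degree: Master's
Institution: 銘傳大學
Department: 資訊工程學系碩士班
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Thesis type: Academic thesis
Year of publication: 2019
Academic year of graduation: 107
Language: Chinese
Number of pages: 84
Keywords (Chinese): fuzz testing; VLAN; CWMP; RADIUS
Keywords (English): Fuzz testing; VLAN; CWMP; RADIUS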
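Fuzz testing feeds abnormal data to a device under test in the expectation that the device will react in unexpected ways, for example by crashing, rebooting, or sending a reply. This study uses fuzz testing to test three network protocols, VLAN, CWMP and RADIUS, for vulnerabilities, in order to uncover the latent dangers in these protocols. The research is divided into four parts. The first part studies the content and operation of the network protocols. The second part implements the packet structure and operation of the protocols in Python. The third part implements the core architecture of the fuzz testing system in Python. The fourth part runs the protocol programs written in Python in the second part to send test packets to the device under test, and uses Wireshark to observe and analyze the packets exchanged between the device and the program, in order to show whether the network protocols supported by the device have security vulnerabilities. The implementation results show that, for VLAN, test packets carrying VLAN ID 0 or 1 have their VLAN tag removed by the switch and are forwarded to the destination, while test packets carrying VLAN ID 4095 are discarded by the switch. For CWMP, the ACS server returns packets containing error messages to the test program according to the content of the packets it receives. For RADIUS, the server discards the packet or returns a reject packet to the test program depending on whether the received test packet contains overly long data or unreasonable values.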
Fuzz testing feeds abnormal data into a target machine in the expectation that the target machine will produce unexpected events, such as crashing or restarting. In this study, we used fuzz testing to check three network protocols for vulnerabilities: VLAN, CWMP, and RADIUS. The implementation is divided into four parts. First, we study the network protocol concepts and their operation. Second, we implement the packet format and transmission process of the three protocols in Python. Third, we implement the core fuzz testing system. Fourth, we send the test packets to the target machine in order to examine whether there is a security vulnerability in the network protocols supported by the target machine. Wireshark is used to observe and analyze the packet contents. The experimental results show that, for test packets whose VLAN tag contains VLAN ID 0 or 1, the switch removes the tag and forwards the packet to the destination; test packets whose VLAN tag contains VLAN ID 4095 are discarded by the switch. In CWMP, the ACS server responds to the test program with different error messages based on the received packet. In RADIUS, the server discards the test packets or returns reject packets to the test program based on whether the received test packets are too long or contain unreasonable numerical values.
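Table of Contents
Abstract (Chinese)
Abstract
Acknowledgments
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation
1.3 Research Objectives
Chapter 2 Literature Review
2.1 Fuzz Testing
2.2 Penetration Testing
2.3 Common Vulnerabilities and Exposures (CVE)
2.4 Fuzz Testing Companies
2.4.1 Synopsys
2.4.2 Peach Tech
Chapter 3 Using Fuzz Testing to Detect Vulnerabilities in Network Protocols
3.1 VLAN (802.1Q)
3.1.1 VLAN Packet Transmission Flow
3.1.2 VLAN Packet Format
3.2 CWMP
3.2.1 CWMP Packet Transmission Flow
3.2.2 CWMP Packet Format
3.3 RADIUS
3.3.1 RADIUS Packet Transmission Flow
3.3.2 RADIUS Packet Format
3.4 Fuzz Testing Procedures for the Network Protocols
3.4.1 VLAN Test Procedure
3.4.2 CWMP Test Procedure
3.4.3 RADIUS Test Procedure
Chapter 4 Fuzz Testing Implementation Results
4.1 VLAN Test Environment Setup
4.2 VLAN Test Results
4.3 CWMP Test Environment Setup
4.4 CWMP Test Results
4.5 RADIUS Test Environment Setup
4.6 RADIUS Test Results
Chapter 5 Conclusion
References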