如何在Ubuntu 18.04上安装和使用Radamsa来模糊测试程序和网络服务

The author selected the Electronic Frontier Foundation Inc to receive a donation as part of the Write for DOnations program.

作者选择Electronic Frontier Foundation Inc接受捐赠，作为Write for DOnations计划的一部分。

介绍 (Introduction)

Security threats are continually becoming more sophisticated, so developers and systems administrators need to take a proactive approach in defending and testing the security of their applications.

安全威胁不断变得越来越复杂，因此开发人员和系统管理员需要采取主动的方法来防御和测试其应用程序的安全性。

A common method for testing the security of client applications or network services is fuzzing, which involves repeatedly sending invalid or malformed data to the application and analyzing its response. This is useful to help test how resilient and robust the application is to unexpected input, which may include corrupted data or actual attacks.

测试客户端应用程序或网络服务的安全性的常用方法是模糊测试 ，它涉及向应用程序重复发送无效或格式错误的数据并分析其响应。 这对于帮助测试应用程序对意外输入(包括可能损坏的数据或实际攻击)的弹性和健壮性很有用。

Radamsa is an open-source fuzzing tool that can generate test cases based on user-specified input data. Radamsa is fully scriptable, and so far has been successful in finding vulnerabilities in real-world applications, such as Gzip.

Radamsa是一种开放源代码的模糊测试工具，可以根据用户指定的输入数据生成测试用例。 Radamsa具有完全可编写脚本的功能，到目前为止，它已经成功地发现了诸如Gzip之类的实际应用程序中的漏洞。

In this tutorial, you will install and use Radamsa to fuzz test command-line and network-based applications using your own test cases.

在本教程中，您将安装并使用Radamsa使用自己的测试用例对命令行和基于网络的应用程序进行模糊测试。

Warning: Radamsa is a penetration testing tool which may allow you to identify vulnerabilities or weaknesses in certain systems or applications. You must not use vulnerabilities found with Radamsa for any form of reckless behavior, harm, or malicious exploitation. Vulnerabilities should be ethically reported to the maintainer of the affected application, and not disclosed publicly without explicit permission.

警告： Radamsa是一种渗透测试工具，可以使您识别某些系统或应用程序中的漏洞或弱点。 您不得将Radamsa发现的漏洞用于任何形式的鲁ck行为，危害或恶意利用。 漏洞应从伦理上报告给受影响的应用程序的维护者，未经明确允许，不得公开披露。

先决条件 (Prerequisites)

Before you begin this guide you’ll need the following:

在开始本指南之前，您需要满足以下条件：

• One Ubuntu 18.04 server set up by following the Initial Server Setup with Ubuntu 18.04, including a sudo non-root user and enabled firewall to block non-essential ports.

  通过对Ubuntu 18.04进行初始服务器设置来设置一台Ubuntu 18.04服务器，包括sudo非root用户和已启用的防火墙以阻止非必需端口。

• A command-line or network-based application that you wish to test, for example Gzip, Tcpdump, Bind, Apache, jq, or any other application of your choice. As an example for the purposes of this tutorial, we’ll use jq.

  您要测试的命令行或基于网络的应用程序，例如Gzip，Tcpdump，Bind，Apache，jq或您选择的任何其他应用程序。 作为本教程的示例，我们将使用jq 。

Warning: Radamsa can cause applications or systems to run unstably or crash, so only run Radamsa in an environment where you are prepared for this, such as a dedicated server. Please also ensure that you have explicit written permission from the owner of a system before conducting fuzz testing against it.

警告： Radamsa可能导致应用程序或系统运行不稳定或崩溃，因此，仅在您为此做好准备的环境(例如专用服务器)中运行Radamsa。 在对系统进行模糊测试之前，还请确保您已获得系统所有者的明确书面许可。

Once you have these ready, log in to your server as your non-root user to begin.

准备就绪后，以非root用户身份登录到服务器以开始。

第1步-安装Radamsa (Step 1 — Installing Radamsa)

Firstly, you will download and compile Radamsa in order to begin using it on your system. The Radamsa source code is available in the official repository on GitLab.

首先，您将下载并编译Radamsa，以便开始在系统上使用它。 Radamsa源代码可在GitLab上的官方存储库中找到 。

Begin by updating the local package index to reflect any new upstream changes:

首先更新本地包索引以反映任何新的上游更改：

• sudo apt update
  sudo apt更新

Then, install the gcc, git, make, and wget packages needed to compile the source code into an executable binary:

然后，安装将源代码编译成可执行二进制文件所需的gcc ， git ， make和wget软件包：

• sudo apt install gcc git make wget
  须藤apt install gcc git make wget

After confirming the installation, apt will download and install the specified packages and all of their required dependencies.

确认安装后， apt将下载并安装指定的软件包及其所有必需的依赖项。

Next, you’ll download a copy of the source code for Radamsa by cloning it from the repository hosted on GitLab:

接下来，您将通过从GitLab托管的存储库中克隆Radamsa的源代码来下载该副本：

• git clone https://gitlab.com/akihe/radamsa.git
  git克隆https://gitlab.com/akihe/radamsa.git

This will create a directory called radamsa, containing the source code for the application. Move into the directory to begin compiling the code:

这将创建一个名为radamsa的目录，其中包含应用程序的源代码。 进入目录开始编译代码：

• cd radamsa
  cd拉达姆萨

Next, you can start the compilation process using make:

接下来，您可以使用make开始编译过程：

• make
  使

Finally, you can install the compiled Radamsa binary to your $PATH