|
|
@@ -0,0 +1,245 @@
|
|
|
+import logging
|
|
|
+import csv
|
|
|
+
|
|
|
+from random import shuffle, randint, choice, uniform
|
|
|
+
|
|
|
+from lea import Lea
|
|
|
+
|
|
|
+from Attack import BaseAttack
|
|
|
+from Attack.AttackParameters import Parameter as Param
|
|
|
+from Attack.AttackParameters import ParameterTypes
|
|
|
+
|
|
|
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
|
|
|
+# noinspection PyPep8
|
|
|
+from scapy.layers.inet import IP, Ether, TCP
|
|
|
+from scapy.layers.netbios import NBTSession
|
|
|
+
|
|
|
+# Resources:
|
|
|
+# https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/smb/smb_loris.rb
|
|
|
+# https://samsclass.info/124/proj14/smbl.htm
|
|
|
+# https://gist.githubusercontent.com/marcan/6a2d14b0e3eaa5de1795a763fb58641e/raw/565befecf4d9a4a27248d027a90b6e3e5994b5b6/smbloris.c
|
|
|
+# http://smbloris.com/
|
|
|
+
|
|
|
+class SMBLorisAttack(BaseAttack.BaseAttack):
|
|
|
+ # SMB port
|
|
|
+ smb_port = 445
|
|
|
+
|
|
|
+ def __init__(self):
|
|
|
+ """
|
|
|
+ Creates a new instance of the SMBLorisAttack.
|
|
|
+
|
|
|
+ """
|
|
|
+ # Initialize attack
|
|
|
+ super(SMBLorisAttack, self).__init__("SMBLoris Attack", "Injects an SMBLoris DoS Attack",
|
|
|
+ "Resource Exhaustion")
|
|
|
+
|
|
|
+ # Define allowed parameters and their type
|
|
|
+ self.supported_params = {
|
|
|
+ Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
|
|
|
+ Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
|
|
|
+ Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
|
|
|
+ Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
|
|
|
+ Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
|
|
|
+ Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
|
|
|
+ Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT,
|
|
|
+ Param.ATTACK_DURATION: ParameterTypes.TYPE_INTEGER_POSITIVE
|
|
|
+ }
|
|
|
+
|
|
|
+ def init_params(self):
|
|
|
+ """
|
|
|
+ Initialize the parameters of this attack using the user supplied command line parameters.
|
|
|
+ Use the provided statistics to calculate default parameters and to process user
|
|
|
+ supplied queries.
|
|
|
+
|
|
|
+ :param statistics: Reference to a statistics object.
|
|
|
+ """
|
|
|
+ # PARAMETERS: initialize with default values
|
|
|
+ # (values are overwritten if user specifies them)
|
|
|
+ most_used_ip_address = self.statistics.get_most_used_ip_address()
|
|
|
+ if isinstance(most_used_ip_address, list):
|
|
|
+ most_used_ip_address = most_used_ip_address[0]
|
|
|
+
|
|
|
+ self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
|
|
|
+ self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
|
|
|
+
|
|
|
+ random_ip_address = self.statistics.get_random_ip_address()
|
|
|
+ # ip-dst should be valid and not equal to ip.src
|
|
|
+ while not self.is_valid_ip_address(random_ip_address) or random_ip_address==most_used_ip_address:
|
|
|
+ random_ip_address = self.statistics.get_random_ip_address()
|
|
|
+
|
|
|
+ self.add_param_value(Param.IP_DESTINATION, random_ip_address)
|
|
|
+ destination_mac = self.statistics.get_mac_address(random_ip_address)
|
|
|
+ if isinstance(destination_mac, list) and len(destination_mac) == 0:
|
|
|
+ destination_mac = self.generate_random_mac_address()
|
|
|
+ self.add_param_value(Param.MAC_DESTINATION, destination_mac)
|
|
|
+ self.add_param_value(Param.PACKETS_PER_SECOND,
|
|
|
+ (self.statistics.get_pps_sent(most_used_ip_address) +
|
|
|
+ self.statistics.get_pps_received(most_used_ip_address)) / 2)
|
|
|
+ self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
|
|
|
+ self.add_param_value(Param.ATTACK_DURATION, 30)
|
|
|
+
|
|
|
+ def generate_attack_pcap(self):
|
|
|
+ def update_timestamp(timestamp, pps, delay=0):
|
|
|
+ """
|
|
|
+ Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
|
|
|
+
|
|
|
+ :return: Timestamp to be used for the next packet.
|
|
|
+ """
|
|
|
+ if delay == 0:
|
|
|
+ # Calculate request timestamp
|
|
|
+ # To imitate the bursty behavior of traffic
|
|
|
+ randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 20, 5 / pps: 7, 10 / pps: 3})
|
|
|
+ return timestamp + uniform(1/pps , randomdelay.random())
|
|
|
+ else:
|
|
|
+ # Calculate reply timestamp
|
|
|
+ randomdelay = Lea.fromValFreqsDict({2*delay: 70, 3*delay: 20, 5*delay: 7, 10*delay: 3})
|
|
|
+ return timestamp + uniform(1 / pps + delay, 1 / pps + randomdelay.random())
|
|
|
+
|
|
|
+ def getIntervalPPS(complement_interval_pps, timestamp):
|
|
|
+ """
|
|
|
+ Gets the packet rate (pps) for a specific time interval.
|
|
|
+
|
|
|
+ :param complement_interval_pps: an array of tuples (the last timestamp in the interval, the packet rate in the crresponding interval).
|
|
|
+ :param timestamp: the timestamp at which the packet rate is required.
|
|
|
+ :return: the corresponding packet rate (pps) .
|
|
|
+ """
|
|
|
+ for row in complement_interval_pps:
|
|
|
+ if timestamp<=row[0]:
|
|
|
+ return row[1]
|
|
|
+ return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
|
|
|
+
|
|
|
+ def getIpData(ip_address: str):
|
|
|
+ """
|
|
|
+ :param ip_address: the ip of which (packet-)data shall be returned
|
|
|
+ :return: MSS, TTL and Window Size values of the given IP
|
|
|
+ """
|
|
|
+ # Set MSS (Maximum Segment Size) based on MSS distribution of IP address
|
|
|
+ mss_dist = self.statistics.get_mss_distribution(ip_address)
|
|
|
+ if len(mss_dist) > 0:
|
|
|
+ mss_prob_dict = Lea.fromValFreqsDict(mss_dist)
|
|
|
+ mss_value = mss_prob_dict.random()
|
|
|
+ else:
|
|
|
+ mss_value = self.statistics.process_db_query("most_used(mssValue)")
|
|
|
+
|
|
|
+ # Set TTL based on TTL distribution of IP address
|
|
|
+ ttl_dist = self.statistics.get_ttl_distribution(ip_address)
|
|
|
+ if len(ttl_dist) > 0:
|
|
|
+ ttl_prob_dict = Lea.fromValFreqsDict(ttl_dist)
|
|
|
+ ttl_value = ttl_prob_dict.random()
|
|
|
+ else:
|
|
|
+ ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
|
|
|
+
|
|
|
+ # Set Window Size based on Window Size distribution of IP address
|
|
|
+ win_dist = self.statistics.get_win_distribution(ip_address)
|
|
|
+ if len(win_dist) > 0:
|
|
|
+ win_prob_dict = Lea.fromValFreqsDict(win_dist)
|
|
|
+ win_value = win_prob_dict.random()
|
|
|
+ else:
|
|
|
+ win_value = self.statistics.process_db_query("most_used(winSize)")
|
|
|
+
|
|
|
+ return mss_value, ttl_value, win_value
|
|
|
+
|
|
|
+ mac_source = self.get_param_value(Param.MAC_SOURCE)
|
|
|
+ mac_destination = self.get_param_value(Param.MAC_DESTINATION)
|
|
|
+ pps = self.get_param_value(Param.PACKETS_PER_SECOND)
|
|
|
+
|
|
|
+ # Calculate complement packet rates of the background traffic for each interval
|
|
|
+ complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
|
|
|
+
|
|
|
+ # Timestamp
|
|
|
+ timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
|
|
|
+ # store start time of attack
|
|
|
+ self.attack_start_utime = timestamp_next_pkt
|
|
|
+ timestamp_prv_reply, timestamp_confirm = 0,0
|
|
|
+
|
|
|
+ # Initialize parameters
|
|
|
+ packets = []
|
|
|
+ ip_source = self.get_param_value(Param.IP_SOURCE)
|
|
|
+ ip_destination = self.get_param_value(Param.IP_DESTINATION)
|
|
|
+
|
|
|
+ # Check ip.src == ip.dst
|
|
|
+ self.ip_src_dst_equal_check(ip_source, ip_destination)
|
|
|
+
|
|
|
+ # Get MSS, TTL and Window size value for source and destination IP
|
|
|
+ source_mss_value, source_ttl_value, source_win_value = getIpData(ip_source)
|
|
|
+ destination_mss_value, destination_ttl_value, destination_win_value = getIpData(ip_destination)
|
|
|
+
|
|
|
+ minDelay,maxDelay = self.get_reply_delay(ip_destination)
|
|
|
+
|
|
|
+ attack_duration = self.get_param_value(Param.ATTACK_DURATION)
|
|
|
+ attack_ends_time = timestamp_next_pkt + attack_duration
|
|
|
+
|
|
|
+ sport = 1025
|
|
|
+
|
|
|
+ attacker_seq = randint(1000, 50000)
|
|
|
+ victim_seq = randint(1000, 50000)
|
|
|
+
|
|
|
+ # FIXME: Improve timestamp generation
|
|
|
+ while timestamp_next_pkt <= attack_ends_time:
|
|
|
+ # Establish TCP connection
|
|
|
+ if sport > 65535:
|
|
|
+ sport = 1025
|
|
|
+
|
|
|
+ # prepare reusable Ethernet- and IP-headers
|
|
|
+ attacker_ether = Ether(src=mac_source, dst=mac_destination)
|
|
|
+ attacker_ip = IP(src=ip_source, dst=ip_destination, ttl=source_ttl_value, flags='DF')
|
|
|
+ victim_ether = Ether(src=mac_destination, dst=mac_source)
|
|
|
+ victim_ip = IP(src=ip_destination, dst=ip_source, ttl=destination_ttl_value, flags='DF')
|
|
|
+
|
|
|
+ # connection request from attacker (client)
|
|
|
+ syn_tcp = TCP(sport=sport, dport=self.smb_port, window=source_win_value, flags='S',
|
|
|
+ seq=attacker_seq, options=[('MSS', source_mss_value)])
|
|
|
+ attacker_seq += 1
|
|
|
+ syn = (attacker_ether / attacker_ip / syn_tcp)
|
|
|
+ syn.time = timestamp_next_pkt
|
|
|
+ timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, minDelay)
|
|
|
+ packets.append(syn)
|
|
|
+
|
|
|
+ # response from victim (server)
|
|
|
+ synack_tcp = TCP(sport=self.smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, flags='SA',
|
|
|
+ window=destination_win_value, options=[('MSS', destination_mss_value)])
|
|
|
+ victim_seq += 1
|
|
|
+ synack = (victim_ether / victim_ip / synack_tcp)
|
|
|
+ synack.time = timestamp_next_pkt
|
|
|
+ timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, minDelay)
|
|
|
+ packets.append(synack)
|
|
|
+
|
|
|
+ # acknowledgement from attacker (client)
|
|
|
+ ack_tcp = TCP(sport=sport, dport=self.smb_port, seq=attacker_seq, ack=victim_seq, flags='A',
|
|
|
+ window=source_win_value, options=[('MSS', source_mss_value)])
|
|
|
+ ack = (attacker_ether / attacker_ip / ack_tcp)
|
|
|
+ ack.time = timestamp_next_pkt
|
|
|
+ timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, minDelay)
|
|
|
+ packets.append(ack)
|
|
|
+
|
|
|
+ # send NBT session header paket with maximum LENGTH-field
|
|
|
+ req_tcp = TCP(sport=sport, dport=self.smb_port, seq=attacker_seq, ack=victim_seq, flags='AP',
|
|
|
+ window=source_win_value, options=[('MSS', source_mss_value)])
|
|
|
+ req_payload = NBTSession(TYPE=0x00, LENGTH=0x1FFFF)
|
|
|
+
|
|
|
+ attacker_seq += len(req_payload)
|
|
|
+ req = (attacker_ether / attacker_ip / req_tcp / req_payload)
|
|
|
+ req.time = timestamp_next_pkt
|
|
|
+ timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, minDelay)
|
|
|
+ packets.append(req)
|
|
|
+
|
|
|
+ # final ack from victim (server)
|
|
|
+ last_ack_tcp = TCP(sport=self.smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, flags='A',
|
|
|
+ window=destination_win_value, options=[('MSS', destination_mss_value)])
|
|
|
+ last_ack = (victim_ether / victim_ip / last_ack_tcp)
|
|
|
+ last_ack.time = timestamp_next_pkt
|
|
|
+ timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, minDelay)
|
|
|
+ packets.append(last_ack)
|
|
|
+
|
|
|
+ sport += 1
|
|
|
+
|
|
|
+ # FIXME: RST?
|
|
|
+
|
|
|
+ # store end time of attack
|
|
|
+ self.attack_end_utime = packets[-1].time
|
|
|
+
|
|
|
+ # write attack packets to pcap
|
|
|
+ pcap_path = self.write_attack_pcap(sorted(packets, key=lambda pkt: pkt.time))
|
|
|
+
|
|
|
+ # return packets sorted by packet time_sec_start
|
|
|
+ return len(packets), pcap_path
|
