add SMB scan attack

add SMB1 support
add parameters
choose sensible default values for params
add PROTOCOL_VERSION param
add IP_HOSTING param
add statistics.get_ip_addresses
add statistics.get_ip_address_count

code/Attack/AttackParameters.py

@@ -10,6 +10,7 @@ class Parameter(Enum):
     IP_SOURCE = 'ip.src'  # source IP address
     IP_DESTINATION = 'ip.dst'  # destination IP address
     IP_DNS = 'ip.dns'  # IP address of DNS server
+    IP_HOSTING = 'ip.hosting'
     # recommended type: MAC address ------------------------------
     MAC_SOURCE = 'mac.src'  # MAC address of source
     MAC_DESTINATION = 'mac.dst'  # MAC address of destination
@@ -37,6 +38,8 @@ class Parameter(Enum):
     IP_SOURCE_RANDOMIZE = 'ip.src.shuffle'  # randomizes the sources IP address if a list of IP addresses is given
     PORT_SOURCE_RANDOMIZE = 'port.src.shuffle'  # randomizes the source port if a list of sources ports is given
 
+    PROTOCOL_VERSION = 'protocol.version'
+
 
 class ParameterTypes(Enum):
     """
@@ -52,3 +55,4 @@ class ParameterTypes(Enum):
     TYPE_FLOAT = 6
     TYPE_PACKET_POSITION = 7  # used to derive timestamp from parameter INJECT_AFTER_PACKET
     TYPE_DOMAIN = 8
+    TYPE_STRING = 9

code/Attack/BaseAttack.py

@@ -301,6 +301,9 @@ class BaseAttack(metaclass=ABCMeta):
             elif isinstance(value, str) and value.isdigit() and int(value) >= 0:
                 is_valid = True
                 value = int(value)
+        elif param_type == ParameterTypes.TYPE_STRING:
+            if isinstance(value, str):
+                is_valid = True
         elif param_type == ParameterTypes.TYPE_FLOAT:
             is_valid, value = self._is_float(value)
             # this is required to avoid that the timestamp's microseconds of the first attack packet is '000000'

code/Attack/SmbScanAttack.py

@@ -0,0 +1,378 @@
+import logging
+
+from random import shuffle, randint, choice, uniform
+
+from lea import Lea
+
+from Attack import BaseAttack
+from Attack.AttackParameters import Parameter as Param
+from Attack.AttackParameters import ParameterTypes
+
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+# noinspection PyPep8
+from scapy.layers.inet import IP, Ether, TCP
+from scapy.layers.smb import *
+from scapy.layers.netbios import *
+
+class SmbScanAttack(BaseAttack.BaseAttack):
+    # SMB port
+    smb_port = 445
+
+    def __init__(self):
+        """
+        Creates a new instance of the SmbScanAttack.
+
+        """
+        # Initialize attack
+        super(SmbScanAttack, self).__init__("SmbScan Attack", "Injects an SMB scan",
+                                             "Scanning/Probing")
+
+        # Define allowed parameters and their type
+        self.supported_params = {
+            Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.PORT_SOURCE: ParameterTypes.TYPE_PORT,
+            Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
+            Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
+            Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
+            Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
+            Param.IP_SOURCE_RANDOMIZE: ParameterTypes.TYPE_BOOLEAN,
+            Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT,
+            Param.PORT_SOURCE_RANDOMIZE: ParameterTypes.TYPE_BOOLEAN,
+            Param.IP_HOSTING: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.PROTOCOL_VERSION: ParameterTypes.TYPE_STRING
+        }
+
+    def init_params(self):
+        """
+        Initialize the parameters of this attack using the user supplied command line parameters.
+        Use the provided statistics to calculate default parameters and to process user
+        supplied queries.
+
+        :param statistics: Reference to a statistics object.
+        """
+        # PARAMETERS: initialize with default values
+        # (values are overwritten if user specifies them)
+        most_used_ip_address = self.statistics.get_most_used_ip_address()
+        if isinstance(most_used_ip_address, list):
+            most_used_ip_address = most_used_ip_address[0]
+
+        self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
+        self.add_param_value(Param.IP_SOURCE_RANDOMIZE, 'False')
+        self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
+
+        all_ips = self.statistics.get_ip_addresses()
+        if not isinstance(all_ips, list):
+            ip_destinations = []
+            ip_destinations.append(all_ips)
+        else:
+            ip_destinations = all_ips
+        self.add_param_value(Param.IP_DESTINATION, ip_destinations)
+        # MAYBE REMOVE/CHANGE THIS MAC STUFF
+        #
+        destination_mac = []
+        for ip in ip_destinations:
+            destination_mac.append(self.statistics.get_mac_address(str(ip)))
+        if isinstance(destination_mac, list) and len(destination_mac) == 0:
+            destination_mac = self.generate_random_mac_address()
+        self.add_param_value(Param.MAC_DESTINATION, destination_mac)
+        #
+        #
+        self.add_param_value(Param.PORT_SOURCE, randint(1024, 65535))
+        self.add_param_value(Param.PORT_SOURCE_RANDOMIZE, 'False')
+        self.add_param_value(Param.PACKETS_PER_SECOND,
+                             (self.statistics.get_pps_sent(most_used_ip_address) +
+                              self.statistics.get_pps_received(most_used_ip_address)) / 2)
+        self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
+
+        rnd_ip_count = self.statistics.get_ip_address_count()/2
+        self.add_param_value(Param.IP_HOSTING, self.statistics.get_random_ip_address(rnd_ip_count))
+        # maybe change to version 1 as default
+        self.add_param_value(Param.PROTOCOL_VERSION, "2.1")
+
+    @property
+    def generate_attack_pcap(self):
+        def update_timestamp(timestamp, pps, delay=0):
+            """
+            Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
+
+            :return: Timestamp to be used for the next packet.
+            """
+            if delay == 0:
+                # Calculate request timestamp
+                # To imitate the bursty behavior of traffic
+                randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 20, 5 / pps: 7, 10 / pps: 3})
+                return timestamp + uniform(1/pps ,  randomdelay.random())
+            else:
+                # Calculate reply timestamp
+                randomdelay = Lea.fromValFreqsDict({2*delay: 70, 3*delay: 20, 5*delay: 7, 10*delay: 3})
+                return timestamp + uniform(1 / pps + delay,  1 / pps + randomdelay.random())
+
+        def getIntervalPPS(complement_interval_pps, timestamp):
+            """
+            Gets the packet rate (pps) for a specific time interval.
+
+            :param complement_interval_pps: an array of tuples (the last timestamp in the interval, the packet rate in the crresponding interval).
+            :param timestamp: the timestamp at which the packet rate is required.
+            :return: the corresponding packet rate (pps) .
+            """
+            for row in complement_interval_pps:
+                if timestamp<=row[0]:
+                    return row[1]
+            return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
+
+
+        mac_source = self.get_param_value(Param.MAC_SOURCE)
+        mac_dest = self.get_param_value(Param.MAC_DESTINATION)
+        pps = self.get_param_value(Param.PACKETS_PER_SECOND)
+
+        # Calculate complement packet rates of the background traffic for each interval
+        complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
+
+        if self.get_param_value(Param.PORT_SOURCE_RANDOMIZE):
+            sport = randint(1, 65535)
+        else:
+            sport = self.get_param_value(Param.PORT_SOURCE)
+
+        # Timestamp
+        timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
+        # store start time of attack
+        self.attack_start_utime = timestamp_next_pkt
+        timestamp_prv_reply, timestamp_confirm = 0,0
+
+        # Initialize parameters
+        ip_source = self.get_param_value(Param.IP_SOURCE)
+        ip_destinations = self.get_param_value(Param.IP_DESTINATION)
+        ip_hosting = self.get_param_value(Param.IP_HOSTING)
+        packets = []
+
+        # Check ip.src == ip.dst
+        #self.ip_src_dst_equal_check(ip_source, ip_destination)
+
+        # Set MSS (Maximum Segment Size) based on MSS distribution of IP address
+        source_mss_dist = self.statistics.get_mss_distribution(ip_source)
+        if len(source_mss_dist) > 0:
+            source_mss_prob_dict = Lea.fromValFreqsDict(source_mss_dist)
+            source_mss_value = source_mss_prob_dict.random()
+        else:
+            source_mss_value = self.statistics.process_db_query("most_used(mssValue)")
+
+
+        # Set TTL based on TTL distribution of IP address
+        source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
+        if len(source_ttl_dist) > 0:
+            source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
+            source_ttl_value = source_ttl_prob_dict.random()
+        else:
+            source_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
+
+
+        # Set Window Size based on Window Size distribution of IP address
+        source_win_dist = self.statistics.get_win_distribution(ip_source)
+        if len(source_win_dist) > 0:
+            source_win_prob_dict = Lea.fromValFreqsDict(source_win_dist)
+            source_win_value = source_win_prob_dict.random()
+        else:
+            source_win_value = self.statistics.process_db_query("most_used(winSize)")
+
+
+
+        # ACTUAL ATTACK GOES HERE
+        #print(len(mac_dest))
+        #print(mac_destination)
+        #print(len(ip_destinations))
+        #print(ip_destinations)
+        #print(ip_source)
+        ip_dests = []
+        if isinstance(ip_destinations, list):
+            ip_dests = ip_destinations
+        else:
+            ip_dests.append(ip_destinations)
+
+        #print(ip_dests)
+
+        for ip in ip_dests:
+
+            if ip != ip_source:
+
+                # Get destination Mac Address
+                #print(ip)
+
+                mac_destination = self.statistics.get_mac_address(str(ip))
+                if len(mac_destination) == 0:
+                    if isinstance(mac_dest, str):
+                        mac_destination = mac_dest
+                    else:
+                        mac_destination = self.generate_random_mac_address()
+                #print(len(mac_destination))
+                #print(mac_destination)
+                #print(ip)
+
+                # Set MSS (Maximum Segment Size) based on MSS distribution of IP address
+                destination_mss_dist = self.statistics.get_mss_distribution(ip)
+                if len(destination_mss_dist) > 0:
+                    destination_mss_prob_dict = Lea.fromValFreqsDict(destination_mss_dist)
+                    destination_mss_value = destination_mss_prob_dict.random()
+                else:
+                    destination_mss_value = self.statistics.process_db_query("most_used(mssValue)")
+
+
+                # Set TTL based on TTL distribution of IP address
+                destination_ttl_dist = self.statistics.get_ttl_distribution(ip)
+                if len(destination_ttl_dist) > 0:
+                    destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
+                    destination_ttl_value = destination_ttl_prob_dict.random()
+                else:
+                    destination_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
+
+
+                # Set Window Size based on Window Size distribution of IP address
+                destination_win_dist = self.statistics.get_win_distribution(ip)
+                if len(destination_win_dist) > 0:
+                    destination_win_prob_dict = Lea.fromValFreqsDict(destination_win_dist)
+                    destination_win_value = destination_win_prob_dict.random()
+                else:
+                    destination_win_value = self.statistics.process_db_query("most_used(winSize)")
+
+                minDelay, maxDelay = self.get_reply_delay(ip)
+
+                # New connection, new random TCP sequence numbers
+                attacker_seq = randint(1000, 50000)
+                victim_seq = randint(1000, 50000)
+
+                # 1) Build request package
+                request_ether = Ether(src=mac_source, dst=mac_destination)
+                request_ip = IP(src=ip_source, dst=ip, ttl=source_ttl_value, flags='DF')
+                request_tcp = TCP(sport=sport, dport=self.smb_port, window=source_win_value, flags='S',
+                                  seq=attacker_seq, options=[('MSS', source_mss_value)])
+                attacker_seq += 1
+                request = (request_ether / request_ip / request_tcp)
+                request.time = timestamp_next_pkt
+
+                # Append request
+                packets.append(request)
+
+                # Update timestamp for next package
+                timestamp_reply = update_timestamp(timestamp_next_pkt, pps, minDelay)
+                while (timestamp_reply <= timestamp_prv_reply):
+                    timestamp_reply = update_timestamp(timestamp_prv_reply, pps, minDelay)
+                timestamp_prv_reply = timestamp_reply
+
+                if ip in ip_hosting:
+
+                    # 2) Build TCP packages for ip that hosts SMB
+
+                    # destination sends SYN, ACK
+                    reply_ether = Ether(src=mac_destination, dst=mac_source)
+                    reply_ip = IP(src=ip, dst=ip_source, ttl=destination_ttl_value, flags='DF')
+                    reply_tcp = TCP(sport=self.smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, flags='SA', window=destination_win_value,
+                                    options=[('MSS', destination_mss_value)])
+                    victim_seq += 1
+                    reply = (reply_ether / reply_ip / reply_tcp)
+                    reply.time = timestamp_reply
+                    packets.append(reply)
+
+                    # requester confirms, ACK
+                    confirm_ether = request_ether
+                    confirm_ip = request_ip
+                    confirm_tcp = TCP(sport=sport, dport=self.smb_port, seq=attacker_seq, ack=victim_seq, window=source_win_value, flags='A')
+                    confirm = (confirm_ether / confirm_ip / confirm_tcp)
+                    timestamp_confirm = update_timestamp(timestamp_reply, pps, minDelay)
+                    confirm.time = timestamp_confirm
+                    packets.append(confirm)
+
+                    # INSERT SMB-REQUEST PACKAGE HERE
+                    # CHECK FOR PROTOCOL VERSION?
+                    smb_MID = randint(1, 65535)
+                    smb_PID = randint(1, 65535)
+
+                    smb_req_tail = SMBNegociate_Protocol_Request_Tail()
+                    smb_req_head = SMBNegociate_Protocol_Request_Header(Flags2=0x2801, PID=smb_PID, MID=smb_MID)
+                    smb_req_length = len(smb_req_head) + len(smb_req_tail)
+                    smb_req_net_bio = NBTSession(TYPE=0x00, LENGTH=smb_req_length)
+                    smb_req_tcp = TCP(sport=sport, dport=self.smb_port, flags='PA', seq=attacker_seq, ack=victim_seq)
+                    smb_req_ip = IP(src=ip_source, dst=ip, ttl=source_ttl_value)
+                    smb_req_ether = Ether(src=mac_source, dst=mac_destination)
+                    attacker_seq += len(smb_req_net_bio) + len(smb_req_head) + len(smb_req_tail)
+
+                    smb_req_combined = (
+                            smb_req_ether / smb_req_ip / smb_req_tcp / smb_req_net_bio / smb_req_head / smb_req_tail)
+                    timestamp_smb_req = update_timestamp(timestamp_confirm, pps, minDelay)
+                    smb_req_combined.time = timestamp_smb_req
+                    packets.append(smb_req_combined)
+
+                    # destination confirms SMB request package
+                    reply_tcp = TCP(sport=self.smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, window=destination_win_value, flags='A')
+                    confirm_smb_req = (reply_ether / reply_ip / reply_tcp)
+                    timestamp_reply = update_timestamp(timestamp_smb_req, pps, minDelay)
+                    confirm_smb_req.time = timestamp_reply
+                    packets.append(confirm_smb_req)
+
+                    # INSERT SMB-RESPONSE PACKAGE HERE
+                    # CHECK FOR PROTOCOL VERSION?
+
+                    smb_rsp_paket = SMBNegociate_Protocol_Response_No_Security_No_Key()
+                    smb_rsp_length = len(smb_rsp_paket)
+                    smb_rsp_net_bio = NBTSession(TYPE=0x00, LENGTH=smb_rsp_length)
+                    smb_rsp_tcp = TCP(sport=self.smb_port, dport=sport, flags='PA', seq=victim_seq, ack=attacker_seq)
+                    smb_rsp_ip = IP(src=ip, dst=ip_source, ttl=destination_ttl_value)
+                    smb_rsp_ether = Ether(src=mac_destination, dst=mac_source)
+                    victim_seq += len(smb_rsp_net_bio) + len(smb_rsp_paket)
+
+                    smb_rsp_combined = (smb_rsp_ether / smb_rsp_ip / smb_rsp_tcp / smb_rsp_net_bio / smb_rsp_paket)
+                    timestamp_smb_rsp = update_timestamp(timestamp_reply, pps, minDelay)
+                    smb_rsp_combined.time = timestamp_smb_rsp
+                    packets.append(smb_rsp_combined)
+
+
+                    # source confirms SMB response package
+                    confirm_tcp = TCP(sport=sport, dport=self.smb_port, seq=attacker_seq, ack=victim_seq, window=source_win_value, flags='A')
+                    confirm_smb_res = (confirm_ether / confirm_ip / confirm_tcp)
+                    timestamp_confirm = update_timestamp(timestamp_smb_rsp, pps, minDelay)
+                    confirm_smb_res.time = timestamp_confirm
+                    packets.append(confirm_smb_res)
+
+                    # attacker sends FIN ACK
+                    confirm_tcp = TCP(sport=sport, dport=self.smb_port, seq=attacker_seq, ack=victim_seq, window=source_win_value, flags='FA')
+                    source_fin_ack = (confirm_ether / confirm_ip / confirm_tcp)
+                    timestamp_src_fin_ack = update_timestamp(timestamp_confirm, pps, minDelay)
+                    source_fin_ack.time = timestamp_src_fin_ack
+                    attacker_seq += 1
+                    packets.append(source_fin_ack)
+
+                    # victim sends FIN ACK
+                    reply_tcp = TCP(sport=self.smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, window=destination_win_value, flags='FA')
+                    destination_fin_ack = (reply_ether / reply_ip / reply_tcp)
+                    timestamp_dest_fin_ack = update_timestamp(timestamp_src_fin_ack, pps, minDelay)
+                    victim_seq += 1
+                    destination_fin_ack.time = timestamp_dest_fin_ack
+                    packets.append(destination_fin_ack)
+
+                    # source sends final ACK
+                    confirm_tcp = TCP(sport=sport, dport=self.smb_port, seq=attacker_seq, ack=victim_seq, window=source_win_value, flags='A')
+                    final_ack = (confirm_ether / confirm_ip / confirm_tcp)
+                    timestamp_final_ack = update_timestamp(timestamp_dest_fin_ack, pps, minDelay)
+                    final_ack.time = timestamp_final_ack
+                    packets.append(final_ack)
+
+                else:
+                    # Build RST package
+                    reply_ether = Ether(src=mac_destination, dst=mac_source)
+                    reply_ip = IP(src=ip, dst=ip_source, ttl=destination_ttl_value, flags='DF')
+                    reply_tcp = TCP(sport=self.smb_port, dport=sport, seq=0, ack=attacker_seq, flags='RA', window=destination_win_value,
+                                    options=[('MSS', destination_mss_value)])
+                    reply = (reply_ether / reply_ip / reply_tcp)
+                    reply.time = timestamp_reply
+                    packets.append(reply)
+
+            pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), 10)
+            timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
+
+        # store end time of attack
+        self.attack_end_utime = packets[-1].time
+
+        # write attack packets to pcap
+        pcap_path = self.write_attack_pcap(sorted(packets, key=lambda pkt: pkt.time))
+
+        # return packets sorted by packet time_sec_start
+        return len(packets), pcap_path

code/ID2TLib/AttackController.py

@@ -81,7 +81,7 @@ class AttackController:
         # Write attack into pcap file
         print("Generating attack packets...", end=" ")
         sys.stdout.flush()  # force python to print text immediately
-        total_packets, temp_attack_pcap_path = self.current_attack.generate_attack_pcap()
+        total_packets, temp_attack_pcap_path = self.current_attack.generate_attack_pcap
         print("done. (total: " + str(total_packets) + " pkts.)")
 
         # Store label into LabelManager

code/ID2TLib/Statistics.py

@@ -499,6 +499,12 @@ class Statistics:
         result_dict = {key: value for (key, value) in result}
         return result_dict
 
+    def get_ip_address_count(self):
+        return self.process_db_query("SELECT COUNT(*) FROM ip_statistics")
+
+    def get_ip_addresses(self):
+        return self.process_db_query("SELECT ipAddress FROM ip_statistics")
+
     def get_random_ip_address(self, count: int = 1):
         """
         :param count: The number of IP addreses to return