EternalBlueExploit.py 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325
  1. import logging
  2. import random as rnd
  3. import lea
  4. import scapy.layers.inet as inet
  5. import scapy.utils
  6. import Attack.AttackParameters as atkParam
  7. import Attack.BaseAttack as BaseAttack
  8. import ID2TLib.SMBLib as SMBLib
  9. import ID2TLib.Utility as Util
  10. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  11. # noinspection PyPep8
  12. class EternalBlueExploit(BaseAttack.BaseAttack):
  13. template_scan_pcap_path = Util.RESOURCE_DIR + "Win7_eternalblue_scan.pcap"
  14. template_attack_pcap_path = Util.RESOURCE_DIR + "Win7_eternalblue_exploit.pcap"
  15. # Empirical values from Metasploit experiments
  16. minDefaultPort = 30000
  17. maxDefaultPort = 50000
  18. last_conn_dst_port = 4444
  19. def __init__(self):
  20. """
  21. Creates a new instance of the EternalBlue Exploit.
  22. """
  23. # Initialize attack
  24. super(EternalBlueExploit, self).__init__("EternalBlue Exploit", "Injects an EternalBlue exploit'",
  25. "Privilege elevation")
  26. self.pkt_num = 0
  27. self.path_attack_pcap = None
  28. # Define allowed parameters and their type
  29. self.supported_params.update({
  30. atkParam.Parameter.MAC_SOURCE: atkParam.ParameterTypes.TYPE_MAC_ADDRESS,
  31. atkParam.Parameter.IP_SOURCE: atkParam.ParameterTypes.TYPE_IP_ADDRESS,
  32. atkParam.Parameter.PORT_SOURCE: atkParam.ParameterTypes.TYPE_PORT,
  33. atkParam.Parameter.MAC_DESTINATION: atkParam.ParameterTypes.TYPE_MAC_ADDRESS,
  34. atkParam.Parameter.IP_DESTINATION: atkParam.ParameterTypes.TYPE_IP_ADDRESS,
  35. atkParam.Parameter.PORT_DESTINATION: atkParam.ParameterTypes.TYPE_PORT,
  36. atkParam.Parameter.INJECT_AT_TIMESTAMP: atkParam.ParameterTypes.TYPE_FLOAT,
  37. atkParam.Parameter.INJECT_AFTER_PACKET: atkParam.ParameterTypes.TYPE_PACKET_POSITION,
  38. atkParam.Parameter.PACKETS_PER_SECOND: atkParam.ParameterTypes.TYPE_FLOAT
  39. })
  40. def init_params(self):
  41. """
  42. Initialize the parameters of this attack using the user supplied command line parameters.
  43. Use the provided statistics to calculate default parameters and to process user
  44. supplied queries.
  45. """
  46. # PARAMETERS: initialize with default utilsvalues
  47. # (values are overwritten if user specifies them)
  48. # Attacker configuration
  49. most_used_ip_address = self.statistics.get_most_used_ip_address()
  50. random_ip_address = self.statistics.get_random_ip_address()
  51. while random_ip_address == most_used_ip_address:
  52. random_ip_address = self.statistics.get_random_ip_address()
  53. self.add_param_value(atkParam.Parameter.IP_SOURCE, random_ip_address)
  54. self.add_param_value(atkParam.Parameter.MAC_SOURCE, self.statistics.get_mac_address(random_ip_address))
  55. self.add_param_value(atkParam.Parameter.PORT_SOURCE, rnd.randint(self.minDefaultPort, self.maxDefaultPort))
  56. # Victim configuration
  57. self.add_param_value(atkParam.Parameter.IP_DESTINATION, most_used_ip_address)
  58. destination_mac = self.statistics.get_mac_address(most_used_ip_address)
  59. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  60. destination_mac = self.generate_random_mac_address()
  61. self.add_param_value(atkParam.Parameter.MAC_DESTINATION, destination_mac)
  62. self.add_param_value(atkParam.Parameter.PORT_DESTINATION, SMBLib.smb_port)
  63. # Attack configuration
  64. self.add_param_value(atkParam.Parameter.PACKETS_PER_SECOND,
  65. (self.statistics.get_pps_sent(most_used_ip_address) +
  66. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  67. self.add_param_value(atkParam.Parameter.INJECT_AFTER_PACKET, rnd.randint(0, self.statistics.get_packet_count()))
  68. def generate_attack_packets(self):
  69. # Timestamp
  70. timestamp_next_pkt = self.get_param_value(atkParam.Parameter.INJECT_AT_TIMESTAMP)
  71. pps = self.get_param_value(atkParam.Parameter.PACKETS_PER_SECOND)
  72. # calculate complement packet rates of BG traffic per interval
  73. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  74. # Initialize parameters
  75. self.packets = []
  76. mac_source = self.get_param_value(atkParam.Parameter.MAC_SOURCE)
  77. ip_source = self.get_param_value(atkParam.Parameter.IP_SOURCE)
  78. # FIXME: why is port_source never used?
  79. port_source = self.get_param_value(atkParam.Parameter.PORT_SOURCE)
  80. mac_destination = self.get_param_value(atkParam.Parameter.MAC_DESTINATION)
  81. ip_destination = self.get_param_value(atkParam.Parameter.IP_DESTINATION)
  82. port_destination = self.get_param_value(atkParam.Parameter.PORT_DESTINATION)
  83. # Check ip.src == ip.dst
  84. self.ip_src_dst_equal_check(ip_source, ip_destination)
  85. # Set TTL based on TTL distribution of IP address
  86. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  87. if len(source_ttl_dist) > 0:
  88. source_ttl_prob_dict = lea.Lea.fromValFreqsDict(source_ttl_dist)
  89. source_ttl_value = source_ttl_prob_dict.random()
  90. else:
  91. source_ttl_value = Util.handle_most_used_outputs(self.statistics.get_most_used_ttl_value())
  92. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  93. if len(destination_ttl_dist) > 0:
  94. destination_ttl_prob_dict = lea.Lea.fromValFreqsDict(destination_ttl_dist)
  95. destination_ttl_value = destination_ttl_prob_dict.random()
  96. else:
  97. destination_ttl_value = Util.handle_most_used_outputs(
  98. self.statistics.get_most_used_ttl_value())
  99. # Set Window Size based on Window Size distribution of IP address
  100. source_win_dist = self.statistics.get_win_distribution(ip_source)
  101. if len(source_win_dist) > 0:
  102. source_win_prob_dict = lea.Lea.fromValFreqsDict(source_win_dist)
  103. else:
  104. source_win_dist = self.statistics.get_win_distribution(self.statistics.get_most_used_ip_address())
  105. source_win_prob_dict = lea.Lea.fromValFreqsDict(source_win_dist)
  106. destination_win_dist = self.statistics.get_win_distribution(ip_destination)
  107. if len(destination_win_dist) > 0:
  108. destination_win_prob_dict = lea.Lea.fromValFreqsDict(destination_win_dist)
  109. else:
  110. destination_win_dist = self.statistics.get_win_distribution(self.statistics.get_most_used_ip_address())
  111. destination_win_prob_dict = lea.Lea.fromValFreqsDict(destination_win_dist)
  112. # Set MSS (Maximum Segment Size) based on MSS distribution of IP address
  113. mss_value = Util.handle_most_used_outputs(self.statistics.get_most_used_mss_value())
  114. if not mss_value:
  115. mss_value = 1465
  116. # Inject EternalBlue exploit packets
  117. # Read Win7_eternalblue_exploit pcap file
  118. source_origin_wins, destination_origin_wins = {}, {}
  119. exploit_raw_packets = scapy.utils.RawPcapReader(self.template_attack_pcap_path)
  120. port_source = rnd.randint(self.minDefaultPort, self.maxDefaultPort) # experiments show this range of ports
  121. # conversations = {(ip.src, ip.dst, port.src, port.dst): packets}
  122. conversations, order_list_conversations = self.packets_to_convs(exploit_raw_packets)
  123. exploit_raw_packets.close()
  124. conv_start_timesamp = timestamp_next_pkt
  125. for conv_index, conv in enumerate(order_list_conversations):
  126. # the distance between the starts of the converstaions
  127. conv_start_timesamp = conv_start_timesamp + rnd.uniform(0.001, 0.01)
  128. timestamp_next_pkt = conv_start_timesamp
  129. conv_pkts = conversations[conv]
  130. inter_arrival_times = self.get_inter_arrival_time(conv_pkts)
  131. if conv_index == len(order_list_conversations) - 2: # Not the last conversation
  132. timestamp_next_pkt = self.packets[-1].time + rnd.uniform(0.001, 0.01)
  133. if conv_index != len(order_list_conversations) - 1: # Not the last conversation
  134. port_source += 2
  135. for self.pkt_num, pkt in enumerate(conv_pkts):
  136. eth_frame = inet.Ether(pkt[0])
  137. ip_pkt = eth_frame.payload
  138. tcp_pkt = ip_pkt.payload
  139. if self.pkt_num == 0:
  140. if tcp_pkt.getfieldval("dport") == SMBLib.smb_port:
  141. orig_ip_dst = ip_pkt.getfieldval("dst")
  142. # Request
  143. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  144. # Ether
  145. eth_frame.setfieldval("src", mac_source)
  146. eth_frame.setfieldval("dst", mac_destination)
  147. # IP
  148. ip_pkt.setfieldval("src", ip_source)
  149. ip_pkt.setfieldval("dst", ip_destination)
  150. ip_pkt.setfieldval("ttl", source_ttl_value)
  151. # TCP
  152. tcp_pkt.setfieldval("sport", port_source)
  153. tcp_pkt.setfieldval("dport", port_destination)
  154. # Window Size
  155. source_origin_win = tcp_pkt.getfieldval("window")
  156. if source_origin_win not in source_origin_wins:
  157. source_origin_wins[source_origin_win] = source_win_prob_dict.random()
  158. new_win = source_origin_wins[source_origin_win]
  159. tcp_pkt.setfieldval("window", new_win)
  160. # MSS
  161. tcp_options = tcp_pkt.getfieldval("options")
  162. if tcp_options:
  163. if tcp_options[0][0] == "MSS":
  164. tcp_options[0] = ("MSS", mss_value)
  165. tcp_pkt.setfieldval("options", tcp_options)
  166. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  167. new_pkt.time = timestamp_next_pkt
  168. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  169. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + inter_arrival_times[
  170. self.pkt_num] # float(timeSteps.random())
  171. # Reply
  172. else:
  173. # Ether
  174. eth_frame.setfieldval("src", mac_destination)
  175. eth_frame.setfieldval("dst", mac_source)
  176. # IP
  177. ip_pkt.setfieldval("src", ip_destination)
  178. ip_pkt.setfieldval("dst", ip_source)
  179. ip_pkt.setfieldval("ttl", destination_ttl_value)
  180. # TCP
  181. tcp_pkt.setfieldval("dport", port_source)
  182. tcp_pkt.setfieldval("sport", port_destination)
  183. # Window Size
  184. destination_origin_win = tcp_pkt.getfieldval("window")
  185. if destination_origin_win not in destination_origin_wins:
  186. destination_origin_wins[destination_origin_win] = destination_win_prob_dict.random()
  187. new_win = destination_origin_wins[destination_origin_win]
  188. tcp_pkt.setfieldval("window", new_win)
  189. # MSS
  190. tcp_options = tcp_pkt.getfieldval("options")
  191. if tcp_options:
  192. if tcp_options[0][0] == "MSS":
  193. tcp_options[0] = ("MSS", mss_value)
  194. tcp_pkt.setfieldval("options", tcp_options)
  195. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  196. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  197. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + inter_arrival_times[
  198. self.pkt_num] # float(timeSteps.random())
  199. new_pkt.time = timestamp_next_pkt
  200. self.packets.append(new_pkt)
  201. else: # Last conversation where the victim start a connection with the attacker
  202. timestamp_next_pkt = self.packets[-1].time + rnd.uniform(0.001, 0.01)
  203. port_source = rnd.randint(self.minDefaultPort, self.maxDefaultPort)
  204. for self.pkt_num, pkt in enumerate(conv_pkts):
  205. eth_frame = inet.Ether(pkt[0])
  206. ip_pkt = eth_frame.payload
  207. tcp_pkt = ip_pkt.payload
  208. # Request
  209. if tcp_pkt.getfieldval("dport") == self.last_conn_dst_port:
  210. # Ether
  211. eth_frame.setfieldval("src", mac_destination)
  212. eth_frame.setfieldval("dst", mac_source)
  213. # IP
  214. ip_pkt.setfieldval("src", ip_destination)
  215. ip_pkt.setfieldval("dst", ip_source)
  216. ip_pkt.setfieldval("ttl", destination_ttl_value)
  217. # TCP
  218. tcp_pkt.setfieldval("sport", port_source)
  219. # destination port is fixed 4444
  220. # Window Size
  221. destination_origin_win = tcp_pkt.getfieldval("window")
  222. if destination_origin_win not in destination_origin_wins:
  223. destination_origin_wins[destination_origin_win] = destination_win_prob_dict.random()
  224. new_win = destination_origin_wins[destination_origin_win]
  225. tcp_pkt.setfieldval("window", new_win)
  226. # MSS
  227. tcp_options = tcp_pkt.getfieldval("options")
  228. if tcp_options:
  229. if tcp_options[0][0] == "MSS":
  230. tcp_options[0] = ("MSS", mss_value)
  231. tcp_pkt.setfieldval("options", tcp_options)
  232. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  233. new_pkt.time = timestamp_next_pkt
  234. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  235. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + inter_arrival_times[
  236. self.pkt_num] # float(timeSteps.random())
  237. # Reply
  238. else:
  239. # Ether
  240. eth_frame.setfieldval("src", mac_source)
  241. eth_frame.setfieldval("dst", mac_destination)
  242. # IP
  243. ip_pkt.setfieldval("src", ip_source)
  244. ip_pkt.setfieldval("dst", ip_destination)
  245. ip_pkt.setfieldval("ttl", source_ttl_value)
  246. # TCP
  247. tcp_pkt.setfieldval("dport", port_source)
  248. # source port is fixed 4444
  249. # Window Size
  250. source_origin_win = tcp_pkt.getfieldval("window")
  251. if source_origin_win not in source_origin_wins:
  252. source_origin_wins[source_origin_win] = source_win_prob_dict.random()
  253. new_win = source_origin_wins[source_origin_win]
  254. tcp_pkt.setfieldval("window", new_win)
  255. # MSS
  256. tcp_options = tcp_pkt.getfieldval("options")
  257. if tcp_options:
  258. if tcp_options[0][0] == "MSS":
  259. tcp_options[0] = ("MSS", mss_value)
  260. tcp_pkt.setfieldval("options", tcp_options)
  261. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  262. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  263. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + inter_arrival_times[
  264. self.pkt_num] # float(timeSteps.random())
  265. new_pkt.time = timestamp_next_pkt
  266. self.packets.append(new_pkt)
  267. def generate_attack_pcap(self):
  268. # Store timestamp of first packet (for attack label)
  269. self.attack_start_utime = self.packets[0].time
  270. self.attack_end_utime = self.packets[-1].time
  271. if len(self.packets) > 0:
  272. self.packets = sorted(self.packets, key=lambda pkt: pkt.time)
  273. self.path_attack_pcap = self.write_attack_pcap(self.packets, True, self.path_attack_pcap)
  274. # return packets sorted by packet time_sec_start
  275. # pkt_num+1: because pkt_num starts at 0
  276. return self.pkt_num + 1, self.path_attack_pcap