SQLiAttack.py 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262
  1. import logging
  2. import random as rnd
  3. import lea
  4. import scapy.layers.inet as inet
  5. import scapy.utils
  6. import Attack.AttackParameters as atkParam
  7. import Attack.BaseAttack as BaseAttack
  8. import ID2TLib.Utility as Util
  9. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  10. # noinspection PyPep8
  11. class SQLiAttack(BaseAttack.BaseAttack):
  12. template_attack_pcap_path = Util.RESOURCE_DIR + "ATutorSQLi.pcap"
  13. # HTTP port
  14. http_port = 80
  15. # Metasploit experiments show this range of ports
  16. minDefaultPort = 30000
  17. maxDefaultPort = 50000
  18. def __init__(self):
  19. """
  20. Creates a new instance of the SQLi Attack.
  21. """
  22. # Initialize attack
  23. super(SQLiAttack, self).__init__("SQLi Attack", "Injects a SQLi attack'",
  24. "Privilege elevation")
  25. self.pkt_num = 0
  26. self.path_attack_pcap = None
  27. # Define allowed parameters and their type
  28. self.supported_params.update({
  29. atkParam.Parameter.MAC_SOURCE: atkParam.ParameterTypes.TYPE_MAC_ADDRESS,
  30. atkParam.Parameter.IP_SOURCE: atkParam.ParameterTypes.TYPE_IP_ADDRESS,
  31. atkParam.Parameter.MAC_DESTINATION: atkParam.ParameterTypes.TYPE_MAC_ADDRESS,
  32. atkParam.Parameter.IP_DESTINATION: atkParam.ParameterTypes.TYPE_IP_ADDRESS,
  33. atkParam.Parameter.PORT_DESTINATION: atkParam.ParameterTypes.TYPE_PORT,
  34. atkParam.Parameter.TARGET_HOST: atkParam.ParameterTypes.TYPE_DOMAIN,
  35. # atkParam.Parameter.TARGET_URI: atkParam.ParameterTypes.TYPE_URI,
  36. atkParam.Parameter.INJECT_AT_TIMESTAMP: atkParam.ParameterTypes.TYPE_FLOAT,
  37. atkParam.Parameter.INJECT_AFTER_PACKET: atkParam.ParameterTypes.TYPE_PACKET_POSITION,
  38. atkParam.Parameter.PACKET_LIMIT_PER_SECOND: atkParam.ParameterTypes.TYPE_FLOAT
  39. })
  40. def init_params(self):
  41. """
  42. Initialize the parameters of this attack using the user supplied command line parameters.
  43. Use the provided statistics to calculate default parameters and to process user
  44. supplied queries.
  45. """
  46. # PARAMETERS: initialize with default utilsvalues
  47. # (values are overwritten if user specifies them)
  48. # Attacker configuration
  49. most_used_ip_address = self.statistics.get_most_used_ip_address()
  50. self.add_param_value(atkParam.Parameter.IP_SOURCE, most_used_ip_address)
  51. self.add_param_value(atkParam.Parameter.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  52. # Victim configuration
  53. random_ip_address = self.statistics.get_random_ip_address()
  54. self.add_param_value(atkParam.Parameter.IP_DESTINATION, random_ip_address)
  55. destination_mac = self.statistics.get_mac_address(random_ip_address)
  56. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  57. destination_mac = self.generate_random_mac_address()
  58. self.add_param_value(atkParam.Parameter.MAC_DESTINATION, destination_mac)
  59. self.add_param_value(atkParam.Parameter.PORT_DESTINATION, self.http_port)
  60. # self.add_param_value(atkParam.Parameter.TARGET_URI, "/")
  61. self.add_param_value(atkParam.Parameter.TARGET_HOST, "www.hackme.com")
  62. # Attack configuration
  63. self.add_param_value(atkParam.Parameter.INJECT_AFTER_PACKET, rnd.randint(0, self.statistics.get_packet_count()))
  64. self.add_param_value(atkParam.Parameter.PACKET_LIMIT_PER_SECOND,
  65. (self.statistics.get_pps_sent(most_used_ip_address) +
  66. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  67. def generate_attack_packets(self):
  68. """
  69. Creates the attack packets.
  70. """
  71. # Timestamp
  72. timestamp_next_pkt = self.get_param_value(atkParam.Parameter.INJECT_AT_TIMESTAMP)
  73. pps = self.get_param_value(atkParam.Parameter.PACKET_LIMIT_PER_SECOND)
  74. # Calculate complement packet rates of BG traffic per interval
  75. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  76. # Initialize parameters
  77. self.packets = []
  78. mac_source = self.get_param_value(atkParam.Parameter.MAC_SOURCE)
  79. ip_source = self.get_param_value(atkParam.Parameter.IP_SOURCE)
  80. if isinstance(ip_source, list):
  81. ip_source = ip_source[0]
  82. mac_destination = self.get_param_value(atkParam.Parameter.MAC_DESTINATION)
  83. ip_destination = self.get_param_value(atkParam.Parameter.IP_DESTINATION)
  84. if isinstance(ip_destination, list):
  85. ip_destination = ip_destination[0]
  86. port_destination = self.get_param_value(atkParam.Parameter.PORT_DESTINATION)
  87. target_host = self.get_param_value(atkParam.Parameter.TARGET_HOST)
  88. target_uri = "/" # self.get_param_value(atkParam.Parameter.TARGET_URI)
  89. # Check ip.src == ip.dst
  90. self.ip_src_dst_equal_check(ip_source, ip_destination)
  91. # Set TTL based on TTL distribution of IP address
  92. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  93. if len(source_ttl_dist) > 0:
  94. source_ttl_prob_dict = lea.Lea.fromValFreqsDict(source_ttl_dist)
  95. source_ttl_value = source_ttl_prob_dict.random()
  96. else:
  97. source_ttl_value = Util.handle_most_used_outputs(self.statistics.get_most_used_ttl_value())
  98. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  99. if len(destination_ttl_dist) > 0:
  100. destination_ttl_prob_dict = lea.Lea.fromValFreqsDict(destination_ttl_dist)
  101. destination_ttl_value = destination_ttl_prob_dict.random()
  102. else:
  103. destination_ttl_value = Util.handle_most_used_outputs(
  104. self.statistics.get_most_used_ttl_value())
  105. # Inject SQLi Attack
  106. # Read SQLi Attack pcap file
  107. orig_ip_dst = None
  108. exploit_raw_packets = scapy.utils.RawPcapReader(self.template_attack_pcap_path)
  109. inter_arrival_times, inter_arrival_time_dist = self.get_inter_arrival_time(exploit_raw_packets, True)
  110. time_steps = lea.Lea.fromValFreqsDict(inter_arrival_time_dist)
  111. exploit_raw_packets.close()
  112. exploit_raw_packets = scapy.utils.RawPcapReader(self.template_attack_pcap_path)
  113. port_source = rnd.randint(self.minDefaultPort, self.maxDefaultPort) # experiments show this range of ports
  114. # Random TCP sequence numbers
  115. global attacker_seq
  116. attacker_seq = rnd.randint(1000, 50000)
  117. global victim_seq
  118. victim_seq = rnd.randint(1000, 50000)
  119. for self.pkt_num, pkt in enumerate(exploit_raw_packets):
  120. eth_frame = inet.Ether(pkt[0])
  121. ip_pkt = eth_frame.payload
  122. tcp_pkt = ip_pkt.payload
  123. str_tcp_seg = str(tcp_pkt.payload)
  124. # Clean payloads
  125. eth_frame.payload = b''
  126. ip_pkt.payload = b''
  127. tcp_pkt.payload = b''
  128. # FIXME: no getfieldval in class bytes
  129. if self.pkt_num == 0:
  130. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  131. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  132. # Last connection
  133. if tcp_pkt.getfieldval("dport") != 80 and tcp_pkt.getfieldval("sport") != 80:
  134. # New connection, new random TCP sequence numbers
  135. attacker_seq = rnd.randint(1000, 50000)
  136. victim_seq = rnd.randint(1000, 50000)
  137. # First packet in a connection has ACK = 0
  138. tcp_pkt.setfieldval("ack", 0)
  139. # Attacker --> vicitm
  140. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  141. # There are 363 TCP connections with different source ports, for each of them we generate random port
  142. if tcp_pkt.getfieldval("sport") != prev_orig_port_source and tcp_pkt.getfieldval("dport") != 4444 \
  143. and (tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80):
  144. port_source = rnd.randint(self.minDefaultPort, self.maxDefaultPort)
  145. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  146. # New connection, new random TCP sequence numbers
  147. attacker_seq = rnd.randint(1000, 50000)
  148. victim_seq = rnd.randint(1000, 50000)
  149. # First packet in a connection has ACK = 0
  150. tcp_pkt.setfieldval("ack", 0)
  151. # Ether
  152. eth_frame.setfieldval("src", mac_source)
  153. eth_frame.setfieldval("dst", mac_destination)
  154. # IP
  155. ip_pkt.setfieldval("src", ip_source)
  156. ip_pkt.setfieldval("dst", ip_destination)
  157. ip_pkt.setfieldval("ttl", source_ttl_value)
  158. # TCP
  159. # Regular connection
  160. if tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80:
  161. tcp_pkt.setfieldval("sport", port_source)
  162. tcp_pkt.setfieldval("dport", port_destination)
  163. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  164. # TCP Seq, Ack
  165. if tcp_pkt.getfieldval("ack") != 0:
  166. tcp_pkt.setfieldval("ack", victim_seq)
  167. tcp_pkt.setfieldval("seq", attacker_seq)
  168. if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  169. attacker_seq += max(len(str_tcp_seg), 1)
  170. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  171. new_pkt.time = timestamp_next_pkt
  172. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  173. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(time_steps.random())
  174. # Victim --> attacker
  175. else:
  176. # Ether
  177. eth_frame.setfieldval("src", mac_destination)
  178. eth_frame.setfieldval("dst", mac_source)
  179. # IP
  180. ip_pkt.setfieldval("src", ip_destination)
  181. ip_pkt.setfieldval("dst", ip_source)
  182. ip_pkt.setfieldval("ttl", destination_ttl_value)
  183. # TCP
  184. # Regular connection
  185. if tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80:
  186. tcp_pkt.setfieldval("dport", port_source)
  187. tcp_pkt.setfieldval("sport", port_destination)
  188. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  189. # TCP Seq, ACK
  190. tcp_pkt.setfieldval("ack", attacker_seq)
  191. tcp_pkt.setfieldval("seq", victim_seq)
  192. strLen = len(str_tcp_seg)
  193. if not (tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  194. victim_seq += max(strLen, 1)
  195. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  196. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(time_steps.random())
  197. new_pkt.time = timestamp_next_pkt
  198. self.packets.append(new_pkt)
  199. exploit_raw_packets.close()
  200. def generate_attack_pcap(self):
  201. """
  202. Creates a pcap containing the attack packets.
  203. :return: The location of the generated pcap file.
  204. """
  205. # Store timestamp of first packet (for attack label)
  206. self.attack_start_utime = self.packets[0].time
  207. self.attack_end_utime = self.packets[-1].time
  208. if len(self.packets) > 0:
  209. self.packets = sorted(self.packets, key=lambda pkt: pkt.time)
  210. self.path_attack_pcap = self.write_attack_pcap(self.packets, True, self.path_attack_pcap)
  211. # return self.packets sorted by packet time_sec_start
  212. # pkt_num+1: because pkt_num starts at 0
  213. return self.pkt_num + 1, self.path_attack_pcap