ID2T-toolkit/code/Attack/EternalBlueExploit.py

# Created by Aidmar

import logging
import math
from operator import itemgetter
import operator
from random import randint, uniform

from lea import Lea

from Attack import BaseAttack
from Attack.AttackParameters import Parameter as Param
from Attack.AttackParameters import ParameterTypes

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
# noinspection PyPep8
from scapy.utils import RawPcapReader
from scapy.layers.inet import IP, Ether, TCP, RandShort

class EternalBlueExploit(BaseAttack.BaseAttack):
    # Metasploit default packet rate
    maxDefaultPPS = 100
    minDefaultPPS = 5
    # SMB port
    smb_port = 445
    # Metasploit experiments show this range of ports
    minDefaultPort = 30000
    maxDefaultPort = 50000
    last_conn_dst_port = 4444

    def __init__(self, statistics, pcap_file_path):
        """
        Creates a new instance of the EternalBlue Exploit.

        :param statistics: A reference to the statistics class.
        """
        # Initialize attack
        super(EternalBlueExploit, self).__init__(statistics, "EternalBlue Exploit", "Injects an EternalBlue exploit'",
                                        "Resource Exhaustion")

        # Define allowed parameters and their type
        self.supported_params = {
            Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
            Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
            #Param.PORT_SOURCE: ParameterTypes.TYPE_PORT,
            Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
            Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
            Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
            Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
            Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
        }

        # PARAMETERS: initialize with default utilsvalues
        # (values are overwritten if user specifies them)
        most_used_ip_address = self.statistics.get_most_used_ip_address()
        if isinstance(most_used_ip_address, list):
            most_used_ip_address = most_used_ip_address[0]
        self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
        self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
        self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
        #self.add_param_value(Param.PORT_SOURCE, str(RandShort()))
        self.add_param_value(Param.PACKETS_PER_SECOND,self.maxDefaultPPS)

        # victim configuration
        # TO-DO: confirm that ip.dst uses Win OS
        random_ip_address = self.statistics.get_random_ip_address()
        self.add_param_value(Param.IP_DESTINATION, random_ip_address)

        destination_mac = self.statistics.get_mac_address(random_ip_address)
        if isinstance(destination_mac, list) and len(destination_mac) == 0:
            destination_mac = self.generate_random_mac_address()
        self.add_param_value(Param.MAC_DESTINATION, destination_mac)

    def generate_attack_pcap(self):
        def update_timestamp(timestamp, pps, maxdelay):
            """
            Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.

            :return: Timestamp to be used for the next packet.
            """
            return timestamp + uniform(1 / pps, maxdelay)


        # Timestamp
        timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
        # TO-DO: find better pkt rate
        pps = self.get_param_value(Param.PACKETS_PER_SECOND)
        randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 30, 5 / pps: 15, 10 / pps: 3})

        # Aidmar
        # Calculate the complement packet rates of the background traffic packet rates per interval
        result = self.statistics.process_db_query(
            "SELECT timestamp,pktsCount FROM interval_statistics ORDER BY timestamp")
        print(result)
        bg_interval_pps = []
        intervalsSum = 0
        if result:
            # Get the interval in seconds
            for i, row in enumerate(result):
                if i < len(result) - 1:
                    intervalsSum += math.ceil((int(result[i + 1][0]) * 10 ** -6) - (int(row[0]) * 10 ** -6))
            interval = intervalsSum / (len(result) - 1)
            # Convert timestamp from micro to seconds, convert packet rate "per interval" to "per second"
            for row in result:
                bg_interval_pps.append((int(row[0]) * 10 ** -6, int(row[1] / interval)))
            # Find max PPS
            maxPPS = max(bg_interval_pps, key=itemgetter(1))[1]
            complement_interval_pps = []
            for row in bg_interval_pps:
                complement_interval_pps.append((row[0], int(pps * (maxPPS - row[1]) / maxPPS)))
            print(complement_interval_pps)

        def getIntervalPPS(timestamp):
            for row in complement_interval_pps:
                if timestamp <= row[0]:
                    return row[1]
            return complement_interval_pps[-1][1]  # in case the timstamp > capture max timestamp

        # Initialize parameters
        packets = []
        mac_source = self.get_param_value(Param.MAC_SOURCE)
        ip_source = self.get_param_value(Param.IP_SOURCE)
        #port_source = self.get_param_value(Param.PORT_SOURCE)
        mac_destination = self.get_param_value(Param.MAC_DESTINATION)
        ip_destination = self.get_param_value(Param.IP_DESTINATION)

        # Aidmar - check ip.src == ip.dst
        if ip_source == ip_destination:
            print("\nERROR: Invalid IP addresses; source IP is the same as destination IP: " + ip_source + ".")
            import sys
            sys.exit(0)

        path_attack_pcap = None
        replayDelay = self.get_reply_delay(ip_destination)

        # Scan (MS17) for EternalBlue
        # Read Win7_eternalblue_scan_vulnerable pcap file
        orig_ip_dst = None
        exploit_raw_packets = RawPcapReader("Win7_eternalblue_scan.pcap")

        port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports

        for pkt_num, pkt in enumerate(exploit_raw_packets):
            eth_frame = Ether(pkt[0])
            ip_pkt = eth_frame.payload
            tcp_pkt = ip_pkt.payload

            if pkt_num == 0:
                if tcp_pkt.getfieldval("dport") == self.smb_port:
                    orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP

            # Request
            if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
                # Ether
                eth_frame.setfieldval("src", mac_source)
                eth_frame.setfieldval("dst", mac_destination)
                # IP
                ip_pkt.setfieldval("src", ip_source)
                ip_pkt.setfieldval("dst", ip_destination)
                # TCP
                tcp_pkt.setfieldval("sport",port_source)

                new_pkt = (eth_frame / ip_pkt / tcp_pkt)
                new_pkt.time = timestamp_next_pkt

                maxdelay = randomdelay.random()
                pps = self.minDefaultPPS if getIntervalPPS(timestamp_next_pkt) is None else max(
                    getIntervalPPS(timestamp_next_pkt), self.minDefaultPPS)
                timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
            # Reply
            else:
                # Ether
                eth_frame.setfieldval("src", mac_destination)
                eth_frame.setfieldval("dst", mac_source)
                # IP
                ip_pkt.setfieldval("src", ip_destination)
                ip_pkt.setfieldval("dst", ip_source)
                # TCP
                tcp_pkt.setfieldval("dport", port_source)

                new_pkt = (eth_frame / ip_pkt / tcp_pkt)
                timestamp_next_pkt = timestamp_next_pkt + uniform(replayDelay, 2 * replayDelay)
                new_pkt.time = timestamp_next_pkt

            packets.append(new_pkt)


        # Inject EternalBlue exploit packets
        # Read Win7_eternalblue_exploit pcap file
        exploit_raw_packets = RawPcapReader("Win7_eternalblue_exploit.pcap")

        # Group the packets in conversations
        def packetsToConvs(exploit_raw_packets):
            conversations = {}
            orderList_conversations = []
            for pkt_num, pkt in enumerate(exploit_raw_packets):
                eth_frame = Ether(pkt[0])

                ip_pkt = eth_frame.payload
                ip_dst = ip_pkt.getfieldval("dst")
                ip_src = ip_pkt.getfieldval("src")

                tcp_pkt = ip_pkt.payload
                port_dst = tcp_pkt.getfieldval("dport")
                port_src = tcp_pkt.getfieldval("sport")

                conv_req = (ip_src, port_src, ip_dst, port_dst)
                conv_rep = (ip_dst, port_dst, ip_src, port_src)
                if conv_req not in conversations and conv_rep not in conversations:
                    pktList = [pkt]
                    conversations[conv_req] = pktList
                    # Order list of conv
                    orderList_conversations.append(conv_req)
                else:
                    if conv_req in conversations:
                        pktList = conversations[conv_req]
                        pktList.append(pkt)
                        conversations[conv_req] = pktList
                    else:
                        pktList = conversations[conv_rep]
                        pktList.append(pkt)
                        conversations[conv_rep] = pktList
            return (conversations,orderList_conversations)

        port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports
        # conversations = {(ip.src, ip.dst, port.src, port.dst): packets}
        temp_tuple = packetsToConvs(exploit_raw_packets)
        conversations = temp_tuple[0]
        orderList_conversations = temp_tuple[1]

        for conv_index, conv in enumerate(orderList_conversations):
            conv_pkts = conversations[conv]
            if conv_index != len(orderList_conversations)-1: # Not the last conversation
                port_source += 2
                for pkt_num, pkt in enumerate(conv_pkts):
                    eth_frame = Ether(pkt[0])
                    ip_pkt = eth_frame.payload
                    tcp_pkt = ip_pkt.payload

                    if pkt_num == 0:
                        if tcp_pkt.getfieldval("dport") == self.smb_port:
                            orig_ip_dst = ip_pkt.getfieldval("dst")


                    # defining req/rep should be adapted to fit the last converstaion where
                    # victim start a connection with the attacker
                    # Request
                    if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
                        # Ether
                        eth_frame.setfieldval("src", mac_source)
                        eth_frame.setfieldval("dst", mac_destination)
                        # IP
                        ip_pkt.setfieldval("src", ip_source)
                        ip_pkt.setfieldval("dst", ip_destination)
                        # TCP
                        tcp_pkt.setfieldval("sport", port_source)
                        new_pkt = (eth_frame / ip_pkt / tcp_pkt)
                        # TO-DO: reply should have different timestamp delay
                        new_pkt.time = timestamp_next_pkt

                        maxdelay = randomdelay.random()
                        pps = self.minDefaultPPS if getIntervalPPS(timestamp_next_pkt) is None else max(
                            getIntervalPPS(timestamp_next_pkt), self.minDefaultPPS)
                        timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
                        # Not perfect timestamp
                        #req_time = req_time + randomDelay ||  rep_time + randomDelay

                    # Reply
                    else:
                        # Ether
                        eth_frame.setfieldval("src", mac_destination)
                        eth_frame.setfieldval("dst", mac_source)
                        # IP
                        ip_pkt.setfieldval("src", ip_destination)
                        ip_pkt.setfieldval("dst", ip_source)
                        # TCP
                        tcp_pkt.setfieldval("dport", port_source)
                        new_pkt = (eth_frame / ip_pkt / tcp_pkt)
                        timestamp_next_pkt = timestamp_next_pkt + uniform(replayDelay, 2 * replayDelay)
                        new_pkt.time = timestamp_next_pkt
                        # Not perfect timestamp
                        # rep_time = req_time + replayDelay

                    packets.append(new_pkt)

            else: # Last conversation where the victim start a connection with the attacker
                port_source = randint(self.minDefaultPort,self.maxDefaultPort)
                for pkt_num, pkt in enumerate(conv_pkts):
                    eth_frame = Ether(pkt[0])
                    ip_pkt = eth_frame.payload
                    tcp_pkt = ip_pkt.payload

                    # defining req/rep should be adapted to fit the last converstaion where
                    # victim start a connection with the attacker
                    # Request
                    if tcp_pkt.getfieldval("dport") == self.last_conn_dst_port:
                        # Ether
                        eth_frame.setfieldval("src", mac_destination)
                        eth_frame.setfieldval("dst", mac_source)
                        # IP
                        ip_pkt.setfieldval("src", ip_destination)
                        ip_pkt.setfieldval("dst", ip_source)
                        # TCP
                        tcp_pkt.setfieldval("sport", port_source)
                        new_pkt = (eth_frame / ip_pkt / tcp_pkt)
                        # TO-DO: reply should have different timestamp delay
                        new_pkt.time = timestamp_next_pkt

                        maxdelay = randomdelay.random()
                        pps = self.minDefaultPPS if getIntervalPPS(timestamp_next_pkt) is None else max(
                            getIntervalPPS(timestamp_next_pkt), self.minDefaultPPS)
                        timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
                        # Not perfect timestamp
                        # req_time = req_time + randomDelay ||  rep_time + randomDelay

                    # Reply
                    else:
                        # Ether
                        eth_frame.setfieldval("src", mac_source)
                        eth_frame.setfieldval("dst", mac_destination)
                        # IP
                        ip_pkt.setfieldval("src", ip_source)
                        ip_pkt.setfieldval("dst", ip_destination)
                        # TCP
                        tcp_pkt.setfieldval("dport", port_source)
                        new_pkt = (eth_frame / ip_pkt / tcp_pkt)
                        timestamp_next_pkt = timestamp_next_pkt + uniform(replayDelay, 2 * replayDelay)
                        new_pkt.time = timestamp_next_pkt
                        # Not perfect timestamp
                        # rep_time = req_time + replayDelay

                    packets.append(new_pkt)


        # Store timestamp of first packet (for attack label)
        self.attack_start_utime = packets[0].time
        self.attack_end_utime = packets[-1].time

        if len(packets) > 0:
            packets = sorted(packets, key=lambda pkt: pkt.time)
            path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)

        # return packets sorted by packet time_sec_start
        # pkt_num+1: because pkt_num starts at 0
        return pkt_num + 1, path_attack_pcap