123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378 |
- import logging
- from random import shuffle, randint, choice, uniform
- from lea import Lea
- from Attack import BaseAttack
- from Attack.AttackParameters import Parameter as Param
- from Attack.AttackParameters import ParameterTypes
- logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
- # noinspection PyPep8
- from scapy.layers.inet import IP, Ether, TCP
- from scapy.layers.smb import *
- from scapy.layers.netbios import *
- class SmbScanAttack(BaseAttack.BaseAttack):
- # SMB port
- smb_port = 445
- def __init__(self):
- """
- Creates a new instance of the SmbScanAttack.
- """
- # Initialize attack
- super(SmbScanAttack, self).__init__("SmbScan Attack", "Injects an SMB scan",
- "Scanning/Probing")
- # Define allowed parameters and their type
- self.supported_params = {
- Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
- Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
- Param.PORT_SOURCE: ParameterTypes.TYPE_PORT,
- Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
- Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
- Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
- Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
- Param.IP_SOURCE_RANDOMIZE: ParameterTypes.TYPE_BOOLEAN,
- Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT,
- Param.PORT_SOURCE_RANDOMIZE: ParameterTypes.TYPE_BOOLEAN,
- Param.IP_HOSTING: ParameterTypes.TYPE_IP_ADDRESS,
- Param.PROTOCOL_VERSION: ParameterTypes.TYPE_STRING
- }
- def init_params(self):
- """
- Initialize the parameters of this attack using the user supplied command line parameters.
- Use the provided statistics to calculate default parameters and to process user
- supplied queries.
- :param statistics: Reference to a statistics object.
- """
- # PARAMETERS: initialize with default values
- # (values are overwritten if user specifies them)
- most_used_ip_address = self.statistics.get_most_used_ip_address()
- if isinstance(most_used_ip_address, list):
- most_used_ip_address = most_used_ip_address[0]
- self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
- self.add_param_value(Param.IP_SOURCE_RANDOMIZE, 'False')
- self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
- all_ips = self.statistics.get_ip_addresses()
- if not isinstance(all_ips, list):
- ip_destinations = []
- ip_destinations.append(all_ips)
- else:
- ip_destinations = all_ips
- self.add_param_value(Param.IP_DESTINATION, ip_destinations)
- # MAYBE REMOVE/CHANGE THIS MAC STUFF
- #
- destination_mac = []
- for ip in ip_destinations:
- destination_mac.append(self.statistics.get_mac_address(str(ip)))
- if isinstance(destination_mac, list) and len(destination_mac) == 0:
- destination_mac = self.generate_random_mac_address()
- self.add_param_value(Param.MAC_DESTINATION, destination_mac)
- #
- #
- self.add_param_value(Param.PORT_SOURCE, randint(1024, 65535))
- self.add_param_value(Param.PORT_SOURCE_RANDOMIZE, 'False')
- self.add_param_value(Param.PACKETS_PER_SECOND,
- (self.statistics.get_pps_sent(most_used_ip_address) +
- self.statistics.get_pps_received(most_used_ip_address)) / 2)
- self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
- rnd_ip_count = self.statistics.get_ip_address_count()/2
- self.add_param_value(Param.IP_HOSTING, self.statistics.get_random_ip_address(rnd_ip_count))
- # maybe change to version 1 as default
- self.add_param_value(Param.PROTOCOL_VERSION, "2.1")
- @property
- def generate_attack_pcap(self):
- def update_timestamp(timestamp, pps, delay=0):
- """
- Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
- :return: Timestamp to be used for the next packet.
- """
- if delay == 0:
- # Calculate request timestamp
- # To imitate the bursty behavior of traffic
- randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 20, 5 / pps: 7, 10 / pps: 3})
- return timestamp + uniform(1/pps , randomdelay.random())
- else:
- # Calculate reply timestamp
- randomdelay = Lea.fromValFreqsDict({2*delay: 70, 3*delay: 20, 5*delay: 7, 10*delay: 3})
- return timestamp + uniform(1 / pps + delay, 1 / pps + randomdelay.random())
- def getIntervalPPS(complement_interval_pps, timestamp):
- """
- Gets the packet rate (pps) for a specific time interval.
- :param complement_interval_pps: an array of tuples (the last timestamp in the interval, the packet rate in the crresponding interval).
- :param timestamp: the timestamp at which the packet rate is required.
- :return: the corresponding packet rate (pps) .
- """
- for row in complement_interval_pps:
- if timestamp<=row[0]:
- return row[1]
- return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
- mac_source = self.get_param_value(Param.MAC_SOURCE)
- mac_dest = self.get_param_value(Param.MAC_DESTINATION)
- pps = self.get_param_value(Param.PACKETS_PER_SECOND)
- # Calculate complement packet rates of the background traffic for each interval
- complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
- if self.get_param_value(Param.PORT_SOURCE_RANDOMIZE):
- sport = randint(1, 65535)
- else:
- sport = self.get_param_value(Param.PORT_SOURCE)
- # Timestamp
- timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
- # store start time of attack
- self.attack_start_utime = timestamp_next_pkt
- timestamp_prv_reply, timestamp_confirm = 0,0
- # Initialize parameters
- ip_source = self.get_param_value(Param.IP_SOURCE)
- ip_destinations = self.get_param_value(Param.IP_DESTINATION)
- ip_hosting = self.get_param_value(Param.IP_HOSTING)
- packets = []
- # Check ip.src == ip.dst
- #self.ip_src_dst_equal_check(ip_source, ip_destination)
- # Set MSS (Maximum Segment Size) based on MSS distribution of IP address
- source_mss_dist = self.statistics.get_mss_distribution(ip_source)
- if len(source_mss_dist) > 0:
- source_mss_prob_dict = Lea.fromValFreqsDict(source_mss_dist)
- source_mss_value = source_mss_prob_dict.random()
- else:
- source_mss_value = self.statistics.process_db_query("most_used(mssValue)")
- # Set TTL based on TTL distribution of IP address
- source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
- if len(source_ttl_dist) > 0:
- source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
- source_ttl_value = source_ttl_prob_dict.random()
- else:
- source_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
- # Set Window Size based on Window Size distribution of IP address
- source_win_dist = self.statistics.get_win_distribution(ip_source)
- if len(source_win_dist) > 0:
- source_win_prob_dict = Lea.fromValFreqsDict(source_win_dist)
- source_win_value = source_win_prob_dict.random()
- else:
- source_win_value = self.statistics.process_db_query("most_used(winSize)")
- # ACTUAL ATTACK GOES HERE
- #print(len(mac_dest))
- #print(mac_destination)
- #print(len(ip_destinations))
- #print(ip_destinations)
- #print(ip_source)
- ip_dests = []
- if isinstance(ip_destinations, list):
- ip_dests = ip_destinations
- else:
- ip_dests.append(ip_destinations)
- #print(ip_dests)
- for ip in ip_dests:
- if ip != ip_source:
- # Get destination Mac Address
- #print(ip)
- mac_destination = self.statistics.get_mac_address(str(ip))
- if len(mac_destination) == 0:
- if isinstance(mac_dest, str):
- mac_destination = mac_dest
- else:
- mac_destination = self.generate_random_mac_address()
- #print(len(mac_destination))
- #print(mac_destination)
- #print(ip)
- # Set MSS (Maximum Segment Size) based on MSS distribution of IP address
- destination_mss_dist = self.statistics.get_mss_distribution(ip)
- if len(destination_mss_dist) > 0:
- destination_mss_prob_dict = Lea.fromValFreqsDict(destination_mss_dist)
- destination_mss_value = destination_mss_prob_dict.random()
- else:
- destination_mss_value = self.statistics.process_db_query("most_used(mssValue)")
- # Set TTL based on TTL distribution of IP address
- destination_ttl_dist = self.statistics.get_ttl_distribution(ip)
- if len(destination_ttl_dist) > 0:
- destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
- destination_ttl_value = destination_ttl_prob_dict.random()
- else:
- destination_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
- # Set Window Size based on Window Size distribution of IP address
- destination_win_dist = self.statistics.get_win_distribution(ip)
- if len(destination_win_dist) > 0:
- destination_win_prob_dict = Lea.fromValFreqsDict(destination_win_dist)
- destination_win_value = destination_win_prob_dict.random()
- else:
- destination_win_value = self.statistics.process_db_query("most_used(winSize)")
- minDelay, maxDelay = self.get_reply_delay(ip)
- # New connection, new random TCP sequence numbers
- attacker_seq = randint(1000, 50000)
- victim_seq = randint(1000, 50000)
- # 1) Build request package
- request_ether = Ether(src=mac_source, dst=mac_destination)
- request_ip = IP(src=ip_source, dst=ip, ttl=source_ttl_value, flags='DF')
- request_tcp = TCP(sport=sport, dport=self.smb_port, window=source_win_value, flags='S',
- seq=attacker_seq, options=[('MSS', source_mss_value)])
- attacker_seq += 1
- request = (request_ether / request_ip / request_tcp)
- request.time = timestamp_next_pkt
- # Append request
- packets.append(request)
- # Update timestamp for next package
- timestamp_reply = update_timestamp(timestamp_next_pkt, pps, minDelay)
- while (timestamp_reply <= timestamp_prv_reply):
- timestamp_reply = update_timestamp(timestamp_prv_reply, pps, minDelay)
- timestamp_prv_reply = timestamp_reply
- if ip in ip_hosting:
- # 2) Build TCP packages for ip that hosts SMB
- # destination sends SYN, ACK
- reply_ether = Ether(src=mac_destination, dst=mac_source)
- reply_ip = IP(src=ip, dst=ip_source, ttl=destination_ttl_value, flags='DF')
- reply_tcp = TCP(sport=self.smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, flags='SA', window=destination_win_value,
- options=[('MSS', destination_mss_value)])
- victim_seq += 1
- reply = (reply_ether / reply_ip / reply_tcp)
- reply.time = timestamp_reply
- packets.append(reply)
- # requester confirms, ACK
- confirm_ether = request_ether
- confirm_ip = request_ip
- confirm_tcp = TCP(sport=sport, dport=self.smb_port, seq=attacker_seq, ack=victim_seq, window=source_win_value, flags='A')
- confirm = (confirm_ether / confirm_ip / confirm_tcp)
- timestamp_confirm = update_timestamp(timestamp_reply, pps, minDelay)
- confirm.time = timestamp_confirm
- packets.append(confirm)
- # INSERT SMB-REQUEST PACKAGE HERE
- # CHECK FOR PROTOCOL VERSION?
- smb_MID = randint(1, 65535)
- smb_PID = randint(1, 65535)
- smb_req_tail = SMBNegociate_Protocol_Request_Tail()
- smb_req_head = SMBNegociate_Protocol_Request_Header(Flags2=0x2801, PID=smb_PID, MID=smb_MID)
- smb_req_length = len(smb_req_head) + len(smb_req_tail)
- smb_req_net_bio = NBTSession(TYPE=0x00, LENGTH=smb_req_length)
- smb_req_tcp = TCP(sport=sport, dport=self.smb_port, flags='PA', seq=attacker_seq, ack=victim_seq)
- smb_req_ip = IP(src=ip_source, dst=ip, ttl=source_ttl_value)
- smb_req_ether = Ether(src=mac_source, dst=mac_destination)
- attacker_seq += len(smb_req_net_bio) + len(smb_req_head) + len(smb_req_tail)
- smb_req_combined = (
- smb_req_ether / smb_req_ip / smb_req_tcp / smb_req_net_bio / smb_req_head / smb_req_tail)
- timestamp_smb_req = update_timestamp(timestamp_confirm, pps, minDelay)
- smb_req_combined.time = timestamp_smb_req
- packets.append(smb_req_combined)
- # destination confirms SMB request package
- reply_tcp = TCP(sport=self.smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, window=destination_win_value, flags='A')
- confirm_smb_req = (reply_ether / reply_ip / reply_tcp)
- timestamp_reply = update_timestamp(timestamp_smb_req, pps, minDelay)
- confirm_smb_req.time = timestamp_reply
- packets.append(confirm_smb_req)
- # INSERT SMB-RESPONSE PACKAGE HERE
- # CHECK FOR PROTOCOL VERSION?
- smb_rsp_paket = SMBNegociate_Protocol_Response_No_Security_No_Key()
- smb_rsp_length = len(smb_rsp_paket)
- smb_rsp_net_bio = NBTSession(TYPE=0x00, LENGTH=smb_rsp_length)
- smb_rsp_tcp = TCP(sport=self.smb_port, dport=sport, flags='PA', seq=victim_seq, ack=attacker_seq)
- smb_rsp_ip = IP(src=ip, dst=ip_source, ttl=destination_ttl_value)
- smb_rsp_ether = Ether(src=mac_destination, dst=mac_source)
- victim_seq += len(smb_rsp_net_bio) + len(smb_rsp_paket)
- smb_rsp_combined = (smb_rsp_ether / smb_rsp_ip / smb_rsp_tcp / smb_rsp_net_bio / smb_rsp_paket)
- timestamp_smb_rsp = update_timestamp(timestamp_reply, pps, minDelay)
- smb_rsp_combined.time = timestamp_smb_rsp
- packets.append(smb_rsp_combined)
- # source confirms SMB response package
- confirm_tcp = TCP(sport=sport, dport=self.smb_port, seq=attacker_seq, ack=victim_seq, window=source_win_value, flags='A')
- confirm_smb_res = (confirm_ether / confirm_ip / confirm_tcp)
- timestamp_confirm = update_timestamp(timestamp_smb_rsp, pps, minDelay)
- confirm_smb_res.time = timestamp_confirm
- packets.append(confirm_smb_res)
- # attacker sends FIN ACK
- confirm_tcp = TCP(sport=sport, dport=self.smb_port, seq=attacker_seq, ack=victim_seq, window=source_win_value, flags='FA')
- source_fin_ack = (confirm_ether / confirm_ip / confirm_tcp)
- timestamp_src_fin_ack = update_timestamp(timestamp_confirm, pps, minDelay)
- source_fin_ack.time = timestamp_src_fin_ack
- attacker_seq += 1
- packets.append(source_fin_ack)
- # victim sends FIN ACK
- reply_tcp = TCP(sport=self.smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, window=destination_win_value, flags='FA')
- destination_fin_ack = (reply_ether / reply_ip / reply_tcp)
- timestamp_dest_fin_ack = update_timestamp(timestamp_src_fin_ack, pps, minDelay)
- victim_seq += 1
- destination_fin_ack.time = timestamp_dest_fin_ack
- packets.append(destination_fin_ack)
- # source sends final ACK
- confirm_tcp = TCP(sport=sport, dport=self.smb_port, seq=attacker_seq, ack=victim_seq, window=source_win_value, flags='A')
- final_ack = (confirm_ether / confirm_ip / confirm_tcp)
- timestamp_final_ack = update_timestamp(timestamp_dest_fin_ack, pps, minDelay)
- final_ack.time = timestamp_final_ack
- packets.append(final_ack)
- else:
- # Build RST package
- reply_ether = Ether(src=mac_destination, dst=mac_source)
- reply_ip = IP(src=ip, dst=ip_source, ttl=destination_ttl_value, flags='DF')
- reply_tcp = TCP(sport=self.smb_port, dport=sport, seq=0, ack=attacker_seq, flags='RA', window=destination_win_value,
- options=[('MSS', destination_mss_value)])
- reply = (reply_ether / reply_ip / reply_tcp)
- reply.time = timestamp_reply
- packets.append(reply)
- pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), 10)
- timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
- # store end time of attack
- self.attack_end_utime = packets[-1].time
- # write attack packets to pcap
- pcap_path = self.write_attack_pcap(sorted(packets, key=lambda pkt: pkt.time))
- # return packets sorted by packet time_sec_start
- return len(packets), pcap_path
|