SQLiAttack.py 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292
  1. import logging
  2. import random
  3. from lea import Lea
  4. from scapy.layers.inet import Ether
  5. from scapy.utils import RawPcapReader
  6. from Attack import BaseAttack
  7. from Attack.AttackParameters import Parameter as Param
  8. from Attack.AttackParameters import ParameterTypes
  9. import ID2TLib.Utility as Util
  10. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  11. # noinspection PyPep8
  12. class SQLiAttack(BaseAttack.BaseAttack):
  13. template_attack_pcap_path = Util.RESOURCE_DIR + "ATutorSQLi.pcap"
  14. # HTTP port
  15. http_port = 80
  16. # Metasploit experiments show this range of ports
  17. minDefaultPort = 30000
  18. maxDefaultPort = 50000
  19. def __init__(self):
  20. """
  21. Creates a new instance of the SQLi Attack.
  22. """
  23. # Initialize attack
  24. super(SQLiAttack, self).__init__("SQLi Attack", "Injects a SQLi attack'",
  25. "Privilege elevation")
  26. # Define allowed parameters and their type
  27. self.supported_params.update({
  28. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  29. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  30. Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
  31. Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
  32. Param.PORT_DESTINATION: ParameterTypes.TYPE_PORT,
  33. Param.TARGET_HOST: ParameterTypes.TYPE_DOMAIN,
  34. #Param.TARGET_URI: ParameterTypes.TYPE_URI,
  35. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  36. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  37. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  38. })
  39. def init_params(self):
  40. """
  41. Initialize the parameters of this attack using the user supplied command line parameters.
  42. Use the provided statistics to calculate default parameters and to process user
  43. supplied queries.
  44. """
  45. # PARAMETERS: initialize with default utilsvalues
  46. # (values are overwritten if user specifies them)
  47. # Attacker configuration
  48. most_used_ip_address = self.statistics.get_most_used_ip_address()
  49. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  50. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  51. # Victim configuration
  52. random_ip_address = self.statistics.get_random_ip_address()
  53. self.add_param_value(Param.IP_DESTINATION, random_ip_address)
  54. destination_mac = self.statistics.get_mac_address(random_ip_address)
  55. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  56. destination_mac = self.generate_random_mac_address()
  57. self.add_param_value(Param.MAC_DESTINATION, destination_mac)
  58. self.add_param_value(Param.PORT_DESTINATION, self.http_port)
  59. # self.add_param_value(Param.TARGET_URI, "/")
  60. self.add_param_value(Param.TARGET_HOST, "www.hackme.com")
  61. # Attack configuration
  62. self.add_param_value(Param.INJECT_AFTER_PACKET, random.randint(0, self.statistics.get_packet_count()))
  63. self.add_param_value(Param.PACKETS_PER_SECOND,
  64. (self.statistics.get_pps_sent(most_used_ip_address) +
  65. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  66. def generate_attack_pcap(self):
  67. # Timestamp
  68. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  69. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  70. # Calculate complement packet rates of BG traffic per interval
  71. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  72. # Initialize parameters
  73. packets = []
  74. mac_source = self.get_param_value(Param.MAC_SOURCE)
  75. ip_source = self.get_param_value(Param.IP_SOURCE)
  76. mac_destination = self.get_param_value(Param.MAC_DESTINATION)
  77. ip_destination = self.get_param_value(Param.IP_DESTINATION)
  78. port_destination = self.get_param_value(Param.PORT_DESTINATION)
  79. target_host = self.get_param_value(Param.TARGET_HOST)
  80. target_uri = "/" # self.get_param_value(Param.TARGET_URI)
  81. # Check ip.src == ip.dst
  82. self.ip_src_dst_equal_check(ip_source, ip_destination)
  83. path_attack_pcap = None
  84. # Set TTL based on TTL distribution of IP address
  85. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  86. if len(source_ttl_dist) > 0:
  87. source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
  88. source_ttl_value = source_ttl_prob_dict.random()
  89. else:
  90. source_ttl_value = Util.handle_most_used_outputs(self.statistics.process_db_query("most_used(ttlValue)"))
  91. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  92. if len(destination_ttl_dist) > 0:
  93. destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
  94. destination_ttl_value = destination_ttl_prob_dict.random()
  95. else:
  96. destination_ttl_value = Util.handle_most_used_outputs(self.statistics.process_db_query("most_used(ttlValue)"))
  97. # Inject SQLi Attack
  98. # Read SQLi Attack pcap file
  99. orig_ip_dst = None
  100. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  101. inter_arrival_times, inter_arrival_time_dist = self.get_inter_arrival_time(exploit_raw_packets,True)
  102. timeSteps = Lea.fromValFreqsDict(inter_arrival_time_dist)
  103. exploit_raw_packets.close()
  104. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  105. port_source = random.randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports
  106. # Random TCP sequence numbers
  107. global attacker_seq
  108. attacker_seq = random.randint(1000, 50000)
  109. global victim_seq
  110. victim_seq = random.randint(1000, 50000)
  111. for pkt_num, pkt in enumerate(exploit_raw_packets):
  112. eth_frame = Ether(pkt[0])
  113. ip_pkt = eth_frame.payload
  114. tcp_pkt = ip_pkt.payload
  115. str_tcp_seg = str(tcp_pkt.payload)
  116. # Clean payloads
  117. eth_frame.payload = b''
  118. ip_pkt.payload = b''
  119. tcp_pkt.payload = b''
  120. if pkt_num == 0:
  121. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  122. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  123. if tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80:
  124. # Attacker --> vicitm
  125. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  126. # There are 363 TCP connections with different source ports, for each of them we generate random port
  127. if tcp_pkt.getfieldval("sport") != prev_orig_port_source and tcp_pkt.getfieldval("dport") != 4444:
  128. port_source = random.randint(self.minDefaultPort, self.maxDefaultPort)
  129. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  130. # New connection, new random TCP sequence numbers
  131. attacker_seq = random.randint(1000, 50000)
  132. victim_seq = random.randint(1000, 50000)
  133. # First packet in a connection has ACK = 0
  134. tcp_pkt.setfieldval("ack", 0)
  135. # Ether
  136. eth_frame.setfieldval("src", mac_source)
  137. eth_frame.setfieldval("dst", mac_destination)
  138. # IP
  139. ip_pkt.setfieldval("src", ip_source)
  140. ip_pkt.setfieldval("dst", ip_destination)
  141. ip_pkt.setfieldval("ttl", source_ttl_value)
  142. # TCP
  143. tcp_pkt.setfieldval("sport",port_source)
  144. tcp_pkt.setfieldval("dport", port_destination)
  145. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  146. # TCP Seq, Ack
  147. if tcp_pkt.getfieldval("ack") != 0:
  148. tcp_pkt.setfieldval("ack", victim_seq)
  149. tcp_pkt.setfieldval("seq", attacker_seq)
  150. if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  151. attacker_seq += max(len(str_tcp_seg), 1)
  152. new_pkt = (eth_frame / ip_pkt/ tcp_pkt / str_tcp_seg)
  153. new_pkt.time = timestamp_next_pkt
  154. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  155. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  156. # Victim --> attacker
  157. else:
  158. # Ether
  159. eth_frame.setfieldval("src", mac_destination)
  160. eth_frame.setfieldval("dst", mac_source)
  161. # IP
  162. ip_pkt.setfieldval("src", ip_destination)
  163. ip_pkt.setfieldval("dst", ip_source)
  164. ip_pkt.setfieldval("ttl", destination_ttl_value)
  165. # TCP
  166. tcp_pkt.setfieldval("dport", port_source)
  167. tcp_pkt.setfieldval("sport", port_destination)
  168. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  169. # TCP Seq, ACK
  170. tcp_pkt.setfieldval("ack", attacker_seq)
  171. tcp_pkt.setfieldval("seq", victim_seq)
  172. strLen = len(str_tcp_seg)
  173. if not (tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  174. victim_seq += max(strLen, 1)
  175. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  176. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  177. new_pkt.time = timestamp_next_pkt
  178. # The last connection
  179. else:
  180. # New connection, new random TCP sequence numbers
  181. attacker_seq = random.randint(1000, 50000)
  182. victim_seq = random.randint(1000, 50000)
  183. # First packet in a connection has ACK = 0
  184. tcp_pkt.setfieldval("ack", 0)
  185. #port_source = random.randint(self.minDefaultPort, self.maxDefaultPort)
  186. # Attacker --> vicitm
  187. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  188. # Ether
  189. eth_frame.setfieldval("src", mac_source)
  190. eth_frame.setfieldval("dst", mac_destination)
  191. # IP
  192. ip_pkt.setfieldval("src", ip_source)
  193. ip_pkt.setfieldval("dst", ip_destination)
  194. ip_pkt.setfieldval("ttl", source_ttl_value)
  195. # TCP
  196. #tcp_pkt.setfieldval("sport", port_source)
  197. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  198. # TCP Seq, Ack
  199. if tcp_pkt.getfieldval("ack") != 0:
  200. tcp_pkt.setfieldval("ack", victim_seq)
  201. tcp_pkt.setfieldval("seq", attacker_seq)
  202. if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  203. attacker_seq += max(len(str_tcp_seg), 1)
  204. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  205. new_pkt.time = timestamp_next_pkt
  206. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  207. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  208. # Victim --> attacker
  209. else:
  210. # Ether
  211. eth_frame.setfieldval("src", mac_destination)
  212. eth_frame.setfieldval("dst", mac_source)
  213. # IP
  214. ip_pkt.setfieldval("src", ip_destination)
  215. ip_pkt.setfieldval("dst", ip_source)
  216. ip_pkt.setfieldval("ttl", destination_ttl_value)
  217. # TCP
  218. #tcp_pkt.setfieldval("dport", port_source)
  219. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  220. # TCP Seq, ACK
  221. tcp_pkt.setfieldval("ack", attacker_seq)
  222. tcp_pkt.setfieldval("seq", victim_seq)
  223. strLen = len(str_tcp_seg)
  224. if not (tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  225. victim_seq += max(strLen, 1)
  226. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  227. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  228. new_pkt.time = timestamp_next_pkt
  229. packets.append(new_pkt)
  230. exploit_raw_packets.close()
  231. # Store timestamp of first packet (for attack label)
  232. self.attack_start_utime = packets[0].time
  233. self.attack_end_utime = packets[-1].time
  234. if len(packets) > 0:
  235. packets = sorted(packets, key=lambda pkt: pkt.time)
  236. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  237. # return packets sorted by packet time_sec_start
  238. # pkt_num+1: because pkt_num starts at 0
  239. return pkt_num + 1, path_attack_pcap