PortscanAttack.py 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288
  1. import logging
  2. import csv
  3. from random import shuffle, randint, choice, uniform
  4. from lea import Lea
  5. from Attack import BaseAttack
  6. from Attack.AttackParameters import Parameter as Param
  7. from Attack.AttackParameters import ParameterTypes
  8. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  9. # noinspection PyPep8
  10. from scapy.layers.inet import IP, Ether, TCP
  11. class PortscanAttack(BaseAttack.BaseAttack):
  12. def __init__(self):
  13. """
  14. Creates a new instance of the PortscanAttack.
  15. """
  16. # Initialize attack
  17. super(PortscanAttack, self).__init__("Portscan Attack", "Injects a nmap 'regular scan'",
  18. "Scanning/Probing")
  19. # Define allowed parameters and their type
  20. self.supported_params = {
  21. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  22. Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
  23. Param.PORT_SOURCE: ParameterTypes.TYPE_PORT,
  24. Param.PORT_DESTINATION: ParameterTypes.TYPE_PORT,
  25. Param.PORT_OPEN: ParameterTypes.TYPE_PORT,
  26. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  27. Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
  28. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  29. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  30. Param.PORT_DEST_SHUFFLE: ParameterTypes.TYPE_BOOLEAN,
  31. Param.PORT_DEST_ORDER_DESC: ParameterTypes.TYPE_BOOLEAN,
  32. Param.IP_SOURCE_RANDOMIZE: ParameterTypes.TYPE_BOOLEAN,
  33. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT,
  34. Param.PORT_SOURCE_RANDOMIZE: ParameterTypes.TYPE_BOOLEAN
  35. }
  36. def init_params(self):
  37. """
  38. Initialize the parameters of this attack using the user supplied command line parameters.
  39. Use the provided statistics to calculate default parameters and to process user
  40. supplied queries.
  41. :param statistics: Reference to a statistics object.
  42. """
  43. # PARAMETERS: initialize with default values
  44. # (values are overwritten if user specifies them)
  45. most_used_ip_address = self.statistics.get_most_used_ip_address()
  46. if isinstance(most_used_ip_address, list):
  47. most_used_ip_address = most_used_ip_address[0]
  48. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  49. self.add_param_value(Param.IP_SOURCE_RANDOMIZE, 'False')
  50. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  51. random_ip_address = self.statistics.get_random_ip_address()
  52. # ip-dst should be valid and not equal to ip.src
  53. while not self.is_valid_ip_address(random_ip_address) or random_ip_address==most_used_ip_address:
  54. random_ip_address = self.statistics.get_random_ip_address()
  55. self.add_param_value(Param.IP_DESTINATION, random_ip_address)
  56. destination_mac = self.statistics.get_mac_address(random_ip_address)
  57. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  58. destination_mac = self.generate_random_mac_address()
  59. self.add_param_value(Param.MAC_DESTINATION, destination_mac)
  60. self.add_param_value(Param.PORT_DESTINATION, self.get_ports_from_nmap_service_dst(1000))
  61. self.add_param_value(Param.PORT_OPEN, '1')
  62. self.add_param_value(Param.PORT_DEST_SHUFFLE, 'False')
  63. self.add_param_value(Param.PORT_DEST_ORDER_DESC, 'False')
  64. self.add_param_value(Param.PORT_SOURCE, randint(1024, 65535))
  65. self.add_param_value(Param.PORT_SOURCE_RANDOMIZE, 'False')
  66. self.add_param_value(Param.PACKETS_PER_SECOND,
  67. (self.statistics.get_pps_sent(most_used_ip_address) +
  68. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  69. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  70. def get_ports_from_nmap_service_dst(self, ports_num):
  71. """
  72. Read the most ports_num frequently open ports from nmap-service-tcp file to be used in the port scan.
  73. :return: Ports numbers to be used as default destination ports or default open ports in the port scan.
  74. """
  75. ports_dst = []
  76. spamreader = csv.reader(open('resources/nmap-services-tcp.csv', 'rt'), delimiter=',')
  77. for count in range(ports_num):
  78. # escape first row (header)
  79. next(spamreader)
  80. # save ports numbers
  81. ports_dst.append(next(spamreader)[0])
  82. # shuffle ports numbers partially
  83. if (ports_num == 1000): # used for port.dst
  84. temp_array = [[0 for i in range(10)] for i in range(100)]
  85. port_dst_shuffled = []
  86. for count in range(0, 9):
  87. temp_array[count] = ports_dst[count * 100:count * 100 + 99]
  88. shuffle(temp_array[count])
  89. port_dst_shuffled += temp_array[count]
  90. else: # used for port.open
  91. shuffle(ports_dst)
  92. port_dst_shuffled = ports_dst
  93. return port_dst_shuffled
  94. def generate_attack_pcap(self):
  95. def update_timestamp(timestamp, pps, delay=0):
  96. """
  97. Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
  98. :return: Timestamp to be used for the next packet.
  99. """
  100. if delay == 0:
  101. # Calculate request timestamp
  102. # To imitate the bursty behavior of traffic
  103. randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 20, 5 / pps: 7, 10 / pps: 3})
  104. return timestamp + uniform(1/pps , randomdelay.random())
  105. else:
  106. # Calculate reply timestamp
  107. randomdelay = Lea.fromValFreqsDict({2*delay: 70, 3*delay: 20, 5*delay: 7, 10*delay: 3})
  108. return timestamp + uniform(1 / pps + delay, 1 / pps + randomdelay.random())
  109. def getIntervalPPS(complement_interval_pps, timestamp):
  110. """
  111. Gets the packet rate (pps) for a specific time interval.
  112. :param complement_interval_pps: an array of tuples (the last timestamp in the interval, the packet rate in the crresponding interval).
  113. :param timestamp: the timestamp at which the packet rate is required.
  114. :return: the corresponding packet rate (pps) .
  115. """
  116. for row in complement_interval_pps:
  117. if timestamp<=row[0]:
  118. return row[1]
  119. return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
  120. mac_source = self.get_param_value(Param.MAC_SOURCE)
  121. mac_destination = self.get_param_value(Param.MAC_DESTINATION)
  122. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  123. # Calculate complement packet rates of the background traffic for each interval
  124. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  125. # Determine ports
  126. dest_ports = self.get_param_value(Param.PORT_DESTINATION)
  127. if self.get_param_value(Param.PORT_DEST_ORDER_DESC):
  128. dest_ports.reverse()
  129. elif self.get_param_value(Param.PORT_DEST_SHUFFLE):
  130. shuffle(dest_ports)
  131. if self.get_param_value(Param.PORT_SOURCE_RANDOMIZE):
  132. sport = randint(1, 65535)
  133. else:
  134. sport = self.get_param_value(Param.PORT_SOURCE)
  135. # Timestamp
  136. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  137. # store start time of attack
  138. self.attack_start_utime = timestamp_next_pkt
  139. timestamp_prv_reply, timestamp_confirm = 0,0
  140. # Initialize parameters
  141. packets = []
  142. ip_source = self.get_param_value(Param.IP_SOURCE)
  143. ip_destination = self.get_param_value(Param.IP_DESTINATION)
  144. # Check ip.src == ip.dst
  145. self.ip_src_dst_equal_check(ip_source, ip_destination)
  146. # Select open ports
  147. ports_open = self.get_param_value(Param.PORT_OPEN)
  148. if ports_open == 1: # user did not specify open ports
  149. # the ports that were already used by ip.dst (direction in) in the background traffic are open ports
  150. ports_used_by_ip_dst = self.statistics.process_db_query(
  151. "SELECT portNumber FROM ip_ports WHERE portDirection='in' AND ipAddress='" + ip_destination + "'")
  152. if ports_used_by_ip_dst:
  153. ports_open = ports_used_by_ip_dst
  154. else: # if no ports were retrieved from database
  155. ports_open = self.statistics.process_db_query(
  156. "SELECT portNumber FROM ip_ports GROUP BY portNumber ORDER BY SUM(portCount) DESC LIMIT "+str(randint(1,10)))
  157. # in case of one open port, convert ports_open to array
  158. if not isinstance(ports_open, list):
  159. ports_open = [ports_open]
  160. # Set MSS (Maximum Segment Size) based on MSS distribution of IP address
  161. source_mss_dist = self.statistics.get_mss_distribution(ip_source)
  162. if len(source_mss_dist) > 0:
  163. source_mss_prob_dict = Lea.fromValFreqsDict(source_mss_dist)
  164. source_mss_value = source_mss_prob_dict.random()
  165. else:
  166. source_mss_value = self.statistics.process_db_query("most_used(mssValue)")
  167. destination_mss_dist = self.statistics.get_mss_distribution(ip_destination)
  168. if len(destination_mss_dist) > 0:
  169. destination_mss_prob_dict = Lea.fromValFreqsDict(destination_mss_dist)
  170. destination_mss_value = destination_mss_prob_dict.random()
  171. else:
  172. destination_mss_value = self.statistics.process_db_query("most_used(mssValue)")
  173. # Set TTL based on TTL distribution of IP address
  174. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  175. if len(source_ttl_dist) > 0:
  176. source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
  177. source_ttl_value = source_ttl_prob_dict.random()
  178. else:
  179. source_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  180. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  181. if len(destination_ttl_dist) > 0:
  182. destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
  183. destination_ttl_value = destination_ttl_prob_dict.random()
  184. else:
  185. destination_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  186. # Set Window Size based on Window Size distribution of IP address
  187. source_win_dist = self.statistics.get_win_distribution(ip_source)
  188. if len(source_win_dist) > 0:
  189. source_win_prob_dict = Lea.fromValFreqsDict(source_win_dist)
  190. source_win_value = source_win_prob_dict.random()
  191. else:
  192. source_win_value = self.statistics.process_db_query("most_used(winSize)")
  193. destination_win_dist = self.statistics.get_win_distribution(ip_destination)
  194. if len(destination_win_dist) > 0:
  195. destination_win_prob_dict = Lea.fromValFreqsDict(destination_win_dist)
  196. destination_win_value = destination_win_prob_dict.random()
  197. else:
  198. destination_win_value = self.statistics.process_db_query("most_used(winSize)")
  199. minDelay,maxDelay = self.get_reply_delay(ip_destination)
  200. for dport in dest_ports:
  201. # Parameters changing each iteration
  202. if self.get_param_value(Param.IP_SOURCE_RANDOMIZE) and isinstance(ip_source, list):
  203. ip_source = choice(ip_source)
  204. # 1) Build request package
  205. request_ether = Ether(src=mac_source, dst=mac_destination)
  206. request_ip = IP(src=ip_source, dst=ip_destination, ttl=source_ttl_value)
  207. # Random src port for each packet
  208. sport = randint(1, 65535)
  209. request_tcp = TCP(sport=sport, dport=dport, window= source_win_value, flags='S', options=[('MSS', source_mss_value)])
  210. request = (request_ether / request_ip / request_tcp)
  211. request.time = timestamp_next_pkt
  212. # Append request
  213. packets.append(request)
  214. # 2) Build reply (for open ports) package
  215. if dport in ports_open: # destination port is OPEN
  216. reply_ether = Ether(src=mac_destination, dst=mac_source)
  217. reply_ip = IP(src=ip_destination, dst=ip_source, ttl=destination_ttl_value, flags='DF')
  218. reply_tcp = TCP(sport=dport, dport=sport, seq=0, ack=1, flags='SA', window=destination_win_value,
  219. options=[('MSS', destination_mss_value)])
  220. reply = (reply_ether / reply_ip / reply_tcp)
  221. timestamp_reply = update_timestamp(timestamp_next_pkt,pps,minDelay)
  222. while (timestamp_reply <= timestamp_prv_reply):
  223. timestamp_reply = update_timestamp(timestamp_prv_reply,pps,minDelay)
  224. timestamp_prv_reply = timestamp_reply
  225. reply.time = timestamp_reply
  226. packets.append(reply)
  227. # requester confirms
  228. confirm_ether = request_ether
  229. confirm_ip = request_ip
  230. confirm_tcp = TCP(sport=sport, dport=dport, seq=1, window=0, flags='R')
  231. confirm = (confirm_ether / confirm_ip / confirm_tcp)
  232. timestamp_confirm = update_timestamp(timestamp_reply,pps,minDelay)
  233. confirm.time = timestamp_confirm
  234. packets.append(confirm)
  235. # else: destination port is NOT OPEN -> no reply is sent by target
  236. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt),10)
  237. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
  238. # store end time of attack
  239. self.attack_end_utime = packets[-1].time
  240. # write attack packets to pcap
  241. pcap_path = self.write_attack_pcap(sorted(packets, key=lambda pkt: pkt.time))
  242. # return packets sorted by packet time_sec_start
  243. return len(packets), pcap_path