EternalBlueExploit.py 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307
  1. import logging
  2. from random import randint, uniform
  3. from lea import Lea
  4. from Attack import BaseAttack
  5. from Attack.AttackParameters import Parameter as Param
  6. from Attack.AttackParameters import ParameterTypes
  7. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  8. # noinspection PyPep8
  9. from scapy.utils import RawPcapReader
  10. from scapy.layers.inet import IP, Ether, TCP, RandShort
  11. class EternalBlueExploit(BaseAttack.BaseAttack):
  12. template_attack_pcap_path = "resources/Win7_eternalblue_scan.pcap"
  13. # SMB port
  14. smb_port = 445
  15. # Empirical values from Metasploit experiments
  16. minDefaultPort = 30000
  17. maxDefaultPort = 50000
  18. last_conn_dst_port = 4444
  19. def __init__(self, statistics, pcap_file_path):
  20. """
  21. Creates a new instance of the EternalBlue Exploit.
  22. :param statistics: A reference to the statistics class.
  23. """
  24. # Initialize attack
  25. super(EternalBlueExploit, self).__init__(statistics, "EternalBlue Exploit", "Injects an EternalBlue exploit'",
  26. "Resource Exhaustion")
  27. # Define allowed parameters and their type
  28. self.supported_params = {
  29. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  30. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  31. Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
  32. Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
  33. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  34. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  35. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  36. }
  37. # PARAMETERS: initialize with default utilsvalues
  38. # (values are overwritten if user specifies them)
  39. most_used_ip_address = self.statistics.get_most_used_ip_address()
  40. if isinstance(most_used_ip_address, list):
  41. most_used_ip_address = most_used_ip_address[0]
  42. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  43. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  44. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  45. self.add_param_value(Param.PACKETS_PER_SECOND,
  46. (self.statistics.get_pps_sent(most_used_ip_address) +
  47. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  48. # victim configuration
  49. random_ip_address = self.statistics.get_random_ip_address()
  50. self.add_param_value(Param.IP_DESTINATION, random_ip_address)
  51. destination_mac = self.statistics.get_mac_address(random_ip_address)
  52. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  53. destination_mac = self.generate_random_mac_address()
  54. self.add_param_value(Param.MAC_DESTINATION, destination_mac)
  55. def generate_attack_pcap(self):
  56. def update_timestamp(timestamp, pps):
  57. """
  58. Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
  59. :return: Timestamp to be used for the next packet.
  60. """
  61. # Calculate the request timestamp
  62. # A distribution to imitate the bursty behavior of traffic
  63. randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 20, 5 / pps: 7, 10 / pps: 3})
  64. return timestamp + uniform(1 / pps, randomdelay.random())
  65. def getIntervalPPS(complement_interval_pps, timestamp):
  66. """
  67. Gets the packet rate (pps) in specific time interval.
  68. :return: the corresponding packet rate for packet rate (pps) .
  69. """
  70. for row in complement_interval_pps:
  71. if timestamp<=row[0]:
  72. return row[1]
  73. return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
  74. # Timestamp
  75. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  76. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  77. # calculate complement packet rates of BG traffic per interval
  78. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  79. # Initialize parameters
  80. packets = []
  81. mac_source = self.get_param_value(Param.MAC_SOURCE)
  82. ip_source = self.get_param_value(Param.IP_SOURCE)
  83. mac_destination = self.get_param_value(Param.MAC_DESTINATION)
  84. ip_destination = self.get_param_value(Param.IP_DESTINATION)
  85. # check ip.src == ip.dst
  86. self.ip_src_dst_equal_check(ip_source, ip_destination)
  87. path_attack_pcap = None
  88. minDelay, maxDelay = self.get_reply_delay(ip_destination)
  89. # Set TTL based on TTL distribution of IP address
  90. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  91. if len(source_ttl_dist) > 0:
  92. source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
  93. source_ttl_value = source_ttl_prob_dict.random()
  94. else:
  95. source_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  96. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  97. if len(destination_ttl_dist) > 0:
  98. destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
  99. destination_ttl_value = destination_ttl_prob_dict.random()
  100. else:
  101. destination_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  102. # Scan (MS17) for EternalBlue
  103. # Read Win7_eternalblue_scan_vulnerable pcap file
  104. orig_ip_dst = None
  105. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  106. inter_arrival_time_dist = self.get_inter_arrival_time_dist(exploit_raw_packets)
  107. timeSteps = Lea.fromValFreqsDict(inter_arrival_time_dist)
  108. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  109. port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports
  110. for pkt_num, pkt in enumerate(exploit_raw_packets):
  111. eth_frame = Ether(pkt[0])
  112. ip_pkt = eth_frame.payload
  113. tcp_pkt = ip_pkt.payload
  114. if pkt_num == 0:
  115. if tcp_pkt.getfieldval("dport") == self.smb_port:
  116. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  117. # Request
  118. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  119. # Ether
  120. eth_frame.setfieldval("src", mac_source)
  121. eth_frame.setfieldval("dst", mac_destination)
  122. # IP
  123. ip_pkt.setfieldval("src", ip_source)
  124. ip_pkt.setfieldval("dst", ip_destination)
  125. ip_pkt.setfieldval("ttl", source_ttl_value)
  126. # TCP
  127. tcp_pkt.setfieldval("sport",port_source)
  128. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  129. new_pkt.time = timestamp_next_pkt
  130. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), 10)
  131. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  132. # Reply
  133. else:
  134. # Ether
  135. eth_frame.setfieldval("src", mac_destination)
  136. eth_frame.setfieldval("dst", mac_source)
  137. # IP
  138. ip_pkt.setfieldval("src", ip_destination)
  139. ip_pkt.setfieldval("dst", ip_source)
  140. ip_pkt.setfieldval("ttl", destination_ttl_value)
  141. # TCP
  142. tcp_pkt.setfieldval("dport", port_source)
  143. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  144. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  145. new_pkt.time = timestamp_next_pkt
  146. packets.append(new_pkt)
  147. # Inject EternalBlue exploit packets
  148. # Read Win7_eternalblue_exploit pcap file
  149. exploit_raw_packets = RawPcapReader("resources/Win7_eternalblue_exploit.pcap")
  150. port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports
  151. # conversations = {(ip.src, ip.dst, port.src, port.dst): packets}
  152. conversations, orderList_conversations = self.packetsToConvs(exploit_raw_packets)
  153. conv_start_timesamp = timestamp_next_pkt
  154. for conv_index, conv in enumerate(orderList_conversations):
  155. conv_start_timesamp = conv_start_timesamp + uniform(0.001,0.01) # the distance between the starts of the converstaions
  156. timestamp_next_pkt = conv_start_timesamp
  157. conv_pkts = conversations[conv]
  158. inter_arrival_time_dist = self.get_inter_arrival_time_dist(conv_pkts)
  159. timeSteps = Lea.fromValFreqsDict(inter_arrival_time_dist)
  160. if conv_index == len(orderList_conversations) - 2: # Not the last conversation
  161. timestamp_next_pkt = packets[-1].time + uniform(0.001,0.01)
  162. if conv_index != len(orderList_conversations)-1: # Not the last conversation
  163. port_source += 2
  164. for pkt_num, pkt in enumerate(conv_pkts):
  165. eth_frame = Ether(pkt[0])
  166. ip_pkt = eth_frame.payload
  167. tcp_pkt = ip_pkt.payload
  168. if pkt_num == 0:
  169. if tcp_pkt.getfieldval("dport") == self.smb_port:
  170. orig_ip_dst = ip_pkt.getfieldval("dst")
  171. # defining req/rep should be adapted to fit the last converstaion where
  172. # victim starts a connection with the attacker
  173. # Request
  174. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  175. # Ether
  176. eth_frame.setfieldval("src", mac_source)
  177. eth_frame.setfieldval("dst", mac_destination)
  178. # IP
  179. ip_pkt.setfieldval("src", ip_source)
  180. ip_pkt.setfieldval("dst", ip_destination)
  181. ip_pkt.setfieldval("ttl", source_ttl_value)
  182. # TCP
  183. tcp_pkt.setfieldval("sport", port_source)
  184. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  185. new_pkt.time = timestamp_next_pkt
  186. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), 10)
  187. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  188. # Reply
  189. else:
  190. # Ether
  191. eth_frame.setfieldval("src", mac_destination)
  192. eth_frame.setfieldval("dst", mac_source)
  193. # IP
  194. ip_pkt.setfieldval("src", ip_destination)
  195. ip_pkt.setfieldval("dst", ip_source)
  196. ip_pkt.setfieldval("ttl", destination_ttl_value)
  197. # TCP
  198. tcp_pkt.setfieldval("dport", port_source)
  199. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  200. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), 10)
  201. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  202. new_pkt.time = timestamp_next_pkt
  203. packets.append(new_pkt)
  204. else: # Last conversation where the victim start a connection with the attacker
  205. timestamp_next_pkt = packets[-1].time + uniform(0.001, 0.01)
  206. port_source = randint(self.minDefaultPort,self.maxDefaultPort)
  207. for pkt_num, pkt in enumerate(conv_pkts):
  208. eth_frame = Ether(pkt[0])
  209. ip_pkt = eth_frame.payload
  210. tcp_pkt = ip_pkt.payload
  211. # defining req/rep should be adapted to fit the last converstaion where
  212. # victim start a connection with the attacker
  213. # Request
  214. if tcp_pkt.getfieldval("dport") == self.last_conn_dst_port:
  215. # Ether
  216. eth_frame.setfieldval("src", mac_destination)
  217. eth_frame.setfieldval("dst", mac_source)
  218. # IP
  219. ip_pkt.setfieldval("src", ip_destination)
  220. ip_pkt.setfieldval("dst", ip_source)
  221. ip_pkt.setfieldval("ttl", destination_ttl_value)
  222. # TCP
  223. tcp_pkt.setfieldval("sport", port_source)
  224. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  225. new_pkt.time = timestamp_next_pkt
  226. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), 10)
  227. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  228. # Reply
  229. else:
  230. # Ether
  231. eth_frame.setfieldval("src", mac_source)
  232. eth_frame.setfieldval("dst", mac_destination)
  233. # IP
  234. ip_pkt.setfieldval("src", ip_source)
  235. ip_pkt.setfieldval("dst", ip_destination)
  236. ip_pkt.setfieldval("ttl", source_ttl_value)
  237. # TCP
  238. tcp_pkt.setfieldval("dport", port_source)
  239. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  240. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), 10)
  241. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  242. new_pkt.time = timestamp_next_pkt
  243. packets.append(new_pkt)
  244. # Store timestamp of first packet (for attack label)
  245. self.attack_start_utime = packets[0].time
  246. self.attack_end_utime = packets[-1].time
  247. if len(packets) > 0:
  248. packets = sorted(packets, key=lambda pkt: pkt.time)
  249. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  250. # return packets sorted by packet time_sec_start
  251. # pkt_num+1: because pkt_num starts at 0
  252. return pkt_num + 1, path_attack_pcap