SPIN
/
ID2T-toolkit


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264
							from random import choice

from Core import Statistics
from ID2TLib.IPv4 import IPAddress

is_ipv4 = IPAddress.is_ipv4

class PcapAddressOperations():

    def __init__(self, statistics: Statistics, uncertain_ip_mult: int=3):
        """
        Initializes a pcap information extractor that uses the provided statistics for its operations.

        :param statistics: The statistics of the pcap file
        :param uncertain_ip_mult: the mutliplier to create new address space when the remaining observed space has been drained
        """
        self.statistics = statistics
        self.UNCERTAIN_IPSPACE_MULTIPLIER = uncertain_ip_mult

        stat_result = self.statistics.process_db_query("most_used(macAddress)", print_results=False)
        if isinstance(stat_result, list):
            self.probable_router_mac = choice(stat_result)
        else:
            self.probable_router_mac = stat_result

        self._init_ipaddress_ops()

    def get_probable_router_mac(self):
        """
        Returns the most probable router MAC address based on the most used MAC address in the statistics.
        :return: the MAC address
        """
        return self.probable_router_mac

    def pcap_contains_priv_ips(self):
        """
        Returns if the provided traffic contains private IPs.
        :return: True if the provided traffic contains private IPs, otherwise False
        """
        return self.contains_priv_ips

    def get_local_address_range(self):
        """
        Returns a tuple with the start and end of the observed local IP range.
        :return: The IP range as tuple
        """
        return str(self.min_local_ip), str(self.max_local_ip)

    def get_count_rem_local_ips(self):
        """
        Returns the number of local IPs in the pcap file that have not aldready been returned by get_existing_local_ips.
        :return: the not yet assigned local IPs
        """
        return len(self.remaining_local_ips)

    def get_existing_local_ips(self, count: int=1):
        """
        Returns the given number of local IPs that are existent in the pcap file.

        :param count: the number of local IPs to return
        :return: the chosen local IPs
        """

        if count > len(self.remaining_local_ips):
            print("Warning: There are no more {} local IPs in the .pcap file. Returning all remaining local IPs.".format(count))

        total = min(len(self.remaining_local_ips), count)

        retr_local_ips = []
        local_ips = self.remaining_local_ips
        for _ in range(0, total):
            random_local_ip = choice(sorted(local_ips))
            retr_local_ips.append(str(random_local_ip))
            local_ips.remove(random_local_ip)

        return retr_local_ips

    def get_new_local_ips(self, count: int=1):
        """
        Returns in the pcap not existent local IPs that are in proximity of the observed local IPs. IPs can be returned
        that are either between the minimum and maximum observed IP and are therefore considered certain
        or that are above the observed maximum address, are more likely to not belong to the local network 
        and are therefore considered uncertain.

        :param count: the number of new local IPs to return
        :return: the newly created local IP addresses
        """

        # add more unused local ips to the pool, if needed
        while len(self.unused_local_ips) < count and self.expand_unused_local_ips() == True:
            pass

        unused_local_ips = self.unused_local_ips
        uncertain_local_ips = self.uncertain_local_ips
        count_certain = min(count, len(unused_local_ips))
        retr_local_ips = []

        for _ in range(0, count_certain):
            random_local_ip = choice(sorted(unused_local_ips))
            retr_local_ips.append(str(random_local_ip))
            unused_local_ips.remove(random_local_ip)

        # retrieve uncertain local ips
        if count_certain < count:
            count_uncertain = count - count_certain

            # check if new uncertain IPs have to be created
            if len(uncertain_local_ips) < count_uncertain:
                ipspace_multiplier = self.UNCERTAIN_IPSPACE_MULTIPLIER

                max_new_ip = self.max_uncertain_local_ip.to_int() + ipspace_multiplier * count_uncertain

                count_new_ips = max_new_ip - self.max_uncertain_local_ip.to_int()

                # create ipspace_multiplier * count_uncertain new uncertain local IP addresses
                last_gen_ip = None
                for i in range(1, count_new_ips + 1):
                    ip = IPAddress.from_int(self.max_uncertain_local_ip.to_int() + i)
                    # exclude the definite broadcast address
                    if self.priv_ip_segment:
                        if ip.to_int() >= self.priv_ip_segment.last_address().to_int():
                            break
                    uncertain_local_ips.add(ip)
                    last_gen_ip = ip
                self.max_uncertain_local_ip = last_gen_ip

            # choose the uncertain IPs to return
            total_uncertain = min(count_uncertain, len(uncertain_local_ips))
            for _ in range(0, total_uncertain):
                random_local_ip = choice(sorted(uncertain_local_ips))
                retr_local_ips.append(str(random_local_ip))
                uncertain_local_ips.remove(random_local_ip)
            
        return retr_local_ips

    def get_existing_external_ips(self, count: int=1):
        """
        Returns the given number of external IPs that are existent in the pcap file.

        :param count: the number of external IPs to return
        :return: the chosen external IPs
        """

        if not (len(self.external_ips) > 0):
            print("Warning: .pcap does not contain any external ips.")
            return []

        total = min(len(self.remaining_external_ips), count)
        retr_external_ips = []
        external_ips = self.remaining_external_ips

        for _ in range(0, total):
            random_external_ip = choice(sorted(external_ips))
            retr_external_ips.append(str(random_external_ip))
            external_ips.remove(random_external_ip)

        return retr_external_ips

    def _init_ipaddress_ops(self):
        """
        Load and process data needed to perform functions on the IP addresses contained in the statistics
        """

        # retrieve local and external IPs
        all_ips_str = set(self.statistics.process_db_query("all(ipAddress)", print_results=False))
        # external_ips_str = set(self.statistics.process_db_query("ipAddress(macAddress=%s)" % self.get_probable_router_mac(), print_results=False))  # including router
        # local_ips_str = all_ips_str - external_ips_str
        external_ips = set()
        local_ips = set()
        all_ips = set()

        self.contains_priv_ips = False
        self.priv_ip_segment = None

        # convert IP strings to IPv4.IPAddress representation
        for ip in all_ips_str:
            if is_ipv4(ip):
                ip = IPAddress.parse(ip)
                # exclude local broadcast address and other special addresses
                if (not str(ip) == "255.255.255.255") and (not ip.is_localhost()) and (not ip.is_multicast()) and (
                not ip.is_reserved()) and (not ip.is_zero_conf()):
                    all_ips.add(ip)

        for ip in all_ips:
            if ip.is_private():
                local_ips.add(ip)

        external_ips = all_ips - local_ips

        # save the certain unused local IPs of the network
        # to do that, divide the unused local Addressspace into chunks of (chunks_size) Addresses
        # initally only the first chunk will be used, but more chunks can be added to the pool of unused_local_ips if needed
        self.min_local_ip, self.max_local_ip = min(local_ips), max(local_ips)
        local_ip_range = (self.max_local_ip.to_int()) - (self.min_local_ip.to_int() + 1)
        if local_ip_range < 0:
            # for min,max pairs like (1,1), (1,2) there is no free address in between, but for (1,1) local_ip_range may be -1, because 1-(1+1)=-1
            local_ip_range = 0

        # chunk size can be adjusted if needed
        self.chunk_size = 200

        self.current_chunk = 1
        if local_ip_range < self.chunk_size:
            # there are not more than chunk_size unused IP Addresses to begin with
            self.chunks = 0
            self.chunk_remainder = local_ip_range
        else:
            # determine how many chunks of (chunk_size) Addresses there are and the save the remainder
            self.chunks = local_ip_range // self.chunk_size
            self.chunk_remainder = local_ip_range % self.chunk_size

        # add the first chunk of IP Addresses
        self.unused_local_ips = set()
        self.expand_unused_local_ips()

        # save the gathered information for efficient later use
        self.external_ips = frozenset(external_ips)
        self.remaining_external_ips = external_ips
        self.max_uncertain_local_ip = self.max_local_ip
        self.local_ips = frozenset(local_ips)
        # print("External IPS: " + str(external_ips))
        # print("LOCAL IPS: " + str(local_ips))
        self.remaining_local_ips = local_ips
        self.uncertain_local_ips = set()

    def expand_unused_local_ips(self):
        """
        expands the set of unused_local_ips by one chunk_size
        to illustrate this algorithm: suppose we have a chunksize of 100 and an Address space of 1 to 1000 (1 and 1000 are unused too), we then have 10 chunks
        every time this method is called, one chunk (100 Addresses) is added, each chunk starts at the base_address + the number of its chunk
        then, every chunk_amounth'th Address is added. Therefore for 10 chunks, every 10th address is added
        For the above example for the first, second and last call, we get the following IPs, respectively:
        first Call:  1+0,  1+10,  1+20,  1+30, ...,  1+990
        second Call: 2+0,  2+10,  2+20,  2+30, ...,  2+990
        ten'th Call: 10+0, 10+10, 10+20, 10+30, ..., 10+990

        :return: False if there are no more available unusd local IP Addresses, True otherwise
        """

        if self.current_chunk == self.chunks+1:
            # all chunks are used up, therefore add the remainder
            remainder_base_addr = self.min_local_ip.to_int() + self.chunks*self.chunk_size + 1
            for i in range(0,self.chunk_remainder):
                ip = IPAddress.from_int(remainder_base_addr + i)
                self.unused_local_ips.add(ip)

            self.current_chunk = self.current_chunk + 1
            return True

        elif self.current_chunk <= self.chunks:
            # add another chunk
            # choose IPs from the whole address space, that is available
            base_address = self.min_local_ip.to_int() + self.current_chunk

            for i in range(0,self.chunk_size):
                ip = IPAddress.from_int(base_address + i*self.chunks)
                self.unused_local_ips.add(ip)

            self.current_chunk = self.current_chunk + 1
            return True

        else:
            # no free IPs remaining
            return False