# Created by Aidmar import logging import math from operator import itemgetter import operator from random import randint, uniform from lea import Lea from Attack import BaseAttack from Attack.AttackParameters import Parameter as Param from Attack.AttackParameters import ParameterTypes logging.getLogger("scapy.runtime").setLevel(logging.ERROR) # noinspection PyPep8 from scapy.utils import RawPcapReader from scapy.layers.inet import IP, Ether, TCP, RandShort class EternalBlueExploit(BaseAttack.BaseAttack): # Metasploit default packet rate maxDefaultPPS = 100 minDefaultPPS = 5 # SMB port smb_port = 445 # Metasploit experiments show this range of ports minDefaultPort = 30000 maxDefaultPort = 50000 last_conn_dst_port = 4444 def __init__(self, statistics, pcap_file_path): """ Creates a new instance of the EternalBlue Exploit. :param statistics: A reference to the statistics class. """ # Initialize attack super(EternalBlueExploit, self).__init__(statistics, "EternalBlue Exploit", "Injects an EternalBlue exploit'", "Resource Exhaustion") # Define allowed parameters and their type self.supported_params = { Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS, Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS, #Param.PORT_SOURCE: ParameterTypes.TYPE_PORT, Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS, Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS, Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT, Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION, Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT } # PARAMETERS: initialize with default utilsvalues # (values are overwritten if user specifies them) most_used_ip_address = self.statistics.get_most_used_ip_address() if isinstance(most_used_ip_address, list): most_used_ip_address = most_used_ip_address[0] self.add_param_value(Param.IP_SOURCE, most_used_ip_address) self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address)) self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count())) #self.add_param_value(Param.PORT_SOURCE, str(RandShort())) self.add_param_value(Param.PACKETS_PER_SECOND,self.maxDefaultPPS) # victim configuration # TO-DO: confirm that ip.dst uses Win OS random_ip_address = self.statistics.get_random_ip_address() self.add_param_value(Param.IP_DESTINATION, random_ip_address) destination_mac = self.statistics.get_mac_address(random_ip_address) if isinstance(destination_mac, list) and len(destination_mac) == 0: destination_mac = self.generate_random_mac_address() self.add_param_value(Param.MAC_DESTINATION, destination_mac) def generate_attack_pcap(self): def update_timestamp(timestamp, pps, maxdelay): """ Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay. :return: Timestamp to be used for the next packet. """ return timestamp + uniform(1 / pps, maxdelay) # Timestamp timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP) # TO-DO: find better pkt rate pps = self.get_param_value(Param.PACKETS_PER_SECOND) randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 30, 5 / pps: 15, 10 / pps: 3}) # Aidmar # Calculate the complement packet rates of the background traffic packet rates per interval result = self.statistics.process_db_query( "SELECT timestamp,pktsCount FROM interval_statistics ORDER BY timestamp") print(result) bg_interval_pps = [] intervalsSum = 0 if result: # Get the interval in seconds for i, row in enumerate(result): if i < len(result) - 1: intervalsSum += math.ceil((int(result[i + 1][0]) * 10 ** -6) - (int(row[0]) * 10 ** -6)) interval = intervalsSum / (len(result) - 1) # Convert timestamp from micro to seconds, convert packet rate "per interval" to "per second" for row in result: bg_interval_pps.append((int(row[0]) * 10 ** -6, int(row[1] / interval))) # Find max PPS maxPPS = max(bg_interval_pps, key=itemgetter(1))[1] complement_interval_pps = [] for row in bg_interval_pps: complement_interval_pps.append((row[0], int(pps * (maxPPS - row[1]) / maxPPS))) print(complement_interval_pps) def getIntervalPPS(timestamp): for row in complement_interval_pps: if timestamp <= row[0]: return row[1] return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp # Initialize parameters packets = [] mac_source = self.get_param_value(Param.MAC_SOURCE) ip_source = self.get_param_value(Param.IP_SOURCE) #port_source = self.get_param_value(Param.PORT_SOURCE) mac_destination = self.get_param_value(Param.MAC_DESTINATION) ip_destination = self.get_param_value(Param.IP_DESTINATION) # Aidmar - check ip.src == ip.dst if ip_source == ip_destination: print("\nERROR: Invalid IP addresses; source IP is the same as destination IP: " + ip_source + ".") import sys sys.exit(0) path_attack_pcap = None replayDelay = self.get_reply_delay(ip_destination) # Scan (MS17) for EternalBlue # Read Win7_eternalblue_scan_vulnerable pcap file orig_ip_dst = None exploit_raw_packets = RawPcapReader("Win7_eternalblue_scan.pcap") port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports for pkt_num, pkt in enumerate(exploit_raw_packets): eth_frame = Ether(pkt[0]) ip_pkt = eth_frame.payload tcp_pkt = ip_pkt.payload if pkt_num == 0: if tcp_pkt.getfieldval("dport") == self.smb_port: orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP # Request if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP # Ether eth_frame.setfieldval("src", mac_source) eth_frame.setfieldval("dst", mac_destination) # IP ip_pkt.setfieldval("src", ip_source) ip_pkt.setfieldval("dst", ip_destination) # TCP tcp_pkt.setfieldval("sport",port_source) new_pkt = (eth_frame / ip_pkt / tcp_pkt) new_pkt.time = timestamp_next_pkt maxdelay = randomdelay.random() pps = self.minDefaultPPS if getIntervalPPS(timestamp_next_pkt) is None else max( getIntervalPPS(timestamp_next_pkt), self.minDefaultPPS) timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay) # Reply else: # Ether eth_frame.setfieldval("src", mac_destination) eth_frame.setfieldval("dst", mac_source) # IP ip_pkt.setfieldval("src", ip_destination) ip_pkt.setfieldval("dst", ip_source) # TCP tcp_pkt.setfieldval("dport", port_source) new_pkt = (eth_frame / ip_pkt / tcp_pkt) timestamp_next_pkt = timestamp_next_pkt + uniform(replayDelay, 2 * replayDelay) new_pkt.time = timestamp_next_pkt packets.append(new_pkt) # Inject EternalBlue exploit packets # Read Win7_eternalblue_exploit pcap file exploit_raw_packets = RawPcapReader("Win7_eternalblue_exploit.pcap") # Group the packets in conversations def packetsToConvs(exploit_raw_packets): conversations = {} orderList_conversations = [] for pkt_num, pkt in enumerate(exploit_raw_packets): eth_frame = Ether(pkt[0]) ip_pkt = eth_frame.payload ip_dst = ip_pkt.getfieldval("dst") ip_src = ip_pkt.getfieldval("src") tcp_pkt = ip_pkt.payload port_dst = tcp_pkt.getfieldval("dport") port_src = tcp_pkt.getfieldval("sport") conv_req = (ip_src, port_src, ip_dst, port_dst) conv_rep = (ip_dst, port_dst, ip_src, port_src) if conv_req not in conversations and conv_rep not in conversations: pktList = [pkt] conversations[conv_req] = pktList # Order list of conv orderList_conversations.append(conv_req) else: if conv_req in conversations: pktList = conversations[conv_req] pktList.append(pkt) conversations[conv_req] = pktList else: pktList = conversations[conv_rep] pktList.append(pkt) conversations[conv_rep] = pktList return (conversations,orderList_conversations) port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports # conversations = {(ip.src, ip.dst, port.src, port.dst): packets} temp_tuple = packetsToConvs(exploit_raw_packets) conversations = temp_tuple[0] orderList_conversations = temp_tuple[1] for conv_index, conv in enumerate(orderList_conversations): conv_pkts = conversations[conv] if conv_index != len(orderList_conversations)-1: # Not the last conversation port_source += 2 for pkt_num, pkt in enumerate(conv_pkts): eth_frame = Ether(pkt[0]) ip_pkt = eth_frame.payload tcp_pkt = ip_pkt.payload if pkt_num == 0: if tcp_pkt.getfieldval("dport") == self.smb_port: orig_ip_dst = ip_pkt.getfieldval("dst") # defining req/rep should be adapted to fit the last converstaion where # victim start a connection with the attacker # Request if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP # Ether eth_frame.setfieldval("src", mac_source) eth_frame.setfieldval("dst", mac_destination) # IP ip_pkt.setfieldval("src", ip_source) ip_pkt.setfieldval("dst", ip_destination) # TCP tcp_pkt.setfieldval("sport", port_source) new_pkt = (eth_frame / ip_pkt / tcp_pkt) # TO-DO: reply should have different timestamp delay new_pkt.time = timestamp_next_pkt maxdelay = randomdelay.random() pps = self.minDefaultPPS if getIntervalPPS(timestamp_next_pkt) is None else max( getIntervalPPS(timestamp_next_pkt), self.minDefaultPPS) timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay) # Not perfect timestamp #req_time = req_time + randomDelay || rep_time + randomDelay # Reply else: # Ether eth_frame.setfieldval("src", mac_destination) eth_frame.setfieldval("dst", mac_source) # IP ip_pkt.setfieldval("src", ip_destination) ip_pkt.setfieldval("dst", ip_source) # TCP tcp_pkt.setfieldval("dport", port_source) new_pkt = (eth_frame / ip_pkt / tcp_pkt) timestamp_next_pkt = timestamp_next_pkt + uniform(replayDelay, 2 * replayDelay) new_pkt.time = timestamp_next_pkt # Not perfect timestamp # rep_time = req_time + replayDelay packets.append(new_pkt) else: # Last conversation where the victim start a connection with the attacker port_source = randint(self.minDefaultPort,self.maxDefaultPort) for pkt_num, pkt in enumerate(conv_pkts): eth_frame = Ether(pkt[0]) ip_pkt = eth_frame.payload tcp_pkt = ip_pkt.payload # defining req/rep should be adapted to fit the last converstaion where # victim start a connection with the attacker # Request if tcp_pkt.getfieldval("dport") == self.last_conn_dst_port: # Ether eth_frame.setfieldval("src", mac_destination) eth_frame.setfieldval("dst", mac_source) # IP ip_pkt.setfieldval("src", ip_destination) ip_pkt.setfieldval("dst", ip_source) # TCP tcp_pkt.setfieldval("sport", port_source) new_pkt = (eth_frame / ip_pkt / tcp_pkt) # TO-DO: reply should have different timestamp delay new_pkt.time = timestamp_next_pkt maxdelay = randomdelay.random() pps = self.minDefaultPPS if getIntervalPPS(timestamp_next_pkt) is None else max( getIntervalPPS(timestamp_next_pkt), self.minDefaultPPS) timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay) # Not perfect timestamp # req_time = req_time + randomDelay || rep_time + randomDelay # Reply else: # Ether eth_frame.setfieldval("src", mac_source) eth_frame.setfieldval("dst", mac_destination) # IP ip_pkt.setfieldval("src", ip_source) ip_pkt.setfieldval("dst", ip_destination) # TCP tcp_pkt.setfieldval("dport", port_source) new_pkt = (eth_frame / ip_pkt / tcp_pkt) timestamp_next_pkt = timestamp_next_pkt + uniform(replayDelay, 2 * replayDelay) new_pkt.time = timestamp_next_pkt # Not perfect timestamp # rep_time = req_time + replayDelay packets.append(new_pkt) # Store timestamp of first packet (for attack label) self.attack_start_utime = packets[0].time self.attack_end_utime = packets[-1].time if len(packets) > 0: packets = sorted(packets, key=lambda pkt: pkt.time) path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap) # return packets sorted by packet time_sec_start # pkt_num+1: because pkt_num starts at 0 return pkt_num + 1, path_attack_pcap