SQLiAttack.py 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305
  1. import logging
  2. from random import randint, uniform
  3. from lea import Lea
  4. from Attack import BaseAttack
  5. from Attack.AttackParameters import Parameter as Param
  6. from Attack.AttackParameters import ParameterTypes
  7. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  8. # noinspection PyPep8
  9. from scapy.utils import RawPcapReader
  10. from scapy.layers.inet import IP, Ether, TCP, RandShort
  11. class SQLiAttack(BaseAttack.BaseAttack):
  12. template_attack_pcap_path = "resources/ATutorSQLi.pcap"
  13. # HTTP port
  14. http_port = 80
  15. # Metasploit experiments show this range of ports
  16. minDefaultPort = 30000
  17. maxDefaultPort = 50000
  18. def __init__(self):
  19. """
  20. Creates a new instance of the SQLi Attack.
  21. """
  22. # Initialize attack
  23. super(SQLiAttack, self).__init__("SQLi Attack", "Injects a SQLi attack'",
  24. "Privilege elevation")
  25. # Define allowed parameters and their type
  26. self.supported_params = {
  27. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  28. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  29. Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
  30. Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
  31. Param.TARGET_HOST: ParameterTypes.TYPE_DOMAIN,
  32. #Param.TARGET_URI: ParameterTypes.TYPE_URI,
  33. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  34. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  35. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  36. }
  37. def init_params(self):
  38. """
  39. Initialize the parameters of this attack using the user supplied command line parameters.
  40. Use the provided statistics to calculate default parameters and to process user
  41. supplied queries.
  42. :param statistics: Reference to a statistics object.
  43. """
  44. # PARAMETERS: initialize with default utilsvalues
  45. # (values are overwritten if user specifies them)
  46. most_used_ip_address = self.statistics.get_most_used_ip_address()
  47. if isinstance(most_used_ip_address, list):
  48. most_used_ip_address = most_used_ip_address[0]
  49. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  50. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  51. #self.add_param_value(Param.TARGET_URI, "/")
  52. self.add_param_value(Param.TARGET_HOST, "www.hackme.com")
  53. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  54. self.add_param_value(Param.PACKETS_PER_SECOND,
  55. (self.statistics.get_pps_sent(most_used_ip_address) +
  56. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  57. # victim configuration
  58. # consider that the destination has port 80 opened
  59. random_ip_address = self.statistics.get_random_ip_address()
  60. self.add_param_value(Param.IP_DESTINATION, random_ip_address)
  61. destination_mac = self.statistics.get_mac_address(random_ip_address)
  62. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  63. destination_mac = self.generate_random_mac_address()
  64. self.add_param_value(Param.MAC_DESTINATION, destination_mac)
  65. def generate_attack_pcap(self):
  66. def update_timestamp(timestamp, pps):
  67. """
  68. Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
  69. :return: Timestamp to be used for the next packet.
  70. """
  71. # Calculate the request timestamp
  72. # A distribution to imitate the bursty behavior of traffic
  73. randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 20, 5 / pps: 7, 10 / pps: 3})
  74. return timestamp + uniform(1 / pps, randomdelay.random())
  75. def getIntervalPPS(complement_interval_pps, timestamp):
  76. """
  77. Gets the packet rate (pps) in specific time interval.
  78. :return: the corresponding packet rate for packet rate (pps) .
  79. """
  80. for row in complement_interval_pps:
  81. if timestamp <= row[0]:
  82. return row[1]
  83. return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
  84. # Timestamp
  85. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  86. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  87. # Calculate complement packet rates of BG traffic per interval
  88. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  89. # Initialize parameters
  90. packets = []
  91. mac_source = self.get_param_value(Param.MAC_SOURCE)
  92. ip_source = self.get_param_value(Param.IP_SOURCE)
  93. mac_destination = self.get_param_value(Param.MAC_DESTINATION)
  94. ip_destination = self.get_param_value(Param.IP_DESTINATION)
  95. target_host = self.get_param_value(Param.TARGET_HOST)
  96. target_uri = "/" #self.get_param_value(Param.TARGET_URI)
  97. # Check ip.src == ip.dst
  98. self.ip_src_dst_equal_check(ip_source, ip_destination)
  99. path_attack_pcap = None
  100. # Set TTL based on TTL distribution of IP address
  101. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  102. if len(source_ttl_dist) > 0:
  103. source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
  104. source_ttl_value = source_ttl_prob_dict.random()
  105. else:
  106. source_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  107. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  108. if len(destination_ttl_dist) > 0:
  109. destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
  110. destination_ttl_value = destination_ttl_prob_dict.random()
  111. else:
  112. destination_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  113. # Inject SQLi Attack
  114. # Read SQLi Attack pcap file
  115. orig_ip_dst = None
  116. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  117. inter_arrival_times, inter_arrival_time_dist = self.get_inter_arrival_time(exploit_raw_packets,True)
  118. timeSteps = Lea.fromValFreqsDict(inter_arrival_time_dist)
  119. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  120. port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports
  121. # Random TCP sequence numbers
  122. global attacker_seq
  123. attacker_seq = randint(1000, 50000)
  124. global victim_seq
  125. victim_seq = randint(1000, 50000)
  126. for pkt_num, pkt in enumerate(exploit_raw_packets):
  127. eth_frame = Ether(pkt[0])
  128. ip_pkt = eth_frame.payload
  129. tcp_pkt = ip_pkt.payload
  130. str_tcp_seg = str(tcp_pkt.payload)
  131. # Clean payloads
  132. eth_frame.payload = b''
  133. ip_pkt.payload = b''
  134. tcp_pkt.payload = b''
  135. if pkt_num == 0:
  136. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  137. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  138. if tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80:
  139. # Attacker --> vicitm
  140. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  141. # There are 363 TCP connections with different source ports, for each of them we generate random port
  142. if tcp_pkt.getfieldval("sport") != prev_orig_port_source and tcp_pkt.getfieldval("dport") != 4444:
  143. port_source = randint(self.minDefaultPort, self.maxDefaultPort)
  144. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  145. # New connection, new random TCP sequence numbers
  146. attacker_seq = randint(1000, 50000)
  147. victim_seq = randint(1000, 50000)
  148. # First packet in a connection has ACK = 0
  149. tcp_pkt.setfieldval("ack", 0)
  150. # Ether
  151. eth_frame.setfieldval("src", mac_source)
  152. eth_frame.setfieldval("dst", mac_destination)
  153. # IP
  154. ip_pkt.setfieldval("src", ip_source)
  155. ip_pkt.setfieldval("dst", ip_destination)
  156. ip_pkt.setfieldval("ttl", source_ttl_value)
  157. # TCP
  158. tcp_pkt.setfieldval("sport",port_source)
  159. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  160. # TCP Seq, Ack
  161. if tcp_pkt.getfieldval("ack") != 0:
  162. tcp_pkt.setfieldval("ack", victim_seq)
  163. tcp_pkt.setfieldval("seq", attacker_seq)
  164. if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  165. attacker_seq += max(len(str_tcp_seg), 1)
  166. new_pkt = (eth_frame / ip_pkt/ tcp_pkt / str_tcp_seg)
  167. new_pkt.time = timestamp_next_pkt
  168. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), 10)
  169. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  170. # Victim --> attacker
  171. else:
  172. # Ether
  173. eth_frame.setfieldval("src", mac_destination)
  174. eth_frame.setfieldval("dst", mac_source)
  175. # IP
  176. ip_pkt.setfieldval("src", ip_destination)
  177. ip_pkt.setfieldval("dst", ip_source)
  178. ip_pkt.setfieldval("ttl", destination_ttl_value)
  179. # TCP
  180. tcp_pkt.setfieldval("dport", port_source)
  181. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  182. # TCP Seq, ACK
  183. tcp_pkt.setfieldval("ack", attacker_seq)
  184. tcp_pkt.setfieldval("seq", victim_seq)
  185. strLen = len(str_tcp_seg)
  186. if not (tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  187. victim_seq += max(strLen, 1)
  188. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  189. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  190. new_pkt.time = timestamp_next_pkt
  191. # The last connection
  192. else:
  193. # New connection, new random TCP sequence numbers
  194. attacker_seq = randint(1000, 50000)
  195. victim_seq = randint(1000, 50000)
  196. # First packet in a connection has ACK = 0
  197. tcp_pkt.setfieldval("ack", 0)
  198. #port_source = randint(self.minDefaultPort, self.maxDefaultPort)
  199. # Attacker --> vicitm
  200. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  201. # Ether
  202. eth_frame.setfieldval("src", mac_source)
  203. eth_frame.setfieldval("dst", mac_destination)
  204. # IP
  205. ip_pkt.setfieldval("src", ip_source)
  206. ip_pkt.setfieldval("dst", ip_destination)
  207. ip_pkt.setfieldval("ttl", source_ttl_value)
  208. # TCP
  209. #tcp_pkt.setfieldval("sport", port_source)
  210. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  211. # TCP Seq, Ack
  212. if tcp_pkt.getfieldval("ack") != 0:
  213. tcp_pkt.setfieldval("ack", victim_seq)
  214. tcp_pkt.setfieldval("seq", attacker_seq)
  215. if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  216. attacker_seq += max(len(str_tcp_seg), 1)
  217. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  218. new_pkt.time = timestamp_next_pkt
  219. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), 10)
  220. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  221. # Victim --> attacker
  222. else:
  223. # Ether
  224. eth_frame.setfieldval("src", mac_destination)
  225. eth_frame.setfieldval("dst", mac_source)
  226. # IP
  227. ip_pkt.setfieldval("src", ip_destination)
  228. ip_pkt.setfieldval("dst", ip_source)
  229. ip_pkt.setfieldval("ttl", destination_ttl_value)
  230. # TCP
  231. #tcp_pkt.setfieldval("dport", port_source)
  232. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  233. # TCP Seq, ACK
  234. tcp_pkt.setfieldval("ack", attacker_seq)
  235. tcp_pkt.setfieldval("seq", victim_seq)
  236. strLen = len(str_tcp_seg)
  237. if not (tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  238. victim_seq += max(strLen, 1)
  239. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  240. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  241. new_pkt.time = timestamp_next_pkt
  242. packets.append(new_pkt)
  243. # Store timestamp of first packet (for attack label)
  244. self.attack_start_utime = packets[0].time
  245. self.attack_end_utime = packets[-1].time
  246. if len(packets) > 0:
  247. packets = sorted(packets, key=lambda pkt: pkt.time)
  248. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  249. # return packets sorted by packet time_sec_start
  250. # pkt_num+1: because pkt_num starts at 0
  251. return pkt_num + 1, path_attack_pcap