
Improve artifact.port.open, fix artifact.mss

aidmar.wainakh 7 năm trước cách đây
mục cha
commit
66af2bcb96
3 tập tin đã thay đổi với 39 bổ sung16 xóa
  1. 23 15
      code/Attack/PortscanAttack.py
  2. 14 1
      code/ID2TLib/Statistics.py
  3. 2 0
      code/ID2TLib/StatsDatabase.py

+ 23 - 15
code/Attack/PortscanAttack.py

@@ -39,7 +39,8 @@ class PortscanAttack(BaseAttack.BaseAttack):
                 shuffle(temp_array[count])
                 port_dst_shuffled += temp_array[count]
         else: # used for port.open
-            port_dst_shuffled = shuffle(ports_dst)
+            shuffle(ports_dst)
+            port_dst_shuffled = ports_dst
         return port_dst_shuffled
 
 
@@ -165,13 +166,19 @@ class PortscanAttack(BaseAttack.BaseAttack):
         ports_open = self.get_param_value(Param.PORT_OPEN)
         if ports_open == [1,11,111,1111]:  # user did not define open ports
             # the ports that were already used by ip.dst (direction in) in the background traffic are open ports
-            ports_used_by_ip_dst = self.statistics.process_db_query(
-                "SELECT portNumber FROM ip_ports WHERE portDirection='in' AND ipAddress='" + ip_destination + "';")
+            ports_used_by_ip_dst = None #self.statistics.process_db_query(
+                #"SELECT portNumber FROM ip_ports WHERE portDirection='in' AND ipAddress='" + ip_destination + "'")
             if ports_used_by_ip_dst:
                 ports_open = ports_used_by_ip_dst
+                print("\nPorts used by %s: %s" % (ip_destination, ports_open))
             else: # if no ports were retrieved from database
-                ports_open = self.get_ports_from_nmap_service_dst(randint(0,10))
-            #print("\nPorts used by %s: %s" % (ip_destination, ports_open))
+            # Take open ports from nmap-service file
+                #ports_temp = self.get_ports_from_nmap_service_dst(100)
+                #ports_open = ports_temp[0:randint(1,10)]
+            # OR take open ports from the most used ports in traffic statistics
+                ports_open = self.statistics.process_db_query(
+                    "SELECT portNumber FROM ip_ports GROUP BY portNumber ORDER BY COUNT(*) DESC LIMIT "+str(randint(1,10)))
+                print("\nPorts retrieved from statistics: %s" % (ports_open))
         # in case of one open port, convert ports_open to array
         if not isinstance(ports_open, list):
             ports_open = [ports_open]
@@ -180,9 +187,13 @@ class PortscanAttack(BaseAttack.BaseAttack):
 
         # MSS (Maximum Segment Size) for Ethernet. Allowed values [536,1500]
         # Aidmar
+        mss_dst = self.statistics.get_most_used_mss(ip_destination)
+        if mss_dst is None:
+            mss_dst = self.statistics.process_db_query("most_used(mssValue)")
+        mss_src = self.statistics.get_most_used_mss(ip_source)
+        if mss_src is None:
+            mss_src = self.statistics.process_db_query("most_used(mssValue)")
         # mss = self.statistics.get_mss(ip_destination)
-        mss_dst = self.statistics.get_mss(ip_destination)
-        mss_src = self.statistics.get_mss(ip_source)
         # =========================================================================================================
 
         # Set TTL based on TTL distribution of IP address
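Review bot: The fallback `mss_dst = self.statistics.process_db_query("most_used(mssValue)")` (and the mirrored `mss_src` line) can still leave the variable as None or turn it into a list, yet the two later hunks drop the `if mss_src is None:` / `if mss_dst is None:` guards and pass the value straight into `options=[('MSS', mss_src)]` and `options=[('MSS', mss_dst)]`. When the statistics database holds no MSS rows at all the named query returns nothing (presumably None), and the `most_used.mssvalue` query added in StatsDatabase.py returns every value tied for the maximum count, so a list can reach the TCP option too. Keep the original None branches in the request and reply hunks and add, after each fallback, `if isinstance(mss_dst, list): mss_dst = mss_dst[0]` (likewise for `mss_src`). Whether the string `"most_used(mssValue)"` actually resolves to the `most_used.mssvalue` key is not visible in this diff and is worth confirming; the enclosing method begins and ends outside the hunk.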
@@ -204,10 +215,7 @@ class PortscanAttack(BaseAttack.BaseAttack):
             request_ip = IP(src=ip_source, dst=ip_destination, ttl=ttl_value)
             # Aidmar - random src port for each packet
             sport = randint(1, 65535)
-            if mss_src is None:
-                request_tcp = TCP(sport=sport, dport=dport, flags='S')
-            else:
-                request_tcp = TCP(sport=sport, dport=dport, flags='S', options=[('MSS', mss_src)])
+            request_tcp = TCP(sport=sport, dport=dport, flags='S', options=[('MSS', mss_src)])
             # =========================================================================================================
 
             request = (request_ether / request_ip / request_tcp)
@@ -221,10 +229,10 @@ class PortscanAttack(BaseAttack.BaseAttack):
             if dport in ports_open:  # destination port is OPEN
                 reply_ether = Ether(src=mac_destination, dst=mac_source)
                 reply_ip = IP(src=ip_destination, dst=ip_source, flags='DF')
-                if mss_dst is None:
-                    reply_tcp = TCP(sport=dport, dport=sport, seq=0, ack=1, flags='SA', window=29200)
-                else:
-                    reply_tcp = TCP(sport=dport, dport=sport, seq=0, ack=1, flags='SA', window=29200,
+                #if mss_dst is None:
+                #   reply_tcp = TCP(sport=dport, dport=sport, seq=0, ack=1, flags='SA', window=29200)
+                #else:
+                reply_tcp = TCP(sport=dport, dport=sport, seq=0, ack=1, flags='SA', window=29200,
                                     options=[('MSS', mss_dst)])
                 reply = (reply_ether / reply_ip / reply_tcp)
                 timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)

+ 14 - 1
code/ID2TLib/Statistics.py

@@ -242,7 +242,6 @@ class Statistics:
 
     def get_mss(self, ipAddress: str):
         """
-
         :param ipAddress: The IP address whose used MSS should be determined
         :return: The TCP MSS value used by the IP address, or if the IP addresses never specified a MSS,
         then None is returned
@@ -253,6 +252,20 @@ class Statistics:
         else:
             return None
 
+    # Aidmar
+    def get_most_used_mss(self, ipAddress: str):
+        """
+        :param ipAddress: The IP address whose used MSS should be determined
+        :return: The TCP MSS value used by the IP address, or if the IP addresses never specified a MSS,
+        then None is returned
+        """
+        mss_value = self.process_db_query('SELECT mssValue from tcp_mss_dist WHERE ipAddress="' + ipAddress + '" ORDER BY mssCount DESC LIMIT 1')
+        if isinstance(mss_value, int):
+            return mss_value
+        else:
+            return None
+
+
     def get_statistics_database(self):
         """
         :return: A reference to the statistics database object
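Review bot: `get_most_used_mss` builds its SQL by concatenating the caller-supplied address into the statement (`'... WHERE ipAddress="' + ipAddress + '" ORDER BY ...'`), so an address value containing a quote character breaks or alters the query; the address originates from attack parameters, not from the database. If `process_db_query` or the underlying cursor accepts bound parameters, pass the address as a `?` placeholder instead; if it only takes a string, validate it first with `ipaddress.ip_address(ipAddress)` before interpolating, and prefer single-quoted SQL literals, since double quotes are identifier quoting in SQLite. The docstring is copied verbatim from `get_mss` and should state the actual contract, e.g. `:return: The MSS value with the highest mssCount for ipAddress, or None if the address never specified a MSS`. The `isinstance(mss_value, int)` check also silently maps any non-int result (a list, a string) to None, which is worth a comment explaining that only a single scalar row is expected because of `LIMIT 1`.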

+ 2 - 0
code/ID2TLib/StatsDatabase.py

@@ -174,6 +174,8 @@ class StatsDatabase:
             "most_used.portnumber": "SELECT portNumber, COUNT(portNumber) as cntPort FROM ip_ports GROUP BY portNumber HAVING cntPort=(SELECT MAX(cntPort) from (SELECT portNumber, COUNT(portNumber) as cntPort FROM ip_ports GROUP BY portNumber))",
             "most_used.protocolname": "SELECT protocolName, COUNT(protocolCount) as countProtocols FROM ip_protocols GROUP BY protocolName HAVING countProtocols=(SELECT COUNT(protocolCount) as cnt FROM ip_protocols GROUP BY protocolName ORDER BY cnt DESC LIMIT 1)",
             "most_used.ttlvalue": "SELECT ttlValue FROM ip_ttl WHERE ttlCount == (SELECT MAX(ttlCount) FROM ip_ttl)",
+            # Aidmar
+            "most_used.mssvalue": "SELECT mssValue FROM tcp_mss_dist WHERE mssCount == (SELECT MAX(mssCount) FROM tcp_mss_dist)",
             "least_used.ipaddress": "SELECT ipAddress FROM ip_statistics WHERE (pktsSent+pktsReceived) == (SELECT MIN(pktsSent+pktsReceived) from ip_statistics)",
             "least_used.macaddress": "SELECT * FROM (SELECT macAddress, COUNT(*) as occ from ip_mac GROUP BY macAddress ORDER BY occ ASC) WHERE occ=(SELECT COUNT(*) as occ from ip_mac GROUP BY macAddress ORDER BY occ ASC LIMIT 1)",
             "least_used.portnumber": "SELECT portNumber, COUNT(portNumber) as cntPort FROM ip_ports GROUP BY portNumber HAVING cntPort=(SELECT MIN(cntPort) from (SELECT portNumber, COUNT(portNumber) as cntPort FROM ip_ports GROUP BY portNumber))",
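Review bot: The new `most_used.mssvalue` query returns every mssValue tied for the maximum mssCount, so on a tie the caller receives several rows rather than one scalar, unlike `Statistics.get_most_used_mss`, which uses `ORDER BY mssCount DESC LIMIT 1` for the same purpose. PortscanAttack.py in this commit feeds the result directly into a TCP MSS option, where a list is not a valid value. Either make the two consistent, e.g. `"SELECT mssValue FROM tcp_mss_dist ORDER BY mssCount DESC LIMIT 1"`, or add a comment on the key noting that, like the neighbouring `most_used.ttlvalue`, it may yield more than one row and callers must pick one.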