First version of EternalBlue implementation

code/Attack/EternalBlueExploit.py

@@ -0,0 +1,184 @@
+import logging
+from random import randint, uniform
+
+from lea import Lea
+
+from Attack import BaseAttack
+from Attack.AttackParameters import Parameter as Param
+from Attack.AttackParameters import ParameterTypes
+
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+# noinspection PyPep8
+from scapy.utils import RawPcapReader
+from scapy.layers.inet import IP, Ether, TCP, RandShort
+
+class EternalBlueExploit(BaseAttack.BaseAttack):
+    def __init__(self, statistics, pcap_file_path):
+        """
+        Creates a new instance of the EternalBlue Exploit.
+
+        :param statistics: A reference to the statistics class.
+        """
+        # Initialize attack
+        super(EternalBlueExploit, self).__init__(statistics, "EternalBlue Exploit", "Injects an EternalBlue exploit'",
+                                        "Resource Exhaustion")
+
+        # Define allowed parameters and their type
+        self.supported_params = {
+            Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
+            Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.PORT_SOURCE: ParameterTypes.TYPE_PORT,
+            Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
+            Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
+            Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
+            Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
+            Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
+        }
+
+        # PARAMETERS: initialize with default utilsvalues
+        # (values are overwritten if user specifies them)
+        most_used_ip_address = self.statistics.get_most_used_ip_address()
+        if isinstance(most_used_ip_address, list):
+            most_used_ip_address = most_used_ip_address[0]
+        self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
+        self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
+        self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
+        self.add_param_value(Param.PORT_SOURCE, str(RandShort()))
+        self.add_param_value(Param.PACKETS_PER_SECOND, randint(1, 64))
+
+        # victim configuration
+        # TO-DO: confirm that ip.dst uses Win OS
+        random_ip_address = self.statistics.get_random_ip_address()
+        self.add_param_value(Param.IP_DESTINATION, random_ip_address)
+
+        destination_mac = self.statistics.get_mac_address(random_ip_address)
+        if isinstance(destination_mac, list) and len(destination_mac) == 0:
+            destination_mac = self.generate_random_mac_address()
+        self.add_param_value(Param.MAC_DESTINATION, destination_mac)
+
+    def generate_attack_pcap(self):
+        def update_timestamp(timestamp, pps, maxdelay):
+            """
+            Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
+
+            :return: Timestamp to be used for the next packet.
+            """
+            return timestamp + uniform(0.1 / pps, maxdelay)
+
+
+        # Timestamp
+        timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
+        # TO-DO: find better pkt rate
+        pps = self.get_param_value(Param.PACKETS_PER_SECOND)
+        randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 30, 5 / pps: 15, 10 / pps: 3})
+
+        # Initialize parameters
+        packets = []
+        mac_source = self.get_param_value(Param.MAC_SOURCE)
+        ip_source = self.get_param_value(Param.IP_SOURCE)
+        port_source = self.get_param_value(Param.PORT_SOURCE)
+        mac_destination = self.get_param_value(Param.MAC_DESTINATION)
+        ip_destination = self.get_param_value(Param.IP_DESTINATION)
+
+        path_attack_pcap = None
+
+        # Scan (MS17) for EternalBlue
+        # Read Win7_eternalblue_scan_vulnerable pcap file
+        orig_ip_dst = None
+        exploit_raw_packets = RawPcapReader("Win7_eternalblue_scan.pcap")
+        for pkt_num, pkt in enumerate(exploit_raw_packets):
+            eth_frame = Ether(pkt[0])
+            ip_pkt = eth_frame.payload
+            tcp_pkt = ip_pkt.payload
+
+            smb_port = 445
+            if pkt_num == 0:
+                if tcp_pkt.getfieldval("dport") == smb_port:
+                    orig_ip_dst = ip_pkt.getfieldval("dst")
+
+            # Request
+            if ip_pkt.getfieldval("dst") == orig_ip_dst:
+                # Ether
+                eth_frame.setfieldval("src", mac_source)
+                eth_frame.setfieldval("dst", mac_destination)
+                # IP
+                ip_pkt.setfieldval("src", ip_source)
+                ip_pkt.setfieldval("dst", ip_destination)
+                # TCP
+                tcp_pkt.setfieldval("sport",port_source)
+            # Reply
+            else:
+                # Ether
+                eth_frame.setfieldval("src", mac_destination)
+                eth_frame.setfieldval("dst", mac_source)
+                # IP
+                ip_pkt.setfieldval("src", ip_destination)
+                ip_pkt.setfieldval("dst", ip_source)
+                # TCP
+                tcp_pkt.setfieldval("dport", port_source)
+
+            new_pkt = (eth_frame / ip_pkt / tcp_pkt)
+            # TO-DO: reply should have different timestamp delay
+            new_pkt.time = timestamp_next_pkt
+
+            packets.append(new_pkt)
+
+            maxdelay = randomdelay.random()
+            timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
+
+
+        # Inject EternalBlue exploit packets
+        # Read Win7_eternalblue_exploit pcap file
+        exploit_raw_packets = RawPcapReader("Win7_eternalblue_exploit.pcap")
+        for pkt_num, pkt in enumerate(exploit_raw_packets):
+            eth_frame = Ether(pkt[0])
+            ip_pkt = eth_frame.payload
+            tcp_pkt = ip_pkt.payload
+
+            smb_port = 445
+            if pkt_num == 0:
+                if tcp_pkt.getfieldval("dport") == smb_port:
+                    orig_ip_dst = ip_pkt.getfieldval("dst")
+
+            # Request
+            if ip_pkt.getfieldval("dst") == orig_ip_dst:
+                # Ether
+                eth_frame.setfieldval("src", mac_source)
+                eth_frame.setfieldval("dst", mac_destination)
+                # IP
+                ip_pkt.setfieldval("src", ip_source)
+                ip_pkt.setfieldval("dst", ip_destination)
+                # TCP
+                #tcp_pkt.setfieldval("sport", port_source)
+            # Reply
+            else:
+                # Ether
+                eth_frame.setfieldval("src", mac_destination)
+                eth_frame.setfieldval("dst", mac_source)
+                # IP
+                ip_pkt.setfieldval("src", ip_destination)
+                ip_pkt.setfieldval("dst", ip_source)
+                # TCP
+                #tcp_pkt.setfieldval("dport", port_source)
+
+            new_pkt = (eth_frame / ip_pkt / tcp_pkt)
+            # TO-DO: reply should have different timestamp delay
+            new_pkt.time = timestamp_next_pkt
+
+            packets.append(new_pkt)
+
+            maxdelay = randomdelay.random()
+            timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
+
+
+        # Store timestamp of first packet (for attack label)
+        self.attack_start_utime = packets[0].time
+        self.attack_end_utime = packets[-1].time
+
+        if len(packets) > 0:
+            packets = sorted(packets, key=lambda pkt: pkt.time)
+            path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
+
+        # return packets sorted by packet time_sec_start
+        # pkt_num+1: because pkt_num starts at 0
+        return pkt_num + 1, path_attack_pcap