import logging
import random
from lea import Lea
from scapy.layers.inet import Ether
from scapy.utils import RawPcapReader
import ID2TLib.Utility as Util
from Attack import BaseAttack
from Attack.AttackParameters import Parameter as Param
from Attack.AttackParameters import ParameterTypes
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
# noinspection PyPep8
class SQLiAttack(BaseAttack.BaseAttack):
template_attack_pcap_path = Util.RESOURCE_DIR + "ATutorSQLi.pcap"
# HTTP port
http_port = 80
# Metasploit experiments show this range of ports
minDefaultPort = 30000
maxDefaultPort = 50000
def __init__(self):
"""
Creates a new instance of the SQLi Attack.
"""
# Initialize attack
super(SQLiAttack, self).__init__("SQLi Attack", "Injects a SQLi attack'",
"Privilege elevation")
# Define allowed parameters and their type
self.supported_params.update({
Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
Param.PORT_DESTINATION: ParameterTypes.TYPE_PORT,
Param.TARGET_HOST: ParameterTypes.TYPE_DOMAIN,
#Param.TARGET_URI: ParameterTypes.TYPE_URI,
Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
})
def init_params(self):
"""
Initialize the parameters of this attack using the user supplied command line parameters.
Use the provided statistics to calculate default parameters and to process user
supplied queries.
"""
# PARAMETERS: initialize with default utilsvalues
# (values are overwritten if user specifies them)
# Attacker configuration
most_used_ip_address = self.statistics.get_most_used_ip_address()
self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
# Victim configuration
random_ip_address = self.statistics.get_random_ip_address()
self.add_param_value(Param.IP_DESTINATION, random_ip_address)
destination_mac = self.statistics.get_mac_address(random_ip_address)
if isinstance(destination_mac, list) and len(destination_mac) == 0:
destination_mac = self.generate_random_mac_address()
self.add_param_value(Param.MAC_DESTINATION, destination_mac)
self.add_param_value(Param.PORT_DESTINATION, self.http_port)
# self.add_param_value(Param.TARGET_URI, "/")
self.add_param_value(Param.TARGET_HOST, "www.hackme.com")
# Attack configuration
self.add_param_value(Param.INJECT_AFTER_PACKET, random.randint(0, self.statistics.get_packet_count()))
self.add_param_value(Param.PACKETS_PER_SECOND,
(self.statistics.get_pps_sent(most_used_ip_address) +
self.statistics.get_pps_received(most_used_ip_address)) / 2)
def generate_attack_packets(self):
# Timestamp
timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
pps = self.get_param_value(Param.PACKETS_PER_SECOND)
# Calculate complement packet rates of BG traffic per interval
complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
# Initialize parameters
self.packets = []
mac_source = self.get_param_value(Param.MAC_SOURCE)
ip_source = self.get_param_value(Param.IP_SOURCE)
if isinstance(ip_source, list):
ip_source = ip_source[0]
mac_destination = self.get_param_value(Param.MAC_DESTINATION)
ip_destination = self.get_param_value(Param.IP_DESTINATION)
if isinstance(ip_destination, list):
ip_destination = ip_destination[0]
port_destination = self.get_param_value(Param.PORT_DESTINATION)
target_host = self.get_param_value(Param.TARGET_HOST)
target_uri = "/" # self.get_param_value(Param.TARGET_URI)
# Check ip.src == ip.dst
self.ip_src_dst_equal_check(ip_source, ip_destination)
self.path_attack_pcap = None
# Set TTL based on TTL distribution of IP address
source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
if len(source_ttl_dist) > 0:
source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
source_ttl_value = source_ttl_prob_dict.random()
else:
source_ttl_value = Util.handle_most_used_outputs(self.statistics.process_db_query("most_used(ttlValue)"))
destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
if len(destination_ttl_dist) > 0:
destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
destination_ttl_value = destination_ttl_prob_dict.random()
else:
destination_ttl_value = Util.handle_most_used_outputs(self.statistics.process_db_query("most_used(ttlValue)"))
# Inject SQLi Attack
# Read SQLi Attack pcap file
orig_ip_dst = None
exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
inter_arrival_times, inter_arrival_time_dist = self.get_inter_arrival_time(exploit_raw_packets,True)
timeSteps = Lea.fromValFreqsDict(inter_arrival_time_dist)
exploit_raw_packets.close()
exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
port_source = random.randint(self.minDefaultPort, self.maxDefaultPort) # experiments show this range of ports
# Random TCP sequence numbers
global attacker_seq
attacker_seq = random.randint(1000, 50000)
global victim_seq
victim_seq = random.randint(1000, 50000)
for self.pkt_num, pkt in enumerate(exploit_raw_packets):
eth_frame = Ether(pkt[0])
ip_pkt = eth_frame.payload
tcp_pkt = ip_pkt.payload
str_tcp_seg = str(tcp_pkt.payload)
# Clean payloads
eth_frame.payload = b''
ip_pkt.payload = b''
tcp_pkt.payload = b''
if self.pkt_num == 0:
prev_orig_port_source = tcp_pkt.getfieldval("sport")
orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
# Last connection
if tcp_pkt.getfieldval("dport") != 80 and tcp_pkt.getfieldval("sport") != 80:
# New connection, new random TCP sequence numbers
attacker_seq = random.randint(1000, 50000)
victim_seq = random.randint(1000, 50000)
# First packet in a connection has ACK = 0
tcp_pkt.setfieldval("ack", 0)
# Attacker --> vicitm
if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
# There are 363 TCP connections with different source ports, for each of them we generate random port
if tcp_pkt.getfieldval("sport") != prev_orig_port_source and tcp_pkt.getfieldval("dport") != 4444\
and (tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80):
port_source = random.randint(self.minDefaultPort, self.maxDefaultPort)
prev_orig_port_source = tcp_pkt.getfieldval("sport")
# New connection, new random TCP sequence numbers
attacker_seq = random.randint(1000, 50000)
victim_seq = random.randint(1000, 50000)
# First packet in a connection has ACK = 0
tcp_pkt.setfieldval("ack", 0)
# Ether
eth_frame.setfieldval("src", mac_source)
eth_frame.setfieldval("dst", mac_destination)
# IP
ip_pkt.setfieldval("src", ip_source)
ip_pkt.setfieldval("dst", ip_destination)
ip_pkt.setfieldval("ttl", source_ttl_value)
# TCP
# Regular connection
if tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80:
tcp_pkt.setfieldval("sport",port_source)
tcp_pkt.setfieldval("dport", port_destination)
str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
# TCP Seq, Ack
if tcp_pkt.getfieldval("ack") != 0:
tcp_pkt.setfieldval("ack", victim_seq)
tcp_pkt.setfieldval("seq", attacker_seq)
if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
attacker_seq += max(len(str_tcp_seg), 1)
new_pkt = (eth_frame / ip_pkt/ tcp_pkt / str_tcp_seg)
new_pkt.time = timestamp_next_pkt
pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
# Victim --> attacker
else:
# Ether
eth_frame.setfieldval("src", mac_destination)
eth_frame.setfieldval("dst", mac_source)
# IP
ip_pkt.setfieldval("src", ip_destination)
ip_pkt.setfieldval("dst", ip_source)
ip_pkt.setfieldval("ttl", destination_ttl_value)
# TCP
# Regular connection
if tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80:
tcp_pkt.setfieldval("dport", port_source)
tcp_pkt.setfieldval("sport", port_destination)
str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
# TCP Seq, ACK
tcp_pkt.setfieldval("ack", attacker_seq)
tcp_pkt.setfieldval("seq", victim_seq)
strLen = len(str_tcp_seg)
if not (tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
victim_seq += max(strLen, 1)
new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
new_pkt.time = timestamp_next_pkt
self.packets.append(new_pkt)
exploit_raw_packets.close()
def generate_attack_pcap(self):
# Store timestamp of first packet (for attack label)
self.attack_start_utime = self.packets[0].time
self.attack_end_utime = self.packets[-1].time
if len(self.packets) > 0:
self.packets = sorted(self.packets, key=lambda pkt: pkt.time)
self.path_attack_pcap = self.write_attack_pcap(self.packets, True, self.path_attack_pcap)
# return self.packets sorted by packet time_sec_start
# pkt_num+1: because pkt_num starts at 0
return self.pkt_num + 1, self.path_attack_pcap