EternalBlueExploit.py 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309
  1. # Created by Aidmar
  2. import logging
  3. from random import randint, uniform
  4. from lea import Lea
  5. from Attack import BaseAttack
  6. from Attack.AttackParameters import Parameter as Param
  7. from Attack.AttackParameters import ParameterTypes
  8. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  9. # noinspection PyPep8
  10. from scapy.utils import RawPcapReader
  11. from scapy.layers.inet import IP, Ether, TCP, RandShort
  12. class EternalBlueExploit(BaseAttack.BaseAttack):
  13. # Metasploit default packet rate
  14. maxDefaultPPS = 100
  15. minDefaultPPS = 5
  16. # SMB port
  17. smb_port = 445
  18. # Empirical values from Metasploit experiments
  19. minDefaultPort = 30000
  20. maxDefaultPort = 50000
  21. last_conn_dst_port = 4444
  22. def __init__(self, statistics, pcap_file_path):
  23. """
  24. Creates a new instance of the EternalBlue Exploit.
  25. :param statistics: A reference to the statistics class.
  26. """
  27. # Initialize attack
  28. super(EternalBlueExploit, self).__init__(statistics, "EternalBlue Exploit", "Injects an EternalBlue exploit'",
  29. "Resource Exhaustion")
  30. # Define allowed parameters and their type
  31. self.supported_params = {
  32. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  33. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  34. Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
  35. Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
  36. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  37. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  38. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  39. }
  40. # PARAMETERS: initialize with default utilsvalues
  41. # (values are overwritten if user specifies them)
  42. most_used_ip_address = self.statistics.get_most_used_ip_address()
  43. if isinstance(most_used_ip_address, list):
  44. most_used_ip_address = most_used_ip_address[0]
  45. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  46. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  47. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  48. self.add_param_value(Param.PACKETS_PER_SECOND,self.maxDefaultPPS)
  49. # victim configuration
  50. random_ip_address = self.statistics.get_random_ip_address()
  51. self.add_param_value(Param.IP_DESTINATION, random_ip_address)
  52. destination_mac = self.statistics.get_mac_address(random_ip_address)
  53. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  54. destination_mac = self.generate_random_mac_address()
  55. self.add_param_value(Param.MAC_DESTINATION, destination_mac)
  56. def generate_attack_pcap(self):
  57. def update_timestamp(timestamp, pps, maxdelay):
  58. """
  59. Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
  60. :return: Timestamp to be used for the next packet.
  61. """
  62. return timestamp + uniform(1 / pps, maxdelay)
  63. # Aidmar
  64. def getIntervalPPS(complement_interval_pps, timestamp):
  65. """
  66. Gets the packet rate (pps) in specific time interval.
  67. :return: the corresponding packet rate for packet rate (pps) .
  68. """
  69. for row in complement_interval_pps:
  70. if timestamp<=row[0]:
  71. return row[1]
  72. return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
  73. # Timestamp
  74. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  75. # TO-DO: find better pkt rate
  76. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  77. randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 30, 5 / pps: 15, 10 / pps: 3})
  78. # Aidmar - calculate complement packet rates of BG traffic per interval
  79. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  80. # Initialize parameters
  81. packets = []
  82. mac_source = self.get_param_value(Param.MAC_SOURCE)
  83. ip_source = self.get_param_value(Param.IP_SOURCE)
  84. #port_source = self.get_param_value(Param.PORT_SOURCE)
  85. mac_destination = self.get_param_value(Param.MAC_DESTINATION)
  86. ip_destination = self.get_param_value(Param.IP_DESTINATION)
  87. # Aidmar - check ip.src == ip.dst
  88. if ip_source == ip_destination:
  89. print("\nERROR: Invalid IP addresses; source IP is the same as destination IP: " + ip_source + ".")
  90. import sys
  91. sys.exit(0)
  92. path_attack_pcap = None
  93. minDelay, maxDelay = self.get_reply_delay(ip_destination)
  94. # Set TTL based on TTL distribution of IP address
  95. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  96. if len(source_ttl_dist) > 0:
  97. source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
  98. source_ttl_value = source_ttl_prob_dict.random()
  99. else:
  100. source_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  101. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  102. if len(destination_ttl_dist) > 0:
  103. destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
  104. destination_ttl_value = destination_ttl_prob_dict.random()
  105. else:
  106. destination_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  107. # Scan (MS17) for EternalBlue
  108. # Read Win7_eternalblue_scan_vulnerable pcap file
  109. orig_ip_dst = None
  110. exploit_raw_packets = RawPcapReader("resources/Win7_eternalblue_scan.pcap")
  111. port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports
  112. for pkt_num, pkt in enumerate(exploit_raw_packets):
  113. eth_frame = Ether(pkt[0])
  114. ip_pkt = eth_frame.payload
  115. tcp_pkt = ip_pkt.payload
  116. if pkt_num == 0:
  117. if tcp_pkt.getfieldval("dport") == self.smb_port:
  118. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  119. # Request
  120. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  121. # Ether
  122. eth_frame.setfieldval("src", mac_source)
  123. eth_frame.setfieldval("dst", mac_destination)
  124. # IP
  125. ip_pkt.setfieldval("src", ip_source)
  126. ip_pkt.setfieldval("dst", ip_destination)
  127. ip_pkt.setfieldval("ttl", source_ttl_value)
  128. # TCP
  129. tcp_pkt.setfieldval("sport",port_source)
  130. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  131. new_pkt.time = timestamp_next_pkt
  132. maxdelay = randomdelay.random()
  133. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), self.minDefaultPPS)
  134. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
  135. # Reply
  136. else:
  137. # Ether
  138. eth_frame.setfieldval("src", mac_destination)
  139. eth_frame.setfieldval("dst", mac_source)
  140. # IP
  141. ip_pkt.setfieldval("src", ip_destination)
  142. ip_pkt.setfieldval("dst", ip_source)
  143. ip_pkt.setfieldval("ttl", destination_ttl_value)
  144. # TCP
  145. tcp_pkt.setfieldval("dport", port_source)
  146. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  147. timestamp_next_pkt = timestamp_next_pkt + uniform(minDelay, maxDelay)
  148. new_pkt.time = timestamp_next_pkt
  149. packets.append(new_pkt)
  150. # Inject EternalBlue exploit packets
  151. # Read Win7_eternalblue_exploit pcap file
  152. exploit_raw_packets = RawPcapReader("resources/Win7_eternalblue_exploit.pcap")
  153. port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports
  154. # conversations = {(ip.src, ip.dst, port.src, port.dst): packets}
  155. conversations, orderList_conversations = self.packetsToConvs(exploit_raw_packets)
  156. # the last two connections have special treatment, they start after the other connections finish
  157. # TO-DO
  158. conv_start_timesamp = timestamp_next_pkt
  159. for conv_index, conv in enumerate(orderList_conversations):
  160. conv_start_timesamp = conv_start_timesamp + uniform(0.001,0.01) # the distance between the starts of the converstaions
  161. timestamp_next_pkt = conv_start_timesamp
  162. conv_pkts = conversations[conv]
  163. if conv_index == len(orderList_conversations) - 2: # Not the last conversation
  164. timestamp_next_pkt = packets[-1].time + uniform(0.001,0.01)
  165. if conv_index != len(orderList_conversations)-1: # Not the last conversation
  166. port_source += 2
  167. for pkt_num, pkt in enumerate(conv_pkts):
  168. eth_frame = Ether(pkt[0])
  169. ip_pkt = eth_frame.payload
  170. tcp_pkt = ip_pkt.payload
  171. if pkt_num == 0:
  172. if tcp_pkt.getfieldval("dport") == self.smb_port:
  173. orig_ip_dst = ip_pkt.getfieldval("dst")
  174. # defining req/rep should be adapted to fit the last converstaion where
  175. # victim starts a connection with the attacker
  176. # Request
  177. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  178. # Ether
  179. eth_frame.setfieldval("src", mac_source)
  180. eth_frame.setfieldval("dst", mac_destination)
  181. # IP
  182. ip_pkt.setfieldval("src", ip_source)
  183. ip_pkt.setfieldval("dst", ip_destination)
  184. ip_pkt.setfieldval("ttl", source_ttl_value)
  185. # TCP
  186. tcp_pkt.setfieldval("sport", port_source)
  187. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  188. new_pkt.time = timestamp_next_pkt
  189. maxdelay = randomdelay.random()
  190. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), self.minDefaultPPS)
  191. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
  192. # Reply
  193. else:
  194. # Ether
  195. eth_frame.setfieldval("src", mac_destination)
  196. eth_frame.setfieldval("dst", mac_source)
  197. # IP
  198. ip_pkt.setfieldval("src", ip_destination)
  199. ip_pkt.setfieldval("dst", ip_source)
  200. ip_pkt.setfieldval("ttl", destination_ttl_value)
  201. # TCP
  202. tcp_pkt.setfieldval("dport", port_source)
  203. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  204. timestamp_next_pkt = timestamp_next_pkt + uniform(minDelay, maxDelay)
  205. new_pkt.time = timestamp_next_pkt
  206. packets.append(new_pkt)
  207. else: # Last conversation where the victim start a connection with the attacker
  208. timestamp_next_pkt = packets[-1].time + uniform(0.001, 0.01)
  209. port_source = randint(self.minDefaultPort,self.maxDefaultPort)
  210. for pkt_num, pkt in enumerate(conv_pkts):
  211. eth_frame = Ether(pkt[0])
  212. ip_pkt = eth_frame.payload
  213. tcp_pkt = ip_pkt.payload
  214. # defining req/rep should be adapted to fit the last converstaion where
  215. # victim start a connection with the attacker
  216. # Request
  217. if tcp_pkt.getfieldval("dport") == self.last_conn_dst_port:
  218. # Ether
  219. eth_frame.setfieldval("src", mac_destination)
  220. eth_frame.setfieldval("dst", mac_source)
  221. # IP
  222. ip_pkt.setfieldval("src", ip_destination)
  223. ip_pkt.setfieldval("dst", ip_source)
  224. ip_pkt.setfieldval("ttl", destination_ttl_value)
  225. # TCP
  226. tcp_pkt.setfieldval("sport", port_source)
  227. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  228. new_pkt.time = timestamp_next_pkt
  229. maxdelay = randomdelay.random()
  230. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), self.minDefaultPPS)
  231. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
  232. # Reply
  233. else:
  234. # Ether
  235. eth_frame.setfieldval("src", mac_source)
  236. eth_frame.setfieldval("dst", mac_destination)
  237. # IP
  238. ip_pkt.setfieldval("src", ip_source)
  239. ip_pkt.setfieldval("dst", ip_destination)
  240. ip_pkt.setfieldval("ttl", source_ttl_value)
  241. # TCP
  242. tcp_pkt.setfieldval("dport", port_source)
  243. new_pkt = (eth_frame / ip_pkt / tcp_pkt)
  244. timestamp_next_pkt = timestamp_next_pkt + uniform(minDelay, maxDelay)
  245. new_pkt.time = timestamp_next_pkt
  246. packets.append(new_pkt)
  247. # Store timestamp of first packet (for attack label)
  248. self.attack_start_utime = packets[0].time
  249. self.attack_end_utime = packets[-1].time
  250. if len(packets) > 0:
  251. packets = sorted(packets, key=lambda pkt: pkt.time)
  252. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  253. # return packets sorted by packet time_sec_start
  254. # pkt_num+1: because pkt_num starts at 0
  255. return pkt_num + 1, path_attack_pcap