3
0

SQLiAttack.py 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255
  1. import logging
  2. import random as rnd
  3. import lea
  4. import scapy.layers.inet as inet
  5. import scapy.utils
  6. import Attack.AttackParameters as atkParam
  7. import Attack.BaseAttack as BaseAttack
  8. import ID2TLib.Utility as Util
  9. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  10. # noinspection PyPep8
  11. class SQLiAttack(BaseAttack.BaseAttack):
  12. template_attack_pcap_path = Util.RESOURCE_DIR + "ATutorSQLi.pcap"
  13. # HTTP port
  14. http_port = 80
  15. # Metasploit experiments show this range of ports
  16. minDefaultPort = 30000
  17. maxDefaultPort = 50000
  18. def __init__(self):
  19. """
  20. Creates a new instance of the SQLi Attack.
  21. """
  22. # Initialize attack
  23. super(SQLiAttack, self).__init__("SQLi Attack", "Injects a SQLi attack'",
  24. "Privilege elevation")
  25. self.pkt_num = 0
  26. self.path_attack_pcap = None
  27. # Define allowed parameters and their type
  28. self.supported_params.update({
  29. atkParam.Parameter.MAC_SOURCE: atkParam.ParameterTypes.TYPE_MAC_ADDRESS,
  30. atkParam.Parameter.IP_SOURCE: atkParam.ParameterTypes.TYPE_IP_ADDRESS,
  31. atkParam.Parameter.MAC_DESTINATION: atkParam.ParameterTypes.TYPE_MAC_ADDRESS,
  32. atkParam.Parameter.IP_DESTINATION: atkParam.ParameterTypes.TYPE_IP_ADDRESS,
  33. atkParam.Parameter.PORT_DESTINATION: atkParam.ParameterTypes.TYPE_PORT,
  34. atkParam.Parameter.TARGET_HOST: atkParam.ParameterTypes.TYPE_DOMAIN,
  35. # atkParam.Parameter.TARGET_URI: atkParam.ParameterTypes.TYPE_URI,
  36. atkParam.Parameter.INJECT_AT_TIMESTAMP: atkParam.ParameterTypes.TYPE_FLOAT,
  37. atkParam.Parameter.INJECT_AFTER_PACKET: atkParam.ParameterTypes.TYPE_PACKET_POSITION,
  38. atkParam.Parameter.PACKETS_PER_SECOND: atkParam.ParameterTypes.TYPE_FLOAT
  39. })
  40. def init_params(self):
  41. """
  42. Initialize the parameters of this attack using the user supplied command line parameters.
  43. Use the provided statistics to calculate default parameters and to process user
  44. supplied queries.
  45. """
  46. # PARAMETERS: initialize with default utilsvalues
  47. # (values are overwritten if user specifies them)
  48. # Attacker configuration
  49. most_used_ip_address = self.statistics.get_most_used_ip_address()
  50. self.add_param_value(atkParam.Parameter.IP_SOURCE, most_used_ip_address)
  51. self.add_param_value(atkParam.Parameter.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  52. # Victim configuration
  53. random_ip_address = self.statistics.get_random_ip_address()
  54. self.add_param_value(atkParam.Parameter.IP_DESTINATION, random_ip_address)
  55. destination_mac = self.statistics.get_mac_address(random_ip_address)
  56. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  57. destination_mac = self.generate_random_mac_address()
  58. self.add_param_value(atkParam.Parameter.MAC_DESTINATION, destination_mac)
  59. self.add_param_value(atkParam.Parameter.PORT_DESTINATION, self.http_port)
  60. # self.add_param_value(atkParam.Parameter.TARGET_URI, "/")
  61. self.add_param_value(atkParam.Parameter.TARGET_HOST, "www.hackme.com")
  62. # Attack configuration
  63. self.add_param_value(atkParam.Parameter.INJECT_AFTER_PACKET, rnd.randint(0, self.statistics.get_packet_count()))
  64. self.add_param_value(atkParam.Parameter.PACKETS_PER_SECOND,
  65. (self.statistics.get_pps_sent(most_used_ip_address) +
  66. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  67. def generate_attack_packets(self):
  68. # Timestamp
  69. timestamp_next_pkt = self.get_param_value(atkParam.Parameter.INJECT_AT_TIMESTAMP)
  70. pps = self.get_param_value(atkParam.Parameter.PACKETS_PER_SECOND)
  71. # Calculate complement packet rates of BG traffic per interval
  72. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  73. # Initialize parameters
  74. self.packets = []
  75. mac_source = self.get_param_value(atkParam.Parameter.MAC_SOURCE)
  76. ip_source = self.get_param_value(atkParam.Parameter.IP_SOURCE)
  77. if isinstance(ip_source, list):
  78. ip_source = ip_source[0]
  79. mac_destination = self.get_param_value(atkParam.Parameter.MAC_DESTINATION)
  80. ip_destination = self.get_param_value(atkParam.Parameter.IP_DESTINATION)
  81. if isinstance(ip_destination, list):
  82. ip_destination = ip_destination[0]
  83. port_destination = self.get_param_value(atkParam.Parameter.PORT_DESTINATION)
  84. target_host = self.get_param_value(atkParam.Parameter.TARGET_HOST)
  85. target_uri = "/" # self.get_param_value(atkParam.Parameter.TARGET_URI)
  86. # Check ip.src == ip.dst
  87. self.ip_src_dst_equal_check(ip_source, ip_destination)
  88. # Set TTL based on TTL distribution of IP address
  89. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  90. if len(source_ttl_dist) > 0:
  91. source_ttl_prob_dict = lea.Lea.fromValFreqsDict(source_ttl_dist)
  92. source_ttl_value = source_ttl_prob_dict.random()
  93. else:
  94. source_ttl_value = Util.handle_most_used_outputs(self.statistics.process_db_query("most_used(ttlValue)"))
  95. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  96. if len(destination_ttl_dist) > 0:
  97. destination_ttl_prob_dict = lea.Lea.fromValFreqsDict(destination_ttl_dist)
  98. destination_ttl_value = destination_ttl_prob_dict.random()
  99. else:
  100. destination_ttl_value = Util.handle_most_used_outputs(
  101. self.statistics.process_db_query("most_used(ttlValue)"))
  102. # Inject SQLi Attack
  103. # Read SQLi Attack pcap file
  104. orig_ip_dst = None
  105. exploit_raw_packets = scapy.utils.RawPcapReader(self.template_attack_pcap_path)
  106. inter_arrival_times, inter_arrival_time_dist = self.get_inter_arrival_time(exploit_raw_packets, True)
  107. time_steps = lea.Lea.fromValFreqsDict(inter_arrival_time_dist)
  108. exploit_raw_packets.close()
  109. exploit_raw_packets = scapy.utils.RawPcapReader(self.template_attack_pcap_path)
  110. port_source = rnd.randint(self.minDefaultPort, self.maxDefaultPort) # experiments show this range of ports
  111. # Random TCP sequence numbers
  112. global attacker_seq
  113. attacker_seq = rnd.randint(1000, 50000)
  114. global victim_seq
  115. victim_seq = rnd.randint(1000, 50000)
  116. for self.pkt_num, pkt in enumerate(exploit_raw_packets):
  117. eth_frame = inet.Ether(pkt[0])
  118. ip_pkt = eth_frame.payload
  119. tcp_pkt = ip_pkt.payload
  120. str_tcp_seg = str(tcp_pkt.payload)
  121. # Clean payloads
  122. eth_frame.payload = b''
  123. ip_pkt.payload = b''
  124. tcp_pkt.payload = b''
  125. # FIXME: no getfieldval in class bytes
  126. if self.pkt_num == 0:
  127. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  128. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  129. # Last connection
  130. if tcp_pkt.getfieldval("dport") != 80 and tcp_pkt.getfieldval("sport") != 80:
  131. # New connection, new random TCP sequence numbers
  132. attacker_seq = rnd.randint(1000, 50000)
  133. victim_seq = rnd.randint(1000, 50000)
  134. # First packet in a connection has ACK = 0
  135. tcp_pkt.setfieldval("ack", 0)
  136. # Attacker --> vicitm
  137. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  138. # There are 363 TCP connections with different source ports, for each of them we generate random port
  139. if tcp_pkt.getfieldval("sport") != prev_orig_port_source and tcp_pkt.getfieldval("dport") != 4444 \
  140. and (tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80):
  141. port_source = rnd.randint(self.minDefaultPort, self.maxDefaultPort)
  142. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  143. # New connection, new random TCP sequence numbers
  144. attacker_seq = rnd.randint(1000, 50000)
  145. victim_seq = rnd.randint(1000, 50000)
  146. # First packet in a connection has ACK = 0
  147. tcp_pkt.setfieldval("ack", 0)
  148. # Ether
  149. eth_frame.setfieldval("src", mac_source)
  150. eth_frame.setfieldval("dst", mac_destination)
  151. # IP
  152. ip_pkt.setfieldval("src", ip_source)
  153. ip_pkt.setfieldval("dst", ip_destination)
  154. ip_pkt.setfieldval("ttl", source_ttl_value)
  155. # TCP
  156. # Regular connection
  157. if tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80:
  158. tcp_pkt.setfieldval("sport", port_source)
  159. tcp_pkt.setfieldval("dport", port_destination)
  160. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  161. # TCP Seq, Ack
  162. if tcp_pkt.getfieldval("ack") != 0:
  163. tcp_pkt.setfieldval("ack", victim_seq)
  164. tcp_pkt.setfieldval("seq", attacker_seq)
  165. if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  166. attacker_seq += max(len(str_tcp_seg), 1)
  167. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  168. new_pkt.time = timestamp_next_pkt
  169. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  170. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(time_steps.random())
  171. # Victim --> attacker
  172. else:
  173. # Ether
  174. eth_frame.setfieldval("src", mac_destination)
  175. eth_frame.setfieldval("dst", mac_source)
  176. # IP
  177. ip_pkt.setfieldval("src", ip_destination)
  178. ip_pkt.setfieldval("dst", ip_source)
  179. ip_pkt.setfieldval("ttl", destination_ttl_value)
  180. # TCP
  181. # Regular connection
  182. if tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80:
  183. tcp_pkt.setfieldval("dport", port_source)
  184. tcp_pkt.setfieldval("sport", port_destination)
  185. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/ATutor', target_uri, orig_ip_dst, target_host)
  186. # TCP Seq, ACK
  187. tcp_pkt.setfieldval("ack", attacker_seq)
  188. tcp_pkt.setfieldval("seq", victim_seq)
  189. strLen = len(str_tcp_seg)
  190. if not (tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  191. victim_seq += max(strLen, 1)
  192. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  193. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(time_steps.random())
  194. new_pkt.time = timestamp_next_pkt
  195. self.packets.append(new_pkt)
  196. exploit_raw_packets.close()
  197. def generate_attack_pcap(self):
  198. # Store timestamp of first packet (for attack label)
  199. self.attack_start_utime = self.packets[0].time
  200. self.attack_end_utime = self.packets[-1].time
  201. if len(self.packets) > 0:
  202. self.packets = sorted(self.packets, key=lambda pkt: pkt.time)
  203. self.path_attack_pcap = self.write_attack_pcap(self.packets, True, self.path_attack_pcap)
  204. # return self.packets sorted by packet time_sec_start
  205. # pkt_num+1: because pkt_num starts at 0
  206. return self.pkt_num + 1, self.path_attack_pcap