monkey/chaos_monkey/tunnel.py

import socket
import struct
import logging
from threading import Thread
from network.info import local_ips, get_free_tcp_port
from network.firewall import app as firewall
from difflib import get_close_matches
from network.tools import check_port_tcp
from model import VictimHost
import time

__author__ = 'hoffer'

LOG = logging.getLogger(__name__)

MCAST_GROUP = '224.1.1.1'
MCAST_PORT = 5007
BUFFER_READ = 1024
DEFAULT_TIMEOUT = 10
QUIT_TIMEOUT = 60 * 10  # 10 minutes


def _set_multicast_socket(timeout=DEFAULT_TIMEOUT, adapter=''):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((adapter, MCAST_PORT))
    sock.setsockopt(socket.IPPROTO_IP,
                    socket.IP_ADD_MEMBERSHIP,
                    struct.pack("4sl", socket.inet_aton(MCAST_GROUP), socket.INADDR_ANY))
    return sock


def find_tunnel(default=None, attempts=3, timeout=DEFAULT_TIMEOUT):
    l_ips = local_ips()

    for adapter in l_ips:
        for attempt in range(0, attempts):
            try:
                LOG.info("Trying to find using adapter %s", adapter)
                sock = _set_multicast_socket(timeout, adapter)
                sock.sendto("?", (MCAST_GROUP, MCAST_PORT))
                tunnels = []
                if default:
                    tunnels.append(default)

                while True:
                    try:
                        answer, address = sock.recvfrom(BUFFER_READ)
                        if answer not in ['?', '+', '-']:
                            tunnels.append(answer)
                    except socket.timeout:
                        break

                for tunnel in tunnels:
                    if tunnel.find(':') != -1:
                        address, port = tunnel.split(':', 1)
                        if address in l_ips:
                            continue

                        LOG.debug("Checking tunnel %s:%s", address, port)
                        is_open, _ = check_port_tcp(address, int(port))
                        if not is_open:
                            LOG.debug("Could not connect to %s:%s", address, port)
                            continue

                        sock.sendto("+", (address, MCAST_PORT))
                        sock.close()
                        return address, port
            except Exception, exc:
                LOG.debug("Caught exception in tunnel lookup: %s", exc)
                continue

    return None


def quit_tunnel(address, timeout=DEFAULT_TIMEOUT):
    try:
        sock = _set_multicast_socket(timeout)
        sock.sendto("-", (address, MCAST_PORT))
        sock.close()
        LOG.debug("Success quitting tunnel")        
    except Exception, exc:
        LOG.debug("Exception quitting tunnel: %s", exc)
        return


class MonkeyTunnel(Thread):
    def __init__(self, proxy_class, target_addr=None, target_port=None, timeout=DEFAULT_TIMEOUT):
        self._target_addr = target_addr
        self._target_port = target_port
        self._proxy_class = proxy_class
        self._broad_sock = None
        self._timeout = timeout
        self._stopped = False
        self._clients = []
        self.local_port = None
        super(MonkeyTunnel, self).__init__()
        self.daemon = True
        self.l_ips = None

    def run(self):
        self._broad_sock = _set_multicast_socket(self._timeout)
        self.l_ips = local_ips()
        self.local_port = get_free_tcp_port()

        if not self.local_port:
            return

        if not firewall.listen_allowed(localport=self.local_port):
            LOG.info("Machine firewalled, listen not allowed, not running tunnel.")
            return

        proxy = self._proxy_class(local_port=self.local_port, dest_host=self._target_addr, dest_port=self._target_port)
        LOG.info("Running tunnel using proxy class: %s, listening on port %s, routing to: %s:%s",
                 proxy.__class__.__name__,
                 self.local_port,
                 self._target_addr,
                 self._target_port)
        proxy.start()

        while not self._stopped:
            try:
                search, address = self._broad_sock.recvfrom(BUFFER_READ)
                if '?' == search:
                    ip_match = get_close_matches(address[0], self.l_ips) or self.l_ips
                    if ip_match:
                        answer = '%s:%d' % (ip_match[0], self.local_port)
                        LOG.debug("Got tunnel request from %s, answering with %s", address[0], answer)
                        self._broad_sock.sendto(answer, (address[0], MCAST_PORT))
                elif '+' == search:
                    if not address[0] in self._clients:
                        self._clients.append(address[0])
                elif '-' == search:
                        self._clients = [client for client in self._clients if client != address[0]]
            
            except socket.timeout:
                continue

        LOG.info("Stopping tunnel, waiting for clients")
        stop_time = time.time()
        while self._clients and (time.time() - stop_time < QUIT_TIMEOUT):
            try:
                search, address = self._broad_sock.recvfrom(BUFFER_READ)
                if '-' == search:
                    self._clients = [client for client in self._clients if client != address[0]]
            except socket.timeout:
                continue
        LOG.info("Closing tunnel")
        self._broad_sock.close()
        proxy.stop()
        proxy.join()

    def set_tunnel_for_host(self, host):
        assert isinstance(host, VictimHost)
        ip_match = get_close_matches(host.ip_addr, local_ips()) or self.l_ips
        host.default_tunnel = '%s:%d' % (ip_match[0], self.local_port)

    def stop(self):
        self._stopped = True
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`import socket`
			`import struct`
			`import logging`
			`from threading import Thread`
			`from network.info import local_ips, get_free_tcp_port`
			`from network.firewall import app as firewall`
			`from difflib import get_close_matches`
			`from network.tools import check_port_tcp`
added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`from model import VictimHost`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`import time`

			`__author__ = 'hoffer'`

			`LOG = logging.getLogger(__name__)`

			`MCAST_GROUP = '224.1.1.1'`
			`MCAST_PORT = 5007`
			`BUFFER_READ = 1024`
			`DEFAULT_TIMEOUT = 10`
GC-5050: skip timeouts fix and shorter timeout 2016-01-14 22:14:07 +08:00			`QUIT_TIMEOUT = 60 * 10 # 10 minutes`
code organization 2015-11-30 16:56:20 +08:00
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00
find tunnel now searches on all host's interfaces 2016-05-27 00:52:15 +08:00			`def _set_multicast_socket(timeout=DEFAULT_TIMEOUT, adapter=''):`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)`
			`sock.settimeout(timeout)`
			`sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)`
find tunnel now searches on all host's interfaces 2016-05-27 00:52:15 +08:00			`sock.bind((adapter, MCAST_PORT))`
code organization 2015-11-30 16:56:20 +08:00			`sock.setsockopt(socket.IPPROTO_IP,`
			`socket.IP_ADD_MEMBERSHIP,`
			`struct.pack("4sl", socket.inet_aton(MCAST_GROUP), socket.INADDR_ANY))`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`return sock`


added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`def find_tunnel(default=None, attempts=3, timeout=DEFAULT_TIMEOUT):`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`l_ips = local_ips()`

find tunnel now searches on all host's interfaces 2016-05-27 00:52:15 +08:00			`for adapter in l_ips:`
			`for attempt in range(0, attempts):`
			`try:`
			`LOG.info("Trying to find using adapter %s", adapter)`
			`sock = _set_multicast_socket(timeout, adapter)`
			`sock.sendto("?", (MCAST_GROUP, MCAST_PORT))`
			`tunnels = []`
			`if default:`
			`tunnels.append(default)`

			`while True:`
			`try:`
			`answer, address = sock.recvfrom(BUFFER_READ)`
			`if answer not in ['?', '+', '-']:`
			`tunnels.append(answer)`
			`except socket.timeout:`
			`break`
tunnel bugs fix 2015-10-12 19:56:44 +08:00
find tunnel now searches on all host's interfaces 2016-05-27 00:52:15 +08:00			`for tunnel in tunnels:`
			`if tunnel.find(':') != -1:`
			`address, port = tunnel.split(':', 1)`
			`if address in l_ips:`
			`continue`
added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00
find tunnel now searches on all host's interfaces 2016-05-27 00:52:15 +08:00			`LOG.debug("Checking tunnel %s:%s", address, port)`
			`is_open, _ = check_port_tcp(address, int(port))`
			`if not is_open:`
			`LOG.debug("Could not connect to %s:%s", address, port)`
			`continue`
tunnel bugs fix 2015-10-12 19:56:44 +08:00
find tunnel now searches on all host's interfaces 2016-05-27 00:52:15 +08:00			`sock.sendto("+", (address, MCAST_PORT))`
			`sock.close()`
			`return address, port`
			`except Exception, exc:`
			`LOG.debug("Caught exception in tunnel lookup: %s", exc)`
			`continue`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00
			`return None`

code organization 2015-11-30 16:56:20 +08:00
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`def quit_tunnel(address, timeout=DEFAULT_TIMEOUT):`
			`try:`
			`sock = _set_multicast_socket(timeout)`
			`sock.sendto("-", (address, MCAST_PORT))`
			`sock.close()`
			`LOG.debug("Success quitting tunnel")`
			`except Exception, exc:`
			`LOG.debug("Exception quitting tunnel: %s", exc)`
			`return`


			`class MonkeyTunnel(Thread):`
			`def __init__(self, proxy_class, target_addr=None, target_port=None, timeout=DEFAULT_TIMEOUT):`
			`self._target_addr = target_addr`
			`self._target_port = target_port`
			`self._proxy_class = proxy_class`
			`self._broad_sock = None`
			`self._timeout = timeout`
			`self._stopped = False`
			`self._clients = []`
added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`self.local_port = None`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`super(MonkeyTunnel, self).__init__()`
tunnel bugs fix 2015-10-12 19:56:44 +08:00			`self.daemon = True`
code organization 2015-11-30 16:56:20 +08:00			`self.l_ips = None`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00
			`def run(self):`
			`self._broad_sock = _set_multicast_socket(self._timeout)`
tunneling bug fix 2015-11-26 22:30:49 +08:00			`self.l_ips = local_ips()`
added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`self.local_port = get_free_tcp_port()`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00
added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`if not self.local_port:`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`return`

added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`if not firewall.listen_allowed(localport=self.local_port):`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`LOG.info("Machine firewalled, listen not allowed, not running tunnel.")`
			`return`

added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`proxy = self._proxy_class(local_port=self.local_port, dest_host=self._target_addr, dest_port=self._target_port)`
code organization #3 2015-12-02 17:18:27 +08:00			`LOG.info("Running tunnel using proxy class: %s, listening on port %s, routing to: %s:%s",`
			`proxy.__class__.__name__,`
			`self.local_port,`
			`self._target_addr,`
			`self._target_port)`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`proxy.start()`

			`while not self._stopped:`
			`try:`
			`search, address = self._broad_sock.recvfrom(BUFFER_READ)`
			`if '?' == search:`
tunneling bug fix 2015-11-26 22:30:49 +08:00			`ip_match = get_close_matches(address[0], self.l_ips) or self.l_ips`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`if ip_match:`
added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`answer = '%s:%d' % (ip_match[0], self.local_port)`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`LOG.debug("Got tunnel request from %s, answering with %s", address[0], answer)`
added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`self._broad_sock.sendto(answer, (address[0], MCAST_PORT))`
add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`elif '+' == search:`
			`if not address[0] in self._clients:`
			`self._clients.append(address[0])`
			`elif '-' == search:`
			`self._clients = [client for client in self._clients if client != address[0]]`

			`except socket.timeout:`
			`continue`

			`LOG.info("Stopping tunnel, waiting for clients")`
			`stop_time = time.time()`
			`while self._clients and (time.time() - stop_time < QUIT_TIMEOUT):`
			`try:`
			`search, address = self._broad_sock.recvfrom(BUFFER_READ)`
			`if '-' == search:`
			`self._clients = [client for client in self._clients if client != address[0]]`
			`except socket.timeout:`
			`continue`
			`LOG.info("Closing tunnel")`
			`self._broad_sock.close()`
			`proxy.stop()`
			`proxy.join()`

added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`def set_tunnel_for_host(self, host):`
			`assert isinstance(host, VictimHost)`
tunneling bug fix 2015-11-26 22:30:49 +08:00			`ip_match = get_close_matches(host.ip_addr, local_ips()) or self.l_ips`
added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00			`host.default_tunnel = '%s:%d' % (ip_match[0], self.local_port)`

add support for c&c tunneling "GC-3595 #resolve" 2015-10-08 18:39:52 +08:00			`def stop(self):`
code organization 2015-11-30 16:56:20 +08:00			`self._stopped = True`