IdS ddlZddlZddlZddlZddlZddlZddlZddlmZm Z ddl m Z m Z m Z mZddlmZddlmZddlmZddlZddlmZddlmZdd lmZmZmZdd lmZdd lmZdd lm Z dd lm!Z!ddl"m#Z#ddl$Z$ddl%m&Z&m'Z'm(Z(ddl)m*Z*ddl+m,Z,m-Z-m.Z.m/Z/ddl0m1Z1ddl2m3Z3ddl2m4Z4ddl5m6Z6ddl7m8Z8ddl9Z9dZ:dZ;dZdddddddddZ?hdZ@dZAdeAz ZBdZCdZDe8eE ZFd!ZGd"ZHd#ZIGd$d%eJZKGd&d'eLZMd(ZNd)ZOGd*d+eLZPGd,d-eLZQGd.d/eLZRGd0d1eRZSdd2ZTd3ZUd4ZVd5ZWGd6d7eLZXdd8ZYid9d:d;d<d=d<d>d<d?d<d@d<dAd:dBd<dCd<dDd<dEd<dFd<dGd:dHd:dId<dJd:ZZidKdLdMdNdOdPdQdRdSdTdUdVdWdXdYdZd[d\d]d^d_d`dadbdcdddedfdgdhdidjdkdlidmdndodpdqdrdsdtdudvdwdxdydzd{d|d}d~ddddddddddXddddZddiddddddddddddddddlddnddddddddddddddddidddddddddddddddddddddd“ddēddƓddȓddʓdd̓ddΓiddГddғddԓdd֓ddؓddړddܓddޓdddddddddddddddddddddddddddZ[dZ\dZ]ddZ^ddZ_ ddZ`dZadZbdZceddZddZe ddZfdZgdZhdZiddZjd Zkdd Zl dd Zmd Znd ZodZp ddZqGddeLZrdZsdZtdZudZvdZwdZxy(N)ECHILDESRCH) OrderedDictCounter defaultdict namedtuple)query)traffic_packets)SamDB)LdbError)ClientConnection)securitydrsuapilsa)netlogon)netr_Authenticator)srvsvc)samr) drs_DsBind) CredentialsDONT_USE_KERBEROSMUST_USE_KERBEROS)system_session)UF_NORMAL_ACCOUNTUF_SERVER_TRUST_ACCOUNTUF_TRUSTED_FOR_DELEGATIONUF_WORKSTATION_TRUST_ACCOUNT) SEC_CHAN_BDC)gensec)sd_utils) get_string)get_samba_loggerga2U0*3?-?) dns0smb0x72ldapr(r-3r-2cldapr/dcerpc11r514nbnsr()r'1r-r<r-4r-5r3rAr512r513r515>r*smb2browser smb_netlogong$@)i)namec|tkrF|st|tjyt|t |ztjyy)aPrint a formatted debug message to standard error. :param level: The debug level, message will be printed if it is <= the currently set debug level. The debug level can be set with the -d option. :param msg: The message to be logged, can contain C-Style format specifiers :param args: The parameters required by the format specifiers fileN) DEBUG_LEVELprintsysstderrtuple)levelmsgargss 7/usr/lib/python3/dist-packages/samba/emulate/traffic.pydebugrZes9  #CJJ ' #d ##** 5 cBtjd}td|ddd|ddddtj|D]}t|tj ttj tjj y ) zL Print an unformatted log message to stderr, containing the line number r#)limit rz :z )endrPrON) traceback extract_stackrRrSrTflush)rXtbas rY debug_linenorfws{  q )B !!uQxAq 39<zz" acjj!" szzJJr[c`|r'd}|D]}|dz }||z}|dz}dd|zzfd}|Sd}|S)zReturn a function that prints a coloured line to stderr. The colour of the line depends on a sort of hash of the integer arguments.z [38;5;%dmchtdkDr(|D]"}t|dtj$yy)NrzrOrQrRrSrT)rXreprefixs rYpzrandom_colour_print..ps3QIAFA6SZZHIr[c\tdkDr#|D]}t|tjyy)NrrOrl)rXres rYrnzrandom_colour_print..ps+Q.A!#**-.r[)seedssxrnrms @rYrandom_colour_printrts`  A GA FA HA !BF+ I H  . Hr[c eZdZy)FakePacketErrorN)__name__ __module__ __qualname__rpr[rYrvrvsr[rvcdeZdZdZdZdZedZddZdZ dZ dZ d Z d Z d Zd ZddZy )PacketzDetails of a network packet timestamp ip_protocol stream_numbersrcdestprotocolopcodedescextra endpointsc *||_||_||_||_||_||_||_||_| |_|j|jkr|j|jf|_ y|j|jf|_ yNr|) selfr}r~rrrrrrrs rY__init__zPacket.__init__s{"&*      88dii "hh 2DN"ii2DNr[c |jdjd}|dd\}}}}}}} } |dd} t|}t|}t|}|||||||| | | S)N  )rstripsplitfloatint) clslinefieldsr}r~rrrrrrrs rY from_linezPacket.from_linesT"((.      qr )$ #h4y9k=#tVT52 2r[c  dj|j}|j|z}|d||j|jxsd|j |j |j|j|j|f zfS)z5Format the packet as a traffic_summary line. rz%f %s %s %d %d %s %s %s %s) joinrr}r~rrrrrr)r time_offsetrts rY as_summaryzPacket.as_summarys~ $**% NN[ (7!!##)r   r[c &d|j|j|j|jxsd|j|j |j |j|jr$ddj|jzdzf zSdf zS)Nz:%.3f: %d -> %d; ip %s; strm %s; prot %s; op %s; desc %s %sr$«r^»r) r}rrr~rrrrrrrs rY__str__zPacket.__str__sL499d6F6F6M###T]]DKK8< $$**--4MM NIKMM Nr[c d|zS)Nz rprs rY__repr__zPacket.__repr__s $$r[c |j|j|j|j|j|j |j |j|j|j Sr) __class__r}r~rrrrrrrrs rYcopyz Packet.copysU~~dnn".."00"hh"ii"mm"kk"ii"jj* *r[c<|jd|j}|S)N:rr)rrs rYas_packet_typezPacket.as_packet_types}}dkk 2r[cz|j|jf}|tvr t|S|tvr t| Sy)zA positive number means we think it is a client; a negative number means we think it is a server. Zero means no idea. range: -1 to 1. )rr CLIENT_CLUES SERVER_CLUES)rkeys rY client_scorezPacket.client_scoresB}}dkk* , $ $ ,  %% %r[c d|jd|j} tt|}|jdk7rtdd|j d |tj} ||||rKtj}||z }t d ||j |j|j|fzyy#t$r5}t d|j d|tjYd}~yd}~wwxYw#t$rU}tj}||z }t d ||j |j|j||fzYd}~yd}~wwxYw) zSend the packet over the network, if required. Some packets are ignored, i.e. for protocols not handled, server response messages, or messages that are generated by the protocol layer associated with other packets. packet__z Conversation(z) Missing handler rONkerberosr#z) Calling handler z%f %s %s %s %f True z%f %s %s %s %f False %s) rrgetattrr AttributeErrorrRconversation_idrSrTrZtime Exception) r conversationcontextfn_namefnestartr`durations rYplayz Packet.playsH%)MM4;;? '2B ==J & !"22G= >  .$ g.iik;2L88$--{{H../ /  //:zz #   , .))+CU{H 1 44dmm;;!-- . . .s1C.AD D +C==D E#A EE#c4|j|jz Srr}rothers rY__cmp__zPacket.__cmp__+s~~//r[NcBt|j|jSr)is_a_real_packetrr)rmissing_packet_statss rYis_really_a_packetzPacket.is_really_a_packet.s t{{;;r[)rr)rwrxry__doc__ __slots__r classmethodrrrrrrrrrrrpr[rYr{r{sT% I3 22& N % * &.P0"(-(-"(-!(-(-(-(-(-(;  ((*r[clt}td|jz||j|j}|j |j tjdgdg}i}dgi}|D]}t|j}djd|jdDj}|j|g} | j||j!d s|dj|t#|j%D]n} | d dd k7r | dd } | d dd k(r| dd } | d dd k(rt'd D]:} | d z } | | k7r&| |vr"t)d | d| t*j,3|| || <<p||_||_i|_|j |j tjdgd}djd|D} dj5| |j2d<d}dD]%}|dj5||j z }'dj5||j2d<d|j2d<|j dtj6dg}dj5|dd|j2d<y) N ldap://%s)url session_info credentialsrzpaged_results:1:1000dn)scopecontrolsattrs invocationId,c3BK|]}|jddyw)Nr#)lstrip.0rss rY z.sE!qxxz"1~EszCN=NTDS Settings,rLz,DCzdn_map collision r^rOz"(objectclass=groupPolicyContainer))rr expressionrc3DK|]}dj|dyw)z(distinguishedName={0})rN)format)rrWs rYrz.s XS6==c$iHXs z(|{0})gPCFileSysPath)zDomain Controllers,ztraffic_replay,rz(distinguishedName={0}{1})gpLinkz'(objectCategory=pKICertificateTemplate)pKIExtendedKeyUsagehighestCommittedUSN)rrz(usnChanged>={0})r usnChanged)rr rrrsearch domain_dnldb SCOPE_SUBTREEstrrrrupper setdefaultappend startswithlistkeysrangerRrSrTdn_mapattribute_clue_mapsearch_filtersr  SCOPE_BASE)rsessiondbresrrrrpatternr'krni gpos_by_dnou_strrs rYrz)ReplayContext.generate_ldap_search_tabless " {T[[0 '#zzgg ii !//"8!9#f& B  >AQTTBhhErxx}EEKKMG##GR0C JJrN}}01">299"=  >fkkm$ &Av#2ABC&E/crFBC&E/1X &U 6a6ka;"zz+"1Iq  & & "4 !ii c.?.?v#GIWWXTWXX 19 0K,-@ NB 299"bllnM MF N(0(?H% 6 12 ii#..9N8OiP  & &s1v.C'D E L)r[c|jjD]}||vs|j|cS|dk(rt|_|jj|j|jj |j |jj |j|jj|j|jj|j|jj|jt|_|jj|j|jj |j |jj |jdd|jj|j|jj|jt|_|jj|j|jj |j |jj |j|jj|j|jj!|jj#t$j&z|jj|j|jj)|j*t|_|j,j|j|j,j |j |j,j |jdd|j,j|j|j,j!|j,j#t$j&z|j,j|j|j,j)|j*y)a;Generate the conversation specific user Credentials. Each Conversation has an associated user account used to simulate any non Administrative user traffic. Generates user credentials with good and bad passwords and ldap simple bind credentials with good and bad passwords. N)r user_credsguessrset_workstationr: set_passwordr= set_usernamer< set_domainrset_kerberos_stateruser_creds_badsimple_bind_credsset_gensec_featuresget_gensec_featuresr FEATURE_SEAL set_bind_dnrBsimple_bind_creds_badrs rYrDz!ReplayContext.generate_user_creds1s&- dgg& ''(9(9: $$T]]3 $$T]]3 ""4;;/ **4+>+>?)m !!$''* ++D,=,=> ((s);< ((7 ..t/B/BC"- $$TWW- ..t/@/@A ++DMM: ++DMM: 22  " " 6 6 86;N;N N P 11$2E2EF **4<<8%0]" ""((1 ""2243D3DE ""// cr0BC ""// > ""66  & & : : <     ! ""55d6I6IJ ""..t||.connects)==$++!>!%!&( (r[)r8rMrPrWrrrrkrsrms` rYget_srvsvc_connectionz#ReplayContext.get_srvsvc_connectionsw  " "3**2. . (  , ,W-1__-1-@-@-1-A-A C "D &&q)r[cjr|sjdSfd}j|jjj\}_jj ||S)Nrjcld}tjdjd|dj|S)Nzschannel,seal,sign ncacn_ip_tcp:[]rlsarpcrr)rbinding_optionsrs rYrsz4ReplayContext.get_lsarpc_connection..connects12O::#{{O="gg#% %r[)r5rMr`rbrrrts` rYget_lsarpc_connectionz#ReplayContext.get_lsarpc_connectionsy  " "3**2. . %  , ,W-1-?-?-1-C-C-1-A-A C "D &&q)r[cjr|sjdSfd}j|jjj\}_jj ||S)Nrjc`tjdjzj|Srqr{rrs rYrsz?ReplayContext.get_lsarpc_named_pipe_connection..connects)::mt{{;"gg#% %r[)r6rMr`rbrrrts` rY get_lsarpc_named_pipe_connectionz.ReplayContext.get_lsarpc_named_pipe_connectionsy  ( (004 4 %  , ,W-1-?-?-1-C-C-1-G-G I (D & %%,,Q/r[cjr|sjd}|Sfd}j|jjj\}_t |\}}||f}jj ||S)zget a (drs, drs_handle) tuplerjcpd}djd|d}tj|j|S)Nsealrxryrz)rrr)rr}binding_stringrs rYrsz:ReplayContext.get_drsuapi_connection_pair..connects/$O"kk?477EB Br[)r7rMrPrWrrr)rrkunbindrmrsdrs drs_handlesupported_extensionss` rYget_drsuapi_connection_pairz)ReplayContext.get_drsuapi_connection_pairs  # #C((,AH C  , ,W-1__-1-@-@-1-B-B D %d# .8_*) *    ''*r[czjr|sjdSfd}fd}|r;j|jjj\}_n:j|j j j\}_jj||S)NrjcNtdjz|jS)a$ To run simple bind against Windows, we need to run following commands in PowerShell: Install-windowsfeature ADCS-Cert-Authority Install-AdcsCertificationAuthority -CAType EnterpriseRootCA Restart-Computer z ldaps://%srrr rrrrs rY simple_bindz6ReplayContext.get_ldap_connection..simple_binds' 3%* GG% %r[cNtdjz|jS)Nrrrrrs rY sasl_bindz4ReplayContext.get_ldap_connection..sasl_binds%t{{2%* GG% %r[) r3rMrXr]rrPrWrr)rrksimplerrsamdbs` rYget_ldap_connectionz!ReplayContext.get_ldap_connections  ((, , % % 00151G1G151K1K151J1JL /UD-0015151D1D151C1CE (UD& $$U+ r[c|jr|rE|jjt|j|j|j |jdS)N)rrrj)r9r SamrContextrrr)rrks rYget_samr_contextzReplayContext.get_samr_context sK!!S    % %DKKDGG4::F H!!"%%r[cjr jSfd}j|jjj\}_|_|S)Nc`tjdjzj|S)Nzncacn_ip_tcp:%s[schannel,seal])rrrrrs rYrsz6ReplayContext.get_netlogon_connection..connects/$$%E&*kk&3%)WW%*, ,r[)rrMr`rbr)rrsrms` rYget_netlogon_connectionz%ReplayContext.get_netlogon_connectionsf  # #++ + ,  , ,W-1-?-?-1-C-C-1-C-C E $D " $% r[c|jdfS)NArrs rYguess_a_dns_lookupz ReplayContext.guess_a_dns_lookup$s C  r[c|jj}t}|dDcgc]}t|tr|n t |!c}|j _|d|_t}||fScc}w)N credentialr}) r`new_client_authenticatorr isinstancerordcreddatar})rauthcurrentrs subsequents rYget_authenticatorzReplayContext.get_authenticator'sy!!::<%'&*<&8:!"#-Q"4Q#a&@:  -') $$ :s$A:c tjj|j|}t |d}|j D]\}}t |d|||jy)zWrite arbitrary key/value pairs to a file in our stats directory in order for them to be picked up later by another process working out statistics.wz: rON)ospathrropenitemsrRclose)rfilenamekwargsrHr%vs rY write_statszReplayContext.write_stats1sY77<< x8 3 LLN -DAq a#! , -  r[r)F)FF)rwrxryrrenvironrrrr/rFrMrDrCrhrnrur~rrrrrrrrrpr[rYrrZs%)'+!% x0 !*+XPFn!$#>*8,=\G2,$($.$L& $!%r[rc$eZdZdZddZdZdZy)rz5State/Context associated with a samr connection. Ncd|_d|_d|_d|_d|_d|_d|_||_||_||_ yr) connectionhandle domain_handler group_handle user_handleridsrrr)rrrrs rYrzSamrContext.__init__?sK!! !!!!! # " r[c|js>tjd|jz|j|j|_|jS)Nzncacn_ip_tcp:%s[seal])lp_ctxr)rrrrrrs rYget_connectionzSamrContext.get_connectionKs?"ii'4;;7ww JJ(DO r[c|js5|j}|jdtj|_|jSr)rrConnect2rSEC_FLAG_MAXIMUM_ALLOWED)rrms rY get_handlezSamrContext.get_handleTs9{{##%A**T8+L+LMDK{{r[NN)rwrxryrrrrrpr[rYrr<s #r[rcpeZdZdZ ddZdZdZ ddZdZeZ dZ d Z d Z d Z dd Zdd ZdZdZy) ConversationzADetails of a converation between a simulated client and a server.Nc||_||_g|_t||_d|_||_|D]}|j|y)Nr) start_timerpacketsrtrWclient_balanceradd_short_packet)rrrseqrrns rYrzConversation.__init__]sR$" &y1!. &A !D ! !1 % &r[c|j|jyy|jy|j|jz S)Nrrjr_)rrs rYrzConversation.__cmp__hsB ?? "'    #!1!111r[cp|j}|j|j|_|j|j|_|j|jk7r%t d|jd|j|xj|jzc_|j |jdk(r$|xj |jzc_n#|xj |jz c_|jr|jj|yy)zmAdd a packet object to this conversation, making a local copy with a conversation-relative timestamp.NzConversation endpoints z don't matchpacket endpoints r) rrr}rrvrrrrrr)rpacketrns rY add_packetzConversation.add_packetqs KKM ?? "kkDO >> ![[DN ;;$.. (!#'>>1;;#@A A t& 55AKKN "   1>>#3 3    1>>#3 3    ! LL   " "r[c |r t||sy|j\}}|s||}}||f} tj| d} tj|d} t ||j z | d||||| | } | j| jdk(r$|xj| jzc_ n#|xj| jz c_ | jr|jj| yy)zCreate a packet from a timestamp, and 'protocol:opcode' pair, and a (possibly empty) list of extra data. If client is True, assume this packet is from the client to the server. Nr06r)rguess_client_serverOP_DESCRIPTIONSr IP_PROTOCOLSr{rrrrrrrr) rr}rrrclientskip_unused_packetsrrrrr~rs rYrzConversation.add_short_packets '7&'I ,,. TcC ""3+"&&x6  DOO3[C &$7 ::))!, ,   6#6#6#8 8    6#6#6#8 8   $ $ & LL   ' 'r[cvd|j|j|jt|jfzS)Nz-)rrrlenrrs rYrzConversation.__str__s5?%%t~~tT\\"$$ %r[c,t|jSr)iterrrs rY__iter__zConversation.__iter__sDLL!!r[c,t|jSr)rrrs rY__len__zConversation.__len__s4<<  r[ct|jdkry|jdj|jdjz S)Nr#rrj)rrr}rs rY get_durationzConversation.get_durations> t|| q ||B))DLLO,E,EEEr[cr|jDcgc]}|j|jc}Scc}wr)rrr)rrns rYreplay_as_summary_linesz$Conversation.replay_as_summary_liness'7;||D! T__-DDDs"4c|j}tj|z }||z }|tz }|dkDrtj|tj|z |z }|j d||fzd} d} tj} |j D]} tj| z }|| j z }|| kDr|} |dkr\| tz }|dkDrMtj|tj| z }|| j z | kDr|| j z } | j||| || fS)zMReplay the conversation at the right time. (We're already in a fork).rzstarting %s [miss %.3f]r)rrSLEEP_OVERHEADsleeprWrr}r) rrrrErnowgap sleep_timemissmax_gapmax_sleep_missp_startrns rYreplay_with_delayzConversation.replay_with_delays0 OOiikE!#g>) > JJz " e#q( *dD\9:))+ "A))+'C #CW}Qw!TN2 >JJz* g-A1;;7)*Q[[ FF4 ! "n,,r[c~|j\}}|jdkr||fS|jdk(r ||k(r||fS||fS)zhHave a go at deciding who is the server and who is the client. returns (client, server) r)rr)r server_cluerebs rYrz Conversation.guess_client_serversQ~~1    "q6M   ! # q(8q6M1v r[c|jDcgc]}||jcxkr|ksnn|c}|_|jr|jdj|_yd|_ycc}w)zPrune any packets outside the time window we're interested in :param s: start of the window :param e: end of the window rNrr}r)rrrrrns rYforget_packets_outside_windowz*Conversation.forget_packets_outside_windowsQ $(<<Ia1 3Hq3HI 7;||$,,q/33Js A,A,c|jD]}|xj|zc_|j|xj|zc_yy)z=Adjust the packet start times relative to the new start time.Nr)rrrns rYrenormalise_timeszConversation.renormalise_timessB &A KK: %K & ?? & OOz )O 'r[)NNrpN)TTrr)rwrxryrrrrrrrrrrrrrrrrpr[rYrr[s\K<>!% &2#6;?(8% H"!F E!-F"N*r[rc.eZdZdZddZdZddZddZy) DnsHammerzOA lightweight conversation that generates a lot of dns:0 packets on the flyNct||z}t|Dcgc]}tjd|c}|_|jj ||_||_d|_|j||_ ycc}w)Nr query_file) rrr*uniformtimessortraterr_get_query_choices query_choices)rdns_raterrnr&s rYrzDnsHammer.__init__sq 8# $;@8DafnnQ1D     !44 4K EsBc`dt|j|j|jfzS)Nz-)rrrrrs rYrzDnsHammer.__str__s)?TZZ$--;< =r[cP|rt|d5}|j}dddg}jD]Y}|j}|s|j dr(|j d}t |dk(sJ|j|[|SgdS#1swY}xYw)z Read dns query choices from a file, or return default rname may contain format string like `{realm}` realm can be fetched from context.realm r#N#r) )r{realm}ryes)r_rNSr )r# *.{realm}rno)rdr r r ) _msdcs.{realm}rr ) rr r ) nx.realm.comrr )rr r )*.nx.realm.comrr )rr r )rread splitlinesstriprrrr)rrrHtextchoicesrrXs rYrzDnsHammer._get_query_choicess j#& !vvx G) )zz| 4::c?Dt9>)>NN4(  ) N    s BB%c |sJ|jsJtj}|jD]}tj|z }||z }|tz }|dkDrtj|t j |j\}}} } |j|j}d} tj} t|| } | dk(r t| sd} tj}|| z }td|||| fzy#t$rd} Y;wxYw#tj}|| z }td|||| fzwxYw)NrrTr Fz%f DNS dns %s %f %s ) rrrrrr*rerr  dns_queryrrrR)rrrrrrrrrnamertypeexistsuccess packet_startanswersr`rs rYreplayzDnsHammer.replay4sCw}}}  WA))+%Cc'C~-JA~ :&*0--8J8J*K 'FE5%LLw}}L5EG99;L W#E51E>#g,#Giik-2c68W5UUV+ W   iik-2c68W5UUVs$ D D&#D)%D&&D))-Er)rwrxryrrrrr#rpr[rYrrsL=BWr[rctt}g}|D]}t|tr t |}t d|j tj|D]T}tj|}|jdk(r|dk7r||jxxdz cc<D|j|V|j|sgdfStd|D}t!d|D}t d tjt#} t%|D]f\} }|xj&|zc_| j)|j*} | t-| d z } | | |j*<| j/|hg} | j1D]"} t3| dk7s| j| $t5||z } t3| | z }| || |fS) zLLoad a summary traffic summary file and generated Converations from it. z Ingesting rOr'includer_rc34K|]}|jywrrrrns rYrz#ingest_summaries..fs2QQ[[2c34K|]}|jywrrr's rYrz#ingest_summaries..gs3aakk3r(z$gathering packets into conversationsr#)r)rrrrrrRrMrSrTr{rrrrrminmaxr enumerater}rrrrvaluesrr)filesdns_mode dns_countsrrHrrnr last_packet conversationsr&rmconversation_listr mean_intervals rYingest_summariesr5PsS!JG   a QA (szz: "D  &AzzU"x9'<188$)$q!  "    1u 2'22J3733K 0szzBMM'"1 z!   akk * 9a!e5A)*M!++ & Q   ! ! #( q6Q;  $ $Q '([:-.H &1M mXz AAr[ct}|D]}|j|j|r|jddSy)Nr_r)rupdater most_common)r2 addressesrms rYguess_server_addressr:sH I &%&$$Q'**r[cfi}|jD]\}}dj|}|||<|SNr)rr)rsyr%rk2s rYstringify_keysr?s= A 1 YYq\" Hr[ci}|jD]-\}}tt|jd}|||</|Sr<)rrUrr)rsr=r%rrs rYunstringify_keysrAsG A 1 #a&,,t$ %! Hr[cReZdZd dZd dZdZdZ d dZdZdZ d d Z y) TrafficModelcvi|_i|_||_tt|_d|_ddg|_y)Nrrr_)ngrams query_detailsrrr dns_opcountscumulative_duration packet_rate)rrs rYrzTrafficModel.__init__s9 ',#& q6r[Nc |i}d}d}tf|jdz z}t|}|jD]\}}|j|xx|z cc<t |dkDro|dj } d} | dz} |D]3} | t | z } t| | jdj} 5| |jd<| | z |jd<|D]]} | j|\} }|| jz }tf|jdz z}| D]}|j| k7r|j|z }|j}|tkDr]dtj td|t"zz}|j$j'|gj)||dd|fz}|j+}|j,j'|gj)t/|j0|j$j'|gj)||dd|fz}`|xj2|z c_|j$j'|gj)ty)Nrr_rg?rjwait:%dr%) NON_PACKETrr:rrGrrr+rr}rIrrrWAIT_THRESHOLDmathlog WAIT_SCALErErrrrFrUrrH)rr2rGprev cum_durationrrr%rfirsttotallastrmrrnelapsedrshort_ps rYlearnzTrafficModel.learnsj  L mtvvz*%m4 &&( &DAq   a A %  & }  !!!$//EE3;D" :Q42!8!89 :#(D  Q "&,D  Q  +A226:NFF ANN, ,L-466A:.C +55F?++,{{^+$S5.s',801=>DIIaL3,F,8s!)rErFrHrIversionr'rr#)indent)rErrdictrrFrHrICURRENT_MODEL_VERSIONrGrrrjsondump)rrHrEr%rrFds rYsavezTrafficModel.savesKK%%' )DAq ! AWQZ(F1I ) &&,,. 9DAq#G,856,8%8 9M!  9 *#'#;#;++,  $$% a Q A !Qq!r[c 0t|tr t|}tj|} |d}|t krt d|t fz |djD]\}}tt|jd}|jj|g}|jD]#\}}|jt|g|z%|j|djD]\}}|jjt|g}|jD]V\}}|dk(r|jdg|z!|jtt|jdg|zX|jd |vr2|d jD]\}}|j |xx|z cc<|d |_|d |_y#t$rt dt zwxYw) Nr[z4the model file is version %d; version %d is requiredz=the model file lacks a version number; version %d is requiredrErrFr$rpr'rHrI)rrrr_loadREQUIRED_MODEL_VERSION ValueErrorKeyErrorrrUrrErextendrrFrGrHrI) rrHrar[r%rr-rncounts rYrdzTrafficModel.loads a QA IIaL ; lG// ":")+A!B"CDD0hK%%' DAqc!fll4()A[[++Ar2FGGI 05 s1vh./ 0 KKM  o&,,. DAq''223q62>FGGI G58MM2$,/MM5Qd);#<"="EF  G KKM  A:%( *1!!!$)$ *$%%:#; ]+5 ; ":"8":;; ;s "G99Hcg}tf|jdz z}||dz } tj|jj |tf}|tk(ry||kr |Stj|kDr#t d||fztj |Sdtjddz}t d|ztj||jvr#tj|j|} ng} |jd d\} } | d k(rEt| tjz} tj| t|zz } || z }nWtj t"}tj||z } || z }|||kDr |S||k\r|j%|| | | f|dd|fz}|d ddd k(r"|d ddd k(rtf|jdz z})zUConstruct an individual conversation packet sequence from the model. r_Nz"ending after %s (persistence %.1f)rOrKr ztrying %s instead of endrrzwait:rj)rLrr*rerErrRrSrT randrangerFrrrNexprPrNO_WAIT_LOG_TIME_RANGEr)rr} hard_stop replay_speed ignore_before persistencermrrnrrr log_wait_timerlog_waits rYconstruct_conversation_sequencez,TrafficModel.construct_conversation_sequences mtvvz*  %MM dkkoocJ=ABAJ},FE==?[0>#{ASS"zz+>; 0 0B 770143::FD&&& d&8&8&;< wwsA Hf6! #F fmmo = xx .*|2KLT! !>>+ABxx)L8T! (Y-B -HHi65ABab'QD.C2wr{g%#b'"1+*@"mtvvz2Kr[c0|j\}}||z|z SrrI)rscalerate_nrate_ts rYscale_to_packet_ratez!TrafficModel.scale_to_packet_ratePs **v~&&r[c0|j\}}||z|z Srrx)rppsrzr{s rYpacket_rate_to_scalez!TrafficModel.packet_rate_to_scaleTs **f v%%r[cd|z}t||z}g}d}||krmtj| |} |j| ||d|} | D]\} } } }t | | snM|j | |t | z }||krm|j|}td||t |||fztj|j|S)zsearchResEntryr@)r-rz*** Unknown ***)r|r8lsa_LookupNames)r|rHlsa_LookupSids)r|39lsa_QueryTrustedDomainInfoBySid)r|40lsa_SetTrustedDomainInfo)r|6lsa_OpenPolicy)r|76lsa_LookupSids3)r|77lsa_LookupNames4r9)r:r<)r21NetrLogonDummyRoutine1)r26NetrServerAuthenticate3)r29NetrLogonGetDomainInfo)r30NetrServerPasswordSet2)rrNetrLogonSamLogonEx)rrDsrEnumerateDomainTrusts)r45NetrLogonSamLogonWithFlags)rr?NetrServerReqChallenge)rr(Connect)rrGetAliasMembership)r17 LookupNames)r18 LookupRids)r19 OpenGroup)rr<Close)r25QueryGroupMember)r34OpenUser)r36 QueryUserInfo)rrGetGroupsForUser)rr/ QuerySecurity)rrA LookupDomain)r64Connect5)rr EnumDomains)r7 OpenDomain)r8QueryDomainInfo)r*0x04z Close (0x04))r*0x24zLocking AndX (0x24))r*0x2ezRead AndX (0x2e))r*0x32z Trans2 (0x32))r*0x71zTree Disconnect (0x71)r)zNegotiate Protocol (0x72))r*0x73zSession Setup AndX (0x73))r*0x74zLogoff AndX (0x74))r*0x75zTree Connect AndX (0x75))r*0xa2zNT Create AndX (0xa2))rIr(NegotiateProtocol)rIr6Ioctl)rIr8Find)rIrGetInfo)rIrBreak)rIr< SessionSetup)rIr1 SessionLogoff)rIr/ TreeConnectTreeDisconnectCreateReadz$SAM LOGON request from client (0x12)z3SAM Active Directory Response - user unknown (0x17)NetShareGetInfo NetSrvGetInfo))rIr?)rIrA)rIr)rIr)rK0x12)rK0x17)rr)rrc|jdd\}}tj||fd}tj|d}||d|||||g} | j |dj | S)Nrr_rrr)rrrrrhr) rnr}rrrrrrr~rs rYexpand_short_packetrsowwsAHf   &12 6D""8T2K {BT8VT JDKK 99T?r[ctjjtjjt j dy)zSignal handler closes standard out and error. Triggered by a sigterm, ensures that the log messages are flushed to disk and not lost. rN)rSrTrstdoutr_exit)signalframes rYflushing_signal_handlerr s/ JJJJHHQKr[c|dztjddz}tjj tj j t j}|dk7r|S tj|||f}d} |dd} t| |||} tjtjt|j|| tjjt jdt j j#|j$d| j&z} t)| d} tjjt jd| t_t1j0|z }| |z }|t2z }|dkDrt1j4|| j7|| \}}}t9d |zt9d |zt9d |ztj jtjjt jB| y #t*$r#}t,j/d|zYd }~d }~wwxYw#t:$ryd} t9dt j< fztj t?j@tj tj j YwxYw#tj jtjjt jB wxYw)z8Fork a new process and replay the conversation sequence.ri)rrzstats-conversation-%drr_stdout closing failed with %sN)rrzMaximum lag: %fz Start lag: %fzMax sleep miss: %fz*EXCEPTION in child PID %d, conversation %srO)"r*randintrSrrcrTrforkseedrrSIGTERMrrFstdinrrrrrrIOErrorrinforrrrrRrgetpidra print_excr)csrrrE client_id server_idrpidrstatusrrmrrHrrrrmax_lag start_lagrs rYreplay_seq_in_forkr s t fnnQ4 4DJJJJ '')C ax * D *  qE!H I2y I fnn&=>--gq9   77<< 0 02I ! 1 1323 3  = JJ    HHQK iikE!#g>) > JJz "-.-@-@uIP.A.R*N ')* o )* "^34   3 = KK7!; < < =  ;ryy{A>NN:: CJJ'     sR5C"J3I( B J( J1J JJJA>LLLLAM/ctjjtjjt j }|dk7r|Stj jt jd tjjt jdtjj|jd}t|dt_ d}tjtj t"t%|||}|j'|tjjtjjt j2|y#t$r#}tjd|zYd}~d}~wwxYw#t($rXd}t+dt j,ztj t/j0tjYwxYw#tjjtjjt j2wxYw) Nrr_rz stats-dnsrr)rz)EXCEPTION in child PID %d, the DNS hammerrO)rSrrcrTrrrrrrwarnrrrrrrrrr#rrRrrarr) rrrrrrrr hammers rYdnshammer_in_forkrSsJJJJ '')C ax IIOOHHQK9   ww||G,,k:Hh$CJ  fnn&=>8X*E g &   % 9 3a7889 ( :biikJ:: CJJ' (   s? 3F?A G  G$GG AH+(H.*H++H..AJc ptd|||t|d| } t|t|kr"tdt|t|fztjt|dz} t j | z} ||ddd|z}t d| ztjt d|| zztjt d |ztj| |zd z}tjd t||fz| jd t|td |Di} |rt||| |}d||<t|D]#\}}||}|dz}t|| | ||}|||<%t j }t d|| z | z|| z fztjt j |kr|rt j d tj"dtj$\}}|rM|j-|d}t.dkDr*t d||t|fztj| r|dk7rnt j |kr|r| jdt|dD]v}t dt||fztj|D]} tj6||t j dt j dz}|r tj"dtj$\}}dk7r|j-|d}|_t d|ztjj;tj<j;tj>dt d||t|fztjt j |k\rn|r|snt j dy|r't dt|ztj tj@ddy#t&$r}|j(t*k7rYd}~d}~wwxYw#t0$r3t dtjt3j4Y?wxYw#t&$r}|j(t8k7rYd}~d}~wwxYw#t&$r}|j(t*k7rYd}~d}~wwxYw#tB$rt dtjYywxYw#| jdt|dD]}t dt||fztj|D]C} tj6||#t&$r}|j(t8k7rYd}~=d}~wwxYwt j dt j dz}|r tj"dtj$\}}n*#t&$r}|j(t*k7rYd}~nd}~wwxYwdk7r|j-|d}|_t d|ztjj;tj<j;tj>dt d||t|fztjt j |k\rn|r|snt j d|r't dt|ztj tj@ddw#tB$rt dtjYwwxYwxYw) N)rrrrz(we have %d accounts but %d conversationsg{Gz?rjrzWe will start in %.1f secondsrOzWe will stop after %.1f secondszruntime %.1f secondsr%z6Replaying traffic for %u conversations over %d seconds intentionsc32K|]}t|ywr)rrs rYrzreplay..s+MqCF+Ms)Planned_conversationsPlanned_packetsrr_r#z,all forks done in %.1f seconds, waiting %.1fg~jth?z-process %d finished conversation %d; %d to gozEXCEPTION in parent unfinished)Unfinished_conversations)rrzkilling %d children with -%d?zchildren is %s, no pid foundz)kill -%d %d KILLED conversation; %d to goz%d children are missingzignoring fake ^Crp)"rrrfrsetpgrprrRrSrTrrrsumrr,r rwaitpidWNOHANGOSErrorerrnorpoprQrrarkillrrcrrkillpgKeyboardInterrupt)conversation_seqhostrraccountsrdns_query_filerlatency_timeoutstop_on_any_errorrrdelayrr`childrenrr&rrErrr rrmrrs rYr#r#us&4"'!034D0E&% &G  8}s+,,Dx=#.>*?@AC C JJL  !D (E IIK% E$B'+A.@ )E 1zz +x%/? @zz 8 +zz ( S C KKH ! "H -./  .12B.C(++Mr[cg}td|dzD]}d|dzz }|j|||_|j||_y)z6Probability distribution of a group containing a user.r_g?N)rr group_weightsr group_dist)rrrrsrns rYrz,GroupAssignments.generate_group_distributionBsW q!a% AQV A NN1   %66w?r[ctj|jtj}tj|jtj}||fS)z2Returns a randomly generated user-group membership)bisectrr*rrrLrRs rYgenerate_random_membershipz+GroupAssignments.generate_random_membershipPsB}}T^^V]]_= doov}}?U{r[c |j|Sr)r})rrRs rYusers_in_groupzGroupAssignments.users_in_group\s&&r[c6|jjSr)r}rrs rY get_groupszGroupAssignments.get_groups_s$$&&r[ct|j|}||k\rZtjdj ||d|j |dz <|j |j }||_yy)z?Prevent the group's membership from exceeding the max specifiedzGroup {0} has {1} membersrr_N)rr}rrr rrr)rrRrv num_membersnew_dists rYcap_group_membershipz%GroupAssignments.cap_group_membershipbsq$**512 + % KK3::5+N O-.D  uqy )33D4F4FGH&DO &r[c||j|vr3|j|j||xjdz c_|jr|j ||jyy)Nr_)r}rrirvrrs rYadd_assignmentzGroupAssignments.add_assignmentnsc t''. .   U # * *4 0 JJ!OJ     % %eT-=-= > r[c|dkrytjt|t|t|z z}|jrt ||j|z}||z dz }||z dz }|j |krJ|j \}} | |kDs||kDr|j|dz| dz|j |krIyy)a Allocate users to groups. The intention is to have a few users that belong to most groups, while the majority of users belong to a few groups. A few groups will contain most users, with the remaining only having a few users. rNr_)rNceilrrvr*rTrr) rrtrzrsr|ruexisting_usersexisting_groupsrLrRs rYrzGroupAssignments.assign_groupszs  ! !II # $ ; %"8 8 :;    #$5$($4$47G$G!I *[8A=*\9A=jjl..99;KD%&$*?##D1Heai8 jjl..r[c|jSrrirs rYrTzGroupAssignments.totals zzr[N)rwrxryrrrrrrrrrrrTrpr[rYrprp s; ;"?4 @ '' ' ?9Br[rpcd|j}d}d}|jD]}|j|}t|dk(r#t dt|dD]N}|||dz} t |||| |t| z }|dz }|dzdk(s5t jd||fzPy)zDTakes the assignments of users to groups and applies them to the DB.rrr_r^zAdded %u/%u membershipsN)rTrrrradd_group_membersrr) r!rr}rTrirdrRrchunkchunk_of_userss rYrqrqs    E E E'')H$33E: ~ ! #  1c.148 HE+E%$,?N b+un E S( (E QJErzQ 5FG HHr[cj t|| fd}|t||}tj}tj|||_|D]J}|t ||}dt|z} tj|tjd|| <L|j|y)z(Adds the given users to group specified.cd|dS)Nr2rrp)rMrs rYbuild_dnz#add_group_members..build_dns!2&'r[zmember-memberN) r0rgrMessageDnrr+rMessageElement FLAG_MOD_ADDmodify) r!rrRrrgroup_dnmrLrBidxrs @rYrrs [ !B( ;67H A 66"h ADI9[$78#d)###GS-=-=xH#I IIaLr[ctjj}d}d}d}i}t}t }| |j } nd} | ddddd} dddd} t j|D]} t jj|| } t| d5}|D]} |jdjd }|d }|d }|d }t|d }t|d}t||z |}t||}||f}|j|gj!||ddk(r|d z }n|d z }||xxd z cc<|j#|| | ddd||z }|dk(rd}n||z }|dk(rd}n||z }t/|}t+d|zt+d||fzt+d||fzt1| j3D](\}}t+d|j5dddz|fz*t1| j3D](\}}t+d|j5dddz|fz*t+di}|D]*\}}||vr t ||<||j#|,t1|j7} | D]}t1||t8}!|!D]}||f}||}"t1|"}"t/|"}#||}t;|"|#z }$t=|"d}%t=|"d}&|"d|"dz }'|"d}(t>jA|d})t+d|||)|#||$|%|&|'|(f zy#t$t&f$rd|vrq|jdd \}}|| vrtt|| || |<nW|| vrtt)|| || |<n7t+|tj,nt+|tj,YXwxYw#1swYxYw) z/Generate and print the summary stats for a run.rNcyrrp)rss rYtwzgenerate_stats..tws r[z2time conv protocol type duration successful error )z Maximum lagz Start lagzMax sleep miss)rrrr#rrr_r#rdrrTruerrOzTotal conversations: %10dz-Successful operations: %10d (%.3f per second)z-Failed operations: %10d (%.3f per second)z%-28s %frr^z%-28s %dzProtocol Op Code Description Count Failed Mean Median 95% Range Max)rrgffffff?rjrz?%-12s %4s %-35s %12d %12d %12.6f %12.6f %12.6f %12.6f %12.6f)!rS float_infor+rr?writerlistdirrrrrrrr*rrr5rf IndexErrorrrRrTrsortedrreplacer opcode_keyrcalc_percentilerr)*r timing_filerSrU successfulfailed latenciesfailuresunique_conversationsr float_values int_valuesrrrHrrrr packet_typelatencyropr%rr success_rate failure_rater2opsprotor protocols packet_typesr-rimeanmedian percentilerngmaxvrs* rYgenerate_statsrs##EDJFIH5    BCL "#$%J JJx(&5ww||Hh/ $_$ 5# 5"5#';;t#4#:#:4#@F#)!9L#)!9H#)!9K#(#3GfQi(A#&q7{E#:E#&q$q//CLO*_,/A0:1 -?JqM"$SZZ8d4 5/$ 5$ 5s2"P)CM-PBO> :P=O> >PP cB dt|zS#t$r|cYSwxYw)zCSort key for the operation code to ensure that it sorts numericallyz%03d)rrf)rs rYrrM s)A s  c|syt|dz |z}tj|}tj|}||k(r|t |S|t |||z z}|t |||z z}||zS)ztCalculate the specified percentile from the list of values. Assumes the list is sorted in ascending order. rr_)rrNfloorrr)r-rr%rHrmd0d1s rYrrU s  VqJ&A 1 A ! AAvc!f~ A1q5 !B A1q5 !B 7Nr[ctjj|}tjd}tj|tj||S)zuIn a testenv we end up with 0777 directories that look an alarming green colour with ls. Use umask to avoid that.?)rrrumaskmkdir)rramasks rYr>r>g s>  dA 88E?DHHQKHHTN Hr[r)r_r#)r_r) NNNNrNNr%F)T)rLrC)yrrr*r_rNrSrrrr collectionsrrrr dns.resolverr r samba.emulater samba.samdbr rr samba.dcerpcr rrrrsamba.dcerpc.netlogonrrrsamba.drs_utilsrrasamba.credentialsrrr samba.authr samba.dsdbrrrrsamba.dcerpc.miscrsambarr samba.commonr! samba.loggerr"rr^rerrLrrrrPrMrorQrwrrZrfrtrrvobjectr{rrrrrrr5r:r?rArCrrrrrr rr#r.r0r7r8r=rJrPrSr+r[rar:rergrjrnr~rprqrrrrr>rpr[rYrsM( EE+) )//!4&OO% +#)      ?   "" x (6$  0 i Od*6d*NKW KW\2Bj+  _6_D 4D 4   D   D  T d D d 4ttD d  D! &_3_6_:_9 _ ? _ ; _O_O_Y_f_j_j_o_*_g_ Z!_"'#_$*%_&h'_(~)_**+_,j-_.o/_0&1_2+3_4%5_6b7_8=9_:>;_<?=_>??_@#A_B?C_D#E_F'G_H&I_J7K_L0M_N%O_P'Q_R(S_T7U_V:W_X4Y_Z5[_\4]_^4__`1a_b6c_d8e_f3g_hIi_j(k_lMm_nLo_pKq_r7s_t&u_vJw_xOy_z&{_|?}_~>_@JA_B=C_Dg_h?i_j=k_l$D 5'%}_D<~F"P7fE :""8#/0 ,0 22$ + ,  - /3"+  BF*%ZQvQhH0(D$ r[