a WaS^@sddlmZmZddlZddlZddlZddlZddlZddlZddl Z ddl m Z m Z ddl mZmZmZmZddlmZddlmZddlmZddlZddlmZdd lmZdd lmZmZmZdd lm Z dd l!m"Z"dd lm#Z#ddlm$Z$ddl%m&Z&ddl'Z'ddl(m)Z)m*Z*m+Z+ddl,m-Z-ddl.m/Z/m0Z0m1Z1m2Z2ddl3m4Z4ddl5m6Z6ddl5m7Z7ddl8m9Z9ddl:m;Z;ddldZ?dZ@dddddddddd ZAdddddddddZBhdZCdZDdeDZEd ZFdZGe;eHd!ZId"d#ZJd$d%ZKd&d'ZLGd(d)d)eMZNGd*d+d+eOZPd,d-ZQd.d/ZRGd0d1d1eOZSGd2d3d3eOZTGd4d5d5eOZUGd6d7d7eUZVdd9d:ZWd;d<ZXd=d>ZYd?d@ZZGdAdBdBeOZ[ddDdEZ\dFdGdGdGdGdGdFdGdGdGdGdGdFdFdGdFdHZ]dIdJdKdLdMdNdOdPdQdRdSdTdUdVdWdXdYdZd[d\d]d^d_d`dadbdcdddedfdOdgdPdhdidjdkdldmdndodYdZdpdqdrdsdtdudvdwdxdydzd{d|d}d~dddddddddddddddddddddddddddddd}dddddd]Z^ddZ_ddZ`dddZadddZbdddZcddZdddZeddZfeddZgddZhdddZiddZjddZkddZldddÄZmddńZndddDŽZodddɄZpdd˄Zqdd̈́ZrddτZsdddфZtGddӄdeOZuddՄZvddׄZwddلZxddۄZydd݄Zzdd߄Z{dS))print_functiondivisionN)ECHILDESRCH) OrderedDictCounter defaultdict namedtuple)query)traffic_packets)SamDB)LdbError)ClientConnection)securitydrsuapilsa)netlogon)netr_Authenticator)srvsvc)samr) drs_DsBind) CredentialsDONT_USE_KERBEROSMUST_USE_KERBEROS)system_session)UF_NORMAL_ACCOUNTUF_SERVER_TRUST_ACCOUNTUF_TRUSTED_FOR_DELEGATIONUF_WORKSTATION_TRUST_ACCOUNT) SEC_CHAN_BDC)gensec)sd_utils) get_string)get_samba_loggerga2U0*3?-?) dns0smbZ0x72ldapr)r-3r-2cldapr/dcerpc11r514nbnsr))r(1r-r<r-4r-5r3rAr512r513r515>browserr+ smb_netlogonsmb2g$@)inamecGs6|tkr2|st|tjdnt|t|tjddS)aPrint a formatted debug message to standard error. :param level: The debug level, message will be printed if it is <= the currently set debug level. The debug level can be set with the -d option. :param msg: The message to be logged, can contain C-Style format specifiers :param args: The parameters required by the format specifiers fileN) DEBUG_LEVELprintsysstderrtuple)levelmsgargsrY7/usr/lib/python3/dist-packages/samba/emulate/traffic.pydebugfs r[cGsftjdd}td|dd|ddfdtjd|D]}t|tjdq8ttjdtjd S) zK Print an unformatted log message to stderr, contaning the line number r$)limitz %s:%s r )endrPrON) traceback extract_stackrRrSrTflush)rXtbarYrYrZ debug_linenoxs  recsP|rDd}|D]}|d7}||9}|d;}q dd|fdd}ndd}|S)zReturn a function that prints a coloured line to stderr. The colour of the line depends on a sort of hash of the integer arguments.z [38;5;%dmcs,tdkr(|D]}td|ftjdq dS)Nrz %s%srOrQrRrSrTrXrdprefixrYrZpszrandom_colour_print..pcWs$tdkr |D]}t|tjdq dS)NrrOrirjrYrYrZrmsrY)ZseedssxrmrYrkrZrandom_colour_prints  rpc@s eZdZdS)FakePacketErrorN)__name__ __module__ __qualname__rYrYrYrZrqsrqc@steZdZdZdZddZeddZddd Zd d Z d d Z ddZ ddZ ddZ ddZddZdddZdS)PacketzDetails of a network packet timestamp ip_protocol stream_numbersrcdestprotocolopcodedescextra endpointsc Csd||_||_||_||_||_||_||_||_| |_|j|jkrR|j|jf|_ n|j|jf|_ dSNrv) selfrwrxryrzr{r|r}r~rrYrYrZ__init__s zPacket.__init__c Csh|dd}|dd\}}}}}}} } |dd} t|}t|}t|}|||||||| | | S)N  )rstripsplitfloatint) clslinefieldsrwrxryrzr{r|r}r~rrYrYrZ from_lines"   zPacket.from_linec CsFd|j}|j|}|d||j|jp(d|j|j|j|j|j |f fS)z5Format the packet as a traffic_summary line. rz%f %s %s %d %d %s %s %s %s) joinrrwrxryrzr{r|r}r~)rZ time_offsetrtrYrYrZ as_summarys  zPacket.as_summaryc CsHd|j|j|j|jpd|j|j|j|j|jr@dd |jdndf S)Nz:%.3f: %d -> %d; ip %s; strm %s; prot %s; op %s; desc %s %sr%«r^»r) rwrzr{rxryr|r}r~rrrrYrYrZ__str__s zPacket.__str__cCsd|S)Nz rYrrYrYrZ__repr__szPacket.__repr__c Cs,||j|j|j|j|j|j|j|j|j Sr) __class__rwrxryrzr{r|r}r~rrrYrYrZcopysz Packet.copycCsd|j|jf}|S)Nz%s:%sr|r})rrrYrYrZas_packet_typeszPacket.as_packet_typecCs2|j|jf}|tvrt|S|tvr.t| SdS)zA positive number means we think it is a client; a negative number means we think it is a server. Zero means no idea. range: -1 to 1. r)r|r} CLIENT_CLUES SERVER_CLUES)rkeyrYrYrZ client_scores   zPacket.client_scorec Csd|j|jf}ztt|}Wn>ty\}z&td|j|ftjdWYd}~dSd}~00|jdkr|t dd|j|ft }z<||||rt }||}td||j|j|j|fWnTt y}z:t }||}td ||j|j|j||fWYd}~n d}~00dS) zSend the packet over the network, if required. Some packets are ignored, i.e. for protocols not handled, server response messages, or messages that are generated by the protocol layer associated with other packets. packet_%s_%sz#Conversation(%s) Missing handler %srONkerberosr$z#Conversation(%s) Calling handler %sz%f %s %s %s %f True z%f %s %s %s %f False %s) r|r}getattrr AttributeErrorrRconversation_idrSrTr[time Exception) r conversationcontextfn_namefnestartr_durationrYrYrZplays@     z Packet.playcCs |j|jSrrwrotherrYrYrZ__cmp__,szPacket.__cmp__NcCst|j|jSr)is_a_real_packetr|r})rZmissing_packet_statsrYrYrZis_really_a_packet/szPacket.is_really_a_packet)r)N)rrrsrt__doc__ __slots__r classmethodrrrrrrrrrrrYrYrYrZrus     (rucCsj|tvr dS|dkr |dkr dSd||f}tt|d}|durXtjd|tjddS|tjurfdSdS) zdIs the packet one that can be ignored? If so removing it will have no effect on the replay Fr-rrNzmissing packet %srOT)SKIPPED_PROTOCOLSrr LOGGERr[rSrTZ null_packet)r|r}rrrYrYrZr3s   rcCs&|dkr dS||fdvrdSt||S)zReturn true if a packet generates traffic in its own right. Some of these will generate traffic in certain contexts (e.g. ldap unbind after a bind) but not if the conversation consists only of these packets. waitF)rrr0rGr516)rrrYrYrZis_a_traffic_generating_packetIs  rc @seZdZdZddddddddddejdddf ddZddZdd Z d d Z d d Z ddZ ddZ d+ddZd,ddZd-ddZd.ddZd/ddZd0ddZd1dd Zd2d!d"Zd#d$Zd%d&Zd'd(Zd)d*ZdS)3 ReplayContextaWState/Context for a conversation between an simulated client and a server. Some of the context is shared amongst all conversations and should be generated before the fork, while other context is specific to a particular conversation and should be generated *after* the fork, in generate_process_local_config(). NZDOMAINcCs||_d|_||_||_|r$t|_nt|_| |_| |_| |_ ||_ ||_ | |_ | d|_| |_||_d|_d|_d|_d|_d|_d|_d|_d|_||_|dS)NrealmF)servernetlogon_connectioncredslprkerberos_stateroubase_dndomainstatsdirglobal_tempdir domain_sidgetr instance_idbadpassword_frequencylast_lsarpc_badlast_lsarpc_named_badlast_simple_bind_bad last_bind_badlast_srvsvc_badlast_drsuapi_badlast_netlogon_badZlast_samlogon_badtotal_conversationsgenerate_ldap_search_tables)rrrrrrZprefer_kerberostempdirrrrrrrrYrYrZrbs4 zReplayContext.__init__cCst}td|j||j|jd}|j|tjdgdgd}i}dgi}|D]Z}t |j }d dd | dD }||g} | ||d rL|d|qLt|D]} | d dd krq| dd } | d dd kr| dd } qtd D]D} | d 7} | | kr4| |vr4td| | ftjdq|| || <qq||_||_i|_|j|tjdgdd}d dd |D} d| |jd<d}dD]}|d||7}qd||jd<d|jd<|jdtjdgd}d|dd|jd<dS) N ldap://%s)url session_info credentialsrzpaged_results:1:1000dn)scopeZcontrolsattrsZ invocationId,css|]}|ddVqdS)Nr$)lstrip.0rorYrYrZ z.zCN=NTDS Settings,rLz,DCzdn_map collison %s %srOz"(objectclass=groupPolicyContainer))rr expressionrcss|]}d|dVqdS)z(distinguishedName={0})rN)format)rrWrYrYrZrrz(|{0})ZgPCFileSysPath)zDomain Controllers,ztraffic_replay,rz(distinguishedName={0}{1})ZgpLinkz'(objectCategory=pKICertificateTemplate)ZpKIExtendedKeyUsageZhighestCommittedUSN)rrz(usnChanged>={0})rZ usnChanged)rr rrrsearch domain_dnldbZ SCOPE_SUBTREEstrrrrupper setdefaultappend startswithlistkeysrangerRrSrTdn_mapattribute_clue_mapsearch_filtersrZ SCOPE_BASE)rsessiondbresrrrrpatternr(krmiZ gpos_by_dnZou_strrrYrYrZrsh         z)ReplayContext.generate_ldap_search_tablescCsT|jD]}||vr |j|Sq |dkrPt|j}t|j|}d|SdS)NzDC,DCz((&(sAMAccountName=%s)(objectClass=user))z(objectClass=*))rrrandomr user_namer)rrZdn_sigrrZrandom_user_idZ account_namerYrYrZguess_search_filters z!ReplayContext.guess_search_filtercCsg|_g|_g|_g|_g|_g|_g|_|j|_|j|_|j |_ |j |_ t |j d|j |_|jd|j|jd|j|jd|j|jddd|_d|j|jf|_d|j |jf|_||dS) Nzconversation-%dz private dirzlock dirzstate directoryztls verify peerZno_checkz/root/ncalrpc_as_systemcn=%s,%s)ldap_connectionsdcerpc_connectionslsarpc_connectionslsarpc_connections_nameddrsuapi_connectionssrvsvc_connections samr_contexts netbios_name machinepassusernameuserpass mk_masked_dirrrrrsetZ remoteAddressrZ samlogon_dnuser_dngenerate_machine_credsgenerate_user_creds)raccountrrYrYrZgenerate_process_local_configs:  z+ReplayContext.generate_process_local_configcCsR|sB|jr>t|jkr>z ||Wnty6Yn0d}nd}||}||fS)aExecute the supplied logon function, randomly choosing the bad credentials. Based on the frequency in badpassword_frequency randomly perform the function with the supplied bad credentials. If run with bad credentials, the function is re-run with the good credentials. failed_last_time is used to prevent consecutive bad credential attempts. So the over all bad credential frequency will be lower than that requested, but not significantly. TF)rrr)rfZgoodZbadZfailed_last_timeresultrYrYrZwith_random_bad_credentialss    z)ReplayContext.with_random_bad_credentialscCst|_|j|j|j|j|j|j|j|j |j |j |j |j t|_|j|j|j|j|j|jdd|j|j |j |j t|_|j|j|j|j|j|j|j|j |j|jtjB|j |j |j|jt|_|j|j|j|j|j|jdd|j|j |j|jtjB|j |j |j|jdS)a;Generate the conversation specific user Credentials. Each Conversation has an associated user account used to simulate any non Administrative user traffic. Generates user credentials with good and bad passwords and ldap simple bind credentials with good and bad passwords. N)r user_credsguessrset_workstationr  set_passwordr  set_usernamer  set_domainrset_kerberos_stateruser_creds_badsimple_bind_credsZset_gensec_featuresZget_gensec_featuresr Z FEATURE_SEALZ set_bind_dnrsimple_bind_creds_badrrYrYrZr2sF z!ReplayContext.generate_user_credscCst|_|j|j|j|j|jt|j|j |j |jd|j |j |j |jt|_|j|j|j|j|jt|j|j dd|j |jd|j |jdS)zGenerate the conversation specific machine Credentials. Each Conversation has an associated machine account. Generates machine credentials with good and bad passwords. $Nr)r machine_credsrrrr Zset_secure_channel_typerrr rrrrrmachine_creds_badrrYrYrZr`s  z$ReplayContext.generate_machine_credscCsT|j|}|rt|S|}|rN||jvr@t|j|S|dd}q"|jS)N)rrrchoicerrr)rrZ attributesZ attr_cluerYrYrZget_matching_dnys   zReplayContext.get_matching_dnFcCs@d}|jr|s|jdStd|j|df|j}|j||S)Nz$12345678-1234-abcd-ef00-01234567cffbzncacn_ip_tcp:%sr])rrrrr)rnewZguidcrYrYrZget_dcerpc_connections     z#ReplayContext.get_dcerpc_connectioncsLjr|sjdSfdd}|jjj\}_j||S)Nr)cstdjj|SNz ncacn_np:%s)rrrrrrYrZconnects z4ReplayContext.get_srvsvc_connection..connect)rrrr rrrr*r/r+rYrrZget_srvsvc_connections    z#ReplayContext.get_srvsvc_connectioncsLjr|sjdSfdd}|jjj\}_j||S)Nr)csd}tdj|fj|S)Nzschannel,seal,signncacn_ip_tcp:%s[%s]rlsarpcrr)rbinding_optionsrrYrZr/sz4ReplayContext.get_lsarpc_connection..connect)rrr$r%rrr0rYrrZget_lsarpc_connections    z#ReplayContext.get_lsarpc_connectioncsLjr|sjdSfdd}|jjj\}_j||S)Nr)cstdjj|Sr-r3r.rrYrZr/s z?ReplayContext.get_lsarpc_named_pipe_connection..connect)rrr$r%rrr0rYrrZ get_lsarpc_named_pipe_connections    z.ReplayContext.get_lsarpc_named_pipe_connectioncsdjr|sjd}|Sfdd}|jjj\}_t|\}}||f}j||S)zget a (drs, drs_handle) tupler)cs"d}dj|f}t|j|S)NZsealr2)rrr)rr5Zbinding_stringrrYrZr/s z:ReplayContext.get_drsuapi_connection_pair..connect)rrrr rrr)rr*Zunbindr+r/ZdrsZ drs_handleZsupported_extensionsrYrrZget_drsuapi_connection_pairs     z)ReplayContext.get_drsuapi_connection_paircszjr|sjdSfdd}fdd}|rN|jjj\}_n|jjj\}_j||S)Nr)cstdj|jdS)a$ To run simple bind against Windows, we need to run following commands in PowerShell: Install-windowsfeature ADCS-Cert-Authority Install-AdcsCertificationAuthority -CAType EnterpriseRootCA Restart-Computer z ldaps://%srrr rrr.rrYrZ simple_binds z6ReplayContext.get_ldap_connection..simple_bindcstdj|jdS)Nrr9r:r.rrYrZ sasl_binds z4ReplayContext.get_ldap_connection..sasl_bind) rrr!r"rrr rr)rr*simpler;r<ZsamdbrYrrZget_ldap_connections&      z!ReplayContext.get_ldap_connectioncCs0|jr |r&|jt|j|j|jd|jdS)N)rrr))r r SamrContextrrr)rr*rYrYrZget_samr_context s  zReplayContext.get_samr_contextcs>jr jSfdd}|jjj\}_|_|S)Ncstdjj|S)Nzncacn_ip_tcp:%s[schannel,seal])rrrr.rrYrZr/s z6ReplayContext.get_netlogon_connection..connect)rrr$r%r)rr/r+rYrrZget_netlogon_connections z%ReplayContext.get_netlogon_connectioncCs |jdfS)NArrrYrYrZguess_a_dns_lookup%sz ReplayContext.guess_a_dns_lookupcCs>|j}t}dd|dD|j_|d|_t}||fS)NcSs"g|]}t|tr|nt|qSrY) isinstancerordrrYrYrZ +sz3ReplayContext.get_authenticator..Z credentialrw)r$Znew_client_authenticatorrZcreddatarw)rZauthZcurrentZ subsequentrYrYrZget_authenticator(s   zReplayContext.get_authenticatorcKsLtj|j|}t|d}|D]\}}td||f|dq"|dS)zWrite arbitrary key/value pairs to a file in our stats directory in order for them to be picked up later by another process working out statistics.wz%s: %srON)ospathrropenitemsrRclose)rfilenamekwargsrrvrYrYrZ write_stats2s  zReplayContext.write_stats)N)F)F)F)F)FF)FF)F)rrrsrtrrKenvironrrrrrrrrr(r,r1r6r7r8r>r@rArDrIrSrYrYrYrZr[sB  ,W.      &  rc@s*eZdZdZd ddZddZddZdS) r?z5State/Context associated with a samr connection. NcCs@d|_d|_d|_d|_d|_d|_d|_||_||_||_ dSr) connectionhandleZ domain_handlerZ group_handleZ user_handleZridsrrr)rrrrrYrYrZr@szSamrContext.__init__cCs(|js"tjd|j|j|jd|_|jS)Nzncacn_ip_tcp:%s[seal])Zlp_ctxr)rUrrrrrrYrYrZget_connectionLszSamrContext.get_connectioncCs$|js|}|dtj|_|jSr)rVrWZConnect2rZSEC_FLAG_MAXIMUM_ALLOWED)rr+rYrYrZ get_handleUszSamrContext.get_handle)NN)rrrsrtrrrWrXrYrYrYrZr?=s  r?c@seZdZdZdddZddZdd Zd d d Zd dZeZ ddZ ddZ ddZ ddZ d!ddZd"ddZddZddZdS)# ConversationzADetails of a converation between a simulated client and a server.NrYcCs@||_||_g|_t||_d|_||_|D]}|j|q,dS)Nr) start_timerpacketsrprWclient_balanceradd_short_packet)rrZrseqrrmrYrYrZr^s zConversation.__init__cCs6|jdur|jdurdSdS|jdur*dS|j|jS)Nrr)r])rZrrYrYrZris   zConversation.__cmp__cCs|}|jdur|j|_|jdur,|j|_|j|jkrLtd|j|jf|j|j8_|j|jdkr|j|8_n|j|7_|r|j |dS)zmAdd a packet object to this conversation, making a local copy with a conversation-relative timestamp.Nz8Conversation endpoints %s don't matchpacket endpoints %sr) rrZrwrrqrzr\rrr[r)rpacketrmrYrYrZ add_packetrs    zConversation.add_packetTc Cs|rt||sdS|\}}|s,||}}||f} t| d} t|d} t||j| d||||| | } | j| jdkr|j | 8_ n|j | 7_ | r|j | dS)zCreate a packet from a timestamp, and 'protocol:opcode' pair, and a (possibly empty) list of extra data. If client is True, assume this packet is from the client to the server. Nr06r)rguess_client_serverOP_DESCRIPTIONSr IP_PROTOCOLSrurZrzrr\rrr[r) rrwr|r}rclientZskip_unused_packetsrzr{rr~rxr_rYrYrZr]s"     zConversation.add_short_packetcCsd|j|j|jt|jfS)Nz-)rrrZlenr[rrYrYrZrs  zConversation.__str__cCs t|jSr)iterr[rrYrYrZ__iter__szConversation.__iter__cCs t|jSr)rfr[rrYrYrZ__len__szConversation.__len__cCs*t|jdkrdS|jdj|jdjS)Nr$rr))rfr[rwrrYrYrZ get_durationszConversation.get_durationcsfddjDS)Ncsg|]}|jqSrY)rrZrrmrrYrZrGrz8Conversation.replay_as_summary_lines..)r[rrYrrZreplay_as_summary_linessz$Conversation.replay_as_summary_linesc Cs|j}t|}||}|t}|dkr4t|t||}|d||fd} d} t} |jD]z} t| }|| j}|| kr|} |dkr| t}|dkrt|t| }|| j| kr|| j} | ||ql| || fS)zMReplay the conversation at the right time. (We're already in a fork).rzstarting %s [miss %.3f]r)rZrSLEEP_OVERHEADsleeprWr[rwr) rrrrrnowgap sleep_timeZmissZmax_gapmax_sleep_missZp_startrmrYrYrZreplay_with_delays2         zConversation.replay_with_delaycCs>|j\}}|jdkr||fS|jdkr6||kr6||fS||fS)zhHave a go at deciding who is the server and who is the client. returns (client, server) r)rr\)rZ server_cluerdbrYrYrZrbs   z Conversation.guess_client_servercs4fdd|jD|_|jr*|jdjnd|_dS)zPrune any packets outside the timne window we're interested in :param s: start of the window :param e: end of the window cs*g|]"}|jkrkrnq|qSrYrrkrrnrYrZrGrz>Conversation.forget_packets_outside_window..rNr[rwrZ)rrnrrYrurZforget_packets_outside_windowsz*Conversation.forget_packets_outside_windowcCs6|jD]}|j|8_q|jdur2|j|8_dS)z=Adjust the packet start times relative to the new start time.Nrv)rrZrmrYrYrZrenormalise_timess  zConversation.renormalise_times)NNrYN)TT)NN)N)rrrsrtrrrr`r]rrrhrirjrlrsrbrwrxrYrYrYrZrY\s$    #  rYc@s6eZdZdZd ddZddZd ddZd d d ZdS) DnsHammerzOA lightweight conversation that generates a lot of dns:0 packets on the flyNcsRt|}fddt|D|_|j||_|_d|_|j|d|_dS)Ncsg|]}tdqS)r)runiform)rrrrYrZrG rz&DnsHammer.__init__..r query_file) rrtimessortraterrZ_get_query_choices query_choices)rdns_raterr}nrYr{rZrs  zDnsHammer.__init__cCsdt|j|j|jfS)Nz-)rfr~rrrrYrYrZrszDnsHammer.__str__cCs|rt|d}|}Wdn1s,0Yg}|D]>}|}|rB|dsB|d}t|dksvJ||qB|SgdSdS)z Read dns query choices from a file, or return default rname may contain format string like `{realm}` realm can be fetched from context.realm rN#r) )r{realm}rByes)r]rNSr)r$ *.{realm}rBno)r&rrr) _msdcs.{realm}rBr) rrr) nx.realm.comrBr)rrr)*.nx.realm.comrBr)rrr)rMread splitlinesstriprrrfr)rr}rtextchoicesrrXrYrYrZrs &   zDnsHammer._get_query_choicesc Cs|sJ|jsJt}|jD]}t|}||}|t}|dkrRt|t|j\}}} } |j|jd}d} t} zbz"t || } | dkrt | sd} Wnt yd} Yn0Wt}|| }t d|||| fq t}|| }t d|||| f0q dS)NrrCTrFz%f DNS dns %s %f %s ) rrr~rmrnrr'rr dns_queryrfrrR)rrrrrorprqr}ZrnameZrtypeZexistZsuccessZ packet_startZanswersr_rrYrYrZreplay5s2       zDnsHammer.replay)N)N)N)rrrsrtrrrrrrYrYrYrZrys   !rycountcCsvtt}g}|D]x}t|tr&t|}td|jftjd|D]>}t |}|j dkrt|dkrt||j d7<q@| |q@|q|sgdfStdd|D}td d|D}td tjdt} t|D]N\} }|j|8_| |j} | d urt| d d } | | |j<| |qg} | D]} t| dkr2| | q2t||} t| | }| || |fS)zLLoad a summary traffic summary file and generated Converations from it. z Ingesting %srOr(Zincluder]rcss|] }|jVqdSrrrkrYrYrZrgrz#ingest_summaries..css|] }|jVqdSrrrkrYrYrZrhrz$gathering packets into conversationsNr$)r)rrrErrMrRrNrSrTrurr|r}rrOminmaxr enumeraterwrrrYr`valuesrfr)filesZdns_modeZ dns_countsr[rrrmrZZ last_packet conversationsrr+Zconversation_listrZ mean_intervalrYrYrZingest_summariesQs@           rcCs2t}|D]}||jq |r.|ddSdS)Nr]r)rupdater most_common)rZ addressesr+rYrYrZguess_server_addresss rcCs,i}|D]\}}d|}|||<q |SNr)rNr)royrrRZk2rYrYrZstringify_keyss   rcCs4i}|D]"\}}tt|d}|||<q |Sr)rNrUrr)rorrrRrrYrYrZunstringify_keyss  rc@sVeZdZdddZifddZddZdd ZdddZddZddZ dddZ d S) TrafficModelr&cCs0i|_i|_||_tt|_d|_ddg|_dS)Nrrr])ngrams query_detailsrrr dns_opcountscumulative_duration packet_rate)rrrYrYrZrs  zTrafficModel.__init__c Csd}d}tf|jd}t|}|D]\}}|j||7<q(t|dkr|dj} d} | d} |D]"} | t| 7} t| | jdj } qj| |j d<| | |j d<|D]} | |\} }|| 7}tf|jd}| D]}|j | krq|j |}|j }|tkrDdttd|t}|j|g||dd|f}|}|j|gt|j|j|g||dd|f}qq|j|7_|j|gtdS)Nrr]rg?r)wait:%dr&) NON_PACKETrrrNrrfrZrr[rwrrbrjrzWAIT_THRESHOLDmathlog WAIT_SCALErrrrrrUrr)rrrprevZ cum_durationrrrrRfirsttotallastr+rermelapsedrZshort_prYrYrZlearnsP         zTrafficModel.learncCsi}|jD]"\}}d|}tt|||<qi}|jD]"\}}ttdd|D||<q@|||j|jtd}|j |d<t |t rt |d}t j||dddS) Nrcss |]}|rd|ndVqdS)rr%N)rrrYrYrZrsz$TrafficModel.save..)rrrrversionr(rJr$)indent)rrNrdictrrrrCURRENT_MODEL_VERSIONrrErrMjsondump)rrrrrRrdrYrYrZsaves&     zTrafficModel.savec Cst|trt|}t|}z$|d}|tkr>td|tfWnty^tdtYn0|dD]V\}}t t| d}|j |g}|D]\}}| t|g|q|ql|dD]n\}}|j t|g}|D]B\}}|dkr| dg|q| t t| dg|q|qd |vrt|d D]\}}|j||7<qV|d |_|d |_dS) Nrz4the model file is version %d; version %d is requiredz=the model file lacks a version number; version %d is requiredrrrr%rYr(rr)rErrMrloadREQUIRED_MODEL_VERSION ValueErrorKeyErrorrNrUrrrextendrrrrr) rrrrrrRrrmrrYrYrZrs>           zTrafficModel.loadrNr]rcCsg}tf|jd}|dur$|d}t|j|tf}|tkr||krNqt|krttd||ftjdqdt dd}td|tjd||j vrt|j |} ng} | d d\} } | d krt | t} t | t|} || 7}nTtjt}t ||} || 7}|dur2||kr2q||krN||| | | f|dd|f}|d ddd kr$|d ddd kr$tf|jd}q$|S)zUConstruct an individual conversation packet sequence from the model. r]Nz"ending after %s (persistence %.1f)rOrr ztrying %s instead of end:rzwait:r))rrrr'rrrRrSrTZ randrangerrrrZexprrzNO_WAIT_LOG_TIME_RANGEr)rrw hard_stop replay_speed ignore_before persistencer+rrmrr|r}Z log_wait_timerZlog_waitrYrYrZconstruct_conversation_sequencesD      (z,TrafficModel.construct_conversation_sequencecCs|j\}}|||Srr)rscalerate_nrate_trYrYrZscale_to_packet_rateOs z!TrafficModel.scale_to_packet_ratecCs|j\}}|||Srr)rZppsrrrYrYrZpacket_rate_to_scaleSs z!TrafficModel.packet_rate_to_scalecCsd|}t||}g}d}||krt| |} |j| ||d|d} | D]\} } } }t| | rJqhqJq|| |t| 7}q||}td||t|||ft j d| |S)zr@)r-r)r4r8)r4rH)r439)r440)r46)r4Z76)r4Z77r9)r:r<)r21)rZ26)rZ29)rZ30)rr)rr)rZ45)rr?)rr))rr)rZ17)r18)rZ19)rr<)rZ25)rZ34)rZ36)rr)rr/)rrA)rZ64)rr)r7)r8)r+Z0x04)r+Z0x24)r+Z0x2e)r+Z0x32)r+Z0x71r*)r+Z0x73)r+Z0x74)r+Z0x75)r+Z0xa2)rKr))rKr6)rKr8)rKr)rKr)rKr<)rKr1)rKr/)rKr?)rKrA)rKr)rKr)rJZ0x12)rJZ0x17)rr)rrc CsT|dd\}}t||fd}t|d}||d|||||g} | |d| S)Nrr]rrar)rrcrrdrr) rmrwrzr{rr|r}r~rxrrYrYrZexpand_short_packets   rcCs"tjtjtddS)zSignal handler closes standard out and error. Triggered by a sigterm, ensures that the log messages are flushed to disk and not lost. rN)rSrTrOstdoutrK_exit)signalframerYrYrZflushing_signal_handlers  rc Cs|dtdd}tjtjt}|dkr<|Szz@t|||f}d} |dd} t | |||d} t t j t | || tjtdtj|jd| j} t| d} ztjtdWn4ty}ztd|WYd }~n d }~00| t_t|}| |}|t}|dkrHt|| j||d \}}}td |td |td |WnHtyd} tdt| ftjdt tjtjYn0Wtjtjt!| n tjtjt!| 0d S)z8Fork a new process and replay the conversation sequence.ri)r^rzstats-conversation-%drJr]stdout closing failed with %sN)rrzMaximum lag: %fz Start lag: %fzMax sleep miss: %fz*EXCEPTION in child PID %d, conversation %srO)"rZrandintrSrrbrTrKforkseedrYrSIGTERMrrstdinrOrLrrrrMIOErrorrinforrmrnrsrRrgetpidr` print_excr)csrrr client_idZ server_idrpidrstatusrr+rPrrrorprqZmax_lagZ start_lagrrrYrYrZreplay_seq_in_forksf                     rc CsXtjtjt}|dkr(|StjtdztjtdWn2ty}zt d|WYd}~n d}~00tj |j d}t|dt_zz0d}ttjtt|||d}|j|dWn:tyd}tdttjd ttjYn0Wtjtjt|n tjtjt|0dS) Nrr]rz stats-dnsrJr|)rz)EXCEPTION in child PID %d, the DNS hammerrO)rSrrbrTrKrrrOrrwarnrLrrrMrrrryrrrRrr`rr) rrrr}rrrPrZhammerrYrYrZdnshammer_in_forkSs@           rFc Ks<tf|||t|d| } t|t|krDtdt|t|ftt|d} t| } |dur|ddd|}td| tjdtd|| tjdtd |tjd| |d }t d t||f| j d t|t d d|Ddi}zZzP|r(t ||| |d}d||<t|D]2\}}||}|d}t|| | ||}|||<q0t}td|| | || ftjdt|krV|rVtdztdtj\}}WnBty}z(|jtkrWYd}~qVWYd}~n d}~00|r||d}tdkr>td||t|ftjd| r|dkrqVqWn*tytdtjdtYn0W| j dt|ddD]l}tdt||ftjd|D]L}zt||Wn4ty}z|jtkrWYd}~n d}~00qtdtd}|rztdtj\}}Wn4tyt}z|jtkr`WYd}~n d}~00|dkr||d}|durtd|tjtjtdtd||t|ftjdt|kr$qq$|sq tdq|r(tdt|tjdzt ddWn"t!yZtdtjdYn0n| j dt|ddD]l}tdt||ftjd|D]L}zt||Wn4ty}z|jtkr΂WYd}~n d}~00qtdtd}|rztdtj\}}Wn4tyN}z|jtkr:WYd}~n d}~00|dkr||d}|durtd|tjtjtdtd||t|ftjdt|krq̐q|sqtdqv|rtdt|tjdzt ddWn"t!y4tdtjdYn00dS) N)rrrrz(we have %d accounts but %d conversationsg{Gz?r)rzWe will start in %.1f secondsrOzWe will stop after %.1f secondszruntime %.1f secondsr&z6Replaying traffic for %u conversations over %d secondsZ intentionscss|]}t|VqdSr)rfrrYrYrZrrzreplay..)Planned_conversationsPlanned_packetsr|r]r$z,all forks done in %.1f seconds, waiting %.1fg~jth?z-process %d finished conversation %d; %d to gozEXCEPTION in parentZ unfinished)Unfinished_conversations)rrzkilling %d children with -%d?zchildren is %s, no pid foundz)kill -%d %d KILLED conversation; %d to goz%d children are missingzignoring fake ^C)"rrfrrKsetpgrprrRrSrTrrrSsumrrrrnwaitpidWNOHANGOSErrorerrnorpoprQrr`rkillrrbrrkillpgKeyboardInterrupt)Zconversation_seqhostrraccountsrZdns_query_filerZlatency_timeoutZstop_on_any_errorrQrZdelayrr_Zchildrenrrrrrrrrr+rnrYrYrZrvsP         $                                  rcCs"t}td||dg||d}|S)Nrzmodules:paged_searches)rrZoptionsrr)rr )r rrrrrYrYrZopenLdb sr cCsd||fS)z(Generate an ou name from the instance idz#ou=instance-%d,ou=traffic_replay,%s)r)rrrYrYrZou_namesrc Cst||}z ||dddddWn8tyb}z |j\}}|dkrNWYd}~n d}~00z||ddWn8ty}z |j\}}|dkrWYd}~n d}~00|S)zCreate an ou, all created user and machine accounts will belong to it. This allows all the created resources to be cleaned up easily. rr]Zorganizationalunit)r objectclassDN)raddrr rXrrrrr_rYrYrZ create_ous$     rConversationAccounts)r r r r c CsHg}td|dD]0}t||}t||}t||||}||q|S)z;Generate a series of unique machine and user account names.r])r machine_namerrr) rrnumberpasswordr rr r rrYrYrZgenerate_replay_accounts=s   rTc Cs`t||}d||f}dt|d}|r:tttB}ntt}||dd|||ddS)z"Create a machine account via ldap.r"%s" utf-16-lecomputerz%s$rrsAMAccountNameZuserAccountControlZ unicodePwdN)rr"encoderrrrr) rrr r traffic_accountrrutf16pwZaccount_controlsrYrYrZcreate_machine_accountKs  r"cCs\t||}d||f}dt|d}||d|tt|dt|}||ddS)zCreate a user account via ldap.rrruserrz (A;;WP;;;PS)N) rr"rrrrr!ZSDUtilsZ dacl_add_ace)rrr r rrr!ZsdutilsrYrYrZcreate_user_accountds   r$cCs,t||}d||f}||d|ddS)zCreate a group via ldap.rgroup)rrrN)rr)rrrNrrrYrYrZ create_groupvs  r&cCs d||fS)z-Generate a user name based in the instance idz STGU-%d-%drYrrrYrYrZrsrr#rcs(|jd|gd}fdd|DS)z'Seach objectclass, return attr in a setz(objectClass={}))rrcsh|]}t|qSrY)r)robjattrrYrZ rz%search_objectclass..)rr)rrr*ZobjsrYr)rZsearch_objectclasss r,cCslt|dd}d}t|ddD]J}t||}||vrt|||||d7}|ddkrtd||fq|S)zAdd users to the serverr#rrr)r]2zCreated %u/%u users)r,rrr$rr)rrrrexisting_objectsZusersrrNrYrYrZgenerate_userss   r0cCs |rd||fSd||fSdS)z1Generate a machine account name from instance id.z STGM-%d-%dzPC-%d-%dNrY)rrr rYrYrZrs rc Cstt|dd}d}t|ddD]R}t|||}|d|vrt||||||d7}|ddkrtd||fq|S) z"Add machine accounts to the serverrr-rr)r#r]r.zCreated %u/%u machine accounts)r,rrr"rr) rrrrr r/addedrrNrYrYrZgenerate_machine_accountss     r2cCs d||fS)z'Generate a group name from instance id.z STGG-%d-%drYr'rYrYrZ group_namesr3cCsjt|dd}d}t|ddD]H}t||}||vrt||||d7}|ddkrtd||fq|S)z3Create the required number of groups on the server.r%r-rr)r]rzCreated %u/%u groups)r,rr3r&rr)rrrr/groupsrrNrYrYrZgenerate_groupss    r5c CsZt||}z||dgWn8tyT}z |j\}}|dkr@WYd}~n d}~00dS)z7Remove the created accounts and groups from the server.z tree_delete:1 N)rdeleter rXrrYrYrZclean_up_accountss  r8c Csd} d} d} t||tdt||||} tdt|||||} |dkrftdt|||} |dkrtdt|| || ||} tdt||| | } | dkr| dkr|| krt dtd| | | | fd S) zTGenerate the required users and groups, allocating the users to those groups.rzGenerating dummy user accountsz!Generating dummy machine accountszGenerating dummy groupszAssigning users to groupszAdding users to groupsz(The added groups will contain no membersz:Added %d users (%d machines), %d groups and %d membershipsN) rrrr0r2r5GroupAssignmentsadd_users_to_groupsrZwarning)rrrnumber_of_usersnumber_of_groupsgroup_memberships max_membersZmachine_accountsZtraffic_accountsZmemberships_added groups_addedZcomputers_added users_added assignmentsrYrYrZgenerate_users_and_groupssF         rBc@sdeZdZddZddZddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ dS)r9cCsBd|_|||||||_tt|_||||||dS)Nr)rgenerate_group_distributiongenerate_user_distributionr>rrrA assign_groups)rr<r?r;r@r=r>rYrYrZr s    zGroupAssignments.__init__cCs@g}t|}|dkrdSd}|D]}||7}|||q |S)Nrr)rr)rweightsZdistrZ cumulativeZ probabilityrYrYrZcumulative_distributionsz(GroupAssignments.cumulative_distributioncCsj|dkrd}n |dkrd}n|dkr*d}nd}g}td|dD]}t|}||q@|||_d S) zAProbability distribution of a user belonging to a group. i@KLg@ig@ig@g?r]N)rrZ paretovariaterrG user_dist)rZ num_usersZnum_membershipsshaperFrormrYrYrZrD)s   z+GroupAssignments.generate_user_distributioncCsDg}td|dD]}d|d}||q||_|||_dS)z6Probability distribution of a group containing a user.r]g?N)rr group_weightsrG group_dist)rrrFrormrYrYrZrCCs   z,GroupAssignments.generate_group_distributioncCs,t|jt}t|jt}||fS)z2Returns a randomly generated user-group membership)bisectrHrrKrr#r%rYrYrZgenerate_random_membershipQsz+GroupAssignments.generate_random_membershipcCs |j|Sr)rA)rr%rYrYrZusers_in_group]szGroupAssignments.users_in_groupcCs |jSr)rArrrYrYrZ get_groups`szGroupAssignments.get_groupscCsLt|j|}||krHtd||d|j|d<||j}||_dS)z?Prevent the group's membership from exceeding the max specifiedzGroup {0} has {1} membersrr]N)rfrArrrrJrGrK)rr%r>Z num_membersZnew_distrYrYrZcap_group_membershipcs  z%GroupAssignments.cap_group_membershipcCsD||j|vr,|j|||jd7_|jr@|||jdS)Nr])rArrr>rQrMrYrYrZadd_assignmentos zGroupAssignments.add_assignmentc Cs|dkr dStt|t|t|}|jr@t||j|}||d}||d}||kr|\}} | |ks||krX||d| dqXdS)a Allocate users to groups. The intention is to have a few users that belong to most groups, while the majority of users belong to a few groups. A few groups will contain most users, with the remaining only having a few users. rNr])rceilrr>rrrNrR) rr<r?r;r@r=Zexisting_usersZexisting_groupsr#r%rYrYrZrE{s"     zGroupAssignments.assign_groupscCs|jSr)rrrYrYrZrszGroupAssignments.totalN)rrrsrtrrGrDrCrNrOrPrQrRrErrYrYrYrZr9 s    !r9c Cs|}d}d}|D]}||}t|dkr4qtdt|dD]T}|||d} t|||| |t| 7}|d7}|ddkrDtd||fqDqdS)zDTakes the assignments of users to groups and applies them to the DB.rrr]r.zAdded %u/%u membershipsN)rrPrOrfradd_group_membersrr) rrrArrr1r%rOchunkZchunk_of_usersrYrYrZr:s     r:c st||fdd}|t||}t}t|||_|D]2}|t||}dt|} t|tj d|| <q>| |dS)z(Adds the given users to group specified.cs d|fS)NrrYrMrrYrZbuild_dnsz#add_group_members..build_dnzmember-memberN) rr3rZMessageZDnrrrZMessageElementZ FLAG_MOD_ADDZmodify) rrr%rOrWZgroup_dnmr#ridxrYrVrZrTs   rTc*Cstjj}d}d}d}i}t}t}|dur4|j} ndd} | ddddd} dddd} t|D]} tj || } t | dj}|D]R}z| d  d }|d }|d }|d }t |d}t |d}t|||}t||}||f}||g||ddkr|d 7}n|d 7}||d 7<||| |Wqttfyd|vr| dd \}}|| vrtt || || |<n0|| vrtt|| || |<nt|tjdnt|tjdYq0qWdqf1s0Yqf||}|dkrd}n||}|dkr4d}n||}t|}td|td||ftd||ft| D]&\}}td|ddd|fq|t| D]&\}}td|ddd|fqtdi}|D],\}}||vrt||<|||qt|} | D]}t||td}!|!D]}||f}||}"t|"}"t|"}#||}t|"|#}$t|"d}%t|"d}&|"d|"d}'|"d}(t |d})td |||)|#||$|%|&|'|(f q>q&dS)!z/Generate and print the summary stats for a run.rNcSsdSrrY)rorYrYrZtwszgenerate_stats..twz2time conv protocol type duration successful error )z Maximum lagz Start lagzMax sleep miss)rrrrrrr]r$r&rrTruerrOzTotal conversations: %10dz-Successful operations: %10d (%.3f per second)z-Failed operations: %10d (%.3f per second)z%-28s %frr^z%-28s %dzProtocol Op Code Description Count Failed Mean Median 95% Range Max)rrgffffff?r)rz?%-12s %4s %-35s %12d %12d %12.6f %12.6f %12.6f %12.6f %12.6f)!rS float_inforrrwriterKlistdirrLrrMrrrrrrrr IndexErrorrrRrTrfsortedrNreplacer opcode_keyrcalc_percentilercr)*rZ timing_filerrZ successfulZfailedZ latenciesZfailuresZunique_conversationsr[Z float_valuesZ int_valuesrPrLrrrrr|Z packet_typeZlatencyroprrRrZ success_rateZ failure_rateropsprotor_Z protocolsZ packet_typesrrZmeanZmedian percentilerngZmaxvr~rYrYrZgenerate_statss            8             rjcCs*zdt|WSty$|YS0dS)zCSort key for the operation code to ensure that it sorts numericallyz%03dN)rr)rRrYrYrZrcN s rccCsp|sdSt|d|}t|}t|}||kr@|t|S|t|||}|t|||}||S)ztCalculate the specified percentile from the list of values. Assumes the list is sorted in ascending order. rr])rfrZfloorrSr)rrhrrr+Zd0Zd1rYrYrZrdV s   rdcGs.tjj|}td}t|t||S)zuIn a testenv we end up with 0777 directories that look an alarming green colour with ls. Use umask to avoid that.?)rKrLrumaskmkdir)rLrmaskrYrYrZrh s     r)r)r]r$)r])N) NNNNrNNr&F)T)r#r)T)T)T)|Z __future__rrrrKrrrrSrrrr collectionsrrrr Z dns.resolverr rZ samba.emulater Z samba.samdbr rr Z samba.dcerpcrrrrrZsamba.dcerpc.netlogonrrrZsamba.drs_utilsrr`Zsamba.credentialsrrrZ samba.authrZ samba.dsdbrrrrZsamba.dcerpc.miscrZsambar r!Z samba.compatr"Z samba.loggerr#rLrrrmrrrrrrrrQrrrr[rerprrqobjectrurrrr?rYryrrrrrrrdrcrrrrrr rrrrr"r$r&rr,r0rr2r3r5r8rBr9r:rTrjrcrdrrYrYrYrZs                    e(N 5 a b  @ $        -