CN109495466A - A method and system for identifying unknown port services - Google Patents


Info

Publication number: CN109495466A
Authority: CN (China)
Prior art keywords: http, unknown, information, module, service
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN201811316961.8A
Other languages: Chinese (zh)
Inventor: 刘雁鸣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee: Zhengzhou Yunhai Information Technology Co Ltd
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201811316961.8A
Publication of CN109495466A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L67/14 Session management
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/04 Protocols for data compression, e.g. ROHC
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides a method and system for identifying an unknown port service, comprising: S1, attempting a TCP connection to obtain returned information; S2, attempting an HTTP or HTTPS connection to obtain an HTTP response; S3, constructing a malformed HTTP request using an invalid HTTP request method and an invalid URL path, in an attempt to trigger an HTTP error message; S4, searching the HTTP response body for service version information. The invention attempts to obtain response information by making TCP, HTTP and HTTPS connections to the unknown port, and then searches the response information for possible service version information, thereby identifying the unknown port service and obtaining as much valid service information about the unknown service port as possible. The whole process is executed automatically by program code, which improves the effectiveness of unknown port service identification, prevents unknown service ports from posing a security threat to the system, and effectively improves system security.

Description

A method and system for identifying unknown port services
Technical field
The present invention relates to the field of information security technology, and in particular to a method and system for identifying an unknown port service.
Background
The rapid worldwide development of Internet technology has brought people great convenience. However, while informatization brings people all kinds of material and cultural enjoyment, we are also exposed to increasingly serious security threats from the network, such as network data thieves, hacker intrusions, virus distributors, and even leakers inside the system. Although we widely use various complex software technologies, such as firewalls, proxy servers, intrusion detectors and channel control mechanisms, hacker activity is becoming more and more rampant in both developed and developing countries (including China); hackers are pervasive and cause serious harm to society. At the same time, and more worrying still, the number of hacker websites on the Internet keeps growing, so learning hacking techniques and obtaining hacking tools has become easy. This makes the already fragile Internet seem even less secure. It is therefore quite necessary to strengthen our own security precautions.
When carrying out security protection or penetration attacks, it is often necessary to scan the open ports of a target IP in order to find insecure services, but the port scanning tools in common use today often cannot correctly obtain valid information about the service provided on a port that runs an unknown service.
Summary of the invention
The object of the present invention is to provide a method and system for identifying an unknown port service, intended to solve the problem in the prior art that common port scanning tools cannot obtain valid information about the service provided on an unknown service port, to achieve fast and accurate acquisition of valid service information for unknown service ports, and to effectively improve system security.
To achieve the above technical purpose, the present invention provides a method for identifying an unknown port service, the method comprising the following steps:
S1: attempt a TCP connection to obtain returned information; if it is obtained successfully, use the returned information as the final result, otherwise go to the next step;
S2: attempt an HTTP or HTTPS connection to obtain an HTTP response; if it is obtained successfully, use the Server field as part of the final result and go to the next step; if no HTTP response can be obtained, the service identification process is complete;
S3: construct a malformed HTTP request using an invalid HTTP request method and an invalid URL path, in an attempt to trigger an HTTP error message; if the status code in the returned HTTP response header is not 200, go to the next step; if the status code is 200, the service identification process is complete;
S4: search the HTTP response body for service version information; if version number information is present, extract all the content of the HTML tag in which it appears as part of the final result; if no version number information is present, the Server field information obtained in the previous step is the entire final result, and the service identification process is complete.
Preferably, searching the HTTP response body for service version information includes the following operation:
If a Content-Encoding field is present in the HTTP response header, decompress the body using the compression algorithm corresponding to the field value; otherwise no decompression is needed.
Preferably, the version number is searched for by regular expression matching using the re module.
Preferably, the TCP connection uses the connect method of the socket module.
Preferably, the HTTP connection is made using the HTTPConnection method of the httplib module, and the HTTPS connection is made using the HTTPSConnection method of the httplib module.
The present invention also provides a system for identifying an unknown port service, the system comprising:
a TCP connection module, for attempting a TCP connection to obtain returned information;
an HTTP connection module, for attempting an HTTP or HTTPS connection to obtain an HTTP response;
an invalid HTTP request module, for constructing a malformed HTTP request using an invalid HTTP request method and an invalid URL path, in an attempt to trigger an HTTP error message;
a version information retrieval module, for searching the HTTP response body for service version information.
Preferably, the version number is searched for by regular expression matching using the re module.
Preferably, the TCP connection uses the connect method of the socket module.
Preferably, the HTTP connection is made using the HTTPConnection method of the httplib module, and the HTTPS connection is made using the HTTPSConnection method of the httplib module.
The effects given in this summary are only the effects of the embodiments, not all the effects of the invention. One of the above technical solutions has the following advantages or beneficial effects:
Compared with the prior art, the present invention attempts to obtain response information by making TCP, HTTP and HTTPS connections to the unknown port, and then searches the response information for possible service version information, thereby identifying the unknown port service and obtaining as much valid service information about the unknown service port as possible. The whole process is executed automatically by program code, which improves the effectiveness of unknown port service identification, solves the problem in the prior art that common port scanning tools cannot obtain valid information about the service provided on an unknown service port, achieves fast and accurate acquisition of valid service information for unknown service ports, prevents unknown service ports from posing a security threat to the system, and effectively improves system security.
Description of the drawings
Fig. 1 is a flow chart of a method for identifying an unknown port service provided in an embodiment of the present invention;
Fig. 2 is a structural block diagram of a system for identifying an unknown port service provided in an embodiment of the present invention.
Specific embodiments
In order to explain the technical features of this solution clearly, the invention is described in detail below through specific embodiments and with reference to the accompanying drawings. The following disclosure provides many different embodiments or examples for implementing different structures of the invention. To simplify the disclosure, the components and arrangements of specific examples are described below. In addition, the invention may repeat reference numerals and/or letters in different examples. This repetition is for simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the drawings are not necessarily drawn to scale. Descriptions of well-known components, processing techniques and processes are omitted to avoid unnecessarily limiting the invention.
The method and system for identifying an unknown port service provided by the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, an embodiment of the present invention discloses a method for identifying an unknown port service, the method comprising the following steps:
S1: attempt a TCP connection to obtain returned information; if it is obtained successfully, use the returned information as the final result, otherwise go to the next step;
S2: attempt an HTTP or HTTPS connection to obtain an HTTP response; if it is obtained successfully, use the Server field as part of the final result and go to the next step; if no HTTP response can be obtained, the service identification process is complete;
S3: construct a malformed HTTP request using an invalid HTTP request method and an invalid URL path, in an attempt to trigger an HTTP error message; if the status code in the returned HTTP response header is not 200, go to the next step; if the status code is 200, the service identification process is complete;
S4: search the HTTP response body for service version information; if version number information is present, extract all the content of the HTML tag in which it appears as part of the final result; if no version number information is present, the Server field information obtained in the previous step is the entire final result, and the service identification process is complete.
First, the TCP connection information is obtained.
A TCP connection is first made to the unknown port in an attempt to obtain returned information. If it is obtained successfully, the returned information is used as the final result and the service identification process is complete; otherwise the next step is performed.
The TCP connection uses the connect method of the socket module.
Then the HTTP connection information is obtained.
An HTTP connection is made to the unknown port using the HTTPConnection method of the httplib module, in an attempt to obtain an HTTP response. If this is unsuccessful, an HTTPS connection is made using the HTTPSConnection method of the httplib module, again attempting to obtain an HTTP response. If a response is obtained successfully, the Server field value is used as part of the final result. A malformed HTTP request is then constructed using an invalid HTTP request method and an invalid URL path and sent, implemented with the request method of the httplib module, in an attempt to trigger an HTTP error message. If the status code in the returned HTTP response header is not 200, the HTTP response body needs to be searched for service version information; if the status code is 200, the HTTP response body does not need to be searched and the service identification process is complete. If neither the HTTP nor the HTTPS connection can obtain an HTTP response, the service identification process is complete.
Finally, the HTTP response body is searched for service version information.
If a Content-Encoding field is present in the HTTP response header, the body is decompressed using the compression algorithm corresponding to the field value; otherwise no decompression is needed. In this embodiment the zlib or gzip module is used for decompression. Version number information is then searched for in the response body. If version number information is present, all the content of the HTML tag in which it appears is extracted as part of the final result; that is, starting from the matched version number string, angle brackets are matched forwards and backwards to mark the beginning and end of this substring, and the service identification process is complete. If no version number information is present, the Server field information obtained in the previous step is the entire final result, and the service identification process is complete.
The version number is searched for by regular expression matching using the re module. The regular expression can be \d+(\.\d+){1,3}, which denotes numbers separated by dots, with 1 to 3 dots allowed.
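The result rules of steps S2 to S4 described above, applied offline to a constructed response, as an added Python example that is not code from the patent. The names `identify`, `enclosing_text` and `build_response`, the `ExampleServer` banner and the sample pages are hypothetical, and the "previous `>` to next `<`" expansion is one reading of the angle-bracket matching the text describes.

```python
import gzip
import re
import zlib

# Pattern described in the text: digits separated by dots, with 1 to 3 dots.
VERSION_RE = re.compile(rb"\d+(?:\.\d+){1,3}")


def split_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def decode_body(headers, body):
    """Decompress only when a Content-Encoding header is present."""
    encoding = headers.get(b"content-encoding", b"").lower()
    if encoding == b"gzip":
        return gzip.decompress(body)
    if encoding == b"deflate":
        try:
            return zlib.decompress(body)  # zlib-wrapped stream
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate
    return body


def enclosing_text(body, match):
    """Expand a version match back to the previous '>' and on to the next '<'.

    Assumption: this is one reading of "match angle brackets forwards and
    backwards"; it yields the text of the element that holds the version.
    """
    start = body.rfind(b">", 0, match.start()) + 1  # 0 if no '>' precedes
    end = body.find(b"<", match.end())
    if end == -1:
        end = len(body)
    return body[start:end].strip()


def identify(raw):
    """Apply the S2-S4 result rules to the response to the malformed request."""
    status, headers, body = split_response(raw)
    result = {"server": headers.get(b"server", b"").decode("latin-1"),
              "version_text": None}
    if status == 200:  # no error page was triggered: Server field only
        return result
    text = decode_body(headers, body)
    match = VERSION_RE.search(text)
    if match:
        found = enclosing_text(text, match)
        result["version_text"] = found.decode("utf-8", "replace")
    return result


def build_response(status_line, body, compress=False):
    """Build a constructed sample response (not captured from a real host)."""
    payload = gzip.compress(body) if compress else body
    lines = [status_line, b"Server: ExampleServer"]
    if compress:
        lines.append(b"Content-Encoding: gzip")
    return b"\r\n".join(lines) + b"\r\n\r\n" + payload


# Constructed sample bodies: an error page that leaks a version, and one that does not.
ERROR_PAGE = (b"<html><body><h1>Bad Request</h1><hr>"
              b"<address>ExampleServer/2.4.1 at localhost</address></body></html>")
PLAIN_PAGE = b"<html><body><h1>Bad Request</h1></body></html>"

if __name__ == "__main__":
    samples = (
        build_response(b"HTTP/1.1 400 Bad Request", ERROR_PAGE, compress=True),
        build_response(b"HTTP/1.1 400 Bad Request", PLAIN_PAGE),
        build_response(b"HTTP/1.1 200 OK", ERROR_PAGE),
    )
    for raw in samples:
        print(identify(raw))
```

Run against responses saved from your own servers, this shows whether their error pages disclose a version string. The pattern also matches dotted-quad IP addresses, so a hit is a candidate rather than a confirmed version.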
The embodiment of the present invention attempts to obtain response information by making TCP, HTTP and HTTPS connections to the unknown port, and then searches the response information for possible service version information, thereby identifying the unknown port service and obtaining as much valid service information about the unknown service port as possible. The whole process is executed automatically by program code, which improves the effectiveness of unknown port service identification, solves the problem in the prior art that common port scanning tools cannot obtain valid information about the service provided on an unknown service port, achieves fast and accurate acquisition of valid service information for unknown service ports, prevents unknown service ports from posing a security threat to the system, and effectively improves system security.
As shown in Fig. 2, an embodiment of the present invention also discloses a system for identifying an unknown port service, the system comprising:
a TCP connection module, for attempting a TCP connection to obtain returned information; if it is obtained successfully, the returned information is used as the final result and the service identification process is complete;
an HTTP connection module, for attempting an HTTP or HTTPS connection to obtain an HTTP response; if it is obtained successfully, the Server field is used as part of the final result; if no HTTP response can be obtained, the service identification process is complete;
an invalid HTTP request module, for constructing a malformed HTTP request using an invalid HTTP request method and an invalid URL path, in an attempt to trigger an HTTP error message; if the status code in the returned HTTP response header is not 200, version information is searched for; if the status code is 200, the service identification process is complete;
a version information retrieval module, for searching the HTTP response body for service version information; if a Content-Encoding field is present in the HTTP response header, the body is decompressed using the compression algorithm corresponding to the field value, otherwise no decompression is needed; in this embodiment the zlib or gzip module is used for decompression; version number information is then searched for in the response body; if version number information is present, all the content of the HTML tag in which it appears is extracted as part of the final result, that is, starting from the matched version number string, angle brackets are matched forwards and backwards to mark the beginning and end of this substring, and the service identification process is complete; if no version number information is present, the Server field information already obtained is the entire final result, and the service identification process is complete.
The version number is searched for by regular expression matching using the re module. The regular expression can be \d+(\.\d+){1,3}, which denotes numbers separated by dots, with 1 to 3 dots allowed.
The TCP connection uses the connect method of the socket module.
The HTTP connection is made using the HTTPConnection method of the httplib module, and the HTTPS connection is made using the HTTPSConnection method of the httplib module.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (9)

1. A method for identifying an unknown port service, characterized in that the method comprises the following steps:
S1: attempt a TCP connection to obtain returned information; if it is obtained successfully, use the returned information as the final result, otherwise go to the next step;
S2: attempt an HTTP or HTTPS connection to obtain an HTTP response; if it is obtained successfully, use the Server field as part of the final result and go to the next step; if no HTTP response can be obtained, the service identification process is complete;
S3: construct a malformed HTTP request using an invalid HTTP request method and an invalid URL path, in an attempt to trigger an HTTP error message; if the status code in the returned HTTP response header is not 200, go to the next step; if the status code is 200, the service identification process is complete;
S4: search the HTTP response body for service version information; if version number information is present, extract all the content of the HTML tag in which it appears as part of the final result; if no version number information is present, the Server field information obtained in the previous step is the entire final result, and the service identification process is complete.
2. The method for identifying an unknown port service according to claim 1, characterized in that searching the HTTP response body for service version information includes the following operation:
If a Content-Encoding field is present in the HTTP response header, decompress the body using the compression algorithm corresponding to the field value; otherwise no decompression is needed.
3. The method for identifying an unknown port service according to claim 2, characterized in that the version number is searched for by regular expression matching using the re module.
4. The method for identifying an unknown port service according to any one of claims 1 to 3, characterized in that the TCP connection uses the connect method of the socket module.
5. The method for identifying an unknown port service according to any one of claims 1 to 3, characterized in that the HTTP connection is made using the HTTPConnection method of the httplib module, and the HTTPS connection is made using the HTTPSConnection method of the httplib module.
6. A system for identifying an unknown port service, characterized in that the system comprises:
a TCP connection module, for attempting a TCP connection to obtain returned information;
an HTTP connection module, for attempting an HTTP or HTTPS connection to obtain an HTTP response;
an invalid HTTP request module, for constructing a malformed HTTP request using an invalid HTTP request method and an invalid URL path, in an attempt to trigger an HTTP error message;
a version information retrieval module, for searching the HTTP response body for service version information.
7. The system for identifying an unknown port service according to claim 6, characterized in that the version number is searched for by regular expression matching using the re module.
8. The system for identifying an unknown port service according to claim 6, characterized in that the TCP connection uses the connect method of the socket module.
9. The system for identifying an unknown port service according to claim 6, characterized in that the HTTP connection is made using the HTTPConnection method of the httplib module, and the HTTPS connection is made using the HTTPSConnection method of the httplib module.
Application CN201811316961.8A | Priority date 2018-11-06 | Filing date 2018-11-06 | A method and system for identifying unknown port services | Pending | CN109495466A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201811316961.8A, CN109495466A (en) | 2018-11-06 | 2018-11-06 | A method and system for identifying unknown port services

Publications (1)

Publication Number | Publication Date
CN109495466A (en) | 2019-03-19

Family

Family ID: 65693945

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201811316961.8A, Pending, CN109495466A (en) | A method and system for identifying unknown port services | 2018-11-06 | 2018-11-06

Country Status (1)

Country | Link
CN (1) | CN109495466A (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 20190319
Application publication date: 20190319