CN109495466A - A kind of recognition methods and system of unknown miniport service - Google Patents
- Publication number: CN109495466A
- Application number: CN201811316961.8A
- Authority: CN (China)
- Prior art keywords: http, unknown, information, module, service
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/51—Discovery or management thereof, e.g. service location protocol [SLP] or web services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/04—Protocols for data compression, e.g. ROHC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
- H04L69/162—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/163—In-band adaptation of TCP data exchange; In-band control procedures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention provides a method and system for identifying unknown port services, comprising: S1, attempting a TCP connection to obtain return information; S2, attempting an HTTP or HTTPS connection to obtain an HTTP response; S3, constructing a malformed HTTP request using an illegal HTTP request method and an illegal URL path, in an attempt to trigger an HTTP error message; S4, retrieving service version information from the HTTP response body. The invention attempts to obtain response information by making TCP, HTTP and HTTPS connections to an unknown port, and then retrieves possible service version information from the response, thereby identifying the service on the unknown port and obtaining as much effective service information about it as possible. The whole process is executed automatically by program code, which improves the effectiveness of unknown port service identification, prevents unknown service ports from posing a security threat to the system, and effectively improves system security.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method and system for identifying unknown port services.
Background art
With the rapid development of Internet technology around the world, people have been provided with great convenience. However, while informatization brings people all kinds of material and cultural enjoyment, we are also subject to increasingly serious security threats from the network, such as network data thieves, hacker intrusions, virus distributors, and even leakers inside the system. Although we widely use various complex software technologies, such as firewalls, proxy servers, intrusion detectors and channel control mechanisms, hacker activity is becoming more and more rampant in both developed and developing countries (including China); it is pervasive and causes serious harm to society. At the same time, and more worrying, hacker websites on the Internet keep increasing, so learning hacking techniques and obtaining hacking tools has become easy. This makes the already fragile Internet seem even less secure. It is therefore necessary to strengthen our own security precautions.
When carrying out security protection or penetration attacks, it is often necessary to scan the open ports of a target IP in order to find insecure services, but current common port scanning tools often cannot correctly obtain effective information about the service provided on a port running an unknown service.
Summary of the invention
The object of the present invention is to provide a method and system for identifying unknown port services, intended to solve the problem in the prior art that common port scanning tools cannot obtain effective information about the service provided on an unknown service port, so that effective service information for unknown service ports is obtained quickly and accurately and system security is effectively improved.
To achieve the above technical purpose, the present invention provides a method for identifying unknown port services, the method comprising the following steps:
S1: attempt a TCP connection to obtain return information; if it is obtained successfully, take the return information as the final result, otherwise proceed to the next step;
S2: attempt an HTTP or HTTPS connection to obtain an HTTP response; if it is obtained successfully, take the Server field as part of the final result and proceed to the next step; if no HTTP response can be obtained, the whole service identification process is complete;
S3: construct a malformed HTTP request using an illegal HTTP request method and an illegal URL path, in an attempt to trigger an HTTP error message; if the status code in the returned HTTP response header is not 200, proceed to the next step; if the status code is 200, the whole service identification process is complete;
S4: retrieve service version information from the HTTP response body; if version number information is present, take out all the content of the HTML tag in which it appears as part of the final result; if there is no version number information, the Server field information obtained in the previous step is the entire final result, and the whole service identification process is complete.
Preferably, retrieving the service version information from the HTTP response body includes the following operation:
If a Content-Encoding field is present in the HTTP response header, the body is decompressed using the compression algorithm corresponding to the field value; otherwise no decompression is needed.
Preferably, the version number is retrieved by regular expression matching using the re module.
Preferably, the TCP connection uses the connect method of the socket module.
Preferably, the HTTP connection is made using the HTTPConnection method of the httplib module, and the HTTPS connection is made using the HTTPSConnection method of the httplib module.
The present invention also provides a system for identifying unknown port services, the system comprising:
a TCP connection module, for attempting a TCP connection to obtain return information;
an HTTP connection module, for attempting an HTTP or HTTPS connection to obtain an HTTP response;
an illegal HTTP request module, for constructing a malformed HTTP request using an illegal HTTP request method and an illegal URL path, in an attempt to trigger an HTTP error message;
a version information retrieval module, for retrieving the service version information from the HTTP response body.
Preferably, the version number is retrieved by regular expression matching using the re module.
Preferably, the TCP connection uses the connect method of the socket module.
Preferably, the HTTP connection is made using the HTTPConnection method of the httplib module, and the HTTPS connection is made using the HTTPSConnection method of the httplib module.
The effects described in this summary are only the effects of the embodiments, not all the effects of the invention. One of the above technical solutions has the following advantages or beneficial effects:
Compared with the prior art, the present invention attempts to obtain response information by making TCP, HTTP and HTTPS connections to an unknown port, and then retrieves possible service version information from the response, thereby identifying the service on the unknown port and obtaining as much effective service information about it as possible. The whole process is executed automatically by program code, which improves the effectiveness of unknown port service identification. This solves the problem in the prior art that common port scanning tools cannot obtain effective information about the service provided on an unknown service port, obtains effective service information for unknown service ports quickly and accurately, prevents unknown service ports from posing a security threat to the system, and effectively improves system security.
Brief description of the drawings
Fig. 1 is a flowchart of a method for identifying unknown port services provided in an embodiment of the present invention;
Fig. 2 is a structural block diagram of a system for identifying unknown port services provided in an embodiment of the present invention.
Specific embodiments
To clearly explain the technical features of this solution, the present invention is described in detail below through specific embodiments and with reference to the accompanying drawings. The following disclosure provides many different embodiments or examples for implementing different structures of the invention. To simplify the disclosure, the components and arrangements of specific examples are described below. In addition, the invention may repeat reference numerals and/or letters in different examples. This repetition is for simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the drawings are not necessarily drawn to scale. Descriptions of well-known components, processing techniques and processes are omitted to avoid unnecessarily limiting the invention.
A method and system for identifying unknown port services provided by embodiments of the present invention are described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, an embodiment of the present invention discloses a method for identifying unknown port services, the method comprising the following steps:
S1: attempt a TCP connection to obtain return information; if it is obtained successfully, take the return information as the final result, otherwise proceed to the next step;
S2: attempt an HTTP or HTTPS connection to obtain an HTTP response; if it is obtained successfully, take the Server field as part of the final result and proceed to the next step; if no HTTP response can be obtained, the whole service identification process is complete;
S3: construct a malformed HTTP request using an illegal HTTP request method and an illegal URL path, in an attempt to trigger an HTTP error message; if the status code in the returned HTTP response header is not 200, proceed to the next step; if the status code is 200, the whole service identification process is complete;
S4: retrieve service version information from the HTTP response body; if version number information is present, take out all the content of the HTML tag in which it appears as part of the final result; if there is no version number information, the Server field information obtained in the previous step is the entire final result, and the whole service identification process is complete.
First, TCP connection information is obtained.
A TCP connection is first made to the unknown port in an attempt to obtain return information. If it is obtained successfully, the return information is taken as the final result and the whole service identification process is complete; otherwise the next step is performed.
The TCP connection uses the connect method of the socket module.
Then HTTP connection information is obtained.
An HTTP connection is made to the unknown port using the HTTPConnection method of the httplib module, in an attempt to obtain an HTTP response. If that is unsuccessful, an HTTPS connection is made using the HTTPSConnection method of the httplib module, again in an attempt to obtain an HTTP response. If a response is obtained successfully, the Server field value is taken as part of the final result.
A malformed HTTP request is then constructed with an illegal HTTP request method and an illegal URL path and sent, using the request method of the httplib module, in an attempt to trigger an HTTP error message. If the status code in the returned HTTP response header is not 200, the HTTP response body needs to be searched for service version information; if the status code is 200, the response body does not need to be searched and the whole service identification process is complete. If neither the HTTP nor the HTTPS connection can obtain an HTTP response, the whole service identification process is complete.
Finally, the service version information in the HTTP response body is retrieved.
If a Content-Encoding field is present in the HTTP response header, the body is decompressed using the compression algorithm corresponding to the field value; otherwise no decompression is needed. In this embodiment, decompression is done with the zlib or gzip module. Version number information is then searched for in the response body. If version number information is present, all the content of the HTML tag in which it appears is taken out as part of the final result; that is, starting from the matched version number string, angle brackets are matched backwards and forwards to mark the beginning and end of this part of the string, and the whole service identification process is complete. If there is no version number information, the Server field information obtained in the previous step is the entire final result, and the whole service identification process is complete.
The version number is retrieved by regular expression matching using the re module. The regular expression can be \d+(\.\d+){1,3}, which denotes digits separated by dots, with 1 to 3 dots.
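The S3 status check and the S4 retrieval described above, as an added example that is not code from the patent: it is written for Python 3 with the `re`, `gzip` and `zlib` modules the description names. The function names, the constructed sample error page, and the reading of the tag-extraction rule as "nearest angle bracket on each side of the match" are assumptions; the network probing of S1 to S3 is left to the caller, who passes in the status code, headers and raw body.

```python
import gzip
import re
import zlib

# Pattern from the description: digit groups separated by 1 to 3 dots.
VERSION_RE = re.compile(r"\d+(?:\.\d+){1,3}")

# Constructed sample error page (not captured from a real server).
SAMPLE_ERROR_PAGE = (
    "<html><head><title>501 Not Implemented</title></head><body>"
    "<h1>Not Implemented</h1><hr>"
    "<address>ExampleHTTPd/2.4.1 Server at 192.0.2.10 Port 8081</address>"
    "</body></html>"
)


def decode_body(headers, body):
    """Undo the Content-Encoding named in the response headers, if any."""
    encoding = ""
    for name, value in headers.items():
        if name.lower() == "content-encoding":  # header names are case-insensitive
            encoding = value.strip().lower()
    if encoding in ("gzip", "x-gzip"):
        body = gzip.decompress(body)
    elif encoding == "deflate":
        try:
            body = zlib.decompress(body)  # zlib-wrapped stream
        except zlib.error:
            body = zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate stream
    # Any other encoding is left as received; the search then simply finds nothing useful.
    return body.decode("utf-8", errors="replace")


def version_contexts(text):
    """Return the tag content around each version match, without duplicates."""
    contexts = []
    for match in VERSION_RE.finditer(text):
        # Walk backwards and forwards to the nearest angle bracket.
        start = max(text.rfind("<", 0, match.start()),
                    text.rfind(">", 0, match.start())) + 1
        ends = [i for i in (text.find("<", match.end()),
                            text.find(">", match.end())) if i != -1]
        end = min(ends) if ends else len(text)
        context = text[start:end].strip()
        if context not in contexts:
            contexts.append(context)
    return contexts


def identify(server_field, status, headers, body):
    """Combine the Server field (S2) with version text from the error page (S3/S4)."""
    result = {"server": server_field, "version_context": []}
    if status == 200:
        return result  # S3: the malformed request triggered no error page
    result["version_context"] = version_contexts(decode_body(headers, body))
    return result


if __name__ == "__main__":
    compressed = gzip.compress(SAMPLE_ERROR_PAGE.encode("utf-8"))
    print(identify("ExampleHTTPd", 501, {"Content-Encoding": "gzip"}, compressed))
```

The pattern also matches dotted IPv4 addresses and other dotted numbers that appear in error pages, so the returned contexts are candidates to review rather than confirmed version strings.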
The embodiment of the present invention attempts to obtain response information by making TCP, HTTP and HTTPS connections to an unknown port, and then retrieves possible service version information from the response, thereby identifying the service on the unknown port and obtaining as much effective service information about it as possible. The whole process is executed automatically by program code, which improves the effectiveness of unknown port service identification. This solves the problem in the prior art that common port scanning tools cannot obtain effective information about the service provided on an unknown service port, obtains effective service information for unknown service ports quickly and accurately, prevents unknown service ports from posing a security threat to the system, and effectively improves system security.
As shown in Fig. 2, an embodiment of the present invention also discloses a system for identifying unknown port services, the system comprising:
a TCP connection module, for attempting a TCP connection to obtain return information; if it is obtained successfully, the return information is taken as the final result and the whole service identification process is complete;
an HTTP connection module, for attempting an HTTP or HTTPS connection to obtain an HTTP response; if it is obtained successfully, the Server field is taken as part of the final result; if no HTTP response can be obtained, the whole service identification process is complete;
an illegal HTTP request module, for constructing a malformed HTTP request using an illegal HTTP request method and an illegal URL path, in an attempt to trigger an HTTP error message; if the status code in the returned HTTP response header is not 200, version information is retrieved; if the status code is 200, the whole service identification process is complete;
a version information retrieval module, for retrieving the service version information from the HTTP response body; if a Content-Encoding field is present in the HTTP response header, the body is decompressed using the compression algorithm corresponding to the field value, otherwise no decompression is needed; in this embodiment, decompression is done with the zlib or gzip module. Version number information is then searched for in the response body. If version number information is present, all the content of the HTML tag in which it appears is taken out as part of the final result; that is, starting from the matched version number string, angle brackets are matched backwards and forwards to mark the beginning and end of this part of the string, and the whole service identification process is complete. If there is no version number information, the Server field information obtained is the entire final result, and the whole service identification process is complete.
The version number is retrieved by regular expression matching using the re module. The regular expression can be \d+(\.\d+){1,3}, which denotes digits separated by dots, with 1 to 3 dots.
The TCP connection uses the connect method of the socket module.
The HTTP connection is made using the HTTPConnection method of the httplib module, and the HTTPS connection is made using the HTTPSConnection method of the httplib module.
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Claims (9)
1. A method for identifying unknown port services, characterized in that the method comprises the following steps:
S1: attempt a TCP connection to obtain return information; if it is obtained successfully, take the return information as the final result, otherwise proceed to the next step;
S2: attempt an HTTP or HTTPS connection to obtain an HTTP response; if it is obtained successfully, take the Server field as part of the final result and proceed to the next step; if no HTTP response can be obtained, the whole service identification process is complete;
S3: construct a malformed HTTP request using an illegal HTTP request method and an illegal URL path, in an attempt to trigger an HTTP error message; if the status code in the returned HTTP response header is not 200, proceed to the next step; if the status code is 200, the whole service identification process is complete;
S4: retrieve service version information from the HTTP response body; if version number information is present, take out all the content of the HTML tag in which it appears as part of the final result; if there is no version number information, the Server field information obtained in the previous step is the entire final result, and the whole service identification process is complete.
2. The method for identifying unknown port services according to claim 1, characterized in that retrieving the service version information from the HTTP response body includes the following operation:
If a Content-Encoding field is present in the HTTP response header, the body is decompressed using the compression algorithm corresponding to the field value; otherwise no decompression is needed.
3. The method for identifying unknown port services according to claim 2, characterized in that the version number is retrieved by regular expression matching using the re module.
4. The method for identifying unknown port services according to any one of claims 1 to 3, characterized in that the TCP connection uses the connect method of the socket module.
5. The method for identifying unknown port services according to any one of claims 1 to 3, characterized in that the HTTP connection is made using the HTTPConnection method of the httplib module, and the HTTPS connection is made using the HTTPSConnection method of the httplib module.
6. A system for identifying unknown port services, characterized in that the system comprises:
a TCP connection module, for attempting a TCP connection to obtain return information;
an HTTP connection module, for attempting an HTTP or HTTPS connection to obtain an HTTP response;
an illegal HTTP request module, for constructing a malformed HTTP request using an illegal HTTP request method and an illegal URL path, in an attempt to trigger an HTTP error message;
a version information retrieval module, for retrieving the service version information from the HTTP response body.
7. The system for identifying unknown port services according to claim 6, characterized in that the version number is retrieved by regular expression matching using the re module.
8. The system for identifying unknown port services according to claim 6, characterized in that the TCP connection uses the connect method of the socket module.
9. The system for identifying unknown port services according to claim 6, characterized in that the HTTP connection is made using the HTTPConnection method of the httplib module, and the HTTPS connection is made using the HTTPSConnection method of the httplib module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811316961.8A CN109495466A (en) | 2018-11-06 | 2018-11-06 | A kind of recognition methods and system of unknown miniport service |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811316961.8A CN109495466A (en) | 2018-11-06 | 2018-11-06 | A kind of recognition methods and system of unknown miniport service |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109495466A true CN109495466A (en) | 2019-03-19 |
Family
ID=65693945
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811316961.8A Pending CN109495466A (en) | 2018-11-06 | 2018-11-06 | A kind of recognition methods and system of unknown miniport service |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109495466A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100070972A1 (en) * | 2008-09-16 | 2010-03-18 | Ricoh Company, Ltd. | Apparatus, method, and computer program product for processing information |
CN104618181A (en) * | 2015-01-13 | 2015-05-13 | 国家电网公司 | Method for detecting intranet operation system of power system based on NMAP (Network Mapper) |
CN107395651A (en) * | 2017-09-07 | 2017-11-24 | 赛尔网络有限公司 | Service system and information processing method |
CN108255675A (en) * | 2018-01-10 | 2018-07-06 | 北京知道创宇信息技术有限公司 | A kind of port diagnostic extracting method, device and computing device |
CN108628722A (en) * | 2018-05-11 | 2018-10-09 | 华中科技大学 | A kind of distributed Web Component services detection system |
Non-Patent Citations (3)
Title |
---|
LOUISNIE: "渗透测试之服务扫描", 《HTTPS://BLOG.CSDN.NET/QQ_39353923/ARTICLE/DETAILS/82147066》 * |
SARLEON: "谈谈端口探测的经验与原理", 《HTTPS://WWW.FREEBUF.COM/ARTICLES/NETWORK/146087.HTML》 * |
SPACEWANDER: "nmap服务识别和操作系统探测", 《HTTPS://SEGMENTFAULT.COM/A/1190000011871145》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110365689A (en) * | 2019-07-19 | 2019-10-22 | 北京搜狐新媒体信息技术有限公司 | Port detecting method, apparatus and system |
CN110365689B (en) * | 2019-07-19 | 2021-11-23 | 北京搜狐新媒体信息技术有限公司 | Port detection method, device and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190319 |