CN117579361A - Network penetration method, system and storage medium - Google Patents



Publication number
CN117579361A
Authority
CN
China
Prior art keywords
transparent transmission
network
access terminal
information
data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311599704.0A
Other languages
Chinese (zh)
Inventor
陈长君
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xinhua Zhiyun Technology Co ltd
Original Assignee
Xinhua Zhiyun Technology Co ltd
Events
Application filed by Xinhua Zhiyun Technology Co ltd; priority to CN202311599704.0A; publication of CN117579361A; current legal status: Pending.


Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls › H04L63/0227 Filtering policies › H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H › H04 › H04L › H04L63/00 › H04L63/02 › H04L63/0281 Proxies
    • H › H04 › H04L › H04L63/00 › H04L63/02 › H04L63/029 Firewall traversal, e.g. tunnelling or, creating pinholes
    • H › H04 › H04L › H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols › H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS › Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE › Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE › Y02D30/00 Reducing energy consumption in communication networks › Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

A network penetration method, system and storage medium relate to the technical field of data transmission and comprise the following steps: the transparent transmission server listens on a port, establishes a network channel to the access terminal according to a connection request sent remotely by the access terminal, and receives the access terminal's data; it unpacks the received data to obtain the site information of the site the access terminal wants forwarded, and matches that site information within the transparent transmission server to obtain target site information that includes an environment ID; it matches the corresponding privately-owned environment network channel according to that environment ID; and it encapsulates all of this information into a protocol data packet and writes the packet into the matched privately-owned environment network channel. Because the complex logic is unified and concentrated on the transparent transmission server, the transparent transmission system is easier to update and maintain.

Description

Network penetration method, system and storage medium
Technical Field
The invention relates to the technical field of data transmission, in particular to a network penetration system and a penetration method.
Background
After an application system has been deployed in a privately owned intranet environment provided by a customer, it still has to be maintained and managed. When no technicians are dispatched to the customer site, this is generally solved with one of several remote intranet access technologies, for example Virtual Private Networks (VPN), remote desktop protocols, port mapping (port forwarding), HTTP reverse proxies, or proprietary intranet penetration tools and commercial services.
However, each of the above transparent transmission systems shows certain defects and problems in actual deployment. For example, in the prior art the complex logic is generally concentrated on the client, and because the client is located inside the privately owned intranet environment, upgrading and maintaining it is difficult.
There is therefore a need for a network penetration method, system and storage medium that solve these problems in the prior art.
Disclosure of Invention
The invention aims to provide a network penetration method, a network penetration system and a storage medium that concentrate the complex logic on the transparent transmission server, so as to solve the problem, described in the background, that a transparent transmission system with defects is difficult to maintain.
To achieve this purpose, the present invention provides the following technical solution:
A network penetration method, comprising the steps of:
the transparent transmission server listens on a port, establishes a privately-owned environment network channel to the privately-owned network environment according to a connection request from a transparent transmission client located in that environment, and acquires the environment ID of the privately-owned network environment;
the transparent transmission server obtains the request data of the access terminal and forwards it to the transparent transmission client;
the transparent transmission server sends the request data to the target site through the transparent transmission client;
obtaining the request data of the access terminal and forwarding it to the transparent transmission client comprises, on the transparent transmission server, the following steps:
listening on a port, establishing a network channel to the access terminal according to a connection request sent remotely by the access terminal, and receiving the access terminal's data;
unpacking the received data to obtain the site information of the site requested by the access terminal, and matching that site information within the transparent transmission server to obtain target site information that includes an environment ID;
matching the corresponding privately-owned environment network channel by comparing the environment ID in the target site information with the environment IDs acquired from the connected privately-owned network environments;
and encapsulating all of this information into a protocol data packet and writing the packet into the matched privately-owned environment network channel.
The site information of the requested site comprises at least the target IP and/or the target port;
the matching of site information within the transparent transmission server is performed against a database in the transparent transmission server. This database holds the environment data and site data that the privately-owned environment management and site management module stores after taking over the site information of each privately-owned environment to be transparently transmitted and allocating a globally unique environment ID to each such environment.
Further, the method also comprises the following steps:
the transparent transmission server obtains, through the transparent transmission client, the response result data returned by the target site for the request data;
and the transparent transmission server forwards the response result data to the access terminal.
When the transparent transmission server obtains the response result data through the transparent transmission client, the transparent transmission client performs the following step: it receives the target site's response result data for the request data and returns that data to the transparent transmission server.
further, before the transparent server side obtains the request data of the access side, the access side initiates a connection request to the transparent server side, and the access side specifically performs the following steps:
the access terminal initiates an internet request of an HTTP protocol;
when the access terminal installs and starts the network proxy software, the access terminal forwards the request to the transparent server through the network proxy software;
or when the access terminal is provided with the Hosts configuration software, the access terminal forwards the request to the transparent transmission service terminal through the Hosts configuration software.
The access terminal obtains the interface information of the transparent transmission server terminal through the call of the network proxy software or the Hosts configuration software to the update interface according to the update interface provided by the transparent transmission server terminal;
when the access terminal forwards the request to the transparent transmission server terminal through the network proxy software, the method specifically comprises the following steps:
the network proxy software obtains relevant rules through an updating interface provided by the transparent transmission server; performing relevant rule matching according to an internet request of an HTTP protocol initiated by an access terminal; when the related rules are matched, forwarding the request of the access terminal to the transparent transmission server terminal;
when the access terminal forwards the request to the transparent transmission service terminal through the Hosts configuration software, the method specifically comprises the following steps:
the Hosts configuration software obtains relevant Hosts configuration rules through an updating interface provided by the transparent transmission server; performing domain name matching according to an internet request of an HTTP protocol initiated by an access terminal; when the domain name is matched, forwarding a request of the access terminal to the transparent transmission server;
specifically, the specific step of forwarding the request through the network proxy software or the Hosts configuration software is the prior art, and is not repeated in the present application.
Further, when the site information is matched, if the target access site is not matched, constructing corresponding prompt information, and replying the prompt information to the access terminal;
when the corresponding privately-owned environment network channel is matched, if the corresponding privately-owned environment network channel is not matched, corresponding prompt information is constructed, and the prompt information is returned to the access terminal.
Further, before all of the information is encapsulated into the protocol data packet and written into the corresponding privately-owned environment network channel, the method further comprises the following steps:
authenticating the user information of the current request, comprising the steps of:
step 2.10.1: acquiring the user information in the Cookie of the current request and verifying the correctness of the user's login information; if the login information is empty or verification fails, proceeding to step 2.10.2;
step 2.10.2: acquiring the user token information in the request parameters and verifying the token with the single sign-on server; if the token passes verification and the user information of the logged-in user is obtained, proceeding to step 2.10.3; if the token is empty or verification fails, proceeding to step 2.10.4;
step 2.10.3: saving the user information obtained in step 2.10.2 into the network channel context;
step 2.10.4: when user authentication fails, constructing corresponding prompt information and replying with it to the access terminal.
Further, when all of the information is encapsulated into a protocol data packet, the encapsulated information comprises: the environment ID, the destination address, the destination port, the user channel ID of the access terminal's current connection, and the request data of the access terminal.
Further, the transparent transmission server forwarding the returned response result data to the access terminal comprises the following steps: receiving and parsing the response data packet returned by the transparent transmission client, restoring the network channel context of the current access terminal request according to the user channel ID in the response data packet, and judging whether the user information recorded in step 2.10.3 exists in that network channel context;
if the user information exists, parsing the response data packet according to the HTTP protocol, modifying the relevant HTTP response header data so that the user information is written into the Cookie, and at the same time clearing the user information from the network channel context.
Further, the transparent transmission server forwarding the returned response result data to the access terminal also comprises the following step:
if the network channel context contains no user information, the HTTP response data packet need not be parsed at all; the network channel of the current access terminal request is retrieved directly according to the user channel ID in the response data packet, and the raw data returned by the privately-owned target site is written into that network channel.
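The response path just described, as an added Go example that is not the patent's or the assignee's own code: the server looks up the network channel context by user channel ID and either passes the bytes through untouched (no HTTP parsing) or, when a user authenticated by token at step 2.10.2 is still pending in the context, parses only the HTTP head with http.ReadResponse, adds a Set-Cookie header and clears the pending user. The cookie name pt_session, the UserInfo/ChannelTable types and the injected mintSession function are assumptions. The cookie value should be a server-issued session identifier or signed token produced by mintSession, not the user information itself, because step 2.10.1 later trusts whatever the browser returns in that cookie.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"sync"
)

// UserInfo is what the single sign-on server returned for the logged-in user
// at step 2.10.2 (field set assumed).
type UserInfo struct {
	UserID string
}

// ChannelContext is the per-connection state kept for one access terminal and
// found again later through the user channel ID assigned at step 2.6.
type ChannelContext struct {
	PendingUser *UserInfo // set at step 2.10.3, cleared once written to the Cookie
}

// ChannelTable is the global context: user channel ID -> channel context.
type ChannelTable struct {
	mu    sync.Mutex
	chans map[uint32]*ChannelContext
}

func NewChannelTable() *ChannelTable {
	return &ChannelTable{chans: map[uint32]*ChannelContext{}}
}

func (t *ChannelTable) Register(id uint32) *ChannelContext {
	t.mu.Lock()
	defer t.mu.Unlock()
	ctx := &ChannelContext{}
	t.chans[id] = ctx
	return ctx
}

func (t *ChannelTable) Lookup(id uint32) (*ChannelContext, bool) {
	t.mu.Lock()
	defer t.mu.Unlock()
	ctx, ok := t.chans[id]
	return ctx, ok
}

// sessionCookieName is an assumed name; the text only says the user
// information is "written into the Cookie".
const sessionCookieName = "pt_session"

// RewriteResponse handles one response data packet returned by the client for
// channelID. Fast path: no pending user, the raw bytes go back unchanged and no
// HTTP parsing happens. Slow path: parse the head, add a Set-Cookie header that
// carries a session minted for the pending user, clear the pending user and
// re-serialise. Returns the bytes for the access terminal and whether a cookie
// was added. One goroutine owns each channel context, so no lock is taken on it.
func RewriteResponse(t *ChannelTable, channelID uint32, raw []byte, mintSession func(*UserInfo) string) ([]byte, bool, error) {
	ctx, ok := t.Lookup(channelID)
	if !ok {
		return nil, false, fmt.Errorf("no network channel for user channel ID %d", channelID)
	}
	if ctx.PendingUser == nil {
		return raw, false, nil
	}
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return nil, false, fmt.Errorf("parse target response: %w", err)
	}
	cookie := &http.Cookie{
		Name:     sessionCookieName,
		Value:    mintSession(ctx.PendingUser),
		Path:     "/",
		HttpOnly: true, // page scripts on the private site cannot read the session
		Secure:   true, // assumes the public server terminates TLS
		SameSite: http.SameSiteLaxMode,
	}
	resp.Header.Add("Set-Cookie", cookie.String())
	ctx.PendingUser = nil // written once; later responses take the fast path
	var out bytes.Buffer
	if err := resp.Write(&out); err != nil {
		return nil, false, err
	}
	return out.Bytes(), true, nil
}

func main() {
	tbl := NewChannelTable()
	tbl.Register(7).PendingUser = &UserInfo{UserID: "alice"}
	raw := []byte("HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok") // constructed target reply
	out, set, err := RewriteResponse(tbl, 7, raw, func(u *UserInfo) string { return "sess-" + u.UserID })
	fmt.Printf("cookie set: %v, err: %v\n%s", set, err, out)
}
```

The fast path matters for more than performance: a response that is not parsed cannot be mis-parsed, so only the one response that carries the cookie is ever touched.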
A network penetration system, comprising:
an access terminal, used to initiate requests to the transparent transmission server and to receive the data that the transparent transmission server returns from the transparent transmission client;
a transparent transmission server, deployed in a public network environment and used to forward the request data received from the access terminal to the transparent transmission client and to forward the data returned by the transparent transmission client to the access terminal;
and a transparent transmission client, deployed in the privately-owned network environment and used to forward the request data forwarded by the transparent transmission server to the target site, receive the target site's response result data, and return that data to the transparent transmission server.
A computer storage medium having a computer program stored therein which, when executed by a processor, implements the network penetration method.
Compared with the prior art, the invention has the following beneficial effects: the transparent transmission server takes over privately-owned network environment management, privately-owned site management, route matching for privately-owned site access requests, identity authentication of public network access users, and similar functions; that is, all of the complex work of information management and route matching is concentrated on the transparent transmission server, which greatly simplifies the program logic of the transparent transmission client. The transparent transmission client is focused only on maintaining a long TCP connection to the transparent transmission server and on TCP-layer data transmission to the target site. The advantage of this design is that an extremely simple client program is a stable client program, while the complex logic is unified in the server program. Because the transparent transmission server is deployed in the public network environment, it can be upgraded and maintained conveniently and centrally even when defects are found, so the overall technical architecture improves the maintainability of the system.
The extremely simple transparent transmission client only needs to implement three logical functions: a long TCP connection to the transparent transmission server, TCP-layer network requests to the target site, and unpacking and packing of the self-defined protocol data. Its network handling is concerned only with the TCP layer and not with any application-layer protocol above it, which greatly simplifies the programming.
Other features and advantages of the present invention will be disclosed in the following detailed description of the invention and the accompanying drawings.
Drawings
FIG. 1 is a schematic diagram of the preparation of each end prior to a pass-through access;
FIG. 2 is a schematic diagram of the data transparent transmission process;
FIG. 3 is a schematic diagram of the user authentication flow.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," "secured" and the like are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally formed; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communicated with the inside of two elements or the interaction relationship of the two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.
A network penetration system, comprising:
an access terminal, used to initiate requests to the transparent transmission server and to receive the data that the transparent transmission server returns from the transparent transmission client;
the access terminal comprises the software with which the user initiates access, which may be a browser, together with proxy plug-in software or Hosts configuration software that forwards requests for specified sites to the transparent transmission server.
The transparent transmission server is deployed in a public network environment and forwards the request data received from the access terminal to the transparent transmission client and the data returned by the transparent transmission client back to the access terminal, so that the access terminal can reach a target site in a given privately-owned environment.
Forwarding the request data received from the access terminal to the transparent transmission client comprises: the transparent transmission server receives the access terminal's request data and, only after user identity authentication has completed, forwards the data to the transparent transmission client of the target environment.
The transparent transmission client is deployed in the privately-owned network environment and forwards the request data forwarded by the transparent transmission server to the target site, receives the target site's response result data, and returns that data to the transparent transmission server.
The transparent transmission server specifically comprises:
a privately-owned environment request transparent transmission module, used to forward the received request data of the access terminal to the transparent transmission client and to forward the data returned by the transparent transmission client to the access terminal;
a privately-owned environment management and site management module, used to manage the site information of the privately-owned environments that need transparent transmission, to allocate a globally unique environment ID to each privately-owned environment, and to store management data such as the privately-owned environments and privately-owned sites in the database;
an access terminal site information update interface, used to provide the access terminal with an update interface for privately-owned site information;
and a channel registration module, used to provide, by listening on a port, TCP transport-layer network connections and network channel registration to the transparent transmission client and the access terminal.
Optionally, all privately-owned sites are managed uniformly, a unified navigation page for site access is provided, and this is combined with an automatic site information update strategy for the proxy software or Hosts configuration software, so that the access terminal can be connected at low cost. Specifically:
a. a data format that meets the requirements of the proxy software or Hosts configuration software is generated, so that the access terminal can automatically update the domain name information of all target sites;
b. the transparent transmission server provides a unified navigation page for the target sites of all environments, so that the access terminal can reach every accessible privately-owned site through one entry page.
the network penetration method specifically comprises the following steps:
the programs at each end need to do some preliminary preparation before the remote privateization station system accesses, as shown in figure one.
The method comprises the following steps:
selecting an access terminal of network proxy software or Hosts configuration software, and calling an update interface of software corresponding to the access terminal to a transparent transmission server terminal by the access terminal;
the transparent transmission client side in the privately-owned network environment performs network connection to the transparent transmission server side in the public network environment, registers a network connection channel, and transmits the unique identification ID of the privately-owned network environment to the transparent transmission server side.
The method comprises the following specific steps:
step 1.1: if an access terminal for forwarding by using network proxy software is selected, site information to be forwarded needs to be configured for the proxy software, and most proxy software can provide a timing automatic updating function through an HTTP remote interface. In the step, the site information updating interface meeting the data format of the corresponding proxy software, which is provided by the transparent transmission server, is configured to the proxy software, so that the automatic updating capability of the proxy site information of the access terminal is realized.
Step 1.2: if the Hosts configuration software is selected to perform domain name resolution hijacking to realize the access end of forwarding capability, the site information to be hijacked needs to be configured, and here, management software supporting automatic update of Hosts configuration can be selected. The Hosts site updating interface provided by the transparent transmission server is also required to be configured on configuration software so as to realize the automatic domain name updating capability.
The method can be matched with network proxy software or Hosts configuration software of a third party, and can automatically forward a request of a target site to be transmitted to the transparent transmission server side when the access side accesses a remote site by combining a corresponding data format interface provided by the transparent transmission server side.
Step 1.3: the transparent transmission server runs in a public network environment, provides the information of the target site of the privately-owned network environment and an update interface corresponding to the configuration format, and is called by the access terminal in the step 1.1 or the step 1.2.
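Steps 1.1 to 1.3 describe an update interface that renders the site table in whatever format the access terminal's proxy software or Hosts configuration software consumes. The following Go program is an added illustration of that interface, not code from the patent or its assignee: it renders a site table as a PAC script for proxy software and as a hosts-file fragment for Hosts configuration software. The Site fields, the hostnames, the proxy address pt.example:8080 and the server IP 203.0.113.10 are constructed assumptions. It adds one check the text does not spell out: hostnames are validated before they are written, because both outputs are later interpreted by the access terminal (PAC as JavaScript, the hosts file line by line), so a malformed row in the site table would otherwise change which hosts the access terminal diverts to the server.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// Site is one row of the server's site table: the hostname the access terminal
// types into its browser, mapped to a private target. Field names are assumed;
// the text lists environment ID, target IP and target port.
type Site struct {
	Host     string
	EnvID    string
	TargetIP string
	Port     uint16
}

// hostnameRE accepts RFC 1123 style names only. Both outputs are interpreted by
// the access terminal (PAC as JavaScript, hosts line by line), so a site name
// carrying a quote, space or newline is refused instead of being emitted.
var hostnameRE = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

const hostsHeader = "# managed by the transparent transmission server; do not edit by hand\n"

// sortedHosts lower-cases, validates and de-duplicates the site hostnames,
// failing loudly rather than silently dropping a bad row.
func sortedHosts(sites []Site) ([]string, error) {
	seen := map[string]bool{}
	var out, bad []string
	for _, s := range sites {
		h := strings.ToLower(s.Host)
		switch {
		case len(h) > 253 || !hostnameRE.MatchString(h):
			bad = append(bad, s.Host)
		case !seen[h]:
			seen[h] = true
			out = append(out, h)
		}
	}
	if len(bad) > 0 {
		return nil, fmt.Errorf("rejected site hosts: %q", bad)
	}
	sort.Strings(out)
	return out, nil
}

// BuildPAC renders the proxy-software update format as a PAC script: only the
// registered hosts go to the transparent transmission server at proxyHostPort;
// everything else stays DIRECT, so the server never sees unrelated traffic.
func BuildPAC(sites []Site, proxyHostPort string) (string, error) {
	if _, _, err := net.SplitHostPort(proxyHostPort); err != nil {
		return "", err
	}
	hosts, err := sortedHosts(sites)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	b.WriteString("function FindProxyForURL(url, host) {\n  switch (host.toLowerCase()) {\n")
	for _, h := range hosts {
		fmt.Fprintf(&b, "    case %q:\n", h) // validated above, so %q adds only the quotes
	}
	fmt.Fprintf(&b, "      return \"PROXY %s\";\n  }\n  return \"DIRECT\";\n}\n", proxyHostPort)
	return b.String(), nil
}

// BuildHosts renders the same table in the Hosts-configuration format: every
// registered name resolves to the public IP of the transparent transmission
// server, which then routes on the HTTP Host header.
func BuildHosts(sites []Site, serverIP string) (string, error) {
	if net.ParseIP(serverIP) == nil {
		return "", fmt.Errorf("invalid server IP %q", serverIP)
	}
	hosts, err := sortedHosts(sites)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	b.WriteString(hostsHeader)
	for _, h := range hosts {
		fmt.Fprintf(&b, "%s %s\n", serverIP, h)
	}
	return b.String(), nil
}

func main() {
	sites := []Site{ // constructed sample table
		{Host: "crm.env-a.pt.example", EnvID: "env-a", TargetIP: "10.0.0.5", Port: 8080},
		{Host: "Wiki.env-b.pt.example", EnvID: "env-b", TargetIP: "10.1.0.9", Port: 80},
	}
	pac, _ := BuildPAC(sites, "pt.example:8080")
	hosts, _ := BuildHosts(sites, "203.0.113.10")
	fmt.Print(pac, hosts)
}
```

Because the access terminal fetches this output on a schedule and applies it automatically, the update interface is effectively a remote control over which hostnames the terminal's browser diverts; serving it only over an authenticated, TLS-protected endpoint is the natural counterpart of the validation above.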
Step 1.4: the transparent client runs in the privately-owned network environment and is configured with the unique identification ID of the privately-owned network environment. When the program is started, the transparent client actively performs network connection to the transparent server of the public network environment and registers a network connection channel, and simultaneously brings the unique identification ID of the current privately-used network environment to the transparent server. In addition, when the connection channel is abnormal, the transparent transmission client has the capability of automatically maintaining reconnection, and ensures the available connection state of the channel.
Step 1.5: and the transparent transmission server monitors and receives a connection request of the transparent transmission client through a port, establishes a Transmission Control Protocol (TCP) long connection network channel of the transparent transmission server and the privately owned network environment, records the mapping relation between the environment ID and the channel connection information into a global context, and is convenient for inquiring during the subsequent transparent transmission and forwarding of data. Also, when a channel disconnection occurs, the channel connection information in the global context corresponding to the environment ID is deleted.
When the programs of all the terminals in the stage one are ready, the access terminal can access the target site of the privately-owned network environment, and the whole steps are shown in a figure II. The method specifically comprises the following steps:
step 2.1: the access terminal initiates an internet request of the HTTP protocol, and typically adopts a browser.
Step 2.2: judging whether the access terminal installs and starts the network proxy software, if yes, carrying out the matching of the relevant rule of the current request, and synchronizing the data of the rule by the network proxy software to the corresponding interface of the transparent transmission server terminal. If the rules are matched, corresponding interface information is obtained, and the step 2.5 is carried out to request the transparent transmission server; if the rules are not matched or the network proxy software is not installed, the system enters the DNS query phase of the domain name in the step 2.3.
Step 2.3: the system firstly carries out domain name matching with the current Hosts configuration information, if the domain name is matched, the remote IP address of the transparent transmission server is directly obtained, and at the moment, the browser can directly send a request to the transparent transmission server. If the domain name is not matched, the routing system enters step 2.4 to perform normal domain name resolution and Internet access flow. The above IP mapping between the hotts site and the transparent server may be obtained from the corresponding interface of the transparent server by the hotts configuration software or manually configured by a person, which is the prior art.
Step 2.4: this step is the internet HTTP protocol request that the access end is normally initiating, independent of the application system of this patent.
Step 2.5: and (3) according to the IP address or interface information of the transparent transmission service end obtained in the step (2.2) or the step (2.3), the access end initiates a remote connection request to the transparent transmission service end. This step is done internally by the browser software of the access side.
Step 2.6: the transparent transmission server listens on a port and receives connection requests sent remotely by the access terminal over the TCP (transmission control protocol) transport-layer protocol. When a new connection request packet arrives, it establishes a network channel to the access terminal for exchanging data, and records the mapping between the access terminal's channel ID and the channel connection information in a global context. When a channel is disconnected, the channel connection information for that channel ID must be deleted from the global context.
The listening port of the transparent transmission server serves all data connection requests from access terminals that need to reach a private site, so a single listening port performs the HTTP request proxy forwarding for the sites in every private environment.
Step 2.7: unpack the received data according to the HTTP protocol specification. Note that the HTTP body is not parsed in this step; only the HTTP header information needs to be parsed, which improves processing performance.
Step 2.8: match the HTTP request header information against all site information in the database. If no target site matches, go to step 2.8.1; if a target site matches, write its environment ID, target IP, target port and related information into the network channel context of the current connection channel and go to step 2.9. Writing this information into the network channel context lets the site-matching result be shared for the whole connection, so site matching does not have to be repeated for every data packet, which improves processing performance.
Step 2.8.1: when the request does not match any target site, build a corresponding prompt message and reply it to the access terminal through step 3.5.
Step 2.9: using the environment ID in the target site information obtained in step 2.8, match the corresponding private environment network channel among the network channels registered in step 1.5. If a channel matches, go to step 2.10; otherwise go to step 2.9.1.
Step 2.9.1: when the network channel of the target environment cannot be found, build a corresponding prompt message and return it to the access terminal through step 3.5.
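The header-only parsing of step 2.7, the Host-based site lookup of step 2.8 and the prompt reply of step 2.8.1, as an added example in Python that is not the patent's own code. The site table, hostnames and addresses are constructed stand-ins for the transparent transmission server's database; the prompt format is an assumption, since the patent does not specify it.

```python
# Added example (not the patent's code): header-only HTTP parsing and
# Host-based site matching for steps 2.7, 2.8 and 2.8.1.
from typing import Dict, Optional, Tuple

# Constructed site table standing in for the transparent server's database.
# Keys are the public hostnames the access terminal sends in the Host header.
SITES = {
    "crm.example.test": {"env_id": "env-a", "target_ip": "10.0.0.10", "target_port": 8080},
    "wiki.example.test": {"env_id": "env-b", "target_ip": "10.1.0.5", "target_port": 80},
}


def parse_http_head(data: bytes) -> Optional[Tuple[str, str, Dict[str, str], int]]:
    """Step 2.7: parse only the request line and headers.

    Returns (method, target, headers, head_length) or None when the head is
    not yet complete. The body after the blank line is never touched, which
    is what keeps the per-packet cost low.
    """
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    head = data[:end].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        # Header names are case-insensitive; the first occurrence wins.
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, headers, end + 4


def match_site(headers: Dict[str, str], sites: Dict[str, dict] = SITES) -> Optional[dict]:
    """Step 2.8: resolve the Host header to a site record, or None."""
    host = headers.get("host", "")
    # Strip an explicit port so "crm.example.test:443" still matches.
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    return sites.get(hostname.lower())


def prompt_response(message: str, status: str = "404 Not Found") -> bytes:
    """Steps 2.8.1 / 2.9.1: a plain-text prompt returned to the access terminal (assumed format)."""
    body = message.encode("utf-8")
    head = (f"HTTP/1.1 {status}\r\nContent-Type: text/plain; charset=utf-8\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode("iso-8859-1") + body


def route_request(data: bytes) -> Tuple[Optional[dict], Optional[bytes]]:
    """Combine the steps: (site, None) on a match, (None, prompt) on a miss,
    (None, None) when more bytes are needed before the head is complete."""
    parsed = parse_http_head(data)
    if parsed is None:
        return None, None
    _method, _target, headers, _head_len = parsed
    site = match_site(headers)
    if site is None:
        return None, prompt_response("no private site is registered for this host")
    return site, None
```

The matched record is what step 2.8 stores in the network channel context; later packets on the same connection reuse it instead of calling `route_request` again.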
Step 2.10: authenticate the user information of the current request. If authentication succeeds, go to step 2.11; otherwise go to step 2.10.4. User authentication is not implemented inside this system itself; it can be integrated with a third-party single sign-on system. See figure three for the detailed flow chart of this step.
Step 2.10.1: obtain the user information from the Cookie of the current request and verify the correctness of the user login information. If verification passes, go directly to step 2.11; if the login information is empty or verification fails, go to step 2.10.2.
Step 2.10.2: obtain the user token from the request parameters and verify it with the single sign-on server. If the token passes verification and the logged-in user's information is obtained, go to step 2.10.3; if the token is empty or verification fails, go to step 2.10.4.
Step 2.10.3: save the user information obtained in step 2.10.2 in the network channel context; it is used when the response data is processed in step 3.4.
Step 2.10.4: when user authentication fails, build a corresponding prompt message and reply it to the access terminal through step 3.5. A third-party user authentication system can be integrated in this step to prompt the user to log in and redirect to the user authentication page.
By intercepting data at the HTTP protocol layer, that is, by reading HTTP request data and rewriting response header data, integration with a third-party single sign-on system and insertion of the user authentication function are achieved, which improves the access security of private sites.
Step 2.11: serialise all the information recorded in the network channel context (environment ID, target address, target port, the user channel ID of the current access terminal connection, the access terminal's request data, and so on) into a protocol data packet, and write the packet into the private environment network channel matched in step 2.9. The data serialisation protocol can be chosen according to the actual situation (for example, protobuf); it only has to be ensured that the transparent transmission server and the transparent transmission client use the same serialisation and deserialisation protocol.
Step 2.12: the transparent transmission client receives the protocol data packet and deserialises it with the same serialisation protocol as the transparent transmission server.
Step 2.13: initiate a remote TCP connection to the address and port of the target server carried in the protocol data packet, and deliver the access terminal's request data from the packet to the target site unchanged.
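Steps 2.11 to 2.13 end to end, as an added Python example that is not the patent's own code. The patent leaves the serialisation protocol open (protobuf is named as one option); this example assumes a length-prefixed JSON frame instead so that it runs without extra libraries. The "private site" is a constructed local TCP listener that returns a fixed reply, and the frame size limit is an assumption added so that a malformed length field cannot force a huge allocation on the client.

```python
# Added example (not the patent's code): a length-prefixed packet format
# standing in for the serialisation protocol of steps 2.11-2.13, plus the
# transparent client's forwarding of the request bytes to the target site.
import json
import socket
import struct
import threading
from typing import Dict, Tuple

# Constructed wire format: 4-byte big-endian length, then a JSON object.
HEADER = struct.Struct("!I")
MAX_FRAME = 16 * 1024 * 1024  # assumed cap: reject absurd lengths before allocating


def pack_request(env_id: str, target_ip: str, target_port: int,
                 channel_id: str, request_data: bytes) -> bytes:
    """Step 2.11: serialise the channel context plus the raw request bytes."""
    payload = json.dumps({
        "env_id": env_id,
        "target_ip": target_ip,
        "target_port": target_port,
        "channel_id": channel_id,
        "request": request_data.hex(),  # keep arbitrary bytes JSON-safe
    }).encode("utf-8")
    return HEADER.pack(len(payload)) + payload


def unpack_frame(buf: bytes) -> Tuple[Dict, bytes]:
    """Step 2.12: take one frame off a receive buffer.

    Returns (message, remaining_bytes). Raises ValueError when the frame is
    incomplete (caller should wait for more data) or oversized (caller
    should drop the channel).
    """
    if len(buf) < HEADER.size:
        raise ValueError("incomplete header")
    (length,) = HEADER.unpack_from(buf)
    if length > MAX_FRAME:
        raise ValueError("frame too large")
    if len(buf) < HEADER.size + length:
        raise ValueError("incomplete frame")
    body = buf[HEADER.size:HEADER.size + length]
    msg = json.loads(body.decode("utf-8"))
    msg["request"] = bytes.fromhex(msg["request"])
    return msg, buf[HEADER.size + length:]


def forward_to_target(msg: Dict, timeout: float = 2.0) -> bytes:
    """Step 2.13: open a TCP connection to the target and relay the bytes unchanged."""
    with socket.create_connection((msg["target_ip"], msg["target_port"]), timeout=timeout) as s:
        s.sendall(msg["request"])
        chunks = []
        while True:  # the client only moves bytes; it never parses HTTP
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def start_fake_site() -> int:
    """Constructed stand-in for a private site: answers one connection with a fixed reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def round_trip(request: bytes) -> bytes:
    """Server packs, client unpacks and forwards; returns the site's raw reply."""
    port = start_fake_site()
    frame = pack_request("env-a", "127.0.0.1", port, "chan-1", request)
    msg, rest = unpack_frame(frame)
    assert rest == b""
    return forward_to_target(msg)
```

Because the client never looks inside `msg["request"]`, it stays application-protocol agnostic, which is exactly the simplification the description attributes to the transparent transmission client.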
The response of the target site is fed back to the access terminal through the following steps:
Step 3.1: the transparent transmission client receives the response result data written back by the target site.
Step 3.2: serialise the originally received environment ID, target address, target port and user channel ID together with the result data returned by the target site into a response data packet, find the network channel connected to the transparent transmission server, and write the response data packet into it.
Step 3.3: the transparent transmission server receives the response data packet from the transparent transmission client and parses it into the environment ID, target address, target port, user channel ID, response result data and related information.
Step 3.4: restore the network channel context of the current access terminal request according to the user channel ID in the response data packet, and check whether the user information recorded in step 2.10.3 exists in the network channel context;
if the user information exists, parse the response data packet according to the HTTP protocol, modify the relevant HTTP response header data, write the user information into the Cookie, and at the same time clear the user information from the network channel context;
if the user information does not exist, the HTTP response data packet does not need to be parsed, and processing goes directly to step 3.5.
Rewriting the Cookie in the response data to carry the user information realises the user's single sign-on for the current site.
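The request-side authentication of steps 2.10.1 to 2.10.4 and the response-side Cookie rewrite of step 3.4, as one added Python example that is not the patent's own code. The patent does not say how the Cookie proves the login, so this example assumes an HMAC-signed cookie value (user name plus a keyed hash) that the transparent transmission server can verify without a session store; the single sign-on server is a constructed token table, and the cookie name, secret and prompt response are constructed values.

```python
# Added example (not the patent's code): authentication flow of steps
# 2.10.1-2.10.4 and the Set-Cookie injection of step 3.4.
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

COOKIE_NAME = "pt_user"
# Constructed server-side secret; in a deployment it would come from configuration.
COOKIE_SECRET = b"constructed-secret-rotate-me"

# Constructed stand-in for the single sign-on server: token -> user name.
SSO_TOKENS = {"tok-123": "alice"}


def sign_user(user: str, secret: bytes = COOKIE_SECRET) -> str:
    """Cookie value "user.hmac" (assumed scheme) so the server can verify it statelessly."""
    mac = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_cookie(cookie_header: Optional[str], secret: bytes = COOKIE_SECRET) -> Optional[str]:
    """Step 2.10.1: return the user from a valid login cookie, else None."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != COOKIE_NAME or "." not in value:
            continue
        user, _, mac = value.rpartition(".")
        expected = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(mac, expected):  # constant-time comparison
            return user
    return None


def verify_token(target: str, sso: Dict[str, str] = SSO_TOKENS) -> Optional[str]:
    """Step 2.10.2: look up the token from the request parameters at the SSO server."""
    query = parse_qs(urlsplit(target).query)
    token = query.get("token", [None])[0]
    return sso.get(token) if token else None


def authenticate(target: str, headers: Dict[str, str], ctx: Dict) -> Tuple[str, Optional[bytes]]:
    """Run 2.10.1-2.10.4 against a network channel context.

    Returns ("ok", None) when the request may proceed to step 2.11, or
    ("denied", prompt_bytes) when step 2.10.4 applies.
    """
    if verify_cookie(headers.get("cookie")):
        return "ok", None  # 2.10.1 passed: no cookie rewrite needed later
    user = verify_token(target)
    if user:
        ctx["user"] = user  # 2.10.3: remembered for the response in step 3.4
        return "ok", None
    body = b"login required"
    prompt = (b"HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain\r\n"
              b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    return "denied", prompt


def inject_user_cookie(response: bytes, ctx: Dict) -> bytes:
    """Step 3.4: if the context carries a user, add a Set-Cookie header and clear the context."""
    user = ctx.pop("user", None)
    if user is None:
        return response  # nothing to do: forward the site's bytes unchanged
    end = response.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("response head not found")
    cookie = (f"Set-Cookie: {COOKIE_NAME}={sign_user(user)}; "
              "Path=/; HttpOnly; Secure; SameSite=Lax").encode()
    return response[:end] + b"\r\n" + cookie + response[end:]
```

The cookie is only ever issued on the response path, so a request that merely carries a token is not trusted until the single sign-on lookup succeeds, and a forged cookie fails the keyed-hash check rather than being accepted on the strength of the user name alone.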
Based on HTTP-level data interception and rewriting, the method and system add a unified user authentication step before the target private site is accessed, can be integrated with a single sign-on user authentication system, and improve the security of access to the private site's system.
Step 3.5: find the network channel of the current access terminal request according to the user channel ID in the response data packet, and write into it either the original data returned by the private target site or the data processed in step 3.4.
Step 3.6: the access terminal receives the response result data and related information from the transparent transmission server, and the access terminal's program presents it.
The method and system give private intranet sites the ability to be accessed from the Internet through a long-lived connection, making tasks such as remote system assistance and maintenance possible.
The transparent transmission server takes over private network environment management, private site management, route matching for private site access requests, identity authentication of public network users, and similar functions; that is, all the complex information management and route matching work is concentrated in the transparent transmission server, which greatly simplifies the program logic of the transparent transmission client. The transparent transmission client only maintains the long-lived TCP connection channel to the transparent transmission server and the TCP-layer data transmission to the target site. The advantage of this design is that the minimal client program is stable, while the complex logic is unified in the server program. Because the transparent transmission server is deployed in the public network environment, it can be upgraded and maintained centrally even when defects are found, so the overall architecture improves the maintainability of the system.
The minimal transparent transmission client only needs to implement three logical functions: the TCP long-lived connection to the transparent transmission server, the TCP-layer network request to the target site, and the packing and unpacking of the custom protocol data. It only has to deal with the TCP layer, not with any application-layer protocol above it, which greatly simplifies its programming.
The domain name information of the HTTP protocol is the basis for routing to a specific site; concretely, the transparent transmission server performs the HTTP request proxy forwarding for sites in all private network environments through a single listening port. That port receives the request data sent by all access terminals, finds the matching transparent transmission client according to the HTTP domain name information and forwards the data, which finally realises public network requests to private service sites.
With the method and system, only the fixed public network IP used by the intranet server on which the transparent transmission client is installed needs to be added to the access whitelist of the private environment's network firewall (which cannot be connected to from the public network), so clients can access sites in the private network from any environment with Internet access, without adjusting the existing network architecture and without distributing accounts for remote access software.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Furthermore, it should be understood that although the present disclosure describes embodiments, not every embodiment is described separately; this presentation is for clarity only, the disclosure is not limited to the embodiments described in detail, and the embodiments described in the examples may be combined as appropriate to form other embodiments that will be apparent to those skilled in the art.

Claims (10)

1. A network penetration method, comprising the steps of:
the transparent transmission server monitors through a port, establishes a privately-owned environment network channel communicated with the privately-owned network environment according to a connection request of a transparent transmission client positioned in the privately-owned network environment, and acquires an environment ID of the privately-owned network environment;
the transparent transmission server side obtains the request data of the access side and forwards the request data of the access side to the transparent transmission client side;
the transparent transmission server side sends the request data to the target site through the transparent transmission client side;
wherein the transparent transmission server acquiring the request data of the access terminal and forwarding it to the transparent transmission client comprises the following steps:
the transparent transmission server monitors through a port, establishes a network channel communicated with the access terminal according to a connection request sent by the access terminal, and receives data of the access terminal;
unpacking the received data to obtain site information, and matching in a transparent transmission server according to the site information to obtain target site information comprising environment ID;
matching corresponding privately-owned environment network channels according to the obtained environment ID;
and packaging all the information into a protocol data packet, and writing the protocol data packet into a corresponding privately-owned environment network channel.
2. The network penetration method of claim 1, further comprising the steps of:
the transparent transmission server side obtains response result data of the target site to the request data through the transparent transmission client side;
and the transparent transmission server forwards the response result data to the access terminal.
3. The network penetration method according to claim 2, wherein before the transparent transmission server obtains the request data of the access terminal, the access terminal initiates a connection request to the transparent transmission server, specifically comprising the following steps:
the access terminal initiates an internet request of an HTTP protocol;
when the access terminal installs and starts the network proxy software, the access terminal forwards the request to the transparent server through the network proxy software;
or when the access terminal is provided with the Hosts configuration software, the access terminal forwards the request to the transparent transmission service terminal through the Hosts configuration software.
4. The network penetration method of claim 2, wherein when matching is performed according to site information, if a target access site is not matched, constructing corresponding prompt information, and replying the prompt information to the access terminal;
when the corresponding privately-owned environment network channel is matched, if the corresponding privately-owned environment network channel is not matched, corresponding prompt information is constructed, and the prompt information is returned to the access terminal.
5. The network penetration method of claim 2, wherein when encapsulating all information into protocol data packets, the encapsulated information includes: environment ID, destination address, destination port, user channel ID currently connected to the access terminal, and request data of the access terminal.
6. The network penetration method of claim 2, further comprising, before encapsulating all information into a protocol data packet and writing it into the corresponding privately-owned environment network channel:
authenticating the currently requested user information, comprising the steps of:
step 2.10.1: acquiring user information in a current request Cookie, and verifying the correctness of user login information; if the login information is empty or verification fails, the step 2.10.2 is entered;
step 2.10.2: acquiring user token information in the request, verifying the token information with the single sign-on server, and if the token information passes the verification and the user information is acquired, entering a step 2.10.3; if the token information is null or the verification fails, the step 2.10.4 is entered;
step 2.10.3: saving the user information obtained in the step 2.10.2 to a network channel context;
step 2.10.4: when the user authentication fails, constructing corresponding prompt information and replying the information to the access terminal.
7. The network penetration method according to claim 6, wherein the transparent transmission server forwarding the returned response result data to the access terminal comprises the following steps: receiving and parsing the response data packet returned by the transparent transmission client, restoring the network channel context requested by the current access terminal according to the user channel ID in the response data packet, and judging whether the user information recorded in step 2.10.3 exists in the network channel context; if the user information exists in the network channel context, performing HTTP protocol parsing of the response data packet, modifying the relevant HTTP protocol response header data, writing the user information into the Cookie, and at the same time clearing the user information from the network channel context.
8. The network penetration method according to claim 7, wherein the transparent transmission server forwarding the returned response result data to the access terminal further comprises the following step: if the network channel context does not contain the user information, the response data packet does not need to be parsed; the network channel requested by the current access terminal is retrieved directly according to the user channel ID in the response data packet, and the original data returned from the privately-owned target site is written into the network channel requested by the access terminal.
9. A network penetration system, comprising:
the access terminal is used for initiating a request to the transparent transmission server and receiving, from the transparent transmission server, the data returned by the transparent transmission client;
the transparent transmission server is arranged in the public network environment and is used for forwarding the request data received from the access terminal to the transparent transmission client and forwarding the data responded by the transparent transmission client to the access terminal;
the transparent transmission client is arranged in the private network environment and used for forwarding the request data forwarded by the transparent transmission server to the target site, receiving the response result data of the target site and returning the result data to the transparent transmission server.
10. A computer storage medium having a computer program stored therein, which, when executed by a processor, implements the method provided in any one of claims 1 to 8.
CN202311599704.0A 2023-11-28 2023-11-28 Network penetration method, system and storage medium Pending CN117579361A (en)


Publications (1)

Publication Number Publication Date
CN117579361A true CN117579361A (en) 2024-02-20

Family

ID=89889765



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination