Automated penetration testing method and system
Technical field
The invention relates to the technical fields of penetration defence mapping and comparison, intelligent logic control of vulnerability penetration, and information conversion and translation, and in particular to an automated penetration testing method and system.
Background technology
With the rapid development of Internet applications (online banking, e-commerce, personal spaces, microblogging, big data, cloud storage, etc.), these applications reach ever deeper into people's lives. If Internet applications that carry large amounts of information contain hidden dangers and are maliciously exploited, personal information or even the entire application system faces security risks.
As Internet applications carrying varied and massive data flourish, people pay more and more attention to the information security of Internet applications. For ordinary Internet application administrators, security-related management takes up a large amount of working time, requires knowledge of attack and defence techniques, and demands constant study of new methods and technologies. The currently known vulnerability security tools have a high entry threshold, which is a major challenge for administrators, and the testing from vulnerability discovery to vulnerability exploitation incurs high labour costs.
In summary, penetration testing methods in the prior art are all half tool-based and half manual. Testing from vulnerability discovery to vulnerability exploitation takes a large amount of time and repeated operations, and also requires manually entering commands step by step and configuring environments with different tools.
Summary of the invention
The main purpose of the present invention is to overcome the deficiencies of the prior art and to provide a more efficient and accurate penetration technique in which all the technical means used in any penetration testing process, including information gathering, vulnerability scanning, vulnerability exploitation, penetration test report generation and the subsequent privilege control means, are automated. To solve the above technical problem, the solution of the present invention is:
An automated penetration testing method is provided, comprising the following steps:
Step 1: configure the system parameter information and save it in a database; the parameter information comprises: system operation log, dictionary, and update records;
Step 2: create administrator and ordinary user accounts for login; after logging in as an administrator or ordinary user, set the target project to be penetrated, create the target project, set the test scan mode that the target project uses, and save the configuration information in the database; the configuration information comprises: project name, scan address, scan mode, policy selection and advanced parameters;
The scan mode comprises full-automatic penetration, web scanning (penetration using the web application vulnerability scanner webscan with a configured web vulnerability scanning policy), weak password scanning (penetration using a brute-force cracking tool and a password dictionary) and host scanning (penetration using a buffer overflow tool and a host overflow policy); full-automatic penetration comprises web scanning, weak password scanning and host scanning;
The policy selection comprises automatic policy identification and custom policy; a policy is the payload, predefined for each vulnerability type, that is used to attack each specified vulnerability, and it is saved in the database;
The advanced parameters comprise the scan timeout setting, the scan packet-sending interval setting, the scan IDS bypass setting, the specified cookie setting, the SQL injection replacement setting and the HTTP authentication information setting;
Step 3: using the scan mode configured in the target project, use scanning tools to perform vulnerability scanning, identification and classification on the target project;
Step 4: using the policy configured in the target project and the vulnerabilities identified in Step 3, perform penetration testing on the target project; the penetration testing methods comprise SQL injection, buffer overflow, brute-force cracking, and host information detection and collection;
Step 5: output the penetration testing results obtained in Step 3 and Step 4 through the result display module.
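The project configuration of Step 2 can be pictured as a validated record. The following sketch is an added illustration, not code from the patent: it checks the configuration fields, expands full-automatic penetration into its three component scans, and stores the record with a parameterized insert. The field names, the `projects` table and the use of SQLite in place of MySQL are assumptions, and only two of the advanced parameters are modelled.

```python
import ipaddress
import sqlite3
from dataclasses import dataclass
from urllib.parse import urlsplit

# Scan modes and policies named in Step 2; the identifier spellings are assumed.
COMPONENT_MODES = ("web", "weak_password", "host")
SCAN_MODES = ("full_auto",) + COMPONENT_MODES
POLICIES = ("auto_identify", "custom")

def address_ok(addr):
    """Accept a literal IP address or an http(s) URL that names a host."""
    try:
        return ipaddress.ip_address(addr) is not None
    except ValueError:
        url = urlsplit(addr)
        return url.scheme in ("http", "https") and bool(url.hostname)

@dataclass
class Project:
    name: str
    scan_address: str
    scan_mode: str
    policy: str
    timeout_s: int = 30      # advanced parameter: scan timeout
    interval_ms: int = 100   # advanced parameter: packet-sending interval

    def validate(self):
        """Return a list of problems; an empty list means the record is usable."""
        errors = []
        if not self.name.strip():
            errors.append("project name is empty")
        if not address_ok(self.scan_address):
            errors.append("scan address must be an IP or an http(s) URL")
        if self.scan_mode not in SCAN_MODES:
            errors.append(f"unknown scan mode: {self.scan_mode}")
        if self.policy not in POLICIES:
            errors.append(f"unknown policy: {self.policy}")
        if self.timeout_s <= 0 or self.interval_ms < 0:
            errors.append("timeout must be positive, interval non-negative")
        return errors

    def expanded_modes(self):
        """Full-automatic penetration runs all three component scans."""
        return COMPONENT_MODES if self.scan_mode == "full_auto" else (self.scan_mode,)

def save_project(db, p):
    """Store a validated project (returns the row count); placeholders keep input out of the SQL text."""
    if p.validate():
        raise ValueError("; ".join(p.validate()))
    db.execute("CREATE TABLE IF NOT EXISTS projects (name TEXT PRIMARY KEY, scan_address TEXT,"
               " scan_mode TEXT, policy TEXT, timeout_s INT, interval_ms INT)")
    db.execute("INSERT INTO projects VALUES (?, ?, ?, ?, ?, ?)", (p.name, p.scan_address,
               p.scan_mode, p.policy, p.timeout_s, p.interval_ms))
    return db.execute("SELECT COUNT(*) FROM projects").fetchone()[0]
```

Because the tool stores operator-supplied project names and addresses, the insert uses placeholders so that a name containing SQL syntax is stored as plain data.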
In the present invention, the database is a MySQL database.
In the present invention, the scanning tools comprise: a host scanning tool, a weak password scanning tool, the web application vulnerability scanning tool webscan, a buffer overflow tool and a brute-force cracking tool.
In the present invention, the default initial user of the automated penetration testing system is the super administrator, who has the highest privileges.
In the present invention, the penetration testing types in Step 4 comprise manual penetration testing and automatic penetration testing; manual penetration testing means using penetration attack tools to perform association analysis on the vulnerabilities found by the vulnerability scanning module and, according to the analysis results, carrying out SQL injection, overflow and brute-force cracking penetration tests; automatic penetration testing means that the system automatically attempts penetration attack tests according to the policy, and the attack methods comprise brute-force cracking, SQL injection and overflow.
An automated penetration testing system based on the described automated penetration testing method is provided, comprising a system management module, a project management module, a vulnerability scanning module, a penetration testing module and a result display module;
The system management module manages the login users, system updates and basic system settings of the automated penetration testing system; after logging in as the super administrator, user accounts can be added, deleted and modified, and system settings can be changed;
The project management module manages the information of target projects, including creating target projects, and saves the configuration information in the database; the configuration information comprises: project name, scan address, address description, scan mode, policy selection and advanced parameters;
The vulnerability scanning module performs vulnerability scanning, identification and classification of the target project after the target project scan is started (the system back end performs information gathering and analysis on the project's target scan address, which then enters the vulnerability scanning module, where scripts in the vulnerability library check whether the target project's scan address has vulnerabilities; the vulnerability scanning module is implemented by integrating third-party tools);
The penetration testing module, after the target project penetration test is started, uses the vulnerability information obtained by the vulnerability scanning module and the selected policy to carry out the penetration test;
The result display module, after the penetration test is complete, applies formatted information processing to the penetration test results and converts them into a form the user can view.
In the present invention, users are divided into super administrator, administrator and ordinary user; the super administrator, once logged in, can add, delete and modify user accounts and change system settings; an ordinary user, once logged in, can make basic settings, including changing the password.
In the present invention, formatted information processing means that the information obtained by the penetration test, including vulnerability type, vulnerability level, vulnerability distribution and vulnerability exploitation results, is summarized and organized and then output as a document in text form (Word, PDF, etc.).
Working principle of the present invention: the automated penetration testing system supports high-precision, fully automatic, extensible layered penetration testing of every level of a conventional Internet architecture, including the host operating system layer, the network layer, the database layer and the WebApp application layer. Automated penetration means that once the target project has been configured, starting the task automatically completes information gathering, automatically loads vulnerability detection, automatically loads vulnerability exploitation, and automatically performs association analysis of weakness/vulnerability information. Layered penetration includes but is not limited to: support for system-layer vulnerabilities, for network device penetration, for the Web application layer, for the database layer, and for social engineering penetration (password guessing, path inference, email spoofing, email phishing). High-precision penetration includes but is not limited to: comprehensive support for penetration matched by CVE vulnerability number, support for first discovering vulnerabilities and then probing them manually, precise analysis of the penetration target, and environment identification. Extensible penetration includes but is not limited to: customizable attack scripts; customizable dictionaries, ports, etc.; and customizable privilege control methods: command-line control (reverse connection, active connection), webshell control, and graphical management protocols (RDP, etc.).
Compared with the prior art, the beneficial effects of the present invention are:
According to the configuration information, all the technical means used in any penetration testing process, including information gathering, vulnerability scanning, vulnerability exploitation, and the privilege control means after vulnerability exploitation, are fully integrated and processed in the background, achieving a more efficient and accurate, fully automated penetration technique.
Brief description of the drawings
Fig. 1 is a flow diagram of the automated penetration testing method.
Fig. 2 is a schematic diagram of the modules of the automated penetration testing system.
Fig. 3 is a flow diagram of penetration testing in the embodiment.
Embodiment
First, it should be noted that the present invention relates to automation technology for information security attack and defence, and is an application of computer technology in the field of information security. Implementing the invention involves the application of multiple software functional modules. The applicant believes that, after carefully reading the application documents and accurately understanding the implementation principle and purpose of the invention, a person skilled in the art can, in combination with existing known technology, fully implement the invention using their software programming skills. The aforementioned software functional modules include but are not limited to: the system management module, project management module, vulnerability scanning module, penetration testing module, result display module, etc.; everything mentioned in the application documents of the present invention falls into this category, and the applicant will not enumerate them one by one.
The present invention is described in further detail below with reference to the drawings and the embodiment:
Fig. 1 shows the flow diagram of the automated penetration testing method and system; the specific steps are as follows:
Step 1: set the parameter information and save the configured parameter information in the database. The database is a MySQL database; the type of database does not limit the technical solution of the present invention and is therefore not restricted in the embodiments. The parameter information comprises: system operation log, dictionary, and update records. Those skilled in the art clearly understand how to set these parameters.
Step 2: log in as an administrator or ordinary user and proceed as follows: set the target project to be penetrated, and add, delete or modify target projects. Configure the scan mode of the test for the target that requires penetration testing, and save the configuration information in the database. The configuration information comprises: project name, scan address, scan mode and policy selection.
Step 3: use the scan mode configured in the target project to perform vulnerability scanning of the target project. The scan modes comprise: full-automatic penetration, web scanning, weak password scanning and host scanning.
The authoritative scanning tools integrated for the scan modes include but are not limited to: a host scanning tool, a weak password scanning tool, and the web application vulnerability scanning tool webscan.
Step 4: use the policy configured for the target project to perform penetration testing of the target project, using the vulnerabilities identified in Step 3.
Policy selection comprises: automatic identification and custom. A policy is the payload, predefined for each vulnerability type, that is used to attack each specified vulnerability, and it is saved in the specified database.
Penetration testing comprises manual penetration and automatic penetration. Full-automatic penetration means that the system automatically attempts penetration attack tests according to the policy, and the attack methods comprise brute-force cracking, SQL injection and overflow. Manual penetration means using penetration attack tools to perform association analysis on the vulnerabilities found by the vulnerability scanning module and, according to the analysis results, carrying out SQL injection, overflow and brute-force cracking penetration tests.
Step 5: the result display module provides the output.
As shown in Fig. 2, the modules of the automated penetration testing system are described in detail:
1. System management module
This module is developed in Java and can be used on different operating system platforms. It manages the login users of the penetration system and the basic system settings. After logging in as the super administrator, the user can add, delete and modify user accounts in the user management section. The super administrator can add, delete and modify user accounts and change system settings. Users are divided into super administrator, administrator and ordinary user. When logged in as an ordinary user, the user can only make basic settings, such as changing the password.
2. Project management module
This module mainly manages the information of target projects, such as creating target projects. After entering the system as an ordinary user, the user configures the target project to be penetration tested, the scan mode and the scanning policy, and the configuration information is saved in the database. The configuration information comprises: project name, scan address, address description, scan mode and policy selection.
3. Vulnerability scanning module
After entering the system as an ordinary user, the user starts the target project scan. The scan is executed in the background by default.
4. Penetration testing module
After entering the system as an ordinary user, the user starts the target project scan; once the vulnerability scanning module has identified the vulnerability information, that information is used with the selected policy to carry out the penetration test. Penetration testing is divided into automatic penetration and manual penetration. Automatic penetration is executed in the background by default; manual penetration uses the vulnerability information for association analysis in order to penetrate manually.
5. Result display module
After the automatic penetration test is complete, formatted information processing is applied to the penetration test results, which are converted into a form the user can view. The formatting covers the information obtained by the penetration test, generally the vulnerability type, vulnerability level, vulnerability distribution and a brief description of the vulnerability exploitation results; after this information is summarized and organized, it is output as a document in a text form such as Word or PDF, so that information security engineers can review it.
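The formatted information processing described for the result display module amounts to aggregating findings by type, level and distribution and listing the exploitation results. The following sketch is an added illustration, not code from the patent; the finding fields, the level names and the plain-text layout are assumptions, and the sample findings are constructed.

```python
from collections import Counter

# Severity order used to sort the report; the level names are assumed.
LEVELS = ("high", "medium", "low")

def summarize(findings):
    """Aggregate findings into the views the result display module reports."""
    by_type = Counter(f["type"] for f in findings)
    by_level = Counter(f["level"] for f in findings)
    by_host = Counter(f["host"] for f in findings)        # vulnerability distribution
    confirmed = [f for f in findings if f["exploited"]]   # exploitation results
    return {"by_type": dict(by_type), "by_level": dict(by_level),
            "by_host": dict(by_host), "confirmed": len(confirmed)}

def render_text(project, findings):
    """Render a plain-text report, most severe findings first."""
    s = summarize(findings)
    lines = [f"Penetration test report: {project}",
             f"Findings: {len(findings)} (confirmed by exploitation: {s['confirmed']})", ""]
    lines.append("By level: " + ", ".join(f"{lv}={s['by_level'].get(lv, 0)}" for lv in LEVELS))
    lines.append("By host:  " + ", ".join(f"{h}={n}" for h, n in sorted(s["by_host"].items())))
    lines.append("")
    # A level outside LEVELS raises ValueError here rather than being silently misfiled.
    ordered = sorted(findings, key=lambda f: (LEVELS.index(f["level"]), f["host"], f["type"]))
    for f in ordered:
        status = "confirmed" if f["exploited"] else "unconfirmed"
        lines.append(f"[{f['level'].upper():6}] {f['host']:12} {f['type']:18} {status}")
    return "\n".join(lines)

# Constructed sample findings (hosts use the RFC 5737 documentation range).
SAMPLE = [
    {"type": "weak password", "level": "medium", "host": "192.0.2.20", "exploited": True},
    {"type": "sql injection", "level": "high", "host": "192.0.2.10", "exploited": True},
    {"type": "buffer overflow", "level": "high", "host": "192.0.2.20", "exploited": False},
    {"type": "weak password", "level": "low", "host": "192.0.2.10", "exploited": False},
]

if __name__ == "__main__":
    print(render_text("lab-demo", SAMPLE))
```

Separating confirmed from unconfirmed findings lets the reviewing engineer tell scanner output that was verified by exploitation from output that still needs manual confirmation.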
Fig. 3 is a schematic diagram of the penetration testing flow in one embodiment of the present invention; the steps comprise:
1) the user logs in to the system, creates a new target project, which is saved in the specified database, and starts the project scan;
2) the scan mode configured in the target project is used to scan for vulnerabilities at the target project address; the corresponding penetration engine is called to scan the target project's vulnerabilities;
3) after the scan is complete, the policy selected for the target project is used to exploit the vulnerabilities, completing the penetration test;
4) after the automatic penetration test is complete, formatted information processing is applied to the results, which are converted into a form the user can view.
Finally, it should be noted that the above is only a specific embodiment of the invention. Obviously, the invention is not limited to the above embodiment, and many variations are possible. All variations that a person of ordinary skill in the art can directly derive or infer from the disclosure of the present invention shall be considered within the scope of protection of the invention.