CN104200167A - Automatic penetration testing method and system - Google Patents
Automatic penetration testing method and system Download PDFInfo
- Publication number
- CN104200167A CN104200167A CN201410381582.2A CN201410381582A CN104200167A CN 104200167 A CN104200167 A CN 104200167A CN 201410381582 A CN201410381582 A CN 201410381582A CN 104200167 A CN104200167 A CN 104200167A
- Authority
- CN
- China
- Prior art keywords
- penetration testing
- scanning
- engineering
- module
- leak
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention relates to penetration testing and aims to provide an automatic penetration testing method and system. The automatic penetration testing method includes the steps that system parameter information is configured, administrator users and common users are set up, and a target project needing to be penetrated is set; by using the scanning mode configured in the target project, vulnerability scanning, recognition and classification are carried out on the target project through a scanning tool; penetration testing is performed on the target project, and finally a result of penetration testing is output. The automatic penetration testing system comprises a system management module, a project management module, a vulnerability scanning module, a penetration testing module and a result displaying module. According to the automatic penetration testing method and system, the technical means, including information collecting, vulnerability scanning, vulnerability using, used in any penetration testing process and the right control means after vulnerability is used are all integrated and processed at the background according to the configuration information, so that a more efficient and accurate fully-automatic penetration technology is achieved.
Description
Technical field
The invention relates to infiltration defence mapping contrast technology, leak infiltration intelligent logical control technology and information and transform translation technology field, particularly robotization penetration testing method and system.
Background technology
Life along with the fast development of the various application in internet (Web bank, ecommerce, personal space, microblogging, large data, the cloud storage etc.) people that deepen continuously, if there is hidden danger in these internet, applications of carrying bulk information, victim malicious exploitation, personal information or even whole application system all can face security risk so.
Along with carrying internet, applications flourish of numerous and disorderly various and mass data information, everybody also more and more pays close attention to internet, applications information security.For common internet application management person, the management based on safety takies a large amount of working times and need to know art of attack and defense knowledge and constantly study new method and technology.It is high that current known various leak security tools enter gate threshold, and this is very large for keeper's challenge, and from leak, is found to the cost of labor that the tests such as leak utilization need to cost a lot of money.
To sum up, the method for penetration testing is all based on half instrument, semi-artificial in the prior art.And from leak, excavate the tests such as leak utilization and need to expend a large amount of time, repeatedly operation, also needs artificial input command to carry out penetration testing with the configuration surroundings step by step with different instruments.
Summary of the invention
Fundamental purpose of the present invention is to overcome deficiency of the prior art, provide a kind of by the technological means of using in any penetration testing process, comprise information, vulnerability scanning, leak utilization, the penetration testing report the test control of authority means after generating, all robotizations a kind of more efficiently, infiltration technology accurately.For solving the problems of the technologies described above, solution of the present invention is:
Robotization penetration testing method is provided, specifically comprises the steps:
Step 1: configuration-system parameter information, and be kept in database; Parameter information comprises: System Operation Log, dictionary, new record more;
Step 2: set up administrator and domestic consumer for after logining, use administrator or domestic consumer's login, set the target engineering that needs infiltration, carry out the establishment of target engineering, the test scan mode that target setting engineering adopts, and configuration information is kept in database; Configuration information comprises: engineering name, scan address, scan mode, policy selection and advanced parameters;
Described scan mode comprises that (web scanning refers to and utilizes web application weakness scanner webscan for full-automatic infiltration, web scanning, configuration web vulnerability scanning strategy permeates), (weak passwurd scanning refers to and utilizes violence Advanced Mailbox Password Recovery in weak passwurd scanning, password dictionary permeates) and main frame scanning (main frame scanning refer to and utilize buffer overflow instrument, main frame overflows strategy and permeates); Full-automatic infiltration comprises web scanning, weak passwurd scanning, main frame scanning;
Described policy selection comprises automatic recognition strategy, self-defined strategy; Strategy refers to each service load (payload) of specifying leak to attack in pre-defined every kind of leak type, and is kept in database;
Described advanced parameters comprise the overtime setting of scanning, scanning give out a contract for a project the time interval arrange, scanning ids walks around settings, specify that cookie arranges, sql injects and replaces setting and the setting of http authentication information;
Step 3: use the scan mode configuring in target engineering, utilize scanning tools to carry out target engineering vulnerability scanning, identification and classification;
Step 4: use the strategy configuring in target engineering, utilize the leak of identifying in step 3, carry out target engineering penetration testing, penetration testing method comprises sql injection, buffer overflow, Brute Force, host information detection and collects;
Step 5: by the penetration testing result obtaining in step 3, step 4, export by result display module.
In the present invention, described database adopts MYSQL database.
In the present invention, described scanning tools comprises: main frame scanning tools, weak passwurd scanning tools, web application weakness scanning tools webscan, buffer overflow instrument and Brute Force instrument.
In the present invention, the super keeper of described robotization penetration testing system default initial user, possesses highest weight limit.
In the present invention, the penetration testing type in described step 4 comprises that artificial permeation tests and automatic penetration testing; Artificial permeation test refers to the penetration attack instrument that utilizes, and according to the leak of vulnerability scanning module scanning, carries out association analysis, according to the result of analyzing carry out sql injection, overflow, the penetration testing of Brute Force; Automatically penetration testing refers to that system attempts penetration attack test automatically according to strategy, and attack pattern comprises that Brute Force, sql inject, overflow.
The robotization penetration testing system that robotization penetration testing method based on described is provided, comprises system management module, engineering management module, vulnerability scanning module, penetration testing module, result display module;
Described system management module, for login user, system update and the system basic setup of management automation penetration testing system, logs in by super keeper, carries out interpolation, deletion and the modification of user account, and system setting;
Described engineering management module is used for the information of management objectives engineering, comprises target engineering is created, and configuration information is also kept at lane database; Configuration information comprises: engineering name, scan address, address explanation, scan mode, policy selection and advanced parameters;
Described vulnerability scanning module is for after starting the scanning of target engineering, (engineering objective scan address enters vulnerability scanning module after carrying out information and analyze on system backstage, uses the script in vulnerability database to check whether target engineering scan address exists leak in vulnerability scanning module for performance objective engineering vulnerability scanning, identification and classification; Vulnerability scanning module is that integrating third-party instrument is realized);
Described penetration testing module is for after starting target engineering penetration testing, and the vulnerability information that utilizes vulnerability scanning module to obtain, adopts selected strategy to carry out penetration testing;
Described result display module, for after penetration testing completes, according to penetration testing result, carries out formatted message processing to penetration testing result, by format conversion, is the visual form of user.
In the present invention, described user is divided into super keeper, keeper, domestic consumer; Super keeper logs in interpolation, deletion and the modification that can carry out user account, and system setting; Domestic consumer logs in and can carry out basic setup, comprises Modify password.
In the present invention, described formatted message is processed and is referred to the information that penetration testing is obtained, and comprises that leak type, leak grade, leak distribute and leak utilizes result, is output as the document of (word, pdf etc.) textual form after concluding and arranging.
Principle of work of the present invention: robotization penetration testing system is supported the penetration testing of conventional internet structure at all levels, comprising: host operating system layer, network layer, database aspect, contour accurate, full-automatic, the extendible percdation of WebApp application layer.After its robotization infiltration refers to that target engineering has configured, initiating task automatically completes information, automatically loads vulnerability detection, automatically loads leak utilization, automatically carries out the association analysis of weakness/vulnerability information; Percdation includes but not limited to: back-up system layer leak, the infiltration of network enabled equipment, support Web application layer, supporting database layer, support social engineering infiltration (password guess, path reasoning, mail deception, mail fishing); High precisely infiltration comprises and being not limited to: support the infiltration of CVE leak numbering coupling comprehensively, support first to find leak, surveying leak by hand, precisely analyzing infiltration target, environment-identification; Can extension penetration comprise and being not limited to: can customize attack script, can customize dictionary, port etc., can customize control of authority mode: order line controls that (bounce-back is controlled, initiatively connected), webshell control, graphically managing agreement (RDP etc.).
Compared with prior art, the invention has the beneficial effects as follows:
Can be according to configuration information, by the technological means of using in any penetration testing process, comprise information, vulnerability scanning, leak utilization, and the control of authority means after leak utilization, whole integrated, background process, realizes more efficiently, whole robotization infiltration technologies accurately.
Accompanying drawing explanation
Fig. 1 is the schematic flow sheet of robotization penetration testing method.
Fig. 2 is the modules schematic diagram of robotization penetration testing system.
Fig. 3 is penetration testing schematic flow sheet in embodiment.
Embodiment
First it should be noted that, the present invention relates to information security attacking and defending automatic technology, is that computer technology is in a kind of application of information security field.In implementation procedure of the present invention, can relate to the application of a plurality of software function modules.Applicant thinks, as reading over application documents, accurate understanding is of the present invention realize principle and goal of the invention after, in conjunction with existing known technology in the situation that, those skilled in the art can use the software programming technical ability of its grasp to realize the present invention completely.Aforementioned software functional module comprises but is not limited to: system management module, engineering management module, vulnerability scanning module, penetration testing module, result display module etc., and this category of all genus that all the present patent application files are mentioned, applicant will not enumerate.
Below in conjunction with accompanying drawing and embodiment, the present invention is described in further detail:
Be the schematic flow sheet of robotization penetration testing method and system as shown in Figure 1, concrete steps are as follows:
Step 1, sets parameter information, and configuration parameter information is kept in database; Described database is MYSQL database, and the type of described database is not limited to technical scheme of the present invention, therefore do not limit in the present invention program embodiment.Parameter information comprises: System Operation Log, dictionary, new record more.How to understand parameters with those skilled in the art know that.
Step 2, is used administrator or domestic consumer's login, proceeds as follows: set the target engineering that needs infiltration, carry out interpolation, deletion, the modification of target engineering.Configuration needs the scan mode of the test that the target of penetration testing need to permeate, and configuration information is kept in database; Configuration information comprises: engineering name, scan address, scan mode, policy selection.
Step 3, is used the scan mode configuring in target engineering to carry out target engineering vulnerability scanning, and scan mode comprises: full-automatic infiltration, web scanning, weak passwurd scanning, main frame scanning.
The integrated authority's of described scan mode scanning tools comprises and being not limited to: main frame scanning tools, weak passwurd scanning tools, web application weakness scanning tools webscan.
Step 4, is used the strategy of target engineering configuration to carry out target engineering penetration testing, utilizes the leak of identifying in step 3.
Policy selection comprises: automatically other, self-defined.Strategy refers to each service load (payload) of specifying leak to attack in pre-defined every kind of leak type, and it is kept at specified database.
Penetration testing comprises artificial permeation, automatically infiltration.Described full-automatic infiltration refers to that system attempts penetration attack test automatically according to strategy, and attack pattern comprises that Brute Force, sql inject, overflow.Artificial permeation utilizes penetration attack instrument, according to the leak of vulnerability scanning module scanning, carries out association analysis, according to the result of analyzing carry out sql injection, overflow, the penetration testing of Brute Force.
Step 5, result display module is as output.
As shown in Figure 2, the modules of robotization penetration testing system is described in detail:
1, system management module
Use java exploitation, can in different operating system platforms, use.For managing the login user of osmosis system and the basic setup of system.User can log on user management part with super keeper can carry out user account interpolation, deletes, and revises.Super administrator can carry out user account interpolation, deletes, and revises system setting.User is divided into super keeper, keeper, domestic consumer.While using domestic consumer to log in, user can only carry out basic setup, only includes Modify password etc.
2, engineering management module
This module is mainly the information of management objectives engineering.Target engineering is created etc.User domestic consumer enters after system, and configuration needs the target engineering of penetration testing, scan mode, and scanning strategy, and configuration information is kept to lane database.Configuration information comprises: engineering name, scan address, address explanation, scan mode, policy selection.
3, vulnerability scanning module
User enters after system with domestic consumer, starts the scanning of target engineering.That backstage acquiescence is carried out herein.
4, penetration testing module
User domestic consumer enters after system, starts target engineering and scans after vulnerability information identification in vulnerability scanning module, utilizes vulnerability information to adopt selected strategy to carry out penetration testing.Penetration testing is divided into two kinds of automatic infiltration and artificial permeations.Automatically infiltration is that backstage acquiescence is carried out, and artificial permeation utilizes vulnerability information to carry out association analysis to carry out manual infiltration.
5, result display module
Automatically, after penetration testing completes, according to penetration testing result, penetration testing result is carried out to formatted message processing, and be the visual form of user by format conversion.The target of format is the information that penetration testing is obtained, be generally leak type, leak grade, leak distribution and leak and utilize cutline of result, after being concluded and arranged, this type of information is output as the document of the textual forms such as word, pdf, so that Information Security Engineer checks.
Fig. 3 is the schematic diagram of penetration testing flow process in one embodiment of the present of invention, and step comprises:
1) user signs in to system, and new destination engineering is also kept in specified database, starts engineering scanning;
2) use the scan mode configuring in target engineering to scan the leak in described target engineering address, call corresponding end osmotic engine, scan target engineering leak;
3) after having scanned, adopt the selected strategy of target engineering, thereby carry out leak utilization, complete penetration testing;
4) after penetration testing completes automatically, according to penetration testing result, result is carried out to formatted message processing, and be the visual form of user by format conversion.
Finally, it should be noted that above what enumerate is only specific embodiments of the invention.Obviously, the invention is not restricted to above embodiment, can also have a lot of distortion.All distortion that those of ordinary skill in the art can directly derive or associate from content disclosed by the invention, all should think protection scope of the present invention.
Claims (8)
1. robotization penetration testing method, is characterized in that, specifically comprises the steps:
Step 1: configuration-system parameter information, and be kept in database; Parameter information comprises: System Operation Log, dictionary, new record more;
Step 2: set up administrator and domestic consumer for after logining, use administrator or domestic consumer's login, set the target engineering that needs infiltration, carry out the establishment of target engineering, the test scan mode that target setting engineering adopts, and configuration information is kept in database; Configuration information comprises: engineering name, scan address, scan mode, policy selection and advanced parameters;
Described scan mode comprises full-automatic infiltration, web scanning, weak passwurd scanning and main frame scanning; Full-automatic infiltration comprises web scanning, weak passwurd scanning, main frame scanning;
Described policy selection comprises automatic recognition strategy, self-defined strategy; Strategy refers to each service load of specifying leak to attack in pre-defined every kind of leak type, and is kept in database;
Described advanced parameters comprise the overtime setting of scanning, scanning give out a contract for a project the time interval arrange, scanning ids walks around settings, specify that cookie arranges, sql injects and replaces setting and the setting of http authentication information;
Step 3: use the scan mode configuring in target engineering, utilize scanning tools to carry out target engineering vulnerability scanning, identification and classification;
Step 4: use the strategy configuring in target engineering, utilize the leak of identifying in step 3, carry out target engineering penetration testing, penetration testing method comprises sql injection, buffer overflow, Brute Force, host information detection and collects;
Step 5: by the penetration testing result obtaining in step 3, step 4, export by result display module.
2. robotization penetration testing method according to claim 1, is characterized in that, described database adopts MYSQL database.
3. robotization penetration testing method according to claim 1, is characterized in that, described scanning tools comprises: main frame scanning tools, weak passwurd scanning tools, web application weakness scanning tools webscan, buffer overflow instrument and Brute Force instrument.
4. robotization penetration testing method according to claim 1, is characterized in that, the super keeper of described robotization penetration testing system default initial user possesses highest weight limit.
5. robotization penetration testing method according to claim 1, is characterized in that, the penetration testing type in described step 4 comprises that artificial permeation tests and automatic penetration testing; Artificial permeation test refers to the penetration attack instrument that utilizes, and according to the leak of vulnerability scanning module scanning, carries out association analysis, according to the result of analyzing carry out sql injection, overflow, the penetration testing of Brute Force; Automatically penetration testing refers to that system attempts penetration attack test automatically according to strategy, and attack pattern comprises that Brute Force, sql inject, overflow.
6. the robotization penetration testing system based on robotization penetration testing method claimed in claim 1, is characterized in that, comprises system management module, engineering management module, vulnerability scanning module, penetration testing module, result display module;
Described system management module, for login user, system update and the system basic setup of management automation penetration testing system, logs in by super keeper, carries out interpolation, deletion and the modification of user account, and system setting;
Described engineering management module is used for the information of management objectives engineering, comprises target engineering is created, and configuration information is also kept at lane database; Configuration information comprises: engineering name, scan address, address explanation, scan mode, policy selection and advanced parameters;
Described vulnerability scanning module is used for after starting the scanning of target engineering, performance objective engineering vulnerability scanning, identification and classification;
Described penetration testing module is for after starting target engineering penetration testing, and the vulnerability information that utilizes vulnerability scanning module to obtain, adopts selected strategy to carry out penetration testing;
Described result display module, for after penetration testing completes, according to penetration testing result, carries out formatted message processing to penetration testing result, by format conversion, is the visual form of user.
7. robotization penetration testing system according to claim 6, is characterized in that, described user is divided into super keeper, keeper, domestic consumer; Super keeper logs in interpolation, deletion and the modification that can carry out user account, and system setting; Domestic consumer logs in and can carry out basic setup, comprises Modify password.
8. robotization penetration testing system according to claim 6, it is characterized in that, described formatted message is processed and is referred to the information that penetration testing is obtained, and comprises that leak type, leak grade, leak distribute and leak utilizes result, is output as the document of textual form after concluding and arranging.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410381582.2A CN104200167B (en) | 2014-08-05 | 2014-08-05 | Automate penetration testing method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410381582.2A CN104200167B (en) | 2014-08-05 | 2014-08-05 | Automate penetration testing method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104200167A true CN104200167A (en) | 2014-12-10 |
| CN104200167B CN104200167B (en) | 2017-08-18 |
Family
ID=52085458
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410381582.2A Active CN104200167B (en) | 2014-08-05 | 2014-08-05 | Automate penetration testing method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104200167B (en) |
Cited By (26)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105608381A (en) * | 2015-12-18 | 2016-05-25 | 北京奇虎科技有限公司 | Application test method and system |
| CN105827642A (en) * | 2016-05-16 | 2016-08-03 | 深圳市安络科技有限公司 | Automatic penetration testing method and system |
| CN106407811A (en) * | 2016-10-10 | 2017-02-15 | 合肥红珊瑚软件服务有限公司 | SQL injection loophole positioning detection system |
| CN106411906A (en) * | 2016-10-10 | 2017-02-15 | 合肥红珊瑚软件服务有限公司 | SQL (Structured Query Language) injection flaw positioning and detecting method |
| CN106911665A (en) * | 2016-12-27 | 2017-06-30 | 深圳市安之天信息技术有限公司 | A kind of method and system for recognizing malicious code weak passwurd intrusion behavior |
| CN107330010A (en) * | 2017-06-14 | 2017-11-07 | 北京知道未来信息技术有限公司 | A kind of backstage path blasting method based on machine learning |
| CN107392033A (en) * | 2017-08-30 | 2017-11-24 | 杭州安恒信息技术有限公司 | A kind of Android device Permeation Test System and its automation penetration testing method |
| CN107426227A (en) * | 2017-08-02 | 2017-12-01 | 江苏省邮电规划设计院有限责任公司 | One kind automation safe penetration method of testing |
| CN109120643A (en) * | 2018-10-11 | 2019-01-01 | 北京知道创宇信息技术有限公司 | Penetration test method and device |
| CN109284611A (en) * | 2018-09-20 | 2019-01-29 | 北京计算机技术及应用研究所 | The method of test macro and realization internet security test based on Metasploit frame |
| CN109344624A (en) * | 2018-10-26 | 2019-02-15 | 深信服科技股份有限公司 | Penetration test method, platform, equipment and storage medium based on cloud cooperation |
| CN109861987A (en) * | 2019-01-02 | 2019-06-07 | 广州大学 | Automate Permeation Test System, method and robot |
| CN110532435A (en) * | 2019-08-12 | 2019-12-03 | 广州海颐信息安全技术有限公司 | The method and device of dynamic extending privilege account scanning system integrating external system |
| CN110677381A (en) * | 2019-08-14 | 2020-01-10 | 奇安信科技集团股份有限公司 | Penetration testing method and device, storage medium and electronic device |
| CN110717184A (en) * | 2019-09-27 | 2020-01-21 | 北京计算机技术及应用研究所 | Distributed safety test system |
| CN110768948A (en) * | 2019-08-14 | 2020-02-07 | 奇安信科技集团股份有限公司 | Vulnerability detection method and device, storage medium and electronic device |
| CN111027074A (en) * | 2019-12-05 | 2020-04-17 | 国网浙江省电力有限公司电力科学研究院 | Vulnerability automatic utilization method and system |
| CN111310194A (en) * | 2020-02-14 | 2020-06-19 | 全球能源互联网研究院有限公司 | Vulnerability penetration verification method and device |
| CN111783105A (en) * | 2020-07-08 | 2020-10-16 | 国家计算机网络与信息安全管理中心 | Penetration testing method, device, equipment and storage medium |
| CN111898133A (en) * | 2020-07-23 | 2020-11-06 | 昆山领创信息科技有限公司 | Penetration testing device and method based on automation |
| CN112165473A (en) * | 2020-09-22 | 2021-01-01 | 杭州安恒信息技术股份有限公司 | Method, device and medium for detecting random account password reset logic loophole |
| CN112347485A (en) * | 2020-11-10 | 2021-02-09 | 远江盛邦(北京)网络安全科技股份有限公司 | Multi-engine vulnerability acquisition and automatic penetration processing method |
| CN113051571A (en) * | 2019-12-27 | 2021-06-29 | 中国移动通信集团湖南有限公司 | Method and device for detecting false alarm vulnerability and computer equipment |
| TWI738078B (en) * | 2019-10-08 | 2021-09-01 | 可立可資安股份有限公司 | Penetration test monitoring server and system |
| CN113868659A (en) * | 2021-10-20 | 2021-12-31 | 前锦网络信息技术(上海)有限公司 | Vulnerability detection method and system |
| CN114666104A (en) * | 2022-03-09 | 2022-06-24 | 国能信息技术有限公司 | Penetration testing method, system, computer equipment and storage medium |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110880983A (en) * | 2019-08-14 | 2020-03-13 | 奇安信科技集团股份有限公司 | Penetration testing method and device based on scene, storage medium and electronic device |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101242279A (en) * | 2008-03-07 | 2008-08-13 | 北京邮电大学 | Automatic penetration testing system and method for WEB system |
| CN101808093A (en) * | 2010-03-15 | 2010-08-18 | 北京安天电子设备有限公司 | System and method for automatically detecting WEB security |
| US20110035803A1 (en) * | 2009-08-05 | 2011-02-10 | Core Security Technologies | System and method for extending automated penetration testing to develop an intelligent and cost efficient security strategy |
| CN102136051A (en) * | 2011-05-06 | 2011-07-27 | 南开大学 | Method for driving web application penetration testing by applying SGM-SQL (sage grant management-structured query language) injection model |
| CN102468985A (en) * | 2010-11-01 | 2012-05-23 | 北京神州绿盟信息安全科技股份有限公司 | Method and system for carrying out penetration test on network safety equipment |
| CN103532793A (en) * | 2013-10-28 | 2014-01-22 | 中国航天科工集团第二研究院七〇六所 | Automatic penetration testing method for information system security |
-
2014
- 2014-08-05 CN CN201410381582.2A patent/CN104200167B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101242279A (en) * | 2008-03-07 | 2008-08-13 | 北京邮电大学 | Automatic penetration testing system and method for WEB system |
| US20110035803A1 (en) * | 2009-08-05 | 2011-02-10 | Core Security Technologies | System and method for extending automated penetration testing to develop an intelligent and cost efficient security strategy |
| CN101808093A (en) * | 2010-03-15 | 2010-08-18 | 北京安天电子设备有限公司 | System and method for automatically detecting WEB security |
| CN102468985A (en) * | 2010-11-01 | 2012-05-23 | 北京神州绿盟信息安全科技股份有限公司 | Method and system for carrying out penetration test on network safety equipment |
| CN102136051A (en) * | 2011-05-06 | 2011-07-27 | 南开大学 | Method for driving web application penetration testing by applying SGM-SQL (sage grant management-structured query language) injection model |
| CN103532793A (en) * | 2013-10-28 | 2014-01-22 | 中国航天科工集团第二研究院七〇六所 | Automatic penetration testing method for information system security |
Non-Patent Citations (2)
| Title |
|---|
| 严俊龙: "基于Metasploit框架自动化渗透测试研究", 《信息网络安全》 * |
| 陈思琪: "基于自动化渗透性测试的军交网络安全研究", 《中国优秀硕士学位论文全文数据库信息科技辑》 * |
Cited By (36)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105608381A (en) * | 2015-12-18 | 2016-05-25 | 北京奇虎科技有限公司 | Application test method and system |
| CN105827642A (en) * | 2016-05-16 | 2016-08-03 | 深圳市安络科技有限公司 | Automatic penetration testing method and system |
| CN106407811A (en) * | 2016-10-10 | 2017-02-15 | 合肥红珊瑚软件服务有限公司 | SQL injection loophole positioning detection system |
| CN106411906A (en) * | 2016-10-10 | 2017-02-15 | 合肥红珊瑚软件服务有限公司 | SQL (Structured Query Language) injection flaw positioning and detecting method |
| CN106911665A (en) * | 2016-12-27 | 2017-06-30 | 深圳市安之天信息技术有限公司 | A kind of method and system for recognizing malicious code weak passwurd intrusion behavior |
| CN107330010A (en) * | 2017-06-14 | 2017-11-07 | 北京知道未来信息技术有限公司 | A kind of backstage path blasting method based on machine learning |
| CN107426227B (en) * | 2017-08-02 | 2019-09-10 | 中通服咨询设计研究院有限公司 | A kind of automation safe penetration test method |
| CN107426227A (en) * | 2017-08-02 | 2017-12-01 | 江苏省邮电规划设计院有限责任公司 | One kind automation safe penetration method of testing |
| CN107392033A (en) * | 2017-08-30 | 2017-11-24 | 杭州安恒信息技术有限公司 | A kind of Android device Permeation Test System and its automation penetration testing method |
| CN107392033B (en) * | 2017-08-30 | 2019-12-31 | 杭州安恒信息技术股份有限公司 | Android device penetration test system and automatic penetration test method thereof |
| CN109284611A (en) * | 2018-09-20 | 2019-01-29 | 北京计算机技术及应用研究所 | The method of test macro and realization internet security test based on Metasploit frame |
| CN109284611B (en) * | 2018-09-20 | 2021-05-18 | 北京计算机技术及应用研究所 | Test system based on Metasplait framework and method for realizing network security test |
| CN109120643B (en) * | 2018-10-11 | 2020-11-20 | 北京知道创宇信息技术股份有限公司 | Penetration testing method and device |
| CN109120643A (en) * | 2018-10-11 | 2019-01-01 | 北京知道创宇信息技术有限公司 | Penetration test method and device |
| CN109344624A (en) * | 2018-10-26 | 2019-02-15 | 深信服科技股份有限公司 | Penetration test method, platform, equipment and storage medium based on cloud cooperation |
| CN109344624B (en) * | 2018-10-26 | 2022-02-18 | 深信服科技股份有限公司 | Penetration testing method, platform, equipment and storage medium based on cloud cooperation |
| CN109861987A (en) * | 2019-01-02 | 2019-06-07 | 广州大学 | Automate Permeation Test System, method and robot |
| CN110532435B (en) * | 2019-08-12 | 2022-05-17 | 广州海颐信息安全技术有限公司 | Method and device for integrating external system with dynamically extensible privileged account scanning system |
| CN110532435A (en) * | 2019-08-12 | 2019-12-03 | 广州海颐信息安全技术有限公司 | The method and device of dynamic extending privilege account scanning system integrating external system |
| CN110677381A (en) * | 2019-08-14 | 2020-01-10 | 奇安信科技集团股份有限公司 | Penetration testing method and device, storage medium and electronic device |
| CN110768948A (en) * | 2019-08-14 | 2020-02-07 | 奇安信科技集团股份有限公司 | Vulnerability detection method and device, storage medium and electronic device |
| CN110677381B (en) * | 2019-08-14 | 2023-05-09 | 奇安信科技集团股份有限公司 | Penetration test method and device, storage medium and electronic device |
| CN110717184A (en) * | 2019-09-27 | 2020-01-21 | 北京计算机技术及应用研究所 | Distributed safety test system |
| TWI738078B (en) * | 2019-10-08 | 2021-09-01 | 可立可資安股份有限公司 | Penetration test monitoring server and system |
| CN111027074B (en) * | 2019-12-05 | 2022-03-15 | 国网浙江省电力有限公司电力科学研究院 | Vulnerability automatic utilization method and system |
| CN111027074A (en) * | 2019-12-05 | 2020-04-17 | 国网浙江省电力有限公司电力科学研究院 | Vulnerability automatic utilization method and system |
| CN113051571A (en) * | 2019-12-27 | 2021-06-29 | 中国移动通信集团湖南有限公司 | Method and device for detecting false alarm vulnerability and computer equipment |
| CN111310194A (en) * | 2020-02-14 | 2020-06-19 | 全球能源互联网研究院有限公司 | Vulnerability penetration verification method and device |
| CN111783105A (en) * | 2020-07-08 | 2020-10-16 | 国家计算机网络与信息安全管理中心 | Penetration testing method, device, equipment and storage medium |
| CN111783105B (en) * | 2020-07-08 | 2024-03-29 | 国家计算机网络与信息安全管理中心 | Penetration test method, device, equipment and storage medium |
| CN111898133A (en) * | 2020-07-23 | 2020-11-06 | 昆山领创信息科技有限公司 | Penetration testing device and method based on automation |
| CN112165473A (en) * | 2020-09-22 | 2021-01-01 | 杭州安恒信息技术股份有限公司 | Method, device and medium for detecting random account password reset logic loophole |
| CN112347485A (en) * | 2020-11-10 | 2021-02-09 | 远江盛邦(北京)网络安全科技股份有限公司 | Multi-engine vulnerability acquisition and automatic penetration processing method |
| CN112347485B (en) * | 2020-11-10 | 2024-05-28 | 远江盛邦(北京)网络安全科技股份有限公司 | Processing method for acquiring loopholes and automatically penetrating multiple engines |
| CN113868659A (en) * | 2021-10-20 | 2021-12-31 | 前锦网络信息技术(上海)有限公司 | Vulnerability detection method and system |
| CN114666104A (en) * | 2022-03-09 | 2022-06-24 | 国能信息技术有限公司 | Penetration testing method, system, computer equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104200167B (en) | 2017-08-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104200167A (en) | Automatic penetration testing method and system | |
| CN104009881B (en) | A kind of method and device of system penetration testing | |
| CN101894230B (en) | Static and dynamic analysis technology-based host system security evaluation method | |
| CN104468267B (en) | A kind of electrical power distribution automatization system information security penetration testing method | |
| CN103999089B (en) | For the system and method for scanning computer leak in a network environment | |
| CN106982194A (en) | Vulnerability scanning method and device | |
| CN103365699B (en) | System API based on APK and the extracting method of character string and system when running | |
| CN109344624B (en) | Penetration testing method, platform, equipment and storage medium based on cloud cooperation | |
| CN104821950B (en) | distributed host vulnerability scanning method | |
| CN111353151B (en) | Vulnerability detection method and device for network application | |
| CN104184728A (en) | Safety detection method and device for Web application system | |
| CN107463839A (en) | A kind of system and method for managing application program | |
| CN111046415A (en) | Intelligent grading early warning system and method for confidential files | |
| CN103544449A (en) | Document circulation method and system based on hierarchical control | |
| Ibrahim et al. | Penetration testing using SQL injection to recognize the vulnerable point on web pages | |
| CN109359251A (en) | Audit method for early warning, device and the terminal device of application system service condition | |
| CN108965244A (en) | A kind of Formal Safety Assessment method of network semi-automation | |
| CN115827610A (en) | Method and device for detecting effective load | |
| CN110837646A (en) | Risk investigation device of unstructured database | |
| KR20200018966A (en) | Method and apparatus for processing cyber threat information | |
| CN105656936A (en) | Data encryption and storage method | |
| CN113824736B (en) | Asset risk handling method, device, equipment and storage medium | |
| CN115529142A (en) | Login management method, device, equipment and medium | |
| Aarya et al. | Web scanning: existing techniques and future | |
| CN101453388B (en) | Inspection method for Internet service operation field terminal safety |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
Address after: Zhejiang Zhongcai Building No. 68 Hangzhou 310051 Zhejiang province Binjiang District Tong Road 15 Patentee after: Dbappsecurity Co.,Ltd. Address before: Hangzhou City, Zhejiang province 310051 Binjiang District and Zhejiang road in the 15 storey building Patentee before: Dbappsecurity Co.,ltd. |
|
| CP02 | Change in the address of a patent holder | ||
| CP02 | Change in the address of a patent holder |
Address after: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer Patentee after: Dbappsecurity Co.,Ltd. Address before: Zhejiang Zhongcai Building No. 68 Hangzhou 310051 Zhejiang province Binjiang District Tong Road 15 Patentee before: Dbappsecurity Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220906 Address after: Room 709, 7th Floor, No. 188, Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province 310000 Patentee after: Hangzhou Anheng Vehicle Network Security Technology Co.,Ltd. Address before: 310051 15-storey Zhejiang Zhongcai Building, No. 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province Patentee before: Dbappsecurity Co.,Ltd. |