CN109104395B - Method and device for scanning, discovering and identifying service of Internet assets - Google Patents


Info

Publication number
CN109104395B
Authority
CN
China
Prior art keywords
internet
scanning
data packet
service
address
Legal status
Active
Application number
CN201710475038.8A
Other languages
Chinese (zh)
Other versions
CN109104395A (en)
Inventor
郝长久
赵贵阳
周春楠
Current Assignee
Yiyang Safety Technology Co ltd
Original Assignee
Yiyang Safety Technology Co ltd
Application filed by Yiyang Safety Technology Co ltd
Priority to CN201710475038.8A
Publication of CN109104395A
Application granted
Publication of CN109104395B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis


Abstract

The application provides a method and a device for scanning, discovering and identifying services of internet assets. The method is executed by a computer connected to the internet and provided with a scanning pool, and comprises the following steps: determining idle nodes in the Internet; sending a disguised scanning data packet to the Internet asset corresponding to an IP address in the scanning pool, and locally caching the IP address and the port of the Internet asset; then sending a session confirmation data packet to the idle node; receiving, in an asynchronous mode, a feedback data packet returned by the idle node; determining the internet asset corresponding to the feedback data packet according to the local cache, and judging whether the port of the internet asset is in an open state according to the identification number in the feedback data packet; and if the port of the internet asset is in an open state, identifying the service provided by the internet asset according to a preset port and service characteristic comparison relation library. By these means the application can effectively improve internet asset scanning efficiency.

Description

Method and device for scanning, discovering and identifying service of Internet assets
Technical Field
The present application relates to the field of computer network technologies, and in particular, to a method and an apparatus for internet asset scanning discovery and service identification.
Background
With the development of internet technology, more and more services are deployed on the internet. As internet assets grow, however, the security risks faced by an enterprise grow with them: strengthening the risk management of internet assets becomes a significant challenge for security administrators, and the assets an enterprise exposes on the internet are often the primary targets of hacking.
Network asset scanning and service identification is a technology for detecting the potential security hazards of local and remote computer systems. It sends detection data packets to a local or remote host, obtains the host's response, and analyzes the data packets fed back by the host, thereby learning the open state of the host's ports and the services the host provides. This helps people discover weaknesses and vulnerabilities of the host, improve network security and prevent hacker attacks.
Existing network asset scanning and service identification technology mainly scans with open-source tools, including Internet Control Message Protocol (ICMP) liveness detection, open-port service detection and the like, with the aim of finding the specific assets exposed on the Internet and the services exposed on them, so that hardening, network blocking and the like can be carried out in time to ensure the security of the assets and services. However, existing tools cannot achieve both efficiency and accuracy, and open-source scanning tools themselves have security holes, so efficient and accurate scanning is not achieved and the user experience is poor.
Disclosure of Invention
The application provides a method and a device for scanning, discovering and service identifying of internet assets, which are used for solving the problem that the internet assets cannot be efficiently and accurately scanned and discovered in the prior art.
The application discloses a method for scanning, discovering and identifying services of internet assets. The method is executed by a computer connected to the internet and provided with a scanning pool, in which an IP address, an IP address field or a plurality of IP address fields of the assets to be scanned are preset. The method comprises the following steps: determining the IP address of an idle node in the Internet; sending a disguised scanning data packet to the Internet asset corresponding to the IP address in the scanning pool, and locally caching the IP address and the port of the Internet asset, the source address of the scanning data packet being the IP address of the idle node; then sending a session confirmation data packet to the idle node; receiving, in an asynchronous mode, a feedback data packet returned by the idle node, wherein the scanning data packet, the session confirmation data packet and the feedback data packet all comprise the port and the identification number of the internet asset; determining the internet asset corresponding to the feedback data packet according to the local cache, and judging whether the corresponding port of the internet asset is in an open state according to the identification number included in the feedback data packet; and if the corresponding port of the internet asset is in an open state, identifying the service provided by the internet asset according to a preset port and service characteristic comparison relation library.
Preferably, the method further comprises the following steps: and repeatedly executing the resource scanning and service identification steps until the scanning and service identification of the internet resources corresponding to all the IP addresses in the scanning pool are completed.
Preferably, the sending of the disguised scan packet to the internet asset corresponding to the IP address in the scan pool specifically includes: sending the disguised scan data packets to a plurality of internet assets in a concurrent manner; and/or identifying the service provided by the internet assets according to a preset port and service characteristic comparison relation library, specifically: and storing the IP address of the Internet asset and the port in the open state in a local buffer area, and identifying the service provided by the Internet asset in a concurrent mode.
Preferably, before the step of sending the disguised scan packets to the plurality of internet assets in a concurrent manner, the method further comprises: and the IP address fields in the scanning pool are discretely divided, so that the resource of the same IP address field is prevented from being scanned at the same time.
Preferably, the method further comprises the following steps: and controlling the sending rate of the scanning data packet according to the receiving condition of the feedback data packet.
Preferably, before identifying the service provided by the internet asset according to the preset port and service feature cross-reference relation library, the method further includes: and establishing a port blacklist, and excluding internet resource ports which do not need to be identified.
Preferably, after the service provided by the internet asset is identified according to the port and service characteristic comparison relation library, the method further comprises the following steps: for services which cannot be identified according to the port and service characteristic comparison relationship, carrying out fuzzy identification on the service signature information fed back by the internet assets based on a preset basic service characteristic library; the probe set dispatching a corresponding probe to carry out accurate identification of the service according to the fuzzy identification content; the probe including connection instruction initiation, instruction echo capture, and regular matching of the echoed information for the service.
Preferably, the method further comprises the following steps: and automatically updating a preset port and service characteristic comparison relation library according to the service and interface corresponding relation accurately identified by the probe group.
The application also discloses a device for internet asset scanning discovery and service identification, comprising: a scanning pool, in which an IP address, an IP address field or multiple IP address fields of the assets to be scanned are preset; an idle node determining module, used for determining the IP address of an idle node in the Internet; a first scanning initiating module, used for sending a disguised scanning data packet to the Internet asset corresponding to the IP address in the scanning pool and locally caching the IP address and the port of the Internet asset, the source address of the scanning data packet being the IP address of the idle node; a second scanning initiating module, used for sending a session confirmation data packet to the idle node after the first scanning initiating module has sent a scanning data packet to the Internet asset; a feedback packet receiving module, configured to receive, in an asynchronous manner, a feedback data packet returned by the idle node, wherein the scanning data packet, the session confirmation data packet and the feedback data packet all comprise the port and the identification number of the internet asset; a port state judging module, used for determining the internet asset corresponding to the feedback data packet according to the local cache and judging whether the corresponding port of the internet asset is in an open state according to the identification number included in the feedback data packet; and a first service identification module, used for identifying the service provided by the internet asset according to a preset port and service characteristic comparison relation library when the corresponding port of the internet asset is in an open state.
Preferably, the apparatus further comprises: and the cycle control module is used for repeatedly scheduling the first scanning initiating module, the second scanning initiating module, the feedback packet receiving module, the port state judging module and the first service identification module to scan and identify the internet resources corresponding to the IP addresses in the scanning pool until the scanning and the service identification of the internet resources corresponding to all the IP addresses in the scanning pool are completed.
Preferably, the first scan initiating module sends the disguised scan data packet as follows: sending the disguised scan packets to a plurality of internet assets in a concurrent manner; and/or the first service identification module identifies the service provided by the internet asset in the following way: and storing the IP address of the Internet asset and the port in the open state in a local buffer area, and identifying the service provided by the Internet asset in a concurrent mode.
Preferably, the scan pool is further configured to perform discrete division on IP address segments in the scan pool before the first scan initiation module sends disguised scan packets to the multiple internet assets in a concurrent manner, so as to avoid scanning resources of the same IP address segment at the same time; and/or the cycle control module is also used for controlling the sending rate of the scanning data packet according to the receiving condition of the feedback data packet.
Preferably, the apparatus further comprises: the blacklist establishing module is used for establishing a port blacklist and eliminating internet resource ports which do not need to be identified; the second service identification module is used for carrying out fuzzy identification on the service signature information fed back by the internet assets on the basis of a preset basic service feature library; scheduling corresponding probes in the probe set to carry out accurate service identification according to the fuzzy identification content; the probe includes connection instruction initiation, instruction echoing capture, and regular matching of echoing information for the service.
Preferably, the apparatus further comprises: and the characteristic library updating module is used for automatically updating a preset port and service characteristic comparison relation library according to the service and interface corresponding relation accurately identified by the probe group.
Compared with the prior art, the method has the following advantages:
The preferred embodiment of the application sends the scanning data packet to the internet assets to be scanned in a stateless connection mode through the disguised idle node. It does not occupy TCP/IP protocol stack resources, does not need to maintain states such as connection request (SYN), response (ACK) and connection close (FIN), avoids the network overhead caused by the background traffic of other applications, and can therefore substantially improve internet asset scanning efficiency. By caching the IP address and port information of the Internet resource and storing the necessary information in the scanning data packet to support asynchronous scanning and identification of the service provided (after a feedback data packet is received asynchronously, the corresponding Internet resource can be identified from the necessary information carried in the packet), verification accuracy is ensured while the requirements of high scanning and identification efficiency are met.
Drawings
The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flowchart of a first embodiment of a method for Internet asset scanning discovery and service identification according to the present application;
FIG. 2 is a flowchart of a second embodiment of a method for Internet asset scanning discovery and service identification according to the present application;
fig. 3 is a schematic structural diagram of an embodiment of an apparatus for internet asset scanning discovery and service identification according to the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
In the description of the present application, it is to be understood that the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying any number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. The meaning of "plurality" is two or more unless explicitly defined otherwise. The terms "comprising", "including" and the like are to be construed as open-ended terms, i.e. "including but not limited to". The term "based on" means "based, at least in part, on". The term "an embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment". Relevant definitions for other terms will be given in the following description.
Referring to fig. 1, a flow of a first embodiment of the internet asset scanning discovery and service identification method of the present application is shown, and an execution subject is a computer accessing the internet, and the computer is provided with a scanning pool, and an IP address, an IP address field, or multiple IP address fields of assets to be scanned are preset in the scanning pool. The preferred method embodiment comprises the steps of:
s103: and determining the IP address of the idle node in the Internet.
S105: and sending the disguised scanning data packet to the Internet asset corresponding to the IP address in the scanning pool, and locally caching the IP address and the port of the Internet asset.
And the source address of the scanning data packet is the IP address of the idle node.
S107: and sending a session confirmation data packet to the idle node.
S109: and receiving a feedback data packet returned by the idle node in an asynchronous mode.
The scan data packet, the session confirmation data packet and the feedback data packet all include a port and an identification number of the internet asset.
S111: and determining the internet assets corresponding to the feedback data packet according to the local cache.
S113: judging whether the corresponding port of the internet asset is in an open state or not according to the identity number included in the feedback data packet; if yes, go to step S115; if not, the flow is ended.
S115: and identifying the service provided by the Internet asset according to a preset port and service characteristic comparison relation library.
Referring to fig. 2, a flowchart of a second embodiment of the internet asset scanning discovery and service identification method according to the present application is shown, where the execution subject is a computer accessing the internet, and the method includes:
s101: and writing the IP address, the IP address field or the multiple IP address fields of the assets to be scanned into the scanning pool.
S103: and determining the IP address of the idle node in the Internet.
S105: and sending the disguised scanning data packet to the Internet asset corresponding to the IP address in the scanning pool, and locally caching the IP address and the port of the Internet asset.
Wherein, the source address of the scanning data packet is the IP address of the idle node; the scan data packet includes a port and an identification number of the internet asset.
In particular implementations, in order to further improve scanning efficiency, disguised scan packets may be sent to multiple internet assets concurrently. For example, a single thread may monitor the CPU utilization of the scanning computer and dynamically adjust the number of concurrent scanning threads according to that utilization, so that the scanner is kept at maximum utilization.
S107: and then sending a session confirmation data packet to the idle node.
Wherein the session confirmation data packet includes the port and the identification number of the internet asset. It should be noted that step S107 needs to be performed after step S105.
S109: and receiving a feedback data packet returned by the idle node in an asynchronous mode.
The feedback data packets all comprise the port and the identification number of the internet asset.
S111: and determining the internet assets corresponding to the feedback data packet according to the local cache.
S113: judging whether the corresponding port of the internet asset is in an open state or not according to the identity number included in the feedback data packet, if so, turning to step S115; otherwise, go to step S117.
S115: identifying the service provided by the Internet asset according to a preset port and service characteristic comparison relation library.
The port-to-service feature comparison relation library may be preset in a specific implementation, for example: port 21 for the File Transfer Protocol (FTP) service, port 22 for the Secure Shell (SSH) service, port 25 for the Simple Mail Transfer Protocol (SMTP) service, port 23 for the remote terminal protocol (Telnet) service, and port 110 for the Post Office Protocol Version 3 (POP3) service.
In specific implementation, in order to further improve the service identification efficiency, the IP of the internet asset and the open port thereof may be saved in a local buffer, and the service provided by the internet asset may be identified in a concurrent manner. For example, the concurrent service identification thread number can be dynamically controlled by the resource utilization rate of the CPU and the like of the computer, so that the computer utilization rate is improved.
S117: judging whether all the IP addresses and the ports thereof in the scanning pool are scanned completely, if so, ending the process; otherwise, go to step S105 to perform a new round of scanning and service identification of the IP address and its different ports.
Wherein, in order to prevent the continuous scanning from triggering the defense system of the internet asset itself, for the case of an IP address field or multiple IP address fields, before sending the disguised scanning data packet to multiple internet assets in a concurrent manner (i.e. step S105), S104 may be further included: and the IP address fields in the scanning pool are discretely divided, so that the resource scanning of the same IP address field at the same time is avoided.
In addition, the sending rate of the scanning data packet can be controlled according to the receiving condition of the feedback data packet, the scanning efficiency and the identification accuracy are guaranteed, and meanwhile, the network flow can be well controlled.
The principle by which the method embodiment judges whether the corresponding port of the internet asset is open is as follows: every IP packet on the internet carries an identification number (IPID), which most operating systems simply increment for each packet they send, so that comparing successive IPID values reveals how many packets a node has sent in the meantime. The following example illustrates this.
Assume that internet node Z is idle, i.e. it has no network communication with other nodes. Because node Z has never sent a connection request packet (SYN) to the computer executing this embodiment (node T), node Z answers a SYN/ACK packet from node T with a reset packet (RST), and that RST packet carries Z's current IPID (assume 31311).
Node T then sends a SYN packet, with node Z's IP address forged as its source address, to a port (for example port 21) of the real host A to be scanned. Node Z knows nothing about this packet, so its IPID is unaffected by it. Afterwards, node T sends another SYN/ACK packet to node Z, node Z again returns a RST packet, and the state of port 21 of host A can be determined from the IPID in that RST packet, as follows:
When port 21 of host A is open, host A receives node T's SYN packet and, because the port is open, returns a SYN/ACK packet. Since the source IP in the SYN packet was node Z's address, this SYN/ACK goes to node Z. Node Z never sent a connection request (SYN) to port 21 of host A, so on receiving the SYN/ACK it sends a RST packet to host A, and the communication between host A and node Z ends.
Because node Z actively sent that RST packet, its IPID is incremented (the IPID in this RST packet is 31312). Therefore, when node T subsequently sends a SYN/ACK packet to node Z, the IPID in the RST packet returned by node Z has become 31313.
When port 21 of host A is closed or filtered, host A receives node T's SYN packet and, because the port is not open, returns a RST packet to node Z (or, if the port is filtered, returns nothing at all). Since node Z never sent a SYN packet, any RST packet it receives is simply discarded. Node Z sends no packet of its own during this process, so when node T later sends a SYN/ACK packet to node Z, the IPID in the RST packet returned by node Z is 31312.
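The IPID reasoning above, as an added illustration that is not code from the patent: the three parties are plain Python objects, nothing is sent on the network, and all class and function names are the example's own. It also models the standard mitigation for an idle node, per-packet randomised IPIDs, under which the same three steps no longer reveal the port state.

```python
"""Model of the IPID side channel in the patent's worked example (nodes T, Z, A).

Added illustration, not code from the patent: the three parties are plain
Python objects and nothing is sent on the network. All class and function
names here are the example's own.
"""
import random
from dataclasses import dataclass, field


@dataclass
class IdleNode:
    """Node Z: an idle host whose IP stack stamps an IPID on every packet it sends."""
    ipid: int = 31311          # starting value used in the patent's example
    randomize: bool = False    # mitigation: per-packet random IPID instead of a counter
    seed: int = 0              # seed for the randomised variant (deterministic demo)

    def __post_init__(self):
        self._rng = random.Random(self.seed)

    def _send(self) -> int:
        """Emit one packet and return the IPID written into its IP header."""
        if self.randomize:
            return self._rng.randrange(0, 65536)
        value = self.ipid
        self.ipid = (self.ipid + 1) & 0xFFFF   # sequential counter, 16-bit wrap
        return value

    def on_syn_ack(self) -> int:
        """An unsolicited SYN/ACK is answered with RST; the RST's IPID is returned."""
        return self._send()

    def on_rst(self) -> None:
        """An unsolicited RST is silently discarded: Z sends nothing."""
        return None


@dataclass
class Target:
    """Host A: the asset being scanned."""
    open_ports: set
    filtered_ports: set = field(default_factory=set)

    def on_syn(self, port: int, spoofed_src: IdleNode) -> None:
        """Handle a SYN whose source address was forged as Z's; A's reply reaches Z."""
        if port in self.filtered_ports:
            return None                   # a filter drops the SYN, nothing goes back
        if port in self.open_ports:
            spoofed_src.on_syn_ack()      # SYN/ACK -> Z answers with RST (IPID +1)
        else:
            spoofed_src.on_rst()          # RST -> Z drops it (IPID unchanged)
        return None


def probe_port(target: Target, idle: IdleNode, port: int) -> tuple:
    """Node T's three steps: read Z's IPID, spoof one SYN to A, read Z's IPID again.

    Returns (verdict, ipid_before, ipid_after). With a sequential IPID a delta
    of 2 means the port is open and a delta of 1 means closed or filtered;
    any other delta means the node is not usable as an idle reference.
    """
    before = idle.on_syn_ack()             # baseline RST from Z (step S107/S109)
    target.on_syn(port, spoofed_src=idle)  # disguised SYN, source = Z (step S105)
    after = idle.on_syn_ack()              # second SYN/ACK to Z, second RST
    delta = (after - before) & 0xFFFF
    verdict = {2: "open", 1: "closed|filtered"}.get(delta, "unknown")
    return verdict, before, after


def scan(target: Target, idle: IdleNode, ports) -> dict:
    """Probe several ports against the same idle node; the counter keeps advancing."""
    return {p: probe_port(target, idle, p)[0] for p in ports}
```

Hosts whose stack randomises the IPID (the `randomize=True` node) cannot serve as the idle reference, which is why the patent's step S103 must first find a node with a predictable counter.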
In another embodiment of the method, in order to further improve service identification efficiency, system resources need not be spent scanning and identifying certain ports that are already known and of no concern, such as the ports of device-class services (cameras, printers and the like) and the web ports 80, 443 and so on. For this reason, step S114 may be included before step S115: establishing a port blacklist and excluding the Internet resource ports that do not need to be scanned and identified.
In a further method embodiment, services that cannot be identified based on port-to-service feature matching can be further identified by building a base service feature library and probe sets. Specifically, after step S115, the method may include:
s116-1: and for services which cannot be identified according to the port and service characteristic comparison relationship, carrying out fuzzy identification on the service signature information fed back by the Internet assets based on a preset basic service characteristic library.
S116-2: the probe set dispatches a corresponding probe to carry out accurate identification of service according to the fuzzy identification content; the probe includes connection instruction initiation, instruction echoing capture, and regular matching of echoing information for the service.
A probe is a set of detection actions, and the probe set is a collection of probes. According to the specific fuzzy identification content, a specified type of probe can be scheduled to initiate an instruction, capture the detailed echo and perform regular matching on the specific information. The echo of each probe has a corresponding unique identifier, and the probe set has asynchronous monitoring capability: when several probes are used for detection at the same time, the probe set can schedule the corresponding probe for the next processing step for each return, until the probes achieve the accurate identification required by a preset strategy.
S116-3: and automatically updating a preset port and service characteristic comparison relation library according to the service and interface corresponding relation accurately identified by the probe group.
In addition, after the scanning is finished, the scanning information can be recorded to a designated Application Programming Interface (API) for receiving and storing or directly pushed to a cache server for data analysis and recording, and meanwhile, the port survival can be periodically scanned and identified for service discovery.
For simplicity of description, the foregoing method embodiments are described as a series of acts or combination of acts, but those skilled in the art will appreciate that the present application is not limited by the order of acts described, as some steps may, in accordance with the present application, occur in other orders and concurrently; further, those skilled in the art should also appreciate that the above-described method embodiments are preferred embodiments and that the acts and modules involved are not necessarily required for the application.
The present application also discloses a storage medium having recorded thereon a program for executing the above method. The storage medium includes any mechanism configured to store or transfer information in a form readable by a machine (for example, a computer). For example, storage media include read only memory (ROM), random access memory (RAM), magnetic disk storage media, optical storage media, flash memory media, electrical, optical, acoustical or other forms of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.), and others.
Referring to fig. 3, a block diagram of an embodiment of the apparatus for internet asset scanning discovery and service identification of the present application is shown, including:
a scan pool 20, which is preset with the asset IP address to be scanned, IP address field, or multiple IP address fields.
And the idle node determining module 21 is configured to determine an IP address of an idle node in the internet.
A first scanning initiating module 22, configured to send a disguised scanning packet (such as SYN in TCP protocol) to the internet asset corresponding to the IP address in the scanning pool, and locally cache the IP address and the port of the internet asset; and the source address of the scanning data packet is the IP address of the idle node.
In particular implementations, to further improve scanning efficiency, the first scan initiation module 22 may send disguised scan packets to multiple internet assets in a concurrent manner.
A second scan initiation module 23, configured to send a session acknowledgement packet (e.g., SYN/ACK in TCP protocol) to the idle node after the first scan initiation module 22 sends a scan packet to an internet asset;
a feedback packet receiving module 24, configured to receive a feedback data packet (e.g. an ACK in the TCP protocol) returned by the idle node in an asynchronous manner; the scanning data packet, the session confirmation data packet and the feedback data packet all comprise ports and identification numbers of internet assets;
a port state judgment module 25, configured to determine, according to the local cache, an internet asset corresponding to the feedback data packet, and judge, according to the identity number included in the feedback data packet, whether a port corresponding to the internet asset is in an open state;
the first service identification module 26 is configured to identify a service provided by the internet asset according to a preset port and service feature comparison relation library when a corresponding port of the internet asset is in an open state.
In specific implementation, in order to further improve the service identification efficiency, the IP address of the internet asset and the port in the open state may be saved in a local buffer, and the service provided by the internet asset may be identified in a concurrent manner.
The cycle control module 27 is configured to repeatedly schedule the functional modules, namely the first scan initiating module 22, the second scan initiating module 23, the feedback packet receiving module 24, the port state judging module 25 and the first service identification module 26, to perform scanning and identification on the internet resources corresponding to the IP addresses in the scanning pool 20 until the scanning and service identification of the internet resources corresponding to all the IP addresses in the scanning pool are completed.
In order to prevent continuous scanning from triggering the defense system of an internet asset, the scanning pool 20 is further configured to discretely divide the IP address field or multiple IP address fields, so that resources of the same IP address field are not scanned at the same time. The cycle control module 27 is further configured to control the sending rate of the scanning data packets according to the receiving condition of the feedback data packets, so as to control the network traffic while maintaining the scanning efficiency and the identification accuracy.
In another embodiment of the apparatus, to further improve the service identification efficiency, the apparatus may further include a blacklist establishing module, configured to establish a port blacklist and exclude the internet resource ports that do not need to be scanned and identified.
In a further embodiment of the apparatus, a second service identification module is also provided, which is capable of identifying services that cannot be identified from the port-to-service feature comparison relation: it performs fuzzy identification of the service signature information fed back by the internet asset on the basis of a preset basic service feature library, and schedules the corresponding probe in the probe set to identify the service precisely according to the fuzzy identification result; a probe comprises initiating a connection instruction, capturing the instruction echo, and regular-expression matching of the echoed information for the service.
In addition, the apparatus may further comprise a feature library updating module, configured to automatically update the preset port-to-service feature comparison relation library according to the service and interface correspondence precisely identified by the probe set.
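The two-stage identification (port-library lookup, then fuzzy matching of the echoed signature followed by a regex probe) and the feature library update described above, as an added example that is not part of the patent; the port library, basic feature library, probe set and the banner echoes are all constructed assumptions, and nothing is sent on the network:

```python
import re
from dataclasses import dataclass

# Constructed port-to-service comparison relation library (assumption standing
# in for the patent's preset library).
PORT_SERVICE_LIBRARY = {22: "ssh", 80: "http", 443: "https"}

# Constructed basic service feature library for the fuzzy first pass: any of
# these lowercase substrings in the echoed signature hints at a service family.
BASIC_FEATURE_LIBRARY = {"ssh": ("ssh-",), "http": ("http/1.", "server:")}


@dataclass
class Probe:
    """One member of the probe set: the instruction issued after connecting and
    the regular expression matched against the captured echo (assumed shape)."""
    instruction: bytes
    pattern: re.Pattern


# Constructed probe set, keyed by the fuzzy identification result.
PROBE_SET = {
    "ssh": Probe(b"", re.compile(r"^SSH-[\d.]+-(?P<product>\S+)")),
    "http": Probe(b"HEAD / HTTP/1.0\r\n\r\n",
                  re.compile(r"^Server:\s*(?P<product>[^\r\n]+)", re.I | re.M)),
}


def fuzzy_identify(echo: str):
    """Fuzzy pass: match the echoed signature against the basic feature library."""
    text = echo.lower()
    for service, keywords in BASIC_FEATURE_LIBRARY.items():
        if any(k in text for k in keywords):
            return service
    return None


def probe_identify(service: str, echo: str):
    """Precise pass: the probe selected by the fuzzy result extracts the product."""
    probe = PROBE_SET.get(service)
    match = probe.pattern.search(echo) if probe else None
    return match.group("product") if match else None


def identify_service(port: int, echo: str, library: dict):
    """Port-library lookup first; otherwise fuzzy + probe identification, and a
    precise probe hit is learned back into the library (library update)."""
    if port in library:
        return library[port], None, "port-library"
    service = fuzzy_identify(echo)
    if service is None:
        return None, None, "unidentified"
    product = probe_identify(service, echo)
    if product is None:
        return service, None, "fuzzy"
    library[port] = service  # feature library update with the precise result
    return service, product, "probe"


if __name__ == "__main__":
    # Constructed echoes standing in for captured banners; nothing is sent.
    samples = [(443, ""), (2222, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
               (8080, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"),
               (8081, "HTTP/1.1 403 Forbidden\r\n\r\n"), (9999, "\x00\x01\x02")]
    lib = dict(PORT_SERVICE_LIBRARY)
    for port, echo in samples:
        print(port, identify_service(port, echo, lib))
    print("learned:", {p: s for p, s in lib.items() if p not in PORT_SERVICE_LIBRARY})
```

Only a precise probe hit is written back into the library, so a banner that is merely fuzzily recognised (the 403 case) does not pollute the port-to-service mapping.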
It should be noted that the above embodiments of the apparatus belong to the preferred embodiments, and the units and modules involved are not necessarily essential to the present application.
The embodiments in the present specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the parts common to several embodiments the embodiments may be referred to one another. Since the apparatus embodiments of the present application are substantially similar to the method embodiments, their description is relatively brief, and for the relevant points reference may be made to the description of the method embodiments. The above-described apparatus embodiments are merely illustrative; the modules described as separate components may or may not be physically separate, and may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement this without inventive effort.
The method and apparatus for internet asset scanning discovery and service identification provided by the present application have been described in detail above, and a specific example has been used to explain the principle and implementation of the application; the description of the embodiments serves only to help understand the method and the core idea of the application. At the same time, a person skilled in the art may, following the idea of the present application, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (5)

1. A method for Internet asset scanning discovery and service identification, characterized in that the execution subject of the method is a computer connected to the Internet, the computer is provided with a scanning pool, and an IP address, an IP address field or multiple IP address fields of the assets to be scanned are preset in the scanning pool, the method comprising the following steps:
determining an IP address of a free node in the Internet;
sending the disguised scanning data packet to the Internet assets corresponding to the IP address in the scanning pool, and locally caching the IP address and the port of the Internet assets; the source address of the scanning data packet is the IP address of the idle node;
then sending a session confirmation data packet to the idle node;
receiving a feedback data packet returned by the idle node in an asynchronous mode; the scanning data packet, the session confirmation data packet and the feedback data packet all comprise ports and identification numbers of the internet assets;
determining the internet assets corresponding to the feedback data packet according to the local cache, and judging whether the corresponding ports of the internet assets are in an open state or not according to the identity numbers included in the feedback data packet;
if the corresponding port of the internet asset is in an open state, identifying the service provided by the internet asset according to a preset port and service characteristic contrast relation library; for services which cannot be identified according to the port and service characteristic comparison relation, carrying out fuzzy identification on service signature information fed back by the Internet assets based on a preset basic service characteristic library; the probe set dispatches a corresponding probe to carry out accurate identification of service according to the fuzzy identification content; the probe comprises connection instruction initiation, instruction echoing capture and regular matching of echoing information aiming at the service;
repeatedly executing the resource scanning and service identification steps until the scanning and service identification of the internet resources corresponding to all the IP addresses in the scanning pool are completed; the IP address fields in the scanning pool are divided discretely, so that the resource of the same IP address field is prevented from being scanned at the same time; controlling the sending rate of the scanning data packet according to the receiving condition of the feedback data packet;
the sending of the disguised scanning data packet to the internet asset corresponding to the IP address in the scanning pool specifically includes: sending the disguised scan packets to a plurality of internet assets in a concurrent manner;
and/or
the step of identifying the service provided by the internet asset according to the preset port and service characteristic contrast relation library specifically comprises the following steps: and storing the IP address of the Internet asset and the port in the open state in a local buffer area, and identifying the service provided by the Internet asset in a concurrent mode.
2. The method of claim 1, further comprising, prior to identifying the service provided by the internet asset based on a pre-defined cross-reference library of port and service characteristics:
establishing a port blacklist and excluding internet resource ports that do not need to be identified.
3. The method of claim 1, further comprising:
automatically updating the preset port and service characteristic comparison relation library according to the service and interface corresponding relation accurately identified by the probe set.
4. An apparatus for internet asset scanning discovery and service identification, comprising:
the scanning pool is preset with an IP address, an IP address field or a plurality of IP address fields of assets to be scanned;
the idle node determining module is used for determining the IP address of an idle node in the Internet;
the first scanning initiating module is used for sending a disguised scanning data packet to the Internet asset corresponding to the IP address in the scanning pool and locally caching the IP address and the port of the Internet asset; the source address of the scanning data packet is the IP address of the idle node;
the second scanning initiating module is used for sending a session confirmation data packet to the idle node after the first scanning initiating module sends a scanning data packet to the Internet asset;
a feedback packet receiving module, configured to receive a feedback data packet returned by the idle node in an asynchronous manner; the scanning data packet, the session confirmation data packet and the feedback data packet all comprise ports and identification numbers of internet assets;
the port state judging module is used for determining the internet assets corresponding to the feedback data packet according to the local cache and judging whether the corresponding ports of the internet assets are in an open state or not according to the identity numbers included in the feedback data packet;
the first service identification module is used for identifying the service provided by the Internet asset according to a preset port and service characteristic contrast relation library when the corresponding port of the Internet asset is in an open state;
the first scanning initiating module sends the disguised scanning data packet in the following mode: sending the disguised scan packets to a plurality of internet assets in a concurrent manner;
the first service identification module identifies the service provided by the internet asset in the following way: storing the IP address of the Internet asset and the port in an open state in a local buffer area, and identifying the service provided by the Internet asset in a concurrent mode;
the blacklist establishing module is used for establishing a port blacklist and eliminating internet resource ports which do not need to be identified;
the second service identification module is used for carrying out fuzzy identification on the service signature information fed back by the internet assets on the basis of a preset basic service feature library; scheduling corresponding probes in the probe set to perform accurate service identification according to the fuzzy identification content; the probe comprises connection instruction initiation, instruction echoing capture and regular matching of echoing information aiming at the service;
the cycle control module is used for repeatedly scheduling the first scanning initiating module, the second scanning initiating module, the feedback packet receiving module, the port state judging module and the first service identification module to scan and identify the internet resources corresponding to the IP addresses in the scanning pool until the scanning and the service identification of the internet resources corresponding to all the IP addresses in the scanning pool are completed; the cycle control module is also used for controlling the sending rate of the scanning data packet according to the receiving condition of the feedback data packet;
the scanning pool is also used for discretely dividing the IP address field in the scanning pool before the first scanning initiating module sends the disguised scanning data packets to the plurality of Internet assets in a concurrent manner, so as to avoid scanning the resources of the same IP address field at the same time.
5. The apparatus of claim 4, further comprising:
the characteristic library updating module, configured to automatically update the preset port and service characteristic comparison relation library according to the service and interface corresponding relation accurately identified by the probe set.
CN201710475038.8A 2017-06-21 2017-06-21 Method and device for scanning, discovering and identifying service of Internet assets Active CN109104395B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710475038.8A CN109104395B (en) 2017-06-21 2017-06-21 Method and device for scanning, discovering and identifying service of Internet assets

Publications (2)

Publication Number Publication Date
CN109104395A CN109104395A (en) 2018-12-28
CN109104395B true CN109104395B (en) 2022-08-23

Family

ID=64796146
Country Status (1)

Country Link
CN (1) CN109104395B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109726763B (en) * 2018-12-29 2021-05-28 绿盟科技集团股份有限公司 Information asset identification method, device, equipment and medium
CN110336684B (en) * 2019-03-21 2022-03-18 北京天防安全科技有限公司 Intelligent network asset identification method and system
CN110380935B (en) * 2019-07-23 2021-02-12 杭州数梦工场科技有限公司 Port scanning method and device
CN111447201A (en) * 2020-03-24 2020-07-24 深信服科技股份有限公司 Scanning behavior recognition method and device, electronic equipment and storage medium
CN112491791B (en) * 2020-10-20 2021-08-03 广州数智网络科技有限公司 Method and device for rapidly identifying HTTP proxy IP address and electronic equipment
CN113420303A (en) * 2021-07-14 2021-09-21 广东电网有限责任公司广州供电局 Port scanning-based substation host security vulnerability detection method and system
CN115225530B (en) * 2022-07-02 2023-09-05 北京华顺信安科技有限公司 Asset state monitoring method, device, equipment and medium
CN115314425B (en) * 2022-07-12 2024-02-23 清华大学 Network scanning device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102055771A (en) * 2011-01-24 2011-05-11 上海红神信息技术有限公司 Device and method for controlling cloud service-oriented multiple concurrent service flow
US20140330976A1 (en) * 2013-05-06 2014-11-06 Jeroen van Bemmel Stateless load balancing of connections
CN106713449A (en) * 2016-12-21 2017-05-24 中国电子科技网络信息安全有限公司 Method for quickly identifying networked industrial control device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561048B (en) * 2013-09-02 2016-08-31 北京东土科技股份有限公司 A kind of method and device determining that tcp port scans

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Nmap Idle Scan" (Nmap空闲扫描); colorknight; https://blog.csdn.net/colorknight/article/details/43125487; 20150125; full text *

Also Published As

Publication number Publication date
CN109104395A (en) 2018-12-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant