CN109547294B - Networking equipment model detection method and device based on firmware analysis - Google Patents

Info

Publication number: CN109547294B
Authority: CN (China)
Prior art keywords: model, list, fingerprint, firmware, target
Legal status: Active
Application number: CN201811612328.3A
Other languages: Chinese (zh)
Other versions: CN109547294A (en
Inventors: 解炜, 罗振豪, 唐勇, 陈曙晖, 王宝生
Current Assignee: National University of Defense Technology
Original Assignee: National University of Defense Technology
Application filed by National University of Defense Technology
Priority to CN201811612328.3A
Publication of CN109547294A
Application granted
Publication of CN109547294B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L43/065 Generation of reports related to network devices
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Cardiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a networking equipment model detection method and device based on firmware analysis. The method comprises the following steps: S1, when the port flag information of the target equipment contains no model information identifying the model of the target equipment, extracting all resource file names in the port flag information and searching with each resource file name as a keyword to form an initial IP list; S2, acquiring the firmware of the target equipment and extracting fingerprints of the equipment model from the acquired firmware to form a model fingerprint list of the target equipment; and S3, taking IP addresses from the initial IP list and fingerprints from the model fingerprint list, combining each pair into a URL address and sending a request, and screening all the IP addresses in the initial IP list according to the responses to obtain a final IP list of the target equipment. The invention has the advantages of a simple implementation, a high detection success rate and detection precision, and low missed-report and false-alarm rates.

Description

Networking equipment model detection method and device based on firmware analysis
Technical Field
The invention relates to the technical field of Internet of things, in particular to a networking equipment model detection method based on firmware analysis.
Background
With the development and popularization of Internet of Things technology, a large number of smart devices have been connected to the Internet. Online Internet of Things devices can be searched for with well-known device search engines such as Shodan and ZoomEye. The Shodan device search engine can identify network cameras, printers, routers, traffic lights, smart home devices, industrial control systems and other networked devices, and about 5 networking devices and services can be searched on the Internet every month. Unlike Shodan, which is based on the NMap scanning software, Censys uses the ZMap scanning software, which is based on stateless requests; it can scan the whole Internet more quickly to find all networked devices and collect relevant information, and it returns a summary report of the configuration and deployment information of related resources (such as devices, websites and certificates). Similar search engines exist in China, such as FOFA and ZoomEye (the Eye of Zhongkui). By mapping the global network space and combining the results with device vulnerability information, ZoomEye can pinpoint vulnerable areas of the network space, so that network management is carried out in time and national network defense capability is improved. ZoomEye provides an API for research institutions and supports secondary development, so researchers can use it to obtain IP lists of target devices of interest. FOFA has functions similar to ZoomEye's and can also search network components and devices along different dimensions, such as region, port number, network service, operating system and network protocol.
For model detection of Internet of Things devices, device search engines such as Shodan and ZoomEye can be used through their search web pages to find the IP addresses of devices of a specific manufacturer and model. The technical principle is that the model of a networked device is identified by checking whether the flag information of its ports contains a character string representing the device model: a web crawler probes the common ports of all IP addresses on the whole Internet and stores the flag information returned, and if the flag information contains text representing the device model, the device search engine can identify and find devices of that model. This method, however, has the following problems:
1. Missed reports: some devices do not include text indicating the device model in their port flag information, so the device search engine cannot identify them and false negatives result. For example, when an existing search engine is used to search for the RV110W router produced by Cisco with the keyword "RV110W", no result is obtained, because the flag information returned when the router's open port is accessed does not contain the string "RV110W".
2. False alarms: when "DIR-815" is used as the search keyword, a website whose homepage contains the string "DIR-815" has its IP address returned to the user by the device search engine as the IP address of a device of that model, which is a false alarm.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: in view of the technical problems in the prior art, the invention provides a networking equipment model detection method and device based on firmware analysis with a simple implementation, a high detection success rate and detection precision, and low missed-report and false-alarm rates.
To solve the above technical problem, the technical solution provided by the invention is as follows:
A networking equipment model detection method based on firmware analysis comprises the following steps:
S1, generating an initial IP list: when the port flag information of the target equipment contains no model information representing the model of the target equipment, extracting all resource file names in the port flag information, searching with each resource file name as a keyword, and forming an initial IP list from all the IP addresses found;
S2, firmware analysis: acquiring the firmware of the target equipment, extracting fingerprints containing model information of the target equipment from the acquired firmware, and forming a model fingerprint list of the target equipment from all the extracted fingerprints;
S3, fingerprint scan: taking IP addresses from the initial IP list and fingerprints from the model fingerprint list, combining each pair into a URL (uniform resource locator) address and sending a request, and screening all the IP addresses in the initial IP list according to the responses to obtain a final IP list of the target equipment.
As a further improvement of the invention: when the fingerprints of the device model are extracted in step S2, the Web directory in the firmware of the target device is located, the files in the Web directory are searched for model information indicating the model of the target device, and the path of each target file containing the model information, relative to the Web root directory, is used as a fingerprint, until all files have been searched.
As a further improvement of the invention, the specific steps of step S2 are:
S21, firmware preprocessing: extracting a file system from the firmware of the target equipment and locating the Web directory in the file system;
S22, fingerprint extraction: searching all files in the Web directory and checking whether each file contains model information representing the model of the target equipment; if a file contains the model information, obtaining the path of that target file relative to the Web root directory and using it as a fingerprint, until all files have been searched;
S23, fingerprint list generation: all the fingerprints obtained in step S22 constitute the model fingerprint list of the target device.
As a further improvement of the invention: when the IP addresses in the initial IP list are screened in step S3, if the request sent is returned successfully and the response message includes the model information indicating the model of the target device, the corresponding IP address in the initial IP list is written into the final IP list, until all the IP addresses have been screened, so as to obtain the final IP list of the target device.
As a further improvement of the invention, the specific steps of step S3 include:
S31, taking an IP address from the initial IP list as the current IP address, and taking a fingerprint from the model fingerprint list as the current fingerprint;
S32, merging the current IP address and the current fingerprint into a URL address and sending an HTTP request for verification; if the request is returned successfully and the response message contains model information representing the model of the target equipment, writing the current IP address into the final IP list; proceeding to step S33;
S33, taking the next fingerprint from the model fingerprint list of the target equipment as the current fingerprint and returning to step S32, until the current IP address has been verified against all fingerprints in the model fingerprint list;
S34, taking the next IP address from the initial IP list as the current IP address and returning to step S32, until all the IP addresses in the initial IP list have been verified, the screening yielding the final IP list of the target device.
As a further improvement of the invention, a keyword extraction step SA is further included before step S1, with the following specific steps: accessing a Web service port of the target equipment and acquiring the port flag information, and extracting model information representing the model of the target equipment from the port flag information as a first-class keyword; if no first-class keyword is found, step S1 is executed, and if a first-class keyword is found, a search is performed with the first-class keyword to obtain an IP list of the target equipment.
As a further improvement of the invention: if a first-class keyword is found in step SA, all resource file names in the port flag information are also extracted and used as second-class keywords, the first-class keyword and the second-class keywords are combined to form a plurality of candidate keywords, and a search is performed with each candidate keyword to obtain an IP list of the target equipment.
As a further improvement of the invention: when the plurality of candidate keywords are formed, the first-class keyword and one second-class keyword are connected in series to form one candidate keyword.
As a further improvement of the invention: the resource file name comprises a storage path, and the resource file types comprise one or more of CSS, JS, PNG, JPG and BMP.
The invention further provides a networking device model detection apparatus based on firmware analysis, comprising a computer device programmed to execute the steps of the above networking device model detection method based on firmware analysis.
Compared with the prior art, the invention has the advantages that:
1. With the networking equipment model detection method and device based on firmware analysis of the invention, when the port flag information of the target equipment contains no model information, an initial IP list is obtained by extracting resource file names and searching with them; at the same time, the firmware of the target equipment is analyzed to obtain a model fingerprint list of the target equipment, and the initial IP list is screened with the model fingerprint list to obtain a final IP list of the target equipment. IP addresses of equipment whose port flag information carries no model information can thus be identified, which reduces the missed-report rate. Compared with the traditional approach of searching only on the flag information of open ports, combining the search with fingerprint scanning based on the firmware also effectively reduces the false-alarm rate and avoids false alarms such as a website being reported as a device merely because its homepage contains the device model name. This effectively enhances the accuracy and search capability of the search engine and achieves accurate detection of the model of networking equipment.
2. With the networking equipment model detection method and device based on firmware analysis of the invention, fingerprints of the equipment model are collected from the whole Web directory of the equipment firmware, and by combining the fingerprints more kinds of online equipment can be found; screening with the initial IP list and the model fingerprint list together effectively reduces the missed-report and false-alarm rates and improves the accuracy and completeness of equipment model detection.
3. The networking equipment model detection method and device based on firmware analysis of the invention further uses the model information to search for equipment whose port flag information contains the model information, and uses resource file names to search for equipment whose port flag information does not contain it; the search result is taken as an initial IP list, and a final IP list is obtained through screening so as to reduce the missed-report IPs and false-alarm IPs in the initial IP list. Equipment can therefore be detected accurately whether or not its flag information contains the model information.
4. For equipment whose port flag information contains the model information, the invention further uses the resource file names in the port flag information together with the model information to form the search keywords, which improves the accuracy of detection matching and avoids false alarms such as a website being reported as a device merely because its homepage contains the device model name.
Drawings
Fig. 1 is a schematic flow chart of an implementation of the networking device model detection method based on firmware analysis according to the embodiment.
Fig. 2 is a schematic flow chart of the implementation of the networking device model detection based on firmware analysis in the application embodiment of the invention.
Detailed Description
The invention is further described below with reference to the drawings and specific preferred embodiments of the description, without thereby limiting the scope of protection of the invention.
As shown in fig. 1, the method for detecting a model of a networked device based on firmware analysis in the present embodiment includes the following steps:
S1, generating an initial IP list: when the port flag information of the target equipment contains no model information representing the model of the target equipment, all resource file names in the port flag information are extracted, each resource file name is used as a keyword for searching, and an initial IP list is formed from all the IP addresses found;
S2, firmware analysis: acquiring the firmware of the target equipment, extracting fingerprints containing model information of the target equipment from the acquired firmware, and forming a model fingerprint list of the target equipment from all the extracted fingerprints;
S3, fingerprint scan: taking IP addresses from the initial IP list and fingerprints in sequence from the model fingerprint list of the target equipment, combining each pair into a URL address and sending a request, and screening all the IP addresses in the initial IP list according to the responses to obtain a final IP list of the target equipment.
In this embodiment, when the port flag information of the target equipment contains no model information, the initial IP list is obtained by extracting resource file names and searching with them; at the same time, the firmware of the target equipment is analyzed to obtain the model fingerprint list of the target equipment, and the initial IP list is screened with the model fingerprint list to obtain the final IP list of the target equipment. IP addresses of equipment whose port flag information carries no model information can thus be identified, which reduces the missed-report rate. Compared with the traditional approach of searching only on the flag information of open ports, combining the search with fingerprint scanning based on the firmware also effectively reduces the false-alarm rate and avoids false alarms such as a website being reported as a device merely because its homepage contains the device model name. This effectively enhances the accuracy and search capability of the search engine and the accurate detection of the model.
In this embodiment, the resource file names in the port flag information are found with a regular expression. The resource extensions include, but are not limited to, file types such as CSS, JS, PNG, JPG and BMP; the types are matched without distinguishing upper and lower case, and the names include the storage path. A resource file name is, specifically, /lang_pack/en.
In this embodiment, when the fingerprints of the device model are extracted in step S2, the Web directory in the firmware of the target device is located, the files in the Web directory are searched for model information indicating the model of the target device, and the path of each target file containing the model information, relative to the Web root directory, is used as a fingerprint, until all files have been searched. Because the fingerprints of the device model are collected from the whole Web directory of the device firmware, more kinds of online devices can be found by combining the fingerprints, while false alarms are avoided.
In this embodiment, the specific steps of step S2 are as follows:
S21, firmware preprocessing: extracting a file system from the firmware of the target equipment and locating the Web directory in the file system;
S22, fingerprint extraction: searching all files in the Web directory and checking whether each file contains model information representing the model of the target equipment; if a file contains the model information, obtaining the path of that target file relative to the Web root directory and using it as a fingerprint, until all files have been searched;
S23, fingerprint list generation: all the fingerprints acquired in step S22 constitute the model fingerprint list of the target device.
In this embodiment, after the Web directory is located in the firmware of the target device, all files in the Web directory are searched for a text string indicating the device model (e.g., RV110W). If the string exists in a file, the path of that file relative to the Web root directory is recorded (e.g., /lang_pack/en.js) and used as a fingerprint of devices of that model. This continues until all Web files in all firmware of the target device have been searched, which yields the model fingerprint list of devices of that model.
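Steps S22 and S23 as an added Python example (not code from the patent). It assumes the file system has already been unpacked and the Web directory located (S21); the two firmware trees are constructed in a temporary directory, and `help/about.htm` and `status/summary.asp` are made-up file names.

```python
import os
import tempfile


def extract_model_fingerprints(web_root, model):
    """S22: return Web-root-relative paths of files whose content contains `model`."""
    needle = model.encode("utf-8")
    fingerprints = []
    for dirpath, _dirnames, filenames in os.walk(web_root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Unpacked firmware often holds symlinks and device nodes: read regular files only.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable entry, skip it rather than abort the whole scan
            if needle in data:
                rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                fingerprints.append("/" + rel)
    return sorted(fingerprints)


def build_fingerprint_list(web_roots, model):
    """S23: merge the fingerprints found in every firmware version of the device."""
    merged = set()
    for root in web_roots:
        merged.update(extract_model_fingerprints(root, model))
    return sorted(merged)


def write_tree(root, files):
    """Helper for the constructed sample: create files under `root`."""
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def build_sample_firmware(base):
    """Two constructed Web directories standing in for two firmware versions."""
    v1 = write_tree(os.path.join(base, "fw_v1", "www"), {
        "index.html": b"<html><title>Login</title></html>",
        "lang_pack/en.js": b'var product = "RV110W Wireless-N VPN Firewall";',
        "image/BT_Normal.jpg": b"\xff\xd8\xff\xe0constructed-bytes",
        "help/about.htm": b"<p>Model: RV110W</p>",
    })
    v2 = write_tree(os.path.join(base, "fw_v2", "www"), {
        "index.html": b"<html><title>Login</title></html>",
        "lang_pack/en.js": b'var product = "RV110W Wireless-N VPN Firewall";',
        "status/summary.asp": b"<td>RV110W</td>",
    })
    return v1, v2


def demo():
    with tempfile.TemporaryDirectory() as base:
        return build_fingerprint_list(build_sample_firmware(base), "RV110W")


if __name__ == "__main__":
    for fingerprint in demo():
        print(fingerprint)
```

The login page and the image are not fingerprints because they never mention the model; only paths whose content carries the model string are kept.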
In this embodiment, when each IP address in the initial IP list is screened in step S3, if the request is returned successfully and the response message includes model information indicating the model of the target device (e.g., RV110W), the corresponding IP address in the initial IP list is written into the final IP list, until all IP addresses have been screened, so as to obtain the final IP list of the target device. An IP address taken from the initial IP list and a fingerprint taken from the model fingerprint list are merged into a URL address; if the HTTP request is returned successfully and the response message contains the device model information (such as RV110W), the IP address matches the device model fingerprint, otherwise it does not. Screening the IP addresses in the initial IP list in this way improves the accuracy and completeness of device model detection and reduces the false-alarm rate.
In this embodiment, the specific steps of step S3 include:
S31, taking an IP address from the initial IP list as the current IP address and taking a fingerprint from the model fingerprint list as the current fingerprint;
S32, merging the current IP address and the current fingerprint into a URL address and sending an HTTP request for verification; if the request is returned successfully and the response message contains model information representing the model of the target equipment, writing the current IP address into the final IP list; proceeding to step S33;
S33, taking the next fingerprint from the model fingerprint list of the target equipment as the current fingerprint and returning to step S32, until the current IP address has been verified against all fingerprints in the model fingerprint list;
S34, taking the next IP address from the initial IP list as the current IP address and returning to step S32, until all the IP addresses in the initial IP list have been verified, the screening yielding the final IP list of the target equipment.
In this embodiment, specifically, the IP addresses (including the ports) are taken in sequence from the initial IP list, and the fingerprint file paths are taken in sequence from the model fingerprint list and merged with them into a URL, for example https://192.168.1.1:8443/lang_pack/en.js, and an http(s) request is sent. If the request is returned successfully and the response message contains a text string indicating the device model (such as RV110W), the IP address matches the device model fingerprint and verification passes; the IP is written into the final IP list and verification continues with the next IP. If verification fails, the next fingerprint is tried for the same IP, and this is repeated until all fingerprints have been tried for that IP. The verification process is repeated until all IPs in the initial IP list have been verified, at which point fingerprint scanning is complete and the final IP list of the equipment is obtained.
In a specific application embodiment, the partial program for implementing the fingerprint scanning is as follows:
    for ip_port in initial IP list:
        for fingerprint_file in device fingerprint list:
            URL1 = http://ip_port/fingerprint_file
            URL2 = https://ip_port/fingerprint_file
            response1 = response message returned by visiting URL1
            response2 = response message returned by visiting URL2
            if (response1 or response2 contains the device model name string):
                write ip_port to the final IP list
                jump out of the inner for loop and test the next ip_port
In this embodiment, a keyword extraction step SA is further included before step S1, with the following specific steps: accessing a Web service port of the target equipment and acquiring the port flag information, and extracting model information representing the model of the target equipment from the port flag information as a first-class keyword; if no first-class keyword is found, step S1 is executed, and if a first-class keyword is found, a search is performed with the first-class keyword to obtain a final IP list of the target equipment. For equipment whose port flag information contains the model information, the model information can be used for searching; for equipment whose port flag information does not contain the model information, the resource file names are used for searching, the search result is taken as an initial IP list, and the steps above are used to screen it into a final IP list so as to reduce missed-report IPs and false-alarm IPs. Equipment can therefore be detected accurately whether or not its flag information contains the model information.
In this embodiment, if a first-class keyword is found in step SA, the method further includes extracting all resource file names in the port flag information as second-class keywords, combining the first-class keyword and the second-class keywords to form a plurality of candidate keywords, and searching with each candidate keyword to obtain a final IP list of the target device. For equipment whose port flag information contains the model information, the resource file names in the port flag information are thus used together with the model information to form the search keywords, which improves the accuracy of detection matching, avoids false alarms such as a website being reported as a device because its homepage contains the device model name, and achieves accurate detection of the model of networked equipment.
In this embodiment, when the plurality of candidate keywords are formed, the first-class keyword and one second-class keyword are connected in series to form one candidate keyword.
In this embodiment, the firmware of the target device is downloaded from the device manufacturer's website and run in emulation; if it cannot be emulated successfully, it is run on a real device. The Web service port of the emulated or real target device is accessed, and the text returned by the device is taken as the port flag information, from which keywords are extracted for searching. If the port flag information contains a character string representing the device model (such as RV110W), that string is used as the first-class keyword; the resource file names in the flag information are also found and used as second-class keywords, and the first-class keyword is connected in series with each second-class keyword to obtain a plurality of candidate keywords. That is, each candidate keyword has the format of the first-class keyword (if it exists) in series with one second-class keyword, so the two classes of keyword are in an "and" relationship, while the candidate keywords are combined in parallel in an "or" relationship, for example:
(RV110W and /lang_pack/EN.js) or (RV110W and /image/BT_Normal.jpg)
The connection symbol for the "or" relationship can be adjusted to the format each search engine defines; if the search engine does not support the "or" relationship, each candidate keyword can be searched for separately and the search results then merged.
If the first-class keyword exists, the result of this search is the final IP list, which contains no false-alarm IPs, and equipment model detection is complete. If there is no first-class keyword, that is, the port flag information contains no model information (in the example above, the string "RV110W" is not in the flag), the search is performed with the resource file names, so the keywords used in the search are /lang_pack/EN.js or /image/BT_Normal.jpg; the method then proceeds to step S1, takes the search result as the initial IP list, and screens it through the subsequent steps to obtain a final IP list from which false-alarm IPs have been removed.
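The keyword extraction of step SA and step S1 as an added Python example (not code from the patent). The regular expression, the function names and both sample port flag texts are constructed for illustration; only RV110W and the two resource paths come from the text above.

```python
import re

# Resource file names with their storage path; the extension is matched
# without distinguishing case, as the embodiment describes.
RESOURCE_RE = re.compile(
    r"(?<![\w./-])(/?(?:[\w.-]+/)*[\w.-]+\.(?:css|js|png|jpg|bmp))(?![\w.-])",
    re.IGNORECASE,
)

# Constructed port flag information (HTTP response text), without the model string.
FLAG_WITHOUT_MODEL = (
    "HTTP/1.1 200 OK\r\nServer: httpd\r\n\r\n"
    '<html><head><script src="/lang_pack/EN.js"></script>'
    '<script src="/lang_pack/EN.js"></script></head>'
    '<body><form action="/login.cgi"><img src="/image/BT_Normal.jpg">'
    '<a href="/data/config.json">cfg</a></form></body></html>'
)
# Same response, but the page also shows the model name.
FLAG_WITH_MODEL = FLAG_WITHOUT_MODEL.replace("<body>", "<body><h1>RV110W</h1>")


def extract_resource_names(flag_text):
    """Second-class keywords: unique resource file names, in order of appearance."""
    seen = []
    for match in RESOURCE_RE.finditer(flag_text):
        name = match.group(1)
        if name not in seen:
            seen.append(name)
    return seen


def build_search_plan(flag_text, model, and_op=" and ", or_op=" or "):
    """Form the candidate keywords and say whether fingerprint screening is needed.

    and_op / or_op are the connection symbols, which differ between search engines.
    """
    resources = extract_resource_names(flag_text)
    has_model = model in flag_text  # first-class keyword present?
    if has_model:
        # Model AND each resource name; with no resource names, the model alone.
        candidates = [f"({model}{and_op}{r})" for r in resources] or [model]
    else:
        # No model information in the flag: search on resource names only (step S1).
        candidates = list(resources)
    return {
        "candidates": candidates,
        "query": or_op.join(candidates),
        # Without a first-class keyword the result is only an initial IP list.
        "needs_fingerprint_screening": not has_model,
    }


if __name__ == "__main__":
    for flag in (FLAG_WITH_MODEL, FLAG_WITHOUT_MODEL):
        plan = build_search_plan(flag, "RV110W")
        print(plan["query"], "| screening needed:", plan["needs_fingerprint_screening"])
```

For an engine without an "or" operator, run each entry of `candidates` as its own query and merge the results, as the embodiment describes.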
As shown in Fig. 2, the detailed process for detecting the model of a networked device with the above method in a specific application embodiment is as follows:
Step 1: download the firmware of the target device from the device manufacturer's website and run it under emulation; if the firmware cannot be emulated successfully, run it on a real device;
Step 2: access the Web service port of the emulated or real target device, take the text returned by the device as the port flag information, and extract keywords from it as follows:
Step 2a: if the port flag information contains a text string representing the device model, take that string as the first-class key word;
Step 2b: search the flag information for resource file names with a regular expression and take them as the second-class key words;
Step 2c: the first-class and second-class key words are concatenated to form several candidate keywords. The keywords used for searching are the candidate keywords joined in parallel, i.e. the relationship between candidate keywords is "OR". Each candidate keyword consists of the first-class key word (if present) concatenated with one second-class key word, i.e. the relationship between the two classes of key words is "AND". The connective symbols for these relationships are determined by the query syntax of the search engine;
Step 2d: if the search engine does not support the "OR" relationship, search with each candidate keyword separately and then merge the search results;
Step 2e: if a first-class key word exists, the search result of step 2d is the final IP list and the process ends; otherwise, the search result is taken as the initial IP list, which contains false-positive IPs, and the process moves to step 3 for screening;
Step 3: preprocess the firmware, i.e. extract the file system from the firmware and locate the Web directory in it;
Step 4: extract the device model fingerprints from the firmware, as follows: search all files in the Web directory for a text string representing the device model; if a file contains it, record the file's path relative to the Web root directory as a fingerprint of this device model; continue until all Web files in all downloaded firmware of the device have been searched, forming the model fingerprint list of this device model;
Step 5: screen the IP addresses in the initial IP list generated in step 2d against the model fingerprint list of the device model to form the final IP list, as follows:
Step 5a: take IP addresses (including ports) from the initial IP list in turn, take fingerprint file paths from the model fingerprint list in turn, and merge each IP address and fingerprint file path into a URL;
Step 5b: if the request is returned successfully and the response message contains a text string representing the device model, the IP address matches the device model fingerprint and verification passes; the IP is written into the final IP list and verification continues with the next IP. Otherwise, verification continues with the next fingerprint for this IP, repeating the judgment until all fingerprints have been verified for this IP;
Step 5c: repeat steps 5a-5b until all IPs in the initial IP list have been verified, which completes the screening.
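Steps 4 and 5 above as an added Python example, not code from the patent. The names `extract_fingerprints`, `screen` and `fetch`, the model string ACME-R100, the sample files and the 192.0.2.0/24 replies are constructed; treating HTTP 200 as a successful return and skipping symlinks in the unpacked firmware are assumptions.

```python
import os
import tempfile

def extract_fingerprints(web_root, model):
    """Step 4: Web-root-relative paths of files that contain the model string."""
    needle, found = model.encode(), []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # unpacked firmware symlinks can point at analyst-host files
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable entry left by the unpacker
            if needle in data:
                rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                found.append("/" + rel)
    return sorted(found)

def screen(initial_hosts, fingerprints, model, fetch):
    """Step 5: keep a host once one fingerprint URL succeeds and names the model."""
    final = []
    for host in initial_hosts:                   # step 5a: host is "ip:port"
        for path in fingerprints:
            status, body = fetch("http://" + host + path)
            if status == 200 and model in body:  # step 5b (200 = "success", assumed)
                final.append(host)
                break                            # verified, move to the next host
    return final

def demo():
    model = "ACME-R100"                          # constructed model string
    with tempfile.TemporaryDirectory() as root:  # constructed Web directory
        os.makedirs(os.path.join(root, "js"))
        pages = {"index.html": "<title>Login</title>",
                 "about.htm": "<td>Model: ACME-R100</td>",
                 "js/dev.js": "var model='ACME-R100';"}
        for rel, text in pages.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        fingerprints = extract_fingerprints(root, model)
    responses = {                                # constructed replies, no network I/O
        "http://192.0.2.10:80/about.htm": (200, "<td>Model: ACME-R100</td>"),
        "http://192.0.2.11:80/about.htm": (200, "<td>Model: ACME-R200</td>"),
        "http://192.0.2.12:8080/js/dev.js": (200, "var model='ACME-R100';"),
    }
    fetch = lambda url: responses.get(url, (404, ""))
    hosts = ["192.0.2.10:80", "192.0.2.11:80", "192.0.2.12:8080"]
    return fingerprints, screen(hosts, fingerprints, model, fetch)

if __name__ == "__main__":
    print(demo())
```

The host at 192.0.2.11 serves the same path but names a different model, so it is dropped as a false positive of the resource-file-name search.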
The embodiment further provides a networking device model detection device based on firmware analysis, which comprises a computer device programmed to execute the steps of the networking device model detection method based on firmware analysis.
The foregoing describes only preferred embodiments of the invention and is not to be construed as limiting the invention in any way. Although the present invention has been described with reference to the preferred embodiments, it is not intended to be limited thereto. Therefore, any simple modification, equivalent change or variation made to the above embodiments according to the technical spirit of the present invention, without departing from the content of the technical scheme of the present invention, should fall within the protection scope of the technical scheme of the present invention.

Claims (8)

1. A networking device model detection method based on firmware analysis is characterized by comprising the following steps:
S1, generating an initial IP list: when the port flag information of the target equipment does not have model information used for representing the model of the target equipment, extracting all resource file names in the port flag information, respectively using all the resource file names as key words to search, and forming an initial IP list by all searched IP addresses;
S2, firmware analysis: acquiring firmware of target equipment, extracting fingerprints containing model information of the target equipment from the acquired firmware, and forming a model fingerprint list of the target equipment by all the extracted fingerprints;
S3, fingerprint scan: respectively taking IP addresses from the initial IP list, taking fingerprints from the model fingerprint list, combining the fingerprints into URL addresses and sending a request, and screening all the IP addresses in the initial IP list according to a response result of the request to obtain a final IP list of the target equipment;
when the fingerprint of the device model is extracted in step S2, by locating the Web directory in the firmware of the target device, searching for a file in the Web directory that has model information indicating the model of the target device, and taking the path of the target file having the model information with respect to the Web root directory as a fingerprint until the search of all files is completed;
when screening the IP addresses in the initial IP list in step S3, if the sent request is returned successfully and the response message includes the model information indicating the model of the target device, writing the corresponding IP address in the initial IP list into the final IP list until all the IP addresses are screened, so as to obtain the final IP list of the target device.
2. The method for detecting the model of a networked device based on firmware analysis according to claim 1, wherein the specific steps of step S2 are as follows:
S21, firmware preprocessing: extracting a file system from the firmware of the target equipment and locating a Web directory in the file system;
S22, fingerprint extraction: searching all files in the Web directory, searching whether model information used for representing the model of target equipment exists in each file, if the model information exists in a target file, acquiring the path of the target file relative to the Web root directory and using the path as a fingerprint, until the search of all files is completed;
S23, fingerprint list generation: all the fingerprints obtained in step S22 constitute a model fingerprint list of the target device.
3. The method for detecting the model of a networked device based on firmware analysis according to claim 2, wherein the specific step of step S3 includes:
S31, taking an IP address from the initial IP list as a current IP address, and taking a fingerprint from the model fingerprint list as a current fingerprint;
S32, merging the current IP address and the current fingerprint into a URL address, sending an HTTP request for verification, and judging whether the request is returned successfully; if so, and if the response message contains model information for representing the model of the target equipment, writing the current IP address into the final IP list; proceeding to step S33;
S33, taking out the next fingerprint from the model fingerprint list of the target equipment as the current fingerprint, and returning to execute step S32 until the verification of the current IP address on all fingerprints in the model fingerprint list is completed;
S34, taking out the next IP address from the initial IP list as the current IP address, returning to execute step S32 until the verification of all the IP addresses in the initial IP list is completed, and screening to obtain the final IP list of the target device.
4. The firmware analysis-based networking device model detection method according to any one of claims 1 to 3, further comprising a keyword extraction step SA before the step S1, the specific steps being: accessing a Web service port of target equipment and acquiring the port flag information, extracting model information used for representing the model of the target equipment from the port flag information and using the model information as a first class key word, if the first class key word is not searched, executing step S1, and if the first class key word is searched, searching by using the first class key word to obtain an IP list of the target equipment.
5. The firmware analysis-based networking device model detection method of claim 4, wherein: if the first class key word is searched in the step SA, extracting all resource file names in the port flag information and using the resource file names as second class key words, combining the first class key word and the second class key words to form a plurality of candidate keywords, and searching by using each candidate keyword respectively to obtain an IP list of the target equipment.
6. The firmware analysis-based networking device model detection method of claim 5, wherein: when a plurality of candidate keywords are formed, the first class key word and a second class key word are specifically connected in series to form one candidate keyword.
7. The networking device model detection method based on firmware analysis according to any one of claims 1 to 3, characterized in that: the resource file name comprises a storage path, and the resource file name comprises one or more types of CSS, JS, PNG, JPG and BMP.
8. A firmware analysis based networking device model detection apparatus comprising a computer device, wherein the computer device is programmed to perform the steps of the firmware analysis based networking device model detection method of any one of claims 1 to 7.
CN201811612328.3A 2018-12-27 2018-12-27 Networking equipment model detection method and device based on firmware analysis Active CN109547294B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811612328.3A CN109547294B (en) 2018-12-27 2018-12-27 Networking equipment model detection method and device based on firmware analysis

Publications (2)

Publication Number Publication Date
CN109547294A CN109547294A (en) 2019-03-29
CN109547294B CN109547294B (en) 2020-10-30

Family

ID=65857308

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811612328.3A Active CN109547294B (en) 2018-12-27 2018-12-27 Networking equipment model detection method and device based on firmware analysis

Country Status (1)

Country Link
CN (1) CN109547294B (en)

Also Published As

Publication number Publication date
CN109547294A (en) 2019-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant