CN111835693A - Vulnerability detection system and detection method for network monitoring camera - Google Patents
Publication number: CN111835693A (application CN201910326681.3A)
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N17/00—Diagnosis, testing or measuring for television systems or their details
- H04N17/002—Diagnosis, testing or measuring for television systems or their details for television cameras
Abstract
The invention discloses a system and a method for detecting vulnerabilities of a network monitoring camera. The system comprises the following modules: a camera identification feature library module, which takes the brand or model of the camera as an index and stores the open services and device features of cameras of various models; a camera host discovery module, which reads the camera identification feature library, sends a specific data packet to the network, and compares whether the returned data packet is consistent with the record in the identification feature library; and a camera vulnerability library module, which takes the network service, or the brand or model of the camera, as an index and stores a plurality of known vulnerability verification scripts. The invention can detect vulnerabilities of a network camera by quickly and accurately identifying the model of the network camera and the network services it provides, so as to discover the security vulnerabilities of the network camera, generate a detection report that can be read by a system administrator or a user, and provide corresponding vulnerability mitigation measures and repair suggestions.
Description
Technical Field
The invention relates to the field of cyberspace security, and in particular to a system and a method for detecting vulnerabilities of a network monitoring camera.
Background
With the development of the Internet of Things, more and more network monitoring camera products are appearing on the market. In public places such as civil aviation airports in particular, demand for network monitoring camera products is very large. However, because camera products are deployed in the local area network and are generally seldom connected to the Internet, and because camera manufacturers are mainly interested in seizing market share, security is often neglected. Moreover, even when a manufacturer releases a security patch, users can hardly tell whether they are affected or how to apply the fix. Existing camera vulnerability detection systems are developed mainly on the basis of Web vulnerability detection systems: they find cameras through port scanning, identify the brand and model, and then carry out remote vulnerability verification against a constructed vulnerability library.
However, first, port scanning is a slow process: the well-known TCP and UDP ports alone number more than 1000, so scanning all of them takes a long time. Meanwhile, an existing camera may shield port scanning tools, so that open ports cannot be effectively detected with Ping scanning or even SYN scanning, and the whole vulnerability detection process stalls at the port scanning stage.
Second, most existing vulnerability library systems are built around camera model numbers, but camera products are numerous and the vulnerability library cannot be updated in real time. Although the theoretical efficiency is high, in practice the supported camera models are limited, so once a new or unknown camera model is encountered the real efficiency is low, and the vulnerability may not be detected at all.
Meanwhile, because many existing vulnerability library systems are organised by service description (a given vulnerability is recorded against a given service), a camera vulnerability library built only around models cannot be compatible with those existing systems and cannot make use of their accumulated results.
Therefore, although the prior art considers the application scenario of camera vulnerability detection, it does not consider the essence of that scenario carefully, so it depends too much on manual maintenance and its practical value is limited.
Disclosure of Invention
The invention aims to provide a system and a method for detecting vulnerabilities of a network monitoring camera, so as to solve the problems described in the background.
In order to achieve the purpose, the invention provides the following technical scheme: a network surveillance camera vulnerability detection system, comprising:
the camera identification feature library module takes the brand or model of the camera as an index, and stores open services of the cameras with various models and equipment features;
the camera host discovery module is used for reading the camera identification feature library, sending a specific data packet to a network, and comparing whether the returned data packet is consistent with the record in the identification feature library;
the camera vulnerability library module takes the network service, or the brand or model of the camera, as an index and stores a plurality of known vulnerability verification scripts;
the camera vulnerability detection module is used for executing a vulnerability verification script and performing vulnerability verification;
and the camera vulnerability detection report generation module is used for generating a vulnerability detection report for a system administrator or a user to read.
Further, the device features stored in the camera identification feature library are a group of data packets, including a specific data packet to be sent and the specific response data packet made by the target device.
A detection method of a vulnerability detection system of a network monitoring camera comprises the following steps:
step S102, reading features: the camera host discovery module reads the camera identification feature library, sends a specific data packet to the network, and compares whether the returned data packet is consistent with the records in the identification feature library, so as to judge whether the packet has been read and information about the target camera host obtained;
step S104, vulnerability detection: according to the model of the camera host obtained in the previous step and its open services, the camera vulnerability detection module selects vulnerability verification scripts from the camera vulnerability library module, so as to reduce the number of scripts to be used, executes the scripts, performs vulnerability verification and judges whether a vulnerability exists;
step S106, report generation: according to the result, the camera vulnerability detection report generation module generates a vulnerability detection report to be read by a system administrator or a user.
Further, in step S102, the method for judging whether the packet has been read and target camera host information obtained is: if the packet comparison result contains a record whose matching degree is higher than the threshold set by the user, the packet is considered read and the information of the target camera host is obtained, giving the specific model of the target camera host; if there is no corresponding record, the user is asked whether to initiate a conventional port scan.
Further, in step S104, the method for judging whether a vulnerability exists is: if the data returned by the target host meets the expectation of the vulnerability verification script, the vulnerability is verified to exist; otherwise, the vulnerability is considered not to exist.
Compared with the prior art, the invention has the beneficial effects that:
1. In terms of system architecture, a camera identification feature library module is added, which stores detailed camera information together with the specific sent datagram and its response data packet, and supports an accurate scanning method based on the identification feature library.
2. In terms of target identification, an accurate scanning mode based on the identification feature library is used instead of the traditional port scanning mode, so that detection efficiency and accuracy are improved. Meanwhile, when the accurate scanning mode is unsuccessful, the method can fall back to the traditional port scanning mode.
3. In the aspect of vulnerability detection, a network service is additionally arranged in the vulnerability database as an index mode, so that the vulnerability database is compatible with a traditional vulnerability database based on a network service index, and vulnerability detection capability is enhanced, particularly vulnerability detection capability under the condition that the model of equipment cannot be identified.
Drawings
FIG. 1 is a schematic diagram of a vulnerability detection system of a network monitoring camera according to the present invention;
FIG. 2 is a main flowchart of a detection method of the vulnerability detection system of the network monitoring camera according to the present invention;
FIG. 3 is a block diagram of a detection method of the vulnerability detection system of the network monitoring camera according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1-3, the present invention provides a technical solution: a network monitoring camera vulnerability detection system and a detection method thereof are disclosed, wherein each module and the implementation method are as follows:
1. Camera identification feature library module
This module takes the brand or model of the camera as an index and stores the open services and device features of cameras of various models. For example, the following is a record in the feature library:
Camera brand: Hikvision
Camera open services: HTTP, HTTPS, SSH, RTSP, FTP
Sent data packet:
Source IP: local host IP
Destination IP: 239.255.255.250
Protocol: UDP
Source port: 37020
Destination port: 37020
UDP payload content:
<?xml version="1.0" encoding="utf-8"?>
<Probe>
<Uuid></Uuid>
<Types>inquiry</Types>
</Probe>
Response data packet:
Source IP: target device IP
Destination IP: local host IP
Protocol: UDP
Source port: 37020
Destination port: 37020
UDP payload content:
<?xml version="1.0" encoding="UTF-8"?>
<ProbeMatch>
<Uuid>[UUID used at the time of transmission]</Uuid>
[detailed information of the device]
</ProbeMatch>
This record is effective for almost all cameras of the Hikvision brand; the detailed device information part can carry the detailed configuration information of the target device. The record was obtained by security analysts analysing the communication protocol of Hikvision cameras, so it has high reliability.
2. Camera host discovery module
This module reads the camera identification feature library, sends a specific data packet to the network, and compares whether the returned data packet is consistent with the record in the identification feature library.
Step S102, reading features: suppose we need to find a Hikvision brand camera, or want to know whether the target camera is of the Hikvision brand. The module only needs to read the record given as an example in 1, send the "sent data packet" part to the network using a framework such as Python Scapy, and wait for a reply on the network. If the returned data packet can be parsed using the format of the response data packet, the camera can be determined to be a Hikvision camera; if there is no reply, or the reply content is not in that format, the possibility of a Hikvision camera can be ruled out. This method can determine whether the camera is a Hikvision camera by sending just one packet, whereas the traditional port scanning approach has to keep sending data packets to different ports to reach the same determination.
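The discovery exchange above, as an added example that is not part of the patent: it builds the probe payload from the feature-library record, parses a constructed reply, and scores the reply against the record to give the matching degree that step S102 compares with the user-set threshold. The scoring fields, the 0.8 default threshold and the sample reply are assumptions; no packet is sent.

```python
import uuid
import xml.etree.ElementTree as ET

# Feature-library record transcribed from the page (index: camera brand).
HIKVISION_RECORD = {
    "brand": "Hikvision",
    "open_services": ["HTTP", "HTTPS", "SSH", "RTSP", "FTP"],
    # "sent data packet" part of the record
    "send": {"dst_ip": "239.255.255.250", "proto": "UDP", "sport": 37020, "dport": 37020},
    # "response data packet" part of the record
    "expect": {"proto": "UDP", "sport": 37020, "dport": 37020, "root": "ProbeMatch"},
}


def build_probe(probe_uuid: str) -> bytes:
    """UDP payload of the probe, carrying the Uuid the reply is expected to echo."""
    xml = (
        '<?xml version="1.0" encoding="utf-8"?>'
        "<Probe><Uuid>{u}</Uuid><Types>inquiry</Types></Probe>"
    ).format(u=probe_uuid)
    return xml.encode("utf-8")


def parse_probe_match(payload: bytes, root_tag: str = "ProbeMatch"):
    """Parse a reply payload; return its child elements as a dict, or None
    when the reply is not in the ProbeMatch format (non-XML or another root)."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return None
    if root.tag != root_tag:
        return None
    return {child.tag: (child.text or "").strip() for child in root}


def matching_degree(record, reply_meta, payload: bytes, sent_uuid: str) -> float:
    """Fraction of record checks satisfied by a reply (assumed scoring:
    protocol, source port, destination port, payload format, echoed Uuid)."""
    expect = record["expect"]
    info = parse_probe_match(payload, expect["root"])
    checks = [
        reply_meta.get("proto") == expect["proto"],
        reply_meta.get("sport") == expect["sport"],
        reply_meta.get("dport") == expect["dport"],
        info is not None,
        info is not None and info.get("Uuid") == sent_uuid,
    ]
    return sum(checks) / len(checks)


def identify(record, reply_meta, payload: bytes, sent_uuid: str, threshold: float = 0.8):
    """Step S102 decision: device information when the matching degree reaches
    the user-set threshold, else None (the page then asks the user whether to
    fall back to a conventional port scan)."""
    if matching_degree(record, reply_meta, payload, sent_uuid) >= threshold:
        return parse_probe_match(payload, record["expect"]["root"])
    return None


# Constructed sample exchange (nothing is sent; a real run would hand
# build_probe() to a UDP socket or Scapy and pass the captured reply here).
SENT_UUID = str(uuid.uuid4())
SAMPLE_REPLY_META = {"proto": "UDP", "sport": 37020, "dport": 37020}
SAMPLE_REPLY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<ProbeMatch><Uuid>{u}</Uuid><DeviceType>IPC</DeviceType>"
    "<DeviceSN>CONSTRUCTED-SN-0001</DeviceSN></ProbeMatch>"
).format(u=SENT_UUID).encode("utf-8")

if __name__ == "__main__":
    print("identified:", identify(HIKVISION_RECORD, SAMPLE_REPLY_META, SAMPLE_REPLY, SENT_UUID))
```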
3. Camera vulnerability library module
The vulnerability library takes the network service, or the brand or model of the camera, as an index and stores a plurality of known vulnerability verification scripts. For example, the following is a record in the vulnerability library:
Vulnerability CVE numbers: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880
Vulnerability applicable brand: Hikvision
Vulnerability applicable service: RTSP service
Vulnerability level: critical
Vulnerability verification script: hikvision_rtsp_buffer_overflow_poc
Vulnerability hazard: because Hikvision monitoring devices improperly process RTSP (Real Time Streaming Protocol) requests, an attacker exploiting this vulnerability can carry out a denial of service attack on the device, or even directly obtain the highest privileges on the device.
Vulnerability repair method: update the device firmware.
Vulnerability mitigation measures: close the RTSP service, or have the firewall block the RTSP default port from the external network.
4. Camera vulnerability detection module
Step S104, vulnerability detection: according to the model of the camera host obtained in the previous step and its open services, the number of scripts to be used is reduced; the vulnerability verification scripts are then executed to perform vulnerability verification. If the data returned by the target host meets the expectation of the vulnerability verification script, the vulnerability is verified to exist; otherwise, the vulnerability is considered not to exist.
Vulnerability detection works in one of two modes: a general detection mode (vulnerability verification is performed as precisely as possible, to favour speed) and a wide detection mode (as many vulnerability verification scripts as possible are tried, to favour comprehensiveness), meeting the requirements of different scenarios.
In the general detection mode: the vulnerability verification script stored in the camera vulnerability library module is only started to attempt vulnerability verification if the target device was detected to be of the Hikvision brand in step S102.
In the wide detection mode: if step S102 could not identify a specific camera brand, or identified a brand other than Hikvision, but did identify that the device has the RTSP service open, then, considering that cameras of different brands sometimes share the same service and may have similar vulnerabilities, the system still tries the script. This improves compatibility and detection results for cameras of unknown brand.
If the system cannot identify the camera brand in step S102, it automatically switches to the wide detection mode.
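Script selection in the two detection modes, as an added example that is not the patent's code: the library is indexed by brand and by service, general mode requires a brand match (plus the entry's service being open), wide mode also accepts a service match alone, and an unidentified brand switches to wide mode automatically. The second library entry, the placeholder script names, the fake runner and the report fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class VulnEntry:
    """One record of the camera vulnerability library, indexed by brand
    and/or by network service (either index may be absent)."""
    cves: tuple
    brand: Optional[str]
    service: Optional[str]
    level: str
    script: str
    fix: str
    mitigation: str


# First entry transcribed from the page; second entry is a constructed,
# brand-agnostic record of the kind a traditional service-indexed library
# contributes (placeholder identifiers, not a real vulnerability).
LIBRARY = [
    VulnEntry(
        cves=("CVE-2014-4878", "CVE-2014-4879", "CVE-2014-4880"),
        brand="Hikvision", service="RTSP", level="critical",
        script="hikvision_rtsp_buffer_overflow_poc",
        fix="Update device firmware",
        mitigation="Close the RTSP service, or block the RTSP default port at the firewall",
    ),
    VulnEntry(
        cves=("CVE-PLACEHOLDER",), brand=None, service="FTP", level="medium",
        script="PLACEHOLDER_ftp_service_check",
        fix="PLACEHOLDER", mitigation="PLACEHOLDER",
    ),
]


def select_scripts(library: List[VulnEntry], brand: Optional[str],
                   open_services: List[str], mode: str = "general") -> List[VulnEntry]:
    """Pick the library entries to run for one host.
    general: brand must match, and the entry's service (if any) must be open.
    wide: a brand match OR an open matching service is enough.
    An unidentified brand (None) switches to wide mode automatically."""
    if brand is None:
        mode = "wide"
    chosen = []
    for e in library:
        brand_hit = e.brand is not None and e.brand == brand
        service_hit = e.service is not None and e.service in open_services
        if mode == "general":
            if brand_hit and (e.service is None or service_hit):
                chosen.append(e)
        elif brand_hit or service_hit:
            chosen.append(e)
    return chosen


def verify_and_report(host: str, entries: List[VulnEntry],
                      run_script: Callable[[str, str], bool]) -> List[dict]:
    """Steps S104/S106: run each selected script (run_script returns True when
    the host's reply meets the script's expectation) and build report rows
    that carry the fix and mitigation only for verified findings."""
    rows = []
    for e in entries:
        vulnerable = run_script(host, e.script)
        rows.append({
            "host": host, "cves": ", ".join(e.cves), "level": e.level,
            "result": "vulnerable" if vulnerable else "not vulnerable",
            "fix": e.fix if vulnerable else "",
            "mitigation": e.mitigation if vulnerable else "",
        })
    return rows


def fake_runner(host: str, script: str) -> bool:
    """Constructed stand-in for script execution: contacts no host, and simply
    reports the Hikvision RTSP script as matched so the report path is shown."""
    return script == "hikvision_rtsp_buffer_overflow_poc"
```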
5. Camera vulnerability detection report generation module
Step S106, report generation: generate a user-friendly, readable vulnerability detection report.
The invention performs vulnerability detection on the network camera by quickly and accurately identifying the model of the network camera and the network services it provides, so as to discover the security vulnerabilities of the network camera, generate a detection report that can be read by a system administrator or a user, and provide corresponding vulnerability mitigation measures and repair suggestions.
Compared with a traditional camera vulnerability library, the vulnerability library module in the system provided by the invention, because it introduces the network service type as an index, scans cameras of known models faster, is more compatible with unfamiliar camera models, and makes it convenient to import samples from existing network vulnerability libraries.
Compared with traditional Web vulnerability scanning systems and host vulnerability scanning systems, the vulnerability detection module in the system provided by the invention can discover the security vulnerabilities and weaknesses of network monitoring cameras more effectively and with better targeting, and provide corresponding vulnerability mitigation measures and repair suggestions.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (5)
1. A network surveillance camera vulnerability detection system, characterized in that it comprises:
the camera identification feature library module takes the brand or model of the camera as an index, and stores open services of the cameras with various models and equipment features;
the camera host discovery module is used for reading the camera identification feature library, sending a specific data packet to a network, and comparing whether the returned data packet is consistent with the record in the identification feature library;
the camera vulnerability library module takes the network service, or the brand or model of the camera, as an index and stores a plurality of known vulnerability verification scripts;
the camera vulnerability detection module is used for executing a vulnerability verification script and performing vulnerability verification;
and the camera vulnerability detection report generation module is used for generating a vulnerability detection report for a system administrator or a user to read.
2. The system of claim 1, wherein the device features stored in the camera identification feature library are a set of data packets, including a specific data packet to be sent and the specific response data packet made by the target device.
3. A detection method of a vulnerability detection system of a network monitoring camera is characterized by comprising the following steps:
step S102, reading features: the camera host discovery module reads the camera identification feature library, sends a specific data packet to the network, and compares whether the returned data packet is consistent with the records in the identification feature library, so as to judge whether the packet has been read and information about the target camera host obtained;
step S104, vulnerability detection: according to the model of the camera host obtained in the previous step and its open services, the camera vulnerability detection module selects vulnerability verification scripts from the camera vulnerability library module, so as to reduce the number of scripts to be used, executes the scripts, performs vulnerability verification and judges whether a vulnerability exists;
step S106, report generation: according to the result, the camera vulnerability detection report generation module generates a vulnerability detection report to be read by a system administrator or a user.
4. The method according to claim 3, wherein in step S102 the method for judging whether the packet has been read and target camera host information obtained is: if the packet comparison result contains a record whose matching degree is higher than the threshold set by the user, the packet is considered read and the information of the target camera host is obtained, giving the specific model of the target camera host; if there is no corresponding record, the user is asked whether to initiate a conventional port scan.
5. The method for detecting vulnerabilities of a network monitoring camera according to claim 3, wherein in step S104 the method for judging whether a vulnerability exists is: if the data returned by the target host meets the expectation of the vulnerability verification script, the vulnerability is verified to exist; otherwise, the vulnerability is considered not to exist.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910326681.3A CN111835693A (en) | 2019-04-23 | 2019-04-23 | Vulnerability detection system and detection method for network monitoring camera |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111835693A true CN111835693A (en) | 2020-10-27 |
Family
ID=72912392
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20201027 |