CN113132366A - Method, system, storage medium and computer device for interactive protocol reversal - Google Patents


Publication number
CN113132366A
Authority
CN
China
Prior art keywords
data
data packet
client
server
response
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110376221.9A
Other languages
Chinese (zh)
Other versions
CN113132366B (en)
Inventor
李进
王辉
魏文昭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen 3600 Smart Life Technology Co ltd
Original Assignee
Shenzhen Qihu Intelligent Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Communication Control (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of data processing and provides an interactive protocol reversal method comprising the following steps: acquiring a data packet sent by a client; detecting whether an interactive network environment exists between the client and the server; if the network environment exists, dividing the data packet into regions according to a preset reference rule, and changing the data block of each region in turn to generate a corresponding plurality of changed data packets; and analyzing the field information of the corresponding data block according to the response the server generates after receiving each changed data packet. A system for interactive protocol reversal, a storage medium storing a computer program for performing the method, and a computer device implementing the method are also provided. The invention can thereby improve the success rate and efficiency of protocol reversal.

Description

Method, system, storage medium and computer device for interactive protocol reversal
Technical Field
The present invention relates to the field of data processing technologies, and in particular to a method, a system, a storage medium, and a computer device for interactive protocol reversal.
Background
Reverse engineering of unknown protocols has long been a topic in network security. It mainly targets encrypted or private network protocols and analyzes the format, syntax and semantics of the protocol, so that specific user behavior using the protocol can be identified on gateway equipment. Concretely, the message of a data packet is divided according to the protocol format, and the specific meaning of each part of the content in that format is obtained.
At present there are two approaches to reversing unknown protocols: one based on network traffic, and one based on decompiling the client program. Traditional traffic-based reversal is static analysis and does not interact with the client or server that uses the protocol during the analysis; because of the limits of static analysis, its accuracy is not high and its results cannot be verified well.
The conventional method therefore has many problems in practical use and needs to be improved.
Disclosure of Invention
In view of the foregoing drawbacks, the present invention provides an interactive protocol reversal method, system, storage medium and computer device that improve the success rate and efficiency of protocol reversal.
To achieve the above object, the present invention provides a method for interactive protocol reversal, comprising the steps of:
acquiring a data packet sent by a client;
detecting whether an interactive network environment exists between the client and the server;
if the network environment exists, carrying out region division on the data packet according to a preset reference rule, and sequentially changing the data blocks corresponding to each region to respectively generate a plurality of corresponding changed data packets;
and analyzing the field information of the corresponding data block according to the response generated after the server receives the change data packet.
Optionally, the obtaining the data packet sent by the client specifically includes:
and acquiring the data packet sent by the client in a packet capturing mode.
Optionally, the step of detecting whether an interactive network environment exists between the client and the server specifically includes:
and detecting whether the server generates a response after receiving the data packet sent by the client, wherein if the server generates the response, the interactive network environment exists.
Optionally, if the network environment exists, the step of performing area division on the data packet according to a preset reference rule, and sequentially changing the data blocks corresponding to each area to generate a plurality of corresponding changed data packets specifically includes:
dividing the data packet into a plurality of regions according to the reference rule;
acquiring at least one change data corresponding to each region;
and sequentially replacing the data blocks of each region of the data packet with the corresponding change data so as to respectively generate a plurality of corresponding change data packets.
Optionally, the step of obtaining at least one change data corresponding to each of the areas includes:
and extracting at least one change data configured in the corresponding area from a preset database.
Optionally, the step of sequentially replacing the data blocks of each region of the data packet with the corresponding change data to generate a plurality of corresponding change data packets respectively specifically includes:
and respectively constructing the change data packets corresponding to the replaced areas according to the areas where the data blocks which are replaced in sequence are located.
Optionally, the step of analyzing the field information of the corresponding data block according to the response generated by the server after receiving the change data packet specifically includes:
detecting a response return state and/or response content of the server after receiving the change data packet;
and analyzing the field information of the data block replaced by the change data packet according to the response return state and/or the response content.
Optionally, after the step of analyzing the field information of the corresponding data block according to the response generated by the server after receiving the change data packet, the method further includes:
and identifying the protocol content of the data packet according to the field information of each data block of the data packet.
Also provided is a system for interactive protocol reversal, comprising:
the acquisition unit is used for acquiring a data packet sent by a client;
the interaction detection unit is used for detecting whether an interactive network environment exists between the client and the server;
the division changing unit is used for carrying out region division on the data packets according to a preset reference rule and sequentially changing the data blocks corresponding to the regions to respectively generate a plurality of corresponding changed data packets if the network environment exists;
and the response analysis unit is used for analyzing the field information of the corresponding data block according to the response generated after the server receives the change data packet.
Optionally, the obtaining unit is specifically configured to:
and acquiring the data packet sent by the client in a packet capturing mode.
Optionally, the interaction detection unit is specifically configured to:
and detecting whether the server generates a response after receiving the data packet sent by the client, wherein if the server generates the response, the interactive network environment exists.
Optionally, the partition changing unit specifically includes:
a dividing subunit, configured to divide the data packet into a plurality of regions according to the reference rule;
a data acquiring subunit, configured to acquire at least one change data corresponding to each of the areas;
and the data replacement subunit is configured to sequentially replace the data blocks of each region of the data packet with the corresponding change data, so as to generate a plurality of corresponding change data packets respectively.
Optionally, the data obtaining subunit is specifically configured to:
and extracting at least one change data configured in the corresponding area from a preset database.
Optionally, the data replacement subunit is specifically configured to:
and respectively constructing the change data packets corresponding to the replaced areas according to the areas where the data blocks which are replaced in sequence are located.
Optionally, the response analysis unit specifically includes:
the response detection subunit is used for detecting the response return state and/or the response content of the server after receiving the change data packet;
and the data analysis subunit is used for analyzing the field information of the data block replaced by the change data packet according to the response return state and/or the response content.
Optionally, the method further includes:
and the protocol identification unit is used for identifying the protocol content of the data packet according to the field information of each data block of the data packet.
In addition, a storage medium and a computer device are provided, the storage medium storing a computer program for executing the above interactive protocol reversal method.
The computer device comprises a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the method for reversing the interactive protocol described above when executing the computer program.
The method and the system for interactive protocol reversal acquire a data packet sent by a client; detect whether an interactive network environment exists between the client and the server; if the network environment exists, divide the data packet into regions according to a preset reference rule and change the data block of each region in turn to generate a corresponding plurality of changed data packets; and analyze the field information of the corresponding data block according to the response generated after the server receives each changed data packet. The invention therefore interacts with the client/server using the protocol during reversal and reverses the protocol through the interaction results, which improves accuracy and allows the result to be verified in real time during the process.
Drawings
FIG. 1 is a flowchart illustrating the steps of a method for interactive protocol reversal according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating the steps of the division and change procedure of the method for interactive protocol reversal according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating the steps of response analysis of the method for interactive protocol reversal according to an embodiment of the present invention;
FIG. 4 is a block diagram illustrating a system for interactive protocol reversal according to an embodiment of the present invention;
FIG. 5 is a block diagram illustrating the structure of the division changing unit of the system for interactive protocol reversal according to an embodiment of the present invention;
FIG. 6 is a block diagram illustrating the structure of the response analysis unit of the system for interactive protocol reversal according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It should be noted that references in the specification to "one embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not intended to refer to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
Moreover, where certain terms are used throughout the description and following claims to refer to particular components or features, those skilled in the art will understand that manufacturers may refer to a component or feature by different names or terms. This specification and the claims that follow do not intend to distinguish between components or features that differ in name but not function. In the following description and in the claims, the terms "include" and "comprise" are used in an open-ended fashion, and thus should be interpreted to mean "include, but not limited to". In addition, the term "connected" as used herein includes any direct and indirect electrical connection. Indirect electrical connection means include connection by other means.
Fig. 1 illustrates a method for reversing an interactive protocol provided in an embodiment of the present invention, including:
Step S101: acquiring a data packet sent by a client; the data packet carries the protocol to be reversed. In a specific implementation, step S101 includes acquiring the data packet sent by the client by packet capture, so that the specific protocol content to be reversed is obtained first. For example, for an unknown network protocol, the client sends packet A as follows:
3366000800081001000000000100000052000000000203000000ff000000651002030000001d6f30466e5876726b326b525a53734a4e4e7047326b63496e4f5a4b3100000000000000000000000100000000
Step S102: detecting whether an interactive network environment exists between the client and the server. Optionally, step S102 includes detecting whether the server generates a response after receiving the data packet sent by the client; if the server generates a response, the interactive network environment exists. For example, data packet A is sent from the client to the server, and if the server generates a response on receiving it, an interactive network environment is confirmed to exist between the client and the server. That is, data packet A is sent by constructing the packet and the server is observed for a response; if the server responds, an interactive network environment is judged to exist and the subsequent work proceeds. In a specific implementation, after the server receives data packet A, the data packet B with which it responds is:
336600080008100201000000010000003000000010021048614a41394858517638476b5556573800000004000000000061c1d9b1276ba954cb3d4b438e236251
Step S103: if the network environment exists, dividing the data packet into regions according to a preset reference rule, and changing the data block of each region in turn to generate a corresponding plurality of changed data packets. The reference rule comprises a protocol segmentation rule for the data packet and a predicted type for each region; the reference rule can be configured according to a preset reference data packet.
Step S104: analyzing the field information of the corresponding data block according to the response generated after the server receives the changed data packet. The field information of the replaced data block is analyzed and deduced from the interaction result the server produces for the changed data packet; the field information includes the protocol format, specific semantics and value range. That is, this embodiment interacts with the client/server using the protocol during reversal and reverses the protocol through the interaction results, which improves accuracy and allows the result to be verified in real time during the process.
Referring to fig. 2, in an embodiment, step S103 specifically includes:
Step S1031: dividing the data packet into a plurality of regions according to the reference rule. In a specific implementation, the protocol content of the data packet is divided into a plurality of specific regions; each region contains one data block, i.e., the packet is divided into data blocks.
Step S1032: acquiring at least one piece of change data corresponding to each region.
Optionally, step S1032 specifically includes extracting, from a preset database, at least one piece of change data configured for the corresponding region. The database stores in advance change data for any specific region of the data packet, and this step preferentially extracts change data that differs from the original data block; by changing the data block of a specific region, the type information of that region can be analyzed from the new packet's subsequent interaction with the server.
Step S1033: sequentially replacing the data block of each region of the data packet with the corresponding change data, so as to generate a corresponding plurality of changed data packets. That is, for each region the original data block is replaced by other data; after the data block of a region is replaced, a corresponding changed data packet can be constructed, so if the data packet is divided into 5 regions, at least 5 changed data packets can be constructed.
Optionally, step S1033 specifically includes constructing, for each region whose data block is replaced in turn, the changed data packet corresponding to that region. If the header 336600 of the above packet A is changed to 000000, the reconstructed packet A1 is:
0000000800081001000000000100000052000000000203000000ff000000651002030000001d6f30466e5876726b326b525a53734a4e4e7047326b63496e4f5a4b3100000000000000000000000100000000
Referring to FIG. 3, in an embodiment, step S104 specifically includes:
S1041: detecting the response return state and/or response content of the server after it receives the changed data packet. That is, the client transmits to the server a changed packet in which a specific region has been changed, and the server's feedback is detected, such as whether a response is generated and what kind of response it is.
S1042: analyzing the field information of the data block replaced in the changed data packet according to the response return state and/or the response content. From the server's feedback on the constructed packet in which a specific region was replaced, the field information represented by the data block of that region is analyzed, such as the protocol format, specific semantics and value range.
The data blocks in different regions each have specific analysis and judgment rules. For example, after the constructed packet A1 is sent to the server, the server is found not to respond to the request; 336600 can therefore be determined to be a defined field of the protocol, because the protocol is fixed to begin with 336600, and if a packet does not begin with 336600 the server will not respond. As another example, for the 0065 position in data packet A, checking the server's responses after changing the data many times shows that the server only responds to a value range 0063 and 0066; this part of the data can then be inferred to be a variable identification field of the protocol, whose range is 0036 and 0065. After the data is changed, the changed data packet is retransmitted; in a specific implementation, the specific semantics, namely the type information, of the currently changed data region can be analyzed and judged according to the matching information configured in the reference rule. The response analysis can be performed manually or automatically.
Optionally, after step S104, the method further includes identifying the protocol content of the data packet according to the field information of each data block of the data packet. After the content of each region of the data packet is identified, the complete protocol content of the data packet can be analyzed from all the field information.
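Steps S101 to S104 as described above, run offline as an added example; this is not code from the patent. It uses packet A as printed in step S101 and an in-process stand-in for the server. The region boundaries, the change-data table, the stand-in server and its accepted range 0063 through 0066 are assumptions made for the illustration.

```python
"""Steps S101-S104 run against a constructed in-process server (no network)."""

# Packet A exactly as printed in step S101.
PACKET_A = bytes.fromhex(
    "3366000800081001000000000100000052000000000203000000ff0000006510"
    "02030000001d6f30466e5876726b326b525a53734a4e4e7047326b63496e4f5a"
    "4b31" "0000000000000000" "0000000100000000"
)
MAGIC = bytes.fromhex("336600")

# The page names the value 0065 but gives no offset, so locate it in packet A.
ID_OFF = PACKET_A.index(bytes.fromhex("0065"))

# Hypothetical reference rule (S1031): (region name, start, end).
# Only "magic" and "ident" are fields the page discusses; the rest is filler.
REFERENCE_RULE = [
    ("magic", 0, 3),
    ("middle", 3, ID_OFF),
    ("ident", ID_OFF, ID_OFF + 2),
    ("rest", ID_OFF + 2, len(PACKET_A)),
]

# Constructed "preset database" of change data per region (S1032).
CHANGE_DB = {
    "magic": [bytes(3)],  # 000000, the change that produces packet A1
    "ident": [n.to_bytes(2, "big") for n in range(0x0060, 0x006A)],
}


def mock_server(packet):
    """Constructed stand-in server: silent unless the packet starts with
    336600 and the ident value lies in the assumed range 0063..0066."""
    if packet[:3] != MAGIC:
        return None
    ident = int.from_bytes(packet[ID_OFF:ID_OFF + 2], "big")
    if not 0x0063 <= ident <= 0x0066:
        return None
    return b"constructed-response"


def has_interactive_environment(send, packet):
    """S102: the environment is interactive if the unmodified packet is answered."""
    return send(packet) is not None


def build_change_packets(packet, rule, db):
    """S103: yield (region, change, changed_packet), one region changed at a time."""
    for name, start, end in rule:
        original = packet[start:end]
        for change in db.get(name, []):
            # Skip no-op changes and changes that would shift later regions.
            if change == original or len(change) != len(original):
                continue
            yield name, change, packet[:start] + change + packet[end:]


def analyse(send, packet, rule, db):
    """S104: classify each region from whether the server answered the change."""
    observed = {}
    for name, change, changed in build_change_packets(packet, rule, db):
        answered = send(changed) is not None
        observed.setdefault(name, []).append((change.hex(), answered))
    report = {}
    for name, start, end in rule:
        original = packet[start:end].hex()
        tests = observed.get(name)
        if not tests:
            report[name] = {"kind": "untested", "accepted": [original]}
            continue
        accepted = [value for value, answered in tests if answered]
        if not accepted:
            kind = "fixed"          # every tested change silenced the server
        elif len(accepted) == len(tests):
            kind = "unconstrained"  # the server answered every tested change
        else:
            kind = "constrained"    # only some values are answered
        report[name] = {"kind": kind, "accepted": sorted(accepted + [original])}
    return report


if __name__ == "__main__":
    if has_interactive_environment(mock_server, PACKET_A):
        for region, info in analyse(
            mock_server, PACKET_A, REFERENCE_RULE, CHANGE_DB
        ).items():
            print(region, info["kind"], info["accepted"])
```

A "fixed" verdict only means that no tested change was answered; with a single change value for the header, as here, it is evidence rather than proof, which is why step S1032 allows several change values per region.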
FIG. 4 shows a system 100 for interactive protocol reversal according to an embodiment of the present invention, which includes an acquiring unit 10, an interaction detection unit 20, a division changing unit 30, and a response analysis unit 40, where:
the acquiring unit 10 is configured to acquire a data packet sent by a client; the interaction detection unit 20 is configured to detect whether an interactive network environment exists between the client and the server; the division changing unit 30 is configured to, if the network environment exists, divide the data packet into regions according to a preset reference rule and change the data block of each region in turn to generate a corresponding plurality of changed data packets; the response analysis unit 40 is configured to analyze the field information of the corresponding data block according to the response generated by the server after receiving the changed data packet.
The field information of the replaced data block is analyzed and deduced from the interaction result the server produces for the changed data packet; the field information includes the protocol format, specific semantics and value range. That is, this embodiment interacts with the client/server using the protocol during reversal and reverses the protocol through the interaction results, which improves accuracy and allows the result to be verified in real time during the process.
This embodiment provides an interactive mode of protocol reversal, characterized in that it interacts with the client/server using the protocol during reversal; the reversal can be performed manually or automatically from the interaction results, accuracy is improved, and the result can be verified in real time during the process.
Optionally, the obtaining unit 10 is specifically configured to: and acquiring the data packet sent by the client in a packet capturing mode.
Optionally, the interaction detecting unit 20 is specifically configured to: and detecting whether the server generates a response after receiving the data packet sent by the client, wherein if the server generates the response, the interactive network environment exists.
Referring to FIG. 5, in one embodiment, the division changing unit 30 includes a dividing subunit 301, a data acquiring subunit 302, and a data replacing subunit 303, where:
the dividing subunit 301 is configured to divide the data packet into a plurality of regions according to the reference rule; the data acquiring subunit 302 is configured to acquire at least one piece of change data corresponding to each of the regions; the data replacing subunit 303 is configured to sequentially replace the data block of each region of the data packet with the corresponding change data, so as to generate a corresponding plurality of changed data packets.
Optionally, the data obtaining subunit 302 is specifically configured to: and extracting at least one change data configured in the corresponding area from a preset database.
Optionally, the data replacing subunit 303 is specifically configured to: and respectively constructing the change data packets corresponding to the replaced areas according to the areas where the data blocks which are replaced in sequence are located.
Referring to fig. 6, in an alternative embodiment, the response analyzing unit 40 includes a response detecting subunit 401 and a data analyzing subunit 402, wherein:
the response detection subunit 401 is configured to detect a response return state and/or response content of the server after receiving the change data packet; the data analysis subunit 402 is configured to analyze, according to the response return status and/or the response content, field information of the data block replaced by the change data packet.
Optionally, the apparatus further includes a protocol identification unit, configured to identify protocol content of the data packet according to the field information of each data block of the data packet.
The present invention also provides a storage medium for storing a computer program for the method of interactive protocol reversal described in FIGS. 1-3, for example computer program instructions which, when executed by a computer, may invoke or otherwise provide methods and/or techniques in accordance with the present application through the operation of the computer. Program instructions which invoke the methods of the present application may be stored on fixed or removable storage media and/or transmitted via a data stream over a broadcast or other signal-bearing medium and/or stored on a storage medium of a computer device operating in accordance with the program instructions. Here, according to an embodiment of the present application, a computer device including a system for interactive protocol reversal as shown in FIG. 4 preferably includes a storage medium for storing a computer program and a processor for executing the computer program, wherein when the computer program is executed by the processor, the computer device is triggered to execute a method and/or a technical solution according to the foregoing embodiments.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, implemented using Application Specific Integrated Circuits (ASICs), general purpose computers or any other similar hardware devices. In one embodiment, the software programs of the present application may be executed by a processor to implement the above steps or functions. Likewise, the software programs (including associated data structures) of the present application may be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Additionally, some of the steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
The method according to the invention can be implemented on a computer as a computer-implemented method, or in dedicated hardware, or in a combination of both. Executable code for the method according to the invention or parts thereof may be stored on a computer program product. Examples of computer program products include memory devices, optical storage devices, integrated circuits, servers, online software, and so forth. Preferably, the computer program product comprises non-transitory program code means stored on a computer readable medium for performing the method according to the invention when said program product is executed on a computer.
In a preferred embodiment, the computer program comprises computer program code means adapted to perform all the steps of the method according to the invention when the computer program is run on a computer. Preferably, the computer program is embodied on a computer readable medium.
In summary, the method and system for interactive protocol reversal described in the present invention acquire the data packet sent by the client; detect whether an interactive network environment exists between the client and the server; if the network environment exists, divide the data packet into regions according to a preset reference rule and change the data block of each region in turn to generate a corresponding plurality of changed data packets; and analyze the field information of the corresponding data block according to the response generated after the server receives each changed data packet. The invention therefore interacts with the client/server using the protocol during reversal and reverses the protocol through the interaction results, which improves accuracy and allows the result to be verified in real time during the process.
The present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof, and it should be understood that various changes and modifications can be effected therein by one skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.
Also provided is a1, a method for interactive protocol reversal, comprising the steps of:
acquiring a data packet sent by a client;
detecting whether an interactive network environment exists between the client and the server;
if the network environment exists, carrying out region division on the data packet according to a preset reference rule, and sequentially changing the data blocks corresponding to each region to respectively generate a plurality of corresponding changed data packets;
and analyzing the field information of the corresponding data block according to the response generated after the server receives the change data packet.
A2, the method for interactive protocol reversal according to A1, wherein acquiring the data packet sent by the client specifically comprises:
acquiring the data packet sent by the client by packet capture.
A3, the method for interactive protocol reversal according to A1, wherein the step of detecting whether an interactive network environment exists between the client and the server specifically comprises:
detecting whether the server generates a response after receiving the data packet sent by the client, wherein if the server generates the response, the interactive network environment exists.
A4, the method for interactive protocol reversal according to A1, wherein the step of, if the network environment exists, performing region division on the data packet according to a preset reference rule and sequentially changing the data blocks corresponding to each region to respectively generate a plurality of corresponding changed data packets specifically comprises:
dividing the data packet into a plurality of regions according to the reference rule;
acquiring at least one change data corresponding to each region;
and sequentially replacing the data blocks of each region of the data packet with the corresponding change data so as to respectively generate a plurality of corresponding change data packets.
A5, the method for interactive protocol reversal according to A4, wherein the step of acquiring at least one change data corresponding to each region specifically comprises:
extracting, from a preset database, at least one change data configured for the corresponding region.
A6, the method for interactive protocol reversal according to A4, wherein the step of sequentially replacing the data blocks of each region of the data packet with the corresponding change data to respectively generate a plurality of corresponding change data packets specifically comprises:
constructing, according to the region in which each sequentially replaced data block is located, the change data packet corresponding to that replaced region.
A7, the method for interactive protocol reversal according to A1, wherein the step of analyzing the field information of the corresponding data block according to the response generated by the server after receiving the change data packet specifically comprises:
detecting a response return state and/or response content of the server after receiving the change data packet;
and analyzing the field information of the data block replaced by the change data packet according to the response return state and/or the response content.
A8, the method for interactive protocol reversal according to any one of A1 to A7, wherein the step of analyzing the field information of the corresponding data block according to the response generated by the server after receiving the change data packet further comprises:
identifying the protocol content of the data packet according to the field information of each data block of the data packet.
B9, a system for interactive protocol reversal, comprising:
the acquisition unit is used for acquiring a data packet sent by a client;
the interaction detection unit is used for detecting whether an interactive network environment exists between the client and the server;
the division changing unit is used for carrying out region division on the data packets according to a preset reference rule and sequentially changing the data blocks corresponding to the regions to respectively generate a plurality of corresponding changed data packets if the network environment exists;
and the response analysis unit is used for analyzing the field information of the corresponding data block according to the response generated after the server receives the change data packet.
B10, the system for interactive protocol reversal according to B9, wherein the acquisition unit is specifically configured to:
acquire the data packet sent by the client by packet capture.
B11, the system for interactive protocol reversal according to B9, wherein the interaction detection unit is specifically configured to:
detect whether the server generates a response after receiving the data packet sent by the client, wherein if the server generates the response, the interactive network environment exists.
B12, the system for interactive protocol reversal according to B9, wherein the division changing unit specifically includes:
a dividing subunit, configured to divide the data packet into a plurality of regions according to the reference rule;
a data acquiring subunit, configured to acquire at least one change data corresponding to each of the regions;
and a data replacement subunit, configured to sequentially replace the data blocks of each region of the data packet with the corresponding change data, so as to generate a plurality of corresponding change data packets respectively.
B13, the system for interactive protocol reversal according to B12, wherein the data acquiring subunit is specifically configured to:
extract, from a preset database, at least one change data configured for the corresponding region.
B14, the system for interactive protocol reversal according to B12, wherein the data replacement subunit is specifically configured to:
construct, according to the region in which each sequentially replaced data block is located, the change data packet corresponding to that replaced region.
B15, the system for interactive protocol reversal according to B9, wherein the response analysis unit specifically comprises:
a response detection subunit, configured to detect the response return state and/or the response content of the server after receiving the change data packet;
and a data analysis subunit, configured to analyze the field information of the data block replaced by the change data packet according to the response return state and/or the response content.
B16, the system for interactive protocol reversal according to any one of B9 to B15, further comprising:
a protocol identification unit, configured to identify the protocol content of the data packet according to the field information of each data block of the data packet.
Also provided is C17, a storage medium storing a computer program for performing the method for interactive protocol reversal of any one of A1 to A8.
Also provided is D18, a computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, the processor implementing the method for interactive protocol reversal of any one of A1 to A8 when executing the computer program.

Claims (10)

1. A method for interactive protocol reversal, comprising the steps of:
acquiring a data packet sent by a client;
detecting whether an interactive network environment exists between the client and the server;
if the network environment exists, carrying out region division on the data packet according to a preset reference rule, and sequentially changing the data blocks corresponding to each region to respectively generate a plurality of corresponding changed data packets;
and analyzing the field information of the corresponding data block according to the response generated after the server receives the change data packet.
2. The method of claim 1, wherein acquiring the data packet sent by the client specifically comprises:
acquiring the data packet sent by the client by packet capture.
3. The method according to claim 1, wherein the step of detecting whether an interactive network environment exists between the client and the server specifically comprises:
detecting whether the server generates a response after receiving the data packet sent by the client, wherein if the server generates the response, the interactive network environment exists.
4. The method according to claim 1, wherein the step of, if the network environment exists, performing region division on the data packet according to a preset reference rule and sequentially changing the data blocks corresponding to each region to respectively generate a plurality of corresponding changed data packets specifically comprises:
dividing the data packet into a plurality of regions according to the reference rule;
acquiring at least one change data corresponding to each region;
and sequentially replacing the data blocks of each region of the data packet with the corresponding change data so as to respectively generate a plurality of corresponding change data packets.
5. A system for interactive protocol reversal, comprising:
the acquisition unit is used for acquiring a data packet sent by a client;
the interaction detection unit is used for detecting whether an interactive network environment exists between the client and the server;
the division changing unit is used for carrying out region division on the data packets according to a preset reference rule and sequentially changing the data blocks corresponding to the regions to respectively generate a plurality of corresponding changed data packets if the network environment exists;
and the response analysis unit is used for analyzing the field information of the corresponding data block according to the response generated after the server receives the change data packet.
6. The system according to claim 5, wherein the acquisition unit is specifically configured to:
acquire the data packet sent by the client by packet capture.
7. The system of claim 5, wherein the interaction detection unit is specifically configured to:
detect whether the server generates a response after receiving the data packet sent by the client, wherein if the server generates the response, the interactive network environment exists.
8. The system according to claim 5, wherein the division changing unit specifically includes:
a dividing subunit, configured to divide the data packet into a plurality of regions according to the reference rule;
a data acquiring subunit, configured to acquire at least one change data corresponding to each of the areas;
and the data replacement subunit is configured to sequentially replace the data blocks of each region of the data packet with the corresponding change data, so as to generate a plurality of corresponding change data packets respectively.
9. A storage medium storing a computer program for executing the method for interactive protocol reversal of any of claims 1 to 4.
10. A computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the method for interactive protocol reversal of any of claims 1-4 when executing the computer program.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110376221.9A CN113132366B (en) 2021-04-07 2021-04-07 Method, system, storage medium and computer device for interactive protocol reversal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110376221.9A CN113132366B (en) 2021-04-07 2021-04-07 Method, system, storage medium and computer device for interactive protocol reversal

Publications (2)

Publication Number Publication Date
CN113132366A true CN113132366A (en) 2021-07-16
CN113132366B CN113132366B (en) 2023-03-21

Family

ID=76775271

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110376221.9A Active CN113132366B (en) 2021-04-07 2021-04-07 Method, system, storage medium and computer device for interactive protocol reversal

Country Status (1)

Country Link
CN (1) CN113132366B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105763392A (en) * 2016-02-19 2016-07-13 中国人民解放军理工大学 Industrial control protocol fuzzing test method based on protocol state
CN110505111A (en) * 2019-07-09 2019-11-26 杭州电子科技大学 Industrial control protocol fuzz testing method based on traffic replay
CN111327636A (en) * 2020-03-10 2020-06-23 西北工业大学 S7-300PLC private protocol reverse method relating to network security
CN111723181A (en) * 2020-06-17 2020-09-29 国家计算机网络与信息安全管理中心 Industrial control protocol reverse analysis method based on active learning

Also Published As

Publication number Publication date
CN113132366B (en) 2023-03-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 518000, 3rd Floor, Building A2, Nanshan Zhiyuan, No. 1001 Xueyuan Avenue, Changyuan Community, Taoyuan Street, Nanshan District, Shenzhen, Guangdong Province

Patentee after: Shenzhen 3600 Smart Life Technology Co.,Ltd.

Country or region after: China

Address before: 518000 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.)

Patentee before: SHENZHEN QIHU INTELLIGENT TECHNOLOGY CO.,LTD.

Country or region before: China