CN113259208B - Operating system fingerprint information security detection method and device based on SMB protocol - Google Patents


Info

Publication number
CN113259208B
Authority
CN
China
Prior art keywords
data
smbv2
data packet
operating system
message
Prior art date
Legal status
Active
Application number
CN202110787966.4A
Other languages
Chinese (zh)
Other versions
CN113259208A (en)
Inventor
沈毅
郑敬华
李阳
胡淼
于璐
许成喜
施凡
马健
Current Assignee
National University of Defense Technology
Original Assignee
National University of Defense Technology
Priority date
Filing date
Publication date
Application filed by National University of Defense Technology
Priority to CN202110787966.4A
Publication of CN113259208A
Application granted
Publication of CN113259208B
Legal status: Active
Anticipated expiration

Classifications

    • H04L 43/10: Active monitoring, e.g. heartbeat, ping or trace-route (under H04L 43/00, arrangements for monitoring or testing data switching networks)
    • G06F 8/71: Version control; configuration management (under G06F 8/70, software maintenance or management)
    • H04L 43/065: Generation of reports related to network devices (under H04L 43/06, generation of reports)
    • H04L 43/18: Protocol analysers (under H04L 43/00, arrangements for monitoring or testing data switching networks)

Abstract

The invention provides an operating system fingerprint information security detection method and device based on the SMB protocol. The method comprises the following steps: detecting and determining the protocol type; constructing the SMBv1 structure and instantiating it; parsing the data in the SMBv2 message and extracting verification information from it; constructing data packets that probe the host name and the host operating system; receiving the returned negotiation data packet; parsing the data in the SMBv2 message; and extracting workgroup information, host name information and operating system version information from that data. According to the method, a legal probe data packet is constructed for each protocol version, and fingerprint detection aimed at the operating system is realized.

Description

Operating system fingerprint information security detection method and device based on SMB protocol
Technical Field
The invention relates to the field of network security, in particular to a method and a device for the security detection of operating system fingerprint information based on the SMB protocol.
Background
Network asset detection is the process of tracking and keeping an inventory of network assets. It generally comprises host discovery, IP address discovery, host port detection, operating system fingerprinting, service identification, network architecture identification and the like; it is an important prerequisite for network security management and has wide application value in security-related work. On the one hand, from the perspective of network asset management, asset detection provides the information basis for work such as unifying software and hardware versions and updating and upgrading software and equipment. Outdated software versions can be found through asset detection, response measures can be started precisely according to the latest threat intelligence, and the threats posed by existing vulnerabilities can be avoided; unauthorized assets can be found, which makes timely analysis and handling easier and minimizes the losses caused by security problems. On the other hand, an attacker can also use asset detection to find a defender's weak points and carry out targeted attacks.
Operating system fingerprinting is one of the important aspects of asset detection; generally, operating system fingerprinting identifies operating system version information in a probabilistic form. Current mainstream operating system fingerprinting techniques comprise fingerprint scanning based on the TCP/IP protocol stack and scanning based on the SMB protocol. Scanning tools such as Nmap that rely on TCP/IP stack fingerprints need to run with root or administrator privileges: a raw socket is constructed by modifying TCP messages, the received responses are judged, and the operating system fingerprint is identified probabilistically. The other approach is operating system fingerprint detection through the SMB protocol, which requires connecting to port 445 of the remote host. Zoomeye, Shodan, Censys, FOFA and the like are publicly known asset detection platforms worldwide; the number of hosts with port 445 open, as queried from the Zoomeye and FOFA platforms respectively, is 11,039,833 and 1,481,614. Currently, tools that support SMB detection include Nmap, Meterpreter and the like; the host name and detailed operating system information of a remote host can be detected through the SMB protocol. Analysis shows that these tools generally only support detection over the SMBv1 protocol, while Windows 2012 and later operating systems do not support SMBv1 by default, so existing SMB-based detection cannot acquire fingerprint information of newer operating systems such as Windows 2012, Windows 2016, Windows 2019 and Windows 10.
The existing operating system fingerprinting technique based on protocol stack scanning generally needs to run with the highest system privileges, identifies the operating system only probabilistically, and cannot acquire information such as the host name and workgroup. The existing operating system fingerprint detection technique based on the SMB protocol is only suitable for the SMBv1 protocol and does not support the SMBv2 protocol.
Disclosure of Invention
In order to solve the above technical problems and improve asset detection capability, the invention provides an operating system fingerprint information security detection method and device based on the SMB protocol, which support both the SMBv1 and SMBv2 protocols and realize fingerprint identification covering Windows XP through the latest Windows 10.
According to a first aspect of the present invention, there is provided an operating system fingerprint information security detection method based on an SMB protocol, the method including the following steps:
step S101: constructing SMBv1 negotiation data and sending it to the remote host; if the negotiation succeeds, determining that the operating system of the remote host supports the SMBv1 protocol and proceeding to step S104; otherwise proceeding to step S102;
step S102: constructing SMBv2 negotiation data and sending it to the remote host; if the negotiation succeeds, determining that the operating system of the remote host supports the SMBv2 protocol and proceeding to step S105; otherwise proceeding to step S103;
step S103: determining that the open port of the target server is in an abnormal state, and ending the method;
step S104: constructing data packets that probe the host name and the host operating system, constructing the SMBv1 structure and instantiating it, sending the constructed data packets to port 445 of the remote host, receiving the data returned by the remote host, extracting the data according to the instantiated SMBv1 structure, and ending the method;
step S105: constructing and sending an SMBv2 negotiation data packet, receiving the negotiation data packet returned by the remote host, parsing the data in the SMBv2 message of that packet, and judging whether subsequent data packets need to be signed; if so, extracting the signature verification data and proceeding to step S106; if not, proceeding to step S107;
step S106: constructing and sending data packets that probe the host name and the host operating system, signing the probe data packets according to the negotiated signature algorithm, and proceeding to step S108;
step S107: constructing and sending data packets that probe the host name and the host operating system;
step S108: receiving the SMBv2-format message data packet returned by the remote host, parsing the data in that packet, and extracting the workgroup information, host name information and operating system version information from it.
According to a second aspect of the present invention, there is provided an operating system fingerprint information security detection apparatus based on an SMB protocol, the apparatus comprising:
a first judgment module: configured to construct SMBv1 negotiation data and send it to the remote host, and, if the negotiation succeeds, to determine that the operating system of the remote host supports the SMBv1 protocol;
a second judgment module: configured to construct SMBv2 negotiation data and send it to the remote host, and, if the negotiation succeeds, to determine that the operating system of the remote host supports the SMBv2 protocol;
a determination module: configured to determine that the open port of the target server is in an abnormal state;
an SMBv1 build module: configured to construct data packets that probe the host name and the host operating system, construct the SMBv1 structure and instantiate it, send the constructed data packets to port 445 of the remote host, receive the data returned by the remote host, and extract the data according to the instantiated SMBv1 structure;
an SMBv2 build module: configured to construct and send an SMBv2 negotiation data packet, receive the negotiation data packet returned by the remote host, parse the data in the SMBv2 message of that packet, judge whether subsequent data packets need to be signed, and, if so, extract the signature verification data;
a first packet construction module: configured to construct and send data packets that probe the host name and the host operating system, and to sign the probe data packets according to the negotiated signature algorithm;
a second packet construction module: configured to construct and send data packets that probe the host name and the host operating system;
and a result returning module: configured to receive the SMBv2-format message data packet returned by the remote host, parse the data in that packet, and extract the workgroup information, host name information and operating system version information from it.
According to a third aspect of the present invention, there is provided an operating system fingerprint information security detection system based on SMB protocol, including:
a processor for executing a plurality of instructions;
a memory to store a plurality of instructions;
the instructions being stored in the memory and loaded and executed by the processor to perform the operating system fingerprint information security detection method based on the SMB protocol as described above.
According to a fourth aspect of the present invention, there is provided a computer readable storage medium having a plurality of instructions stored therein, the instructions being loaded and executed by a processor to perform the operating system fingerprint information security detection method based on the SMB protocol.
According to this scheme, and aimed at the low universality and limited detection range of existing SMB-based operating system fingerprint detection, fingerprint detection of mainstream Windows operating systems is realized by first identifying the SMB protocol version and then constructing legal probe data packets for each version. The following effects are mainly realized: (1) judging whether the port opened by the remote host supports the SMB protocol; (2) judging which SMB protocol version the remote host supports; (3) constructing, based on the identified SMB protocol version, a data packet that probes the host name and workgroup; (4) constructing, based on the identified SMB protocol version, a data packet that probes the operating system version. After the device is run, the host name and detailed operating system version information of the remote host can be printed out.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention. In the drawings:
fig. 1 is a flowchart of an operating system fingerprint information security detection method based on the SMB protocol according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an operating system fingerprint information security detection method based on the SMB protocol according to an embodiment of the present invention;
fig. 3 is a schematic flow diagram of SMBv1-based detection according to an embodiment of the present invention;
fig. 4 is a schematic diagram of the SMBv2-based data packet structure according to an embodiment of the present invention;
fig. 5 is a schematic flow diagram of SMBv2-based detection according to an embodiment of the present invention;
fig. 6 is a block diagram of an operating system fingerprint information security detection apparatus based on the SMB protocol according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the specific embodiments of the present invention and the accompanying drawings. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Firstly, an operating system fingerprint information security detection method based on the SMB protocol is described as an embodiment of the present invention with reference to fig. 1-2. The method comprises the following steps:
step S101: constructing SMBv1 negotiation data and sending it to the remote host; if the negotiation succeeds, determining that the operating system of the remote host supports the SMBv1 protocol and proceeding to step S104; otherwise proceeding to step S102;
step S102: constructing SMBv2 negotiation data and sending it to the remote host; if the negotiation succeeds, determining that the operating system of the remote host supports the SMBv2 protocol and proceeding to step S105; otherwise proceeding to step S103;
step S103: determining that the open port of the target server is in an abnormal state, and ending the method;
step S104: constructing data packets that probe the host name and the host operating system, constructing the SMBv1 structure and instantiating it, sending the constructed data packets to port 445 of the remote host, receiving the data returned by the remote host, extracting the data according to the instantiated SMBv1 structure, and ending the method;
step S105: constructing and sending an SMBv2 negotiation data packet, receiving the negotiation data packet returned by the remote host, parsing the data in the SMBv2 message of that packet, and judging whether subsequent data packets need to be signed; if so, extracting the signature verification data and proceeding to step S106; if not, proceeding to step S107;
step S106: constructing and sending data packets that probe the host name and the host operating system, signing the probe data packets according to the negotiated signature algorithm, and proceeding to step S108;
step S107: constructing and sending data packets that probe the host name and the host operating system;
step S108: receiving the SMBv2-format message data packet returned by the remote host, parsing the data in that packet, and extracting the workgroup information, host name information and operating system version information from it.
In this embodiment, the purpose of steps S101 to S103 is to determine the SMB version. Based on analysis of the SMB protocol header structure, SMBv1 negotiation data is constructed first; if the negotiation succeeds, SMBv1 is supported. Otherwise SMBv2 negotiation data is constructed; if that negotiation succeeds, SMBv2 is supported, and otherwise the open port of the target server is judged abnormal and the method exits. The current SMBv3 protocol is built on SMBv2 and cannot operate independently, so the probe only needs to identify SMBv2.
For SMBv1 and SMBv2 respectively, data packets are constructed and data is acquired according to the protocol of each version.
As shown in fig. 3, operating systems such as Windows XP, Windows 2003, Windows Vista, Windows 7 and Windows 2008 can generally be identified by extracting data according to the instantiated, structured SMBv1 structure.
Step S104 (constructing data packets that probe the host name and the host operating system, constructing the SMBv1 structure and instantiating it, sending the constructed data packets to port 445 of the remote host, receiving the data returned by the remote host, extracting the data according to the instantiated SMBv1 structure, and ending the method) comprises the following steps:
step S1041: constructing the data packets that probe the host name and the host operating system, which are Negotiate message format data and Session Setup message format data respectively;
step S1042: constructing the SMBv1 header structure, which comprises the SMB protocol header, the message type, the message status and the message data field;
step S1043: filling the structured Negotiate message format data and Session Setup message format data into the message data field of the SMBv1 header structure respectively;
step S1044: filling the remaining fields of the SMBv1 header structure and setting the command word;
step S1045: constructing and filling the NetBIOS header structure, which consists of a data type and a data length;
step S1046: sending the filled NetBIOS header, SMBv1 header and message data to port 445 of the remote host;
step S1047: receiving the data returned by the remote host;
step S1048: extracting the data according to the constructed SMBv1 structure.
Step S105 (constructing and sending an SMBv2 negotiation data packet, receiving the negotiation data packet returned by the remote host, parsing the data in the SMBv2 message of that packet, judging whether subsequent data packets need to be signed, and if so extracting the signature verification data and proceeding to step S106, otherwise proceeding to step S107) is carried out as follows.
As shown in fig. 4, a data packet in SMBv2 format consists of a NetBIOS header, which carries the length of all subsequent data; an SMBv2 header, whose command field determines the type of the SMBv2 message and which must be followed both when constructing a probe data packet and when parsing a returned data packet; and the SMBv2 message itself, which for a negotiation data packet is Negotiate message format data.
Constructing and sending the SMBv2 negotiation data packet comprises:
setting the command field in the SMBv2 header to 0x00, that is, building the SMBv2 message data in the negotiation message format, since the message is a negotiation message.
Step S106 (constructing and sending data packets that probe the host name and/or the host operating system, signing the probe data packets according to the negotiated signature algorithm, and proceeding to step S108) comprises:
setting the command field in the SMBv2 header to 0x01, that is, building the SMBv2 message data in the session setup message format, since the message is a session setup message, and signing the data packet according to the negotiated signature algorithm.
Step S107 (constructing and sending data packets that probe the host name and the host operating system) comprises:
setting the command field in the SMBv2 header to 0x01, that is, building the SMBv2 message data in the session setup message format, since the message is a session setup message.
The main flow of SMBv2-based detection is shown in fig. 5; typically, operating systems such as Windows 2012, Windows 2016, Windows 2019 and Windows 10 can be identified.
In this embodiment the remote host supports the SMB protocol, and data packets are constructed according to the characteristics of each protocol version. The data signing mechanism is enabled by default in SMBv2, so the corresponding signature algorithm must be implemented according to the SMBv2 protocol. Compared with v1, SMBv2 has much improved security, which also increases the difficulty of constructing legal data packets. The invention realizes identification of the detailed fingerprint of the Windows operating system through deep analysis and reproduction of the SMB protocol.
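The patent does not say where in the returned session setup packet (step S108) the workgroup, host name and operating system version are carried. On Windows hosts that negotiate NTLM, they sit in the NTLM CHALLENGE_MESSAGE embedded in the security buffer of the Session Setup response (MS-NLMP 2.2.1.2): the TargetInfo AV_PAIR list holds the NetBIOS and DNS names, and the Version field holds the major, minor and build numbers. The following added Python, not the inventors' code, extracts those fields. The sample message is constructed in the block; a few opaque bytes stand in for the SPNEGO wrapper, and the NTLM blob is located by searching for its signature, which is a shortcut over a proper ASN.1 decode of the negTokenResp.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_CHALLENGE_MESSAGE = 2
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001      # TargetName is UTF-16LE rather than OEM
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000  # TargetInfo AV_PAIR list is present
NTLMSSP_NEGOTIATE_VERSION = 0x02000000      # 8-byte Version field is present
# AV_PAIR ids (MS-NLMP 2.2.2.1); AV string values are always UTF-16LE.
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN, AV_DNS_COMPUTER, AV_DNS_DOMAIN, AV_TIMESTAMP = 0, 1, 2, 3, 4, 7


def parse_av_pairs(blob: bytes) -> dict:
    """Walk the TargetInfo list of (AvId, AvLen, value) entries up to the EOL entry,
    refusing an entry whose length runs past the blob."""
    pairs, off = {}, 0
    while True:
        if off + 4 > len(blob):
            raise ValueError("TargetInfo ends without an EOL entry")
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == AV_EOL:
            return pairs
        if off + av_len > len(blob):
            raise ValueError(f"AV_PAIR {av_id} overruns TargetInfo")
        pairs[av_id] = blob[off:off + av_len]
        off += av_len


def parse_ntlm_challenge(security_buffer: bytes) -> dict:
    """Locate the CHALLENGE_MESSAGE inside a session setup security buffer and return the
    fields a fingerprinting tool reports: NetBIOS computer/domain, DNS names, OS version."""
    start = security_buffer.find(NTLMSSP_SIGNATURE)
    if start < 0:
        raise ValueError("no NTLMSSP message in security buffer")
    msg = security_buffer[start:]
    if len(msg) < 48:
        raise ValueError("truncated CHALLENGE_MESSAGE")
    _, msg_type, tn_len, _, tn_off, flags, _, _, ti_len, _, ti_off = struct.unpack(
        "<8sIHHII8s8sHHI", msg[:48])
    if msg_type != NTLM_CHALLENGE_MESSAGE:
        raise ValueError(f"NTLM message type {msg_type} is not a CHALLENGE")
    if tn_off + tn_len > len(msg) or ti_off + ti_len > len(msg):
        raise ValueError("payload offsets run past the message")
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    result = {"target_name": msg[tn_off:tn_off + tn_len].decode(encoding)}
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(msg) >= 56:
        major, minor, build, _, _ = struct.unpack("<BBH3sB", msg[48:56])
        result["os_version"] = f"{major}.{minor}.{build}"
    pairs = parse_av_pairs(msg[ti_off:ti_off + ti_len]) if flags & NTLMSSP_NEGOTIATE_TARGET_INFO else {}

    def text(av_id: int):
        return pairs[av_id].decode("utf-16-le") if av_id in pairs else None

    result.update(hostname=text(AV_NB_COMPUTER), workgroup=text(AV_NB_DOMAIN),
                  dns_hostname=text(AV_DNS_COMPUTER), dns_domain=text(AV_DNS_DOMAIN))
    return result


def _av(av_id: int, value: bytes) -> bytes:
    return struct.pack("<HH", av_id, len(value)) + value


def build_sample_challenge() -> bytes:
    """Constructed CHALLENGE_MESSAGE (not captured traffic) for a host named SRV01 in
    workgroup WORKGROUP reporting OS version 10.0 build 17763; all names are made up."""
    def u16(s: str) -> bytes:
        return s.encode("utf-16-le")
    target_name = u16("WORKGROUP")
    target_info = (_av(AV_NB_DOMAIN, u16("WORKGROUP")) + _av(AV_NB_COMPUTER, u16("SRV01"))
                   + _av(AV_DNS_DOMAIN, u16("example.test"))
                   + _av(AV_DNS_COMPUTER, u16("srv01.example.test"))
                   + _av(AV_TIMESTAMP, struct.pack("<Q", 0x01d7000000000000)) + _av(AV_EOL, b""))
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION
    version = struct.pack("<BBH3sB", 10, 0, 17763, b"\x00" * 3, 15)
    tn_off = 48 + len(version)          # payload starts right after the fixed header and Version
    ti_off = tn_off + len(target_name)
    header = struct.pack("<8sIHHII8s8sHHI", NTLMSSP_SIGNATURE, NTLM_CHALLENGE_MESSAGE,
                         len(target_name), len(target_name), tn_off, flags,
                         b"\x01" * 8, b"\x00" * 8, len(target_info), len(target_info), ti_off)
    return header + version + target_name + target_info


# Opaque stand-in bytes for the SPNEGO wrapper that precedes the NTLM blob on the wire.
SAMPLE_SECURITY_BUFFER = b"\xa1\x81\xc0\x30\x81\xbd" + build_sample_challenge()

if __name__ == "__main__":
    print(parse_ntlm_challenge(SAMPLE_SECURITY_BUFFER))
```

The parser returns the raw major.minor.build triple; mapping it to a product name (and distinguishing, say, a client from a server build) is a lookup table the tool has to maintain separately, which is why such tools report the version probabilistically when the table has no exact match.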
Aimed at the low universality and limited detection range of existing SMB-based operating system fingerprint detection, the invention realizes fingerprint detection of mainstream Windows operating systems by first identifying the SMB protocol version and then constructing legal probe data packets for each version.
The embodiment of the invention further provides an operating system fingerprint information security detection device based on the SMB protocol, as shown in fig. 6, the device comprises:
a first judgment module: configured to construct SMBv1 negotiation data and send it to the remote host, and, if the negotiation succeeds, to determine that the operating system of the remote host supports the SMBv1 protocol;
a second judgment module: configured to construct SMBv2 negotiation data and send it to the remote host, and, if the negotiation succeeds, to determine that the operating system of the remote host supports the SMBv2 protocol;
a determination module: configured to determine that the open port of the target server is in an abnormal state;
an SMBv1 build module: configured to construct data packets that probe the host name and the host operating system, construct the SMBv1 structure and instantiate it, send the constructed data packets to port 445 of the remote host, receive the data returned by the remote host, and extract the data according to the instantiated SMBv1 structure;
an SMBv2 build module: configured to construct and send an SMBv2 negotiation data packet, receive the negotiation data packet returned by the remote host, parse the data in the SMBv2 message of that packet, judge whether subsequent data packets need to be signed, and, if so, extract the signature verification data;
a first packet construction module: configured to construct and send data packets that probe the host name and the host operating system, and to sign the probe data packets according to the negotiated signature algorithm;
a second packet construction module: configured to construct and send data packets that probe the host name and the host operating system;
and a result returning module: configured to receive the SMBv2-format message data packet returned by the remote host, parse the data in that packet, and extract the workgroup information, host name information and operating system version information from it.
The embodiment of the invention further provides an operating system fingerprint information security detection system based on the SMB protocol, comprising:
a processor for executing a plurality of instructions;
a memory to store a plurality of instructions;
the instructions being stored in the memory and loaded and executed by the processor to perform the operating system fingerprint information security detection method based on the SMB protocol as described above.
The embodiment of the invention further provides a computer readable storage medium in which a plurality of instructions are stored, the instructions being loaded and executed by a processor to perform the operating system fingerprint information security detection method based on the SMB protocol.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
An integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions that enable a computer device (which may be a personal computer, a physical server, or a network cloud server, and which needs a Windows or Windows Server operating system installed) to perform some of the steps of the method according to the various embodiments of the present invention. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and any simple modification, equivalent change and modification made to the above embodiment according to the technical spirit of the present invention are still within the scope of the technical solution of the present invention.

Claims (10)

1. An operating system fingerprint information security detection method based on SMB protocol is characterized by comprising the following steps:
step S101: constructing SMBv1 negotiation data and sending it to the remote host; if the negotiation succeeds, determining that the operating system of the remote host supports the SMBv1 protocol and proceeding to step S104; otherwise proceeding to step S102;
step S102: constructing SMBv2 negotiation data and sending it to the remote host; if the negotiation succeeds, determining that the operating system of the remote host supports the SMBv2 protocol and proceeding to step S105; otherwise proceeding to step S103;
step S103: determining that the open port of the target server is in an abnormal state, and ending the method;
step S104: constructing data packets that probe the host name and the host operating system, constructing the SMBv1 structure and instantiating it, sending the constructed data packets to port 445 of the remote host, receiving the data returned by the remote host, extracting the data according to the instantiated SMBv1 structure, and ending the method;
step S105: constructing and sending an SMBv2 negotiation data packet, receiving the negotiation data packet returned by the remote host, parsing the data in the SMBv2 message of that packet, and judging whether subsequent data packets need to be signed; if so, extracting the signature verification data and proceeding to step S106; if not, proceeding to step S107;
step S106: constructing and sending data packets that probe the host name and the host operating system, signing the probe data packets according to the negotiated signature algorithm, and proceeding to step S108;
step S107: constructing and sending data packets that probe the host name and the host operating system;
step S108: receiving the SMBv2-format message data packet returned by the remote host, parsing the data in that packet, and extracting the workgroup information, host name information and operating system version information from it.
2. The SMB protocol-based operating system fingerprint information security detection method of claim 1, wherein step S104 (constructing a data packet for probing the host name and the host operating system, constructing an SMBv1 structure and instantiating it, sending the constructed data packet to port 445 of the remote host, receiving the data returned by the remote host, extracting the data according to the instantiated SMBv1 structure, and ending the method) comprises the following steps:
step S1041: constructing the data packets for probing the host name and the host operating system, the data packets being Negotiate message format data and Session Setup message format data respectively;
step S1042: constructing an SMBv1 header structure, the structure comprising an SMB protocol header, a message type, a message status and a message data field;
step S1043: filling the structured Negotiate message format data and Session Setup message format data into the message data field of the SMBv1 header structure respectively;
step S1044: filling the remaining fields of the SMBv1 header structure and setting the command word;
step S1045: constructing and filling a NetBios header structure, the structure consisting of a data type and a data length;
step S1046: sending the filled NetBios header, SMBv1 header and message data to port 445 of the remote host;
step S1047: receiving the data returned by the remote host;
step S1048: extracting the data according to the constructed SMBv1 structure.
3. The SMB protocol-based operating system fingerprint information security detection method of claim 2, wherein a data packet in SMBv2 format is composed of a NetBios header, an SMBv2 header, an SMBv2 message and other additional data, wherein the length of all following data is set in the NetBios header, the command field in the SMBv2 header structure determines the type of the SMBv2 message, this structure must be followed both when constructing the probe data packet and when parsing the returned data packet, the SMBv2 message is a negotiation data packet, and the other additional data is Negotiate message format data.
4. The SMB protocol-based operating system fingerprint information security detection method of claim 3, wherein said constructing and sending an SMBv2 negotiation packet comprises:
setting the command field in the SMBv2 header to 0x00, that is, constructing the SMBv2 message data according to the negotiation data message format for the negotiation data message.
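The packet layout that claims 3 and 4 describe (a NetBios header carrying the length of everything after it, an SMBv2 header whose command field selects the message type, command 0x00 for NEGOTIATE) and the signing decision of step S105 in claim 1 can be checked with a small parser. The following Python is an added example and is not code from the patent or its applicant; the field offsets follow the published MS-SMB2 (2.2.1.2 and 2.2.4) and MS-CIFS specifications, the function names and the `Smb2Header` dataclass are this example's own, and every byte string it handles is constructed inline rather than captured from a server. It also covers the SMBv1/SMBv2 magic check that steps S101 and S102 rely on. On the defensive side the same parser, run over captured traffic, reads the server's SecurityMode and so flags servers that still accept unsigned SMBv2 sessions or still answer SMBv1 negotiation.

```python
"""Parse NetBIOS-framed SMB packets: tell SMBv1 from SMBv2 by the protocol id,
decode the 64-byte SMBv2 header, and for a NEGOTIATE response read the
SecurityMode bits that decide whether later messages must be signed.
All byte strings built here are constructed for the example, not captured."""
import struct
from dataclasses import dataclass

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000            # SMBv2 Command value for NEGOTIATE (claim 4)
SMB2_FLAGS_SERVER_TO_REDIR = 0x1   # Flags bit set on every response
SIGNING_ENABLED = 0x0001           # NEGOTIATE response SecurityMode bits
SIGNING_REQUIRED = 0x0002


@dataclass
class Smb2Header:
    command: int
    status: int
    flags: int
    message_id: int
    session_id: int
    body: bytes                    # everything after the fixed 64-byte header


def split_netbios(packet: bytes) -> bytes:
    """Strip the NetBIOS session header: type 0x00 plus a 3-byte big-endian length."""
    if len(packet) < 4 or packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    if len(packet) - 4 < length:
        raise ValueError("NetBIOS length field exceeds the data present")
    return packet[4:4 + length]


def smb_version(smb: bytes) -> int:
    """1 for an SMBv1 message, 2 for SMBv2/3 (same header layout), 0 otherwise."""
    if smb.startswith(SMB1_MAGIC):
        return 1
    if smb.startswith(SMB2_MAGIC):
        return 2
    return 0


def parse_smb2_header(smb: bytes) -> Smb2Header:
    """Unpack the fixed SMBv2 header; the trailing 16-byte Signature is skipped."""
    if len(smb) < SMB2_HEADER_LEN or not smb.startswith(SMB2_MAGIC):
        raise ValueError("not an SMBv2 message")
    (size, _credit_charge, status, command, _credits, flags, _next_cmd,
     message_id, _reserved, _tree_id, session_id) = struct.unpack_from(
        "<HHIHHIIQIIQ", smb, 4)
    if size != SMB2_HEADER_LEN:
        raise ValueError("bad SMBv2 StructureSize")
    return Smb2Header(command, status, flags, message_id, session_id,
                      smb[SMB2_HEADER_LEN:])


def parse_negotiate_response(hdr: Smb2Header) -> dict:
    """Read DialectRevision and SecurityMode from a NEGOTIATE response body."""
    if hdr.command != SMB2_NEGOTIATE or not hdr.flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    size, security_mode, dialect = struct.unpack_from("<HHH", hdr.body, 0)
    if size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    return {"dialect": dialect,
            "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}


def classify_packet(packet: bytes) -> dict:
    """Dispatch one received packet the way steps S101/S102/S105 do."""
    smb = split_netbios(packet)
    version = smb_version(smb)
    result = {"version": version}
    if version == 2:
        hdr = parse_smb2_header(smb)
        result["command"] = hdr.command
        if hdr.command == SMB2_NEGOTIATE:
            result.update(parse_negotiate_response(hdr))
    elif version == 1:
        result["command"] = smb[4]   # SMBv1 Command byte follows the 4-byte magic
    return result


def build_sample_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed SMBv2 NEGOTIATE response (0x0210 = SMB 2.1) in a NetBIOS frame."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", SMB2_HEADER_LEN, 0, 0,
                                      SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
                                      0, 0, 0, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0)     # size, mode, dialect, rsvd
    body += b"\x00" * 16                                           # ServerGuid (zeroed here)
    body += struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)  # Capabilities, Max* sizes
    body += struct.pack("<QQHHI", 0, 0, 0, 0, 0) + b"\x00"         # times, sec. buffer, Buffer
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    print(classify_packet(build_sample_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED)))
```

Running the block prints the decoded view of the constructed response: protocol version 2, command 0 (NEGOTIATE), dialect 0x0210 and both signing bits set. A response with only `SIGNING_ENABLED` yields `signing_required: False`, which is the branch of step S105 that sends the probe unsigned (step S107); a server answering with `SIGNING_REQUIRED` is the one that forces step S106.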
5. An operating system fingerprint information security detection device based on the SMB protocol, characterized in that the device comprises:
a first judgment module: configured to construct SMBv1 negotiation data and send it to the remote host, and, if the negotiation succeeds, to determine that the operating system of the remote host supports the SMBv1 protocol;
a second judgment module: configured to construct SMBv2 negotiation data and send it to the remote host, and, if the negotiation succeeds, to determine that the operating system of the remote host supports the SMBv2 protocol;
a determination module: configured to determine that the open port of the target server is in an abnormal state;
an SMBv1 build module: configured to construct a data packet for probing the host name and the host operating system, construct an SMBv1 structure and instantiate it, send the constructed data packet to port 445 of the remote host, receive the data returned by the remote host and extract the data according to the instantiated SMBv1 structure;
an SMBv2 build module: configured to construct and send an SMBv2 negotiation data packet, receive the negotiation data packet returned by the remote host, parse the data in the SMBv2 message of that packet, judge whether subsequent data packets need to be signed, and extract the signature verification data if they do;
a first packet construction module: configured to construct and send a data packet for probing the host name and the host operating system, and to sign the probe data packet according to the negotiated signature algorithm;
a second packet construction module: configured to construct and send a data packet for probing the host name and the host operating system;
and a result returning module: configured to receive the message data packet in SMBv2 format returned by the remote host, parse the data in that packet and extract the workgroup information, the host name information and the operating system version information from it.
6. The SMB protocol-based operating system fingerprint information security detection device of claim 5, wherein said SMBv1 build module comprises:
a first construction submodule: configured to construct the data packets for probing the host name and the host operating system, the data packets being Negotiate message format data and Session Setup message format data;
a second construction submodule: configured to construct an SMBv1 header structure comprising an SMB protocol header, a message type, a message status and a message data field;
a first fill submodule: configured to fill the structured Negotiate message format data and Session Setup message format data into the message data field of the SMBv1 header structure respectively;
a second fill submodule: configured to fill the remaining fields of the SMBv1 header structure and set the command word;
a third fill submodule: configured to construct and fill a NetBios header structure consisting of a data type and a data length;
a send command submodule: configured to send the populated NetBios header, SMBv1 header and message data to port 445 of the remote host;
a data receiving submodule: configured to receive the data returned by the remote host;
a data extraction submodule: configured to extract the data according to the constructed SMBv1 structure.
7. The SMB protocol-based operating system fingerprint information security detection device of claim 6, wherein a data packet in SMBv2 format is composed of a NetBios header, an SMBv2 header, an SMBv2 message and other additional data, wherein the length of all following data is set in the NetBios header, the command field in the SMBv2 header structure determines the type of the SMBv2 message, this structure must be followed both when constructing the probe data packet and when parsing the returned data packet, the SMBv2 message is a negotiation data packet, and the other additional data is Negotiate message format data.
8. The SMB protocol-based operating system fingerprint information security detection device of claim 7, wherein said constructing and sending an SMBv2 negotiation packet comprises:
setting the command field in the SMBv2 header to 0x00, that is, constructing the SMBv2 message data according to the negotiation data message format for the negotiation data message.
9. An operating system fingerprint information security detection system based on the SMB protocol, comprising:
a processor for executing a plurality of instructions;
a memory for storing a plurality of instructions;
wherein the instructions are stored by the memory and loaded and executed by the processor to perform the SMB protocol-based operating system fingerprint information security detection method according to any one of claims 1 to 4.
10. A computer-readable storage medium having a plurality of instructions stored therein, the instructions being loaded and executed to perform the SMB protocol-based operating system fingerprint information security detection method according to any one of claims 1 to 4.
CN202110787966.4A 2021-07-13 2021-07-13 Operating system fingerprint information security detection method and device based on SMB protocol Active CN113259208B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110787966.4A CN113259208B (en) 2021-07-13 2021-07-13 Operating system fingerprint information security detection method and device based on SMB protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110787966.4A CN113259208B (en) 2021-07-13 2021-07-13 Operating system fingerprint information security detection method and device based on SMB protocol

Publications (2)

Publication Number Publication Date
CN113259208A CN113259208A (en) 2021-08-13
CN113259208B true CN113259208B (en) 2021-09-10

Family

ID=77191135

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110787966.4A Active CN113259208B (en) 2021-07-13 2021-07-13 Operating system fingerprint information security detection method and device based on SMB protocol

Country Status (1)

Country Link
CN (1) CN113259208B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108449345A (en) * 2018-03-22 2018-08-24 深信服科技股份有限公司 Network asset continuous security monitoring method, system, device and storage medium
CN111079144A (en) * 2019-11-25 2020-04-28 杭州迪普科技股份有限公司 Virus propagation behavior detection method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2638662A1 (en) * 2010-11-11 2013-09-18 McAfee, Inc. Method and system for fingerprinting operating systems running on nodes in a communication network
KR20200061699A (en) * 2018-11-26 2020-06-03 한국인터넷진흥원 Method and apparatus for identifying operating system based on multi layer operating system fingerprint rule

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Fingerprinting Protocol at Bit-Level Granularity: A Graph-Based Approach Using Cell Embedding;Yafei Sang, et al.;《2017 IEEE 23rd International Conference on Parallel and Distributed Systems》;20171231;full text *
IHMU: Remote installation of OS, system software, application software, patch installation, version anomaly detection and system health monitoring in distributed system;Sumit Jain, et al.;《3rd IEEE International Conference on "Computational Intelligence and Communication Technology" (IEEE-CICT 2017)》;20171231;full text *
An active fingerprint identification mechanism for remote Windows operating systems based on the SMB protocol;蔡瑞强;《New Advances in Communications and Information Technology 2011: Proceedings of the 8th Annual Academic Conference of the China Institute of Communications》;20111231;full text *
Analysis of host operating system fingerprint probing techniques;李红伟 et al.;《Network Security Technology & Application》;20201231;full text *
Analysis and research of the operating system fingerprinting tools Nmap and Xprobe;张琦;《Science & Technology Communication》;20100430;full text *

Also Published As

Publication number Publication date
CN113259208A (en) 2021-08-13

Similar Documents

Publication Publication Date Title
EP1566920A1 (en) Information processing device, server client system, method, and computer program
US20100235917A1 (en) System and method for detecting server vulnerability
KR20000054538A (en) System and method for intrusion detection in network and it's readable record medium by computer
CN108833447B (en) Network camera weak password detection method and system
CN114338068A (en) Multi-node vulnerability scanning method and device, electronic equipment and storage medium
CN110768948A (en) Vulnerability detection method and device, storage medium and electronic device
CN111464513A (en) Data detection method, device, server and storage medium
CN111865996A (en) Data detection method and device and electronic equipment
US20170366600A1 (en) Operating system fingerprint detection
US10097418B2 (en) Discovering network nodes
CN112822146A (en) Network connection monitoring method, device, system and computer readable storage medium
CN110768950A (en) Permeation instruction sending method and device, storage medium and electronic device
CN113259208B (en) Operating system fingerprint information security detection method and device based on SMB protocol
US20160301667A1 (en) System for dividing network using virtual private network and method therefor
CN115190042B (en) Network target range target access state detection system and method
CN115883574A (en) Access equipment identification method and device in industrial control network
CN214042311U (en) X86 card-based restoration platform for network data packet important materials
CN110162276B (en) Network printer security scanning method and system
US20160308893A1 (en) Interrogating malware
CN112822204A (en) NAT detection method, device, equipment and medium
CN110995738A (en) Violent cracking behavior identification method and device, electronic equipment and readable storage medium
KR100862321B1 (en) Method and apparatus for detecting and blocking network attack without attack signature
CN114328190B (en) Method, system and server for automatically splitting IPS (in-plane switching) event
CN115242467B (en) Network data identification method and system
CN116015876B (en) Access control method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant