CN113285965A - Analysis method for RDP text transmission of bastion machine - Google Patents


Info

Publication number
CN113285965A
Authority
CN (China)
Prior art keywords
message, transmission, content, current, messages
Legal status
Pending
Application number
CN202010101382.2A
Other languages
Chinese (zh)
Inventors
何建锋
白晨阳
武博
Current assignee
Xi'an Jiaotong University Jump Network Technology Co ltd
Original assignee
Xi'an Jiaotong University Jump Network Technology Co ltd
Priority date
2020-02-19
Filing date
2020-02-19
Publication date
2021-08-20

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/451Execution arrangements for user interfaces
    • G06F9/452Remote windowing, e.g. X-Window System, desktop virtualisation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/543User-generated data transfer, e.g. clipboards, dynamic data exchange [DDE], object linking and embedding [OLE]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/547Remote procedure calls [RPC]; Web services
    • G06F9/548Object oriented; Remote method invocation [RMI]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22Parsing or analysis of headers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2209/00Indexing scheme relating to G06F9/00
    • G06F2209/54Indexing scheme relating to G06F9/54
    • G06F2209/544Remote

Abstract

The invention discloses an analysis method for the transmission of RDP (remote desktop protocol) text through a bastion machine. When operation and maintenance is carried out over the RDP protocol, the text copy and paste messages exchanged between the operation and maintenance end and the target end are analyzed to obtain specific functional parameters. The analysis of the message data comprises the following steps: acquiring the channel number of a message and judging whether the message belongs to the clipboard transmission channel; if yes, carrying out the next step; if not, ending the analysis; extracting the content flag byte of the message and judging from its value whether the message data is clipboard content; if yes, carrying out the next step; if not, ending the analysis; extracting the position flag byte of the message and judging from its value the number of messages in the current transmission; and intercepting all the messages of the current transmission, storing their contents, and outputting the contents as the analysis result. Irrelevant data packets need not be processed, the text content of the clipboard is identified efficiently, parsing time is saved, and audit efficiency is improved.

Description

Analysis method for RDP text transmission of bastion machine
Technical Field
The invention belongs to the technical field of operation and maintenance auditing, and particularly relates to a parsing method for a transmission text based on an RDP (remote desktop protocol) of a bastion machine.
Background
Remote Desktop Protocol (RDP) is a set of standard protocols established by Microsoft Corporation for remote desktop access over a network, and it sits at the application layer of the network protocol suite. An RDP-based bastion machine (also called a jump host) is mainly used to connect a user, through an RDP client such as the mstsc client tool, to a remote Windows server on which the Terminal Service is enabled. The client obtains the complete remote server desktop and performs operation and maintenance on the server from that desktop; the whole process is the same as operating directly on the remote server, and server maintenance efficiency is improved. RDP is essentially a graphical operation protocol, and because it is used to maintain servers it is interactive: the client submits information while the server returns information.
In the operation and maintenance process, it is a common operation to copy and paste the text through the clipboard, so if the text content copied and pasted by the clipboard needs to be audited, the functional parameters in the message data need to be analyzed, and finally the copied and pasted content is obtained.
Disclosure of Invention
Based on this background, an analysis method for RDP text transmission of a bastion machine is provided: after processing by a network channel layer, an ISO data layer, a virtual channel layer and a decryption layer, the specific functional data in a message can be obtained; this functional data is then analyzed so that the uplink and downlink text contents copied and pasted through the clipboard are obtained, and content audit is performed on them. The specific technical scheme is as follows.
The analysis method for the RDP text transmission of the bastion machine is characterized in that when the RDP protocol operation and maintenance is based, the text copying and pasting messages between an operation and maintenance end and a target end are analyzed to obtain specific functional parameters, and the analysis process of the message data comprises the following steps:
s100, acquiring a channel number of the message, and judging whether the message is a clipboard transmission channel; if yes, carrying out the next step; if not, ending the analysis;
s200, extracting the content flag byte of the message, and judging whether the message data is clipboard content according to the byte value; if yes, carrying out the next step; if not, ending the analysis;
s300, extracting the position mark byte of the message, and judging the number of the message transmitted at this time according to the byte value;
s400, intercepting all messages transmitted this time, storing the message contents, and outputting the message contents as an analysis result.
Preferably, the flag byte indicating that the message data is clipboard content includes first and third bytes of the message data, and when the values of the two bytes are simultaneously consistent with a predetermined value, the current message data is listed as clipboard content.
Preferably, the message location flag byte includes a first flag and a second flag, where the two flags respectively flag whether the current message is the first message or the last message of the current transmission, and determine the number of the messages of the current transmission according to the two flags.
For the first message of the current transmission, the message content following the data header, offset by the length of the control information, is intercepted as the analysis result of the first message;
further, the intercepting the content of the message for storage and outputting as an analysis result includes: intercepting and storing the content of a first message when no continuous message exists after the first message is acquired; when a continuous message exists after the first message is acquired, intercepting the content of the first message for temporary storage, continuously acquiring subsequent messages, sequentially identifying and intercepting the message content of the clipboard until the last message of the transmission, and sequentially assembling the intercepted message content and storing the message content in a database.
The above technical scheme applies to copy and paste operations carried out through the clipboard while performing operation and maintenance through a bastion machine. The message data copied and pasted through the clipboard is screened out by the channel number and the content flag bytes of the message; the position flag byte of each message is then used to count the total number of messages in each transmission; the data content of the first message and of each continuation message is intercepted separately and, after being assembled in order, parsed to obtain the complete copied and pasted text; finally, the parsed text content can be security-audited according to policy. In this scheme the clipboard text content is identified during the analysis and irrelevant data packets need not be processed, so analysis time is saved and audit efficiency is improved.
Drawings
Fig. 1 is a schematic workflow diagram of an embodiment of an RDP text transmission and parsing method of a bastion machine according to the present invention.
Detailed Description
First, a supplementary explanation of the related art.
The operation and maintenance auditing system monitors the communication data between the operation and maintenance client and the target server over the network. When operation and maintenance personnel access the target server through the client, file operation records and file operation processes are transmitted between the client and the target server as communication data. By capturing this communication data, the protocol data is extracted and parsed, restored into readable data and stored in a database, so that auditors can review each operation of the personnel through image or file playback.
Windows remote operation and maintenance is a widely used operation and maintenance mode. Besides graphical operation and maintenance, Windows remote operation and maintenance can also upload and download files. Security problems therefore often occur in remote operation and maintenance: for example, operation and maintenance personnel may mistakenly upload a virus file to a target host, or may download data from a target device, resulting in leakage of confidential data. Accurate after-the-fact localization of the file operations of operation and maintenance personnel, such as copy and paste, upload and download and disk mapping, is therefore very important for operation and maintenance auditing.
Generally, logging in to a remote Linux system is mostly done with ssh/telnet; to log in to the desktop environment of a remote Linux system, VNC, a remote desktop program based on the RFB protocol and shipped by default with most Linux distributions, is used, but VNC is not friendly to the ordinary user's experience and runs slowly. Remote desktops for Windows are based on the RDP protocol, and under Linux an open-source RDP server such as xrdp can be used.
The advantage of operation and maintenance personnel remotely operating the target host through the RDP protocol is that the user can reliably use all application programs, files and network resources on the remote computer without running local programs; moreover, RDP supports virtual channels that continuously carry the data exchange between the client and the server, including the remoteapp channel, clipboard channel, audio channel, printer channel, disk mapping channel and USB pluggable device channel, each transmitting a different type of data. Meanwhile, the RDP data stream can be conveniently intercepted between the operation and maintenance client and the target host, and because the stream is compressed its data volume is small.
However, in a single transmission RDP data may consist of several data packets, or only part of the data packets may have arrived, and if the received data packets are parsed directly, erroneous information may be extracted; meanwhile, parsing a large number of data packets takes too long, so parsing results are produced too slowly and the auditing system may be unable to obtain the required information quickly and accurately, which affects the accurate analysis and localization of security problems. It is therefore necessary to provide a new technical solution that parses the data message content in RDP operation and maintenance quickly and accurately, so as to improve operation and maintenance efficiency.
The technical solution of the present invention will be described in detail with reference to examples.
As shown in Fig. 1, in the method for parsing RDP text transmission of a bastion machine, when the RDP protocol is used for operation and maintenance, the text copy and paste messages between the operation and maintenance end and the target end are parsed to obtain specific functional parameters, where the parsing of the message data includes:
S0, acquiring the RDP protocol messages between the operation and maintenance client and the target server. Packet capturing software or hardware can capture the data packets on the transmission link of the network card by monitoring the network data, and the captured packets are stored or recorded as packets to be filtered or analyzed. The capture may also apply different capture strategies to screen out unneeded packets in advance.
S100, acquiring a channel number of the message, and judging whether the message is a clipboard transmission channel; if yes, carrying out the next step; if not, the analysis is ended. Different data transfers have different channel numbers, so the channel for clipboard content transfer can be identified by the channel number.
S200, extracting the content flag byte of the message, and judging whether the message data is clipboard content according to the byte value; if yes, carrying out the next step; if not, the analysis is ended. The clipboard channel can also transmit data of various contents, and some data do not have the meaning of the function, so that the copied and pasted message contents are identified according to special content mark bytes when the copied and pasted real contents are analyzed; the content mark byte comprises a first byte and a third byte of the message data, and when the values of the two bytes are consistent with a specified value at the same time, the current message data is listed as clipboard content.
S300, extracting the position mark byte of the message, and judging the number of the message transmitted at this time according to the byte value; the copied and pasted text content has a long or short content, sometimes one message can be completely transmitted, sometimes a plurality of continuous messages are needed to be completely transmitted, and therefore, if the complete copied and pasted text content is analyzed, the number of the messages related to the content of the current transmission needs to be determined at first. The message position mark byte comprises a first mark and a second mark, the two marks respectively mark whether the current message is the first message or the last message of the transmission, and the number of the messages of the transmission is determined according to the two marks.
The specific process for determining the number of the messages includes four situations:
in case one, when the first flag determines that the current message is the first message of the transmission, and the second flag determines that the current message is not the last message of the transmission, the current message is the first message of the transmission, and a subsequent message is provided behind the current message; continuing to judge the subsequent messages until the marks of the messages accord with the situation four, counting to obtain the number of the messages, and executing the step S400 on each message;
in case two, when the first mark determines that the current message is the first message of the transmission, and the second mark determines that the current message is the last message of the transmission, the current message is the only message of the transmission, and no continuous message is left behind; determining the number of the messages transmitted this time as 1, and executing the step S400 on the current message;
in case three, when the first mark determines that the current message is not the first message of the transmission, and the second mark determines that the current message is not the last message of the transmission, the current message is the middle message of the transmission, and a continuous message is arranged behind the middle message; continuing to judge the subsequent messages until the marks of the messages accord with the situation four, counting to obtain the number of the messages, and executing the step S400 on each message;
in case four, when the first flag determines that the current message is not the first message of the current transmission, and the second flag determines that the current message is the last message of the current transmission, and no continuous message is left behind; and counting the number of all messages, and executing the step S400 on each message.
S400, intercepting all messages transmitted this time, storing the message contents, and outputting the message contents as an analysis result. The method specifically comprises the following steps: intercepting and storing the content of a first message when no continuous message exists after the first message is acquired; when a continuous message exists after the first message is acquired, intercepting the content of the first message for temporary storage, continuously acquiring subsequent messages, sequentially identifying and intercepting the message content of the clipboard until the last message of the transmission, and sequentially assembling the intercepted message content and storing the message content in a database.
Preferably, the first message of the current transmission is identified according to S310 or S320, and the message content following its data header, offset by the control information length, is intercepted as the analysis result of the first message.
It should be noted that, the uplink and downlink messages are different only in channel number, and the analysis processes after the messages are identified are consistent, and all the messages can be analyzed according to the above steps.
Example one
Monitoring a transmission link of network data on a network card through packet capturing software, capturing a data packet, and processing the data packet through a network channel layer, an ISO data layer and a virtual channel layer.
If the data packet is determined to be a transmission channel of the clipboard through the channel number, then the first byte and the third byte of the message are extracted, and when the values of the two bytes simultaneously and respectively accord with the specified byte values a and b, the content of the message is the content of the clipboard.
Further extracting the position flag bytes of the message: when the first flag determines that the current message is the first message of the transmission, and the second flag determines that the current message is the last message of the transmission, the current message is the only message of the transmission and no continuation message follows; the number of messages in the transmission is determined as 1, and the message content after the data header, offset by the control information length, is intercepted, stored and output as the analysis result.
Example two
Monitoring a transmission link of network data on a network card through packet capturing software, capturing a data packet, and processing the data packet through a network channel layer, an ISO data layer and a virtual channel layer.
If the data packet is determined to be a transmission channel of the clipboard through the channel number, then the first byte and the third byte of the message are extracted, and when the values of the two bytes simultaneously and respectively accord with the specified byte values a and b, the content of the message is the content of the clipboard.
Further extracting position mark bytes of the messages, and when the first mark determines that the current message is the first message of the transmission, and the second mark determines that the current message is not the last message of the transmission, the current message is the first message of the transmission and a subsequent message is arranged behind the current message; continuously acquiring data messages, continuously determining the positions of the messages in the transmission according to the position mark bytes, and adding 1 to the number of the messages in the transmission each time the messages are continuously acquired; when the first mark of a certain message determines that the current message is not the first message of the transmission, and the second mark determines that the current message is the last message of the transmission, and no continuous message is left behind; counting the sequence of all messages, intercepting the message content after the data head of the first message deviates the control information length, temporarily storing the message content of the continuous messages intercepted in sequence, and when all the message content of the transmission is intercepted, sequentially assembling the content to obtain an analysis result, wherein the analysis result is the content which is transmitted and copied and pasted through a clipboard.
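The parsing flow S100 to S400 and the two examples above, as an added Python illustration that is not part of the patent. The patent names no concrete channel number, flag values a and b, position flag layout or control information length, so the values below are assumptions taken from the public RDP specifications (a CHANNEL_PDU_HEADER with FIRST/LAST flags as in MS-RDPBCGR, and a clipboard PDU header whose first byte is the message type and third byte the message flags as in MS-RDPECLIP); the channel number 1005 and the sample messages are constructed, and the check that the assembled length matches the dataLen announced in the control information is an extra consistency check the patent does not describe.

```python
import struct
from dataclasses import dataclass

# Assumed instantiation of the patent's abstract parameters (the patent names none of these values):
CLIPBOARD_CHANNEL_ID = 1005      # constructed: virtual channel number bound to "cliprdr" in this capture
CONTENT_FLAG_A = 0x05            # first byte: low byte of CB_FORMAT_DATA_RESPONSE (MS-RDPECLIP msgType)
CONTENT_FLAG_B = 0x01            # third byte: low byte of CB_RESPONSE_OK (MS-RDPECLIP msgFlags)
CHANNEL_FLAG_FIRST = 0x01        # MS-RDPBCGR CHANNEL_PDU_HEADER flags: first chunk of a PDU
CHANNEL_FLAG_LAST = 0x02         #                                     last chunk of a PDU
CHANNEL_HDR_LEN = 8              # CHANNEL_PDU_HEADER: length(4) + flags(4), little-endian
CONTROL_INFO_LEN = 8             # clipboard PDU header: msgType(2) + msgFlags(2) + dataLen(4)


@dataclass
class Message:
    channel_id: int   # channel number tested in S100
    data: bytes       # CHANNEL_PDU_HEADER followed by this chunk's payload


@dataclass
class ClipboardText:
    message_count: int   # result of S300
    text: str            # result of S400 (CF_UNICODETEXT assumed: UTF-16LE, NUL-terminated)
    complete: bool       # assembled length matches the dataLen announced in the control information


def _assemble(chunks, declared_len):
    """S400: join the intercepted chunks in order and decode them as clipboard text."""
    raw = b"".join(chunks)
    text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return ClipboardText(len(chunks), text, len(raw) == declared_len)


def parse_clipboard_messages(messages):
    """Apply S100-S400 to a captured message sequence; return one record per paste."""
    results = []
    pending = None          # chunks of a transfer still waiting for its last message
    declared_len = 0
    for msg in messages:
        # S100: only the clipboard transmission channel is analysed
        if msg.channel_id != CLIPBOARD_CHANNEL_ID or len(msg.data) < CHANNEL_HDR_LEN:
            continue
        _total, flags = struct.unpack_from("<II", msg.data, 0)
        payload = msg.data[CHANNEL_HDR_LEN:]
        is_first = bool(flags & CHANNEL_FLAG_FIRST)   # first position flag
        is_last = bool(flags & CHANNEL_FLAG_LAST)     # second position flag
        if is_first:
            pending = None  # a new first message abandons any unfinished transfer
            # S200: content flag bytes (first and third byte of the control information)
            if (len(payload) < CONTROL_INFO_LEN or payload[0] != CONTENT_FLAG_A
                    or payload[2] != CONTENT_FLAG_B):
                continue
            declared_len = struct.unpack_from("<I", payload, 4)[0]
            chunks = [payload[CONTROL_INFO_LEN:]]      # header offset by the control information length
            if is_last:                                # S320: the only message of this transmission
                results.append(_assemble(chunks, declared_len))
            else:                                      # S310: first of several, keep collecting
                pending = chunks
        elif pending is not None:
            pending.append(payload)                    # S330: middle message, or
            if is_last:                                # S340: last message, count and assemble
                results.append(_assemble(pending, declared_len))
                pending = None
        # a continuation chunk with no preceding first message cannot be attributed and is dropped
    return results


def build_clipboard_messages(text, chunk_size):
    """Constructed test input: a CB_FORMAT_DATA_RESPONSE carrying text, split into channel chunks."""
    body = text.encode("utf-16-le") + b"\x00\x00"
    pdu = struct.pack("<HHI", 0x0005, 0x0001, len(body)) + body
    chunks = [pdu[i:i + chunk_size] for i in range(0, len(pdu), chunk_size)]
    out = []
    for i, chunk in enumerate(chunks):
        flags = (CHANNEL_FLAG_FIRST if i == 0 else 0) | (CHANNEL_FLAG_LAST if i == len(chunks) - 1 else 0)
        out.append(Message(CLIPBOARD_CHANNEL_ID, struct.pack("<II", len(pdu), flags) + chunk))
    return out


if __name__ == "__main__":
    sample = (
        [Message(1003, b"\x10\x00\x00\x00\x03\x00\x00\x00rdpsnd")]   # other channel: skipped at S100
        + build_clipboard_messages("ok", 64)                            # one message (S320)
        + build_clipboard_messages("copied from the jump host", 20)     # several messages (S310..S340)
    )
    for rec in parse_clipboard_messages(sample):
        print(rec)
```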
Those skilled in the art will appreciate that the steps or components for implementing the above embodiments may be implemented by a program to instruct associated hardware to implement the steps or components, and the program may be stored in a computer readable storage medium, such as: ROM/RAM, magnetic disk, optical disk, etc.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. The analysis method for bastion machine RDP text transmission is characterized in that, when operation and maintenance are carried out based on the RDP protocol, the text copy and paste messages between the operation and maintenance end and the target end are analyzed to obtain specific functional parameters, and the analysis of the message data comprises the following steps:
s100, acquiring a channel number of the message, and judging whether the message is a clipboard transmission channel; if yes, carrying out the next step; if not, ending the analysis;
s200, extracting the content flag byte of the message, and judging whether the message data is clipboard content according to the byte value; if yes, carrying out the next step; if not, ending the analysis;
s300, extracting the position mark byte of the message, and judging the number of the message transmitted at this time according to the byte value;
s400, intercepting all messages transmitted this time, storing the message contents, and outputting the message contents as an analysis result.
2. The parsing method as claimed in claim 1, wherein the flag byte indicating that the message data is clipboard content comprises a first byte and a third byte of the message data, and when the values of the two bytes are consistent with a predetermined value at the same time, the current message data is listed as clipboard content.
3. The parsing method of claim 2, wherein the message location flag byte comprises a first flag and a second flag, the first flag and the second flag respectively flag whether the current message is the first message or the last message of the current transmission, and the number of the messages of the current transmission is determined according to the two flags.
4. The parsing method according to claim 3, wherein the determining the number of the packets transmitted this time according to the two flags includes:
s310, when the first mark determines that the current message is the first message of the transmission, and the second mark determines that the current message is not the last message of the transmission, the current message is the first message of the transmission, and a continuous message is arranged behind the current message; continuing to judge the subsequent messages until the marks of the messages accord with S340, counting the number of the messages, and executing the step S400 on each message;
s320, when the first mark determines that the current message is the first message of the transmission, and the second mark determines that the current message is the last message of the transmission, the current message is the only message of the transmission, and no continuous message is left behind; determining the number of the messages transmitted this time as 1, and executing the step S400 on the current message;
s330, when the first mark determines that the current message is not the first message of the transmission, and the second mark determines that the current message is not the last message of the transmission, the current message is the middle message of the transmission, and a continuous message is arranged behind the middle message; continuing to judge the subsequent messages until the marks of the messages accord with S340, counting the number of the messages, and executing the step S400 on each message;
s340, when the first mark determines that the current message is not the first message of the transmission, and the second mark determines that the current message is the last message of the transmission, and no continuous message is left behind; and counting the number of all messages, and executing the step S400 on each message.
5. The parsing method of claim 4, wherein the intercepting the message content for storage and output as a parsing result comprises: intercepting and storing the content of a first message when no continuous message exists after the first message is acquired; when a continuous message exists after the first message is acquired, intercepting the content of the first message for temporary storage, continuously acquiring subsequent messages, sequentially identifying and intercepting the message content of the clipboard until the last message of the transmission, and sequentially assembling the intercepted message content and storing the message content in a database.
6. The parsing method according to claim 1 or 3, wherein the first message transmitted this time is determined according to S310 or S320, and the message content following its header, offset by the control information length, is intercepted as the parsing result of the first message.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010101382.2A CN113285965A (en) 2020-02-19 2020-02-19 Analysis method for RDP text transmission of bastion machine

Publications (1)

Publication Number Publication Date
CN113285965A true CN113285965A (en) 2021-08-20

Family

ID=77275055



Legal Events

Date Code Title Description
2021-08-20 PB01 Publication Application publication date: 20210820
WD01 Invention patent application deemed withdrawn after publication