CN114124475A - Network asset port scanning and service identification method and device - Google Patents


Info

Publication number
CN114124475A
Authority
CN
China
Prior art keywords
port
scanning
service
asset
fingerprint
Prior art date
Legal status
Pending
Application number
CN202111308102.6A
Other languages
Chinese (zh)
Inventor
肖俊
彭丽
闫戈
李长昊
Current Assignee
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Wuhan Sipuling Technology Co Ltd
Priority to CN202111308102.6A
Publication of CN114124475A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for network asset port scanning and service identification. The method comprises the following steps: creating an asset scanning task, wherein the asset scanning task comprises a scanning target and scanning parameters; carrying out port scanning on the scanning target according to the scanning parameters to obtain the current port state of each port; acquiring the historical port state of each port, and generating alarm information when the current port state is inconsistent with the historical port state; identifying the port service fingerprint of each port whose current port state is open; and generating a service fingerprint asset library according to the port service fingerprints, and visually displaying the service fingerprint asset library. By acquiring the current port state of each port and the service information deployed on each port, the invention effectively helps the user to quickly learn all open ports and their service information on the network equipment, thereby reducing the maintenance cost of network assets and reducing the security risk.

Description

Network asset port scanning and service identification method and device
Technical Field
The invention relates to the technical field of network security, in particular to a network asset port scanning and service identification method and device.
Background
In recent years, with diversification of enterprise services and increase of various support platforms and information management systems, network scale is continuously enlarged, and network assets, such as network devices, hosts, security devices and the like, are more and more complex.
With the expansion of the network scale of the enterprise, network assets will increase sharply, and each network asset will open many ports, deploying many services, resulting in the increase of the management and maintenance cost, and the increase of the network security risk due to too many ports being opened.
Disclosure of Invention
In view of the above, it is necessary to provide a method and an apparatus for network asset port scanning and service identification, so as to solve the technical problems of high network asset maintenance cost and high security risk in the prior art.
In order to solve the technical problem, the invention provides a network asset port scanning and service identification method, which comprises the following steps:
creating an asset scanning task, wherein the asset scanning task comprises a scanning target and scanning parameters;
carrying out port scanning on the scanning target according to the scanning parameters to obtain the current port state of each port;
acquiring historical port states of all ports, and generating alarm information when the current port state is inconsistent with the historical port state;
identifying the port service fingerprint of which the current port state is an open port;
and generating a service fingerprint asset library according to the port service fingerprint, and carrying out visual display on the service fingerprint asset library.
In some possible implementations, identifying the port service fingerprint of a port whose current port state is open includes:
calling the port scanning tool Nmap, identifying the open port, and identifying the port service fingerprint of the open port.
In some possible implementations, identifying the port service fingerprint of a port whose current port state is open includes:
constructing a user-defined service fingerprint library, wherein the user-defined service fingerprint library comprises a plurality of regular matching statements, a plurality of port service fingerprints, and mapping relations between the regular matching statements and the port service fingerprints;
sending a simulated request message to the port, and receiving a response message from the port;
extracting characteristic information from the response message, and determining the regular matching statement that matches the characteristic information;
and determining the port service fingerprint corresponding to the characteristic information according to the matching regular matching statement and the mapping relation.
In some possible implementations, the mapping relationship between the plurality of regular matching statements and the plurality of port service fingerprints is:
the plurality of regular matching statements correspond one to one to the plurality of port service fingerprints;
or, alternatively,
at least one of the port service fingerprints corresponds to at least two of the regular matching statements.
In some possible implementations, the generating a service fingerprint asset library from the port service fingerprint includes:
invoking an initial service fingerprint asset library, the initial service fingerprint asset library comprising a plurality of storage directories storing different types of service fingerprints;
acquiring type information of the port service fingerprint, and determining the type of the port service fingerprint based on the type information;
and storing the port service fingerprint into a corresponding storage directory to generate the service fingerprint asset library.
In some possible implementations, after generating the alarm information when the current port state and the historical port state are inconsistent, the method further includes:
determining a port to be modified of which the port state needs to be modified according to the alarm information;
and modifying the port to be modified in a command line mode.
In some possible implementations, the scan target is a surviving device, and the scan parameters include a scan time period and an IP range or domain range.
In some possible implementations, the port service fingerprint includes a service name, version information, and product information of the port.
In some possible implementations, the port scanning the scan target according to the scan parameter includes:
and carrying out port scanning on the scanning target by using a port scanner Masscan.
In another aspect, the present invention further provides a network asset port scanning and service identification device, including:
the asset scanning task creating unit is used for creating an asset scanning task, and the asset scanning task comprises a scanning target and scanning parameters;
the port scanning unit is used for carrying out port scanning on the scanning target according to the scanning parameters to obtain the current port state of each port;
the alarm information generating unit is used for acquiring the historical port state of each port and generating alarm information when the current port state is inconsistent with the historical port state;
a port service fingerprint identification unit, configured to identify a port service fingerprint of which the current port state is an open port;
and the visualization unit is used for generating a service fingerprint asset library according to the port service fingerprint and visually displaying the service fingerprint asset library.
The beneficial effects of adopting the above embodiment are as follows: by creating the asset scanning task, the network asset port scanning and service identification method acquires the current port state of each port and identifies the port service fingerprints, which effectively helps a user to quickly learn all open ports and their port service fingerprints on the network equipment and reduces the maintenance cost of the network assets; by comparing the current port state with the historical port state it generates alarm information, so the user does not need to manually traverse the port state of each port, which further reduces the maintenance cost, and the alarm information promptly reminds the user to pay attention when a port state changes, so as to reduce the security risk of the network assets.
Furthermore, by identifying the port service fingerprints of the open ports, generating the service fingerprint asset library from them and visually displaying it, the invention lets the user observe the port service fingerprints in real time, which assists the user in finding, locating and solving problems and further reduces the security risk of the network assets.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart illustrating a method for network asset port scanning and service identification according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of one embodiment of S104 of FIG. 1;
FIG. 3 is a schematic flow chart of one embodiment of S105 of FIG. 1;
FIG. 4 is a structural diagram of an embodiment of modifying a port state provided by the present invention;
FIG. 5 is a schematic structural diagram of an embodiment of a network asset port scanning and service identification apparatus provided in the present invention;
FIG. 6 is a schematic structural diagram of an embodiment of an electronic device provided in the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the embodiments of the present application, "a plurality" means two or more unless otherwise specified.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The invention provides a network asset port scanning and service identification method and device, which are respectively explained below.
Fig. 1 is a schematic flowchart of an embodiment of a network asset port scanning and service identification method provided by the present invention, and as shown in fig. 1, the network asset port scanning and service identification method includes:
s101, creating an asset scanning task, wherein the asset scanning task comprises a scanning target and a scanning parameter;
s102, carrying out port scanning on a scanning target according to the scanning parameters to obtain the current port state of each port;
s103, acquiring historical port states of the ports, and generating alarm information when the current port state is inconsistent with the historical port state;
s104, identifying the port service fingerprint of which the current port state is an open port;
and S105, generating a service fingerprint asset library according to the port service fingerprint, and carrying out visual display on the service fingerprint asset library.
Compared with the prior art, the network asset port scanning and service identification method provided by the embodiment of the invention, by creating the asset scanning task, obtains the current port state of each port and identifies the port service fingerprints, which effectively helps a user to quickly learn all open ports and their port service fingerprints on the network equipment and reduces the maintenance cost of the network asset; by comparing the current port state with the historical port state it generates alarm information, so the user does not need to manually traverse the port state of each port, which further reduces the maintenance cost, and the alarm information promptly reminds the user to pay attention when a port state changes, so that the security risk of the network asset is reduced.
Furthermore, by identifying the port service fingerprints of the open ports, generating the service fingerprint asset library from them and visually displaying it, the embodiment of the invention lets the user observe the port service fingerprints in real time, which assists the user in finding, locating and solving problems and further reduces the security risk of the network asset.
In some embodiments of the invention, the scan target is a surviving device and the scan parameters include a scan time period and an IP range or domain range.
Here, a surviving device is a network device in an active state (i.e. a live host).
In some embodiments of the invention, the port service fingerprint includes a service name, version information, and product information for the port.
In a specific embodiment of the present invention, the service name of the port service fingerprint is "ssh", the product information is "OpenSSH", and the version information is "7.4".
It should be noted that the historical port state in step S103 may be the port state recorded after the previous port scan of the scan target.
Preferably, the alarm information includes the port number of the port whose current port state is inconsistent with its historical port state, together with that port's service fingerprint.
Because the alarm information carries the port number and the port service fingerprint, the user can see directly which port changed state instead of searching for it manually, which shortens the time needed to locate the changed port and improves port maintenance efficiency.
In some embodiments of the present invention, visually displaying the service fingerprint asset library in step S105 may specifically be: drawing the service fingerprints of the ports and a trend graph of port changes over each time period for the user's use.
In some embodiments of the present invention, step S104 specifically includes: calling the port scanning tool Nmap, identifying the open port, and identifying the port service fingerprint of the open port.
Identifying the open port by calling the port scanning tool Nmap improves the speed of open-port identification.
It should be understood that, before calling the port scanning tool Nmap to identify open ports, the Nmap scanning parameters need to be configured. The Nmap scanning parameters include, but are not limited to:
(1) Scanning mode: divided into half-open connection (the three-way handshake is not completed) and full connection (the three-way handshake is completed, which takes longer). To further improve scanning efficiency, the embodiment of the invention uses the half-open connection scanning mode.
(2) Whether the operating system is displayed: when enabled, Nmap makes an inferential scan of the device's operating system; this is enabled by default in embodiments of the invention.
(3) Whether service details are displayed: when enabled, product information and version information are displayed in detail. To help the user learn and master the details of the current services, this is enabled by default in the embodiment of the invention.
(4) Whether to bypass the firewall: when enabled, different strategies are tried to bypass the firewall; the first delays packet transmission by a certain time and is mainly aimed at rate limits, and the second forges multiple source IPs for the scan. Firewall bypass is not enabled in the embodiment of the invention.
(5) Number of scan port groups: the number of parallel threads for the distributed port scan is calculated dynamically from the number of ports of the scan target, which improves the scanning speed.
(6) Timing template: the performance optimization level defined by Nmap (see "Timing and Performance", chapter eleven of the Nmap Reference Guide). The embodiment of the invention uses level T4.
(7) Excluded ports: mainly to avoid sending packets to the service ports of certain printers. By setting excluded ports, unnecessary ports are not scanned, which improves scanning speed while reducing the amount of scan data.
In some cases, for example when the port scanning tool Nmap cannot identify the port service fingerprint of an open port, identification fails. To solve this problem, in some embodiments of the present invention, as shown in FIG. 2, step S104 includes:
S201, constructing a user-defined service fingerprint library, wherein the user-defined service fingerprint library comprises a plurality of regular matching statements, a plurality of port service fingerprints, and mapping relations between the regular matching statements and the port service fingerprints;
S202, sending a simulated request message to the port, and receiving a response message from the port;
s203, extracting characteristic information from the response message, and determining a regular matching statement matched with the characteristic information;
and S204, determining the port service fingerprint corresponding to the characteristic information according to the regular matching statement matched with the characteristic information and the mapping relation.
According to the embodiment of the invention, a user-defined service fingerprint library is constructed, a response message is received for the simulated request message sent to the port, characteristic information is extracted from the response message, and the regular matching statement matching the characteristic information is determined, so that the corresponding port service fingerprint is determined. When the port scanning tool Nmap cannot identify a port service fingerprint, this mechanism identifies the fingerprint that would otherwise remain unidentified, which further improves the applicability of the network asset port scanning and service identification method.
Specifically, once the correspondence between the characteristic information and the port service fingerprint has been established, the port service fingerprint is matched automatically when the same port service is encountered again, and the service name, version information and product information are correctly identified.
It should be noted that the port service fingerprints in the custom service fingerprint library need to be synchronised into the service fingerprint asset library in a fixed format.
In some embodiments of the present invention, the mapping relationship between the plurality of regular matching statements and the plurality of port service fingerprints is: the plurality of regular matching statements correspond to the plurality of port service fingerprints one to one.
In order to further improve the success rate of port service fingerprint identification, in a preferred embodiment of the present invention the mapping relationship between the plurality of regular matching statements and the plurality of port service fingerprints is as follows: at least one port service fingerprint corresponds to at least two regular matching statements.
By letting a port service fingerprint correspond to at least two regular matching statements, one service fingerprint can be configured with several regular matching statements at the same time; when the port service fingerprint is identified, the fingerprint is considered successfully identified as soon as any one of its regular matching statements matches, which improves both the identification success rate and the identification efficiency.
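As an added illustration of steps S201 to S204 (example code, not from the patent), the following Python sketch builds a custom service fingerprint library in which several regular matching statements may map to one port service fingerprint, sends a simulated request message, extracts characteristic information from the response and resolves the fingerprint, returning nothing when no statement matches. The library entries, the `send_probe` helper, the `PROBES` table and the sample response messages are constructed for this example; the responses are not captured from real hosts.

```python
"""Custom service fingerprint library for steps S201 to S204 of the method.
Example code; names, regexes and sample data are constructed for illustration."""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Pattern, Tuple


@dataclass(frozen=True)
class ServiceFingerprint:
    service: str   # service name, e.g. "ssh"
    product: str   # product information, e.g. "OpenSSH"
    version: str   # version information, e.g. "7.4"; "unknown" if not disclosed


# S201: the user-defined library maps (service name, product) to one or more
# regular matching statements. A match on any one statement identifies the
# fingerprint (the one-fingerprint-to-several-statements mapping). The named
# group "version" captures version information where the response exposes it.
CUSTOM_FINGERPRINT_LIBRARY: List[Tuple[str, str, List[str]]] = [
    ("ssh", "OpenSSH", [
        r"^SSH-2\.0-OpenSSH_(?P<version>[0-9][\w.]*)",
        r"^SSH-1\.99-OpenSSH_(?P<version>[0-9][\w.]*)",  # compatibility banner
    ]),
    ("ssh", "Dropbear", [r"^SSH-2\.0-dropbear_(?P<version>[\w.]+)"]),
    ("http", "nginx", [
        r"^Server: nginx/(?P<version>[\w.]+)",  # version disclosed in header
        r"^Server: nginx\s*$",                  # version hidden: product only
    ]),
]

# Statements are compiled once, in library order, so the more specific
# statement (with version) is tried before the looser one for a fingerprint.
_COMPILED: List[Tuple[str, str, Pattern[str]]] = [
    (service, product, re.compile(statement, re.MULTILINE))
    for service, product, statements in CUSTOM_FINGERPRINT_LIBRARY
    for statement in statements
]

# S202: simulated request messages. Banner-first services such as SSH speak
# first, so their probe is empty; HTTP needs a request before it answers.
PROBES: Dict[str, bytes] = {
    "banner": b"",
    "http": b"GET / HTTP/1.0\r\n\r\n",
}


def send_probe(host: str, port: int, probe: bytes, timeout: float = 3.0) -> bytes:
    """S202: send one simulated request message to a port of the scan target
    and return the raw response message."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        return sock.recv(4096)


def extract_features(response: bytes) -> str:
    """S203: the characteristic information is the textual head of the response;
    undecodable bytes are replaced so binary protocols cannot break matching."""
    return response.decode("utf-8", errors="replace")[:2048]


def identify(response: bytes) -> Optional[ServiceFingerprint]:
    """S203/S204: find the first regular matching statement that matches the
    characteristic information and return the fingerprint it maps to."""
    features = extract_features(response)
    for service, product, pattern in _COMPILED:
        match = pattern.search(features)
        if match:
            version = match.groupdict().get("version") or "unknown"
            return ServiceFingerprint(service, product, version)
    return None  # still unidentified: candidate for a new library entry


def probe_and_identify(host: str, port: int, kind: str) -> Optional[ServiceFingerprint]:
    """S202 to S204 in one call for a live port of an inventoried asset."""
    return identify(send_probe(host, port, PROBES[kind]))


# Constructed response messages for the demonstration (not captured from real hosts).
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "ssh_openssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "http_nginx": b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n",
    "http_nginx_hidden": b"HTTP/1.1 403 Forbidden\r\nServer: nginx\r\n\r\n",
    "smtp_unknown": b"220 mail.example.invalid ESMTP ready\r\n",
}


if __name__ == "__main__":
    for name, response in SAMPLE_RESPONSES.items():
        print(f"{name}: {identify(response)}")
```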
To improve the ordering and aesthetics of the service fingerprint asset library, in some embodiments of the invention, as shown in FIG. 3, step S105 comprises:
s301, calling an initial service fingerprint asset library, wherein the initial service fingerprint asset library comprises a plurality of storage directories for storing different types of service fingerprints;
s302, obtaining type information of the port service fingerprint, and determining the type of the port service fingerprint based on the type information;
s303, storing the port service fingerprints into the corresponding storage directories to generate a service fingerprint asset library.
According to the embodiment of the invention, storing the port service fingerprints in the corresponding storage directories lets the user see directly how many port service fingerprints belong to each type, which helps the user find problems quickly and further improves the security of the network assets.
In some embodiments of the present invention, the type information of the port service fingerprint in step S302 may be: port number, service name, version information, html title, html page content.
And in some embodiments of the invention, the types of port service fingerprints include types of network security, support systems, system software, enterprise applications, hardware peripherals, internet of things devices, and the like.
In one embodiment, when the service name is "360 Security Guard", the type of the port service fingerprint is network security.
In order to make the service fingerprint asset library easier to read, in some embodiments of the present invention each type of port service fingerprint further includes a secondary identifier, which is a finer classification of the port service fingerprints within that type and can be set flexibly by the user; it is not specifically limited herein.
In order to enable remote adjustment of the port in the abnormal state, in some embodiments of the present invention, as shown in fig. 4, after step S103, the method further includes:
s401, determining a port to be modified of which the port state needs to be modified according to the alarm information;
s402, modifying the port to be modified in a command line mode.
According to the embodiment of the invention, the port to be modified is modified through the command line, so that a port in an abnormal state can be adjusted remotely, which further improves the security of the network assets. Specifically, the port may be closed or opened from the command line.
It should be understood that a port that can be modified from the command line should be a port on a network device for which credential information is held.
In some embodiments of the present invention, step S102 specifically includes: carrying out port scanning on the scan target by using the port scanner Masscan.
The port scanner Masscan is an Internet-scale, high-performance port scanning tool. It probes with SYN packets, can cover every IP address on the whole Internet, and uses asynchronous transmission and stateless scanning, which gives it high scanning efficiency.
It should be understood that, before port scanning is performed on the scan target by the port scanner Masscan, the Masscan scanning parameters need to be configured. The Masscan scanning parameters include, but are not limited to:
(1) Scanning speed: the higher the packet transmission rate, the lower the accuracy.
(2) Excluded scanning assets: individual IP addresses within a large address range that do not need to be scanned.
(3) Specified configuration file to load: the asset list in a third-party file is loaded for scanning.
(4) Specified source IP address: packets are sent using this IP address.
(5) Number of transmission retries: the number of retries after a scan failure.
The results obtained by Masscan are output to a specified file in XML format.
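As an added example (not from the patent) covering both the S103 comparison of current and historical port states and the Masscan XML output just mentioned, the following Python code parses two constructed Masscan-style XML results, treats the earlier one as the historical port state, and emits alarm information carrying the port number and the port service fingerprint. The address 192.0.2.10, the XML content and the fingerprint library entries are constructed sample data, and `Alarm` and the function names are this example's own.

```python
"""Port-state comparison (step S103) over Masscan-style XML scan results.
Example code; the scan data and fingerprint library below are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

PortKey = Tuple[str, int]  # (IP address, TCP port)

# Constructed results in Masscan's XML layout (one <host> element per open
# port). Not real scan output. The first is the previous scan, the second the
# current one: port 443 has disappeared and port 8080 has appeared.
PREVIOUS_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1636000000" version="1.0-BETA">
<host endtime="1636000001"><address addr="192.0.2.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1636000001"><address addr="192.0.2.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
</nmaprun>
"""
CURRENT_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1636086400" version="1.0-BETA">
<host endtime="1636086401"><address addr="192.0.2.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1636086401"><address addr="192.0.2.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
</nmaprun>
"""

# Constructed service fingerprint asset library keyed by asset and port:
# service name / product information / version information.
FINGERPRINT_LIBRARY: Dict[PortKey, str] = {
    ("192.0.2.10", 22): "ssh / OpenSSH / 7.4",
    ("192.0.2.10", 443): "https / nginx / 1.18.0",
}


def load_port_states(xml_text: str) -> Dict[PortKey, str]:
    """Return {(addr, port): state} for every TCP port in a Masscan XML result."""
    states: Dict[PortKey, str] = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        for port_el in host.iter("port"):
            if port_el.get("protocol") != "tcp":
                continue
            state_el = port_el.find("state")
            state = state_el.get("state", "open") if state_el is not None else "open"
            states[(addr, int(port_el.get("portid", "0")))] = state
    return states


@dataclass(frozen=True)
class Alarm:
    """Alarm information: the changed port plus its service fingerprint."""
    addr: str
    port: int
    previous_state: str
    current_state: str
    fingerprint: str

    def message(self) -> str:
        return (f"{self.addr}:{self.port} changed {self.previous_state} -> "
                f"{self.current_state} ({self.fingerprint})")


def compare_port_states(current: Dict[PortKey, str],
                        historical: Dict[PortKey, str],
                        fingerprints: Dict[PortKey, str]) -> List[Alarm]:
    """S103: alarm on every port whose state differs from the previous scan.
    Masscan lists only ports that answered, so a port missing from a result is
    treated as closed; that is how a vanished service is detected."""
    alarms: List[Alarm] = []
    for key in sorted(set(current) | set(historical)):
        prev = historical.get(key, "closed")
        cur = current.get(key, "closed")
        if prev != cur:
            alarms.append(Alarm(key[0], key[1], prev, cur,
                                fingerprints.get(key, "unidentified")))
    return alarms


def generate_alarms() -> List[Alarm]:
    return compare_port_states(load_port_states(CURRENT_SCAN_XML),
                               load_port_states(PREVIOUS_SCAN_XML),
                               FINGERPRINT_LIBRARY)


if __name__ == "__main__":
    for alarm in generate_alarms():
        print(alarm.message())
```

A newly opened port has no entry in the asset library yet, so its alarm reads "unidentified" until the S104 fingerprinting step fills it in.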
In order to better implement the network asset port scanning and service identification method in the embodiment of the present invention, on the basis of the network asset port scanning and service identification method, as shown in fig. 5, correspondingly, the embodiment of the present invention further provides a network asset port scanning and service identification apparatus 500, including:
an asset scanning task creating unit 501, configured to create an asset scanning task, where the asset scanning task includes a scanning target and a scanning parameter;
a port scanning unit 502, configured to perform port scanning on a scanning target according to the scanning parameters, and obtain a current port state of each port;
an alarm information generating unit 503, configured to obtain a historical port state of each port, and generate alarm information when the current port state is inconsistent with the historical port state;
a port service fingerprint identification unit 504, configured to identify a port service fingerprint of which a current port state is an open port;
and a visualization unit 505, configured to generate a service fingerprint asset library according to the port service fingerprint, and visually display the service fingerprint asset library.
The network asset port scanning and service identifying device 500 provided in the foregoing embodiment may implement the technical solutions described in the foregoing network asset port scanning and service identifying method embodiments, and the specific implementation principles of the modules or units may refer to the corresponding contents in the foregoing network asset port scanning and service identifying method embodiments, and are not described herein again.
As shown in fig. 6, the present invention further provides an electronic device 600. The electronic device 600 comprises a processor 601, a memory 602 and a display 603. Fig. 6 shows only some of the components of the electronic device 600, but it is to be understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
The memory 602 may in some embodiments be an internal storage unit of the electronic device 600, such as a hard disk or memory of the electronic device 600. In other embodiments the memory 602 may also be an external storage device of the electronic device 600, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a Flash memory card (Flash Card), and the like, provided on the electronic device 600.
Further, the memory 602 may also include both internal storage units and external storage devices of the electronic device 600. The memory 602 is used for storing application software and various types of data for installing the electronic device 600.
Processor 601, which in some embodiments may be a Central Processing Unit (CPU), microprocessor or other data Processing chip, executes program code or processes data stored in memory 602, such as network asset port scanning and service identification methods of the present invention.
The display 603 may in some embodiments be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch panel, or the like. The display 603 is used for displaying information on the electronic device 600 and for displaying a visual user interface. The components 601 to 603 of the electronic device 600 communicate with each other via a system bus.
In one embodiment, when the processor 601 executes the network asset port scanning and service identification procedure in the memory 602, the following steps may be implemented:
creating an asset scanning task, wherein the asset scanning task comprises a scanning target and scanning parameters;
carrying out port scanning on a scanning target according to the scanning parameters to obtain the current port state of each port;
acquiring historical port states of all ports, and generating alarm information when the current port state is inconsistent with the historical port state;
identifying the port service fingerprint of each port whose current port state is open;
and generating a service fingerprint asset library from the port service fingerprints, and visually displaying the service fingerprint asset library.
It should be understood that when the processor 601 executes the network asset port scanning and service identification program in the memory 602, it may also perform functions other than those listed above, as described in the corresponding method embodiments earlier in this specification.
Further, the type of the electronic device 600 is not particularly limited in the embodiments of the present invention. The electronic device 600 may be a portable electronic device such as a mobile phone, a tablet computer, a personal digital assistant (PDA), a wearable device or a laptop computer. Exemplary portable electronic devices include, but are not limited to, devices running iOS, Android, a Microsoft operating system or another operating system, as well as other portable devices such as laptop computers with a touch-sensitive surface (e.g. a touch panel). It should also be understood that in other embodiments the electronic device 600 need not be portable; it may, for example, be a desktop computer with a touch-sensitive surface (e.g. a touch panel).
Accordingly, the present application also provides a computer-readable storage medium for storing a computer-readable program or instructions; when the program or instructions are executed by a processor, the method steps or functions provided by the method embodiments above are implemented.
Those skilled in the art will appreciate that all or part of the flow of the method in the above embodiments may be implemented by a computer program stored in a computer-readable storage medium that instructs the associated hardware. The computer-readable storage medium may be a magnetic disk, an optical disk, a read-only memory or a random access memory.
The network asset port scanning and service identification method and device provided by the invention have been described in detail above. A specific example has been used in the description to explain the principle and implementation of the invention, and the description of the embodiments is only intended to help readers understand the method and its core idea. At the same time, those skilled in the art may, following the idea of the invention, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the invention.

Claims (10)

1. A network asset port scanning and service identification method is characterized by comprising the following steps:
creating an asset scanning task, wherein the asset scanning task comprises a scanning target and scanning parameters;
carrying out port scanning on the scanning target according to the scanning parameters to obtain the current port state of each port;
acquiring historical port states of all ports, and generating alarm information when the current port state is inconsistent with the historical port state;
identifying the port service fingerprint of each port whose current port state is open;
and generating a service fingerprint asset library from the port service fingerprints, and visually displaying the service fingerprint asset library.
2. The method of claim 1, wherein identifying the port service fingerprint of each port whose current port state is open comprises:
calling the port scanning tool Nmap to identify the open ports and to identify the port service fingerprint of each open port.
3. The method of claim 1, wherein identifying the port service fingerprint of each port whose current port state is open comprises:
constructing a user-defined service fingerprint library, which comprises a plurality of regular-expression matching statements, a plurality of port service fingerprints, and the mapping relationship between the regular-expression matching statements and the port service fingerprints;
simulating a client by sending a request message to the port, and receiving the response message from the port;
extracting characteristic information from the response message, and determining the regular-expression matching statement that matches the characteristic information;
and determining the port service fingerprint corresponding to the characteristic information from the matched regular-expression matching statement and the mapping relationship.
4. The method of claim 3, wherein the mapping relationship between the plurality of regular-expression matching statements and the plurality of port service fingerprints is:
the plurality of regular-expression matching statements correspond one-to-one to the plurality of port service fingerprints;
or
at least one of the port service fingerprints corresponds to at least two of the regular-expression matching statements.
5. The method of claim 1, wherein generating the service fingerprint asset library from the port service fingerprints comprises:
invoking an initial service fingerprint asset library comprising a plurality of storage directories that store different types of service fingerprints;
acquiring type information of the port service fingerprint, and determining the type of the port service fingerprint from the type information;
and storing the port service fingerprint in the corresponding storage directory to generate the service fingerprint asset library.
6. The method of claim 1, further comprising, after generating alarm information when the current port state and the historical port state are inconsistent:
determining, from the alarm information, the port to be modified whose port state needs to be changed;
and modifying the port to be modified via a command line.
7. The method of claim 1, wherein the scan target is a live (surviving) device, and the scan parameters comprise a scan time period and an IP range or domain range.
8. The network asset port scanning and service identification method of claim 1, wherein the port service fingerprint comprises the service name, version information and product information of the port.
9. The method of claim 1, wherein port scanning the scan target according to the scan parameters comprises:
port scanning the scan target with the port scanner Masscan.
10. A network asset port scanning and service identification device, comprising:
the asset scanning task creating unit is used for creating an asset scanning task, and the asset scanning task comprises a scanning target and scanning parameters;
the port scanning unit is used for carrying out port scanning on the scanning target according to the scanning parameters to obtain the current port state of each port;
the alarm information generating unit is used for acquiring the historical port state of each port and generating alarm information when the current port state is inconsistent with the historical port state;
a port service fingerprint identification unit, configured to identify the port service fingerprint of each port whose current port state is open;
and a visualization unit, used for generating a service fingerprint asset library from the port service fingerprints and visually displaying the service fingerprint asset library.
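The steps listed under the processor 601 embodiment above and claims 1 and 3 to 9 describe one procedure: run a port scan, compare each port's state with the stored historical state and alarm on any difference, send a request to each open port and match the response against a regex fingerprint library, then file the fingerprints into a per-type asset library. The Python below is an added example that runs that procedure end to end on constructed data; it is not the patent's own code. Masscan's `-oL` list output format is real, as are the Nmap/Masscan tools the claims name, but the function names, the fingerprint patterns, the storage directory names, the HTTP probe, the choice to treat a port absent from a scan as closed, and the sample scan output and service responses are all this example's own assumptions.

```python
import re
import socket
from collections import defaultdict

# Constructed masscan -oL output (claim 9): "<state> <proto> <port> <ip> <ts>".
SAMPLE_MASSCAN = """#masscan
open tcp 22 192.0.2.10 1636000000
open tcp 80 192.0.2.10 1636000000
open tcp 3389 192.0.2.10 1636000000
open tcp 25 192.0.2.11 1636000000
# end
"""

def parse_masscan_list(text):
    """Return {(ip, proto, port): state} from masscan -oL list output."""
    states = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            state, proto, port, ip, _ts = line.split()
            states[(ip, proto, int(port))] = state
    return states

# Port states stored by the previous run (constructed). A port absent from a
# scan counts as closed, an assumption of this example, so a newly exposed
# port and a vanished service both raise an alarm.
HISTORICAL = {("192.0.2.10", "tcp", 22): "open", ("192.0.2.10", "tcp", 80): "open",
              ("192.0.2.11", "tcp", 25): "open", ("192.0.2.11", "tcp", 443): "open"}

def port_state_alarms(historical, current):
    """One alarm per port whose current state differs from the stored state."""
    alarms = []
    for key in sorted(set(historical) | set(current)):
        previous, now = historical.get(key, "closed"), current.get(key, "closed")
        if previous != now:
            ip, proto, port = key
            alarms.append({"ip": ip, "proto": proto, "port": port,
                           "previous": previous, "current": now})
    return alarms

# Custom fingerprint library (claims 3, 4, 8): regular-expression matching
# statement -> fingerprint. Two statements map to one fingerprint (the nginx
# entries), and named groups pull the version out. Patterns are illustrative.
FINGERPRINT_LIBRARY = [
    (re.compile(r"^SSH-2\.0-OpenSSH_(?P<version>[\w.]+)"),
     {"service": "ssh", "product": "OpenSSH"}),
    (re.compile(r"^Server: nginx/(?P<version>[\d.]+)", re.M),
     {"service": "http", "product": "nginx"}),
    (re.compile(r"^Server: nginx\r?$", re.M),  # version hidden (server_tokens off)
     {"service": "http", "product": "nginx"}),
    (re.compile(r"^220[ -].*ESMTP Postfix", re.M),
     {"service": "smtp", "product": "Postfix"}),
]

def identify_service(response):
    """Return the port service fingerprint (service, product, version) for the
    first matching statement, or None when the response matches nothing."""
    for pattern, fingerprint in FINGERPRINT_LIBRARY:
        match = pattern.search(response)
        if match:
            return {**fingerprint, "version": match.groupdict().get("version") or "unknown"}
    return None

# Request message sent to elicit a response (claim 3); SSH and SMTP servers speak
# first, so only HTTP needs a probe. grab_response() uses the network; the offline run does not call it.
PROBES = {80: b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"}

def grab_response(ip, port, timeout=3.0):
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        if port in PROBES:
            sock.sendall(PROBES[port])
        return sock.recv(4096).decode("latin-1", errors="replace")

# Constructed responses standing in for grab_response().
SAMPLE_RESPONSES = {
    ("192.0.2.10", 22): "SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n",
    ("192.0.2.10", 80): "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n",
    ("192.0.2.10", 3389): "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00",  # RDP, not in library
    ("192.0.2.11", 25): "220 mail.example.net ESMTP Postfix (Debian/GNU)\r\n",
}

# Asset library storage directories by service type (claim 5); names are this example's.
SERVICE_TYPE = {"http": "web", "ssh": "remote-access", "smtp": "mail"}

def run_pipeline(historical, scan_output, responses):
    """Claim 1 end to end: ingest the scan, alarm on drift, fingerprint each open
    port, file the fingerprints by type. Returns (alarms, asset_library)."""
    current = parse_masscan_list(scan_output)
    alarms = port_state_alarms(historical, current)
    library = defaultdict(list)
    for (ip, proto, port), state in sorted(current.items()):
        if state != "open":
            continue
        fingerprint = identify_service(responses.get((ip, port), "")) or {
            "service": "unknown", "product": "unknown", "version": "unknown"}
        # An open port nobody can name is filed under "other", never dropped.
        library[SERVICE_TYPE.get(fingerprint["service"], "other")].append(
            {"ip": ip, "proto": proto, "port": port, **fingerprint})
    return alarms, dict(library)

if __name__ == "__main__":
    for item in run_pipeline(HISTORICAL, SAMPLE_MASSCAN, SAMPLE_RESPONSES):
        print(item)
```

Running the block offline yields two alarms (3389/tcp on 192.0.2.10 newly open, 443/tcp on 192.0.2.11 no longer open) and a library with the nginx, OpenSSH and Postfix fingerprints filed under web, remote-access and mail. The RDP port matches nothing in the library and is filed under other with an unknown fingerprint rather than silently disappearing; in a real deployment that is the entry an operator should look at first, and the alarm, not the fingerprint, is what claim 6 feeds to the port-modification step.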
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111308102.6A CN114124475A (en) 2021-11-05 2021-11-05 Network asset port scanning and service identification method and device

Publications (1)

Publication Number Publication Date
CN114124475A true CN114124475A (en) 2022-03-01

Family

ID=80380935

Country Status (1)

Country Link
CN (1) CN114124475A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110037564A1 (en) * 2009-08-14 2011-02-17 Shining Union Limited Data-communication-port control device
CN107295023A (en) * 2017-08-23 2017-10-24 四川长虹电器股份有限公司 Cyberspace vulnerability scanning system and method
CN109951359A (en) * 2019-03-21 2019-06-28 北京国舜科技股份有限公司 Asynchronous scanning method and device for distributed network assets
CN110311931A (en) * 2019-08-02 2019-10-08 杭州安恒信息技术股份有限公司 Automatic asset discovery method and device
CN111709009A (en) * 2020-06-17 2020-09-25 杭州安恒信息技术股份有限公司 Detection method and device for networked industrial control systems, computer equipment and medium
CN111770082A (en) * 2020-06-24 2020-10-13 深圳前海微众银行股份有限公司 Vulnerability scanning method, device, equipment and computer-readable storage medium
CN112468360A (en) * 2020-11-13 2021-03-09 北京安信天行科技有限公司 Fingerprint-based asset discovery, identification and detection method and system
CN112751862A (en) * 2020-12-30 2021-05-04 杭州迪普科技股份有限公司 Port scanning attack detection method and device, and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Qin Cheng; He Yubin: "Research on a high-speed IT asset probing and vulnerability discovery system" (IT资产高速探查及漏洞发现系统的研究), Software (软件), no. 12, 15 December 2019 (2019-12-15) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115208695A (en) * 2022-09-13 2022-10-18 平安银行股份有限公司 Black-box security scanning method, device and system, and electronic equipment
CN115208695B (en) * 2022-09-13 2022-12-06 平安银行股份有限公司 Black-box security scanning method, device and system, and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination