CN115001863A - Network security vulnerability detection method, device, medium and electronic equipment - Google Patents

Info

Publication number: CN115001863A
Authority: CN (China)
Prior art keywords: data, network, equipment, target network, communication
Legal status: Granted, active
Application number: CN202210881602.7A
Other languages: Chinese (zh)
Other versions: CN115001863B (en)
Inventor: 江波
Current Assignee: Zhejiang Graffiti Intelligent Electronic Co ltd; Hangzhou Tuya Information Technology Co Ltd
Original Assignee: Zhejiang Graffiti Intelligent Electronic Co ltd; Hangzhou Tuya Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The application discloses a network security vulnerability detection method, device, medium and electronic equipment. The method comprises: generating, for a data sending device, a network access request for a target network based on device identification information of the data sending device; controlling the data sending device to request encrypted configuration data from the target network based on the network access request, wherein the encrypted configuration data is captured from the target network by a data capture device and includes the device identification information; and decrypting the encrypted configuration data with a preset encryption key, and determining whether a security vulnerability exists in the target network based on the decryption result and the device identification information. This technical solution can improve security vulnerability detection efficiency and the security vulnerability detection rate.

Description

Network security vulnerability detection method, device, medium and electronic equipment
Technical Field
The present application relates to the field of computer application technologies, and in particular, to a method, an apparatus, a medium, and an electronic device for detecting a network security vulnerability.
Background
With the development of the Internet of Things, more and more smart devices, such as smart home devices and smart cars, appear in people's daily lives. Short-range wireless communication networks such as Zigbee networks are widely used in the Internet of Things. Security vulnerabilities in such networks can allow the smart devices in them, such as Zigbee devices, to be remotely controlled through hacker attacks, so detecting security vulnerabilities in short-range wireless communication networks has become increasingly important.
However, most smart devices in a short-range wireless communication network are low-power devices whose time window for power-on and communication is short, so continuous and stable communication cannot be achieved, which makes security vulnerability detection for short-range wireless communication networks more challenging.
Disclosure of Invention
The application provides a network security vulnerability detection method, a network security vulnerability detection device, a network security vulnerability detection medium and electronic equipment, which can be used for detecting security vulnerabilities in short-distance wireless communication networks such as Zigbee networks, and achieve the purpose of improving security vulnerability detection efficiency and security vulnerability detection rate.
According to a first aspect of the present application, a method for detecting a network security vulnerability is provided, the method comprising:
generating a network access request aiming at a target network for a data sending device based on the device identification information of the data sending device;
controlling the data sending device to request encrypted configuration data from the target network based on the network access request; wherein the encrypted configuration data is captured from the target network by a data capture device, the encrypted configuration data including the device identification information;
and decrypting the encrypted configuration data by using a preset encryption key, and determining whether the target network has a security vulnerability or not based on a decryption processing result and the equipment identification information.
According to a second aspect of the present application, there is provided a network security vulnerability detection apparatus, the apparatus comprising:
the network access request generating module is used for generating a network access request aiming at a target network for the data sending equipment based on the equipment identification information of the data sending equipment;
an encryption configuration data request module, configured to control the data sending device, and request the target network for encryption configuration data based on the network access request; wherein the encrypted configuration data is captured from the target network by a data capture device, the encrypted configuration data including the device identification information;
and the security vulnerability determination module is used for decrypting the encrypted configuration data by using a preset encryption key and determining whether the target network has a security vulnerability or not based on a decryption processing result and the equipment identification information.
According to a third aspect of the present invention, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the network security vulnerability detection method according to the embodiment of the present application.
According to a fourth aspect of the present invention, an electronic device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements the network security vulnerability detection method according to the embodiment of the present application.
According to the technical solution of the embodiments of the application, security vulnerabilities in the target network are detected through cooperation between the data sending device and the data capture device. By controlling the data sending device and the data capture device to perform the data sending operation and the data capture operation respectively, the embodiments overcome the performance limit of the vulnerability detection tool, solve the problem that key communication data is easily lost because the time window for power-on and communication of smart devices in a short-range wireless communication network is short, and improve security vulnerability detection efficiency and the vulnerability detection rate.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present application, nor do they limit the scope of the present application. Other features of the present application will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a network security vulnerability detection method according to an embodiment;
fig. 2 is a flowchart of a network security vulnerability detection method provided according to the second embodiment;
fig. 3 is a flowchart of a network security vulnerability detection method provided according to the third embodiment;
fig. 4 is a schematic structural diagram of a network security vulnerability detection apparatus according to a fourth embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," "target," and "candidate" and the like in the description and claims of this application and the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a network security vulnerability detection method according to the first embodiment. This embodiment is applicable to detecting security vulnerabilities in a short-range wireless communication network such as a Zigbee network. The method may be executed by a network security vulnerability detection apparatus, which may be implemented in hardware and/or software and may be integrated in an electronic device running the system. Optionally, the apparatus may be integrated in a vulnerability detection upper computer (host computer).
The vulnerability detection upper computer, the data sending device and the data capture device together form a network security vulnerability detection system. The core logic for detecting network security vulnerabilities is defined in the vulnerability detection upper computer, which controls the data sending device and the data capture device and detects network security vulnerabilities through their cooperation.
The data sending device and the data capture device are the network security vulnerability detection tools in the embodiments of the application. Specifically, the vulnerability detection upper computer controls the data sending device through a data sending process, and the data sending device performs data sending operations; the upper computer controls the data capture device through a data capture thread, and the data capture device performs data capture operations. Preferably, the data sending operation and the data capture operation are carried out asynchronously. Optionally, the data sending device is configured with a data sending chip and the data capture device is configured with a data capture chip, where the data sending chip defines the core processing logic of the data sending operation and the data capture chip defines the core processing logic of the data capture operation.
Next, a method for detecting a network security vulnerability provided by the embodiment of the present application is introduced.
As shown in fig. 1, the method includes:
S110, generating a network access request for a target network for the data sending device based on the device identification information of the data sending device.
The device identification information of the data transmission device is used for identifying the data transmission device. The device identification information is actually identity information of the data transmission device. Optionally, the device identification information of the data sending device is a Media Access Control Address (MAC Address) of the data sending device.
The network access request is generated by the vulnerability detection upper computer for the data sending device and is used to ask the target network to allow the data sending device to join the target network. Optionally, the network access request includes the network identifier (PANID) of the target network, a communication address (source address), and the device identification information of the data sending device, such as its MAC address. If the target network allows the data sending device to join, the target network allocates a communication address within the target network to the data sending device and feeds back the encrypted configuration data.
A network to be detected that meets the security vulnerability detection condition is a target network. Devices in the network to be detected are powered on and communicate only for a limited time. Optionally, the network to be detected is a short-range wireless communication network. The security vulnerability detection condition is a precondition for performing security vulnerability detection on the network to be detected. Optionally, the security vulnerability detection condition is that device network provisioning is allowed, that is, new devices are allowed to join the network to be detected. Illustratively, the network to be detected is a ZigBee network, and the target network is a ZigBee network that allows device network provisioning. A ZigBee network is a network established based on the ZigBee protocol and includes ZigBee devices such as gateway devices and terminal devices; optionally, the gateway devices include a router and a coordinator. The router is responsible for forwarding communication data in the ZigBee network, and the coordinator is responsible for establishing the ZigBee network. Illustratively, a terminal device may be a smart home device that can be connected to the ZigBee network, such as a smart light fixture or a smart door lock. Allowing device network provisioning is a network state of the ZigBee network; while the ZigBee network is in this state, ZigBee devices are allowed to access the ZigBee network. To facilitate understanding of the network security vulnerability detection method provided by the present application, the embodiments of the present application are explained by taking a ZigBee network as an example.
However, it should be noted that the ZigBee network does not limit the scope of the present application; the network security vulnerability detection method provided by the present application may be applied to other short-range wireless communication networks in which the power-on and communication time of devices is limited.
In the embodiments of the application, security vulnerability detection is achieved through data communication between the vulnerability detection tools and the smart devices in the target network. Specifically, the data sending device performs the data sending operation to send data to the target network, and the data capture device performs the data capture operation to capture data from the target network.
In the embodiments of the application, the data sending operation and the data capture operation are separated and assigned to the data sending device and the data capture device respectively. Because the two operations are not deployed on the same chip, the performance limit of a single chip can be overcome.
The smart devices in the target network are generally low-power devices, and their communication windows are very short, which places demands on the processing performance of the vulnerability detection tool. If both the data sending operation and the data capture operation are deployed on a single chip, the processing performance of that chip becomes the limit: key data is easily lost during data communication between the chip and the low-power devices, the chip often has to repeat the operation many times, and security vulnerability detection efficiency and the vulnerability detection rate are low.
A data capture device and a data sending device that are independent of each other cooperate to communicate with the target network, which solves the problem that key communication data is easily lost because the time window for power-on and communication of smart devices in the target network is short. The data sending device is responsible for sending data to the target network, and the data capture device is responsible for capturing data from the target network, so loss of key communication data can be effectively avoided and vulnerability detection efficiency is improved.
S120, controlling the data sending equipment to request the encryption configuration data from the target network based on the network access request; wherein the encrypted configuration data is captured from the target network by a data capture device, the encrypted configuration data including the device identification information.
The vulnerability detection upper computer controls the data sending device, based on the data sending thread, to send the network access request to the target network, and the target network feeds back the encrypted configuration data if the data sending device meets the network access requirement. The encrypted configuration data is used by the data sending device to encrypt communication data. Optionally, the encrypted configuration data has itself been encrypted and includes the device identification information of the data sending device.
The vulnerability detection upper computer controls the data capture device to monitor the target network and capture the encrypted configuration data from the target network.
S130, decrypting the encrypted configuration data by using a preset encryption key, and determining whether the target network has a security vulnerability or not based on a decryption processing result and the equipment identification information.
Because the encrypted configuration data has been encrypted, the vulnerability detection upper computer decrypts it with the preset encryption key to obtain a decryption result. The preset encryption key is the default link key provided by the network protocol and is a key that can be obtained publicly. Optionally, the preset encryption key is the trust center link key. Illustratively, the vulnerability detection upper computer decrypts the encrypted configuration data as follows. First, it hashes the preset encryption key using the Advanced Encryption Standard (AES) algorithm to obtain a hashed encryption key. Next, it determines the random counter of the AES algorithm from the encrypted configuration data. It then encrypts the random counter with the hashed encryption key using AES; the encrypted random counter is the candidate decryption key for the encrypted configuration data. Finally, it XORs the encrypted random counter with the encrypted configuration data byte by byte, and the XOR result is the decryption result of the encrypted configuration data.
The encrypted configuration data includes the device identification information of the data sending device. If the decryption result obtained from the encrypted configuration data includes that device identification information, decryption has succeeded, which means the encrypted configuration data was encrypted with the preset encryption key. Because the preset encryption key can be obtained publicly, any user who holds it can decrypt the encrypted configuration data, and the target network is at risk of communication data leakage. Smart devices in the target network are then susceptible to being remotely controlled through hacker attacks, so it can be determined that a security vulnerability exists in the target network.
According to the technical solution of the embodiments of the application, security vulnerabilities in the target network are detected through cooperation between the data sending device and the data capture device. By controlling the data sending device and the data capture device to perform the data sending operation and the data capture operation respectively, the embodiments overcome the performance limit of the vulnerability detection tool, solve the problem that key communication data is easily lost because the time window for power-on and communication of smart devices in a short-range wireless communication network is short, and improve security vulnerability detection efficiency and the vulnerability detection rate.
In an optional embodiment, determining whether the target network has a security vulnerability based on the decryption processing result and the device identification information includes: matching the decryption processing result with the equipment identification information to obtain a matching result; and if the matching result is that the matching is successful, determining that the target network has the encryption vulnerability.
The decryption result is obtained by decrypting the encrypted configuration data with the preset encryption key, and the encrypted configuration data includes the device identification information of the data sending device. If the decryption result includes the device identification information, the encrypted configuration data was encrypted with the preset encryption key. To determine whether the decryption result includes the device identification information of the data sending device, the decryption result is matched against that device identification information to obtain a matching result. If the match succeeds, the decryption result includes the device identification information of the data sending device, and the encrypted configuration data was encrypted with the preset encryption key. Any user who holds the preset encryption key can decrypt the encrypted configuration data, so the target network is at risk of communication data leakage and an encryption vulnerability exists in the target network.
If the match fails, it can be determined that the encrypted configuration data was not encrypted with the preset encryption key, and therefore that the target network does not have the encryption vulnerability.
According to the technical scheme, whether the encryption vulnerability exists in the target network is determined by judging whether the decryption processing result comprises the equipment identification information of the data sending equipment, so that whether the encryption vulnerability exists in the target network is detected, the vulnerability detection accuracy is ensured, and meanwhile, the detection flow of the encryption vulnerability is simplified.
In an optional embodiment, controlling the data sending device to request the encrypted configuration data from the target network based on the network access request includes: controlling the data sending equipment to send the network access request to the target network so as to enable target gateway equipment in the target network to feed back network access response data; controlling the data capture equipment to capture the network access response data, and determining the time sequence information of the network access response data as a reference time sequence; and generating time sequence response data based on the reference time sequence, and controlling the data sending equipment to feed back the time sequence response data to the target network so that the target network feeds back the encrypted configuration data.
And the vulnerability detection upper computer controls the data sending equipment to send a network access request to the target network based on the data sending thread. And the target gateway equipment in the target network feeds back network access response data aiming at the network access request. Optionally, the target gateway device is a coordinator in a ZigBee network.
Optionally, the network entry response data includes device identification information of the target gateway device and device identification information of the data sending device, and the device identification information may be, for example, a MAC address. The network access response data also comprises time sequence information and a communication address which is allocated to the data sending equipment by the target gateway equipment. The data transmitting device may access the target network based on the communication address assigned by the target gateway device.
When the vulnerability detection upper computer controls the data sending device to send the network access request to the target network, it also controls the data capture device to monitor the target network and, in response to capturing the network access request, to capture the network access response data. The upper computer then takes the time sequence information in the network access response data as the reference time sequence.
The time sequence information is used to distinguish different communication data. For example, each time a ZigBee device in the ZigBee network transmits communication data, the time sequence value for that data is incremented. Generally, the maximum time sequence value is 255; when the value reaches 255, it is reset to 0.
After the target network sends out the network access response data, the time sequence response data needs to be fed back for the network access response data in a short time. The time sequence information in the time sequence response data is consistent with the time sequence information in the network access response data. And the vulnerability detection upper computer generates time sequence response data based on the reference time sequence and controls the data sending equipment to send the time sequence response data to the target network. And after receiving the time sequence response data, the target network feeds back the encrypted configuration data. According to the embodiment of the application, through the mutual cooperation of the data sending device and the data capturing device, the time sequence response data can be fed back to the target network within a very short time after the network access response data is captured, for example, within 0.005 second, and the time sequence response data can be used as a response aiming at the network access response data.
According to the technical scheme, the data sending device and the data capturing device are matched with each other to carry out data communication with the target gateway device in the target network, the time sequence response data are fed back aiming at the time sequence response data in the limited communication time of the target gateway device, the problems that a low-power-consumption device in the target network is short in communication time window and key data are easy to lose are solved, and the vulnerability detection efficiency is improved.
Example two
Fig. 2 is a flowchart of a network security vulnerability detection method according to a second embodiment. This embodiment further optimizes the foregoing embodiment. Specifically, before the operation "generating a network access request for a target network for the data sending device based on device identification information of the data sending device", the following operations are added: "controlling, based on a data capture thread, the data capture device to monitor communication data in a network to be detected until the data capture device captures any communication data; controlling, based on a data sending thread, the data sending device to request communication configuration data from the network to be detected; controlling, based on the data capture thread, the data capture device to capture the communication configuration data from the network to be detected; and determining the target network in the network to be detected based on the device distribution network identifier in the communication configuration data."
As shown in fig. 2, the method includes:
S210, based on the data capture thread, controlling the data capture device to monitor the communication data in the network to be detected until the data capture device captures any communication data.
The vulnerability detection upper computer first starts the data capture device and controls it to monitor the communication data in the network to be detected. At this point it has not been determined whether the network to be detected meets the security vulnerability detection condition. Where the security vulnerability detection condition is that device distribution is allowed, the network to be detected may be a short-distance wireless communication network that allows device distribution or one that does not. The number of networks to be detected is at least two, is determined according to the actual situation, and is not limited herein.
S220, controlling the data sending device to request communication configuration data from the network to be detected based on the data sending thread.
When the data capture device has captured any communication data, the data sending device is controlled, based on the data sending thread, to request communication configuration data from the network to be detected.
The communication configuration data refers to communication configuration data of scannable devices in the network to be detected. The scannable device refers to an intelligent device which can be scanned in the network to be detected. The communication configuration data is a data basis for data communication of the network to be detected.
Optionally, the communication configuration data includes: a Network Identifier (PANID) of the network to be detected, a communication address (source address) of the scannable device in the network to be detected, a device distribution network identifier, a network protocol version of the scannable device, and the like. The device distribution network identifier is used for determining whether the device distribution network is allowed in the current communication window of the network to be detected where the scannable device is located.
The data capture device capturing any communication data indicates that its data capture function is working normally. Because the vulnerability detection upper computer controls the data sending device to request the communication configuration data from the network to be detected, based on the data sending thread, only after the data capture device has captured some communication data, loss of the communication configuration data due to an abnormal data capture function can be avoided.
S230, controlling the data capture device to capture the communication configuration data from the network to be detected based on a data capture thread.
After the vulnerability detection upper computer controls the data sending equipment to request communication configuration data from the network to be detected, the data capturing equipment is controlled to capture the communication configuration data from the network to be detected based on the data capturing thread.
S240, determining the target network in the network to be detected based on the equipment distribution network identification in the communication configuration data.
The vulnerability detection upper computer determines the target network in the network to be detected based on the device distribution network identifier in the communication configuration data. Specifically, it determines as the target network any network to be detected whose device distribution network identifier indicates that device distribution is allowed.
S250, generating a network access request aiming at a target network for the data sending equipment based on the equipment identification information of the data sending equipment.
S260, controlling the data sending equipment to request the encryption configuration data from the target network based on the network access request; wherein the encrypted configuration data is captured from the target network by a data capture device, the encrypted configuration data including the device identification information.
S270, decrypting the encrypted configuration data by using a preset encryption key, and determining whether the target network has a security vulnerability or not based on a decryption processing result and the equipment identification information.
In this technical scheme, the data sending device is controlled to request the communication configuration data from the network to be detected only when the data capture device has captured any communication data, so that loss of the communication configuration data due to an abnormal data capture function of the data capture device can be avoided. The data capture device is controlled to capture the communication configuration data from the network to be detected, and the target network in the network to be detected is determined based on the device distribution network identifier in the communication configuration data. This provides data support for subsequently requesting encrypted configuration data from the target network and detecting security vulnerabilities in the target network based on the encrypted configuration data.
In an optional embodiment, controlling the data capture device to listen to communication data in a network to be detected includes: acquiring a channel scanning mode; determining a channel to be scanned in the candidate channels corresponding to the network to be detected according to the channel scanning mode; and controlling the data capturing equipment to monitor the communication data in the channel to be scanned based on a data capturing thread.
It is known that network protocols typically preset a set number of channels for data communications by devices in the network. Illustratively, the ZigBee protocol may set 16 channels as channel 11 to channel 26, respectively, for the ZigBee devices to communicate data.
The channels preset by the network protocol are scanned to determine whether a scannable device exists in the network to be detected, and then to determine, according to the device distribution network identifier of the scannable device, a target network that allows device distribution.
The channel scanning mode is used for determining a scanning mode of a preset channel. The preset channel to be scanned may be determined based on the channel scanning mode. The channel scanning mode is determined according to actual traffic requirements, and is not limited herein. Optionally, the channel scanning mode includes: scanning for a specified channel and scanning for all channels.
The vulnerability detection upper computer determines the channel to be scanned among the candidate channels corresponding to the network to be detected according to the channel scanning mode. Next, the vulnerability detection upper computer controls the data capture device to monitor the communication data in the channel to be scanned to determine whether a scannable device exists in the channel to be scanned. The channel to be scanned is determined according to the channel scanning mode and refers to a channel among the candidate channels that needs to be scanned. The candidate channels may be all preset channels.
In this technical scheme, the vulnerability detection upper computer determines the channel to be scanned among the candidate channels corresponding to the network to be detected according to the channel scanning mode, and controls the data capture device to monitor communication data in the channel to be scanned. Because the channel scanning mode is customized according to user requirements, users' various channel scanning needs are met, the flexibility of channel scanning is improved, and vulnerability detection efficiency is improved.
In an optional embodiment, the determining, according to the channel scanning mode, a channel to be scanned from candidate channels corresponding to the network to be detected includes: if the channel scanning mode is to scan an appointed channel, determining an appointed channel identifier, and determining the channel to be scanned in the candidate channels according to the appointed channel identifier; and if the channel scanning mode is to scan all channels, determining a channel scanning sequence, and sequentially using the candidate channels as the channels to be scanned according to the channel scanning sequence.
The scanning of the designated channel refers to a mode of scanning the designated channel, and at least one designated channel identifier needs to be provided when the channel scanning mode is the mode of scanning the designated channel.
The vulnerability detection upper computer determines the channel to be scanned among the candidate channels according to the designated channel identifier. Specifically, it determines the channel represented by the designated channel identifier among the candidate channels as the channel to be scanned.
Scanning all channels refers to a mode in which all channels are scanned; when the channel scanning mode is to scan all channels, all candidate channels are determined as channels to be scanned. Optionally, only one channel to be scanned is scanned at a time, so that communication data loss can be avoided.
When the channel scanning mode is to scan all channels, the vulnerability detection upper computer determines a channel scanning order and takes the candidate channels in turn as the channel to be scanned according to that order. The channel scanning order is determined according to actual service requirements and is not limited herein. For example, the channel scanning order may be to scan the candidate channels in increasing order of channel identifier, such as channel 11 to channel 26.
Optionally, in the channel scanning process, each channel to be scanned is scanned only once. That is, in the mode of scanning a designated channel, the designated channel is scanned only once, and likewise, in the mode of scanning all channels, each candidate channel is scanned only once. For example, when the candidate channels are channels 11 to 26 and the channel scanning order is increasing channel identifier, channel 11 is first determined as the channel to be scanned; after channel 11 has been scanned, channel 12 is determined as the channel to be scanned, and so on, until all candidate channels have been scanned.
The technical scheme provides a channel scanning mode for scanning the designated channel and scanning all channels, covers common channel scanning requirements, supports a user to determine the channel scanning mode according to actual service requirements, and is beneficial to improving the channel scanning efficiency.
The network security vulnerability detection method is described by taking the network to be detected as a ZigBee network as an example, and in a specific embodiment, the network security vulnerability detection method comprises the following steps:
The vulnerability detection upper computer acquires the channel scanning mode. Take as an example the case where the channel scanning mode is to scan a designated channel and the designated channel is channel 12. The vulnerability detection upper computer starts the data capture device to monitor channel 12. When the data capture device has captured any communication data, the vulnerability detection upper computer controls the data sending device to broadcast a beacon request data packet (beacon request) in channel 12. ZigBee devices in the network to be detected respond to the beacon request by broadcasting a beacon data packet, and the vulnerability detection upper computer controls the data capture device to capture the beacon data packet. The beacon data packet includes the communication configuration data. The vulnerability detection upper computer determines the target network in the network to be detected according to the device distribution network identifier in the communication configuration data. For example, if the device distribution network identifier in the beacon data packet fed back by coordinator A indicates that device distribution is allowed, the ZigBee network to which coordinator A belongs is determined as the target network.
Once the target network is determined, the vulnerability detection upper computer generates a network access request (association request) for the target network for the data sending device according to the device identification information of the data sending device. Coordinator A in the target network responds to the association request by broadcasting association response data (Association response). The vulnerability detection upper computer controls the data capture device to capture the Association response, and the Association response must be answered with time sequence response data (Acknowledge) carrying the same time sequence. The time sequence response must be completed within a short time. In the ZigBee protocol, the time sequence represents the order in which data packets are sent, and communication security is also ensured through the time sequence.
The time sequence response process is as follows: after the Association response is captured by the data capture device, the vulnerability detection upper computer determines the time sequence information of the Association response as the reference time sequence, generates an Acknowledge based on the reference time sequence, and controls the data sending device to feed back the Acknowledge to coordinator A as the response to the Association response.
Coordinator A responds to the Acknowledge by broadcasting the encrypted configuration data (Transport Key). The Transport Key is obtained through encryption processing and includes the data sending device identifier and the general encryption key (network Key).
The vulnerability detection upper computer controls the data capture device to capture the encrypted configuration data from the target network, decrypts the encrypted configuration data using the preset encryption key (Trust center link Key), and matches the decryption processing result against the device identification information. If the match succeeds, it is determined that the Transport Key was encrypted using the Trust center link Key, so the ZigBee network is at risk of communication data leakage and the target network has a security vulnerability; specifically, the target network can be determined to have an encryption vulnerability.
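The channel selection and target-network determination of S210 to S240 can be sketched as follows. This is an added example, not code from the patent: it assumes the "device distribution network identifier" corresponds to the Association Permit bit of the IEEE 802.15.4 beacon superframe specification, the function and class names are hypothetical, and the captured frames are constructed samples.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

CANDIDATE_CHANNELS = list(range(11, 27))  # channel 11 to channel 26, as in the text


def channels_to_scan(mode: str, designated: Optional[Iterable[int]] = None) -> List[int]:
    """Return the channels to be scanned, each exactly once."""
    if mode == "all":
        return list(CANDIDATE_CHANNELS)              # increasing channel identifier order
    if mode == "designated":
        chosen = list(dict.fromkeys(designated or []))   # drop duplicates, keep order
        if not chosen:
            raise ValueError("designated mode needs at least one channel identifier")
        unknown = [c for c in chosen if c not in CANDIDATE_CHANNELS]
        if unknown:
            raise ValueError(f"not a candidate channel: {unknown}")
        return chosen
    raise ValueError(f"unknown channel scanning mode: {mode!r}")


@dataclass(frozen=True)
class BeaconInfo:
    channel: int
    pan_id: int                      # network identifier (PANID)
    source: int                      # communication address of the scannable device
    association_permit: bool         # assumed "device distribution network identifier"
    protocol_version: Optional[int]  # from the ZigBee beacon payload, if present


def parse_beacon(channel: int, frame: bytes) -> Optional[BeaconInfo]:
    """Parse an IEEE 802.15.4 beacon (FCS stripped); None if it is not a usable beacon."""
    if len(frame) < 3:
        return None
    fcf, _seq = struct.unpack_from("<HB", frame, 0)
    if fcf & 0x0007 != 0:                            # frame type 0 = beacon
        return None
    addr_len = {2: 2, 3: 8}.get((fcf >> 14) & 0x3)   # source addressing mode
    if addr_len is None:
        return None
    off = 3
    if len(frame) < off + addr_len + 6:  # PAN ID, address, superframe, GTS, pending
        return None
    pan_id = struct.unpack_from("<H", frame, off)[0]
    off += 2
    source = int.from_bytes(frame[off:off + addr_len], "little")
    off += addr_len
    superframe = struct.unpack_from("<H", frame, off)[0]
    off += 2
    gts_count = frame[off] & 0x07                    # skip GTS fields
    off += 1 + ((1 + 3 * gts_count) if gts_count else 0)
    if off >= len(frame):
        return None
    pending = frame[off]                             # skip pending address fields
    off += 1 + 2 * (pending & 0x07) + 8 * ((pending >> 4) & 0x07)
    version = None
    if len(frame) >= off + 2 and frame[off] == 0x00:  # ZigBee protocol ID 0
        version = frame[off + 1] >> 4                 # high nibble: protocol version
    return BeaconInfo(channel, pan_id, source, bool(superframe & 0x8000), version)


def select_target_networks(captures: Iterable[Tuple[int, bytes]],
                           channels: List[int]) -> List[BeaconInfo]:
    """Keep beacons heard on the scanned channels whose network allows devices to join."""
    targets = []
    for channel, frame in captures:
        if channel not in channels:
            continue
        info = parse_beacon(channel, frame)
        if info is not None and info.association_permit:
            targets.append(info)
    return targets


# Constructed sample captures: (channel, frame bytes without FCS).
_PAYLOAD = "002284" "1122334455667788" "ffffff" "00"
SAMPLE_CAPTURES = [
    (12, bytes.fromhex("0080" "2a" "621a" "0000" "ffcf" "00" "00" + _PAYLOAD)),  # coordinator A, joining open
    (12, bytes.fromhex("0080" "07" "c177" "0000" "ff4f" "00" "00" + _PAYLOAD)),  # joining closed
    (12, bytes.fromhex("4188" "01" "621a" "ffff" "0000")),                       # data frame, not a beacon
    (15, bytes.fromhex("0080" "90" "4433" "0000" "ffcf" "00" "00" + _PAYLOAD)),  # joining open, other channel
]

if __name__ == "__main__":
    for t in select_target_networks(SAMPLE_CAPTURES, channels_to_scan("designated", [12])):
        print(f"channel {t.channel}: PAN 0x{t.pan_id:04x} allows joining")
```

From an operator's point of view, any network this reports outside a deliberate commissioning window has joining left open, which is the precondition for every later step in the method.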
Example three
Fig. 3 is a flowchart of a network security vulnerability detection method according to the third embodiment. This embodiment further optimizes the foregoing embodiments and provides a method for detecting whether the ZigBee network has a control vulnerability in the case that the target network has an encryption vulnerability.
As shown in fig. 3, the method includes:
S310, in the case that the target network has an encryption vulnerability, decrypting the encrypted configuration data by using the preset encryption key to obtain a general encryption key.
In the case that the target network has an encryption vulnerability, the vulnerability detection upper computer controls the data capture device to capture the communication data in the target network. The data sending device joins the target network as a fake terminal device.
The encrypted configuration data includes the general encryption key. The general encryption key is used to encrypt and protect communication data in the target network. When the target network has an encryption vulnerability, the encrypted configuration data can be decrypted with the preset encryption key, and decrypting it yields the general encryption key. In other words, holding the preset encryption key is equivalent to holding the general encryption key, and the communication data in the target network can be decrypted with the general encryption key.
S320, utilizing the general encryption key to decrypt the communication data captured by the data capture device in the target network, and determining the type of the communication data.
The general encryption key is used for encrypting and protecting the communication data in the target network, and the communication data in the target network can be decrypted by using the general encryption key. And determining the type of the communication data according to the decryption processing result of the communication data.
S330, under the condition that the communication data type is the terminal control data, the terminal control data is changed to obtain control change data.
The terminal control data is used for controlling a target terminal device in a target network. The target terminal device is an action object of terminal control data, the target terminal device is an intelligent device in a target network, and the target terminal device can be an intelligent lamp or an intelligent door lock.
When the communication data type is terminal control data, the vulnerability detection upper computer changes the terminal control data to obtain control change data. Optionally, the control change data and the terminal control data differ only in time sequence information; that is, the vulnerability detection upper computer changes only the time sequence information of the terminal control data.
S340, sending the control change data to the target network through the data sending equipment, so that the target terminal equipment in the target network feeds back control response data aiming at the control change data.
The data sending device acts as a fake terminal device in the target network and can carry out data communication with other terminal devices in the target network. The vulnerability detection upper computer controls the data sending device to send the control change data to the target network. The target terminal device in the target network executes the corresponding action according to the control change data and feeds back control response data.
S350, determining whether the target network has a control vulnerability based on the control response data.
Wherein the control response data is generated by the target terminal device, and the effect of the control change data on the target terminal device can be determined based on the control response data.
The vulnerability detection upper computer controls the data capture device to capture the control response data and determines whether the target network has a control vulnerability according to the control response data. If it is determined from the control response data that the target terminal device successfully executed the control operation in the control change data, the target network is determined to have a control vulnerability; otherwise, the target network is determined not to have a control vulnerability.
Where the control change data and the terminal control data differ only in time sequence information, the control vulnerability in the target network can be further determined: the target network is at risk of replay attacks.
Illustratively, the data capture device captures terminal control data 1 and terminal control data 2 in the target network. Terminal control data 1 controls intelligent lamp A to perform a lighting operation, and terminal control data 2 controls intelligent lamp A to perform an extinguishing operation. The time sequence of terminal control data 1 precedes that of terminal control data 2; assuming the time sequence of terminal control data 1 is 100 and that of terminal control data 2 is 101, intelligent lamp A first performs the lighting operation and then the extinguishing operation. The vulnerability detection upper computer changes the time sequence of terminal control data 1 from 100 to 102 to obtain control change data 1, and changes the time sequence of terminal control data 2 from 101 to 103 to obtain control change data 2. The vulnerability detection upper computer controls the data sending device to send control change data 1 and control change data 2 to the target network, and controls the data capture device to capture the control response data fed back by intelligent lamp A in the target network. If intelligent lamp A executes the lighting operation and the extinguishing operation again, it is determined that the target network has a control vulnerability and is at risk of replay attacks.
With this method for detecting control vulnerabilities in a ZigBee network, once an encryption vulnerability has been determined to exist in the target network, the target network is further checked for a control vulnerability. This improves both the detection efficiency and the detection rate of security vulnerabilities, allows security vulnerabilities in the target network to be found in time, and helps improve the data security of the target network.
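The intelligent lamp A scenario above can be modelled to show what distinguishes a terminal device that exhibits the control vulnerability from one that does not. This is an added example, not code from the patent: both lamp classes are hypothetical models, and the hardened one assumes a per-sender frame counter covered by the message integrity check, a field the text does not describe.

```python
from dataclasses import dataclass, replace
from typing import Dict, List

SEQ_MODULUS = 256  # the time sequence runs 0..255 and is then reset to 0


@dataclass(frozen=True)
class ControlFrame:
    source: int          # address of the sending device
    seq: int             # time sequence from the text
    frame_counter: int   # assumption: integrity-protected per-sender counter
    command: str         # "on" (lighting operation) or "off" (extinguishing operation)


def change_sequence(frame: ControlFrame, step: int) -> ControlFrame:
    """Control change data: identical to the captured frame except for the time sequence."""
    return replace(frame, seq=(frame.seq + step) % SEQ_MODULUS)


class SequenceOnlyLamp:
    """Model of a device that only uses the time sequence to drop duplicates."""

    def __init__(self) -> None:
        self.last_seq: Dict[int, int] = {}
        self.lit = False

    def receive(self, frame: ControlFrame) -> dict:
        duplicate = self.last_seq.get(frame.source) == frame.seq
        if not duplicate:
            self.last_seq[frame.source] = frame.seq
            self.lit = frame.command == "on"
        return {"seq": frame.seq, "executed": not duplicate, "lit": self.lit}


class CounterCheckingLamp:
    """Model of a device that also requires a strictly increasing frame counter.

    This rejects re-sent captured frames. It does not help against frames
    forged by someone who already holds the general encryption key.
    """

    def __init__(self) -> None:
        self.last_counter: Dict[int, int] = {}
        self.lit = False

    def receive(self, frame: ControlFrame) -> dict:
        fresh = frame.frame_counter > self.last_counter.get(frame.source, -1)
        if fresh:
            self.last_counter[frame.source] = frame.frame_counter
            self.lit = frame.command == "on"
        return {"seq": frame.seq, "executed": fresh, "lit": self.lit}


def has_control_vulnerability(lamp, captured: List[ControlFrame], step: int = 2) -> bool:
    """Deliver the original traffic, then the control change data, and judge the responses."""
    for frame in captured:
        lamp.receive(frame)                       # legitimate traffic, seen first
    responses = [lamp.receive(change_sequence(f, step)) for f in captured]
    return any(r["executed"] for r in responses)  # control response data


# Constructed sample: terminal control data 1 (seq 100, on) and 2 (seq 101, off).
CAPTURED = [
    ControlFrame(source=0x4F21, seq=100, frame_counter=7000, command="on"),
    ControlFrame(source=0x4F21, seq=101, frame_counter=7001, command="off"),
]

if __name__ == "__main__":
    print("sequence-only lamp vulnerable:", has_control_vulnerability(SequenceOnlyLamp(), CAPTURED))
    print("counter-checking lamp vulnerable:", has_control_vulnerability(CounterCheckingLamp(), CAPTURED))
```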
Example four
Fig. 4 is a schematic structural diagram of a network security vulnerability detection apparatus according to a fourth embodiment of the present application. The embodiment is applicable to detecting security vulnerabilities in a short-distance wireless communication network, for example a ZigBee network. The apparatus can be implemented in software and/or hardware and can be integrated in electronic equipment such as an intelligent terminal.
As shown in fig. 4, the apparatus may include: a network access request generating module 410, an encryption configuration data request module 420, and a security vulnerability determining module 430.
A network access request generating module 410, configured to generate a network access request for a target network for a data sending device based on device identification information of the data sending device;
an encryption configuration data request module 420, configured to control the data sending device to request encryption configuration data from the target network based on the network access request; wherein the encrypted configuration data is captured from the target network by a data capture device, the encrypted configuration data including the device identification information;
and the security vulnerability determining module 430 is configured to decrypt the encrypted configuration data by using a preset encryption key, and determine whether a security vulnerability exists in the target network based on a decryption processing result and the device identification information.
According to the technical scheme of the embodiment of the application, the detection of the security vulnerability in the target network is realized through the mutual cooperation of the data sending equipment and the data capturing equipment. According to the embodiment of the application, the data sending equipment and the data capturing equipment are controlled to respectively execute the data sending operation and the data capturing operation, the performance limit of a vulnerability detection tool is broken, the problems that the time window for power-on of intelligent equipment and equipment communication in a short-distance wireless communication network is short, and key communication data are easy to lose are solved, and the security vulnerability detection efficiency and the vulnerability detection rate are improved.
Optionally, the security vulnerability determining module 430 includes: a matching result determining submodule for matching the decryption processing result with the device identification information to obtain a matching result; and an encryption vulnerability determining submodule for determining that the target network has the encryption vulnerability if the matching result is that the matching is successful.
Optionally, the encrypted configuration data requesting module 420 includes: a network access request sending submodule, configured to control the data sending device to send the network access request to the target network, so that a target gateway device in the target network feeds back network access response data; the network access response data capturing submodule is used for controlling the data capturing equipment to capture the network access response data and determining the time sequence information of the network access response data as a reference time sequence; and the time sequence response data feedback submodule is used for generating time sequence response data based on the reference time sequence and controlling the data sending equipment to feed back the time sequence response data to the target network so as to enable the target network to feed back the encryption configuration data.
Optionally, the apparatus further includes: the communication data monitoring module is used for controlling the data capturing device to monitor the communication data in the network to be detected based on the data capturing thread before generating a network access request aiming at a target network for the data sending device based on the device identification information of the data sending device until the data capturing device captures any communication data; the communication configuration data request module is used for controlling the data sending equipment to request communication configuration data from the network to be detected based on the data sending thread; the communication configuration data capturing module is used for controlling the data capturing equipment to capture the communication configuration data from the network to be detected based on a data capturing thread; and the target network determining module is used for determining the target network in the network to be detected based on the equipment distribution network identification in the communication configuration data.
Optionally, the communication data monitoring module includes: a channel scanning mode obtaining submodule for obtaining a channel scanning mode; a channel to be scanned determining module, configured to determine a channel to be scanned in the candidate channels corresponding to the network to be detected according to the channel scanning mode; and the communication data monitoring submodule is used for controlling the data capturing equipment to monitor the communication data in the channel to be scanned based on a data capturing thread.
Optionally, the module for determining a channel to be scanned includes: a first channel determining submodule, configured to determine an assigned channel identifier if the channel scanning mode is to scan an assigned channel, and determine the channel to be scanned in the candidate channels according to the assigned channel identifier; and the second channel determining submodule is used for determining a channel scanning sequence if the channel scanning mode is to scan all channels, and sequentially using the candidate channels as the channels to be scanned according to the channel scanning sequence.
Optionally, the apparatus further comprises: a general encryption key determining module, configured to decrypt the encrypted configuration data by using the preset encryption key to obtain a general encryption key in the case that the target network has an encryption vulnerability; a communication data type determining module, configured to decrypt the communication data captured by the data capture device in the target network by using the general encryption key and determine the type of the communication data; a control change data determining module, configured to change the terminal control data to obtain control change data in the case that the communication data type is terminal control data; a control change data sending module, configured to send the control change data to the target network through the data sending device, so that a target terminal device in the target network feeds back control response data for the control change data; and a control vulnerability determining module, configured to determine whether the target network has a control vulnerability based on the control response data.
In the technical scheme of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure and the like of the related user information all comply with the relevant laws and regulations and do not violate public order and good customs.
Example five
FIG. 5 illustrates a schematic diagram of an electronic device 510, which can be used to implement embodiments. The electronic device 510 includes at least one processor 511, and a memory communicatively connected to the at least one processor 511, such as a ROM 512 (read only memory), a RAM 513 (random access memory), and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 511 may perform various appropriate actions and processes according to the computer program stored in the ROM 512 or the computer program loaded from the storage unit 518 into the RAM 513. In the RAM 513, various programs and data necessary for the operation of the electronic device 510 can also be stored. The processor 511, the ROM 512, and the RAM 513 are connected to each other by a bus 514. An input/output (I/O) interface 515 is also connected to bus 514.
Various components in the electronic device 510 are connected to the I/O interface 515, including: an input unit 516 such as a keyboard, a mouse, and the like; an output unit 517 such as various types of displays, speakers, and the like; a storage unit 518, such as a magnetic disk, optical disk, or the like; and a communication unit 519 such as a network card, modem, wireless communication transceiver, or the like. The communication unit 519 allows the electronic device 510 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunications networks.
Processor 511 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of processor 511 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. Processor 511 performs the various methods and processes described above, such as the network security vulnerability detection methods.
In some embodiments, the network security vulnerability detection method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 518. In some embodiments, some or all of the computer program may be loaded and/or installed onto the electronic device 510 via the ROM 512 and/or the communication unit 519. When the computer program is loaded into RAM 513 and executed by processor 511, it may perform one or more of the steps of the network security vulnerability detection method described above. Alternatively, in other embodiments, processor 511 may be configured to perform the network security vulnerability detection method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present application may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this application, a computer readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user may provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data processing server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solution of the present application can be achieved, and the present invention is not limited thereto.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A method for detecting network security vulnerabilities, the method comprising:
generating, for a data sending device, a network access request for a target network based on device identification information of the data sending device;
controlling the data sending device to request encrypted configuration data from the target network based on the network access request; wherein the encrypted configuration data is captured from the target network by a data capture device, the encrypted configuration data including the device identification information;
and decrypting the encrypted configuration data by using a preset encryption key, and determining whether the target network has a security vulnerability based on a decryption processing result and the device identification information.
2. The method of claim 1, wherein the determining whether the target network has a security vulnerability based on the decryption processing result and the device identification information comprises:
matching the decryption processing result with the device identification information to obtain a matching result;
and if the matching result is successful, determining that the target network has an encryption vulnerability.
3. The method of claim 1, wherein controlling the data sending device to request encrypted configuration data from the target network based on the network access request comprises:
controlling the data sending device to send the network access request to the target network, so that a target gateway device in the target network feeds back network access response data;
controlling the data capture device to capture the network access response data, and determining the time sequence information of the network access response data as a reference time sequence;
and generating time sequence response data based on the reference time sequence, and controlling the data sending device to feed back the time sequence response data to the target network so that the target network feeds back the encrypted configuration data.
4. The method of claim 1, wherein before generating the network access request for the target network for the data sending device based on the device identification information of the data sending device, the method further comprises:
based on a data capturing thread, controlling the data capture device to monitor communication data in a network to be detected until the data capture device captures any communication data;
controlling the data sending device to request communication configuration data from the network to be detected based on a data sending thread;
controlling the data capture device to capture the communication configuration data from the network to be detected based on the data capturing thread;
and determining the target network in the network to be detected based on the device distribution network identification in the communication configuration data.
5. The method of claim 4, wherein controlling the data capture device to listen for communication data in the network to be detected based on a data capture thread comprises:
acquiring a channel scanning mode;
determining a channel to be scanned in the candidate channels corresponding to the network to be detected according to the channel scanning mode;
and controlling the data capture device to monitor the communication data in the channel to be scanned based on the data capturing thread.
6. The method according to claim 5, wherein the determining, according to the channel scanning mode, a channel to be scanned among the candidate channels corresponding to the network to be detected comprises:
if the channel scanning mode is to scan a specified channel, determining a specified channel identifier, and determining the channel to be scanned in the candidate channels according to the specified channel identifier;
and if the channel scanning mode is to scan all channels, determining a channel scanning sequence, and sequentially using the candidate channels as the channels to be scanned according to the channel scanning sequence.
7. The method according to any one of claims 1-6, further comprising:
in the case that the target network has an encryption vulnerability, decrypting the encrypted configuration data by using the preset encryption key to obtain a general encryption key;
decrypting the communication data captured by the data capture device in the target network by using the general encryption key to determine the type of the communication data;
in the case that the communication data type is terminal control data, changing the terminal control data to obtain control change data;
sending the control change data to the target network through the data sending device so that a target terminal device in the target network feeds back control response data for the control change data;
and determining whether the target network has a control vulnerability based on the control response data.
8. An apparatus for detecting a network security vulnerability, the apparatus comprising:
a network access request generating module, configured to generate, for a data sending device, a network access request for a target network based on device identification information of the data sending device;
an encrypted configuration data request module, configured to control the data sending device to request encrypted configuration data from the target network based on the network access request; wherein the encrypted configuration data is captured from the target network by a data capture device, the encrypted configuration data including the device identification information;
and a security vulnerability determining module, configured to decrypt the encrypted configuration data by using a preset encryption key and determine whether the target network has a security vulnerability based on a decryption processing result and the device identification information.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the network security vulnerability detection method according to any of claims 1-7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the network security vulnerability detection method of any of claims 1-7 when executing the computer program.
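The decrypt-and-match check of claims 1 and 2, written as an audit routine over an already captured frame. This is an added example, not code from the patent or its applicant: the frame layout, the stand-in cipher (the page names none), the sample keys and every function name are assumptions, and it generalizes the single preset key of claim 1 to a list of candidate preset keys.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed frame layout (assumption): nonce || E(device_id || network_key)
NONCE_LEN, ID_LEN = 8, 8


def stand_in_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream; a stand-in, the page names no cipher.
    Encryption and decryption are the same operation."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Finding:
    encryption_vulnerability: bool
    preset_key_label: Optional[str] = None
    exposed_key_fingerprint: Optional[str] = None  # hash only, never the key itself


def audit_config_frame(frame: bytes, device_id: bytes,
                       preset_keys: Mapping[str, bytes]) -> Finding:
    """Decrypt a captured configuration frame with each preset key and match the
    result against the requesting device's own identifier (claims 1 and 2)."""
    if len(device_id) != ID_LEN:
        raise ValueError("device_id must be %d bytes" % ID_LEN)
    if len(frame) <= NONCE_LEN + ID_LEN:
        raise ValueError("frame too short to hold nonce, device id and payload")
    nonce, ciphertext = frame[:NONCE_LEN], frame[NONCE_LEN:]
    for label, key in preset_keys.items():
        plaintext = stand_in_cipher(key, nonce, ciphertext)
        # A wrong key yields pseudo-random bytes, so an 8-byte identifier match
        # happens by chance with probability about 2**-64.
        if hmac.compare_digest(plaintext[:ID_LEN], device_id):
            fingerprint = hashlib.sha256(plaintext[ID_LEN:]).hexdigest()[:16]
            return Finding(True, label, fingerprint)
    return Finding(False)


# ---- constructed sample data (not from the page) ----
DEVICE_ID = bytes.fromhex("00112233445566aa")
PRESET_KEYS = {"vendor-default (constructed)": b"PRESET-KEY-0001!"}
NETWORK_KEY = bytes(range(16))


def build_frame(wrapping_key: bytes) -> bytes:
    """Build a test frame the way a gateway is assumed to wrap its configuration data."""
    nonce = b"\x01" * NONCE_LEN
    return nonce + stand_in_cipher(wrapping_key, nonce, DEVICE_ID + NETWORK_KEY)


WEAK_FRAME = build_frame(PRESET_KEYS["vendor-default (constructed)"])
HARDENED_FRAME = build_frame(hashlib.sha256(b"per-device secret (constructed)").digest())

if __name__ == "__main__":
    for name, frame in (("weak", WEAK_FRAME), ("hardened", HARDENED_FRAME)):
        print(name, audit_config_frame(frame, DEVICE_ID, PRESET_KEYS))
```

A positive finding means the configuration exchange is protected only by a key shared across devices; the report carries a fingerprint of the exposed key material rather than the key, so the result can be filed without spreading the secret.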

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210881602.7A CN115001863B (en) 2022-07-26 2022-07-26 Network security vulnerability detection method, device, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN115001863A (en) 2022-09-02
CN115001863B (en) 2022-11-22

Family

ID=83021438

Country Status (1)

Country Link
CN (1) CN115001863B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116170340A (en) * 2023-04-24 2023-05-26 图林科技(深圳)有限公司 Network security test evaluation method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108566656A (en) * 2018-04-13 2018-09-21 上海连尚网络科技有限公司 A kind of method and apparatus for detecting wireless network secure
CN110908357A (en) * 2019-10-23 2020-03-24 深圳开源互联网安全技术有限公司 Security vulnerability detection method and device, storage medium and intelligent device
CN111193699A (en) * 2019-08-23 2020-05-22 腾讯科技(深圳)有限公司 Method and device for detecting security vulnerability of ZigBee device
WO2022100020A1 (en) * 2020-11-16 2022-05-19 华为技术有限公司 Vulnerability testing method and apparatus
WO2022116147A1 (en) * 2020-12-04 2022-06-09 华为技术有限公司 Method and apparatus for detecting bluetooth vulnerability attack

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
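李桂萍 (Li Guiping): "Design and Research of an Adaptive Blocking System for Wi-Fi Wireless Network Signals", 《信息技术》 (Information Technology) *
谢帆 (Xie Fan) et al.: "System Design of Security Middleware Based on Vulnerability Scanning", 《科技信息(科学教研)》 (Science & Technology Information (Science Teaching and Research)) *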

Also Published As

Publication number Publication date
CN115001863B (en) 2022-11-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant