CN117692377B - VPN verification test method, device and equipment for network target range and storage medium - Google Patents


Info

Publication number: CN117692377B
Application number: CN202410130663.9A
Authority: CN (China)
Legal status: Active
Other versions: CN117692377A
Inventors: 向文丽, 贾焰, 韩伟红, 周密
Assignee (original and current): Peng Cheng Laboratory
Classification: Data Exchanges In Wide-Area Networks
Abstract

The invention discloses a VPN verification test method, device, equipment and storage medium for a cyber range (network target range). The method comprises the following steps: obtaining a test configuration file of a VPN client from a test configuration file set, where the VPN client connects to and communicates with a plurality of target systems and/or targets based on the test configuration file, and the test configuration file set comprises a plurality of test configuration files to be tested; testing the test configuration file with the VPN client to obtain a target configuration file, the target configuration file being a test configuration file that passes the test; and sending the target configuration file to a target account. In the embodiment of the invention, test configuration files can be acquired automatically and the VPN verification test carried out on them, which saves test cost and effectively improves test efficiency.

Description

VPN verification test method, device and equipment for network target range and storage medium
Technical Field
The present invention relates to the field of network communications technologies, and in particular to a method, an apparatus, a device and a storage medium for VPN verification testing in a cyber range.
Background
At present, cyber ranges (network target ranges) at home and abroad are used to simulate the running states and running environments of network architectures, system equipment and business processes in real cyberspace. A cyber range serves as an important verification and test platform for attack-and-defense exercises and for network risk assessment; by building a VPN server inside the cyber range, external users outside the range can connect to that VPN server through a VPN client and carry out study and research related to network security, network security events and the like.
As the scale of the various application scenarios grows, more and more VPN clients are used to connect to the cyber range, and before formal use the connectivity between each VPN client and the VPN server needs to be tested and verified. In the prior art, a tester generally tests and verifies the configuration file of each VPN client manually and distributes the VPN configuration files that work normally after verification to external users. When the number of VPN clients connected to the cyber range is large, however, testing requires considerable time and labor, and test efficiency is low.
Disclosure of Invention
The main purpose of the present application is to provide a VPN verification test method, device, equipment and storage medium for a cyber range, in order to solve the technical problem of the high cost and low efficiency of manual VPN verification in the prior art.
To achieve the above object, a first aspect of an embodiment of the present application provides a VPN verification test method for a cyber range, including:
obtaining a test configuration file of a VPN client from a test configuration file set, where the VPN client connects to and communicates with a plurality of target systems and/or targets based on the test configuration file, and the test configuration file set comprises a plurality of test configuration files to be tested;
testing the test configuration file with the VPN client to obtain a target configuration file, the target configuration file being the test configuration file that passes the test;
and sending the target configuration file to a target account.
In a possible implementation of the present application, testing the test configuration file with the VPN client to obtain a target configuration file includes:
determining, for the VPN client, whether a corresponding test configuration file exists;
when the test configuration file exists, acquiring the test path information of the test configuration file;
configuring the corresponding VPN client according to the test path information and the test configuration file so that the VPN client connects to the plurality of target systems and/or targets;
and testing the communication connection between the VPN client and the target systems and/or targets to obtain the target configuration file.
In a possible embodiment of the present application, configuring the VPN client according to the test path information and the test configuration file so that the VPN client connects to the plurality of target systems and/or targets includes:
generating a VPN connection script according to the test path information and the operating system running the VPN client;
and executing the VPN connection script on that operating system to start the VPN client and dial up according to the test configuration file, so that the VPN client connects to the target systems and/or targets.
In a possible implementation of the present application, the operating system includes a Windows operating system, and executing the VPN connection script on the operating system includes:
constructing a privilege acquisition script for the Windows operating system;
and executing the VPN connection script on the Windows operating system after executing the privilege acquisition script, where the privilege acquisition script is used to obtain administrator privileges on the Windows operating system.
In a possible embodiment of the present application, testing the communication connection between the VPN client and the plurality of target systems and/or targets to obtain the target configuration file includes:
determining whether the plurality of target systems and/or targets are inside the cyber range;
when the target systems and/or targets are inside the cyber range, executing a ping command from the VPN client to acquire test information fed back by the target systems and/or targets;
determining from the test information whether the VPN client has successfully connected to the target systems and/or targets;
when the VPN client has successfully connected to the target systems and/or targets, determining that the test configuration file passes the test, and storing a test result record in a test result file;
and obtaining the target configuration file according to the test result file.
In a possible embodiment of the present application, the method further includes:
when the target systems and/or targets are outside the cyber range, acquiring the egress IP address of the VPN client from the test configuration file;
and executing a ping command from the VPN client according to the egress IP address, and acquiring test information fed back by the target systems and/or targets.
In a possible implementation of the present application, obtaining the egress IP address of the VPN client from the test configuration file includes:
constructing a regular expression according to the test configuration file and generating an egress IP address extraction script;
and executing the egress IP address extraction script to acquire the egress IP address from the test configuration file.
In a possible embodiment of the present application, executing a ping command from the VPN client according to the egress IP address includes:
acquiring the public network IP address of the device running the VPN client;
comparing the egress IP address with the public network IP address;
and executing the ping command from the VPN client according to the egress IP address when the public network IP address is the same as the egress IP address.
In a possible implementation of the present application, obtaining the public network IP address of the device running the VPN client includes:
executing a first command line instruction to acquire public network IP address information of the running device;
constructing a regular expression according to the public network IP address information and generating a public network IP address extraction script;
and executing the public network IP address extraction script to acquire the public network IP address from the public network IP address information.
In a possible embodiment of the present application, the VPN verification test method for the cyber range further includes:
after all test configuration files in the test configuration file set have been tested with the VPN client to obtain a plurality of target configuration files, executing a second command line instruction to close the VPN client and stop the verification test.
In a possible implementation of the present application, sending the target configuration file to the target account includes:
acquiring the mailbox information of the target account and the target path information of the target configuration file;
constructing at least one target mail according to the mailbox information and the target path information, where the target mail includes at least one target configuration file;
and sending the target mail according to the mailbox information so as to deliver the target configuration file to the target account.
To achieve the above object, a second aspect of an embodiment of the present application provides a VPN verification test device for a cyber range, the device including:
an acquisition module, used to obtain a test configuration file of a VPN client from a test configuration file set, where the VPN client connects to and communicates with a plurality of target systems and/or targets based on the test configuration file, and the test configuration file set comprises a plurality of test configuration files to be tested;
a testing module, used to test the test configuration file with the VPN client to obtain a target configuration file, the target configuration file being the test configuration file that passes the test;
and a sending module, used to send the target configuration file to a target account.
To achieve the above object, a third aspect of the embodiments of the present application provides VPN verification test equipment for a cyber range, including a memory, a processor, and a cyber range VPN verification test program stored in the memory and executable on the processor, where the processor executes the program to implement the VPN verification test method for a cyber range according to the first aspect.
To achieve the above object, a fourth aspect of the embodiments of the present application provides a storage medium storing a program for implementing a VPN verification test method for a cyber range, the program being executed by a processor to implement the VPN verification test method for a cyber range described in the first aspect.
To achieve the above object, a fifth aspect of the embodiments of the present application provides a computer program product including a computer program or computer instructions stored in a computer-readable storage medium; a processor of a computer device reads the computer program or instructions from the storage medium and executes them, causing the computer device to execute the VPN verification test method for a cyber range according to the first aspect.
Compared with the low efficiency and accuracy of manual VPN verification testing in the prior art, the VPN verification test method, device, equipment and storage medium for a cyber range obtain the test configuration file of the VPN client from the test configuration file set, where the VPN client connects to and communicates with a plurality of target systems and/or targets based on the test configuration file and the test configuration file set comprises a plurality of test configuration files to be tested; then test the test configuration file with the VPN client to obtain a target configuration file, the target configuration file being the test configuration file that passes the test; and then send the target configuration file to the target account. Test configuration files can therefore be acquired automatically and the VPN verification test carried out, which saves test cost and effectively improves test efficiency.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a flowchart of a VPN verification test method for a cyber range according to an embodiment of the present application;
Fig. 2 is a detailed flowchart of step S200 in Fig. 1;
Fig. 3 is a detailed flowchart of step S230 in Fig. 2;
Fig. 4 is a detailed flowchart of step S240 in Fig. 2;
Fig. 5 is a detailed flowchart of step S300 in Fig. 1;
Fig. 6 is a schematic diagram of a VPN verification test device for a cyber range according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of the hardware operating environment of the device used in an embodiment of the VPN verification test method for a cyber range.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
It should be noted that, in this document, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element; furthermore, elements having the same name in different embodiments of the application may have the same meaning or different meanings, the particular meaning being determined by its interpretation in the particular embodiment or by the context of that embodiment.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly second information may also be referred to as first information, without departing from the scope herein. The word "if" as used herein may be interpreted as "at …" or "when …" or "in response to a determination", depending on the context. Furthermore, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context indicates otherwise. It will be further understood that the terms "comprises", "comprising", "includes" and/or "including" specify the presence of stated features, steps, operations, elements, components, items, categories and/or groups, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, items, categories and/or groups. The terms "or", "and/or", "including at least one of" and the like, as used herein, may be construed as inclusive, or as meaning any one or any combination. For example, "including at least one of A, B, C" means "any one of the following: A; B; C; A and B; A and C; B and C; A and B and C"; likewise, "A, B or C" or "A, B and/or C" means "any of the following: A; B; C; A and B; A and C; B and C; A and B and C". An exception to this definition occurs only when a combination of elements, functions, steps or operations is in some way inherently mutually exclusive.
It should be understood that, although the steps in the flowcharts of the embodiments of the present application are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the order of the steps is not strictly limited and they may be performed in other orders. Moreover, at least some of the steps in the figures may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and their order of execution is not necessarily sequential: they may be performed alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
The word "if", as used herein, may be interpreted as "at …" or "when …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrase "if determined" or "if (stated condition or event) is detected" may be interpreted as "when determined" or "in response to determination" or "when (stated condition or event) is detected" or "in response to detection of (stated condition or event)", depending on the context.
It should be noted that step numbers such as S100 and S200 are used in this document only to describe the corresponding content more clearly and concisely, and do not constitute a substantive limitation on the sequence; those skilled in the art may, when implementing the present application, execute S200 first and then S100, which remains within the scope of protection of the present application.
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
In the following description, suffixes such as "module", "part" or "unit" for representing elements are used only for facilitating the description of the present application, and have no specific meaning per se. Thus, "module," "component," or "unit" may be used in combination.
In order to make the above objects, features and advantages of the present invention more comprehensible, the following description of the embodiments accompanied with the accompanying drawings will be given in detail. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Currently, as the application scenarios in cyber ranges grow in scale, more and more VPN clients are used to connect to the cyber range, and before formal use the connectivity between each VPN client and the VPN server needs to be tested and verified. In the prior art, a tester generally tests and verifies the configuration file of each VPN client manually and distributes the VPN configuration files that work normally after verification to external users; when the number of VPN clients connected to the cyber range is large, however, testing requires considerable time and labor, and efficiency is low.
It can be understood that cyber ranges include online network attack-and-defense learning environments, network security event platforms, and network security technology evaluation and research platforms. There are, however, large differences among the products that may be called cyber ranges: in the scale they support, the complexity of the simulated environment, the application scenarios across industries, the degree to which the range reproduces reality (i.e. the degree of simulation), and so on. The real purpose of a cyber range is to provide a training ground for realistic confrontation. Its advantages are that resources can be reused, the damage done to targets can be controlled, range exercise data can be monitored and evaluated, and vulnerabilities can be discovered, repaired and hardened without affecting the real environment, improving performance and security.
By way of example, a cyber range typically includes five roles: yellow, white, red, blue and green. The function of each role is as follows:
(1) The yellow team plays the "director" role and directs the whole range test; it participates in designing the test, starting, stopping and recovering it, and checking the progress, state and detailed course of the test.
(2) The white team plays the "management" role of the cyber range platform; it is responsible for preparation before the test starts and for routine handling while it runs, builds the target network and simulates the network environment before the test, and is responsible for system operation and maintenance during the test.
(3) The red team plays the "attacking" role, the opposing actor of the range test; it stands against the blue team and launches attacks on the blue team in the attack-and-defense exercise.
(4) The blue team plays the "defending" role, the proponent actor of the range test; it stands against the red team and resists the red team's attacks in the attack-and-defense exercise.
(5) The green team plays the "monitoring" role, the observer of the range test: it monitors every move of the red and blue teams during the exercise and tracks what each side is currently doing; when a red-team attack or a blue-team defense succeeds, it analyzes and reconstructs the successful process and studies the attack techniques and defense methods; it monitors the red team for illegal operations, evaluates the test or test segment quantitatively and qualitatively, and analyzes the attack and defense mechanisms of the test.
It will be appreciated that an external user may not be able to use the cyber range directly; the external user may need to log on to a virtual private network (VPN) and connect to the cyber range through a VPN tunnel. For example, an OpenVPN tunnel service may be enabled, and the external user connects from outside the range to an OpenVPN server inside the cyber range via an OpenVPN client.
To solve the above problems, an embodiment of the present application provides a VPN verification test method for a cyber range. Referring to fig. 1, which is a schematic flowchart of the method according to an embodiment of the present application, the method includes, but is not limited to, steps S100 to S300:
Step S100, obtaining a test configuration file of the VPN client from a test configuration file set, where the VPN client connects to and communicates with a plurality of target systems and/or targets based on the test configuration file, and the test configuration file set comprises a plurality of test configuration files to be tested.
In some embodiments, the test configuration files used to configure the VPN client are obtained from a test configuration file set, and each may be configured and tested in detail to ensure that the client communicates with multiple target systems and/or targets of the cyber range.
It should be noted that the test configuration file contains the certificate, key file and related content needed to configure the VPN client to establish the VPN tunnel. In an embodiment the VPN client may be an OpenVPN client, which is configured through the test configuration file to connect to an OpenVPN server in the cyber range so that the stability of the connection can be tested. Further, the file name of a test configuration file can be set arbitrarily as long as the extension is .ovpn, for example xxxx.ovpn, and the test configuration files in the set can be numbered in sequence, for example 1xxxx.ovpn, 2xxxx.ovpn, 3xxxx.ovpn and so on, so that records can be stored and looked up after the test.
Step S200, testing the test configuration file with the VPN client to obtain a target configuration file, the target configuration file being the test configuration file that passes the test.
In some embodiments, the test configuration file is tested with the VPN client to obtain a target configuration file: the test configuration file can be loaded into the VPN client automatically for testing, so that the test configuration files that let the VPN client connect and communicate normally are screened out of the test configuration file set and stored in a target configuration file set, yielding the corresponding target configuration files, which can then be used for the actual deployment and use of the VPN client. Furthermore, when a plurality of test configuration files are obtained at once, they can be tested in batch and a plurality of target configuration files screened out for distribution to a plurality of external users.
Step S300, sending the target configuration file to a target account.
In some embodiments, after the target configuration file is obtained, it may be sent to a target account, which may be the account of an external user or of an administrator of the VPN client, so that the VPN client can be configured normally from the target configuration file and connect to the VPN servers of the various cyber range applications.
It should be noted that a suitable delivery method may be chosen for sending the target configuration file to the target account, for example email, cloud storage or an instant messaging tool, so that the external user or administrator using the VPN client receives accurate configuration information, improving the testing efficiency and accuracy of the VPN client.
According to the technical scheme, the test configuration files of the VPN client are obtained from the test configuration file set, where the VPN client connects to and communicates with a plurality of target systems and/or targets based on the test configuration files and the test configuration file set comprises a plurality of test configuration files to be tested; then the test configuration file is tested with the VPN client to obtain a target configuration file, the target configuration file being a test configuration file that passes the test; and then the target configuration file is sent to the target account. Test configuration files can therefore be acquired automatically and the VPN verification test carried out, saving test cost and effectively improving test efficiency.
Referring to fig. 2, which further illustrates step S200 in fig. 1, step S200 includes, but is not limited to, steps S210 to S240.
Step S210, determining, for the VPN client, whether a corresponding test configuration file exists.
Step S220, when the test configuration file exists, obtaining the test path information of the test configuration file.
Step S230, configuring the corresponding VPN client according to the test path information and the test configuration file so that the VPN client connects to a plurality of target systems and/or targets.
Step S240, testing the communication connection between the VPN client and the plurality of target systems and/or targets to obtain the target configuration file.
In steps S210 to S240 of some embodiments, before the VPN verification test is performed, the type of VPN client, for example OpenVPN, PPTP or L2TP, needs to be determined first. Each type of client generally corresponds to a different configuration file format, and all test configuration files can be read by traversal so that the test configuration files matching that client are obtained.
Further, according to the type of VPN client, a corresponding directory structure is created to store the test configuration files. For example, for an OpenVPN client a directory named "OpenVPN" may be created, and a naming rule (for example date, time, version number) formulated for each test configuration file to facilitate identification and management. In one embodiment a file checking mechanism may be invoked to search for the test configuration files of the VPN client, for example by the file extension .ovpn; if a matching configuration file is found, the check returns "exists", otherwise it returns "does not exist".
It can be understood that when a test configuration file corresponding to the VPN client is determined to exist, its test path information is obtained and recorded. The test path information identifies the directory in which the test configuration file is located, so that the file can be loaded by path to configure the corresponding VPN client, the VPN client connects to a plurality of target systems and/or targets in the cyber range, and the communication connection of the VPN client is then tested to obtain the target configuration file. In this way a plurality of test configuration files can be verified and tested automatically, saving test cost.
In an embodiment, if no test configuration file corresponding to the VPN client exists or no matching test configuration file is found, the test of that test configuration file is abandoned and testing continues with the next test configuration file, improving the efficiency of the VPN verification test.
Referring to fig. 3, fig. 3 is a further illustration of step S230 in fig. 2, step S230 including, but not limited to, steps S2310 through S2320.
Step S2310, generating VPN connection script according to the test path information and the operating system of the running VPN client.
Step S2320, executing VPN connection script based on the operation system to start the VPN client and dial up according to the test configuration file, so that the VPN client is connected with a plurality of target systems and/or targets.
In steps S2310 to S2320 of some embodiments, after determining the test configuration file of the VPN client, it is required to obtain the test path information of the VPN client, which may include, for example, the name, the location and the content of the test configuration file, and then write and generate a corresponding VPN connection script according to the type (such as Windows, Linux, macOS) of the operating system running the VPN client. Specifically, the VPN connection script includes operations such as starting the VPN client and dialing the connection, and at the same time reads parameters in the test configuration file, such as the server address, user name, password, etc. of the target system and/or target. By automatically generating and executing the VPN connection script, manual intervention can be reduced, so that the possibility of incorrect operation is reduced, and the efficiency and accuracy of the VPN verification test operation are improved.
It will be appreciated that testing and verification is required after the VPN connection script is generated to ensure that the script is able to properly perform VPN connection operations and to successfully connect to the target system and/or target. Specifically, based on a script execution mechanism provided by the operating system, a VPN connection script is executed to start a VPN client and perform dialing operation according to a server address, a user name, a password, etc. of a target system and/or a target in a test configuration file, so that the VPN client is connected with a plurality of target systems and/or targets. After the VPN client is successfully connected, it may be automatically or manually connected to multiple target systems and/or targets of the network target according to parameter settings in the test configuration file.
In some embodiments, the operating system in steps S2310 to S2320 includes a Windows operating system, and step S2320 further includes: constructing a permission acquisition script based on the Windows operating system; executing the VPN connection script based on the Windows operating system after executing the permission acquisition script, wherein the permission acquisition script is used for acquiring the administrator permission of the Windows operating system. It can be understood that the permission acquisition script may be a VBS script invoked through the command line call function of a programming language (such as Python, C# and the like) on the Windows operating system. Before executing the CMD command that opens the VPN client process, the permission acquisition script is constructed and executed so as to acquire the administrator permission of the Windows operating system and authorize the running of the batch file; the programming language may then capture the output of the CMD command and determine from that output whether the dialing operation of the VPN client succeeded.
It should be noted that the script execution mechanisms provided by different operating systems differ: for example, Windows can call the VPN client process and dial the connection through a batch file, while Linux can execute a Shell script to call the VPN client process and dial the connection. In this way, compatibility of the multi-platform VPN verification test can be achieved, and the requirements of different users are met. In an embodiment, if the operating system running the VPN client is a Linux operating system, a Shell script may be created to call the VPN client process, and the Shell script is called by using a programming language to execute the VPN client dialing operation.
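The following added example (not the patent's own code) walks steps S210 to S230 as described above: it traverses a per-client-type directory for matching test configuration files, records their test path information, and generates the connection script for the operating system running the client. The client-to-extension mapping, the use of the OpenVPN command-line binary (`openvpn --config`) and the VBScript "runas" elevation script are assumptions, not taken from the patent.

```python
"""Steps S210-S230: locate test configuration files and build the per-OS
VPN connection script.  Added example; directory layout <root>/<client type>/,
the extension mapping, and the openvpn/VBScript commands are assumptions."""
import os
import pathlib
import platform
import tempfile
import textwrap
from dataclasses import dataclass

# Constructed mapping: file extensions that count as a test configuration
# file for each client type (the patent itself only names .ovpn for OpenVPN).
CLIENT_EXTENSIONS = {
    "OpenVPN": (".ovpn", ".conf"),
    "L2TP": (".ini",),
    "PPTP": (".ini",),
}


@dataclass(frozen=True)
class TestPathInfo:
    """The 'test path information' recorded in step S220."""
    client_type: str
    directory: str
    name: str

    @property
    def path(self) -> str:
        return os.path.join(self.directory, self.name)


def find_test_configs(root, client_type):
    """Steps S210/S220: traverse <root>/<client_type> and return path info
    for every file whose extension matches the client type.  An empty list
    means 'does not exist'; the caller then moves on to the next file."""
    exts = CLIENT_EXTENSIONS.get(client_type)
    if exts is None:
        raise ValueError(f"unknown VPN client type: {client_type}")
    client_dir = pathlib.Path(root) / client_type
    if not client_dir.is_dir():
        return []
    return [TestPathInfo(client_type, str(p.parent), p.name)
            for p in sorted(client_dir.rglob("*"))
            if p.is_file() and p.suffix.lower() in exts]


def build_connection_script(info, os_name=None):
    """Step S2310: generate the connection script for the operating system
    running the client.  Returns (script file name, script text)."""
    os_name = (os_name or platform.system()).lower()
    cfg = info.path
    if os_name == "windows":
        # Batch file: start the client and dial with the configuration under
        # test.  Elevation is handled by build_elevation_script() below.
        text = textwrap.dedent(f"""\
            @echo off
            rem Dial using the test configuration file under test
            openvpn --config "{cfg}" --log "{cfg}.log"
            exit /b %ERRORLEVEL%
            """)
        return "connect.bat", text
    if os_name in ("linux", "darwin"):
        text = textwrap.dedent(f"""\
            #!/bin/sh
            # Dial using the test configuration file under test
            exec openvpn --config '{cfg}' --log '{cfg}.log'
            """)
        return "connect.sh", text
    raise ValueError(f"unsupported operating system: {os_name}")


def build_elevation_script(batch_path):
    """Windows-only permission acquisition script (assumed implementation):
    VBScript asking the shell to run the batch file with the 'runas' verb,
    which raises the UAC prompt for administrator permission."""
    return textwrap.dedent(f'''\
        Set app = CreateObject("Shell.Application")
        app.ShellExecute "cmd.exe", "/c ""{batch_path}""", "", "runas", 1
        ''')


def build_sample_layout(root=None):
    """Constructed sample tree: one matching .ovpn file plus a stray .txt."""
    root = root or tempfile.mkdtemp()
    d = pathlib.Path(root) / "OpenVPN"
    d.mkdir(parents=True, exist_ok=True)
    (d / "range-2024-01-31.ovpn").write_text("client\ndev tun\n")  # constructed
    (d / "notes.txt").write_text("not a configuration file\n")
    return root


if __name__ == "__main__":
    for info in find_test_configs(build_sample_layout(), "OpenVPN"):
        name, text = build_connection_script(info, "linux")
        print(name, "\n", text)
```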
Referring to fig. 4, fig. 4 is a further illustration of step S240 in fig. 2, step S240 including, but not limited to, steps S2410 through S2450.
Step S2410, determining whether a plurality of target systems and/or targets are within a target range.
In step S2420, when the multiple target systems and/or targets are inside the target range, the ping command is executed based on the VPN client, so as to obtain the test information fed back by the multiple target systems and/or targets.
Step S2430, judging whether the VPN client is successfully connected with a plurality of target systems and/or targets according to the test information.
Step S2440, when the VPN client is successfully connected with a plurality of target systems and/or targets, determining that the test configuration file passes the test, and storing the test result record in the test result file.
Step S2450, obtaining the target configuration file according to the test result file.
In steps S2410 to S2450 of some embodiments, a verification test may be performed on VPNs for different network range application scenarios, and the specific application scenario may be determined by judging whether the multiple target systems and/or targets are within a target range, where the target range may be a network range containing multiple target systems and/or targets. Specifically, in CTF events and red-blue confrontation exercises, the target range is a closed network environment that simulates a real network attack and defense scenario, and a competitor or an external user accesses the target systems and/or targets inside the target range through a VPN client, for example an OpenVPN client. Before enabling access, a ping command is first executed based on the VPN client to acquire the test information fed back by the target systems and/or targets: the VPN client sends ICMP echo requests to the target systems and/or targets, and if they are active and inside the target range, they respond to the echo requests and return response information as the test information, which may include response time, packet loss rate and the like. Further, whether the VPN client is successfully connected with the target systems and/or targets is judged according to the test information; specifically, the verification can be performed by checking whether the response time is normal, whether packet loss occurs, and the like.
After the VPN client is successfully connected with a plurality of target systems and/or targets, the test configuration file can be determined to pass the test, and the test result is stored in the test result file, so that the target configuration file is obtained according to the test result file; that is, the test configuration file passing the test is determined to be the target configuration file. Ping is itself a communication protocol and is part of the TCP/IP (Transmission Control Protocol/Internet Protocol, also known as the network communication protocol) protocol suite. The ping command can be used for checking whether the network is connected, so it can well assist VPN fault analysis and judgment.
In one embodiment, when a plurality of target systems and/or targets are within a target range, a ping command is performed on the VPN client to test whether a connection is successfully established with the target systems and/or targets within the target range through the VPN client. In another embodiment, by recording the result of executing the ping command based on the VPN client, a reference basis may be provided for further VPN diagnosis and analysis, and the efficiency of VPN verification test may be improved.
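As an added example (not the patent's code), the block below implements the test-information handling of steps S2420 to S2450: it parses ping output for packet loss and average response time, judges whether the client reached every target, writes the test result file, and derives the target configuration files from it. The ping outputs are constructed samples in the Linux iputils format; the loss and response-time thresholds are assumptions, and `run_ping` is the only function that touches the network.

```python
"""Steps S2420-S2450: judge VPN connectivity from ping test information and
keep a test result file.  Added example; sample outputs are constructed."""
import json
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass, asdict
from typing import Optional

LOSS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received,.*?([\d.]+)% packet loss")
RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")


@dataclass
class PingResult:
    """Test information fed back by one target system and/or target."""
    target: str
    transmitted: int
    received: int
    loss_pct: float
    avg_rtt_ms: Optional[float]   # None when no echo reply came back


def parse_ping_output(target, output):
    """Extract packet loss and average response time from iputils ping output."""
    m = LOSS_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised ping output for {target}")
    tx, rx, loss = int(m.group(1)), int(m.group(2)), float(m.group(3))
    r = RTT_RE.search(output)
    return PingResult(target, tx, rx, loss, float(r.group(2)) if r else None)


def run_ping(target, count=4, timeout_s=2):
    """Step S2420: execute the ping command on the client machine (Linux flags)."""
    proc = subprocess.run(["ping", "-c", str(count), "-W", str(timeout_s), target],
                          capture_output=True, text=True)
    return parse_ping_output(target, proc.stdout)


def connection_ok(result, max_loss_pct=0.0, max_avg_rtt_ms=500.0):
    """Step S2430: a target counts as reached only if replies came back,
    loss is within the threshold and the average response time is normal."""
    return (result.received > 0 and result.loss_pct <= max_loss_pct
            and result.avg_rtt_ms is not None and result.avg_rtt_ms <= max_avg_rtt_ms)


def evaluate_config(config_path, results, **thresholds):
    """Step S2440: the test configuration file passes only when every target
    system and/or target was reached through the VPN client."""
    return {"config": config_path,
            "passed": all(connection_ok(r, **thresholds) for r in results),
            "targets": [asdict(r) for r in results]}


def write_result_file(records, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(records, fh, indent=2)


def target_configs_from_result_file(path):
    """Step S2450: target configuration files are the ones that passed."""
    with open(path, encoding="utf-8") as fh:
        return [r["config"] for r in json.load(fh) if r["passed"]]


# Constructed sample ping outputs (RFC 5737 documentation addresses).
SAMPLE_OK = """PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=63 time=12.1 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=63 time=11.8 ms

--- 192.0.2.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 11.800/11.950/12.100/0.150 ms
"""
SAMPLE_DOWN = """PING 192.0.2.20 (192.0.2.20) 56(84) bytes of data.

--- 192.0.2.20 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1020ms
"""


def demo(result_path=None):
    """Evaluate two constructed test configuration files and round-trip the
    result file; returns the list of target configuration files."""
    result_path = result_path or os.path.join(tempfile.mkdtemp(), "results.json")
    good = evaluate_config("OpenVPN/range-a.ovpn",
                           [parse_ping_output("192.0.2.10", SAMPLE_OK)])
    mixed = evaluate_config("OpenVPN/range-b.ovpn",
                            [parse_ping_output("192.0.2.10", SAMPLE_OK),
                             parse_ping_output("192.0.2.20", SAMPLE_DOWN)])
    write_result_file([good, mixed], result_path)
    return target_configs_from_result_file(result_path)


if __name__ == "__main__":
    print(demo())
```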
In some embodiments, step S240 further includes steps S2421 to S2422:
In step S2421, when the plurality of target systems and/or targets are outside the target range, the egress IP address of the VPN client is obtained from the test configuration file.
Step S2422, according to the exit IP address and based on the VPN client, executing the ping command, the test information fed back by the multiple target systems and/or targets is obtained.
In steps S2421 to S2422 of some embodiments, when a user needs to perform network security protection, perform evaluation and test on performance, security, reliability, and the like of a network system or an application program, it is necessary to connect a plurality of target systems and/or targets outside a target range through a VPN client, in this application scenario, first obtain an exit IP address of the VPN client or other relevant configuration information from a test configuration file, where the test configuration file may be a text file, a JSON file, or a file in a specific format, and determine in advance an IP address or a domain name of the target system and/or target outside the target range in the test configuration file, and then establish connection according to the exit IP address and based on the VPN client configuration. Further, after the VPN connection is established successfully, based on the VPN client, a ping command is executed, an ICMP echo request is sent for each target system and/or target, and a response is waited, test information fed back by the response is collected, including response time, packet loss rate and the like, so as to evaluate VPN connectivity and performance, and after the VPN client is determined to be successfully connected with a plurality of target systems and/or targets, the test configuration file can be recorded and saved to obtain the target configuration file.
It should be noted that network targets are often used to simulate various network attack and threat scenarios to assess the security and response capabilities of the system. In this case, the simulated external threat (e.g., malicious website, phishing page, etc.) will be placed outside the network target as an external target system and/or target, which may better simulate the real threat environment.
In some embodiments, in step S2421, obtaining the egress IP address of the VPN client from the test configuration file is implemented by: constructing a regular expression according to the test configuration file, and generating an export IP address extraction script; and executing the export IP address extraction script, and acquiring the export IP address from the test configuration file. It can be appreciated that the matching pattern can be constructed using regular expressions according to the format and structure of the test configuration file, wherein the regular expressions are used for extracting the required information from the test configuration file, and can be adjusted and optimized according to different test configuration file formats, so that the method can adapt to different VPN test environments and requirements. For example, to extract the egress IP address of the VPN client or the domain name of the target system, thereby generating an egress IP address extraction script.
Specifically, matching of regular expressions and extracting the egress IP address may be accomplished using a programming language, such as Python, perl, or JavaScript, to write a script that will read the test profile and extract the egress IP address according to the regular expression. And running the outlet IP address extraction script to read the test configuration file and extract the outlet IP address, wherein the extracted outlet IP address can be stored in a designated position so as to carry out VPN verification test according to the outlet IP address later, and the VPN verification test efficiency and accuracy are improved by automatically constructing a regular expression and generating the outlet IP address extraction script.
In some embodiments, in step S2422, executing the ping command according to the egress IP address and based on the VPN client is accomplished by: acquiring the public network IP address of the running device of the VPN client; comparing the egress IP address with the public network IP address; and, when the public network IP address is the same as the egress IP address, executing the ping command according to the egress IP address and based on the VPN client. It should be noted that the public network IP address of the running device of the VPN client may be acquired using an external IP address query service or a network management tool. After acquiring the public network IP address of the device, it is compared with the egress IP address extracted from the test configuration file in the foregoing embodiment; the purpose of the comparison is to determine whether the public network IP address is the same as the egress IP address in the test configuration file. If they are the same, this indicates that the VPN client has successfully connected to a target system and/or target outside the target range. Further, the ping command is executed according to the egress IP address and based on the VPN client to test the connectivity between the VPN client and the target system and/or target. By automatically comparing the IP addresses and executing the ping command, the time spent on manual intervention and manual configuration can be reduced, and the test efficiency can be improved.
In some embodiments, obtaining the public network IP address of the running device of the VPN client includes:
Executing a first command line instruction to acquire the public network IP address information of the running device; constructing a regular expression according to the public network IP address information, and generating a public network IP address extraction script; executing the public network IP address extraction script, and acquiring the public network IP address from the public network IP address information. It may be appreciated that the public network IP address information of the running device of the VPN client may be obtained by executing the first command line instruction; for example, the first command line instruction may use a curl command to send a request to a specific IP address query service to obtain the public network IP address information of the running device of the VPN client. The curl command is used to send HTTP requests, and the response data can be obtained from the command line interface. Further, according to the format and structure of the public network IP address information, a programming language such as Python, Perl or JavaScript is used to write a public network IP address extraction script that performs the regular expression matching and extraction; the script is executed to read the response of the curl command and extract the public network IP address from the public network IP address information according to the regular expression, so that the efficiency and accuracy of the VPN verification test are improved.
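The added example below (not the patent's code) covers steps S2421 and S2422 together with their sub-steps: a regular expression pulls the egress IP address out of the test configuration file (text or JSON), a second one extracts the public network IP address from the IP query service's response, and the external targets are pinged only when the two match. The configuration formats (`egress_ip <addr>` line, `"egress_ip"` JSON key), the `{"ip": ...}` query response and the service URL are constructed assumptions.

```python
"""Steps S2421/S2422: extract the egress IP from the test configuration file,
obtain the public IP of the client machine, and compare before pinging.
Added example; configuration and query-response formats are assumed."""
import ipaddress
import json
import re
import subprocess

# Dotted-quad candidates; the lookarounds stop a match inside "1.2.3.4.5".
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Assumed text-format key: "egress_ip 203.0.113.7", "egress_ip = ..." or ": ...".
EGRESS_LINE_RE = re.compile(r"^\s*egress_ip\s*[=:]?\s*(\S+)", re.MULTILINE)


def _valid_ipv4(text):
    """Normalise a candidate; rejects octets > 255 and similar regex slips."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        return None


def extract_egress_ip(config_text):
    """Sub-steps of S2421: match the test configuration file (JSON or text).
    Returns None when the file carries no usable egress address."""
    stripped = config_text.lstrip()
    if stripped.startswith("{"):
        try:
            return _valid_ipv4(str(json.loads(stripped).get("egress_ip", "")))
        except json.JSONDecodeError:
            return None
    m = EGRESS_LINE_RE.search(config_text)
    return _valid_ipv4(m.group(1)) if m else None


def extract_public_ip(query_response):
    """Sub-steps of S2422: regex-extract the public IP from whatever the
    query service returned, JSON or plain text."""
    m = IPV4_RE.search(query_response)
    return _valid_ipv4(m.group(0)) if m else None


def query_public_ip(service_url):
    """First command line instruction: curl the IP query service.  Network
    call; not exercised by the offline test."""
    proc = subprocess.run(["curl", "-s", "--max-time", "5", service_url],
                          capture_output=True, text=True, check=True)
    return extract_public_ip(proc.stdout)


def should_ping_external_targets(config_text, query_response):
    """Decide whether the tunnel is up: ping only when the observed public IP
    equals the egress IP in the configuration.  Returns (decision, reason)."""
    egress = extract_egress_ip(config_text)
    public = extract_public_ip(query_response)
    if egress is None:
        return False, "no egress IP address in test configuration file"
    if public is None:
        return False, "public IP query returned no address"
    if egress != public:
        return False, f"public IP {public} differs from egress IP {egress}"
    return True, "tunnel active; execute ping against external targets"


# Constructed samples (RFC 5737 documentation addresses).
SAMPLE_TEXT_CONFIG = """# test configuration file, external-target scenario
remote vpn-gw.example.test 1194
egress_ip 203.0.113.7
target 198.51.100.5
"""
SAMPLE_JSON_CONFIG = '{"egress_ip": "203.0.113.7", "targets": ["198.51.100.5"]}'
SAMPLE_QUERY_ACTIVE = '{"ip": "203.0.113.7"}'
SAMPLE_QUERY_INACTIVE = "192.0.2.44\n"

if __name__ == "__main__":
    print(should_ping_external_targets(SAMPLE_TEXT_CONFIG, SAMPLE_QUERY_ACTIVE))
    print(should_ping_external_targets(SAMPLE_TEXT_CONFIG, SAMPLE_QUERY_INACTIVE))
```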
In some embodiments, after all the test profiles of the test profile set are tested according to the VPN client to obtain a plurality of target profiles, the second command line is executed to instruct the VPN client to close and stop the verification test. It will be appreciated that each test profile is applied to a VPN client that configures the target system or target, and that each test profile of the collection of test profiles contains relevant information about the target system or target, such as IP addresses, port numbers, etc. After the network connectivity check, the data transmission verification and other tests are completed on each test configuration file in the test configuration file set, the corresponding target configuration files are extracted from the test results, and the target configuration files contain the information of the test configuration files which are successfully connected and verified. Further, when the target configuration file is obtained, the VPN client is closed by executing a second command line instruction, where the second command line instruction may be to terminate the VPN client process or execute a corresponding closing command to stop the VPN verification test, and after the test is completed, the VPN client is closed, so that security of network resources can be ensured.
Referring to fig. 5, fig. 5 is a further illustration of step S300 of fig. 1, step S300 including, but not limited to, steps S310 to S330.
Step S310, acquiring mailbox information of a target account and target path information of a target configuration file.
Step S320, at least one target mail is constructed according to the mailbox information and the target path information, wherein the target mail comprises at least one target configuration file.
Step S330, a target mail is sent based on the mailbox information to send a target configuration file to the target account.
In steps S310 to S330 of some embodiments, the mailbox information of the target account may be obtained from a user input, a database, or other data source, and the mailbox information may include a mailbox address of the target account and possibly mailbox server information. Meanwhile, target path information of the target configuration file is required to be acquired, wherein the target path information comprises a file path, a file name, a file format and the like of the target configuration file, at least one target mail can be constructed according to the mailbox information and the target path information, and each target mail comprises one or more target configuration files as attachments. Further, when the mail is constructed, other relevant information such as a theme, text content and the like can be added according to the requirement, so that an external user can accurately receive the target configuration file to complete the configuration of the VPN client. When the target mail construction is completed, the target mail containing the target configuration file as an attachment is sent to the target account number by using the email client or service based on the mailbox information. In an embodiment, the target account may be an account of an external user connected to the network target range application by using the VPN client, and after acquiring the mailbox authorization code, the account is sent to the designated target account, and by automatically constructing and using an email to send the target configuration file, the security and reliability of VPN configuration file transmission can be ensured, and the test efficiency is improved. Meanwhile, the encryption and mailbox authentication mechanisms are used to further enhance the security of the data.
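As an added example (not the patent's own code), the block below builds the target mail of steps S310 to S330: each target configuration file is attached to one message addressed to the target account's mailbox, and submission uses an authenticated, certificate-verified TLS session with the mailbox authorization code. Mailbox addresses, SMTP host and the attached configuration contents are constructed placeholders; `send_target_mail` is not called by the offline demo.

```python
"""Steps S310-S330: construct the target mail carrying the target
configuration files and submit it over authenticated TLS.
Added example; addresses, server and credentials are placeholders."""
import mimetypes
import os
import smtplib
import ssl
import tempfile
from email.message import EmailMessage


def build_target_mail(sender, mailbox_address, target_paths,
                      subject="VPN target configuration files"):
    """Steps S310/S320: one target mail with every target configuration file
    attached.  open() raises on a missing path, so a bad target path is
    caught before anything is sent."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = mailbox_address
    msg["Subject"] = subject
    names = ", ".join(os.path.basename(p) for p in target_paths)
    msg.set_content(
        "The attached VPN configuration file(s) passed the verification test:\n"
        f"{names}\nImport them into your VPN client to reach the target range.\n")
    for path in target_paths:
        ctype, _ = mimetypes.guess_type(path)
        maintype, subtype = (ctype or "application/octet-stream").split("/", 1)
        with open(path, "rb") as fh:
            msg.add_attachment(fh.read(), maintype=maintype, subtype=subtype,
                               filename=os.path.basename(path))
    return msg


def attachment_names(msg):
    """File names of the target configuration files carried by the mail."""
    return [part.get_filename() for part in msg.iter_attachments()]


def send_target_mail(msg, smtp_host, smtp_port, login, authorization_code):
    """Step S330: submit over implicit TLS with certificate verification and
    log in with the mailbox authorization code.  Not executed offline."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP_SSL(smtp_host, smtp_port, context=ctx) as smtp:
        smtp.login(login, authorization_code)
        smtp.send_message(msg)


def demo():
    """Constructed sample: two passing configuration files in a temp dir,
    turned into one target mail for a placeholder target account."""
    d = tempfile.mkdtemp()
    paths = []
    for name in ("range-a.ovpn", "range-b.ovpn"):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("client\ndev tun\nremote 192.0.2.1 1194\n")  # constructed
        paths.append(p)
    return build_target_mail("range-bot@example.test",
                             "competitor@example.test", paths)


if __name__ == "__main__":
    print(demo())
```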
The embodiment of the application also provides a VPN verification test device of the network target range, as shown in fig. 6, the VPN verification test device comprises: the reading module 10 is configured to obtain a test configuration file of the VPN client from a test configuration file set, where the VPN client communicates with a plurality of target systems and/or target connections based on the test configuration file, and the test configuration file set includes a plurality of test configuration files to be tested;
The testing module 20 is configured to test the testing configuration file according to the VPN client to obtain a target configuration file, where the target configuration file is a testing configuration file passing the test;
And the sending module 30 is configured to send the target configuration file to the target account.
The specific implementation manner of the VPN verification test device for the network target range in the embodiment of the present application is substantially the same as that of each embodiment of the VPN verification test method for the network target range, and will not be described herein.
Referring to fig. 7, fig. 7 is a schematic device structure diagram of a hardware running environment according to an embodiment of the present application.
As shown in fig. 7, the VPN verification test device of the network target may include: a processor 1001, such as a CPU, memory 1005, and a communication bus 1002. Wherein a communication bus 1002 is used to enable connected communication between the processor 1001 and a memory 1005. The memory 1005 may be a high-speed RAM memory or a stable memory (non-volatile memory), such as a disk memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
In some embodiments, the VPN verification test device of the network target range may further include a network interface, an audio circuit, a display, a connection line, a sensor, an input module, and the like, where the network interface may optionally include a standard wired interface or a wireless interface (e.g., a Wi-Fi interface or a Bluetooth interface), and the input module may optionally include a keyboard, a system soft keyboard, voice input, wireless receiving input, and the like.
It will be appreciated by those skilled in the art that the illustrated structure of the VPN verification test device of the network target range does not constitute a limitation of the VPN verification test device of the network target range, which may comprise more or fewer components than shown, or may combine certain components, or may have a different arrangement of components.
A VPN verification test program for the network target range may be included in the memory as a computer storage medium, together with an operating system, a network communication module, and the like. The operating system is a program that manages and controls the hardware and software resources of the VPN verification test device of the network target range, supporting the VPN verification test program of the network target range and the execution of other software and/or programs. The network communication module is used for realizing communication among all components in the memory and communication with other hardware and software in the management system.
In the VPN verification test device of the network target range, the processor is configured to execute a VPN verification test program of the network target range stored in the memory, so as to implement the VPN verification test method of the network target range.
The specific implementation manner of the VPN verification test device of the network target range in the embodiment of the present application is substantially the same as that of each embodiment of the VPN verification test method of the network target range, and will not be described herein.
The embodiment of the application also provides a storage medium, wherein the storage medium is stored with a program for realizing the VPN verification test method of the network target range, and the program for realizing the VPN verification test method of the network target range is executed by a processor to realize the VPN verification test method of the network target range.
The specific implementation manner of the storage medium in the embodiment of the present application is basically the same as each embodiment of the VPN verification test method in the network target range, and will not be described herein.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Discs (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
Some embodiments of the application are described above with reference to the accompanying drawings, which do not limit the scope of the claims. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the present application shall fall within the scope of the appended claims.

Claims (13)

1. A VPN verification test method for a network target range, comprising:
Obtaining a test configuration file of a VPN client from a test configuration file set, wherein the VPN client communicates with a plurality of target systems and/or target connections based on the test configuration file, and the test configuration file set comprises a plurality of test configuration files to be tested;
testing the test configuration file according to the VPN client to obtain a target configuration file, wherein the target configuration file is the test configuration file passing the test;
Sending the target configuration file to a target account;
The sending the target configuration file to the target account includes: acquiring mailbox information of the target account and target path information of the target configuration file;
constructing at least one target mail according to the mailbox information and the target path information, wherein the target mail comprises at least one target configuration file;
and sending the target mail based on the mailbox information so as to send the target configuration file to the target account.
2. The method according to claim 1, wherein the testing the test profile according to the VPN client to obtain a target profile includes:
judging whether the corresponding test configuration file exists or not according to the VPN client;
when the test configuration file exists, acquiring test path information of the test configuration file;
Configuring the corresponding VPN client according to the test path information and the test configuration file so that the VPN client is connected with the target systems and/or targets;
and testing communication connection between the VPN client and the target systems and/or targets to obtain the target configuration file.
3. The method according to claim 2, wherein configuring the respective VPN client according to the test path information and the test configuration file to connect the VPN client to the plurality of target systems and/or targets comprises:
Generating a VPN connection script according to the test path information and an operating system running the VPN client;
executing the VPN connection script based on the operating system to start the VPN client and dial the number according to the test configuration file, so that the VPN client is connected with the target systems and/or targets.
4. The method of claim 3, wherein the operating system comprises a Windows operating system, the executing the VPN connection script based on the operating system comprising:
Constructing a right acquisition script based on the Windows operating system;
And executing the VPN connection script based on the Windows operating system after executing the permission acquisition script, wherein the permission acquisition script is used for acquiring the administrator permission of the Windows operating system.
5. The method of claim 2, wherein the testing the VPN client for communication connection with the plurality of target systems and/or targets results in the target profile, comprising:
determining whether the plurality of target systems and/or targets are inside a target range;
when the target systems and/or targets are in the target range, executing a ping command based on the VPN client to acquire test information fed back by the target systems and/or targets;
judging whether the VPN client is successfully connected with the target systems and/or targets according to the test information;
when the VPN client is successfully connected with the target systems and/or targets, determining that the test configuration file passes the test, and storing a test result record in a test result file;
and obtaining the target configuration file according to the test result file.
6. The method as recited in claim 5, further comprising:
when the target systems and/or targets are outside the target range, acquiring the outlet IP address of the VPN client from the test configuration file;
And according to the exit IP address and based on the VPN client, executing a ping command, and acquiring test information fed back by the target systems and/or targets.
7. The method of claim 6, wherein the obtaining the egress IP address of the VPN client from the test profile comprises:
constructing a regular expression according to the test configuration file, and generating an export IP address extraction script;
And executing the export IP address extraction script, and acquiring the export IP address from the test configuration file.
8. The method of claim 6, wherein said executing a ping command based on said VPN client and according to said egress IP address comprises:
Acquiring a public network IP address of the operation equipment of the VPN client;
Comparing the exit IP address with the public network IP address;
And executing a ping command according to the outlet IP address and based on the VPN client when the public network IP address is the same as the outlet IP address.
9. The method of claim 8, wherein acquiring the public network IP address of the device running the VPN client comprises:
executing a first command line instruction to acquire public network IP address information of the running device;
constructing a regular expression according to the public network IP address information, and generating a public network IP address extraction script;
and executing the public network IP address extraction script to acquire the public network IP address from the public network IP address information.
10. The method as recited in claim 1, further comprising:
after all the test configuration files of the test configuration file set have been tested through the VPN client to obtain a plurality of target configuration files, executing a second command line instruction to close the VPN client and stop the verification test.
11. A VPN verification test apparatus for a network target range, the apparatus comprising:
the VPN client, used for obtaining a test configuration file of the VPN client from a test configuration file set, wherein the VPN client communicates with a plurality of target systems and/or target connections based on the test configuration file, and the test configuration file set comprises a plurality of test configuration files to be tested;
a test module, used for testing the test configuration file through the VPN client to obtain a target configuration file, wherein the target configuration file is a test configuration file that passes the test;
a sending module, configured to send the target configuration file to a target account, wherein sending the target configuration file to the target account comprises: acquiring mailbox information of the target account and target path information of the target configuration file; constructing at least one target mail according to the mailbox information and the target path information, wherein the target mail comprises at least one target configuration file; and sending the target mail based on the mailbox information, so as to send the target configuration file to the target account.
12. A VPN verification test apparatus for a network target range, the apparatus comprising: a memory, a processor, and a VPN verification test program for a network target range stored on the memory and executable on the processor, the processor executing the program to implement the VPN verification test method for a network target range of any one of claims 1 to 10.
13. A storage medium having stored thereon a program for implementing a VPN verification test method for a network target range, the program being executed by a processor to implement the VPN verification test method for a network target range according to any one of claims 1 to 10.
CN202410130663.9A 2024-01-31 2024-01-31 VPN verification test method, device and equipment for network target range and storage medium Active CN117692377B (en)

Publications (2)

Publication Number Publication Date
CN117692377A CN117692377A (en) 2024-03-12
CN117692377B true CN117692377B (en) 2024-05-14


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101640607A (en) * 2009-04-13 2010-02-03 山石网科通信技术(北京)有限公司 Collocation method of virtual private network based on internet security protocol and system therefor
CN108306792A (en) * 2018-04-08 2018-07-20 四川斐讯信息技术有限公司 A kind of method, apparatus, system and the test equipment of test equipment VPN functions
CN109474508A (en) * 2018-12-28 2019-03-15 深信服科技股份有限公司 A kind of VPN network-building method, system, VPN host node device and medium
CN115190042A (en) * 2022-06-16 2022-10-14 南京赛宁信息技术有限公司 Network target range target access state detection system and method
CN116567057A (en) * 2023-04-13 2023-08-08 中国银行股份有限公司 Application configuration method, device, equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10084642B2 (en) * 2015-06-02 2018-09-25 ALTR Solutions, Inc. Automated sensing of network conditions for dynamically provisioning efficient VPN tunnels



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant