CN118138300A - Penetration test method, system, device and storage medium based on request confusion - Google Patents


Publication number
CN118138300A
Authority
CN
China
Prior art keywords
request
penetration test
target
proxy
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410242657.2A
Inventor
鲁辉
彭劲
田志宏
张曼
陈可
梁儒烽
陈俊翰
张浩楠
孙彦斌
苏申
徐光侠
黄迅
郑晨聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou University
Original Assignee
Guangzhou University


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a penetration test method, system, device and storage medium based on request confusion. The method comprises the following steps: acquiring a first penetration test request of a client, performing request confusion on the first penetration test request to obtain a second penetration test request, and sending the second penetration test request to a proxy server; receiving the second penetration test request through the proxy server, and determining a request protocol and a target server according to the second penetration test request; performing traffic snooze on the second penetration test request through the proxy server, and sending a preset invalid data packet to the target server; and determining a target proxy mode through the proxy server according to the request protocol, and forwarding the second penetration test request to the target server according to the target proxy mode. The invention effectively enhances the concealment of the penetration test, reduces the interception effect of security products on the penetration test, ensures that the penetration test proceeds stably, and can be widely applied in the technical field of penetration testing.

Description

Penetration test method, system, device and storage medium based on request confusion
Technical Field
The invention relates to the technical field of penetration testing, and in particular to a penetration test method, system, device and storage medium based on request confusion.
Background
In recent years, with the wide application of network technology in education, finance, medical treatment, security protection and other fields, networks and information systems are applied to various important industry scenes in the forms of artificial intelligence, cloud computing, big data, the internet, intelligent terminals and the like. However, the tight integration of network technology with various fields also carries the risk of network attacks. Since network technology exposes the new infrastructure to the reach of network attackers, its security will face serious challenges. Once these important facilities are paralyzed by attack, there will be a huge loss to the country and people. Therefore, in order to ensure robustness of network infrastructure and services and security of network data, implementation of network software and hardware and protocols should avoid security vulnerabilities as much as possible, which is a basic requirement of network space security.
As the scale of the internet increases and network traffic grows, so does the number of security attacks on new infrastructure, which poses a serious threat to network security. Attacks on known or potential vulnerabilities of critical network facilities can not only seriously damage the interests of individuals and businesses, but can also rise to the level of national security. Therefore, patching security vulnerabilities to defend against network attacks has become an urgent task. As the saying goes, "without knowing the attack, how can one know the defense": security personnel discover possible vulnerabilities of a target by attacking it. This manner of security assessment, known as "penetration testing", is an important means of discovering and repairing security vulnerabilities in a target to improve system security.
Meanwhile, to guard against ever-increasing network security threats, more and more infrastructure administrators employ various security products to protect their networks. These security products include firewalls, intrusion detection and protection systems, honeypot tracing systems, etc., which intercept and track malicious attacks and provide real-time security precautions and response measures. In addition, many other security products, such as antivirus software, security audit tools, and security information and event management systems, can help enterprises and organizations improve network security and reduce security risks. These security products serve to guarantee network security, prevent unauthorized access and malicious attacks, and guarantee the integrity, confidentiality and availability of network systems and data.
The introduction of these systems improves the security of the system to some extent, but also makes it harder for penetration testing to produce valuable results. Especially in an automated penetration process, the test host is often limited to one or a few machines, and the simulated attack traffic sent by the test program has similar attack characteristics. Security products are very good at sensing and blocking attack traffic that has similar characteristics and the same source, so automated testing tools are intercepted and rendered ineffective. Simply adding test hosts not only incurs higher software and hardware deployment, labor and management costs, but also fails to solve the problem of similar attack characteristics. Therefore, how to enhance the concealment of the penetration test, reduce the interception effect of security products on the penetration test, and ensure that the penetration test proceeds stably has become a problem to be solved.
Disclosure of Invention
The present invention aims to solve at least one of the technical problems existing in the prior art to a certain extent.
Therefore, an object of the embodiments of the present invention is to provide a penetration test method based on request confusion, which effectively enhances the concealment of penetration test, reduces the interception influence of security products on penetration test, and ensures the stable performance of penetration test by various processing means such as confusion replacement, delay transmission, proxy forwarding, etc. of test requests.
It is another object of an embodiment of the present invention to provide a penetration test system based on request confusion.
In order to achieve the technical purpose, the technical scheme adopted by the embodiment of the invention comprises the following steps:
In a first aspect, an embodiment of the present invention provides a penetration test method based on request confusion, including the steps of:
acquiring a first penetration test request of a client, performing request confusion on the first penetration test request to obtain a second penetration test request, and sending the second penetration test request to a proxy server;
receiving the second penetration test request through the proxy server, and determining a request protocol and a target server according to the second penetration test request;
performing traffic snooze on the second penetration test request through the proxy server, and sending a preset invalid data packet to the target server;
determining a target proxy mode according to the request protocol through the proxy server, and forwarding the second penetration test request to the target server according to the target proxy mode.
Further, in one embodiment of the present invention, the step of performing request confusion on the first penetration test request to obtain a second penetration test request specifically includes:
acquiring a first request header of the first penetration test request;
generating a plurality of second request headers, and calculating the text similarity between each second request header and the first request header;
determining the second request header whose text similarity is smaller than or equal to a preset first threshold as a target request header, and replacing the request header of the first penetration test request with the target request header to obtain a second penetration test request.
Further, in one embodiment of the present invention, the step of determining a request protocol and a target server according to the second penetration test request specifically includes:
performing message parsing on the second penetration test request to obtain the request protocol and the target server.
Further, the step of performing, by the proxy server, traffic snooze on the second penetration test request and sending a preset invalid data packet to the target server specifically includes:
holding the second penetration test request at the proxy server, and acquiring the preset invalid data packet;
sending the invalid data packet to the target server through the proxy server until a preset traffic snooze duration is reached.
Further, in one embodiment of the present invention, the step of determining the target proxy mode according to the request protocol specifically includes:
when the request protocol is the HTTP protocol, determining that the target proxy mode is the HTTP proxy mode;
when the request protocol is the TCP protocol or the UDP protocol, determining that the target proxy mode is the SOCKS proxy mode.
Further, in one embodiment of the present invention, the step of forwarding the second penetration test request to the target server according to the target proxy mode specifically includes:
acquiring proxy service list information used by the client in a preset history period;
determining, according to the proxy service list information, a proxy service not used by the client in the preset history period as a target proxy service;
forwarding the second penetration test request to the target server through the target proxy service according to the target proxy mode.
Further, in one embodiment of the present invention, the penetration test method further comprises the steps of:
determining that the first penetration test request is a non-HTTP traffic penetration test request, and sending the first penetration test request to the proxy server;
receiving the first penetration test request through the proxy server, and determining the request protocol and the target server according to the first penetration test request;
performing traffic snooze on the first penetration test request through the proxy server, and sending the invalid data packet to the target server;
determining the target proxy mode according to the request protocol through the proxy server, and forwarding the first penetration test request to the target server according to the target proxy mode.
In a second aspect, an embodiment of the present invention provides a penetration test system based on request confusion, including:
The request confusion module is used for acquiring a first penetration test request of the client, carrying out request confusion on the first penetration test request to obtain a second penetration test request, and further sending the second penetration test request to the proxy server;
The request analysis module is used for receiving the second penetration test request through the proxy server and determining a request protocol and a target server according to the second penetration test request;
The traffic snooze module is used for performing traffic snooze on the second penetration test request through the proxy server and sending a preset invalid data packet to the target server;
The request forwarding module is used for determining a target proxy mode according to the request protocol through the proxy server and forwarding the second penetration test request to the target server according to the target proxy mode.
In a third aspect, an embodiment of the present invention provides a penetration test apparatus based on request confusion, including:
At least one processor;
at least one memory for storing at least one program;
The at least one program, when executed by the at least one processor, causes the at least one processor to implement a request confusion-based penetration test method as described above.
In a fourth aspect, embodiments of the present invention also provide a computer readable storage medium having stored therein a processor executable program which when executed by a processor is configured to perform a request confusion based penetration test method as described above.
The advantages and benefits of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
According to the embodiment of the invention, the request header of the penetration test request is replaced by confusion, so that the protection device cannot obtain the characteristic information of the penetration test from the request information; the original request sequence is disturbed by the traffic snooze technique, which interferes with the protection device's recognition of penetration test traffic through sequence, topology and similar techniques; and proxy forwarding hides the network address of the penetration client, so that the protection device cannot locate the penetration client. Together these effectively enhance the concealment of the penetration test, reduce the interception effect of security products on the penetration test, and ensure that the penetration test proceeds stably.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the following description will refer to the drawings that are needed in the embodiments of the present invention, and it should be understood that the drawings in the following description are only for convenience and clarity to describe some embodiments in the technical solutions of the present invention, and other drawings may be obtained according to these drawings without any inventive effort for those skilled in the art.
FIG. 1 is a flow chart of the steps of a request confusion-based penetration test method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a penetration test system based on request confusion according to an embodiment of the present invention;
FIG. 3 is a block diagram of a penetration test apparatus based on request confusion according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the invention. The step numbers in the following embodiments are set for convenience of illustration only, and the order between the steps is not limited in any way, and the execution order of the steps in the embodiments may be adaptively adjusted according to the understanding of those skilled in the art.
In the description of the present invention, "a plurality" means two or more, and where "first" and "second" are used, they serve only to distinguish technical features and should not be construed as indicating or implying relative importance, the number of the indicated technical features, or the precedence of the indicated technical features. Furthermore, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art.
In the prior art, whether a penetration test based on a vulnerability database uses manual attacks or automated attack tests, it cannot do without the POCs or EXPs in existing vulnerability databases. The attacker often makes only small modifications to existing vulnerability attack information according to the actual attack requirements, and the requests derived from the same attack payload all have content characteristics similar to the original attack payload. Once the content characteristics of the original attack payload or of some derived attack payload are recorded by a protection device, most attacks with similar characteristics will be marked and intercepted.
With the development of machine learning, the technology is gradually being applied to the classification of encrypted malicious traffic. It builds a classification model for malicious traffic by collecting features or feature sequences of the traffic such as packet size, protocol type, timestamp and delay. Distinguishing malicious traffic from normal traffic effectively helps network security professionals find and prevent malicious attacks. Existing penetration test programs only slightly modify the original POC or EXP content before sending it, and rarely modify traffic characteristics outside the content, such as protocol and delay. When faced with a protection device that uses machine learning classification, sending the attack payload with unmodified traffic characteristics enables the protection device to capture the malicious attack payload at the traffic or packet level, and thereby identify and intercept the attack.
Attack tracing is a technique for determining the source of an attack and the identity of the attacker by analyzing and tracking data such as the traffic and logs of network attacks. For network applications, the tracing information of primary concern is the network address of the attacker and the characteristics of the device or attack software. Such information helps network defenders determine the identity and source of an attacker so as to take corresponding defensive measures. Therefore, how to avoid being traced and countered by the defender is an important part of the work of the penetration testing party.
Penetration testing is now widely used for the evaluation of computer systems, networks or applications. Attack payload data is sent to the target system using existing attack requests, in order to discover vulnerabilities of the target system and ensure its security. However, if the vendor has deployed security measures, these will inevitably intercept part of the existing penetration test requests, which delays or even prevents the discovery of possible vulnerabilities in the target system and hinders the wide application and development of penetration testing.
The embodiment of the invention effectively enhances the concealment of the penetration test, reduces the interception influence of the security product on the penetration test and ensures the stable performance of the penetration test through a plurality of processing means such as confusion replacement, delay transmission, proxy forwarding and the like of the test request.
Referring to fig. 1, an embodiment of the present invention provides a penetration test method based on request confusion, which specifically includes the following steps:
S101, acquiring a first penetration test request of a client, carrying out request confusion on the first penetration test request to obtain a second penetration test request, and further sending the second penetration test request to a proxy server.
Further as an alternative embodiment, the step of performing request confusion on the first penetration test request to obtain the second penetration test request specifically includes:
S1011, acquiring a first request header of the first penetration test request;
S1012, generating a plurality of second request headers, and calculating the text similarity between each second request header and the first request header;
S1013, determining a second request header whose text similarity is smaller than or equal to a preset first threshold as a target request header, and replacing the request header of the first penetration test request with the target request header to obtain a second penetration test request.
Specifically, the HTTP request header is the portion of the HTTP request message that carries header information describing the request. It contains metadata that the client sends to the server with the request, such as the request method, URI, protocol version, and fields such as Accept, Accept-Encoding, User-Agent and Content-Type.
The HTTP request header helps the server learn about the client's request and thereby provide a better response. For example, the User-Agent header tells the server the type and version of the browser or other software used by the client, so that the server can provide different content or formats depending on the type of client. The Accept-Encoding header tells the server which compression algorithms the client supports, so that the server can choose an appropriate algorithm to improve transmission efficiency. The Content-Type request header lets the server know the format and type of the request body so that it can parse the content of the request body correctly. If the format and type of the request body are incorrect, the server may not process the request correctly, which may even cause errors or security vulnerabilities.
The embodiment of the invention is suitable for an HTTP traffic penetration test process. When HTTP traffic enters the request confusion proxy process, it first enters the HTTP request header confusion process: a group of request header fields and field values is generated, the text similarity between this group of request headers and the original request header is calculated according to a TF-IDF method, the text difference between the generated request header and the original request header is scored according to the text similarity, and a request header whose text similarity is smaller than or equal to a preset first threshold (namely, the text difference is larger than the first threshold) is selected as the target request header to replace the header of the original penetration test request; if the difference between the generated request header and the original request header is not large enough, the request header is regenerated until the text difference is greater than the first threshold.
S102, receiving a second penetration test request through the proxy server, and determining a request protocol and a target server according to the second penetration test request.
Further as an optional implementation manner, the step of determining the request protocol and the target server according to the second penetration test request specifically includes:
Performing message parsing on the second penetration test request to obtain the request protocol and the target server.
Specifically, since the second penetration test request only replaces the request header of the first penetration test request, the request protocol and the target server of the original penetration test request can still be obtained by analyzing the message of the second penetration test request.
S103, performing traffic snooze on the second penetration test request through the proxy server, and sending a preset invalid data packet to the target server.
Further as an optional implementation manner, the step of performing traffic snooze on the second penetration test request through the proxy server and sending a preset invalid data packet to the target server specifically includes:
S1031, holding the second penetration test request at the proxy server, and acquiring a preset invalid data packet;
S1032, sending the invalid data packet to the target server through the proxy server until the preset traffic snooze duration is reached.
Specifically, after the HTTP request is confused, it enters the traffic snooze stage. In this stage, the test request sent by the downstream proxy is held for a period of time before being sent out, and invalid data packets are sent to the target during the snooze, so that the sequence of the test traffic is disturbed without damaging the original request and service traffic. Finally, the confused and snoozed traffic is forwarded to the request proxy.
S104, determining a target proxy mode through the proxy server according to the request protocol, and forwarding the second penetration test request to the target server according to the target proxy mode.
Specifically, according to the protocol and service type used by the original request, selecting to use an HTTP proxy or a SOCKS proxy, and selecting a proxy service which has not been used recently by the test client for forwarding.
Both HTTP proxy and SOCKS proxy are request proxy technologies. Proxy technology can forward traffic that would otherwise be sent from A by way of B, so that the server considers the traffic to have been sent by B. The difference is that an HTTP proxy is the simpler and more common option if only HTTP protocol traffic is to be proxied, while a SOCKS proxy is the more flexible and comprehensive option if the penetration traffic to be proxied includes both TCP and UDP protocol traffic.
HTTP proxy is the most common type of proxy that uses the HTTP protocol to proxy network traffic. When a user accesses a website through an HTTP proxy, the client sends an HTTP request to the proxy server, which forwards the request to the target server, and then returns a response to the client. HTTP proxy can only proxy HTTP protocol traffic, but cannot handle other protocols such as FTP, SMTP, etc.
A SOCKS proxy uses the SOCKS protocol to proxy network traffic, and can proxy TCP and UDP protocol traffic. When a user accesses a website through a SOCKS proxy, the client sends a connection request to the proxy server, which forwards the request to the target server and establishes a TCP or UDP connection to proxy the traffic. Since a SOCKS proxy can proxy traffic of the TCP and UDP protocols, it can be used to proxy various types of network applications such as Web, FTP, mail and P2P.
Further as an optional embodiment, the step of determining the target proxy mode according to the request protocol specifically includes:
S1041, when the request protocol is the HTTP protocol, determining that the target proxy mode is the HTTP proxy mode;
S1042, when the request protocol is the TCP protocol or the UDP protocol, determining that the target proxy mode is the SOCKS proxy mode.
Further as an optional implementation manner, the step of forwarding the second penetration test request to the target server according to the target proxy mode specifically includes:
S1043, acquiring proxy service list information used by the client in a preset history period;
S1044, determining that the unused proxy service of the client in the preset history period is the target proxy service according to the proxy service list information;
S1045, forwarding the second penetration test request to the target server through the target proxy service according to the target proxy mode.
Further as an alternative embodiment, the penetration test method further comprises the steps of:
S105, determining that the first penetration test request is a non-HTTP traffic penetration test request, and sending the first penetration test request to a proxy server;
S106, receiving a first penetration test request through the proxy server, and determining a request protocol and a target server according to the first penetration test request;
S107, performing traffic snooze on the first penetration test request through the proxy server, and sending an invalid data packet to the target server;
S108, determining a target proxy mode through the proxy server according to the request protocol, and forwarding the first penetration test request to the target server according to the target proxy mode.
Specifically, the embodiment of the invention is also suitable for a non-HTTP traffic penetration test process. Compared with the HTTP traffic penetration test process, the main difference is that the HTTP request header does not need to be replaced: the request directly enters the traffic snooze stage and is then forwarded through the request proxy.
The method steps of the embodiments of the present invention are described above. It can be understood that, in the embodiment of the invention, the request header of the penetration test request is replaced by confusion, so that the protection device cannot obtain the characteristic information of the penetration test from the request information; the original request sequence is disturbed by the traffic snooze technique, which interferes with the protection device's recognition of penetration test traffic through sequence, topology and similar techniques; and proxy forwarding hides the network address of the penetration client, so that the protection device cannot locate the penetration client. Together these effectively enhance the concealment of the penetration test, reduce the interception effect of security products on the penetration test, and ensure that the penetration test proceeds stably.
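A detection-side view of the steps above, as an added example that is not part of the patent: because only the request header is replaced and forwarding goes through changing proxy services, the request line and body stay constant while the source address and headers vary. The sketch groups logged requests by payload and flags groups seen from several sources whose header blocks have a low mean TF-IDF cosine similarity; the record fields, thresholds, sample data and the smoothed IDF formula are assumptions.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict
from itertools import combinations


def _req(src, line, headers, body):
    return {"src": src, "line": line, "headers": headers, "body": body}


# Constructed sample log records (not from the patent).
SAMPLE_REQUESTS = [
    # Same payload, three sources, unrelated header sets.
    _req("198.51.100.7", "POST /api/login HTTP/1.1",
         {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0",
          "Accept": "text/html", "Accept-Language": "en-US"},
         "probe=constructed-test-payload"),
    _req("203.0.113.9", "POST /api/login HTTP/1.1",
         {"User-Agent": "curl/8.4.0", "Accept": "*/*", "X-Request-Id": "7f3a"},
         "probe=constructed-test-payload"),
    _req("203.0.113.20", "POST /api/login HTTP/1.1",
         {"User-Agent": "okhttp/4.12.0", "Accept-Encoding": "gzip",
          "Connection": "keep-alive"},
         "probe=constructed-test-payload"),
    # Same payload, three sources, one client build: headers nearly identical.
    *[_req(f"192.0.2.{i}", "POST /api/heartbeat HTTP/1.1",
           {"User-Agent": "ExampleApp/2.1 (Android 14)",
            "Accept": "application/json", "Accept-Language": lang},
           "status=ok")
      for i, lang in enumerate(["en-US", "en-GB", "en-CA"], start=10)],
    # Payload seen from a single source: never evaluated.
    _req("192.0.2.50", "GET /index.html HTTP/1.1",
         {"User-Agent": "Mozilla/5.0", "Accept": "text/html"}, ""),
]


def tokenize(headers):
    """Lowercase word tokens from header names and values."""
    text = " ".join(f"{name} {value}" for name, value in headers.items())
    return re.findall(r"[a-z0-9]+", text.lower())


def tfidf_vectors(docs):
    """TF-IDF weights per document; smoothed IDF = ln((1+n)/(1+df)) + 1."""
    n = len(docs)
    df = Counter(token for doc in docs for token in set(doc))
    vectors = []
    for doc in docs:
        tf = Counter(doc)
        vectors.append({t: (c / len(doc)) * (math.log((1 + n) / (1 + df[t])) + 1)
                        for t, c in tf.items()})
    return vectors


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm_a = math.sqrt(sum(w * w for w in a.values()))
    norm_b = math.sqrt(sum(w * w for w in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def find_header_churn(requests, min_sources=3, max_similarity=0.5):
    """Flag payloads sent from many sources with dissimilar header blocks."""
    groups = defaultdict(list)
    for req in requests:
        body_hash = hashlib.sha256(req["body"].encode()).hexdigest()
        groups[(req["line"], body_hash)].append(req)

    findings = []
    for (line, body_hash), members in groups.items():
        sources = sorted({m["src"] for m in members})
        if len(sources) < max(min_sources, 2):
            continue  # too few vantage points to compare
        vectors = tfidf_vectors([tokenize(m["headers"]) for m in members])
        sims = [cosine(a, b) for a, b in combinations(vectors, 2)]
        mean_sim = sum(sims) / len(sims)
        if mean_sim <= max_similarity:
            findings.append({"request_line": line, "body_sha256": body_hash,
                             "sources": sources,
                             "mean_similarity": round(mean_sim, 3)})
    return sorted(findings, key=lambda f: f["mean_similarity"])


if __name__ == "__main__":
    for finding in find_header_churn(SAMPLE_REQUESTS):
        print(finding)
```

The thresholds are a heuristic starting point: endpoints that many different client types legitimately hit with identical bodies need an allowlist or a higher `min_sources`.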
Referring to FIG. 2, an embodiment of the present invention provides a request confusion based penetration test system comprising:
The request confusion module is used for acquiring a first penetration test request of the client, carrying out request confusion on the first penetration test request to obtain a second penetration test request, and further sending the second penetration test request to the proxy server;
The request analysis module is used for receiving a second penetration test request through the proxy server and determining a request protocol and a target server according to the second penetration test request;
The traffic snooze module is used for performing traffic snooze on the second penetration test request through the proxy server and sending a preset invalid data packet to the target server;
The request forwarding module is used for determining a target proxy mode according to a request protocol through the proxy server and forwarding the second penetration test request to the target server according to the target proxy mode.
The content in the method embodiment is applicable to the system embodiment, the functions specifically realized by the system embodiment are the same as those of the method embodiment, and the achieved beneficial effects are the same as those of the method embodiment.
Referring to fig. 3, an embodiment of the present invention provides a penetration test apparatus based on request confusion, including:
At least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement a request confusion-based penetration test method as described above.
The content in the method embodiment is applicable to the embodiment of the device, and the functions specifically realized by the embodiment of the device are the same as those of the method embodiment, and the obtained beneficial effects are the same as those of the method embodiment.
The embodiment of the present invention also provides a computer-readable storage medium in which a processor-executable program is stored, which when executed by a processor is configured to perform a request confusion-based penetration test method as described above.
The computer readable storage medium of the embodiment of the invention can execute the penetration test method based on request confusion, can execute any combination of the implementation steps of the method embodiment, and has the corresponding functions and beneficial effects of the method.
Embodiments of the present invention also disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions may be read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, to cause the computer device to perform the method shown in FIG. 1.
In some alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flowcharts of the present invention are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed, and in which sub-operations described as part of a larger operation are performed independently.
Furthermore, while the present invention has been described in the context of functional modules, it should be appreciated that, unless otherwise indicated, one or more of the functions and/or features described above may be integrated in a single physical device and/or software module or one or more of the functions and/or features may be implemented in separate physical devices or software modules. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary to an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be apparent to those skilled in the art from consideration of their attributes, functions and internal relationships. Accordingly, one of ordinary skill in the art can implement the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative and are not intended to be limiting upon the scope of the invention, which is to be defined in the appended claims and their full scope of equivalents.
The above functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part of it contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the above-described method of the various embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or other suitable medium upon which the program described above is printed, as the program described above may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and the like.
In the foregoing description of the present specification, reference to the terms "one embodiment/example", "another embodiment/example", "certain embodiments/examples", and the like, means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present invention have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the spirit and principles of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiment of the present application has been described in detail, the present application is not limited to the above embodiments, and various equivalent modifications and substitutions can be made by those skilled in the art without departing from the spirit of the present application, and these equivalent modifications and substitutions are intended to be included in the scope of the present application as defined in the appended claims.

Claims (10)

1. A request confusion based penetration test method comprising the steps of:
acquiring a first penetration test request of a client, carrying out request confusion on the first penetration test request to obtain a second penetration test request, and further sending the second penetration test request to a proxy server;
receiving the second penetration test request through the proxy server, and determining a request protocol and a target server according to the second penetration test request;
performing flow snooze on the second penetration test request through the proxy server, and sending a preset invalid data packet to the target server;
and determining a target proxy mode according to the request protocol through the proxy server, and forwarding the second penetration test request to the target server according to the target proxy mode.
2. The method for performing a request confusion based penetration test according to claim 1, wherein the step of performing the request confusion on the first penetration test request to obtain a second penetration test request specifically comprises:
acquiring a first request header of the first penetration test request;
generating a plurality of second request heads, and calculating the text similarity between each second request head and the first request head;
determining the second request header with the text similarity smaller than or equal to a preset first threshold as a target request header, and replacing the request header of the first penetration test request according to the target request header to obtain a second penetration test request.
3. The penetration test method based on request confusion as recited in claim 1, wherein the step of determining a request protocol and a target server according to the second penetration test request comprises the following steps:
carrying out message analysis on the second penetration test request to obtain the request protocol and the target server.
4. The method for performing penetration test based on request confusion according to claim 1, wherein the step of performing traffic snooze on the second penetration test request by the proxy server and sending a preset invalid data packet to the target server specifically comprises:
reserving the second penetration test request through the proxy server, and acquiring the preset invalid data packet;
and sending the invalid data packet to the target server through the proxy server until a preset flow doze duration is reached.
5. The method of claim 1, wherein the step of determining a target proxy mode according to the request protocol comprises:
when the request protocol is the HTTP protocol, determining that the target proxy mode is the HTTP proxy mode;
and when the request protocol is the TCP protocol or the UDP protocol, determining that the target proxy mode is the SOCKS proxy mode.
6. The request confusion based penetration test method according to claim 1, wherein the step of forwarding the second penetration test request to the target server according to the target proxy mode specifically comprises:
acquiring proxy service list information used by the client in a preset history period;
determining, according to the proxy service list information, a proxy service not used by the client in the preset history period as a target proxy service;
and forwarding the second penetration test request to the target server through the target proxy service according to the target proxy mode.
7. A penetration test method based on request confusion as recited in any one of claims 1 to 6, further comprising the steps of:
determining that the first penetration test request is a non-HTTP traffic penetration test request, and sending the first penetration test request to the proxy server;
receiving the first penetration test request through the proxy server, and determining the request protocol and the target server according to the first penetration test request;
performing flow snooze on the first penetration test request through the proxy server, and sending the invalid data packet to the target server;
and determining the target proxy mode according to the request protocol through the proxy server, and forwarding the first penetration test request to the target server according to the target proxy mode.
8. A request confusion based penetration test system, comprising:
the request confusion module is used for acquiring a first penetration test request of the client, carrying out request confusion on the first penetration test request to obtain a second penetration test request, and further sending the second penetration test request to the proxy server;
the request analysis module is used for receiving the second penetration test request through the proxy server and determining a request protocol and a target server according to the second penetration test request;
the traffic snooze module is used for snoozing the second penetration test request through the proxy server and sending a preset invalid data packet to the target server;
and the request forwarding module is used for determining a target proxy mode according to the request protocol through the proxy server and forwarding the second penetration test request to the target server according to the target proxy mode.
9. A request confusion based penetration test apparatus comprising:
at least one processor;
at least one memory for storing at least one program;
when the at least one program is executed by the at least one processor, the at least one processor is caused to implement a request confusion based penetration test method according to any of claims 1 to 7.
10. A computer readable storage medium, in which a processor executable program is stored, characterized in that the processor executable program, when being executed by a processor, is for performing a request confusion based penetration test method according to any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410242657.2A CN118138300A (en) 2024-03-04 2024-03-04 Penetration test method, system, device and storage medium based on request confusion

Publications (1)

Publication Number Publication Date
CN118138300A (en) 2024-06-04

Family

ID=91229544

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination