基于Metasploit的网络安全评估系统的设计与实现

发布时间：2018-04-04 20:44

本文选题：漏洞评估　切入点：渗透测试　出处：《河北科技大学》2014年硕士论文

【摘要】：随着棱镜门事件的爆发以及OpenSSL心脏出血漏洞事件的披露,信息安全逐渐成为近年来国家、企事业单位及科研机构关注的焦点。为有效减小信息安全事件带来的严重影响,漏洞评估以及渗透测试等网络安全评估手段成了评估信息系统安全现状最有效的方式。相较于国外,国内相关安全评估技术资源较匮乏,现有的安全评估工具虽然数目众多,但功能单一、操作困难,评估过程缺乏连贯性、自动化以及智能化等缺陷,由此造成国内众多信息系统存在的安全问题不能被及早发现。在上述背景下,本文利用Metasploit框架作为评估系统的核心,通过对Metasploit现有接口进行二次开发,集成当前较流行的安全工具,以模块化及插件式的方式,将原本的C/S架构转变为B/S架构,并将系统有效划分为主机扫描、密码破解、Web扫描、漏洞利用、会话控制及报表生成等模块,最后将各个阶段智能化的关联起来,以一种“黑盒子”的方式向用户隐藏复杂的安全评估过程,最终通过Web展示评估结果。对本评估系统进行了功能验证,并通过对比实验,发现本系统从漏洞检测率、漏洞利用成功率、扫描速率等方面都表现出明显优势。利用本系统,可以减小管理员的负担,增加信息系统的安全性,减轻敏感信息泄露的概率。
[Abstract]:With the outbreak of the Prism Gate incident and the disclosure of the OpenSSL heart bleeding loophole, information security has gradually become the focus of attention of the country, enterprises and institutions and scientific research institutions in recent years.In order to effectively reduce the serious impact of information security events, vulnerability assessment and penetration testing have become the most effective way to evaluate the security status of information systems.Compared with foreign countries, the domestic safety assessment technology resources are relatively scarce. Although the number of existing safety assessment tools is numerous, but the function is single, the operation is difficult, the evaluation process lacks of consistency, automation and intelligence, and so on.As a result, the security problems existing in many information systems in China cannot be detected as early as possible.Under the above background, this paper uses the Metasploit framework as the core of the evaluation system, through the secondary development of the existing interface of Metasploit, integrates the current more popular security tools, in the way of modularization and plug-in.The original C / S architecture is transformed into B / S architecture, and the system is effectively divided into host scanning, password cracking Web scanning, vulnerability exploitation, session control and report generation, etc. Finally, each stage is intelligently connected.Hide the complex security evaluation process from the user in a "black box" way, and finally display the evaluation results through Web.The function of the evaluation system is verified, and through comparative experiments, it is found that the system has obvious advantages in vulnerability detection rate, vulnerability utilization success rate, scanning rate and so on.The system can reduce the burden of administrator, increase the security of information system and reduce the probability of sensitive information leakage.
【学位授予单位】：河北科技大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TP393.08

【参考文献】