Design and Implementation of Kscan, a Network Scanning Tool Based on Device Identification
Published: 2018-08-02 17:09
[Abstract]: With the continuing development of Internet technology, more and more terminal devices are joining cyberspace; network cameras, network printers, digital media devices, smart home appliances and other emerging devices make cyberspace varied and complex. Accurately identifying terminal devices not only helps network administrators audit network assets promptly, but also allows device information to be correlated with vulnerability information, so that potential security risks are discovered in time and attacks by malicious actors are avoided. Device identification is therefore of great significance for network security early warning and security assessment. This thesis describes the design and implementation of Kscan, a network scanning tool based on device identification. Kscan uses active probing to scan unknown network terminal devices, detecting the target device's open ports, the application-layer protocols and service components in use, the operating system, and the device's product information. The scan data is stored in the back-end data center of the threat intelligence platform, one of the company's major products. For each application-layer protocol or service component, Kscan sends a different packet to obtain the target device's response banner, and identifies the device by matching characteristic fields in the banner against the device fingerprints in the fingerprint database. When detecting the operating system, Kscan uses TCP/IP stack fingerprinting: it sends a series of special network probe packets to obtain the TCP/IP stack characteristics of the target operating system, then matches those characteristics against the fingerprints in the operating system fingerprint database to obtain the result.
Starting from Kscan's scanning requirements, the thesis describes in detail the overall architecture of Kscan, the detailed design of each module, and the key implementation details. The detailed design analyzes five application-layer protocols with high device identification rates and three network components, and gives methods for identifying devices through them. It also describes in detail the probing techniques and scanning strategies that Kscan uses. Kscan currently supports scanning of 56 different application-layer protocols and service components and identification of 50 types of terminal devices. Kscan is now being extended toward industrial control device identification, and the fingerprint database will continue to be expanded.
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year degree conferred]: 2017
[Classification number]: TP393.08
Article ID: 2160111
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2160111.html