Design of an Operating System Identification Tool Based on TCP Options
Abstract

With the rapid growth of computer networks, network security has attracted wide attention and become one of the central topics of network research. One of the biggest challenges in protecting a network is finding vulnerabilities promptly and accurately. Since most vulnerabilities and weaknesses are tied to a particular operating system, accurate identification of the remote operating system is one of the key technologies for securing a network.

This thesis first surveys the current state of computer networks and the threats they face, then discusses in detail the key techniques an identification tool needs, namely open-port scanning and remote operating system identification. On this basis it proposes a remote operating system identification technique based on TCP options, gives an overall design for an identification tool built on that technique, and implements the design with VC6.0 on Windows 2003.

The main work is the application of TCP-option-based fingerprinting to identify the remote operating system accurately. The identification proceeds in four steps. First, the open ports of the target host are found with "half-open" (TCP SYN) scanning. Second, using the open-port information, six packets carrying specially chosen TCP options are sent to a selected open port of the target. Third, the response packets are captured, parsed and analysed, and the TCP options they carry are extracted as the fingerprint. Fourth, the fingerprint is looked up and matched in a fingerprint database. In testing, the Shanghai Jiao Tong University web server was used as the target, and both its open ports and its operating system version were obtained correctly.

The thesis is organised in six chapters. Chapter 1 is the introduction: the purpose and significance of the research, the work done, research activity at home and abroad, and existing products. Chapter 2 surveys port-scanning technology: a brief introduction to the six flag bits in the TCP header and the TCP connection establishment mechanism (the three-way handshake), followed by a thorough treatment of common port-scanning techniques and their principles. Chapter 3 covers TCP/IP fingerprinting: the options in the TCP header, the concept and applications of TCP/IP stack fingerprinting, and a detailed exposition of remote operating system identification based on TCP options. Chapter 4 presents the overall design of the identification tool: a brief introduction to raw-socket programming, the overall design and its flow chart, and the design and implementation of the scheduling module. Chapter 5 presents the design and implementation of the three core modules: open-port scanning, operating system identification, and fingerprint matching. Chapter 6 concludes, summarising the work and looking ahead to future work.
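The four-step procedure summarised above, as an added worked example in Python (not the thesis's VC6.0 implementation): it encodes the option layout of each probe (step 2), parses the TCP options out of a captured SYN/ACK header with bounds checks on the data offset and every option length, since the bytes come from an untrusted host (step 3), renders the options as a compact signature string and looks it up in a fingerprint table (step 4). The six probe layouts, the sample reply and the fingerprint entries are constructed for illustration; the thesis's actual probes and database are not on this page, and the signature format is a simplified one of my own, not nmap's. Sending the probes and the SYN scan of step 1 need raw sockets and a live target, so the example stops at the byte level.

```python
import struct

# TCP option kinds (RFC 793 EOL/NOP/MSS, RFC 7323 window scale and timestamps, RFC 2018 SACK-permitted)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8


def build_options(opts):
    """Encode (kind, value) pairs as TCP option bytes, EOL-padded to a 4-byte boundary."""
    out = bytearray()
    for kind, val in opts:
        if kind == OPT_NOP:
            out.append(OPT_NOP)
        elif kind == OPT_MSS:
            out += struct.pack("!BBH", OPT_MSS, 4, val)
        elif kind == OPT_WSCALE:
            out += struct.pack("!BBB", OPT_WSCALE, 3, val)
        elif kind == OPT_SACK_OK:
            out += struct.pack("!BB", OPT_SACK_OK, 2)
        elif kind == OPT_TIMESTAMP:
            out += struct.pack("!BBII", OPT_TIMESTAMP, 10, val[0], val[1])
        else:
            raise ValueError(f"unsupported option kind {kind}")
    while len(out) % 4:
        out.append(OPT_EOL)
    return bytes(out)


def build_tcp_header(sport, dport, seq, ack, flags, window, options):
    """Assemble a TCP header (checksum left zero) carrying the given option bytes."""
    assert len(options) % 4 == 0
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)
    return fixed + options


# Option layouts for six probes: constructed for this example, not the thesis's layouts.
# Varying option order, MSS, window scale and timestamp presence is what makes stacks answer differently.
PROBES = [
    [(OPT_WSCALE, 10), (OPT_NOP, None), (OPT_MSS, 1460), (OPT_TIMESTAMP, (0xFFFFFFFF, 0)), (OPT_SACK_OK, None)],
    [(OPT_MSS, 1400), (OPT_WSCALE, 0), (OPT_SACK_OK, None), (OPT_TIMESTAMP, (0xFFFFFFFF, 0))],
    [(OPT_TIMESTAMP, (0xFFFFFFFF, 0)), (OPT_NOP, None), (OPT_NOP, None), (OPT_WSCALE, 5), (OPT_MSS, 640)],
    [(OPT_SACK_OK, None), (OPT_TIMESTAMP, (0xFFFFFFFF, 0)), (OPT_WSCALE, 10)],
    [(OPT_MSS, 536), (OPT_SACK_OK, None), (OPT_TIMESTAMP, (0xFFFFFFFF, 0)), (OPT_WSCALE, 10)],
    [(OPT_MSS, 265), (OPT_SACK_OK, None), (OPT_TIMESTAMP, (0xFFFFFFFF, 0))],
]


def parse_options(tcp_header):
    """Parse the options of a captured TCP header into (kind, value) pairs.

    The header comes from an untrusted host, so the data offset and every
    option length are validated before they are used as indices.
    """
    if len(tcp_header) < 20:
        raise ValueError("short TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError(f"bad data offset {data_offset}")
    opts = tcp_header[20:data_offset]
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            result.append((OPT_NOP, None))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            value = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            value = body[0]
        elif kind == OPT_SACK_OK and length == 2:
            value = None
        elif kind == OPT_TIMESTAMP and length == 10:
            value = struct.unpack("!II", body)
        else:
            value = bytes(body)  # unknown kind or unexpected length: keep the raw body
        result.append((kind, value))
        i += length
    return result


def signature(options):
    """Render options as a string: kind order, MSS and scale values, and whether the
    two timestamp fields are non-zero (the tick values themselves vary per reply)."""
    parts = []
    for kind, value in options:
        if isinstance(value, bytes):
            parts.append(f"U{kind}")
        elif kind == OPT_MSS:
            parts.append(f"M{value:X}")
        elif kind == OPT_WSCALE:
            parts.append(f"W{value}")
        elif kind == OPT_NOP:
            parts.append("N")
        elif kind == OPT_SACK_OK:
            parts.append("S")
        elif kind == OPT_TIMESTAMP:
            parts.append("T%d%d" % (value[0] != 0, value[1] != 0))
    return "".join(parts)


# Constructed fingerprint table for the first probe's reply; a real database holds one entry per probe and stack.
FINGERPRINTS = {
    "M5B4ST10NW7": "Linux 2.6 (constructed entry)",
    "M5B4NNS": "Windows Server 2003 (constructed entry)",
    "M5B4NW6ST10": "FreeBSD 7 (constructed entry)",
}


def identify(reply_header, db=FINGERPRINTS):
    """Steps 3 and 4: extract the option fingerprint from a reply and look it up."""
    sig = signature(parse_options(reply_header))
    return sig, db.get(sig, "unknown")


# Constructed SYN/ACK (flags 0x12) from a hypothetical target, port 80 to our port 40000.
SAMPLE_REPLY = build_tcp_header(
    80, 40000, 0x1A2B3C4D, 1, 0x12, 5792,
    build_options([(OPT_MSS, 1460), (OPT_SACK_OK, None), (OPT_TIMESTAMP, (123456, 0)),
                   (OPT_NOP, None), (OPT_WSCALE, 7)]))

if __name__ == "__main__":
    for n, layout in enumerate(PROBES, 1):
        print(f"probe {n} options: {build_options(layout).hex()}")
    print("reply options %s -> %s" % identify(SAMPLE_REPLY))
```

The signature deliberately keeps option order: two stacks can support the same options yet emit them in a different order, and that order survives even when MSS or window-scale values are tuned by the administrator. Timestamps are reduced to presence bits for the same reason.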