An example of terminal compliance check using port scanning

Abstract: Large-scale office networks often run a large number of terminals, and the security of these terminals is a key concern of network administrators. How to carry out information security education for users and which technical defense measures to take are the subject of many articles. But are these defensive measures effective? Do employees use the terminals as required? This article uses port scanning to provide an example of terminal application inspection, and offers network administrators an approach for checking terminal compliance.

Keywords: port scanning; Nmap; terminal compliance

1. Background

Modern large companies often have their own internal office networks. Depending on the scale and distribution of the company's business, some office networks are concentrated in a single area, while others span provinces and even countries. Wherever computer networks are used, security must be considered; this has been the consensus throughout the development of computer networks. Faced with a large company network with many hosts, how can we quickly inspect it and find the hosts with hidden security risks? This is a problem that network administrators cannot avoid. Current research on intranet security is fairly extensive and can be summarized in three aspects: (1) strengthen employee security awareness education; (2) improve the level of terminal security management; (3) improve terminal security protection measures. [1] The author believes that in addition to frontal defense, we should also consider inspection methods, otherwise we cannot verify whether our defenses are effective. Considering that a complete VPN test may not be applicable to every company, this article proposes a method of using port scanning for terminal compliance checks and gives an example. It is hoped that this offers some useful ideas and encourages network administrators to think about intranet security.


2. Port and port scan

A port is just an abstract concept in software, used to distinguish communication channels. Just as IP addresses identify computers on a network, ports identify specific applications on a single computer. For example, your web browser connects to TCP port 80 by default for HTTP URLs. If you specify the secure HTTPS protocol, the browser tries port 443 by default.

Port scanning is the act of remotely testing multiple ports to determine what state they are in. Usually the state we are most interested in is open, which means that an application is listening and accepting connections on the port. Although many port scanners traditionally lump all ports into either the open or the closed state, the tool we will use, Nmap, is more refined and divides ports into six states. These states are not inherent attributes of the port itself; they describe how Nmap sees them. For example, an Nmap scan from the same network as the target might show port 135/tcp as open, while a scan with the same options from the Internet might show the port as filtered.

3. Problem

In a real environment, we sometimes need to quickly find every host on a network with a particular TCP port open. [2] For example: after a vulnerability in Microsoft IIS is disclosed, we want to know which hosts on the network have TCP port 80 open with the service still running; or, when you find that a backdoor left by an attacker on a compromised host listens on port 31337, you will want to quickly scan the network to find other compromised hosts, and so on.

4. Solution

To solve the above problem, the most direct way is to run the following command:

# nmap -Pn -p<portnumber> -oG <logfilename.gnmap> <target network>

Here is a concrete example that searches 4096 IP addresses for web servers (port 80 open):

# nmap -Pn -p80 -oG logs/pb-port80scan-%D.gnmap 216.163.128.0/20

The "%D" in the file name is replaced by the numeric date on which the scan is run (for example, 1 September 2007 becomes "090107"). Although this scan command works, tuning a few options will greatly reduce the scan time:

# nmap -T4 -Pn -p80 --max-rtt-timeout 200ms --initial-rtt-timeout 150ms --min-hostgroup 512 -oG logs/pb-port80scan-%D.gnmap 216.163.128.0/20

We found that most of the time was spent on reverse DNS resolution. Adding -n to the above command line to disable DNS resolution greatly reduces the waiting time.

The above command stores the grepable format result in the specified file. Then, we use a simple egrep command to find the machine with port 80 open:

egrep '[^0-9]80/open' logs/pb-port80scan-%D.gnmap

The egrep pattern is prefixed with [^0-9] to avoid falsely matching other ports (for example, 3180). Since we only scan port 80 here, that cannot happen, but it is a good habit for multi-port scans. If you only need the IP addresses, pipe the egrep output into awk '{print $2}'.
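A small shell harness, added here as an illustration (it is not part of the original article or of Nmap), that applies the same egrep/awk filtering to a constructed grepable-output file; the file contents and the 192.0.2.x addresses are made up for the example:

```shell
#!/bin/sh
# Constructed sample of Nmap grepable (-oG) output; not a real scan result.
# Real -oG lines separate fields with tabs; spaces are used here for display.
# Hosts: .10 has 80 open, .11 only filtered, .12 has only 3180 open (must NOT
# match a search for port 80), .23 has both 80 and 443 open.
SAMPLE_GNMAP="$(mktemp)"
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()  Ports: 80/open/tcp//http///  Ignored State: filtered (0)
Host: 192.0.2.11 ()  Ports: 80/filtered/tcp//http///
Host: 192.0.2.12 ()  Ports: 3180/open/tcp//unknown///  Ignored State: filtered (0)
Host: 192.0.2.23 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///
# Nmap done (constructed sample): 4 IP addresses scanned
EOF

# open_port_hosts PORT FILE
# Prints the IP address of every host whose PORT is reported open.
# The [^0-9] prefix is the point of the article's pattern: without it,
# "3180/open" would be reported as a hit for port 80 in a multi-port scan.
open_port_hosts() {
    port="$1"
    file="$2"
    grep -E "[^0-9]${port}/open" "$file" | awk '{print $2}'
}

# count_open_port_hosts PORT FILE
# Number of hosts with PORT open, handy for a one-line compliance summary.
count_open_port_hosts() {
    open_port_hosts "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone usage: list terminals violating "no web service on a terminal".
echo "Hosts with TCP port 80 open:"
open_port_hosts 80 "$SAMPLE_GNMAP"
echo "Total: $(count_open_port_hosts 80 "$SAMPLE_GNMAP")"
```

Point the functions at a real pb-port80scan-*.gnmap file instead of the sample to get the same listing for an actual scan.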

5. Example demonstration

Sometimes a story is the best way to understand a decision, and only in practical examples can we properly see how to choose the command line for a solution. Suppose a company has about 4096 terminals. The company has clear requirements on which applications may run on these terminals, among them: "user terminals must not provide web services." However, with such a large number of terminals it is impossible for the network administrator to conduct a full census, and even after checking every one there is no guarantee that there will be no violations in the future. A host running a web server usually has TCP port 80 open. Although in theory such a server can listen on any port, port 80 is the most likely. Therefore, we can identify employees who violate company policy by finding the terminals on the network with port 80 open.

To optimize the scan, we first measured the network latency, which averaged 60 milliseconds. Taking this average latency into account, we use the options --max-rtt-timeout 200ms --initial-rtt-timeout 150ms, together with the more aggressive timing template -T4.

Since we care about minimizing the completion time of the entire scan rather than the time before the first batch of host results is returned, a larger host group size can be specified. The option --min-hostgroup 512 makes each parallel scan cover 512 hosts. Using a sub-block size that divides the address range evenly avoids inefficient leftover sub-blocks: for example, using --min-hostgroup 500 for the 4096 hosts in this example would leave a final sub-block of only 96 hosts.

Since a ping takes about as long as the single-port scan itself, there is no point wasting time on the preliminary ping phase, so -Pn is specified to disable it. Skipping reverse DNS resolution with the -n option saves a lot of time as well; otherwise, with ping disabled, Nmap would try to resolve all 4096 IP addresses. Since we are looking for web servers, we set the port to 80. Of course, this setting will miss HTTP servers running on non-standard ports (such as 81 or 8080) and will not find SSL servers on port 443. You can add these ports after the -p option, but each additional port roughly doubles the scan time, which is approximately proportional to the number of ports scanned.

The last option is -oG, followed by the name of the file in which to store the grepable results. Gordon adds the target network to the end of the command and presses Enter to start the scan, as shown in Example 6:

Example 6: start scanning

Nmap finishes scanning all 4096 IP addresses in about three minutes. The normal output shows a large number of ports in the filtered state. Most of these IPs are probably not active hosts (their ports are shown as filtered only because Nmap received no response to its SYN probe). We use the egrep command to extract the list of web servers from the output file, as shown in Example 7:

Example 7: egrep command to query hosts with open port 80

In the end, he found that two of the 4096 IP addresses had port 80 open. Many network administrators will have encountered the situation described above. Compared with inspecting hosts one by one, port scanning is significantly more efficient. Of course, if there are determined users who, for example, deliberately evade the scan, move the web service to another port, or set local firewall policies, the effectiveness of this method is greatly reduced, but users with such skills would themselves stand out within the company.

6. Summary

The scope of terminal compliance inspection is actually quite broad, and application inspection is only one aspect of it. This article takes checking terminals for an open TCP port 80 as an example and introduces the application of port scanning in this area. Of course, no single technology can solve the problem of terminal compliance inspection. We also need to combine other means to expand the scope of inspection, improve its efficiency, and reduce the workload of network administrators.


References:

[1] Luo Huaping. Research on the security management of large-scale enterprise intranet computer terminals [J]. Industry and Technology Forum, 2020, 19(02): 36-38.

[2] Gordon Lyon. Nmap Network Scanning [EB/OL]. https://nmap.org/book/toc.html, 2011.

Origin: blog.51cto.com/14857544/2601736