Port scanning for network security

1. The three phases of scanning

A complete network security scan is divided into three phases:

Phase 1: Discover the target host or network (port scanning).

Phase 2: Once a target is found, collect further information about it: the operating system type, the services that are running, and the versions of the service software. If the target is a network, go on to discover its topology, its routing devices, and the details of each host (target information identification).

Phase 3: Using the information collected, judge, or test further, whether the system has security vulnerabilities (vulnerability scanning).

2. Port scanning technology

Once the target host is known to be active, port scanning can be used to discover its open ports, that is, the ports on which network protocols and applications are listening. Port scanning techniques fall into three main categories:

- Open scanning: generates a large amount of audit data and is easily noticed by the other side, but its reliability is high. Examples: TCP Connect scan, TCP reverse ident scan.

- Covert scanning: can effectively evade the other side's intrusion detection system and firewall, but the packets these scans use are easily dropped in transit, which produces false detection results. Examples: TCP FIN scan, TCP Xmas scan, TCP Null scan, TCP FTP proxy scan, fragmentation scan, UDP scan.

- Semi-open scanning: concealment and reliability lie between the former two. Examples: TCP SYN scan, TCP indirect scan.
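Seen from the defender's side, the three families differ mainly in what the first packet of each probe looks like and in whether a handshake ever completes. The following Python example is added here and is not code from the original post: it classifies constructed sensor records (timestamp, source, destination port, TCP flags, handshake completed) into the scan families named above and raises an alert for any source that touches many distinct ports inside a short sliding window. The record format, the thresholds and the sample traffic are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sensor records, one per unsolicited first packet seen at the sensor:
# (timestamp in seconds, source IP, destination port, TCP flags set, handshake completed?)
# A SYN later followed by a full three-way handshake is what a connect() scan or a
# normal client produces; a lone SYN whose handshake never completes is the
# half-open (SYN) probe.
PROBES = (
    [(100.0 + 0.1 * i, "203.0.113.5", p, {"SYN"}, False)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389])]
    + [(200.0 + 0.2 * i, "192.0.2.9", p, {"FIN"}, False)
       for i, p in enumerate(range(8000, 8010))]
    + [(300.0, "198.51.100.7", 443, {"SYN"}, True),   # ordinary client traffic
       (301.5, "198.51.100.7", 80, {"SYN"}, True),
       (302.0, "198.51.100.7", 22, {"SYN"}, True)]
)

# Flag combinations that only the covert scan families send on a first packet.
FLAG_SIGNATURES = {
    frozenset(): "TCP Null scan",
    frozenset({"FIN"}): "TCP FIN scan",
    frozenset({"FIN", "PSH", "URG"}): "TCP Xmas scan",
}


def classify_probe(flags, handshake_completed):
    """Name the scan family a single first packet belongs to."""
    fs = frozenset(flags)
    if fs == frozenset({"SYN"}):
        return "TCP Connect scan" if handshake_completed else "TCP SYN scan"
    return FLAG_SIGNATURES.get(fs, "other")


def detect_scanners(probes, window=5.0, threshold=10):
    """Return {source: (dominant scan family, peak distinct ports in one window)}
    for every source that touched at least `threshold` distinct destination
    ports within any `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dport, flags, done in probes:
        by_src[src].append((ts, dport, classify_probe(flags, done)))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        ports_in_window = Counter()
        oldest = 0
        peak = 0
        for ts, dport, _ in events:
            ports_in_window[dport] += 1
            # Evict events that fell out of the sliding window.
            while events[oldest][0] < ts - window:
                old_port = events[oldest][1]
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
                oldest += 1
            peak = max(peak, len(ports_in_window))
        if peak >= threshold:
            dominant = Counter(kind for _, _, kind in events).most_common(1)[0][0]
            alerts[src] = (dominant, peak)
    return alerts


if __name__ == "__main__":
    for src, (kind, ports) in detect_scanners(PROBES).items():
        print(f"{src}: {kind}, {ports} distinct ports inside a 5 s window")
```

The distinct-port count is what separates a scan from a busy but legitimate client: the constructed client above opens three connections in two seconds and is never reported, while the two scanners cross the threshold with no handshake ever completing. Real sensors also have to account for the covert families' unreliability noted in the text: a dropped FIN or Null probe leaves no trace at all, so these counts are a lower bound.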

3. Target information identification

After the live systems on the network have been found, the next step is to obtain the operating system information and the open service information of each target host. The main techniques are service identification and operating system detection.

Service identification: The usual way to obtain the service type is to infer it directly from the port number using the well-known port assignments of RFC 1700. The following situations make this job more troublesome:

- The host deliberately runs a service on a non-standard port;

- The host runs a service that RFC 1700 does not define;

- The host has a backdoor program installed.

Therefore the port number alone is sometimes not enough to judge the service type, and more information may be needed.
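The three troublesome cases above are exactly the ones a banner check catches. The following Python example is added here and is not code from the original post: it compares what a small port table (a constructed subset of the kind of assignments RFC 1700 listed) predicts for a port with what the listener's banner actually says, and reports every disagreement. The port table, the banner patterns and the observed banners are assumptions constructed for the example, and the patterns are deliberately simplified.

```python
import re

# Well-known port assignments: a small constructed subset of the kind of table
# RFC 1700 listed (the IANA registry is the live source today).
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https"}

# Banner patterns for the protocols above (constructed, deliberately simplified).
BANNER_PATTERNS = (
    ("ssh", re.compile(r"^SSH-\d\.\d-")),
    ("ftp", re.compile(r"^220[ -].*FTP", re.IGNORECASE)),
    ("smtp", re.compile(r"^220[ -].*E?SMTP", re.IGNORECASE)),
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}")),
)

# Constructed observations: port -> the first bytes the listener sent back.
OBSERVED = {
    22: "SSH-2.0-OpenSSH_9.6\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
    2222: "SSH-2.0-OpenSSH_9.6\r\n",   # SSH deliberately moved to a non-standard port
    443: "SSH-2.0-dropbear\r\n",       # SSH listening where HTTPS is expected
    31337: "hello\r\n",                # listener the table does not define, unknown banner
    25: "",                            # open, but no banner was captured
}


def service_from_banner(banner):
    for name, pattern in BANNER_PATTERNS:
        if pattern.search(banner):
            return name
    return None


def identify_service(port, banner):
    """Return (service, verdict). The verdict is one of:
    'agrees'        banner and port table say the same thing
    'port-only'     nothing recognisable in the banner; the port number is the only evidence
    'non-standard'  a known service on a port the table does not assign
    'mismatch'      the banner contradicts the port table
    'unknown'       neither source gives an answer
    Anything other than 'agrees' is where the text says more information is needed."""
    expected = WELL_KNOWN_PORTS.get(port)
    observed = service_from_banner(banner)
    if observed is None:
        return (expected, "port-only") if expected else ("unknown", "unknown")
    if expected is None:
        return (observed, "non-standard")
    if observed != expected:
        return (observed, "mismatch")
    return (observed, "agrees")


def audit(observed=OBSERVED):
    """Identify every observed listener and keep the verdict next to the guess."""
    return {port: identify_service(port, banner) for port, banner in observed.items()}


if __name__ == "__main__":
    for port, (service, verdict) in sorted(audit().items()):
        print(f"{port:>5}  {service:<8} {verdict}")
```

A 'mismatch' or 'unknown' verdict on an internal host is the kind of finding that deserves a ticket: in the constructed data the SSH daemon answering on 443 and the unidentified listener on 31337 are the two cases where the port number would have misled a port-table-only scanner.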

Operating system detection: Since many vulnerabilities are tied to a particular operating system, determining the operating system type is also very important for vulnerability assessment tools. The methods in use today fall into two main categories: using system information, and using TCP/IP stack fingerprints. The latter can be implemented in many different ways.
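One of the simplest stack-fingerprint methods reads two header fields of a packet the host already sent, the IP TTL and the TCP window size, and matches them against known stack defaults. The following Python example is added here and is not code from the original post; it shows that method from the defender's side, where OS detection is used to find hosts whose stack does not match what the asset inventory records. The initial-TTL values (64, 128, 255) are the commonly cited defaults; the window-size sets, the observations and the inventory are constructed stand-ins, and real tools such as p0f and Nmap compare many more fields than these two.

```python
# Common initial TTL values: 64 (Linux, macOS, the BSDs), 128 (Windows),
# 255 (many routers and some commercial Unixes). The window-size sets are a
# constructed, simplified stand-in for a real signature database.
INITIAL_TTLS = (64, 128, 255)
SIGNATURES = {
    64: ("Linux-like", {29200, 64240, 65535}),
    128: ("Windows-like", {8192, 64240, 65535}),
    255: ("router/embedded-like", {4128, 8760}),
}


def initial_ttl_and_hops(observed_ttl):
    """Recover the sender's initial TTL (the smallest common value not below the
    observed one) and the number of hops the packet travelled to reach us."""
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init, init - observed_ttl
    return None, None


def fingerprint(ttl, window):
    """Guess the OS family from TTL, and use the window size only to grade confidence."""
    init, hops = initial_ttl_and_hops(ttl)
    if init is None:
        return {"family": "unknown", "hops": None, "confidence": "none"}
    family, windows = SIGNATURES[init]
    return {"family": family, "hops": hops,
            "confidence": "medium" if window in windows else "low"}


# Constructed observations (ip, ttl, window) from SYN/ACKs the sensor saw, plus a
# constructed asset inventory of what each host is recorded as.
OBSERVATIONS = [
    ("10.0.0.10", 57, 29200),
    ("10.0.0.20", 117, 8192),
    ("10.0.0.30", 250, 4128),
    ("10.0.0.40", 61, 64240),   # inventory says Windows, the stack looks Linux-like
]
INVENTORY = {
    "10.0.0.10": "Linux-like",
    "10.0.0.20": "Windows-like",
    "10.0.0.30": "router/embedded-like",
    "10.0.0.40": "Windows-like",
}


def inventory_mismatches(observations=OBSERVATIONS, inventory=INVENTORY):
    """Hosts whose stack fingerprint disagrees with the inventory record."""
    out = []
    for ip, ttl, window in observations:
        fp = fingerprint(ttl, window)
        recorded = inventory.get(ip, "unrecorded")
        if fp["family"] != recorded:
            out.append((ip, recorded, fp["family"]))
    return out


if __name__ == "__main__":
    for ip, recorded, seen in inventory_mismatches():
        print(f"{ip}: inventory says {recorded}, stack fingerprint says {seen}")
```

The hop count that falls out of the TTL arithmetic is a useful secondary signal: a host that is "one hop away" according to the inventory but shows ten hops in its fingerprint is either mis-recorded or not the host you think it is.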


Table 1: Comparison of OS detection methods

4. Vulnerability detection

After the two steps of discovering the target and gathering its information, vulnerability detection can be carried out.

Vulnerability detection methods fall into three main types: direct testing (test), inference (inference), and testing with credentials (test with credentials).

5. Different scanning strategies

A computer security scan can be performed not only from the network but also from the host itself. In other words, security scanning has two strategies: network-based and host-based.

Network-based security assessment tools evaluate a system from the perspective of an intruder and are called remote scanners or network scanners. Host-based security assessment tools evaluate a system from the perspective of a local system administrator and are called local scanners or system scanners. The main purpose of both kinds of scanner is to discover potential security holes in the system or network.

(1) Host-based vulnerability assessment analyzes file contents and checks for inappropriate settings, weak passwords and other security issues on the system. It has the following characteristics:

- It runs on a single host, and the scan target is the local host;

- The design and implementation of the scanner depend on the operating system of the target host;

- Scan items mainly include user account files, group files, system permissions, system configuration files, key files, log files, user passwords, network interface status, system services, software vulnerabilities, and so on.

(2) Network-based vulnerability assessment simulates the behaviour of attacking the system, executing plug-ins or scripts and recording the system's responses, in order to discover the loopholes in it. It has the following characteristics:

- It runs on one or more hosts, and the scan target is the local host or one or more remote hosts;

- The design and implementation of the scanner are independent of the operating system of the target host;

- Scan items mainly include the target's open ports, system network services, system information, system vulnerabilities, remote service vulnerabilities, Trojan horse detection, denial of service, and so on.
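Three of the host-based scan items listed under (1), configuration files, user passwords and system permissions, can be checked with nothing more than local file reads, which is why a host-based scanner needs no network access but is tied to the target's operating system. The following Python example is added here and is not code from the original post: it runs a configuration check, a password-field check and a permission check over constructed Linux-style inputs (an sshd_config excerpt, /etc/shadow-style records, and a file listing with mode bits) and collects findings. The inputs, the weak-setting table and the finding texts are assumptions made for the example; the hash in the shadow record is a placeholder.

```python
import stat

# Constructed sshd_config excerpt with two settings a host scanner would flag.
SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

# Constructed /etc/shadow-style records: name:hash:lastchange:min:max:warn:::
SHADOW = [
    "root:$6$placeholder$PLACEHOLDERHASH:19000:0:99999:7:::",
    "backup::19000:0:99999:7:::",        # empty hash field: login with no password
    "svc:!:19000:0:99999:7:::",          # locked account, fine
    "www-data:*:19000:0:99999:7:::",     # no password set, cannot log in, fine
]

# Constructed file listing: (path, mode bits as os.stat().st_mode would report them).
FILES = [
    ("/etc/shadow", 0o100640),
    ("/etc/cron.d/nightly", 0o100666),    # world-writable scheduled-task file
    ("/usr/local/bin/helper", 0o104755),  # setuid binary, worth recording
]

# Setting -> (values that count as weak, why). Constructed for the example.
SSHD_WEAK = {
    "permitrootlogin": ({"yes"}, "root may log in directly over SSH"),
    "passwordauthentication": ({"yes"}, "password logins allowed; prefer key-based"),
    "permitemptypasswords": ({"yes"}, "empty passwords accepted"),
}


def check_sshd_config(text):
    """Flag weak keyword/value pairs; comments and blank lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in SSHD_WEAK and value in SSHD_WEAK[key][0]:
            findings.append(f"sshd_config: {key}={value}: {SSHD_WEAK[key][1]}")
    return findings


def check_shadow(records):
    """An empty second field means the account has no password at all.
    '!' and '*' are locked or disabled accounts and are not reported."""
    findings = []
    for rec in records:
        name, hash_field = rec.split(":")[:2]
        if hash_field == "":
            findings.append(f"shadow: account {name} has an empty password field")
    return findings


def check_files(entries):
    """Report world-writable files and setuid binaries from the mode bits."""
    findings = []
    for path, mode in entries:
        if mode & stat.S_IWOTH:
            findings.append(f"file: {path} is world-writable")
        if mode & stat.S_ISUID:
            findings.append(f"file: {path} is setuid")
    return findings


def host_assessment():
    """Run the three local checks over the constructed inputs."""
    return check_sshd_config(SSHD_CONFIG) + check_shadow(SHADOW) + check_files(FILES)


if __name__ == "__main__":
    for finding in host_assessment():
        print(finding)
```

Each check is specific to the operating system's file formats, which is the dependency on the target OS that the text lists as a characteristic of host-based scanners; a network-based scanner can see none of these three files and would have to infer the same weaknesses indirectly from what the host exposes.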


6. Comparison of commonly used scanning tools


Origin blog.csdn.net/2301_76161259/article/details/130282949