本文選題：漏洞評估　切入點(diǎn)：滲透測試　出處：《河北科技大學(xué)》2014年碩士論文

【摘要】：隨著棱鏡門事件的爆發(fā)以及OpenSSL心臟出血漏洞事件的披露,信息安全逐漸成為近年來國家、企事業(yè)單位及科研機(jī)構(gòu)關(guān)注的焦點(diǎn)。為有效減小信息安全事件帶來的嚴(yán)重影響,漏洞評估以及滲透測試等網(wǎng)絡(luò)安全評估手段成了評估信息系統(tǒng)安全現(xiàn)狀最有效的方式。相較于國外,國內(nèi)相關(guān)安全評估技術(shù)資源較匱乏,現(xiàn)有的安全評估工具雖然數(shù)目眾多,但功能單一、操作困難,評估過程缺乏連貫性、自動化以及智能化等缺陷,由此造成國內(nèi)眾多信息系統(tǒng)存在的安全問題不能被及早發(fā)現(xiàn)。在上述背景下,本文利用Metasploit框架作為評估系統(tǒng)的核心,通過對Metasploit現(xiàn)有接口進(jìn)行二次開發(fā),集成當(dāng)前較流行的安全工具,以模塊化及插件式的方式,將原本的C/S架構(gòu)轉(zhuǎn)變?yōu)锽/S架構(gòu),并將系統(tǒng)有效劃分為主機(jī)掃描、密碼破解、Web掃描、漏洞利用、會話控制及報表生成等模塊,最后將各個階段智能化的關(guān)聯(lián)起來,以一種“黑盒子”的方式向用戶隱藏復(fù)雜的安全評估過程,最終通過Web展示評估結(jié)果。對本評估系統(tǒng)進(jìn)行了功能驗(yàn)證,并通過對比實(shí)驗(yàn),發(fā)現(xiàn)本系統(tǒng)從漏洞檢測率、漏洞利用成功率、掃描速率等方面都表現(xiàn)出明顯優(yōu)勢。利用本系統(tǒng),可以減小管理員的負(fù)擔(dān),增加信息系統(tǒng)的安全性,減輕敏感信息泄露的概率。
[Abstract]:With the outbreak of the Prism Gate incident and the disclosure of the OpenSSL heart bleeding loophole, information security has gradually become the focus of attention of the country, enterprises and institutions and scientific research institutions in recent years.In order to effectively reduce the serious impact of information security events, vulnerability assessment and penetration testing have become the most effective way to evaluate the security status of information systems.Compared with foreign countries, the domestic safety assessment technology resources are relatively scarce. Although the number of existing safety assessment tools is numerous, but the function is single, the operation is difficult, the evaluation process lacks of consistency, automation and intelligence, and so on.As a result, the security problems existing in many information systems in China cannot be detected as early as possible.Under the above background, this paper uses the Metasploit framework as the core of the evaluation system, through the secondary development of the existing interface of Metasploit, integrates the current more popular security tools, in the way of modularization and plug-in.The original C / S architecture is transformed into B / S architecture, and the system is effectively divided into host scanning, password cracking Web scanning, vulnerability exploitation, session control and report generation, etc. Finally, each stage is intelligently connected.Hide the complex security evaluation process from the user in a "black box" way, and finally display the evaluation results through Web.The function of the evaluation system is verified, and through comparative experiments, it is found that the system has obvious advantages in vulnerability detection rate, vulnerability utilization success rate, scanning rate and so on.The system can reduce the burden of administrator, increase the security of information system and reduce the probability of sensitive information leakage.
【學(xué)位授予單位】：河北科技大學(xué)
【學(xué)位級別】：碩士
【學(xué)位授予年份】：2014
【分類號】：TP393.08

【參考文獻(xiàn)】

相關(guān)期刊論文 前1條

1 常艷;王冠;;網(wǎng)絡(luò)安全滲透測試研究[J];信息網(wǎng)絡(luò)安全;2012年11期

相關(guān)碩士學(xué)位論文 前1條

1 曹斌;滲透測試演練平臺的設(shè)計與實(shí)現(xiàn)[D];北京郵電大學(xué);2012年

，

本文編號：1711614