發(fā)布時(shí)間：2018-11-26 11:58

【摘要】：網(wǎng)絡(luò)滲透測(cè)試實(shí)驗(yàn)平臺(tái)是網(wǎng)絡(luò)安全實(shí)驗(yàn)教學(xué)環(huán)境的重要組成部分,是培養(yǎng)學(xué)生深入理解和掌握網(wǎng)絡(luò)滲透測(cè)試技術(shù)的主要手段,對(duì)于提高學(xué)員的滲透測(cè)試實(shí)踐能力具有重要意義。網(wǎng)絡(luò)滲透測(cè)試包含信息搜集、網(wǎng)絡(luò)掃描、滲透攻擊等多個(gè)階段,每個(gè)階段涉及多種網(wǎng)絡(luò)安全技術(shù)。復(fù)雜的滲透測(cè)試過程極大的增加了順利開展網(wǎng)絡(luò)安全實(shí)驗(yàn)教學(xué)的難度。在網(wǎng)絡(luò)滲透測(cè)試教學(xué)實(shí)踐中,已有的滲透測(cè)試工具只具有特定的滲透測(cè)試功能,集成化程度低,同時(shí),漏洞信息搜集途徑單一,人工依賴程度高,缺乏自動(dòng)獲取能力。滲透測(cè)試急需一種綜合性的實(shí)驗(yàn)教學(xué)平臺(tái)。針對(duì)網(wǎng)絡(luò)滲透測(cè)試實(shí)驗(yàn)教學(xué)中漏洞信息更新不及時(shí)、滲透測(cè)試工具功能分散的問題,本文提出了一種網(wǎng)絡(luò)滲透測(cè)試綜合實(shí)驗(yàn)平臺(tái)。該平臺(tái)包括漏洞信息搜集爬蟲系統(tǒng)和網(wǎng)絡(luò)滲透測(cè)試集成處理系統(tǒng),以用戶友好性和集成可擴(kuò)展性為設(shè)計(jì)目標(biāo),旨在建立一套靈活易用的綜合性滲透測(cè)試教學(xué)實(shí)驗(yàn)平臺(tái)。本文的主要工作包括以下幾點(diǎn):(1)針對(duì)網(wǎng)絡(luò)安全教學(xué)過程中存在的問題和特殊性,通過大量的理論調(diào)研,總結(jié)了網(wǎng)絡(luò)滲透測(cè)試綜合實(shí)驗(yàn)平臺(tái)的理論需求,提出了一個(gè)集成化的網(wǎng)絡(luò)滲透測(cè)試綜合實(shí)驗(yàn)平臺(tái)設(shè)計(jì)思想,并給出了平臺(tái)結(jié)構(gòu)和應(yīng)用技術(shù)的詳細(xì)設(shè)計(jì)方案。(2)針對(duì)網(wǎng)絡(luò)安全教學(xué)中網(wǎng)絡(luò)滲透測(cè)試過程的復(fù)雜性問題,提出了一個(gè)導(dǎo)航式流程集成方法,實(shí)現(xiàn)了網(wǎng)絡(luò)滲透測(cè)試流程的向?qū)讲僮骱涂梢暬故?提供了一個(gè)功能強(qiáng)大、簡(jiǎn)潔實(shí)用的用戶友好界面。(3)針對(duì)網(wǎng)絡(luò)滲透測(cè)試工具功能覆蓋面不全的問題,在詳細(xì)分析了NMap和Nessue掃描功能特性及Metasploit滲透測(cè)試原理的基礎(chǔ)上,提出了一個(gè)基于遠(yuǎn)程API的工具擴(kuò)展方法,為網(wǎng)絡(luò)滲透測(cè)試環(huán)境的工具集成提供支撐。(4)針對(duì)漏洞信息收集效率不高的問題,引入了基于主題爬蟲的信息搜集技術(shù),設(shè)計(jì)了一種基于主題爬蟲的漏洞信息自動(dòng)搜集系統(tǒng),給出了系統(tǒng)的框架結(jié)構(gòu)和運(yùn)行流程,能夠?qū)崿F(xiàn)漏洞信息的即時(shí)更新。(5)通過UML建模分析,設(shè)計(jì)了測(cè)試平臺(tái)的層次結(jié)構(gòu),闡述了各個(gè)模塊及相關(guān)技術(shù)的實(shí)現(xiàn)細(xì)節(jié),最后,實(shí)現(xiàn)了基于Django架構(gòu)的實(shí)驗(yàn)平臺(tái)原型系統(tǒng)。本文最后通過對(duì)實(shí)驗(yàn)平臺(tái)原型系統(tǒng)進(jìn)行功能測(cè)試。通過測(cè)試分析驗(yàn)證了該平臺(tái)具有較好的可靠性和靈活擴(kuò)展能力,能夠有效解決滲透測(cè)試實(shí)驗(yàn)過程復(fù)雜、工具功能覆蓋不全、漏洞信息搜索效率不高的問題,對(duì)實(shí)際教學(xué)實(shí)踐應(yīng)用有效,可為學(xué)生更好的學(xué)習(xí)和掌握網(wǎng)絡(luò)滲透測(cè)試技術(shù)提供實(shí)驗(yàn)環(huán)境支持。
[Abstract]:The experimental platform of network penetration test is an important part of the network security experimental teaching environment and the main means to train students to understand and master the network penetration test technology deeply. It is of great significance to improve the students' practical ability of penetration testing. Network penetration testing includes information gathering, network scanning, penetration attack and so on. Each stage involves various network security technologies. The complicated process of penetration test greatly increases the difficulty of carrying out network security experiment teaching smoothly. In the teaching practice of network penetration testing, the existing penetration testing tools only have specific penetration testing functions, and the integration degree is low. At the same time, the way of collecting vulnerability information is single, the degree of artificial dependence is high, and the ability of automatic acquisition is lacking. Penetration testing is in urgent need of a comprehensive experimental teaching platform. In order to solve the problem that the loophole information is not up to date and the function of penetration testing tools is dispersed in the experiment teaching of network penetration testing, a comprehensive experimental platform for network penetration testing is proposed in this paper. The platform includes a vulnerability information gathering crawler system and a network penetration test integrated processing system. It aims at establishing a flexible and easy to use comprehensive penetration test teaching experimental platform with the goal of user friendliness and integrated scalability. The main work of this paper includes the following points: (1) in view of the problems and particularities in the teaching process of network security, through a large number of theoretical investigations, the theoretical requirements of the comprehensive experimental platform for network penetration testing are summarized. This paper puts forward a design idea of an integrated experimental platform for network penetration testing, and gives a detailed design scheme of the platform structure and application technology. (2) aiming at the complexity of network penetration testing process in network security teaching, A navigational process integration method is proposed, which realizes the guided operation and visual display of the network penetration testing process, and provides a powerful function. Simple and practical user friendly interface. (3) aiming at the problem of incomplete functional coverage of network penetration testing tools, the features of NMap and Nessue scanning functions and the principle of Metasploit penetration testing are analyzed in detail. A tool extension method based on remote API is proposed to support tool integration in network penetration testing environment. (4) Information gathering technology based on topic crawler is introduced to solve the problem of low efficiency of vulnerability information collection. A vulnerability information collection system based on topic crawler is designed, and the framework and running flow of the system are given. (5) through UML modeling and analysis, the hierarchical structure of the test platform is designed. The implementation details of each module and related technologies are described. Finally, the prototype system of experimental platform based on Django architecture is implemented. At the end of this paper, the function of the prototype system of the experimental platform is tested. The test results show that the platform has good reliability and flexible expansion ability, and can effectively solve the problems of complex process of penetration test, incomplete coverage of tool functions and low efficiency of vulnerability information search. It is effective to practical teaching practice and can provide experimental environment for students to learn better and master network penetration test technology.
【學(xué)位授予單位】：國防科學(xué)技術(shù)大學(xué)
【學(xué)位級(jí)別】：碩士
【學(xué)位授予年份】：2014
【分類號(hào)】：TP393.08

【參考文獻(xiàn)】

相關(guān)期刊論文 前1條

1 張勇,李力,薛倩;Web環(huán)境下SQL注入攻擊的檢測(cè)與防御[J];現(xiàn)代電子技術(shù);2004年15期

，

本文編號(hào)：2358493