Application of Network Security Vulnerability Scanner

Introduction to network security scanners

The rapid development of the Internet has brought great convenience to people's lives and work, but it has also brought problems that cannot be ignored, and the security and confidentiality of network information is one of them.

The openness of the network and attacks by hackers are the main reasons the network is insecure. When the Internet was first designed, its designers lacked an overall conception and design for security. The TCP/IP protocol suite we use assumed a trusted environment: its first consideration was network interconnection, and security was not considered. Moreover, TCP/IP is completely open, remote access lets many attackers succeed without ever being on site, and connected hosts operate on a principle of mutual trust, all of which make the network even less secure.

Advanced technology is a powerful weapon for achieving network information security. These technologies include cryptography, identity authentication, access control, security kernels, network anti-virus, information leakage prevention, firewalls, network security vulnerability scanning, intrusion detection and so on. Checking the system before a security incident occurs, finding problems in time and fixing them is a sound approach, and this is why network security vulnerability scanning technology came into being.

1. Basic working principle of scanner

A scanner is a program that automatically detects the security vulnerabilities of remote or local hosts. With a scanner we can discover the distribution of the various TCP ports, the services a remote server provides and their software versions, without leaving any trace, and so gain an indirect or direct picture of the security problems on the remote host.

The scanner uses simulated attacks to check the target, item by item, for possible known security vulnerabilities. The target can be a workstation, server, switch, database application or other object. Based on the scan results, a careful and reliable security analysis report is then provided to the system administrator, which gives an important basis for improving the overall level of network security. In building a network security system, security scanning tools are low in cost, effective, quick to show results, largely independent of the network's normal operation, and simple to install and operate; they can greatly reduce the manual work of security administrators and help keep the security policy of the whole network uniform and stable.

A scanner is not a program that directly attacks network vulnerabilities; it can only help us find some of the target machine's weaknesses. A good scanner can analyze the data it obtains and help us find the vulnerabilities of the target host, but it will not provide detailed steps for entering a system.

A scanner should have three capabilities: the ability to discover a host or a network; once a host is found, the ability to find out what services are running on it; and the ability to find vulnerabilities by testing those services.

Scanners are very important for Internet security because they can reveal the vulnerabilities of a network. There are hundreds of well-known security vulnerabilities on any existing platform. In most cases these vulnerabilities are unique and affect only one network service. Manually testing a single host for vulnerabilities is an extremely tedious task, and a scanning program can easily solve this problem. Scanner developers take available common attack methods and integrate them into the whole scan, so that users can find system vulnerabilities by analyzing the output.

2. Introduction to port scanning

A real scanner is a TCP port scanner, which selectively probes TCP/IP ports and services (such as Telnet or FTP) and records the target's responses. In this way useful information about the target host can be collected (for example, whether a user who has been absent for ten days can still log in). Other so-called scanners are merely UNIX network utilities generally used to check whether a service is working normally on a remote machine; they are not real scanners, but they can also be used to collect information about the target host (the rusers and host commands common on UNIX platforms are good examples of such programs).

2.1 TCP SYN scanning

The scanner sends a SYN packet, as if preparing to open a new connection, and waits for a response. A SYN|ACK in return indicates that the port is listening; a RST in return indicates that the port is not listening. If a SYN|ACK is received, the scanner must send a RST to abort the connection process.

Advantage: no record is left on the target computer.

Disadvantage: the scanner must have root privileges to build its own SYN packets.

2.2 TCP FIN scanning

A closed port replies to a FIN packet with a RST, while an open port ignores the FIN packet and sends no reply.

Advantage: FIN packets pass through without any trouble.

Disadvantage: this method depends on the system's TCP implementation. On some systems a FIN packet is answered whether the port is open or closed, and in that case the method is not practical.

2.3 TCP connect() scanning

The operating system provides the connect() system call to connect to each port of interest on the target computer. If the port is listening, connect() succeeds; otherwise the port is unreachable, that is, no service is provided on it.

Advantages: any user on the system is allowed to use this call. Scanning each target port in a linear fashion takes a long time, but opening multiple sockets at the same time speeds the scan up.

Disadvantage: it is easy to detect. The target computer's log files will show a series of connection and connection-error messages, and the scan can be blocked quickly.
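The three scan types above look different to the scanner but similar at the target's network edge: a SYN scan, a connect() scan and (where the implementation replies) a FIN scan all produce a burst of probes from one source to many distinct destination ports in a short time. The following added example, which is not part of the original article, shows the detection side of that observation: it parses constructed netfilter-style firewall log lines (the line format, host names and addresses are assumptions made for the example) and flags any source that touches at least `threshold` distinct ports on one destination within a sliding time window. It also goes slightly beyond the text by showing why the window matters: a slow probe spread over several minutes stays below the threshold with the default settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not taken from the page. 203.0.113.7 probes eight ports in
# a few seconds (a fast scan); 203.0.113.50 probes five ports more than a minute apart
# (a slow scan); 198.51.100.5 is a normal client of port 443; one sshd line is unrelated.
SAMPLE_LOG = """\
Jan 12 10:00:01 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 12 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 12 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 12 10:00:03 fw sshd[4242]: Accepted publickey for alice from 198.51.100.9 port 50022 ssh2
Jan 12 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 12 10:00:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 12 10:00:05 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
Jan 12 10:00:06 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jan 12 10:00:07 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=110 SYN
Jan 12 10:00:08 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=139 SYN
Jan 12 10:00:09 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=443 SYN
Jan 12 10:00:10 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=21 SYN
Jan 12 10:00:30 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=443 SYN
Jan 12 10:01:30 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=33002 DPT=22 SYN
Jan 12 10:02:50 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=33003 DPT=23 SYN
Jan 12 10:04:10 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=33004 DPT=25 SYN
Jan 12 10:05:30 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=33005 DPT=80 SYN
"""

# Assumed line layout: syslog timestamp, host, "kernel:", then netfilter key=value
# fields and trailing TCP flag words. Lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"IN=\S* SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP "
    r"SPT=\d+ DPT=(?P<dpt>\d+)(?P<flags>(?: [A-Z]+)*)$"
)


def parse_line(line):
    """Return a dict for a TCP firewall log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        # syslog lines carry no year; strptime defaults it, which is fine for ordering
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dpt": int(m.group("dpt")),
        "flags": m.group("flags").split(),
    }


def detect_scans(lines, threshold=5, window_seconds=60):
    """Flag (src, dst) pairs whose SYNs reach >= threshold distinct ports within any window."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, destination port), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or "SYN" not in rec["flags"]:
            continue
        events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dpt"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in sorted(events.items()):
        evs.sort()
        # Slide a window starting at each event; the first window over the
        # threshold produces one alert for this source/destination pair.
        for i, (start, _) in enumerate(evs):
            ports = {dpt for ts, dpt in evs[i:] if ts - start <= window}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst,
                               "window_start": start.strftime("%H:%M:%S"),
                               "ports": sorted(ports)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"possible port scan from {alert['src']} against {alert['dst']} "
              f"starting {alert['window_start']}: ports {alert['ports']}")
```

With the defaults only 203.0.113.7 is reported. The slow probe from 203.0.113.50 never has more than one port inside a 60-second window, so catching it requires a longer window or a lower threshold, at the cost of more false positives from busy legitimate clients; the window and threshold are the two knobs to tune against your own baseline traffic.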

3. Introduction of scanner program

At present, existing scanner products fall mainly into two types: host-based and network-based. The former focuses on risky vulnerabilities on the host where the software is installed, while the latter remotely detects security vulnerabilities on other hosts across the network.

Abroad, the host-based products mainly include ESM from AXENT and System Scanner from ISS, and the network-based products include Internet Scanner from ISS, NetRecon from AXENT, CyberCops Scanner from NAI and NetSonar from Cisco. In China there is currently the NetPower product developed by the Netpower Studio of the Chinese Academy of Sciences, and North Computer Company (* * *) has similar products. Below are some free scanners available on the Internet.

3.1 NSS (Network Security Scanner)

(1) NSS is written in Perl. Its fundamental value lies in speed: it runs very fast and can perform the following routine checks:

■ Sendmail

■ anonymous FTP

■ NFS exports

■ TFTP

■ Hosts.equiv

(2) Users can add more powerful functions to NSS, including:

■ AppleTalk scanning

■ Novell scanning

■ LAN administrator scanning

■ Scannable subnets

(3) The steps NSS performs include:

■ Obtaining a host list or report for the specified domain, or reporting that the domain has no such list

■ Using the ping command to determine whether the specified host is active

■ Scanning the ports of the target host

■ Reporting the vulnerabilities of the specified address

(4) Tip

After unpacking NSS you cannot run it immediately; some modifications are needed, and you must set several environment variables to match your machine's configuration. The main variables are:

■ $tmpdir: the temporary directory used by NSS

■ $ypx: the directory of the ypx application

■ $ping_executable: the directory of the ping command

■ $xwininfo: the directory of xwininfo

If the Perl include directory (the directory containing the Perl include files) is hidden and not included in the PATH environment variable, Users should also note that NSS needs the ftplib.pl library. NSS supports parallelism and can perform distributed scanning across many workstations; it does so by forking processes. When running NSS on a machine with limited resources (or without permission to fork), this should be avoided, and the code has options for that purpose.

3.2 Strobe (Super Optimized TCP Port Detector)

Strobe is a TCP port scanner that records all open ports on a specified machine. Strobe runs fast (its author claims that it can scan the machines of an entire country in a moderate amount of time).

The main feature of strobe is that it can quickly identify which services are running on the specified machine. Its main disadvantage is that this information is very limited: at best, a strobe run gives "intruders" a rough guide to which services could be attacked. However, strobe makes up for this deficiency with extensive command-line options. For example, when scanning a host with a large number of specified ports, you can suppress all duplicate port descriptions (printing only the first port definition). Other options include:

■ Defining the start and end ports

■ Defining how long to wait before abandoning the scan if no port or host response is received

■ Defining the number of sockets to use

■ Specifying a file listing the target hosts for strobe to read

When you obtain strobe, be sure to get the manual page as well; it notes an obvious problem on Solaris 2.3. To prevent trouble there, you must disable the use of getpeername(), which is done by adding the -g flag on the command line. At the same time, although strobe does not test the remote host extensively, the trace it leaves is as obvious as that of early ISS, and a host scanned by strobe will know all about it (the connection requests show up in the /var/adm/messages file much like any other connection attempt).

3.3 SATAN (network analysis tool for security administrators)

SATAN is designed for UNIX and is written mainly in C and Perl (some HTML is also used for its user-friendly interface). It runs on many UNIX-like platforms, some of which need no porting at all, while others need only minor porting.

Running SATAN on Linux has a particular problem: some rules that applied to the original system cause fatal failures on the Linux platform. The implementation of the select() call in the tcp-scan module also causes problems, and finally, if a user scans a complete subnet, it triggers a reverse fping explosion, that is, a socket buffer overflow. However, one site provides not only an improved SATAN binary for Linux but also the diff file. SATAN is used to scan remote hosts for many known vulnerabilities, including but not limited to the following:

■ FTPD vulnerabilities and writable FTP directories

■ NFS vulnerabilities

■ NIS vulnerabilities

■ RSH vulnerabilities

■ Sendmail

■ X server vulnerabilities

Installing SATAN on each platform is the same as for other applications. The first step of installation (after reading the instructions in the user documentation) is to run the Perl program reconfig. This program searches for the various components and defines the directory paths. If it cannot find or define a browser, the operation fails, and users who have installed their browser in a non-standard directory (and have not added it to PATH) will have to set it manually. Similarly, users who are not using DNS (who are not running DNS on their own machines) must also make the following setting in /satan-1.1.1/conf/satan.cf: $dont_use_nslookup = 1; After solving all the path problems, users can run the install program for their distribution (IRIX or SunOS). I suggest watching the compilation very carefully to catch errors.

SATAN needs more resources than typical scanners, especially memory and processor power. If SATAN runs slowly for you, there are several remedies. The most direct is to add memory and processor capacity, but if that is not possible, I suggest two other approaches: first, stop as many other processes as possible; second, limit the number of hosts scanned at one time to fewer than 111. Finally, it is important that SATAN has a command-line interface for hosts without strong graphics support or with limited memory.

3.4 Jakal

Jakal is a stealth scanner, that is, it can scan an area (behind a firewall) without leaving any trace.

When the stealth scanner works it produces "half scans", which start (but never complete) the SYN/ACK exchange with the target host. Fundamentally, the stealth scanner bypasses the firewall and evades port-scan detectors in order to identify which services are running behind the firewall. This includes sophisticated scan detectors such as Courtney and Gabriel.

3.5 ident tcpscan

ident tcpscan is a more specialized scanner: it adds the ability to identify the owner of the process bound to a specified TCP port, that is, it can determine the UID of that process.

3.6 CONNECT

CONNECT is a /bin/sh script used to scan a subnet for the TFTP service.

3.7 FSPScan

FSPScan is used to scan for FSP services. FSP stands for File Service Protocol, an Internet protocol very similar to FTP. It provides anonymous file transfer and is said to offer protection against network overload (for example, FSP never forks). FSP knows best.