基于TrackRay的滲透測試平臺設(shè)計(jì)
《信息技術(shù)與網(wǎng)絡(luò)安全》2020年第6期
范 晶,焦運(yùn)良,戴貽康
華北計(jì)算機(jī)系統(tǒng)工程研究所,北京100083
摘要: 如何維護(hù)網(wǎng)絡(luò)信息安全一直是IT行業(yè)重點(diǎn)關(guān)注的問題。滲透測試是一種常見的網(wǎng)絡(luò)安全評估方法,由于滲透測試所采用的安全工具過于繁雜,因此設(shè)計(jì)一個(gè)基于TrackRay的滲透測試平臺,內(nèi)置有漏洞掃描器和Web服務(wù)接口,并集成和綜合多種安全工具的優(yōu)點(diǎn),功能強(qiáng)大,簡便易用。特別是支持Java、Python、JSON等方式編寫插件,調(diào)用各種類型插件來進(jìn)行滲透測試,可移植性大大提高。經(jīng)試驗(yàn)結(jié)果表明,該滲透測試平臺搭建簡單方便,可運(yùn)用于Windows和Linux等系統(tǒng),并且可以進(jìn)行靈活的編寫插件實(shí)現(xiàn)快速的Web安全漏洞檢測。
中圖分類號: TP309
文獻(xiàn)標(biāo)識碼: A
DOI: 10.19358/j.issn.2096-5133.2020.06.007
引用格式: 范晶,焦運(yùn)良,戴貽康. 基于TrackRay的滲透測試平臺設(shè)計(jì)[J].信息技術(shù)與網(wǎng)絡(luò)安全,2020,39(6):38-43.
文獻(xiàn)標(biāo)識碼: A
DOI: 10.19358/j.issn.2096-5133.2020.06.007
引用格式: 范晶,焦運(yùn)良,戴貽康. 基于TrackRay的滲透測試平臺設(shè)計(jì)[J].信息技術(shù)與網(wǎng)絡(luò)安全,2020,39(6):38-43.
Design of penetration test platform based on TrackRay
Fan Jing,Jiao Yunliang,Dai Yikang
National Computer System Engineering Research Institute of China,Beijing 100083,China
Abstract: Today,how to ensure information security is an important problem in the Internet. Penetration test is a common network security assessment method. Because using different security tools are too complicated, this paper designs a penetration testing platform based on TrackRay, with built-in vulnerability scanner and web service interface. It also integrates the advantages of various security tools, which makes it powerful and easy to use. In particular, the framework supports Java, Python, JSON and other ways to write plug-ins and calling various types of plug-ins to take penetration testing. And its portability is greatly improved. From the experimental results, it shows that the penetration testing platform designed in this paper is simple and convenient to build, can be used in Windows and Linux systems, and can be flexible to write plug-ins to achieve rapid detection of web security vulnerabilities.
Key words : information security;penetration testing;TrackRay;portability
互聯(lián)網(wǎng)中Web應(yīng)用所產(chǎn)生的漏洞數(shù)量越來越多,使得每年發(fā)生的黑客攻擊案件也在逐年增長[1]。為了保障網(wǎng)絡(luò)或系統(tǒng)的信息安全,在系統(tǒng)投入應(yīng)用之前都會對其進(jìn)行滲透測試。滲透測試模擬黑客或者入侵者的攻擊行為,繞過或破壞目標(biāo)系統(tǒng)的安全防護(hù)并獲得一定的系統(tǒng)權(quán)限,在此過程中檢測系統(tǒng)漏洞或病毒并給出修復(fù)建議,從而分析與評估系統(tǒng)的安全等級。通常使用的滲透測試工具有WVS、AppScan、Nessus等,這些工具測試時(shí)存在自動(dòng)化水平低、測試流量太大以及漏洞發(fā)現(xiàn)率較低等缺點(diǎn)。基于此,本文設(shè)計(jì)一個(gè)基于TrackRay的滲透測試平臺,功能強(qiáng)大,便于搭建,并且可以靈活地編寫插件快速實(shí)現(xiàn)Web安全漏洞檢測。
本文詳細(xì)內(nèi)容請下載: http://www.xxav2194.com/resource/share/2000003189
作者信息:
范 晶,焦運(yùn)良,戴貽康
(華北計(jì)算機(jī)系統(tǒng)工程研究所,北京100083)
此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。