Design And Implementation Of Penetration Testing System Based On MVC Framework

With the continuous development of the Internet,people are becoming more and more dependent on the Internet.While enj oying the convenience of the Internet,people will also be threatened by network security incidents such as Bitcoin virus extortion.People's security and economic property will be greatly affected.In order to reduce the impact of network security incidents,the penetration testing method in network evaluation has become one of the most effective ways to evaluate network system security.Penetration testing started late in China,and the requirements for testers are relatively high.Although there are many kinds of penetration testing tools and platforms,however,most of the tools and platforms are single in function,ineffective,low in automation and low in penetration testing efficiency.Based on the above background,this paper focuses on the calculation method of penetration testing attack path based on attack graph,constructs a penetration testing attack path model based on attack graph,encapsulates different penetration testing tools in different stages by using information collection,network scanning and vulnerability utilization technologies,and the penetration testing system is implemented with Spring MVC framework.The problems mentioned above are well solved.The specific work and innovations are as follows:1.This paper constructs a calculation model of penetration testing path attack scheme based on attack graph,which mainly includes target information collection,index system establishment and quantification,host attack graph generation and attack path scheme calculation.This paper collects information from five aspects:host,port,topology,service and vulnerability,establishes index system,links each isolated point,quantifies attack complexity and privilege requirement,generates attack graph by using forward attack graph algorithm,and vulnerability utilization success rate is weighted,and the attack path is calculated by the penetration success rate,and the penetration attack is carried out according to the optimal attack path scheme.Finally,through experimental verification and comparison,it is proved that the method of calculating penetration testing path attack scheme based on attack graph has better advantages,availability and practicability.2.The penetration testing system is designed and implemented with Spring MVC framework.The system consists of seven modules,including information collection module,vulnerability scanning module,attack path generation module and penetration attack module.Information collection module collects target network information from ports,hosts,topologies and services by using encapsulated Nmap tools,SNMP and ARP protocols;vulnerability scanning module detects vulnerability information by using Xscan or Nessus tools on the basis of information collection;the attack path generation module is based on the information collected by information collection and vulnerability scanning,calculates the model of penetration testing path attack scheme based on attack graph,and generates attack graph and attack path scheme;the penetration attack module uses Metasploit to attack according to penetration attack path scheme,and finally obtains user privileges and generates a penetration testing report.In addition,Nmap,Xscan and other penetration testing tools are uniformly packaged and deployed before they are used.According to the designed interface and script template,automatic invocation tools can effectively enhance the degree of Automated Penetration testing.3.Testing and analyzing the system.Through setting up environment,testing the functions of each module,and comparing with traditional penetration testing tools and platforms,it proves that the system has great advantages in information collection,vulnerability scanning,attack path generation,penetration testing efficiency,degree of automation and other performance,it has certain practical value in practical application.