Method and device for detecting DHCP service across VLAN based on vulnerability lateral movement

By deploying an agent program within the local area network and using Nmap for asset detection and vulnerability scanning, and propagating a DHCP service check program across VLANs, the problem of detecting unauthorized DHCP servers across VLANs was solved, thus achieving effective network security management and detection.

CN122372271APending Publication Date: 2026-07-10NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP
Filing Date
2026-04-15
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing technologies cannot effectively detect DHCP services across VLANs, causing unauthorized DHCP servers to hide in other VLANs, increasing network management complexity and security threats.

Method used

By deploying an agent program within the local area network and using the Nmap tool for asset detection and vulnerability scanning, target asset devices with vulnerabilities are identified. Then, through these vulnerabilities, a DHCP service checker program is propagated across VLANs to detect DHCP services in other VLANs.

Benefits of technology

It implements cross-VLAN DHCP service detection, can identify unauthorized DHCP servers, maintain network order and security, and prevent attacks such as ARP spoofing.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372271A_ABST
    Figure CN122372271A_ABST
Patent Text Reader

Abstract

This application provides a method and apparatus for cross-VLAN DHCP service detection based on vulnerability lateral propagation, relating to the field of network security technology. The method includes: obtaining device information of online asset devices in other VLANs within the same local area network based on an agent program pre-deployed on a terminal device in a certain VLAN of the local area network; wherein the agent program includes a DHCP service checking program; determining a target asset device with a vulnerability based on the obtained device information; propagating the DHCP service checking program across VLANs to the target asset device through the vulnerability; and starting the DHCP service checking program on the target asset device to obtain relevant information about the DHCP service in its VLAN. This application realizes the cross-VLAN transmission of the DHCP service checking program, detecting unauthorized DHCP services that may exist in other VLANs, thereby reducing network security threats and vulnerabilities.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to a method, apparatus, device, and medium for detecting DHCP services across VLANs based on lateral propagation of vulnerabilities. Background Technology

[0002] In a physical local area network (LAN), Virtual Local Area Network (VLAN) technology is used to logically divide the LAN into multiple isolated broadcast domains. Dynamic Host Configuration Protocol (DHCP) is an important service in network infrastructure, primarily responsible for allocating and managing IP addresses within the LAN. Typically, there is only one authorized DHCP server within a VLAN.

[0003] If multiple DHCP servers exist within a single VLAN, it can lead to IP address confusion or conflicts, affecting not only normal network operation but also increasing the complexity of network management. Furthermore, unauthorized DHCP servers may pose network security threats, potentially resulting in information leaks. Therefore, performing DHCP service checks is essential. This effectively detects and manages DHCP services within the local area network, identifies potential unauthorized DHCP servers, maintains network order and security, effectively defends against covert network attacks such as ARP spoofing, and protects user networks from malicious attacks.

[0004] In related technologies, DHCP service detection methods primarily rely on sending broadcast packets to obtain server responses. However, due to the isolation characteristics of VLANs, broadcast packets cannot be forwarded between different VLANs. Therefore, this detection method typically only detects and manages DHCP services within the current VLAN, making it difficult to detect unauthorized DHCP service deployments that may exist in other VLANs. If an unauthorized DHCP server is hidden in another VLAN, it will leave blind spots and potential vulnerabilities for network security operations and maintenance. Summary of the Invention

[0005] To address the shortcomings of the existing technologies, this invention provides a method, apparatus, device, and medium for cross-VLAN DHCP service detection based on vulnerability lateral propagation, employing the following technical solution: Firstly, a method for detecting DHCP services across VLANs based on vulnerability lateral propagation is provided, including: Based on the agent program pre-deployed on the terminal device of a certain VLAN in the local area network, the device information of online asset devices in other VLANs in the same local area network is obtained; wherein, the agent program includes a DHCP service check program; Based on the obtained device information, the target asset device with the vulnerability was identified; By exploiting vulnerabilities in the target asset device, the DHCP service inspection program is propagated across VLANs to the target asset device; The DHCP service check program is initiated on the target asset device to obtain relevant information about the DHCP server in the VLAN.

[0006] Secondly, a device for detecting DHCP services across VLANs based on vulnerability lateral propagation is provided, including: The asset detection module is used to obtain device information of online asset devices in other VLANs within the same local area network based on an agent program pre-deployed on a terminal device in a certain VLAN of the local area network; wherein, the agent program includes a DHCP service check program; The vulnerability scanning module is used to identify target asset devices with vulnerabilities based on the acquired device information. The program propagation module is used to propagate the DHCP service inspection program across VLANs to the target asset device by exploiting vulnerabilities in the target asset device. The DHCP service detection module is used to start the DHCP service check program on the target asset device to obtain relevant information about the DHCP server in the VLAN.

[0007] Thirdly, an electronic device is provided, comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, performs the steps of the method as described in the first aspect.

[0008] Fourthly, a readable storage medium is provided, on which a program or instructions are stored, which, when executed by a processor, implement the steps of the method as described in the first aspect.

[0009] The method for detecting DHCP services across VLANs based on vulnerability lateral propagation in this application has the following beneficial effects: Because VLANs isolate broadcast packets, DHCP services within other VLANs cannot be detected. Therefore, the key to DHCP service detection lies in how to send the DHCP service checking program from a terminal device in one VLAN to devices in other VLANs for DHCP service detection. This application identifies vulnerable asset devices in other VLANs within the LAN by scanning, and then sends the DHCP service checking program to the target asset devices through these vulnerabilities, achieving cross-VLAN transmission of the DHCP service checking program. Once the DHCP service checking program is transmitted across VLANs to the vulnerable host device, the DHCP service checking function is activated to detect the DHCP service within that VLAN. Then, the legitimacy of the DHCP service can be determined based on the returned DHCP server information.

[0010] The apparatus, electronic device, and readable storage medium corresponding to the method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation in this application can achieve the same technical effect, and will not be described in detail here to avoid duplication. Attached Figure Description

[0011] Figure 1 A schematic flowchart illustrating a method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation, provided for embodiments of this application; Figure 2 A schematic flowchart illustrating another method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation provided in this application embodiment; Figure 3 This is a schematic diagram of the architecture of a DHCP service detection device based on vulnerability lateral propagation to achieve cross-VLANs, provided in an embodiment of this application. Detailed Implementation

[0012] To further illustrate the technical means and effects adopted by the present invention to achieve its intended purpose, the technical solutions in the embodiments of this application are clearly described. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art are within the scope of protection of this application.

[0013] The terms "first," "second," etc., used in the specification and claims of this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such terms can be used interchangeably where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first," "second," etc., are generally of the same class and the number of objects is not limited; for example, a first object can be one or more. Furthermore, in the specification, "and / or" indicates at least one of the connected objects, and the character " / " generally indicates that the preceding and following objects are in an "or" relationship.

[0014] The steps described in this application and the flowcharts in the accompanying drawings are not necessarily strictly executed according to the step numbers; the execution order of the steps can be changed. Furthermore, certain steps can be omitted, multiple steps can be combined into one step, and / or one step can be broken down into multiple steps.

[0015] This specification provides a method for detecting DHCP services across VLANs based on lateral propagation of vulnerabilities, and also relates to a device for detecting DHCP services across VLANs based on lateral propagation of vulnerabilities, a computer device, and a computer-readable storage medium. The following describes each item in detail with reference to the accompanying drawings and preferred embodiments.

[0016] Please see Figure 1-2 This application provides a method for detecting DHCP services across VLANs based on vulnerability lateral propagation, including: Step S1: Based on the agent program pre-deployed on the terminal device of the first VLAN of the local area network, obtain the device information of online asset devices in other VLANs within the same local area network; wherein, the agent program includes a DHCP service check program; Step S2: Based on the obtained device information, identify the target asset device with the vulnerability; Step S3: By exploiting the vulnerability in the target asset device, propagate the DHCP service inspection program across VLANs to the target asset device; Step S4: Start the DHCP service check program on the target asset device to obtain relevant information about the DHCP server in the VLAN.

[0017] Because VLANs isolate broadcast packets, DHCP services within other VLANs cannot be detected. Therefore, the key to DHCP service detection lies in how to send the DHCP service checking program from a terminal device in one VLAN to devices in other VLANs for DHCP service detection. This application identifies vulnerable asset devices in other VLANs within the LAN by scanning, and then sends the DHCP service checking program to the target asset devices through these vulnerabilities, achieving cross-VLAN transmission of the DHCP service checking program. Once the DHCP service checking program is transmitted across VLANs to the vulnerable host device, the DHCP service checking function is activated to detect the DHCP service within that VLAN. Then, the legitimacy of the DHCP service can be determined based on the returned DHCP server information.

[0018] Furthermore, the agent program also includes an asset detection program and a vulnerability scanning program; The asset detection program uses a combination of Nmap's ICMP scanning and TCP probing to detect assets and obtain device information (such as IP address, MAC address, etc.) of online asset devices. The vulnerability scanning program uses Nmap's port scanning method to obtain the open status of port 445 and SMB service version information of the asset device to determine whether a vulnerability exists; if it exists, it uses the SMB service on port 445 to propagate the DHCP service check program across VLANs to the target asset device.

[0019] The DHCP service checking program detects the DHCP service within its VLAN by sending broadcast packets and obtains relevant information about the DHCP server.

[0020] This application embodiment mainly utilizes an agent program deployed on a VLAN terminal within a local area network to detect vulnerable asset devices in other VLANs within the same local area network. The DHCP service checking program in the agent program is then propagated to the vulnerable asset devices in other VLANs. The DHCP service checking program then detects the DHCP service in the propagated VLAN by sending broadcast packets, thereby realizing DHCP service detection in other VLANs.

[0021] Furthermore, the agent program is automatically loaded when the operating system starts and runs continuously in the background, enabling DHCP service detection to be performed in real time or periodically.

[0022] In practice, during the installation of the agent program, regsvr32 is called to register the agent program's background service. After registration, a background service item will be added under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services in the registry. The operating system will automatically load and run this service when it starts up. In this way, the asset detection, vulnerability scanning and DHCP service check function modules of this method will always be running.

[0023] Furthermore, in order to send the DHCP service check program to devices in other VLANs, it is first necessary to know which other online asset devices are present in the local area network. This application embodiment uses a combination of Nmap's ICMP scanning and TCP probing methods to scan for other online asset devices in the local area network. Specifically: First, perform an ICMP scan. If the ICMP scan fails, then enable TCP probing. The ICMP scan specifically includes: obtaining device information of online asset devices based on the response by sending ICMP Echo requests, Timestamp requests, or AddressMask requests; The TCP probe specifically includes: sending a SYN packet or an empty packet to port 445 of the target IP address, and obtaining the device information of the online asset device based on the response.

[0024] Nmap (an open-source tool) has host detection capabilities. By sending specific probe packets and analyzing the target response, it can perform liveness checks on a specified IP address to determine whether a host is online. This application applies Nmap's host detection functionality to asset detection. Specifically, Nmap's ICMP is first used to probe asset devices within the local area network. The command "nmap -sn -PE targetIP / 24" is then used to probe asset devices at a specified address. If an online asset device exists on the network, its returned device information, such as IP address and MAC address, will be received. However, if the target device blocks ICMP, Nmap's ICMP detection will fail. Therefore, this patent also integrates Nmap's TCP probing method. When Nmap's ICMP scanning fails, Nmap's TCP probing is then used to scan asset devices, thereby improving the success rate of the detection.

[0025] For example, the specific command for TCP probing using Nmap in this embodiment is "nmap -sn -PS445 targetIP / 24". This method can not only detect online asset devices, but also determine whether port 445 of the device is open, so as to use the port for program propagation.

[0026] Furthermore, in order to send the DHCP service check program to devices in other VLANs within the local area network (LAN), after detecting the asset devices within the LAN, we also need to know which asset devices have vulnerabilities. This article uses Nmap's port scanning method to determine whether a specified port on a device is open. Specifically: The Namp TCP SYN scan method is used to send TCP SYN packets to port 445 of the target asset device, and the port status is determined based on the response. If a SYN+ACK packet is returned, then port 445 of the target host is open. If an RST reset message is returned, then port 445 of the target host is closed. Further scan the target asset device with the port open to obtain its SMB service version information in order to determine whether it can be used to spread programs or files.

[0027] Nmap provides port scanning functionality. Its working principle involves sending specific types of network packets to a target port and determining the port's operational status based on the response. Nmap can scan ports in the default range of 1-10000 or perform a precise scan of a specific port. Nmap's port scanning consists of two main steps: the first step is sending probe packets, i.e., sending specific types of network packets (such as TCP SYN, ACK, etc.) to the specified port on the target host; the second step is parsing the response packets, i.e., inferring the port status based on the response or no response from the target host. This application applies Nmap's port scanning functionality to vulnerability scanning, using TCP SYN to scan port 445 of the target host. Sending TCP SYN packets simulates the initial request to establish a connection, i.e., the first handshake; if port 445 of the target host is open, a SYN+ACK is returned, i.e., the second handshake; if port 445 of the target host is closed, an RST reset packet is returned; if the target host does not respond, the port may be filtered by a firewall.

[0028] It is worth noting that the TCP SYN scan in this application does not require completing the three-way TCP handshake, thus avoiding being logged and therefore possessing a certain degree of stealth.

[0029] For example, the specific scanning command in this embodiment is as follows: Use "nmap -sS -p 445 target IP" to scan whether port 445 of a device is enabled. If it is enabled, use "nmap -sV -sS -p- target IP" to scan and obtain the version number of the running SMB service to determine whether it can be used to propagate programs or files. If port 445 of a device's operating system is open and running an SMB service, and the version of the SMB service meets the requirements, the SMB service on port 445 can be used to propagate the DHCP service check program across VLANs, sending the DHCP service check program from a terminal device in one VLAN of the local area network to devices in other VLANs.

[0030] Furthermore, in order to detect DHCP service within a VLAN, this embodiment of the application uses the NDIS driver to send IP request broadcast packets to obtain relevant information about the DHCP server. Specifically: First, assemble the request packet used to simulate automatically obtaining an IP address; Next, the request packet is broadcast within the VLAN via the NDIS driver; Then, receive the response information returned by the DHCP server, such as the MAC address and IP address of the DHCP server.

[0031] In this embodiment, a request packet that simulates automatic IP address acquisition is first assembled, and then the NDIS driver is used to send the IP request packet out in a broadcast manner. If a DHCP service exists in the current VLAN, it will return an automatically assigned IP address and relevant information about the DHCP server, such as the DHCP server's MAC address and IP address. If the MAC address and other relevant information of the DHCP server match the MAC address and other information of a known authorized DHCP server, then the DHCP service is legitimate; otherwise, it indicates an unauthorized DHCP service.

[0032] In some possible implementations, the method for detecting DHCP services across VLANs based on vulnerability lateral propagation further includes: The detected DHCP service information is compared with the pre-configured legitimate DHCP server information. If an unauthorized DHCP server is detected within a VLAN, the relevant information will be reported to the alarm server.

[0033] Based on the above technical solution, when a proxy program with asset detection, vulnerability detection, and DHCP service inspection functions is deployed and started on a terminal in a certain VLAN of the local area network (LAN), it performs asset detection, probing asset devices in other VLANs of the LAN and receiving relevant information returned by online devices to determine which online asset devices are in the LAN. Then, based on the online host information provided by the asset detection results, it performs vulnerability scanning on online devices in other VLANs to determine which devices have their 445 port open and are running SMB services. The SMB services of these vulnerable devices are then used to transmit a DHCP service inspection program across VLANs. When the DHCP service inspection program is transmitted across VLANs to the vulnerable host device, the DHCP service inspection function is activated to detect the DHCP service in that VLAN. If a relevant DHCP service is detected in a certain VLAN, we can determine the legitimacy of the DHCP service based on the returned DHCP server information and finally report it to the alarm server to alert the administrator. This includes providing an interface for receiving, storing, viewing, and auditing alarm information. Therefore, this application can detect DHCP services across VLANs within a local area network; and monitor DHCP services in real time, and when a new DHCP service is detected, it can promptly report the relevant information to the alarm server.

[0034] See Figure 3 Corresponding to the above-described method embodiment for detecting DHCP services across VLANs based on vulnerability lateral propagation, this application embodiment provides a device for detecting DHCP services across VLANs based on vulnerability lateral propagation, comprising: The asset detection module obtains device information of online asset devices in other VLANs within the same local area network based on an agent program pre-deployed on a terminal device in a certain VLAN of the local area network; wherein, the agent program includes a DHCP service check program; The vulnerability scanning module identifies target asset devices with vulnerabilities based on the acquired device information. The program propagation module uses vulnerabilities in the target asset device to propagate the DHCP service inspection program across VLANs to the target asset device; The DHCP service detection module initiates the DHCP service check program on the target asset device to obtain relevant information about the DHCP servers of other VLANs.

[0035] Furthermore, the agent program also includes an asset detection program and a vulnerability scanning program; The asset detection program is used to detect assets by combining ICMP scanning and TCP probing, and to obtain equipment information of online asset devices. The vulnerability scanning program determines whether a vulnerability exists by scanning the open status of port 445 and the SMB service version information of the asset device. If a vulnerability exists, it uses the SMB service on port 445 to propagate the DHCP service check program across VLANs to the target asset device.

[0036] Furthermore, the DHCP service checking program is used to detect the DHCP service within its VLAN by sending broadcast packets and to obtain relevant information about the DHCP server.

[0037] Furthermore, the agent program is automatically loaded when the operating system starts and runs continuously in the background, enabling DHCP service detection to be performed in real time or periodically.

[0038] Furthermore, the asset detection program is used to perform asset detection using a combination of ICMP scanning and TCP probing to obtain equipment information of online asset devices; specifically including: First, perform an ICMP scan. If the ICMP scan fails, then enable TCP probing. The ICMP scan specifically includes: obtaining device information of online asset devices based on the response by sending ICMP Echo requests, Timestamp requests, or AddressMask requests; The TCP probe specifically includes: sending a SYN packet or an empty packet to port 445 of the target IP address, and obtaining the device information of the online asset device based on the response.

[0039] Furthermore, the vulnerability scanning program uses Nmap's port scanning method to obtain the open status of port 445 and SMB service version information of the asset device to determine whether a vulnerability exists; specifically including: The TCP SYN packet is sent to port 445 of the target asset device using a TCP SYN scan, and the port status is determined based on the response. If a SYN+ACK packet is returned, then port 445 of the target host is open. If an RST reset message is returned, then port 445 of the target host is closed. Further scan the target asset device with the port open to obtain its SMB service version information in order to determine whether it can be used to spread programs or files.

[0040] Furthermore, the DHCP service checking program is used to detect the DHCP service within its VLAN by sending broadcast packets and to obtain relevant information about the DHCP server; specifically, it includes: Configure request packets to simulate automatically obtaining IP addresses; The request packet is sent in broadcast form within the VLAN via the NDIS driver; Receive response information returned by the DHCP server; optionally, obtain the MAC address and IP address of the DHCP server from the response information.

[0041] Furthermore, the DHCP service detection device based on vulnerability lateral propagation across VLANs also includes an alarm server, used to compare the detected DHCP service information with pre-set legitimate DHCP server information. If an unauthorized DHCP server is detected within a VLAN, the relevant information will be reported to the alarm server.

[0042] The above-described device for detecting DHCP services across VLANs based on vulnerability lateral propagation implements the steps and processes of the above-described method for detecting DHCP services across VLANs based on vulnerability lateral propagation, and achieves the same technical effect. To avoid repetition, it will not be described again here.

[0043] Corresponding to the above embodiments of the method for detecting DHCP services across VLANs based on the lateral propagation of vulnerabilities, this application provides an electronic device, which includes: a memory, a processor, and a computer program stored in the memory and executable on the processor. When the computer program is executed by the processor, it implements the steps and processes of the above embodiments of the method for detecting DHCP services across VLANs based on the lateral propagation of vulnerabilities, and achieves the same technical effect. To avoid repetition, it will not be described again here.

[0044] Memory can be used to store software programs and various data. Memory can primarily include a first storage area for storing programs or instructions and a second storage area for storing data. The first storage area can store the operating system, application programs or instructions required for at least one function (such as sound playback, image playback, etc.). Furthermore, memory can include volatile memory or non-volatile memory, or both. Non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. Volatile memory can be random access memory (RAM), static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous linked dynamic random access memory (Synchlink DRAM, SLDRAM), and direct memory bus RAM (DRRAM). The memory in the embodiments of this application includes, but is not limited to, these and any other suitable types of memory.

[0045] The processor may include one or more processing units; optionally, the processor integrates an application processor and a modem processor, wherein the application processor mainly handles operations related to the operating system, user interface, and applications, while the modem processor mainly handles wireless communication signals, such as a baseband processor. It is understood that the aforementioned modem processor may also not be integrated into the processor.

[0046] Corresponding to the above embodiments of the method for detecting DHCP services across VLANs based on the lateral propagation of vulnerabilities, this application also provides a readable storage medium storing a program or instructions. When the program or instructions are executed by a processor, they implement the steps and processes of the above embodiments of the method for detecting DHCP services across VLANs based on the lateral propagation of vulnerabilities, and achieve the same technical effect. To avoid repetition, they will not be described again here.

[0047] The processor is the processor in the electronic device described in the above embodiments of this application. The readable storage medium includes a computer-readable storage medium, such as a computer read-only memory (ROM), random access memory (RAM), a magnetic disk, or an optical disk.

[0048] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element. Furthermore, it should be noted that the scope of the methods and apparatuses in the embodiments of this application is not limited to performing functions in the order shown or discussed, but may also include performing functions substantially simultaneously or in the reverse order, depending on the functions involved. For example, the described methods may be performed in a different order than described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.

[0049] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, can be embodied in the form of a computer software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk) and includes several instructions to cause a terminal (which may be a mobile phone, computer, server, or network device, etc.) to execute the methods described in the various embodiments of this application.

[0050] It is understood that the embodiments of this application have been described above in conjunction with the accompanying drawings. However, this application is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. As those skilled in the art will know, various changes or equivalent substitutions can be made to these features and embodiments without departing from the spirit and scope of the invention. Furthermore, those skilled in the art, under the guidance or instruction of this application, can modify these features and embodiments to adapt to specific situations and materials without departing from the spirit and scope of the invention. Therefore, this invention is not limited to the specific embodiments disclosed herein, and all embodiments falling within the scope of the claims of this application are within the protection scope of this invention.

Claims

1. A method for detecting DHCP services across VLANs based on lateral propagation of vulnerabilities, characterized in that, include: Based on the agent program pre-deployed on the terminal device of a certain VLAN in the local area network, the device information of online asset devices in other VLANs in the same local area network is obtained; wherein, the agent program includes a DHCP service check program; Based on the obtained device information, the target asset device with the vulnerability was identified; By exploiting vulnerabilities in the target asset device, the DHCP service inspection program is propagated across VLANs to the target asset device; The DHCP service check program is initiated on the target asset device to obtain relevant information about the DHCP server in the VLAN.

2. The method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation according to claim 1, characterized in that, The proxy program also includes an asset detection program and a vulnerability scanning program; The asset detection program uses a combination of Nmap's ICMP scanning and TCP probing to detect assets and obtain equipment information of online asset devices. The vulnerability scanning program uses Nmap's port scanning method to obtain the open status of port 445 and SMB service version information of the asset device to determine whether a vulnerability exists; if it exists, it uses the SMB service on port 445 to propagate the DHCP service check program across VLANs to the target asset device.

3. The method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation according to claim 1, characterized in that, The DHCP service checking program detects the DHCP service within its VLAN by sending broadcast packets and obtains relevant information about the DHCP server.

4. The method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation according to any one of claims 1-3, characterized in that, The agent program is automatically loaded when the operating system starts and runs continuously in the background, enabling DHCP service detection to be performed in real time or periodically.

5. The method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation according to claim 2, characterized in that, The asset detection program employs a combination of Nmap ICMP scanning and TCP probing to detect assets and obtain equipment information of online asset devices; specifically, it includes: First, perform an ICMP scan. If the ICMP scan fails, then enable TCP probing. The ICMP scan specifically includes: obtaining device information of online asset devices based on the response by sending ICMP Echo requests, Timestamp requests, or Address Mask requests; The TCP probe specifically includes: sending a SYN packet or an empty packet to port 445 of the target IP address, and obtaining the device information of the online asset device based on the response.

6. The method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation according to claim 2, characterized in that, The vulnerability scanning program determines the existence of vulnerabilities by checking the open status of port 445 on the asset device and the SMB service version information; specifically, it includes: The Namp TCP SYN scan method is used to send TCP SYN packets to port 445 of the target asset device, and the port status is determined based on the response. If a SYN+ACK packet is returned, then port 445 of the target host is open. If an RST reset message is returned, then port 445 of the target host is closed. Further scan the target asset device with the port open to obtain its SMB service version information in order to determine whether it can be used to spread programs or files.

7. The method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation according to claim 3, characterized in that, The DHCP service checking program detects the DHCP service within its VLAN by sending broadcast packets and obtains relevant information about the DHCP server; specifically including: Assemble request packets to simulate automatically obtaining an IP address; The request packet is sent in broadcast form within the VLAN via the NDIS driver; Receive response information returned by the DHCP server; optionally, obtain the MAC address and IP address of the DHCP server from the response information.

8. The method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation according to claim 1, characterized in that, The method for detecting DHCP services across VLANs based on vulnerability lateral propagation also includes: The detected DHCP server information is compared with the preset legitimate DHCP server information. If it is determined that an unauthorized DHCP service is detected within the VLAN, the relevant information will be reported to the alarm server.

9. A device for detecting DHCP services across VLANs based on lateral propagation of vulnerabilities, characterized in that, include: The asset detection module is used to obtain device information of online asset devices in other VLANs within the same local area network based on an agent program pre-deployed on a terminal device in a certain VLAN of the local area network; wherein, the agent program includes a DHCP service check program; The vulnerability scanning module is used to identify target asset devices with vulnerabilities based on the acquired device information. The program propagation module is used to propagate the DHCP service inspection program across VLANs to the target asset device by exploiting vulnerabilities in the target asset device. The DHCP service detection module is used to start the DHCP service check program on the target asset device to obtain relevant information about the DHCP service of the VLAN.

10. A readable storage medium, characterized in that, The readable storage medium stores a program or instructions that, when executed by a processor, implement the steps of the method for detecting cross-VLAN DHCP services based on vulnerability lateral propagation as described in any one of claims 1 to 8.