Being an infosec researcher requires more than just installing Kali Linux and watching a few YouTube tutorials. Navigating the hundreds of tools available at your fingertips and knowing which one is best for the job takes a good amount of self-learning or, at the very least, finding in-depth reviews to help you figure things out. We've reviewed a lot of open source tools at SecurityTrails over the past few months, and today it's time for another one. Read on for our review of Ivre, an open source tool supported by the French Atomic Energy Commission.

## What is Ivre?

Ivre is an advanced network reconnaissance framework built with Python and MongoDB. Ivre relies on a number of packages (Nmap, Masscan, ZMap, Zeek, Argus, Nfdump, ZDNS) and brings them all together through a CLI and a web interface.
A researcher can perform active or passive reconnaissance of a network, then browse the results and perform further analysis via the CLI or the web interface. Ivre can be used for standard red and blue team investigations, for building your own private Shodan/Censys, or even for running your own passive DNS service.

Main features:

- Framework: Ivre doesn't reinvent the wheel; it relies on existing software, combining those tools and building on that foundation.
- Web interface: The web-based GUI makes filtering and exploring data a breeze.
- Visualizations: On top of the web interface, multiple visualizations and sorting mechanisms enable deeper analysis (including visualizing network flows).
- API: If you run into limitations within the framework, you can use the API to export your data and visualize/analyse it elsewhere.

## Who is Ivre for?

Just like Masscan and Jok3r, Ivre is great for both offensive red team investigations and defensive research.
As mentioned above, you can also use Ivre to build your own private Shodan or passive DNS service. The passive service is great for organizations of all types to monitor their networks, see the flow of network activity and detect any anomalous behaviour.

## Installing Ivre on Linux

Ivre offers many installation options. Based on the documentation, Ivre supports Docker and is packaged for a number of Linux distributions, as you can see here. However, this tool relies on a number of different packages that require their own installation. These include MongoDB, Nmap, ZMap, Masscan, Apache/Nginx (optional) and many others. We'll attempt a lean installation by using only the required packages.
It's always important to use some type of sandboxing environment when installing new software. You could opt for a virtual machine (VM), a container or a remote test server. We used Ubuntu 20.04 for this review, and the commands used here should apply to Debian-based distros (and, with a few minor tweaks, to other distros as well).

First, we install some system-level packages:

The command above installs two scanners (Nmap and ZMap); the other packages will be used to build Masscan, which can be done as follows:

You can see our full installation instructions for Masscan here.
Now we'll create a Python virtual environment and install Ivre:

You should now have Ivre installed system-wide, which you can confirm by running:

Now we can initialize Ivre by running the following commands:

This will remove any existing data from the database. These commands can also be used between investigations to clean up the data.

The last step is to fetch IP data:

This command fetches IP data from the Ivre website and MaxMind.
This data is required if you want to scan/list IP addresses from an AS or per country.

## Testing/Usage

Our first test will be to run a scan on 100 random hosts by running five parallel Nmap processes:

Now we can import the results into the database and create a view of it:

You can verify that your scan ran successfully by the output of the 'scan2db' command, w...
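The scan2db step above works from Nmap's XML output. As an added example, not code from this post or from the Ivre project, here is a small Python parser that turns such a report into per-host records of the kind a scan database holds; the sample report is constructed, and the record layout (and the `source` label, which stands in for the source tag scan2db attaches) is a simplified stand-in for Ivre's actual schema.

```python
"""Parse an Nmap XML report (what `ivre runscans` writes and `ivre scan2db`
imports) into per-host records. Sample is constructed; layout is a simplified
stand-in for Ivre's schema. One host is up (two open, one closed port), one is down."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.0/30" start="1700000000">
 <host starttime="1700000001">
  <status state="up" reason="syn-ack"/>
  <address addr="192.0.2.1" addrtype="ipv4"/>
  <hostnames><hostname name="example.test" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
   <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
    <service name="https" product="nginx"/></port>
   <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
  </ports>
 </host>
 <host><status state="down" reason="no-response"/>
  <address addr="192.0.2.2" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text, source="MySource"):
    """Return records for responding hosts, tagged with a scan source label."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a host that never answered has nothing to record
        addr = host.find("address[@addrtype='ipv4']")
        rec = {
            "addr": addr.get("addr") if addr is not None else None,
            "source": source,
            "hostnames": [h.get("name") for h in host.iter("hostname")],
            "ports": [],
        }
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # keep only open ports in this summary record
            svc = port.find("service")
            rec["ports"].append({
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
            })
        hosts.append(rec)
    return hosts
```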