IVRE includes tools to run Nmap against targets like a network or an address range, a whole country, a specific AS, or the full IPv4 connected address space.
Use the CLI tools, the Python API or the Web interface to browse the results.
Filter, look for specific services or vulnerable versions within a specific country or network, quickly access previous results for a specific host, etc.
Make the best of your scan results to identify similar hosts and corner-cases.
Look for the most (and least) common ports, services or products, and get a quick overview of the address space with the “heatmap”.
IVRE is an open-source framework for network recon. It relies on well-known open-source tools (Nmap, Masscan, ZGrab2, ZDNS and Zeek (Bro)) to gather data (network intelligence), stores it in a database (MongoDB is the recommended backend), and provides tools to analyze it.
It includes a Web interface aimed at analyzing Nmap scan results (since it relies on a database, it can be much more efficient with huge scans than a tool like Zenmap, the Nmap GUI, for example).
IVRE means Instrument de veille sur les réseaux extérieurs, and is French for DRUNK, Dynamic Recon of Unknown NetworKs.
IVRE comes with a handy interface to browse network flows.
IVRE can import results from Zeek (Bro), Argus or Netflow (using Nfdump). The data can be explored from a CLI, a Web interface and the Python API.
    $ zeek -r mycapture.cap
    $ ivre flowcli --init
    This will remove any scan result in your database. Process ? [y/N] y
    $ ivre zeek2db *.log
    $ ivre flowcli --count
    585 clients
    1259 servers
    3629 flows
There are several ways to install and deploy IVRE; depending on your situation, you may want to use your distribution packages (Kali Linux, Arch Linux or BlackArch Linux users), Pip, Docker and Vagrant, or a manual installation process.
If you are an Arch Linux user, there is an AUR package that should be easy to install: something like yay -S ivre ivre-web should work (use yay -S ivre-git ivre-web-git to get the current development version). If you use BlackArch Linux, IVRE should be installed and work out of the box. If not, just run: pacman -S ivre ivre-web.
    $ mkdir -m 1777 var_lib_mongodb ivre-share dokuwiki_data
    $ wget -q https://ivre.rocks/Vagrantfile
    $ vagrant up --no-parallel
    Bringing machine 'ivredb' up with 'docker' provider...
    Bringing machine 'ivreweb' up with 'docker' provider...
    Bringing machine 'ivreclient' up with 'docker' provider...
    [...]
    $ docker attach ivreclient
    root@e809cb41cb9a:/#
You don't want to use Docker, Arch Linux or Pip? The documentation includes a step-by-step installation procedure that should be easy to adapt to any Linux / Unix-like system.
Some blog posts have been published, along with sample data, to help newcomers get started.
Access to a demonstration instance, running IVRE's latest version with an Internet-wide scan of Modbus-enabled devices, is available upon request. Contact us!
When no tool exists in IVRE to get the information you want, it's easy to access your results through the Python API. The data can then be processed and used with your favorite analysis tools (here, matplotlib and RT Graph 3D).
IVRE integrates with several security tools, such as YETI (Your Everyday Threat Intelligence) and Cortex (TheHive project). Thanks to IVRE's API (and using existing examples), building new connectors for other tools should be easy.
By the way, if you have a great tool running on top of IVRE, please let us know!
You like IVRE? Keep in touch, and let the world know about it!
By talking about IVRE (how it helps you, what you are able to do with it), you can help us reach more people and grow the community. This will attract new users, bug reporters and contributors, which, in turn, will make IVRE better for you!