IVRE
IVRE is a network reconnaissance framework for passive and active recon including flow analytics and fingerprinting. It uses Nmap for scans, supports ZMap pre-scanning, and imports XML output from Nmap and Masscan.
Description
IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is a comprehensive network recon framework. It provides tools for both passive reconnaissance, namely flow analytics based on Bro, Argus and Nfdump and fingerprint analytics based on Bro and p0f, and active reconnaissance using Nmap scans.
The framework supports importing scan results from Nmap and Masscan in XML format and can utilize ZMap as a pre-scanner for efficient large-scale scanning. IVRE is designed for network monitoring and reconnaissance tasks, making it suitable for security professionals conducting network discovery and analysis.
Additional functionality includes database management commands for processing various input formats like airodump and ARP data, enabling comprehensive network asset inventory and analysis workflows.
How It Works
IVRE operates as a network reconnaissance framework combining passive and active techniques. Passive recon analyzes network flows using tools such as Bro, Argus and Nfdump, alongside fingerprinting with Bro and p0f. Active recon leverages Nmap for detailed host scanning, with optional ZMap pre-scanning for initial host discovery. The framework imports Nmap and Masscan XML output into its database backend, supporting multiple storage options including MySQL, PostgreSQL, MongoDB and TinyDB. Various subcommands handle data ingestion from sources such as airodump captures and ARP tables, web data extraction, and flow processing for comprehensive network visibility.
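As an added example that is not IVRE's own code, the following Python sketches the import step described above: normalising Nmap-style scan XML (Masscan emits the same host/address/ports elements) into per-host records of the kind a scan importer writes to a database backend. The sample XML is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML schema; Masscan writes the same host/address/
# ports elements (without <status>), so the same parser covers both.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1700000000">
  <host starttime="1700000001">
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_scan(xml_text, open_only=True):
    """Return one dict per live host: {"addr", "hostnames", "ports"}.
    Hosts reported down are skipped, as an inventory importer would do;
    open_only=False also keeps closed/filtered ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")  # absent in Masscan output: treat as up
        if status is not None and status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        ports = []
        for p in h.iter("port"):
            state = p.find("state").get("state")
            if open_only and state != "open":
                continue
            svc = p.find("service")
            ports.append({"proto": p.get("protocol"), "port": int(p.get("portid")),
                          "state": state,
                          "service": None if svc is None else svc.get("name"),
                          "product": None if svc is None else svc.get("product")})
        hosts.append({"addr": addr, "ports": ports,
                      "hostnames": [n.get("name") for n in h.iter("hostname")]})
    return hosts
```

Each record maps directly onto an inventory row (address, names, open services), which is what a later query or view over the database works from.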
Installation
sudo apt install ivre
Flags
Examples
ivre -h
ivre airodump2db
ivre arp2db
ivre flow2db
ivre db2view
ivre flowcli
ivre getwebdata