
IVRE

Installation

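# Pull IVRE Docker image
# Pin a release tag or an @sha256:<DIGEST> reference rather than :latest, so the
# deployed image is reproducible and a changed upstream image is noticed.
docker pull ivre/ivre:latest

# Run IVRE container with MongoDB
# MongoDB starts without authentication here, so it gets a private network and
# no published port. The "mongo" alias keeps the hostname the legacy --link gave it.
docker network create ivre-net
docker run -d --name ivre-mongo --network ivre-net --network-alias mongo \
  -v ivre_data:/data/db mongo:latest

# Run IVRE on the same network (user-defined networks replace the legacy --link)
# The web port is published on loopback only; front it with an authenticating
# reverse proxy before exposing it to other hosts.
docker run -d --name ivre \
  --network ivre-net \
  -p 127.0.0.1:5000:5000 \
  -v ivre_results:/tmp/ivre \
  ivre/ivre:latest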

Ubuntu/Debian Installation

# Install dependencies
# NOTE(review): the distro-packaged "mongodb" has been dropped from recent
# Debian/Ubuntu releases; on those, MongoDB's own repository is needed instead.
sudo apt-get update
sudo apt-get install -y \
  python3 python3-pip \
  nmap masscan \
  mongodb \
  tor \
  graphviz

# Install IVRE
# Without sudo this lands in the user site (~/.local); a virtualenv
# (python3 -m venv) keeps IVRE's dependencies apart from distro-managed packages.
pip3 install ivre

# Initialize database
# NOTE(review): upstream initialises each database separately (e.g.
# `ivre scancli --init`, `ivre ipinfo --init`), and init purges existing data;
# confirm this flag against the installed version's help output.
ivre --init

Arch Linux Installation

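# Install from AUR
# AUR packages are community-maintained: read the PKGBUILD (and any .install
# file) before building; makepkg -si runs it and installs the result with sudo.
git clone https://aur.archlinux.org/ivre.git
# Stop if the clone failed instead of running makepkg in the current directory.
cd ivre || exit 1
makepkg -si

# Or use yay
# yay offers to show the PKGBUILD; review it before confirming the build.
yay -S ivre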

Install Scanning Tools

# Nmap (active scanning)
sudo apt-get install nmap

# Masscan (fast port scanning)
sudo apt-get install masscan

# ZGrab2 (service banner grabbing)
# `go get -u` no longer installs binaries (Go 1.18+), and -u pulls the newest
# dependencies unpinned. Use `go install <module>/<cmd path>@<version>` with the
# command path from each project's README, pinned to a released version.
go get -u github.com/zmap/zgrab2

# ZDNS (DNS reconnaissance)
go get -u github.com/zmap/zdns

Database Setup

MongoDB Configuration

# Start MongoDB service
# The unit is "mongodb" for the Debian/Ubuntu packaged build and "mongod" for
# MongoDB's own packages (the ones that ship /etc/mongod.conf); use whichever is installed.
sudo systemctl start mongodb
sudo systemctl enable mongodb

# Verify MongoDB is running
# Lines starting with ">" are typed at the mongosh prompt, not in the shell.
mongosh
> db.version()

IVRE Database Initialization

# Initialize IVRE with default database
# NOTE(review): upstream initialises per tool (e.g. `ivre scancli --init`) and
# init purges existing data; confirm these three flags against the installed
# version's help output before running them on a populated database.
ivre --init

# Initialize specific database
ivre --db-init

# Check database status
ivre --db-info

Configure Remote MongoDB

# Edit IVRE config
# NOTE(review): recent IVRE releases read a Python-syntax config (a
# DB = "mongodb://..." assignment) from ~/.ivre.conf or /etc/ivre.conf; confirm
# the path and format against the installed version before using the INI form below.
nano ~/.ivre/ivre.conf

# Add MongoDB connection
# A remote database means scan data crosses the network: enable TLS on the
# MongoDB side, and if credentials go in this file keep it mode 0600.
[database]
host = mongodb_server.example.com
port = 27017
db = ivre

Backup MongoDB Data

# Create backup
# The dump is a plaintext copy of the whole scan inventory; write it into a
# directory only the backup user can read (umask 077 / chmod 700). Use --uri for a remote server.
mongodump --out /backup/ivre_backup

# Restore backup
# Without --drop the restore merges into existing collections instead of replacing them.
mongorestore /backup/ivre_backup

Active Scanning

Basic Nmap Scan

# Run simple Nmap scan
# NOTE(review): upstream documents `ivre runscans --network <CIDR>`, which writes
# XML results to an output directory that is then imported with `ivre scan2db`;
# the `-t network` form here does not match that — confirm against the installed version.
ivre runscans --nmap -t network 10.0.0.0/24

# Scan with specific ports
ivre runscans --nmap -p 22,80,443 -t network 10.0.0.0/24

Masscan Large-Scale Scanning

# Fast port discovery with Masscan
ivre runscans --masscan -p 80,443,8080 \
  -t network 10.0.0.0/16

# Scan all common ports
# -p 0-65535 already covers every port, so --top-ports 1000 is redundant (or
# rejected as conflicting); keep one of the two depending on the intended coverage.
ivre runscans --masscan -p 0-65535 \
  --top-ports 1000 \
  -t network 10.0.0.0/16

Advanced Nmap Options

# Service detection scan
ivre runscans --nmap --service-detection \
  -p 22,80,443,3306,5432 \
  -t network 10.0.0.0/24

# OS detection with service detection
# OS fingerprinting needs raw sockets, so Nmap must run as root (or with the
# matching capabilities); the account running runscans inherits that requirement.
ivre runscans --nmap --os-detection --service-detection \
  -t network 10.0.0.0/24

# Aggressive scan (slow but detailed)
# -A bundles -sV, -O, -sC (default NSE scripts) and --traceroute; the default
# scripts actively interact with services, not just banners.
ivre runscans --nmap -A \
  -t network 10.0.0.0/24

Custom Nmap Arguments

# Pass custom Nmap options
# Quoted as a single string so the whole --script list is forwarded to Nmap intact.
ivre runscans --nmap \
  --nmap-args "--script http-title,http-open-proxy" \
  -p 80,443,8080 \
  -t network 10.0.0.0/24

# Timing templates
# -T3 ("normal") is Nmap's default, so this invocation changes nothing;
# -T0 .. -T5 trade speed against load and reliability.
ivre runscans --nmap \
  --nmap-args "-T3" \
  -t network 10.0.0.0/24

Parallel Scanning

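# Run multiple scans in parallel
# A bare `wait` always returns 0, so a failed scan would pass unnoticed;
# record each PID and wait on it to get that job's exit status.
ivre runscans --nmap -t network 10.0.0.0/24 &
scan_a=$!
ivre runscans --nmap -t network 172.16.0.0/24 &
scan_b=$!
wait "$scan_a" || printf 'scan of 10.0.0.0/24 failed\n' >&2
wait "$scan_b" || printf 'scan of 172.16.0.0/24 failed\n' >&2

# Monitor scan progress
# Run this from another terminal while the scans are going; here it only
# executes after both waits have returned.
ivre list-scans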

Target Management

# Add targets from file
# NOTE(review): one target per line is assumed; confirm the accepted file format
# (and whether --targets replaces -t) against the installed version.
ivre runscans --nmap --targets targets.txt

# Add targets by CIDR
ivre runscans --nmap -t network 10.0.0.0/24

# Add targets by hostname
# The name is resolved once when the scan starts; record the address it mapped
# to so later results can be matched to the right host.
ivre runscans --nmap -t network domain.com

Passive Scanning

Passive Reconnaissance with ivre passiverecon

# Perform passive recon
# NOTE(review): upstream's passive tooling is `ivre passivereconworker` /
# `ivre passiverecon2db` fed by a sensor; confirm this subcommand against the installed version.
ivre passiverecon -d dns_records.txt

# Query Shodan data
# Secrets passed as arguments appear in shell history and in `ps` for every
# user on the host; prefer an environment variable or a 0600 file if the tool supports it.
ivre passiverecon --shodan apikey

# Use Censys data
ivre passiverecon --censys api_id api_secret

Data Enrichment Sources

# Enable DNS passive recon
# Passive collection records only what is seen on the wire; these switches
# select which record types are kept (confirm the flag names against the installed version).
ivre passiverecon --dns

# Enable HTTP service detection
ivre passiverecon --http

# Enable SSL certificate scanning
ivre passiverecon --ssl-certs

Web Interface

Start Web Server

# Run IVRE web interface
# NOTE(review): upstream names the web server `ivre httpd` (with --bind-address
# and --port) and describes it as a development server to be fronted by a real web server.
ivre web

# Run on specific port
ivre web --port 8080

# Bind to all interfaces
# Reachable from every network the host is attached to, with no built-in
# authentication in front of the scan data; only do this behind an authenticating reverse proxy.
ivre web --host 0.0.0.0 --port 5000

Access Web Interface

# Local access
http://localhost:5000

# Remote access
# Plain HTTP: the scan inventory travels unencrypted unless a TLS-terminating proxy sits in front.
http://server.example.com:5000

# Default credentials
# Admin: admin/admin (change immediately)
# NOTE(review): upstream delegates web authentication to the front-end web server;
# confirm whether this build really ships a built-in account, and remove or rotate it if so.

Web Interface Features

| Feature | Purpose | Location |
| --- | --- | --- |
| Scan Status | Monitor active scans | Dashboard |
| Host Database | Search hosts | Hosts tab |
| Service Browser | View discovered services | Services tab |
| Certificate Analysis | View SSL certificates | Certificates tab |
| Flow Analysis | Network traffic patterns | Flow tab |
| Reports | Generate scan reports | Reports tab |

Querying Results

Search Hosts

# Search by IP
# NOTE(review): upstream's query tool is `ivre scancli` (e.g. `ivre scancli --host 10.0.0.5`);
# confirm the `ivre db host` form against the installed version.
ivre db host 10.0.0.5

# Search by hostname
ivre db host example.com

# Search by port status
ivre db host --port 22 --open

Port Service Queries

# Find all open ports
ivre db service --open

# Find specific service
ivre db service --name ssh --open

# Find high-risk services
# 23 (telnet), 445 (SMB) and 3389 (RDP) are cleartext or historically abused
# protocols; hits here are the first candidates for remediation.
ivre db service --port 23,445,3389 --open

Advanced Queries

# Find hosts with specific OS
ivre db host --os "Linux"

# Find hosts with vulnerability
# smb-enum-shares lists shares; it does not test for a vulnerability. Treat a
# hit as an exposure indicator and look at vuln-category script output for actual findings.
ivre db host --script "smb-enum-shares"

# Search by geolocation
# Depends on a GeoIP dataset being loaded into IVRE; confirm it is populated before trusting results.
ivre db host --country US

Export Results

# Export hosts to CSV
# Exports contain the complete inventory; protect the files like the database itself.
ivre db host --csv > hosts.csv

# Export JSON format
ivre db host --json > hosts.json

# Export specific fields
# Assumes the --json output is one array of host objects (`.[]`); if the tool
# emits one object per line instead, drop the `.[] |` prefix.
ivre db host --json | jq '.[] | {ip: ._id, ports: .ports}'

Flow Analysis

Analyze Network Flows

# View flow statistics
# NOTE(review): upstream's flow tool is `ivre flowcli`; confirm these
# subcommands against the installed version.
ivre flow stats

# Analyze top talkers
ivre flow top-talkers

# Identify unusual traffic
# "Anomalies" is whatever the tool defines; review its criteria before acting on the output.
ivre flow anomalies

Flow-Based Investigation

# Find all connections to specific IP
ivre flow --dst 10.0.0.1

# Find connections on specific port
ivre flow --dport 443

# Find connections from specific subnet
# Flow data covers only traffic the passive sensor saw; the absence of a flow
# is not evidence that no connection happened.
ivre flow --src 10.0.0.0/24

API Usage

Python API

import ivre.db

# Handle to the configured IVRE database backend.
# NOTE(review): IVRE's own documents name the address field `addr`, the port
# state `state_state` and the service `service_name`; the `_id`, `status_state`
# and `service` keys used below may not match — confirm against the installed version.
db = ivre.db.db

# Every host record with its hostnames; an empty filter matches all documents.
all_records = db.get_view_docs({})
for record in all_records:
    print(record['_id'], record.get('hostnames'))

# Hosts with at least one open port among 22, 80 and 443.
open_port_filter = {
    'ports.port': {'$in': [22, 80, 443]},
    'ports.status_state': 'open'
}
matching = db.get_view_docs(open_port_filter)

for record in matching:
    print(f"Host: {record['_id']}")
    # A record without a 'ports' key is treated as having none.
    for entry in record.get('ports', []):
        print(f"  Port {entry['port']}: {entry['service']}")

REST API Queries

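# Get host information via API
# The API has no authentication of its own: reach it over loopback or through
# an authenticating reverse proxy only.
curl http://localhost:5000/api/host/10.0.0.1

# Search hosts
# -G with --data-urlencode builds the query string for you, so the JSON filter
# needs neither manual escaping nor a backslash continuation inside the quoted URL.
curl -G --data-urlencode 'filter={"ports.port":22}' http://localhost:5000/api/hosts

# Get scan results
curl "http://localhost:5000/api/scans"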

Large-Scale Scanning Strategies

Network Reconnaissance Pipeline

# 1. Quick port discovery with Masscan
ivre runscans --masscan \
  --top-ports 100 \
  -t network 10.0.0.0/16

# 2. Detailed service detection on discovered ports
# As written this re-scans the whole /16 against Nmap's own top 1000 ports; to
# scan only what step 1 found, export those hosts/ports and feed them in as targets.
ivre runscans --nmap --service-detection \
  --nmap-args "--top-ports 1000" \
  -t network 10.0.0.0/16

# 3. Vulnerability scanning on identified services
# vuln-category scripts actively probe services and can disturb fragile ones;
# scope the targets to the services confirmed in step 2.
ivre runscans --nmap \
  --nmap-args "--script vuln,smb-enum*" \
  -t network 10.0.0.0/16

Incremental Scanning

# Scan class A with aggressive timing
# --nmap-args is given together with --masscan, so -T5 (an Nmap timing
# template) does not apply here; Masscan's speed is set with its own --rate option.
ivre runscans --masscan \
  --top-ports 100 \
  --nmap-args "-T5" \
  -t network 10.0.0.0/8

# Refine with service detection later
ivre runscans --nmap --service-detection \
  -t network 10.0.0.0/16

Distributed Scanning

# Split targets across multiple nodes
# Node 1: 10.0.0.0/25
ivre runscans --nmap -t network 10.0.0.0/25

# Node 2: 10.0.128.0/25
# 10.0.0.0/25 (10.0.0.0-127) and 10.0.128.0/25 (10.0.128.0-127) are not two
# halves of one range: everything in between is left unscanned. A /24 splits
# into 10.0.0.0/25 and 10.0.0.128/25.
ivre runscans --nmap -t network 10.0.128.0/25

# Aggregate results in central database
# Every node needs the same DB URI in its config; because nodes then write
# across the network, the MongoDB endpoint should require TLS and credentials.

Continuous Monitoring

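# Schedule recurring scans
# crontab has no backslash line continuation: each job must be written on one line.
# cron also runs with a minimal PATH and no shell profile, so use the full path
# to ivre (`command -v ivre`) and make sure the cron user has the rights Nmap needs.
0 2 * * * ivre runscans --nmap --top-ports 1000 -t network 10.0.0.0/24

# Create daily reports
# The `\%` escapes are required (an unescaped % ends the command in a crontab).
# /reports must exist beforehand and should not be world-readable: the export is the full inventory.
0 6 * * * ivre db host --json > /reports/$(date +\%Y-\%m-\%d).json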

Threat Intelligence Integration

Shodan Data Integration

# Import Shodan results
# YOUR_SHODAN_KEY is a placeholder. A real key on the command line is visible in
# shell history and `ps`; pass it via an environment variable or file if the tool supports it.
ivre shodan-grab --apikey YOUR_SHODAN_KEY \
  --query "port:22"

# Search imported Shodan data
# Shodan observations are third-party and may be stale; keep them
# distinguishable from your own scan results when reporting.
ivre db service --name ssh

Censys Integration

# Import Censys certificates
# ID and SECRET are placeholders; the same argv-exposure caveat as for the Shodan key applies.
# NOTE(review): confirm the subcommand name against the installed version.
ivre censys --api-id ID --api-secret SECRET

# Search certificates
# The glob is quoted so the shell does not expand it against local files before IVRE sees it.
ivre db host --cert-subject "*.example.com"

Custom Intelligence Integration

# Import custom threat data
# NOTE(review): no format for threat_indicators.json is given here; confirm both
# the flags and the expected schema against the installed version.
ivre db host --add-intel \
  --intel-file threat_indicators.json

# Query threat intelligence
ivre db host --intel

Reporting

Generate Scan Reports

# HTML report
# NOTE(review): confirm `ivre report` exists in the installed version; upstream's
# reporting goes through the web UI and scancli exports.
ivre report -f html -o scan_report.html

# CSV export
ivre db host --csv > scan_results.csv

# JSON report
# Reports hold the complete inventory: store them with restrictive permissions.
ivre db host --json > scan_results.json

Summary Reports

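# Service summary
ivre db service --json | jq 'group_by(.service)' > services.json

# Port distribution
# One jq pass instead of two; `// []` keeps a host without a ports array from
# aborting the whole run.
ivre db host --json | jq -r '.[] | (.ports // [])[] | .port' | sort | uniq -c

# Vulnerability summary
# Same shape as above; `.script` names which NSE script produced each entry.
ivre db host --json | jq -r '.[] | (.scripts // [])[] | .script' | sort | uniq -c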

Custom Report Generation

# Generate host inventory
# @csv accepts only scalars in a row: if .hostnames is a list (IVRE stores
# hostnames as a list — confirm) the filter aborts. Flatten it first, e.g.
# `(.hostnames // [] | map(tostring) | join(";"))`.
ivre db host --json | jq -r \
  '.[] | [._id, .hostnames, .os.osmatch] | @csv' \
  > inventory.csv

# Find critical services
# Output is pretty-printed; add -c when piping into line-oriented tools.
ivre db service --json | jq \
  '.[] | select(.service == "http" or .service == "ssh")'

Advanced Configuration

Performance Tuning

# Edit IVRE config
# NOTE(review): recent IVRE releases use a Python-syntax config file; confirm
# these INI section and key names against the installed version before editing.
nano ~/.ivre/ivre.conf

# Increase parallel scans
# Each process is a full Nmap run: 10 concurrent scans multiply the load on the
# scanned networks as well as on this host.
[nmap]
processes = 10

# MongoDB optimization
[database]
max_batch_size = 1000

Scanning Parameters

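# Adjust scanning rate
# --max-rate caps Nmap's probes per second; it is forwarded unchanged.
ivre runscans --nmap \
  --nmap-args "--max-rate 1000" \
  -t network 10.0.0.0/24

# Adjust timeouts
# Nmap has no --connect-timeout option (that is a curl flag). --host-timeout
# gives up on a host after the given time; --max-rtt-timeout bounds individual probes.
ivre runscans --nmap \
  --nmap-args "--host-timeout 30s" \
  -t network 10.0.0.0/24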

Database Optimization

# Create MongoDB indexes
# Lines starting with ">" are typed at the mongosh prompt.
# MongoDB creates the _id index itself, so the first createIndex is a no-op.
# NOTE(review): confirm the collection name; IVRE creates its own indexes at
# init time, so check ad-hoc ones against those before adding them.
mongosh
> db.nmap.createIndex({_id: 1})
> db.nmap.createIndex({"ports.port": 1})

# Monitor database size
# Default dbPath of the Debian/Ubuntu package; check storage.dbPath in the
# MongoDB config if the installation differs.
du -sh /var/lib/mongodb

Troubleshooting

Connection Issues

# Test MongoDB connection
ivre --db-info

# Check MongoDB status
sudo systemctl status mongodb

# Restart MongoDB
# The unit is "mongod" when installed from MongoDB's repository rather than the distro package.
sudo systemctl restart mongodb

Scan Failures

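# Check scan logs
# NOTE(review): /var/log/ivre/scans.log is not a path upstream documents; check
# where the installed version actually logs (runscans writes into its output directory).
tail -f /var/log/ivre/scans.log

# Verify target accessibility
# A direct Nmap run, bypassing IVRE, separates tool problems from connectivity problems.
nmap -p 22,80,443 10.0.0.1

# Check network connectivity
# Without -c, Linux ping runs until interrupted; four echoes are enough for a
# reachability check. Neither tool proves a TCP port is reachable: ICMP is often
# filtered where TCP is allowed, and vice versa.
ping -c 4 10.0.0.1
traceroute 10.0.0.1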

Database Issues

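# Backup before troubleshooting
# Taken first, not last: a dump made before any repair is the only way back if
# a check or rebuild makes things worse.
mongodump --out /backup/pre-fix

# Check database consistency
# NOTE(review): --db-check and --db-rebuild-indexes are not documented upstream;
# confirm them against the installed version's help before relying on them.
ivre --db-check

# Rebuild indexes
ivre --db-rebuild-indexes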

Memory Issues

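# Monitor memory usage
free -h
# pgrep may return several PIDs (and -f matches any command line containing
# "ivre", e.g. an editor open on ~/.ivre/); top -p expects one comma-separated list.
top -p "$(pgrep -d, -f ivre)"

# Reduce parallel processes
nano ~/.ivre/ivre.conf
# Set processes = 2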

Security Considerations

Authentication

# Change default web admin password
# Access web UI and update credentials
# Or via CLI: 
# NOTE(review): upstream delegates web authentication to the front-end web server
# (htpasswd, SSO, ...), and `ivre add-user` is not a documented subcommand; confirm
# against the installed version and configure authentication on the proxy if it is absent.
ivre add-user --admin newadmin

Network Security

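# Bind web interface to localhost only
# With this binding no firewall opening is needed; publish the port only when
# remote users reach it through an authenticating reverse proxy.
ivre web --host 127.0.0.1

# Use firewall rules
# `ufw allow 5000/tcp` would admit every source. Restrict the port to the
# administrative network (TRUSTED_ADMIN_CIDR is a placeholder to set first, e.g.
# 10.0.0.0/24) and enable the firewall so the default-deny policy takes effect.
# ufw needs root.
sudo ufw default deny incoming
sudo ufw allow from "${TRUSTED_ADMIN_CIDR:?set to the admin network, e.g. 10.0.0.0/24}" to any port 5000 proto tcp
sudo ufw enable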

Data Protection

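# Encrypt database connections
# Edit MongoDB config (root-owned; sudoedit keeps the editor itself unprivileged)
sudoedit /etc/mongod.conf
# Enable SSL/TLS: under `net:` set `tls: { mode: requireTLS,
# certificateKeyFile: <PATH_TO_SERVER_PEM> }` (MongoDB 4.2+ option names),
# restart mongod, then point IVRE's DB URI at the TLS-only endpoint.

# Regular backups
# A dump holds the full scan inventory: umask 077 makes the new directory and
# files unreadable to other users.
umask 077
mongodump --out "/secure/backup/$(date +%Y%m%d)"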

Scan Anonymity

# Use Tor for passive scanning
# NOTE(review): passive collection does not emit traffic, so routing it through
# Tor has no obvious effect; confirm what this flag does in the installed version.
ivre passiverecon --tor

# Randomize scan timing
# -T2 is Nmap's "polite" template: it slows probing and reduces load on the
# targets, but it does not randomize anything.
ivre runscans --nmap \
  --nmap-args "-T2" \
  -t network 10.0.0.0/24

Common Workflows

Complete Network Assessment

# 1. Quick port scan (Masscan)
ivre runscans --masscan --top-ports 1000 \
  -t network 10.0.0.0/24

# 2. Detailed enumeration (Nmap)
# OS detection needs root; run the whole workflow under one account so all
# results land in the same database.
ivre runscans --nmap \
  --service-detection --os-detection \
  -t network 10.0.0.0/24

# 3. Vulnerability assessment
# vuln-category scripts are intrusive on some services; run them only after
# steps 1-2 have confirmed the target set.
ivre runscans --nmap \
  --nmap-args "--script vuln" \
  -t network 10.0.0.0/24

# 4. Generate report
# The JSON holds every finding from the steps above; restrict access to it accordingly.
ivre db host --json > assessment.json

Incident Response Investigation

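# Search compromised host
ivre db host 10.0.0.50

# Find lateral movement patterns
# Outbound flows from the host; pair with --dst 10.0.0.50 for what reached it.
ivre flow --src 10.0.0.50

# Identify exposed services
# NOTE(review): --dst is a flow option elsewhere on this page while the service
# queries above take --port/--name; confirm this form against the installed version.
ivre db service --dst 10.0.0.50 --open

# Generate timeline
# jq -c emits one object per line so `sort` orders records rather than the
# lines of pretty-printed objects; scan_date comes first so the sort is chronological.
ivre db host --json | jq -c \
  '.[] | {scan_date: .scan_date, ip: ._id}' | sort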

Asset Management

# Generate inventory
ivre db host --json > inventory.json

# Count services by type
ivre db service --json | \
  jq -r '.[] | .service' | sort | uniq -c

# Identify outdated software
# select(.os.cpe) keeps only hosts that have a CPE at all; it says nothing about
# versions. Compare the CPEs against a vulnerability feed to find the outdated ones.
ivre db host --json | jq '.[] | select(.os.cpe)' > cpe_list.json

# Export for CMDB
ivre db host --csv > cmdb_import.csv