
IVRE

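# Pull IVRE Docker image (":latest" is a moving target — pin a tag or digest for
# reproducible deployments)
docker pull ivre/ivre:latest

# User-defined bridge network: replaces the legacy --link flag; containers on it
# resolve each other by container name and by --network-alias
docker network create ivre-net

# Run MongoDB. The alias keeps the "mongo" hostname that `--link ivre-mongo:mongo`
# used to provide. No access control is configured here, so the only thing
# keeping the database private is that it is not published on the host.
docker run -d --name ivre-mongo \
  --network ivre-net --network-alias mongo \
  -v ivre_data:/data/db \
  mongo:latest

# Run IVRE. Publish the web port on loopback only: `-p 5000:5000` would expose an
# unauthenticated, plain-HTTP scan database on every host interface. Put a
# TLS/auth reverse proxy in front if remote access is needed.
docker run -d --name ivre \
  --network ivre-net \
  -p 127.0.0.1:5000:5000 \
  -v ivre_results:/tmp/ivre \
  ivre/ivre:latest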
# Install dependencies (Debian/Ubuntu)
# NOTE(review): the distro `mongodb` package has been dropped from recent
# Debian/Ubuntu releases — if apt cannot resolve it, install `mongodb-org` from
# MongoDB's own repository instead. `tor` is only needed for the Tor-routed
# passive recon shown later on this page.
sudo apt-get update
sudo apt-get install -y \
  python3 python3-pip \
  nmap masscan \
  mongodb \
  tor \
  graphviz

# Install IVRE from PyPI (unpinned — pin a version for reproducible installs,
# and prefer a virtualenv over installing into the system site-packages)
pip3 install ivre

# Initialize database
# NOTE(review): `ivre --init` does not match the upstream CLI, where each
# backend is initialised separately (e.g. `ivre scancli --init`, which warns
# that existing scan data will be dropped) — confirm with `ivre --help`
ivre --init
# Install from AUR (Arch Linux). AUR packages are community-maintained and built
# locally: read the PKGBUILD before running makepkg. makepkg must run as a
# regular user (it refuses to run as root); -s installs build deps, -i installs
# the result.
git clone https://aur.archlinux.org/ivre.git
cd ivre
makepkg -si

# Or use yay (AUR helper — the same PKGBUILD review applies)
yay -S ivre
# Nmap (active scanning)
sudo apt-get install nmap

# Masscan (fast port scanning)
sudo apt-get install masscan

# ZGrab2 (service banner grabbing)
# NOTE(review): `go get -u` is deprecated for installing binaries since Go 1.17
# and fails outside a module from Go 1.18; the replacement is
# `go install <module path>@<version>`. `-u` / `@latest` also take whatever is
# newest upstream — pin a tagged version for a reproducible build.
go get -u github.com/zmap/zgrab2

# ZDNS (DNS reconnaissance) — same remark as for zgrab2
go get -u github.com/zmap/zdns
# Start MongoDB service
# NOTE(review): the unit is named `mongod` when MongoDB comes from MongoDB's own
# repository and `mongodb` for the old distro package — use whichever
# `systemctl status` knows
sudo systemctl start mongodb
sudo systemctl enable mongodb

# Verify MongoDB is running: `mongosh` opens an interactive shell and
# `db.version()` is typed at its `>` prompt (it is not a shell command).
# This connects without credentials, which only works while MongoDB runs
# with access control disabled.
mongosh
> db.version()
# Initialize IVRE with default database
# NOTE(review): none of `--init`, `--db-init`, `--db-info` are top-level flags
# in upstream IVRE, where initialisation is per backend (e.g. `ivre scancli
# --init`) — confirm against `ivre --help` for your build. Initialisation
# presumably wipes existing data: run it once at setup, not on every deploy.
ivre --init

# Initialize specific database
ivre --db-init

# Check database status (also a quick check that the config file is read)
ivre --db-info
# Edit IVRE config
# NOTE(review): upstream IVRE reads Python-syntax config files (/etc/ivre.conf,
# ~/.ivre.conf) with a connection string such as DB = "mongodb://host/ivre" —
# confirm that the INI layout and the path below are what your build uses.
nano ~/.ivre/ivre.conf

# Add MongoDB connection (the lines below are config-file content, not shell).
# Only host/port/db are set: no credentials and no TLS, so this connection is
# unauthenticated and in clear on the wire — acceptable on loopback, not
# across hosts as the example hostname suggests.
[database]
host = mongodb_server.example.com
port = 27017
db = ivre
# Create backup. mongodump connects to localhost:27017 without credentials
# unless --host/--username are given. The dump is the full scan database in
# plaintext: keep /backup/ivre_backup owner-only and off shared paths.
mongodump --out /backup/ivre_backup

# Restore backup. Without --drop, mongorestore inserts into the existing
# collections and skips documents whose _id already exists — add --drop when
# a clean restore is intended.
mongorestore /backup/ivre_backup
# Run simple Nmap scan
# NOTE(review): the `-t network`, `-p`, `--service-detection` forms used
# throughout this page don't match upstream IVRE, whose runscans takes targets
# as `--network CIDR` and ports as `--nmap-ports` — confirm with
# `ivre runscans --help` before copying.
ivre runscans --nmap -t network 10.0.0.0/24

# Scan with specific ports
ivre runscans --nmap -p 22,80,443 -t network 10.0.0.0/24
# Fast port discovery with Masscan. A /16 is 65k addresses; masscan's default
# rate is deliberately low (--rate 100) — size the rate to what the network
# path and the targets tolerate rather than to the scanner.
ivre runscans --masscan -p 80,443,8080 \
  -t network 10.0.0.0/16

# Scan all common ports
# NOTE(review): `-p 0-65535` and `--top-ports 1000` are two different port
# selections for the same scan — keep only the one that is meant
ivre runscans --masscan -p 0-65535 \
  --top-ports 1000 \
  -t network 10.0.0.0/16
# Service detection scan (version probes talk to each service, so this is
# noticeably noisier on the target than a port sweep)
ivre runscans --nmap --service-detection \
  -p 22,80,443,3306,5432 \
  -t network 10.0.0.0/24

# OS detection with service detection (nmap OS detection needs raw packets,
# i.e. root / CAP_NET_RAW)
ivre runscans --nmap --os-detection --service-detection \
  -t network 10.0.0.0/24

# Aggressive scan (slow but detailed: nmap -A = OS detection + version
# detection + default scripts + traceroute)
ivre runscans --nmap -A \
  -t network 10.0.0.0/24
# Pass custom Nmap options. The string is handed to nmap as-is, i.e. it is
# part of nmap's command line — never assemble it from untrusted input
# (ticket fields, web forms) and keep it quoted as shown.
ivre runscans --nmap \
  --nmap-args "--script http-title,http-open-proxy" \
  -p 80,443,8080 \
  -t network 10.0.0.0/24

# Timing templates (-T3 is nmap's default "normal" template; -T0..-T5 trade
# scan speed against accuracy and load on the target)
ivre runscans --nmap \
  --nmap-args "-T3" \
  -t network 10.0.0.0/24
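# Run multiple scans in parallel, one background job per target network.
# Record each job's PID: a bare `wait` always exits 0, so a scan that failed
# (bad config, unreachable database, permission error) would go unnoticed.
ivre runscans --nmap -t network 10.0.0.0/24 & pid_a=$!
ivre runscans --nmap -t network 172.16.0.0/24 & pid_b=$!

# Wait on each PID individually so its exit status is propagated and reported
wait "$pid_a" || printf 'scan of 10.0.0.0/24 failed\n' >&2
wait "$pid_b" || printf 'scan of 172.16.0.0/24 failed\n' >&2

# Monitor scan progress (from another shell while the jobs run)
# NOTE(review): `ivre list-scans` is not an upstream subcommand I can confirm;
# upstream's progress tool is `ivre scanstatus` — check `ivre --help`
ivre list-scans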
# Add targets from file (presumably one target per line — confirm the format).
# Keep the target list under change control so the scan scope is auditable.
ivre runscans --nmap --targets targets.txt

# Add targets by CIDR
ivre runscans --nmap -t network 10.0.0.0/24

# Add targets by hostname. The name is resolved at scan time; nmap itself
# scans only the first address a name resolves to unless --resolve-all is
# given, so a multi-homed name may be partly scanned — prefer explicit
# addresses where that matters.
ivre runscans --nmap -t network domain.com

Passive Reconnaissance with ivre passiverecon

# Perform passive recon (-d: presumably a DNS record dump to ingest — confirm)
# NOTE(review): upstream's passive path is `ivre passiverecon2db` fed by a
# Zeek/p0f capture; the `ivre passiverecon` options on this page don't match
# it — check `ivre --help` for your build.
ivre passiverecon -d dns_records.txt

# Query Shodan data. An API key on the command line is visible in `ps`, shell
# history and process accounting — read it from an environment variable or a
# mode-0600 file if the tool allows it.
ivre passiverecon --shodan apikey

# Use Censys data (same remark: api_id and api_secret are passed as arguments)
ivre passiverecon --censys api_id api_secret
# Enable DNS passive recon
ivre passiverecon --dns

# Enable HTTP service detection
ivre passiverecon --http

# Enable SSL certificate scanning
ivre passiverecon --ssl-certs
# Run IVRE web interface (port 5000 by default, judging by the URLs below).
# No authentication or TLS is configured in these examples.
# NOTE(review): upstream's server is `ivre httpd` — confirm `ivre web` exists
ivre web

# Run on specific port
ivre web --port 8080

# Bind to all interfaces. This makes the whole scan database readable by
# anyone who can reach the host; only do this behind an authenticating TLS
# reverse proxy, otherwise bind to 127.0.0.1.
ivre web --host 0.0.0.0 --port 5000
# Local access (these are URLs to open in a browser, not shell commands)
http://localhost:5000

# Remote access — plain http: credentials and scan data cross the network in
# clear. Terminate TLS in front of the service for any non-loopback access.
http://server.example.com:5000

# Default credentials
# Admin: admin/admin (change immediately)
# NOTE(review): as far as I know upstream IVRE has no built-in user database
# (authentication is left to the web server in front of it) — confirm where
# these credentials actually live before relying on them.
| Feature | Purpose | Location |
| --- | --- | --- |
| Scan Status | Monitor active scans | Dashboard |
| Host Database | Search hosts | Hosts tab |
| Service Browser | View discovered services | Services tab |
| Certificate Analysis | View SSL certificates | Certificates tab |
| Flow Analysis | Network traffic patterns | Flow tab |
| Reports | Generate scan reports | Reports tab |
# Search by IP
# NOTE(review): `ivre db host` / `ivre db service` don't match upstream's
# query tools (`ivre scancli`, `ivre view`) — confirm the subcommand names
ivre db host 10.0.0.5

# Search by hostname
ivre db host example.com

# Search by port status
ivre db host --port 22 --open
# Find all open ports
ivre db service --open

# Find specific service
ivre db service --name ssh --open

# Find high-risk services (23 telnet, 445 SMB, 3389 RDP — clear-text or
# frequently attacked protocols that should not be reachable from untrusted
# networks)
ivre db service --port 23,445,3389 --open
# Find hosts with specific OS
ivre db host --os "Linux"

# Find hosts with vulnerability (filters on an NSE script name — presumably
# matches hosts where the script produced output, not only positive findings;
# read the script result before treating it as a vulnerability)
ivre db host --script "smb-enum-shares"

# Search by geolocation
ivre db host --country US
# Export hosts to CSV. Exports are the full inventory: restrict file
# permissions and don't leave them in shared directories.
ivre db host --csv > hosts.csv

# Export JSON format
ivre db host --json > hosts.json

# Export specific fields (assumes `--json` emits one JSON array of host
# objects; if it emits one object per line instead, drop the `.[] |` — confirm
# the output shape)
ivre db host --json | jq '.[] | {ip: ._id, ports: .ports}'
# View flow statistics. Flow data comes from passive captures imported into
# IVRE (upstream: Zeek logs via zeek2db); the active scans on this page don't
# populate it.
# NOTE(review): upstream's tool is `ivre flowcli` — confirm the `ivre flow`
# forms below exist for your build
ivre flow stats

# Analyze top talkers
ivre flow top-talkers

# Identify unusual traffic (presumably a statistical outlier view — check what
# "anomalies" means for this build before acting on its output)
ivre flow anomalies
# Find all connections to specific IP
ivre flow --dst 10.0.0.1

# Find connections on specific port
ivre flow --dport 443

# Find connections from specific subnet
ivre flow --src 10.0.0.0/24
# Direct access to IVRE's database layer from Python
import ivre.db

# Get database connection
# NOTE(review): upstream exposes the configured backends as ivre.db.db.nmap /
# .view / .passive; `get_view_docs` is not a method I can confirm — check the
# ivre.db API for your version
db = ivre.db.db

# Query all hosts ({} is an empty filter)
# NOTE(review): upstream host documents key the address as `addr`, not `_id`
# — confirm before relying on this field
for host in db.get_view_docs({}):
    print(host['_id'], host.get('hostnames'))

# Search by port: hosts with 22/80/443 open
# NOTE(review): if this filter reaches MongoDB as-is, the two `ports.*`
# conditions are evaluated independently across the array — a host with 22
# closed and some other port open matches. Use
# {'ports': {'$elemMatch': {...}}} to require both on the same port entry.
# Upstream's schema also names these `ports.state_state` / `ports.service_name`
# — confirm the keys.
results = db.get_view_docs({
    'ports.port': {'$in': [22, 80, 443]},
    'ports.status_state': 'open'
})

for host in results:
    print(f"Host: {host['_id']}")
    # port['service'] raises KeyError on a port entry without that key —
    # use port.get('service') if the schema allows it to be absent
    for port in host.get('ports', []):
        print(f"  Port {port['port']}: {port['service']}")
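# Get host information via API. Plain HTTP and no credentials in these
# examples: keep the listener on loopback or front it with a TLS/auth proxy.
# NOTE(review): the /api/... routes don't match upstream IVRE's web API
# (served under /cgi/...) — confirm them against your version
curl http://localhost:5000/api/host/10.0.0.1

# Search hosts. Let curl URL-encode the JSON filter (-G sends it as a GET
# query parameter) instead of embedding raw quotes/braces in the URL, which
# depends on the server tolerating un-encoded characters.
curl -G --data-urlencode 'filter={"ports.port":22}' \
  http://localhost:5000/api/hosts

# Get scan results
curl "http://localhost:5000/api/scans"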
# Three-stage workflow: cheap discovery first, expensive enumeration after.
# As written, every stage re-targets the whole /16 — feed stages 2 and 3 the
# hosts/ports found by stage 1 to cut scan time and noise on the network.
# 1. Quick port discovery with Masscan
ivre runscans --masscan \
  --top-ports 100 \
  -t network 10.0.0.0/16

# 2. Detailed service detection on discovered ports
ivre runscans --nmap --service-detection \
  --nmap-args "--top-ports 1000" \
  -t network 10.0.0.0/16

# 3. Vulnerability scanning on identified services. The `vuln` NSE category
# contains check scripts, some of which are also tagged intrusive and can
# upset fragile services; `smb-enum*` expands to every smb-enum-* script.
# Results are indicators to verify, not confirmed findings.
ivre runscans --nmap \
  --nmap-args "--script vuln,smb-enum*" \
  -t network 10.0.0.0/16
# Scan class A with aggressive timing (10.0.0.0/8 is ~16.7M addresses; -T5 is
# nmap's fastest template and readily overruns links and IDS thresholds)
# NOTE(review): `--nmap-args` is given to a `--masscan` run here — presumably
# nmap's -T5 means nothing to masscan, whose knob is --rate; check which
# scanner this string actually reaches
ivre runscans --masscan \
  --top-ports 100 \
  --nmap-args "-T5" \
  -t network 10.0.0.0/8

# Refine with service detection later (on the hosts that answered, not the
# whole range)
ivre runscans --nmap --service-detection \
  -t network 10.0.0.0/16
# Split targets across multiple nodes (each node writes to its own database
# unless they are configured to share one — see the aggregation note below)
# Node 1: 10.0.0.0/25
ivre runscans --nmap -t network 10.0.0.0/25

# Node 2: 10.0.128.0/25
# NOTE(review): a /25 is 128 addresses, so 10.0.0.0/25 and 10.0.128.0/25 are
# not two halves of anything — the two halves of 10.0.0.0/24 are 10.0.0.0/25
# and 10.0.0.128/25
ivre runscans --nmap -t network 10.0.128.0/25

# Aggregate results in central database (not shown: point every node's config
# at the same MongoDB, or ship each node's results and import them centrally)
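# Schedule recurring scans (crontab entries). Each job must be on ONE line:
# cron has no backslash line continuation, so the split form would be read as
# a truncated entry plus garbage. `%` in a cron command means newline and is
# escaped as \% below. cron runs with a minimal PATH — use the absolute path
# to `ivre` if it lives outside /usr/bin (e.g. a pip --user install).
0 2 * * * ivre runscans --nmap --top-ports 1000 -t network 10.0.0.0/24

# Create daily reports (the export holds the full inventory: keep /reports
# restricted to the reporting user/group)
0 6 * * * ivre db host --json > /reports/$(date +\%Y-\%m-\%d).json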
# Import Shodan results. YOUR_SHODAN_KEY on the command line lands in shell
# history, `ps` output and process accounting — prefer an environment
# variable or a mode-0600 file if the tool supports reading the key that way.
# NOTE(review): `ivre shodan-grab` is not an upstream subcommand I can confirm
ivre shodan-grab --apikey YOUR_SHODAN_KEY \
  --query "port:22"

# Search imported Shodan data
ivre db service --name ssh
# Import Censys certificates (same secret-on-argv remark for ID / SECRET)
# NOTE(review): `ivre censys` is not an upstream subcommand I can confirm
ivre censys --api-id ID --api-secret SECRET

# Search certificates (glob on the subject; keep it quoted so the shell does
# not expand `*`)
ivre db host --cert-subject "*.example.com"
# Import custom threat data
# NOTE(review): `--add-intel` / `--intel-file` / `--intel` are not upstream
# options I can confirm — check `ivre --help` before relying on them
ivre db host --add-intel \
  --intel-file threat_indicators.json

# Query threat intelligence
ivre db host --intel
# HTML report (rendered from the scan database — if it is published, every
# banner, hostname and open port in the database goes with it)
# NOTE(review): `ivre report` is not an upstream subcommand I can confirm
ivre report -f html -o scan_report.html

# CSV export
ivre db host --csv > scan_results.csv

# JSON report
ivre db host --json > scan_results.json
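# Service summary (assumes `--json` emits one JSON array — confirm the shape)
ivre db service --json | jq 'group_by(.service)' > services.json

# Port distribution. `.ports[]?` skips hosts that have no `ports` field
# instead of aborting the whole run with "Cannot iterate over null", and one
# jq invocation replaces the `jq | jq` pair.
ivre db host --json | jq -r '.[] | .ports[]? | .port' | sort | uniq -c

# Vulnerability summary (same null-safe iteration; `scripts` at host level is
# assumed — upstream keeps script results under each port, confirm)
ivre db host --json | jq -r '.[] | .scripts[]? | .script' | sort | uniq -c

# Generate host inventory
# NOTE(review): @csv only accepts scalar cells — if `.hostnames` is an array
# (as in upstream's schema) this row errors; use (.hostnames | tostring) then
ivre db host --json | jq -r \
  '.[] | [._id, .hostnames, .os.osmatch] | @csv' \
  > inventory.csv

# Find critical services
ivre db service --json | jq \
  '.[] | select(.service == "http" or .service == "ssh")'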
# Edit IVRE config
# NOTE(review): upstream IVRE's config files are Python syntax (~/.ivre.conf),
# not INI — confirm that the sections and keys below exist for your build
nano ~/.ivre/ivre.conf

# Increase parallel scans (config-file content, not shell). Ten concurrent
# nmap processes multiply the packet rate and the load on targets by ten —
# raise this together with the rate limits, not instead of them.
[nmap]
processes = 10

# MongoDB optimization (larger write batches per insert)
[database]
max_batch_size = 1000
# Adjust scanning rate (--max-rate caps nmap's packets per second — the
# gentlest lever for keeping a scan under link and IDS thresholds)
ivre runscans --nmap \
  --nmap-args "--max-rate 1000" \
  -t network 10.0.0.0/24

# Adjust timeouts
# NOTE(review): nmap has no `--connect-timeout` option that I know of; its
# timeout controls are --host-timeout and --max-rtt-timeout — verify with
# `nmap -h` before copying
ivre runscans --nmap \
  --nmap-args "--connect-timeout 30" \
  -t network 10.0.0.0/24
# Create MongoDB indexes (the `>` lines are mongosh shell input). Every
# collection already has a unique index on _id, so the first createIndex is a
# no-op; the ports.port index is the one that helps port queries.
# NOTE(review): collection name `nmap` assumed — confirm against IVRE's schema
mongosh
> db.nmap.createIndex({_id: 1})
> db.nmap.createIndex({"ports.port": 1})

# Monitor database size (default dbPath of the distro package — check
# storage.dbPath in mongod.conf if it differs)
du -sh /var/lib/mongodb
# Test MongoDB connection through IVRE's own config (so a failure here also
# covers a wrong ivre.conf, not just a down database)
ivre --db-info

# Check MongoDB status (unit may be `mongod` for MongoDB-repository installs)
sudo systemctl status mongodb

# Restart MongoDB (presumably any scan import in flight fails and has to be
# re-run — confirm before restarting during a scan)
sudo systemctl restart mongodb
# Check scan logs
# NOTE(review): /var/log/ivre/scans.log is page-specific — confirm where your
# install actually logs
tail -f /var/log/ivre/scans.log

# Verify target accessibility with nmap directly, bypassing IVRE, to separate
# "IVRE is misconfigured" from "the path to the target is filtered"
nmap -p 22,80,443 10.0.0.1

# Check network connectivity (ICMP is often filtered while TCP ports answer —
# a failed ping alone does not mean the host is down)
ping 10.0.0.1
traceroute 10.0.0.1
# Check database consistency
# NOTE(review): `--db-check` / `--db-rebuild-indexes` are not upstream flags I
# can confirm — verify with `ivre --help`
ivre --db-check

# Rebuild indexes (slow on a large collection; schedule it outside scan runs)
ivre --db-rebuild-indexes

# Backup before troubleshooting — run this FIRST, since the two commands above
# modify the database. Same storage hygiene as any dump: owner-only perms.
mongodump --out /backup/pre-fix
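# Monitor memory usage
free -h
# `pgrep -f ivre` matches every process whose command line contains "ivre"
# and may return several PIDs, one per line; `top -p` wants them comma-
# separated, so ask pgrep for that delimiter (-d,). If nothing matches,
# skip top instead of calling it with an empty PID list.
pids=$(pgrep -d, -f ivre) && top -p "$pids"

# Reduce parallel processes
nano ~/.ivre/ivre.conf
# Set processes = 2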
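# Change default web admin password
# Access web UI and update credentials
# Or via CLI:
# NOTE(review): `ivre add-user` is not an upstream subcommand I can confirm;
# whatever tool is used, let it prompt for the password rather than passing
# it as an argument (argv is visible in `ps` and shell history)
ivre add-user --admin newadmin
# Bind web interface to localhost only. A loopback-bound listener needs no
# inbound firewall rule at all; the rules below are for the case where the UI
# must be reachable from a management network.
ivre web --host 127.0.0.1

# Use firewall rules: deny inbound by default, then allow port 5000 from the
# management network only — `ufw allow 5000/tcp` would open it to every
# source. 192.0.2.0/24 is a placeholder (TEST-NET-1); substitute your own
# range. Rules take effect once `ufw enable` has been run; make sure the SSH
# rule is in place before enabling or the enable locks you out.
ufw default deny incoming
ufw allow from 192.0.2.0/24 to any port 5000 proto tcp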
# Encrypt database connections
# Edit MongoDB config
nano /etc/mongod.conf
# Enable SSL/TLS — the config content is not shown here. On MongoDB 4.2+ this
# is the `net.tls` section (mode: requireTLS, certificateKeyFile: <path>);
# the IVRE connection string then has to use TLS as well. Note that TLS does
# not add authentication: also set `security.authorization: enabled` and
# create a dedicated user for IVRE.

# Regular backups (one dump directory per day). The dump is plaintext —
# store it on an encrypted volume or encrypt it at rest, and keep
# /secure/backup owner-only.
mongodump --out /secure/backup/$(date +%Y%m%d)
# Use Tor for passive scanning (routes the tool's outbound lookups through the
# local `tor` service installed earlier on this page — it must be running)
# NOTE(review): `--tor` is not an option I can confirm on upstream's passive tools
ivre passiverecon --tor

# Slow timing template: -T2 is nmap's "polite" template (serialised probes
# with delays). It reduces load on the target; it is not randomisation of
# anything.
ivre runscans --nmap \
  --nmap-args "-T2" \
  -t network 10.0.0.0/24
# Assessment workflow: discovery -> enumeration -> vulnerability checks ->
# report. As written each stage rescans the full /24; feeding later stages
# the results of earlier ones cuts both scan time and noise.
# 1. Quick port scan (Masscan)
ivre runscans --masscan --top-ports 1000 \
  -t network 10.0.0.0/24

# 2. Detailed enumeration (Nmap; OS detection needs root for raw packets)
ivre runscans --nmap \
  --service-detection --os-detection \
  -t network 10.0.0.0/24

# 3. Vulnerability assessment (the `vuln` NSE category runs check scripts,
# some also tagged intrusive — treat hits as indicators to verify, not as
# confirmed findings)
ivre runscans --nmap \
  --nmap-args "--script vuln" \
  -t network 10.0.0.0/24

# 4. Generate report (a raw JSON dump listing every exposed service found —
# handle it as sensitive)
ivre db host --json > assessment.json
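# Incident-response lookups against data already in the database (no new
# scanning, so safe to run while the host is being contained)
# Search compromised host
ivre db host 10.0.0.50

# Find lateral movement patterns (flows *from* the host; needs flow data
# imported from passive captures — without it this returns nothing)
ivre flow --src 10.0.0.50

# Identify exposed services
# NOTE(review): `--dst` on a service query looks like a flow-style option —
# confirm it is accepted here, or use the host query above
ivre db service --dst 10.0.0.50 --open

# Generate timeline. Build the array and sort inside jq: piping jq's
# pretty-printed, multi-line objects into `sort` sorts individual lines and
# scrambles the objects, and would order by IP text rather than by date anyway.
# (field name `scan_date` assumed — confirm against the schema)
ivre db host --json | jq \
  '[.[] | {ip: ._id, scan_date: .scan_date}] | sort_by(.scan_date)'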
# Generate inventory (full JSON dump — sensitive, same handling as any export)
ivre db host --json > inventory.json

# Count services by type (assumes `--json` emits one JSON array — confirm)
ivre db service --json | \
  jq -r '.[] | .service' | sort | uniq -c

# Identify outdated software. This selects hosts that have an OS CPE at all —
# a prerequisite for version matching, not an "outdated" check by itself;
# compare the CPEs against a vulnerability feed afterwards.
ivre db host --json | jq '.[] | select(.os.cpe)' > cpe_list.json

# Export for CMDB
ivre db host --csv > cmdb_import.csv