(Active) network recon with IVRE

Let’s see how to use IVRE to dig some Nmap scan results.

I’ll assume you have (successfully) installed Docker and followed the instructions in the IVRE documentation about Docker.

You should now have two running containers (ivredb and ivreweb) and one ready to run (ivreclient). The database has been initialized from the client (the --init commands in the documentation).

Let’s start ivreclient:

$ docker start -i ivreclient
ivreclient
root@ivreclient:/#

From here, we have two options:

  • Get Nmap scan results you already have, or run Nmap directly from a machine without using the Docker containers. In this case, copy the results to your share directory (/tmp/ivre-share from outside the container) and proceed directly to the step Importing the results.
  • Run Nmap through IVRE in the ivreclient container.

Running a scan

We are going to use the runscans utility. Try --help for information about the options.

Let’s start with something simple: a fast scan of 1k random hosts with the default options.

root@ivreclient:/# cd /ivre-share
root@ivreclient:/ivre-share# runscans --routable --limit 1000 \
>                                     --nmap-ports fast \
>                                     --output XMLFork --processes 10

And now wait for the command to terminate. In the meantime, you can, from outside the container, check how many hosts have been scanned so far:

$ find /tmp/ivre-share/scans/ROUTABLE/{down,up} -type f | wc -l
655

When scanning random hosts with the default options, you should get about 14 hosts up out of 100 hosts scanned. To check the current ratio, try this:

$ for d in /tmp/ivre-share/scans/ROUTABLE/{down,up} ; do \
>     find $d -type f | wc -l; done | \
>     python -c "a=input(); b=input(); print float(b)/(a+b)*100"
13.0434782609

If you get a lot more than that, look for a transparent proxy on your path to the Internet (for example, one that answers SYN+ACK to any outgoing SYN packet with destination port 80, which makes every host look up).

If you get a lot less, check if you have a non-filtered connection to the Internet, and if your container can use it.

When the scan is over, runscans returns. Clean the temporary directory by running:

root@ivreclient:/ivre-share# rm -rf scans/ROUTABLE/current

Importing the results

If you have just run a scan with runscans --routable [...], the results are located under scans/ROUTABLE/{up,down}. Unless you plan to run another scan later and want to skip the hosts you have already scanned, it is now safe to remove the results for hosts seen down. Then we can import the results:

root@ivreclient:/ivre-share# rm -rf scans/ROUTABLE/down
root@ivreclient:/ivre-share# nmap2db -r -s Scanner001 -c ROUTABLE \
>                                    scans/ROUTABLE/up
[...]
140 results imported.

Enjoying the data

Command-line / Python API

You can use the CLI scancli or the Python interface:

root@ivreclient:/ivre-share# scancli --count
140
root@ivreclient:/ivre-share# scancli --nfs
Host xxx.xxx.xxx.xxx from Scanner001 (ROUTABLE) (up: syn-ack)
        KR - Korea, Republic of
        AS4766 - Korea Telecom
        scan 2014-09-12 10:26:42 - 2014-09-12 10:28:32
        87 ports closed (87 resets)
        [...]
        tcp/111   open     (syn-ack, ttl=38)    rpcbind (probed) 2 RPC #100000
                nfs-ls:
                        Arguments:
                        maxfiles: 10 (file listing output limited)
                rpcinfo:
                        program version   port/proto  service
                        100000  2            111/tcp  rpcbind
                        100000  2            111/udp  rpcbind
                        100003  2,3,4       2049/tcp  nfs
                        100003  2,3,4       2049/udp  nfs
                        100005  1,2,3      33615/udp  mountd
                        100005  1,2,3      59192/tcp  mountd
                        100021  1,3,4      48445/udp  nlockmgr
                        100021  1,3,4      58979/tcp  nlockmgr
                        100024  1          38986/tcp  status
                        100024  1          57549/udp  status
        [...]
root@ivreclient:/ivre-share# python
Python 2.7.6 (default, Mar 22 2014, 22:59:56)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from ivre.db import db
>>> import ivre.utils
>>> ivre.utils.int2ip(db.nmap.get(db.nmap.searchnfs())[0]['addr'])
'xxx.xxx.xxx.xxx'
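The two checks above (the up/down ratio of a scan and the search for hosts exposing NFS) can also be done directly on the Nmap XML files that runscans writes under scans/ROUTABLE/, without the IVRE database. The following Python script is an added example, not part of IVRE or of this post: it parses a constructed Nmap XML sample (documentation-range addresses, a host mirroring the rpcinfo output shown above), computes the up ratio the shell loop computes (returning 0.0 instead of dividing by zero when no host has been scanned yet), and flags hosts whose rpcbind registers the nfs or mountd RPC programs, which is what scancli --nfs and db.nmap.searchnfs() look for in the stored results. The file layout and the rpcinfo output format are assumptions based on the session shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap XML form, the format of the files runscans
# writes under scans/ROUTABLE/up and that nmap2db imports. The first host
# mirrors the scancli --nfs output above: rpcbind on tcp/111 with the NFS
# programs registered. Addresses are documentation-range placeholders.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1410517602">
  <host starttime="1410517602" endtime="1410517712">
    <status state="up" reason="syn-ack"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="111">
        <state state="open" reason="syn-ack" reason_ttl="38"/>
        <service name="rpcbind" method="probed" conf="10"/>
        <script id="rpcinfo" output="program version port/proto service&#10;100000 2 111/tcp rpcbind&#10;100003 2,3,4 2049/tcp nfs&#10;100005 1,2,3 59192/tcp mountd"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="38"/>
        <service name="ssh" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
  <host starttime="1410517602" endtime="1410517712">
    <status state="up" reason="syn-ack"/>
    <address addr="203.0.113.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="111">
        <state state="closed" reason="reset" reason_ttl="50"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="50"/>
        <service name="http" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="203.0.113.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# RPC program numbers that reveal an NFS service in rpcinfo output.
NFS_RPC_PROGRAMS = {100003: "nfs", 100005: "mountd"}


def parse_hosts(xml_text):
    """Return one dict per <host>: address, up/down state and open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "state": status.get("state") if status is not None else "unknown",
            "ports": [],
        }
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # keep only open ports, as the scan summary does
            service = port.find("service")
            entry["ports"].append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": service.get("name") if service is not None else None,
                # script id -> raw output, e.g. "rpcinfo"
                "scripts": {s.get("id"): s.get("output", "")
                            for s in port.findall("script")},
            })
        hosts.append(entry)
    return hosts


def up_ratio(hosts):
    """Percentage of hosts seen up; 0.0 when no host has been scanned yet."""
    total = len(hosts)
    if total == 0:
        return 0.0
    return 100.0 * sum(1 for h in hosts if h["state"] == "up") / total


def rpc_programs(rpcinfo_output):
    """Program numbers listed in an rpcinfo script output (header skipped)."""
    programs = set()
    for line in rpcinfo_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            programs.add(int(fields[0]))
    return programs


def hosts_exposing_nfs(hosts):
    """Addresses of up hosts whose rpcbind registers nfs or mountd."""
    found = []
    for h in hosts:
        if h["state"] != "up":
            continue
        for p in h["ports"]:
            if set(NFS_RPC_PROGRAMS) & rpc_programs(p["scripts"].get("rpcinfo", "")):
                found.append(h["addr"])
                break
    return found


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_XML)
    print("up ratio: %.1f%%" % up_ratio(hosts))
    print("hosts exposing NFS:", hosts_exposing_nfs(hosts))
```

To run it over a real scan, read each file under scans/ROUTABLE/up and scans/ROUTABLE/down and pass the text to parse_hosts(); the rpcinfo check works on the Nmap script output exactly as it appears in the XML, so the same logic applies to other RPC programs by changing NFS_RPC_PROGRAMS.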

Web interface

From the computer that runs the containers (from another machine, you will need a bit more work), start a web browser (Firefox or Chromium), browse to http://localhost/, and click the HELP button (near the top-left corner).

You should get something like:

[Screenshot: IVRE home page with the HELP panel open (ivre_homepage_help.png)]

Now play with the filters (look in the menus and the doc), and the exploration tool. For example, type port:open in the Top values input box and validate:

[Screenshot: top values for port:open (ivre_top_open_ports.png)]

Now change to probedservice, and validate:

[Screenshot: top values for probedservice (ivre_top_probed_services.png)]

Now, you just have to add more data. I hope this will work for you and be useful!