IVRE: screenshot all the things!

The title of this blog comes from a nice article from 2014 named Scan Internet and Screenshot all the things

Some people have been asking us how the screenshots published with the Internet-wide Modbus scan had been taken.

Truth is, there was nothing to be proud of, and nothing worth publishing. As an example, I used a PhantomJS script to screenshot a Web-based RDP client…

But there is some great news: four Nmap scripts are now integrated into IVRE to take screenshots, covering four different protocols.

Read more...

IVRE has a new home!

Together with a new logo, IVRE now has its own website: ivre.rocks!

By the way, we have a demonstration instance there which is only accessible with an account. Just e-mail us to get an access! It runs the latest version from the repository, using Docker images.

For the record, the original domain (iv.re) has been deleted (after a one day notice!) because Afnic (who handles .re) discovered that the domain validity check for .re was broken and should not have allowed such a domain.

An exciting job in a fun team

The CEA is going to recruit at least two research engineers for its information systems security lab.

The activities are very varied and cover a great many technical areas of information systems security (penetration testing, intrusion detection and hunting, research and development, etc.).

More information in the corresponding LinkedIn post. Contact me!

IVRE: new (cool) features

Long time no post… so here is a Prévert-style inventory of some of IVRE’s recent features.

Read more...

Mining public keys with IVRE

Background

In my previous post I explained how I ran a scan against Internet-exposed Modbus-enabled devices, and shared the results obtained.

I have been asked several times why I had chosen to run a Zmap + Nmap scan instead of a Zmap + Zgrab scan, which would have been a lot faster.

Here is my answer: I wanted to scan the other services running on the Modbus-enabled devices, because:

  • They tell a lot about the device behind the IP address (screenshots are a feature I really like, but anonymous FTP file listings are also great, for example)
  • They often show interesting weaknesses.

Read more...

Scanning Internet-exposed Modbus devices for fun & fun

There is a French expression that says (translation is mine) “you don’t shoot at an ambulance”. Well, I do. Shooting at ambulances is fun. Plus it has a lot of advantages:

  • It’s less risky than shooting at a tank.
  • As my friend Renzo likes to say, ambulances are easy to spot in the jungle and they bear cross-shaped targets.
  • There are often other easy targets hanging around (casualties, doctors, etc.).

Anyway, here is a scan I have run against the whole IPv4 address space, looking for Internet-exposed Modbus services.

Read more...

Scapy 2.3.1 is out, Merry Christmas!

After the release of Scapy 2.3.0 just a few days ago, Guillaume Valadon figured out we actually needed some more fixes (PR 88 & PR 89).

After some work, Scapy 2.3.1 is out, with some good news (read Guillaume’s e-mail announcing Scapy 2.3.0 for a non-exhaustive list), including Robin Jarry’s excellent work to add IPSec support (FR).

You can download the release from Bitbucket (ZIP).

If you are a package maintainer for a Linux distribution, please consider updating Scapy to 2.3.1.

Enjoy!

(Active) network recon with IVRE

Let’s see how to use IVRE to dig some Nmap scan results.

I’ll assume you have (successfully) installed Docker and followed the instructions in the IVRE documentation about Docker.

You should now have two running containers (ivredb and ivreweb) and one ready to run (ivreclient). The database has been initialized from the client (the --init commands in the documentation).

Read more...

IPSec in Scapy

A quick post to mention the arrival of IPSec support in Scapy.

The work of Robin Jarry (6WIND), this important contribution is, beyond the obvious interest of what it implements, a model for people wishing to contribute to Scapy:

  • The code is very clean and well documented;
  • The module comes with its tests;
  • The text describing the pull request is very clear and detailed.

In short, thanks and congratulations to Robin!

Introducing TorPylle

Since I like analyzing network protocols, I took an interest in the Tor protocol, for which the Tor software is, to my knowledge, the only implementation. And since I like Scapy, I started writing an implementation of the Tor protocol in Scapy, TorPylle (announced here and there some time ago already, and published on GitHub and BitBucket).

Read more...