IVRE - Network Recon Framework

IVRE - Network Recon Framework

IVRE (Instrument de veille sur les réseaux extérieurs) a.k.a DRUNK (Dynamic Recon of UNKnown networks) is an open source framework for network recon, written in Python with a MongoDB backend.

It has tools for passive recon (flow analytics relying on Bro, Argus, Nfdump, fingerprint analytics based on Bro and p0f) and active recon (IVRE uses Nmap to run scans, can use ZMap as a pre-scanner; IVRE can also import XML output from Nmap and Masscan).


  • Python 2 (version 2.6 minimum), or 3 (version 3.3 minimum). Python 2.6 compatibility is important to make sure IVRE works with RHEL and CentOS version 6.
    • the Crypto module.
    • the pymongo module, version 2.7.2 minimum.
    • optionally PIL, to trim screenshots.
    • optionally py2neo to use the flow module, version 3 minimum.
    • optionally sqlalchemy and psycopg2 to use the experimental PostgreSQL backend.
  • Nmap version 7.25BETA2 minimum (actually, earlier versions can be used by setting script_timeout to None in each scan template).
  • optionally ZMap and/or Masscan
  • Bro (version 2.3 minimum), Argus, Nfdump& p0f (version 2, will not work with version 3) for the passive fingerprint and flow modules.
  • MongoDB, version 2.6 minimum (tests are run with versions 2.6.12, 3.0.15, 3.2.18, 3.4.10, 3.6.2 and 3.7.1).
  • optionally Neo4j for the flow module.
  • optionally PostgreSQL, version 9.5 minimum (tests are run with versions 9.5.10, 9.6.6 and 10.1), for the experimental PostgreSQL backend.
  • a web server (successfully tested with Apache and Nginx, should work with anything capable of serving static files and run a Python-based CGI), although a test web server is distributed with IVRE (ivre httpd).
  • Dokuwiki or another Wiki to use as a notepad. Dokuwiki can also be used to display the documentation.
  • a web browser (successfully tested with recent versions of Firefox and Chromium).
  • Maxmind GeoIP free databases.
  • optionally Tesseract, if you plan to add screenshots to your Nmap scan results.
  • optionally Docker & Vagrant (version 1.6 minimum).

No comments

Powered by Blogger.