A network recon framework published by the CEA (https://github.com/cea-sec) and the ANSSI (https://github.com/ANSSI-FR)
But I already think I know how to fix it myself! If not, ill be back here.
I have a problem with this sample: it has no{"templateID":"CVE-2018-15473","info":{"name":"OpenSSH Username Enumeration","author":["r3dg33k","daffainfo"],"tags":["network","openssh","cve","cve2018"],"description":"OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.","reference":["https://nvd.nist.gov/vuln/detail/cve-2018-15473"],"severity":"medium","classification":{"cve-id":["cve-2018-15473"],"cwe-id":["cwe-362"],"cvss-metrics":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","cvss-score":5.3}},"type":"network","host":"scanme.nmap.org","matched":"scanme.nmap.org:22","timestamp":"2021-10-28T17:16:15.931565-05:00"}
"ip" field, and the "host" and "matched" fields use a hostname, so we cannot know which IP this record is about. If my memory serves well, you (@0xtavian) had the "ip" field added by the Nuclei team so time ago, it would really be helpful here!
sorry for the late reply. but this is awesome man! yea i thought we took care of that as well but its good to know they are on it. I actually had a convo recently ( shortly before i posted the new JSON structure in this chat ) with PD about a unified JSON that all of their tools can update dynamically, im not too sure how much of that idea they are implementing but i think they are taking some points from it.
Is there an easy way to import only the latest performed scans in 'views'? For example, if I already have 10.000 results of category "HTTP" in views. I perform a new scan that has 1000 new results for the category "HTTP" and I only want to import these new 1000 when I do "ivre db2view --category HTTP". Saves a lot of time, especially as my database is expected to become bigger and bigger over time.
I have had a very hard time figuring out a regression in IVRE's tests. It seems to be a regression introduced in the Python interpreter.
See https://bugs.python.org/issue45235
This message https://bugs.python.org/issue45235#msg406079 shows a similar problem. The regression exists in Python 3.9.8 but not in 3.9.7.
The regression has been introduced to Python versions 3.6 to 3.10. It is not clear when a bugfix release will be published, nor if it will cover versions lower than 3.9.
See https://bugs.python.org/issue45235
This message https://bugs.python.org/issue45235#msg406079 shows a similar problem. The regression exists in Python 3.9.8 but not in 3.9.7.
The regression has been introduced to Python versions 3.6 to 3.10. It is not clear when a bugfix release will be published, nor if it will cover versions lower than 3.9.
2 replies
host_timeout is, as you noted, an option passed to Nmap (so it is based on Nmap's good will). Also, this is a real timeout (in seconds) and it is applied for each host.--nmap-max-cpu, on the other hand, is a limit applied by the OS (it will kill Nmap if it exceeds it), only based on the CPU usage (if Nmap idles for a very long time, nothing happens), and it is applied for the whole Nmap process (even if it scans 1000 hosts)
Python 3.6 support dropped
PR: ivre/ivre#1246
Announcement: https://twitter.com/IvreRocks/status/1464301113809981440
PR: ivre/ivre#1246
Announcement: https://twitter.com/IvreRocks/status/1464301113809981440
Would definitely send some coffee money.
I don't know what is you current knowledge of IVRE and network cartography tools so far, but I'll try to give a generic answer (sorry if it is too obvious or to vague).
Basically, the first task is to identify what works best to scan your target: what protocols & ports, what tool(s), which options, etc. That depends on how large the target is, how deep the scan could/should be, how long the scan could/should last, etc. That part is not really covered by IVRE (even if IVRE comes with tools to run Nmap; maybe one of the
Then, when you have decided on what you want to run, you should set-up a cron job or equivalent that will run the scan and insert it (in the scan purpose), and probably update the view purpose (that is, calling
If some of the tools you identify in the first step is not supported by IVRE, you would have another task to implement support for it in IVRE.
Basically, the first task is to identify what works best to scan your target: what protocols & ports, what tool(s), which options, etc. That depends on how large the target is, how deep the scan could/should be, how long the scan could/should last, etc. That part is not really covered by IVRE (even if IVRE comes with tools to run Nmap; maybe one of the
ivre runscans* tools would be great for your use-case, but that depends on your use-case).Then, when you have decided on what you want to run, you should set-up a cron job or equivalent that will run the scan and insert it (in the scan purpose), and probably update the view purpose (that is, calling
ivre scan2db and ivre db2view).If some of the tools you identify in the first step is not supported by IVRE, you would have another task to implement support for it in IVRE.
Understandable that far, I'll have a look around on what's available by default and see what can be done. Which setup would you suggest from the ones available on https://ivre.rocks/#get-started? I see there's Docker possibility, but I also see that there's a repo for kali Linux. Might the repo be maybe be used on Ubuntu Server also, or you suggest Docker there?
(also, I use the development branch from git on my servers, but maybe you don't want that: you get more functionalities at the price of a bit of instability; your call!)
Early httpx (ProjectDiscovery, https://github.com/projectdiscovery/httpx) support in IVRE to be merged soon: ivre/ivre#1262
Early httpx (ProjectDiscovery, https://github.com/projectdiscovery/httpx) support in IVRE to be merged soon: ivre/ivre#1262
works great ! Thanks !!!
WARNING:ivre:Will not handle record with schema_version 19 ...
what 's the best way to mitigate ? is there a possible conversion or shall i reinit my db ?
1 reply
I think you were part of the discussion on the issue initially. I’m left it alone because i had no data showing it was necessary
Finally ran into something in my scope that was filtering option-less syn packets
1 reply
so the way we have http fields above...... is there a way to do the same with "http-nuclei" results?
so for example i want to find all "wordpress" instances found by nuclei <-- is there a way to do this?
ah, nice to be back, fyi, you can use matrix ( flufychat, element hydrogen) to join this room '#ivre_ivre:gitter.im '
https://twitter.com/IvreRocks/status/1511982035912507395
IVRE now uses SSL blacklist data from abuse.ch to add tags for known bad certificates and JA3 (client) fingerprints (the former can be used with both data from passive sensors and from active network scans, while the latter will only be useful for passive sensors).
I don't have huge datasets, but I already did find interesting stuffs using that (interestingly enough, there are both a certificate and a JA3 fingerprint from the blacklist in IVRE's tests dataset, so the expected number of hosts with tags had to be updated with this new feature).
IVRE now uses SSL blacklist data from abuse.ch to add tags for known bad certificates and JA3 (client) fingerprints (the former can be used with both data from passive sensors and from active network scans, while the latter will only be useful for passive sensors).
I don't have huge datasets, but I already did find interesting stuffs using that (interestingly enough, there are both a certificate and a JA3 fingerprint from the blacklist in IVRE's tests dataset, so the expected number of hosts with tags had to be updated with this new feature).
hi @p-l- , I did an upgrade of IVRE to the last version (0.9.17) on my server that makes the scans and which exposes the web interface. But, this warning appears on the IHM : "WARNING: 1 document displayed has been inserted by a more recent version of IVRE. Please update IVRE!"
I don't understand why I have this warning...
FYI, the python librarie IVRE is ran in a virtual environment (python 3.9.12) and I put the path of virtualenv in the app.wsgi. This config (executed IVRE in a virtualenv + path in app.wsgi) worked for the v0.9.15 .
Any idea ?
I don't understand why I have this warning...
FYI, the python librarie IVRE is ran in a virtual environment (python 3.9.12) and I put the path of virtualenv in the app.wsgi. This config (executed IVRE in a virtualenv + path in app.wsgi) worked for the v0.9.15 .
Any idea ?
7 replies