I started to play with a nice reconnaissance tool that could be helpful in many cases - offensive as well as defensive. "IVRE" [1] ("DRUNK" in French) is a tool developed by the CEA, the Alternative Energies and Atomic Energy Commission in France. It's a network reconnaissance framework that includes:
I deployed this tool and feed it with attacker's IP addresses collected by my honeypots: My honeypots data are processed by Splunk which, amongst the generation of dashboards, extract the list of offensive IP addresses and feed IVRE. The IP addresses are scanned using Nmap and the post-processing of results stored in a MongoDB database. The post-processing includes:
All the results are available through a web interface but also via command line tools. At this time, I already collected info from 3500+ IP addresses: Basic information is display per IP addresses: Some reconnaissance features like automatic screenshots: And sharing of data: Very useful to find compromized hosts which deliver malware! The web interface provides a powerful search feature. Examples:
Out of the box, statistics are available. Example, the top CPE detected: Getting more knowledge about your attackers is always good. IVRE can help you in this way. This is a very powerful framework that will help you to build your own small "Shodan". Happy hunting! Xavier Mertens (@xme) |
Xme 581 Posts ISC Handler Jan 13th 2017 |
Thread locked Subscribe |
Jan 13th 2017 4 years ago |
This is a really interesting program. I'm a little confused how exactly to download it I've had bad luck in the past trying to understand GitHub and actually getting anything running. I only started to use the terminal about a month ago and still have more questions than answers. I tried to download bro and snort and couldn't figure it out at all.
Is this something I can figure out how to use and will it help me determine exactly what is going on with my network? I tried to use their documentation and didn't really see anything like a how to. I see lots of odd connections with blacklists of addresses especially from the log on my modem and other unusual things. Does that last chart show that Macs are getting more (malware?) than other computers? |
Anonymous |
Quote |
Jan 13th 2017 4 years ago |
The quickest way to deploy it is to run the Docker version!
|
Xme 581 Posts ISC Handler |
Quote |
Jan 14th 2017 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!