
ivre / ivre


Network recon framework. Build your own, self-hosted and fully-controlled alternatives to Shodan / ZoomEye / Censys and GreyNoise, run your Passive DNS service, collect and analyse network intelligence from your sensors, and much more! Uses Nmap, Masscan, Zeek, p0f, etc.

Home Page: https://ivre.rocks/

License: GNU General Public License v3.0

Shell 0.50% Python 74.22% PHP 0.02% JavaScript 5.80% CSS 1.37% HTML 15.38% Lua 0.77% Dockerfile 0.42% Zeek 1.51%
python bro scans nmap network network-analysis network-discovery network-monitoring scan-ports security

ivre's Introduction


IVRE

IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is a network recon framework, including tools for passive and active recon. IVRE can use data from:

The advertising slogans are:

  • (in French): IVRE, il scanne Internet.
  • (in English): Know the networks, get DRUNK!
  • (in Latin): Nunc est bibendum.

The names IVRE and DRUNK have been chosen as a tribute to "Le Taullier".

Overview

You can have a look at the project homepage, the screenshot gallery, and the quick video introduction for an overview of the Web interface.

We have a demonstration instance; just contact us to get access.

A few blog posts have been written to show some features of IVRE.

Documentation

IVRE's documentation is hosted by Read The Docs, based on files from the doc/ directory of the repository.

On an IVRE web server, the doc/* files are available, rendered, under /doc/.

On a system with IVRE installed, you can use a --help option with most IVRE CLI tools, and help(ivre.module) with most IVRE Python sub-modules.

License

IVRE is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

IVRE is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with IVRE. If not, see the gnu.org web site.

Support

Try --help for the CLI tools, help() under Python and the "HELP" button in the web interface.

Have a look at the FAQ!

Feel free to contact the author and offer him a beer if you need help!

If you don't like beer, a good scotch or any other good alcoholic beverage will do (it is the author's unalienable right to decide whether a beverage is good or not).

Contributing

Code contributions (pull-requests) are of course welcome!

The project needs scan results and capture files that can be provided as examples. If you can contribute some samples, or if you want to contribute some samples and would need some help to do so, or if you can provide a server to run scans, please contact the author.

Contact

For both support and contribution, the repository on GitHub should be used: feel free to create a new issue or a pull request!

You can also join the Gitter conversation (that is the preferred way to get in touch for questions), or use the e-mail dev on the domain ivre.rocks.

Talking about IVRE

Research

If you are using IVRE in your research, please cite it as follows:

IVRE contributors. IVRE, a network recon framework. https://github.com/ivre/ivre, 2011-2022.

Here is the appropriate bibtex entry:

@MISC{ivre,
    title = {{IVRE}, a network recon framework},
    author={IVRE contributors},
    url = {https://ivre.rocks/},
    howpublished = {\url{https://github.com/ivre/ivre/}},
    year = {2011--2022},
}

Technical documents & blog posts

You can mention "IVRE, a network recon framework", together with the project homepage, https://ivre.rocks/ and/or the repository, https://github.com/ivre/ivre.

On Twitter, you can follow and/or mention @IvreRocks.

ivre's People

Contributors

amerousful, boutid0s, carolinele, codacy-badger, commial, cyrillefranchet, dariusmr, fccagou, fmonjalet, frky, gpotter2, jbgalet, lfortemps, nutigoodpipes, p-l-, ponpon19, psyray, rhaev3n, serializingme, serpilliere, sp1d3rb0y, tdrrdt, tedbe, tengbps, the-alchemist, timgates42, tpourcelot, vruello, williambruneau, xavier-martin


ivre's Issues

Python version trouble

During IVRE's installation, web/cgi-bin scripts are copied directly from the source files without adjusting the she-bang to the according python2 version.

If the system default Python version is python3, this causes the webUI to display the message:
ERROR: Could not import ivre. Check the server's logs!

WebUI: speed up interface by using more one-time bindings

PR #84 has improved the reactivity of the Web interface, partly by using one-time bindings. But it has left some places where one-time bindings would be appropriate.

We should review AngularJS bindings and use one-time bindings where appropriate.

Results tagging

I would like to have the possibility to tag scan results. That is to say, associate a tuple (scan, host, port) with one or more custom tags (for instance, strings).

For example, after a scan import, I would like to go through the results (by scrolling or filtering them) and tag some of them with To investigate, Funny, May be vulnerable, ...

Then, once this first pass is done, it would be great to display only results which match a given tag or set of tags.
It could be a nice way to do team work on the same sample, and to quickly emphasize relevant information (for further investigation, report writing and so on).

In addition, an API to tag elements would be appreciated. I would like to be able to use an external tool/module to parse scan results, and, for instance, tag elements with a known corresponding CVE (and go back to them later in the UI).

Result comparison

It would be great to have a dedicated interface to compare the result (Graph and hosts) of given queries.
For instance, I would like to be able to compare the top openports on (maybe rendering as several columns):

| * | country:EU* | country:DE |

This FR seems related to #147. Indeed, it could be considered as a sub-case of report building.

WebUI: some graphs won't use the whole space

Since PR #62, the graphs are supposed to be responsive. However, this seems to apply only to "Map" and "Top values" graphs, and not to "Address space", "IPs & Ports", "Timeline" and "Timeline (24h)".

Remove Agent

Which is the command I should run to remove an agent (that I see when I run: ivre runscansagentdb --list-agents)?

Handling objects returned by 'topvalues'

When using a criteria that makes the topvalues function return an object as the label, the graph displays "[object Object]" instead of the value/string.

For instance, the 'openports' criteria.

p0f version requirement missing

Hi,

it should be mentioned in the doc that the required version of p0f is the (old) 2.x
The output format changed on 3.0 and will cause p0f2db to crash.

Cheers,

How do you update an existing docker client?

Hey there!

Not directly related to ivre, but I am not very experienced with docker. How do I update ivre from within the container? Is there a way for it to update as and when updates are pushed to github on my machine?

I have a bunch of data in the container I don't want to lose, but not sure what the upgrade path method is.

Improving Ping Discovery thoughts

Hey there!

Awesome project, many kegs of beer deserved 👍

Just some quick thoughts on host discovery. I read https://nmap.org/docs/discovery.pdf a while back and came across a project which reflects those ideas (https://github.com/leebaird/discover). It uses a combination of ICMP Echo, TCP SYN Pings and UDP Pings for discovery, and also sets the source to port 53 (DNS) for external scans. These settings help identify more hosts that may otherwise not respond.

Below is the code it uses for an external scan without service detection:

nmap --privileged -PE -PS21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 -PU53,67,68,69,123,135,137,138,139,161,162,445,500,514,520,631,1434,1900,4500,49152 -sS -sU -p T:1-1040,1050,1080,1099,1125,1158,1194,1214,1220,1344,1352,1433,1500,1503,1521,1524,1526,1720,1723,1731,1812,1813,1953,1959,2000,2002,2030,2049,2100,2121,2200,2202,2222,2301,2381,2401,2433,2456,2500,2556,2628,2745,2780-2783,2947,3000,3001,3031,3121,3127,3128,3200,3201,3230-3235,3260,3268,3269,3306,3339,3389,3460,3500,3527,3632,3689,4000,4045,4100,4242,4369,4430,4443,4445,4661,4662,4711,4848,5000,5001,5009,5010,5019,5038,5040,5059,5060,5061,5101,5180,5190,5191,5192,5193,5250,5432,5554,5555,5560,5566,5631,5666,5672,5678,5800,5801,5802,5803,5804,5850,5900-6009,6101,6106,6112,6161,6346,6379,6588,6666,6667,6697,6777,7000,7001,7002,7070,7100,7210,7510,7634,7777,7778,8000,8001,8004,8005,8008,8009,8080,8081,8082,8083,8091,8098,8099,8100,8180,8181,8222,8332,8333,8383,8384,8400,8443,8444,8470-8480,8500,8787,8834,8866,8888,9090,9100,9101,9102,9160,9343,9470-9476,9480,9495,9996,9999,10000,10025,10168,11211,12000,12345,12346,13659,15000,16080,18181-18185,18207,18208,18231,18232,19150,19190,19191,20034,22226,27017,27374,27665,28784,30718,31337,32764,32768,32771,33333,35871,37172,38903,39991,39992,40096,46144,46824,49400,50000,50030,50060,50070,50075,50090,51080,51443,53050,54320,58847,60000,60010,60030,60148,60365,62078,63148,U:53,67,123,137,161,500,523,1434,1604,2302,3478,5353,6481,17185,31337 --max-retries 3 --min-rtt-timeout 100ms --max-rtt-timeout 500ms --initial-rtt-timeout 1500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open -g 53 

The relevant parts relating to discovery:

-PE -PS21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 -PU53,67,68,69,123,135,137,138,139,161,162,445,500,514,520,631,1434,1900,4500,49152 -g 53

Would it be better to use a bigger combination of ICMP Echo, TCP SYN Pings and UDP Pings as the default option or does it have its disadvantages? If it isn't better, how could I specify multiple Ping types in ivre via template or commands with each having its own list of ports?

I've tried to replicate the command with templates, but noticed that when additional prescan ports are specified, ivre passes them to a TCP SYN Ping (-PS). I don't see a way of doing both a -PS and -PU scan, each with a separate list. Also when trying to use the addi

Is there a way to make ivre use the custom list as above?

P.S. Quick side question, whilst looking at nmapopt.py, I see that

pings='SE'

What is the SE option?

Sorry for the bombardment of questions, it's really late in the morning here!

Installation through pip doesn't handle directories creation correctly

Hi,

It seems that pip doesn't create the /usr/local/share/ivre/geoip/ directory under Debian. Due to this problem check_candidate in config.py is not able to locate the folder automatically and GEOIP_PATH is set to None.

Furthermore, the setup.py file in pip package (version 0.9.3) is different from the file on GitHub. Is it a good thing?

I don't really understand pip packaging so I let you think about it :)

Cyrille

Create scan templates

Scan parameters might be templates (stored in the DB?) instead of configuration values.

Merge port scripts and host scripts

Managing both port and host scripts makes the code more complicated and, more importantly, makes some requests we make less efficient (because less capable of using MongoDB indexes).

We should either manage all scripts in a central list of nested documents:

{
    "ports": [{"proto": "tcp", "port": 80, [...]}, [...]],
    "scripts": [
        {"port": 80, "proto": "tcp", "id": "http-title", "output": [...]},
        {"host": True, "id": "firewalk", "output": [...]},
    ],
}

Or create a fake nested document in ports array:

{
    "ports": [
        {"proto": "tcp", "port": 80, "scripts": [{"id": "http-title", "output": [...]}, [...]] [...]},
        {"host": True, "scripts": [{"id": "firewalk", "output": [...]}, [...]]},
    ],
}
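The two layouts proposed above, applied to one host record, as an added example (not IVRE's code). The "current" layout, the sample record and all function names are assumptions made for illustration.

```python
import copy

# Constructed host record. The "current" layout is an assumption: port
# scripts nested under each port, host scripts in a separate top-level list.
CURRENT = {
    "addr": "192.0.2.10",
    "ports": [
        {"proto": "tcp", "port": 80,
         "scripts": [{"id": "http-title", "output": "Welcome"}]},
        {"proto": "tcp", "port": 22, "scripts": []},
    ],
    "scripts": [{"id": "firewalk", "output": "no filtered ports"}],
}


def to_central_list(doc):
    """First proposal: every script in one top-level list, tagged with its origin."""
    new = copy.deepcopy(doc)
    scripts = [dict(s, host=True) for s in new.pop("scripts", [])]
    for port in new["ports"]:
        for script in port.pop("scripts", []):
            scripts.append(dict(script, proto=port["proto"], port=port["port"]))
    new["scripts"] = scripts
    return new


def to_fake_port(doc):
    """Second proposal: host scripts move into a marker entry of the ports array."""
    new = copy.deepcopy(doc)
    host_scripts = new.pop("scripts", [])
    if host_scripts:
        new["ports"].append({"host": True, "scripts": host_scripts})
    return new


def real_ports(doc):
    """With the marker entry, code that lists ports has to skip it."""
    return [p for p in doc["ports"] if not p.get("host")]


def find_script(doc, script_id):
    """One lookup path (ports -> scripts -> id) covers host and port scripts."""
    return [
        ("host" if p.get("host") else "%s/%d" % (p["proto"], p["port"]), s["output"])
        for p in doc["ports"]
        for s in p.get("scripts", [])
        if s["id"] == script_id
    ]


if __name__ == "__main__":
    merged = to_fake_port(CURRENT)
    print(find_script(merged, "firewalk"))
    print(len(real_ports(merged)), "real ports")
```

Either layout leaves a single path to query; the second one costs a filter wherever ports are counted or displayed.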

Dokuwiki frame forbidden

Hi,

After fast installation using manual I cannot access dokuwiki in HELP menu. Apache2 says

Forbidden
You don't have permission to access /dokuwiki/doc:webui on this server.

Linux debian 4.5.5-x86_64-linode69 #3 SMP Fri May 20 15:25:13 EDT 2016 x86_64 GNU/Linux

Server version: Apache/2.4.10 (Debian)
Server built: Nov 28 2015 14:05:48

Thanx.

`ipinfohost` fails to display IPv6 address

Traceback (most recent call last):
  File "/usr/bin/ipinfohost", line 110, in <module>
    disp_rec(r)
  File "/usr/bin/ipinfohost", line 31, in disp_rec
    ivre.utils.int2ip(r['addr']),
  File "/usr/lib/python2.7/site-packages/ivre/utils.py", line 67, in int2ip
    return socket.inet_ntoa(struct.pack('!I', ipint))
struct.error: cannot convert argument to integer

[Report] Improve customisation possibilities

As stated in #83, the current report feature lacks customization settings.

To my mind, these steps are needed to consider the feature really usable:

  • Handling every Graph available in IVRE, not just Top values and Map
    • This may involve a refactoring and cleaning of the code of graph.js, specifically rewriting them as object with a common API and options (WIP)
  • Split lines into sub-elements of size 1/3, 1/2, 2/3 and 1. Thus, Top values + Map becomes Top values with 1/2, Map with 1/2. This also involved the possibility to indicate / display it in the interface
  • Add an import/export configuration feature to manage report template
  • Use specific query for a given Graph rather than a global one
    • This could be achieved thanks to the aforementioned import/export feature, allowing one to specify query in the given configuration (JSON?), and avoiding the modification of the UI
  • Display a Host instead of a Graph (maybe by using the specific query system)

[Bug] Filter parsing doesn't work on Firefox 41

Using last IVRE version (5bb541b) and Firefox 41.0.1, adding a second filter through the web interface ends with a unique, broken filter filter1%20filter2.

It may be related with document.location.hash returning filter1%20filter2 on Firefox, contrary of filter1 filter2 on Chrome.

Warn on schema version change

Currently, there is no way to warn the user that its database version schema is too old.

While displaying results with a bad schema version, a warning could be printed to remind the user to scancli --update-schema.

ValueError: need more than 1 value to unpack

I followed https://github.com/cea-sec/ivre/blob/master/web/dokuwiki/doc/fast-install-and-first-run.txt and got this error

root@server:~# ivre ipdata --download
Downloading http://geolite.maxmind.com/download/geoip/database/GeoLiteCity_CSV/GeoLiteCity-latest.zip to /usr/local/share/ivre/geoip/GeoIPCityCSV.zip: done.
Downloading http://thyme.apnic.net/current/data-raw-table to /usr/local/share/ivre/geoip/BGP.raw: done.
Downloading http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip to /usr/local/share/ivre/geoip/GeoIPASNumCSV.zip: done.
Downloading http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip to /usr/local/share/ivre/geoip/GeoIPCountryCSV.zip: done.
Unpacking: Traceback (most recent call last):
File "/usr/local/bin/ivre", line 73, in
main()
File "/usr/local/bin/ivre", line 51, in main
tools.get_command(possible_commands[0])()
File "/usr/local/lib/python2.7/dist-packages/ivre/tools/ipdata.py", line 95, in main
ivre.geoiputils.download_all(verbose=not args.quiet)
File "/usr/local/lib/python2.7/dist-packages/ivre/geoiputils.py", line 161, in download_all
func(_args, *_kargs)
File "/usr/local/lib/python2.7/dist-packages/ivre/geoiputils.py", line 81, in bgp_raw_to_csv
utils.net2range(line[:-1].split()[0]))
File "/usr/local/lib/python2.7/dist-packages/ivre/utils.py", line 93, in net2range
addr, mask = network.split('/')
ValueError: need more than 1 value to unpack
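A defensive take on the parsing step that fails in the traceback above, as an added example (not IVRE's code): each downloaded line is validated, and lines that are not `prefix/mask` plus an AS number are reported instead of aborting the import. The sample lines are constructed, `bgp_raw_to_ranges` is a hypothetical name, and `net2range` only reuses the name seen in the traceback.

```python
import ipaddress

# Constructed sample in a "prefix<TAB>ASN" layout, mixed with the kinds of
# lines that break a bare network.split('/'): no mask, an HTML error page,
# an empty line and an invalid address.
SAMPLE_BGP_RAW = (
    "192.0.2.0/24\t64496\n"
    "198.51.100.0/25\t64497\n"
    "203.0.113.7\t64498\n"
    "<html><body>503 Service Unavailable</body></html>\n"
    "\n"
    "2001:db8::/32\t64499\n"
    "192.0.2.300/24\t64500\n"
)


def net2range(network):
    """Return (first, last) addresses of a prefix as integers.

    An entry without an explicit mask is ambiguous, so it is rejected with
    ValueError, like any string that is not a valid IPv4/IPv6 prefix.
    """
    if "/" not in network:
        raise ValueError("no mask in %r" % network)
    net = ipaddress.ip_network(network, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def bgp_raw_to_ranges(lines):
    """Parse raw-table lines into (start, stop, asn) tuples.

    Returns (ranges, rejected); rejected holds (line number, line, reason)
    so the operator can see what the download really contained.
    """
    ranges, rejected = [], []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if not fields:
            continue  # blank line, nothing to report
        try:
            if len(fields) < 2:
                raise ValueError("missing AS number")
            start, stop = net2range(fields[0])
            asn = int(fields[1])
        except ValueError as exc:
            rejected.append((lineno, line.rstrip("\n"), str(exc)))
            continue
        ranges.append((start, stop, asn))
    return ranges, rejected


if __name__ == "__main__":
    ok, bad = bgp_raw_to_ranges(SAMPLE_BGP_RAW.splitlines())
    print("%d ranges kept, %d lines rejected" % (len(ok), len(bad)))
    for lineno, text, reason in bad:
        print("line %d: %r (%s)" % (lineno, text, reason))
```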

OSError: [Errno 2] No such file or directory

Hi. After I started
& sudo ivre runscans --routable --limit 1000
I get error:

Traceback (most recent call last):
  File "/usr/local/bin/ivre", line 71, in <module>
    main()
  File "/usr/local/bin/ivre", line 49, in main
    tools.get_command(possible_commands[0])()
  File "/usr/local/lib/python2.7/dist-packages/ivre/tools/runscans.py", line 439, in main
    accept_target_status=accept_target_status)
  File "/usr/local/lib/python2.7/dist-packages/ivre/tools/runscans.py", line 190, in call_nmap
    stdin=subprocess.PIPE, stdout=subprocess.PIPE)
  File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1327, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory
~$

Linux alex 2.6.32-042stab108.1 #1 SMP Thu Apr 23 19:17:11 MSK 2015 x86_64 x86_64 x86_64 GNU/Linux

Python 2.7.6

db version v2.4.9
Wed Jun 8 13:46:20.241 git version: nogitversion

global name 'sys' is not defined

WARNING, script element without port or host
WARNING, script element without port or host
Warning:guessing pitch as xheight on row 1, block 2
WARNING, script element without port or host
WARNING, script element without port or host
WARNING, script element without port or host
Traceback (most recent call last):
File "/usr/local/bin/nmap2db", line 118, in
main()
File "/usr/local/bin/nmap2db", line 114, in main
sys.stderr.write(ivre.utils.warn_exception(exc, fname=scan))
NameError: global name 'sys' is not defined

Web/CGI: limit parameter seems broken

While asking for a Top values on, say, port:open with a limit of 15, one obtains the following request:
cgi-bin/scanjson.py?...&limit=15

But the limit value returned by (main(), l44):

flt, archive, sortby, unused, skip, limit = webutils.flt_from_query(query)

equals 10, that is to say, config.WEB_LIMIT.

In scanjson.py, after calling params = webutils.parse_query_string(), I got:

{'action': 'topvalues:port:open',
'callback': 'jQuery20302025769434403628_1437074324928',
'limit': '15',
'q': 'country%3AFR%20devicetype%3Awebcam%20tcp%2F3000',
'_': '1437074324934'}

So the limit parameter seems correctly parsed. The behavior seems to come from query_from_params(params), that I've not dug yet.

[Feature Request] Top value of port for a given service

I would like to be able to use the Top / inverse-top values to highlight ports used by a given service.

For instance, if I use -port:http, it would be great to display the least used port serving HTTP (potential easy targets, misconfiguration, ...).
When clicking on a value, the corresponding filter could be service:{ServiceName}:{PortChoice}.

[Refactor] Static methods in DBO

In the Mongo DBO (ivre/ivre/db/mongo.py), some methods require a MongoDB instance, but they do not use it.

For instance:

  • getid
  • serialize
  • distinct
  • str2id
  • _flt_and
  • flt_or
  • ...

Since these methods are related to MongoDB specificities but independent of the current instance, they could be implemented as static methods.

Does it appear legitimate ?

Http-screenshot to FQDN instead of IP address.

Hello!

Is it possible to make a http-screenshot to a FQDN instead of IP address ?

Many websites resolve to the same ip address and when I do a "http-screenshot" to a FQDN, it attacks the IP address and get errors 403 - Access Denied.

To make the http-screenshot I use phantomjs, screenshot.js and http-screenshot.nse from Ivre repository and works ok.

Thanks!

Can't Get IP data

Hey, even if I run this command(ipdata --download) more than one day, it still does not have any output, I have to press Ctrl-C to stop it. Is there any other way to replace this command?

Problems with passiverecon (p0f)

Hi guys;

I'm starting to use the features of passive recon but I have problems using p0f.

I'm using p0f 2.0.8 and Debian 8.2

root@Quijote:/tmp# apt-cache showpkg p0f
Package: p0f
Versions: 
2.0.8-2 (/var/lib/apt/lists/ftp.es.debian.org_debian_dists_jessie_main_binary-amd64_Packages) (/var/lib/dpkg/status)

If I run p0f and read a pcap file, I get information about fingerprints:

root@Quijote:/tmp# p0f -s /tmp/demo | more
p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <[email protected]>, W. Stearns <[email protected]>
p0f: listening (SYN) on '/tmp/demo', 262 sigs (14 generic, cksum 0F1F5CA2), rule: 'all'.
85.XXX.XXX.201:1122 - Windows XP SP1+, 2000 SP3 (2) [priority1] 
  -> 10.302.404.503:443 (distance 21, link: sometimes DSL (3))

But when I run p0fdb with a pcap file, it gives me the following error:

root@Quijote:/tmp# p0f2db --sensor QUIJOTE-PASIVO /tmp/demo 

p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <[email protected]>, W. Stearns <[email protected]>
p0f: listening (SYN) on '/tmp/demo', 262 sigs (14 generic, cksum 0F1F5CA2), rule: 'tcp and tcp[tcpflags] & (tcp-syn|tcp-ack) == 2'.

Traceback (most recent call last):
  File "/usr/local/bin/p0f2db", line 100, in <module>
    process_file(filename, args.sensor, args.bulk, args.mode)
  File "/usr/local/bin/p0f2db", line 67, in process_file
    ) for line in p0fprocess.stdout
  File "/usr/local/lib/python2.7/dist-packages/ivre/db/__init__.py", line 670, in insert_or_update_bulk
    self.insert_or_update(timestamp, spec, getinfos=getinfos)
  File "/usr/local/lib/python2.7/dist-packages/ivre/db/mongo.py", line 2554, in insert_or_update
    upsert=True,
  File "/usr/lib/python2.7/dist-packages/pymongo/collection.py", line 572, in update
    check_keys, self.uuid_subtype), safe)
  File "/usr/lib/python2.7/dist-packages/pymongo/mongo_client.py", line 1124, in _send_message
    rv = self.__check_response_to_last_error(response, command)
  File "/usr/lib/python2.7/dist-packages/pymongo/mongo_client.py", line 1066, in __check_response_to_last_error
    raise OperationFailure(details["err"], code, result)
pymongo.errors.OperationFailure: Invalid modifier specified $min

root@Quijote:/tmp# [+] End of input file.

I know very little about python and mongo and would appreciate any help. Any idea?

Thank you.

`nmap2db` cannot find screenshots from script `http-screenshot` in results from `runscans`

Hey, I'm trying to import the results, but I get the following error:

root@30dcfd20aea8:/home# nmap2db -c ROUTABLE-CAMPAIGN-001 -s MySource -r scans/ROUTABLE/up
Traceback (most recent call last):
  File "/usr/local/bin/nmap2db", line 114, in <module>
    main()
  File "/usr/local/bin/nmap2db", line 108, in main
    merge=args.merge,
  File "/usr/local/lib/python2.7/dist-packages/ivre/db/__init__.py", line 337, in store_scan
    return store_scan_function(fname, filehash=scanid, **kargs)
  File "/usr/local/lib/python2.7/dist-packages/ivre/db/__init__.py", line 358, in store_scan_xml
    parser.parse(utils.open_file(fname))
  File "/usr/lib/python2.7/xml/sax/expatreader.py", line 107, in parse
    xmlreader.IncrementalParser.parse(self, source)
  File "/usr/lib/python2.7/xml/sax/xmlreader.py", line 123, in parse
    self.feed(buffer)
  File "/usr/lib/python2.7/xml/sax/expatreader.py", line 210, in feed
    self._parser.Parse(data, isFinal)
  File "/usr/lib/python2.7/xml/sax/expatreader.py", line 307, in end_element
    self._cont_handler.endElement(name)
  File "/usr/local/lib/python2.7/dist-packages/ivre/xmlnmap.py", line 899, in endElement
    os.path.dirname(self._fname), fname)) as fdesc:
IOError: [Errno 2] No such file or directory: u'scans/ROUTABLE/up/72/11/131/screenshot-72.11.131.101-80.jpg'

Why is this happening?

Authentication / ACL seems broken

I'm trying IVRE authentication without much success and I do not know if it's something I'm doing wrong. I explain:

I create a new configuration file to enable some IVRE options:

vi /usr/local/etc/ivre.conf

And I add the following content:

WEB_LIMIT = 15
WEB_INIT_QUERIES = {
     "Admin": 'full'
# 'Admin', 'none',
# "Admin": 'category: MIDOMINIO.ES'
# 'Admin-scanner-a' 'source: scanner-to'
}
WEB_DEFAULT_INIT_QUERY = 'noaccess'

Well, with this configuration, when I access IVRE, I do not get results.

Consulting /usr/local/lib/python2.7/dist-packages/ivre/webutils.py, I note that it uses the variable "REMOTE_USER"

def get_user():
    """Return the connected user.

    """
    return os.getenv('REMOTE_USER')

As I do not know if IVRE authentication uses Dokuwiki, I log in to Dokuwiki and test access, without result. You can see that I'm "admin" on Dokuwiki.

Well... I create a PHP file with phpinfo(); to see which user is being sent, but no REMOTE_USER variable appears :-(

Next, I configure Apache with authentication so that when I access IVRE, it asks me for a username/password

# Set up Apache so that values are permitted using .htaccess
$ sed -i 's/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf

$ cd /var/www/html

$ vi .htaccess

## Content of .htaccess :::
<Directory /var/www/html>
AuthType Digest
AuthName Wiki
AuthUserFile /etc/passwd-apache
require valid-user
</Directory>
# ::: EOF .htaccess

# Create passwd-apache (user/pass for auth)
$ htdigest -c /etc/passwd-admin apache Wiki

# Enable auth_digest, just in case :-)
$ a2enmod auth_digest

# Restart apache
apache2ctl restart

Access to IVRE

Now, I can see that Apache/php recognizes "REMOTE_USER"

But ... again, no results :-(

If I set "WEB_DEFAULT_INIT_QUERY = none", I can see all hosts on IVRE as enable default value ( none = full )

What am I doing wrong?

Ahh... thanks for reading

Can't attach / start 'ivreclient' docker container as root

Hi,

Following your installation procedure I cannot attach to the ivreclient container as root, which is needed by runscans (and other tools).

Here is my config:

# docker --version
Docker version 1.0.1, build 990021a

# vagrant --version
Vagrant 1.7.2

Any help is appreciated, thanks.

help me!

Good evening Pierre,
I installed the framework on one of my remote servers, and everything seems nominal:
Web interface OK, active scan OK.
Following your procedure and doc:
"If you access the web interface by another URL than the "standard"
http://localhost/, then you have to set ALLOWED_REFERERS in
scanjsonconfig.py"
I went looking for the file to modify it, but I did not find it. I think I missed something :(
Do you have any idea? Thanks in advance
@gn0u$$e (David)
