First commit

MANIFEST

@@ -0,0 +1,91 @@
+# file GENERATED by distutils, do NOT edit
+setup.py
+bin/attackkeys
+bin/checkknownkeys
+bin/detectdupkeys
+bin/getmoduli
+bin/ipdata
+bin/ipinfo
+bin/ipinfohost
+bin/httpd-ivre
+bin/nmap2db
+bin/p0f2db
+bin/passiverecon2db
+bin/passivereconworker
+bin/plotdb
+bin/runscans
+bin/runscans-agent
+bin/scancli
+bin/scanstatus
+doc/AGENT.md
+doc/DOCKER.md
+doc/FAST-INSTALL-AND-FIRST-RUN.md
+doc/INSTALL.md
+doc/LICENSE-EXTERNAL.md
+doc/LICENSE.md
+doc/README.md
+doc/WEBUI.md
+docker/agent/Dockerfile
+docker/base/Dockerfile
+docker/base/ivre.conf
+docker/client/Dockerfile
+docker/db/Dockerfile
+docker/web/Dockerfile
+docker/web/doku-conf-acl.auth.php
+docker/web/doku-conf-plugins.local.php
+docker/web/doku-conf-local.php
+docker/web/doku-conf-users.auth.php
+docker/web/nginx-default-site
+honeyd/sshd
+ivre/__init__.py
+ivre/config.py
+ivre/db.py
+ivre/geoiputils.py
+ivre/graphroute.py
+ivre/keys.py
+ivre/mathutils.py
+ivre/nmapopt.py
+ivre/scanengine.py
+ivre/target.py
+ivre/utils.py
+ivre/xmlnmap.py
+passiverecon/passiverecon.bro
+passiverecon/passiverecon2db-ignore.example
+web/cgi-bin/scanjson.py
+web/cgi-bin/scanjsonconfig-sample.py
+web/dokuwiki/backlinks.patch
+web/dokuwiki/doc/agent.txt
+web/dokuwiki/doc/docker.txt
+web/dokuwiki/doc/fast-install-and-first-run.txt
+web/dokuwiki/doc/install.txt
+web/dokuwiki/doc/license-external.txt
+web/dokuwiki/doc/license.txt
+web/dokuwiki/doc/readme.txt
+web/dokuwiki/doc/webui.txt
+web/dokuwiki/media/logo.png
+web/static/config-sample.js
+web/static/favicon-loading.gif
+web/static/favicon.png
+web/static/index.html
+web/static/ivre.css
+web/static/ivre.js
+web/static/loading.gif
+web/static/logo.png
+web/static/world-110m.json
+web/static/templates/filters.html
+web/static/templates/menu.html
+web/static/templates/progressbar.html
+web/static/templates/subview-host-summary.html
+web/static/templates/subview-port-summary.html
+web/static/templates/subview-service-summary.html
+web/static/templates/view-hosts.html
+web/static/templates/view-scripts-only.html
+web/static/an/js/angular.js
+web/static/bs/css/bootstrap-responsive.css
+web/static/bs/css/bootstrap.css
+web/static/bs/img/glyphicons-halflings-white.png
+web/static/bs/img/glyphicons-halflings.png
+web/static/bs/js/bootstrap.js
+web/static/d3/js/d3.v3.min.js
+web/static/d3/js/topojson.v1.min.js
+web/static/jq/jquery.js

README.md

@@ -0,0 +1,69 @@
+This file is part of IVRE.
+
+Copyright 2011 - 2014 [Pierre LALET](mailto:pierre.lalet@cea.fr)
+
+# What is it? #
+
+IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK
+(Dynamic Recon of UNKnown networks) is a network recon framework,
+including two modules for passive recon (one p0f-base and one
+bro-based) and one module for active recon (mostly nmap-based, with a
+bit of zmap).
+
+The advertising slogans are:
+
+  - (in French): IVRE, il scanne Internet.
+  - (in English): Know the networks, get DRUNK!
+
+The names IVRE and DRUNK have been chosen as a tribute to "Le
+Taullier".
+
+# Documentation #
+
+See [doc/README](doc/README.md) (and `doc/*` files) for more
+information.
+
+On a server with the IVRE web server properly installed with a
+Dokuwiki notepad, the `doc/*` files are available under the `doc:`
+namespace (e.g., `doc:readme` for the [doc/README](doc/README.md)
+file).
+
+On a client with IVRE installed, you can use a `--help` option with
+most IVRE CLI tools, and use `help(ivre.module)` with most IVRE Python
+sub-modules.
+
+# License #
+
+IVRE is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+IVRE is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+[along with IVRE](doc/LICENSE.md). If not, see [the gnu.org web
+site](http://www.gnu.org/licenses/).
+
+# Support #
+
+Try `--help` for the CLI tools, `help()` under Python and the "HELP"
+button in the web interface.
+
+Feel free to contact the author and offer him a beer if you need help!
+
+If you don't like beer, a good scotch or any other good alcoholic
+beverage will do (it is the author's unalienable right to decide
+whether a beverage is good or not).
+
+# Contributing #
+
+Code contributions (pull-requests) are of course welcome!
+
+The project needs scan results and capture files that can be provided
+as examples. If you can contribute some samples, or if you want to
+contribute some samples and would need some help to do so, or if you
+can provide a server to run scans, please contact the author.

agent/agent

@@ -0,0 +1,66 @@
+#! /bin/sh
+
+# This file is part of IVRE.
+# Copyright 2011 - 2014 Pierre LALET <pierre.lalet@cea.fr>
+#
+# IVRE is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# IVRE is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
+# License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with IVRE. If not, see <http://www.gnu.org/licenses/>.
+
+NMAPOPTS="-vv -A --host-timeout 15m"
+SLEEP="sleep 2"
+THREADS=10
+STOREDOWN="true"
+
+INDIR=./input/
+CURDIR=./cur/
+OUTDIR=./output/
+
+if [ "$TERM" != "screen" ] ; then
+    screen "$0" $@
+    exit 0
+fi
+
+mkdir -p "$INDIR" "$CURDIR" "$OUTDIR"
+
+if [ -z "$INTHREAD" ] ; then
+    screen -X setenv INTHREAD 1
+    for i in `seq $THREADS` ; do
+	screen "$0" $@
+    done
+    exit 0
+fi
+
+while true ; do
+    [ -f "want_down" ] && break
+    fname=`ls -rt "$INDIR" | head -1`
+    if [ -z "$fname" ] ; then
+	$SLEEP
+	continue
+    fi
+    if ! mv "$INDIR/$fname" "$CURDIR/" ; then
+	continue
+    fi
+    if ! (nmap $NMAPOPTS -iL "$CURDIR/$fname" -oX "$CURDIR/$fname.xml") ; then
+	rm -f "$CURDIR/$fname.xml"
+	mv "$CURDIR/$fname" "$INDIR/"
+	$SLEEP
+    else
+	if [ "$STOREDOWN" = "false" ] &&
+	    grep -q -F '<status state="down"' "$CURDIR/$fname.xml" ; then
+	    rm -f "$CURDIR/$fname.xml" "$CURDIR/$fname"
+	else
+	    mv "$CURDIR/$fname.xml" "$OUTDIR"
+	    rm -f "$CURDIR/$fname"
+	fi
+    fi
+done

agent/sync

@@ -0,0 +1,55 @@
+#! /bin/sh
+
+# This file is part of IVRE.
+# Copyright 2011 - 2014 Pierre LALET <pierre.lalet@cea.fr>
+#
+# IVRE is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# IVRE is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
+# License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with IVRE. If not, see <http://www.gnu.org/licenses/>.
+
+
+# This is an equivalent of runscans-agent (the --sync part only) that
+# can do not need python.
+
+RSYNC="rsync"
+# Uncomment the following line to use TOR
+#RSYNC="torify rsync"
+
+MAINDIR="./agentsdata"
+
+# [user@]host:path [[user@]host:path [...]]
+AGENTS="user@host:path"
+
+SLEEP="2"
+
+function agent_path () {
+    echo "${MAINDIR}/$(echo $1 | tr ':@' '__')"
+}
+
+# make directories
+for a in $AGENTS ; do
+    for d in input remoteinput remotecur remoteoutput ; do
+	echo -p "$(agent_path $a)/${d}/"
+    done
+done
+
+# sync loop
+while true ; do
+    for a in $AGENTS ; do
+	${RSYNC} -a "$(agent_path $a)/input/" "$(agent_path $a)/remoteinput/"
+	${RSYNC} --remove-source-files "$(agent_path $a)/input/" "${a}/input/"
+	${RSYNC} --delete "${a}/input/" "$(agent_path $a)/remoteinput/" 
+	${RSYNC} --delete "${a}/cur/" "$(agent_path $a)/remotecur/" 
+	${RSYNC} --remove-source-files "${a}/output/" "$(agent_path $a)/remoteoutput/"
+    done
+    sleep ${SLEEP}
+done

bin/attackkeys

@@ -0,0 +1,97 @@
+#! /usr/bin/env python
+
+# This file is part of IVRE.
+# Copyright 2011 - 2014 Pierre LALET <pierre.lalet@cea.fr>
+#
+# IVRE is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# IVRE is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
+# License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with IVRE. If not, see <http://www.gnu.org/licenses/>.
+
+"""This tool is based on the paper "Mining your Ps and Qs: Detection
+of Widespread Weak Keys in Network Devices"
+(https://factorable.net/paper.html). It is *really* slow. You should
+probably consider to use the tool getmoduli to extract the moduli from
+the databases and then use the tool fastgcd (available here:
+https://factorable.net/resources.html).
+
+"""
+
+import ivre.keys
+import ivre.db
+from Crypto.Util.number import GCD
+import datetime
+import sys
+
+
+def check_keys(k, keys):
+    """Checks whether the modulus of the new RSA key k has a one common
+factor with one of the other keys.
+"""
+    res = False
+    for kk in keys:
+        g = GCD(k, kk)
+        if g != 1 and g != k:
+            print g, k, kk
+            sys.stdout.flush()
+            res = True
+    if (len(keys) + 1) % 100 == 0:
+        print "%d unique keys handled in %d seconds" % (
+            len(keys) + 1,
+            int(datetime.datetime.now().strftime('%s')) - starttime,
+        )
+        sys.stdout.flush()
+    return res
+
+
+def init():
+    "Initialize global variables."
+    global starttime
+    starttime = int(datetime.datetime.now().strftime('%s'))
+
+
+def test_keys():
+    "Run the test with all the SSH and SSL keys we have in our database."
+    keys = {}
+    allkeys = [ivre.keys.SSHRSAKey(), ivre.keys.SSLRSAKey(),
+               ivre.keys.PassiveSSLRSAKey()]
+    for a in allkeys:
+        for k in a.get_keys():
+            if 'modulus' in k:
+                kk = k['modulus']
+                if kk in keys:
+                    kkk = keys[kk]
+                    if (k['host'], k['port']) not in kkk:
+                        asnum = ivre.db.db.data.get(k['host'])
+                        if asnum is not None and 'as_num' in asnum:
+                            asnum = asnum['as_num']
+                        else:
+                            asnum = -1
+                        kkk.add((asnum, k['host'], k['port']))
+                        keys[kk] = kkk
+                    continue
+                if check_keys(kk, keys):
+                    print k
+                    sys.stdout.flush()
+                keys[kk] = set([(k['host'], k['port'])])
+            else:
+                print "BUG ?", k
+    print "%d unique keys handled in %d seconds" % (
+        len(keys),
+        int(datetime.datetime.now().strftime('%s')) - starttime,
+    )
+    for k in keys:
+        if len(keys[k]) != 1:
+            print hex(k), len(keys[k]), keys[k]
+
+if __name__ == '__main__':
+    init()
+    test_keys()