Welcome to IVRE’s documentation!

IVRE (French: Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is an open-source framework for network recon, written in Python. It relies on powerful open-source tools to gather intelligence from the network, actively or passively.

It aims at leveraging network captures and scans to let you understand how a network works. It is useful for pentests & red-teaming, incident response, monitoring, etc.


IVRE can aggregate scan results as well as intelligence from network captures. It accepts results from several tools:


IVRE can prove useful in several different scenarios (you may want to have a look at the Screenshots gallery). Here are some examples:

  • Create your own Shodan-like service, using Nmap and/or Masscan and/or Zmap / Zgrab / Zgrab2, against the whole Internet or your own networks, (private or not).

  • Store each X509 certificate seen in SSL/TLS connections, SSH public keys and algorithms, DNS answers, HTTP headers (Server, Host, User-Agent, etc.), and more… This can be useful to:

    • Validate X509 certificates independently from the clients.

    • Monitor phishing domains (based on DNS answers, HTTP Host headers, X509 certificates) hit from your corporate network.

    • Run your own, private (or not) passive DNS service.

Getting started

If you want to learn more about the different purposes of IVRE, you should start reading the Principles.

After that, you can start the Installation process.

Once you are ready, dive into the “Usage” section!


Code contributions (pull-requests) are of course welcome!

The project needs scan results and capture files that can be provided as examples. If you can contribute some samples, or if you want to contribute some samples and would need some help to do so, or if you can provide a server to run scans, please contact the author.


For both support and contribution, the repository on Github should be used: feel free to create a new issue or a pull request!

You can also join the Gitter conversation (that is the preferred way to get in touch for questions), or use the e-mail dev on the domain ivre.rocks.

On Twitter, you can follow and/or mention @IvreRocks.

On Mastodon, you can follow and/or mention @ivre@infosec.exchange.


Indices and tables