DIVE is a Python-based tool designed to extract and validate IP addresses and domain names from any type of file, including text, binary, and logs. It offers additional features such as active DNS scanning, domain length filtering, and private IP filtering.
DIVE can be useful for cybersecurity professionals in identifying potential Command and Control (C2) servers statically. By extracting and validating IP addresses and domain names from network logs, system logs, malware executables and other artifacts, you can isolate suspicious or malicious traffic for further investigation.
- Extract IP addresses and domain names from any file type and directories
- Validate extracted domains
- Filter domains by length
- Filter out private IP addresses
- Perform active DNS scanning to identify active domains
- The tool is resource intensive on large files (e.g. memory dumps, disk images) and still needs significant optimization
- Subject to DNS rate limits
- May produce false positives in binary files
- The active DNS scan does not query every DNS record type, in order to keep it fast
- IPv6 is not supported
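The following is an added illustration of the extraction, validation and filtering steps listed above. It is not DIVE's own code; the regexes, the `extract` function and the sample bytes are assumptions constructed for this example. It reads any input as raw bytes (so it works on text, logs and binaries alike), rejects candidates that only look like IPv4 addresses (an octet above 255), applies the minimum-domain-length and private-IP filters, and deliberately leaves in a file name that matches the domain pattern, to show the false-positive class the limitations mention:

```python
import ipaddress
import re

# Candidate patterns (assumed, not DIVE's own). Matching on bytes lets the same
# code run over text and binary input without decoding the whole file first.
IPV4_RE = re.compile(rb"(?<![0-9.])(?:\d{1,3}\.){3}\d{1,3}(?![0-9.])")
DOMAIN_RE = re.compile(
    rb"(?<![A-Za-z0-9.-])"                                   # not mid-token
    rb"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"  # one or more labels
    rb"[A-Za-z]{2,63}"                                       # alphabetic TLD
    rb"(?![A-Za-z0-9.-])"
)


def valid_ipv4(text):
    """True only for a syntactically valid dotted quad (rejects e.g. 256.1.1.1)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def valid_domain(name):
    """RFC-style length checks: <=253 chars, labels 1..63 chars, no leading/trailing hyphen."""
    if len(name) > 253:
        return False
    return all(0 < len(label) <= 63 and not label.startswith("-") and not label.endswith("-")
               for label in name.split("."))


def extract(data, min_domain_len=3, filter_private=False):
    """Return {'ips': [...], 'domains': [...]} found in a byte string."""
    ips = set()
    for match in IPV4_RE.finditer(data):
        cand = match.group().decode("ascii")
        if not valid_ipv4(cand):
            continue
        if filter_private and ipaddress.IPv4Address(cand).is_private:
            continue
        ips.add(cand)

    domains = set()
    for match in DOMAIN_RE.finditer(data):
        cand = match.group().decode("ascii").lower()
        if len(cand) < min_domain_len or not valid_domain(cand):
            continue
        domains.add(cand)

    return {
        "ips": sorted(ips, key=ipaddress.IPv4Address),
        "domains": sorted(domains),
    }


def extract_file(path, **kwargs):
    """Read a file as raw bytes and extract from it."""
    with open(path, "rb") as fh:
        return extract(fh.read(), **kwargs)


# Constructed sample: ELF-like header bytes, an HTTP request, a log line and a Windows path.
SAMPLE = (
    b"\x7fELF\x01\x01\x00\x00GET http://update.example.com/check HTTP/1.1\x00"
    b"admin@mail.example.org connected from 10.0.0.5 via 8.8.8.8\x00"
    b"bad octet 256.1.1.1 and public 1.1.1.1 and lan 192.168.1.1\x00"
    b"path C:\\Tools\\run.exe build v1.2.3 tld-less localhost\x00"
)

if __name__ == "__main__":
    print(extract(SAMPLE))
    print(extract(SAMPLE, min_domain_len=8, filter_private=True))
```

In the sample, `256.1.1.1` is dropped by validation, `10.0.0.5` and `192.168.1.1` disappear when `filter_private=True`, and `run.exe` survives as a domain because `.exe` is a syntactically valid label: that is exactly the kind of false positive a binary or path-heavy file produces, and a minimum length or an explicit allowlist (DIVE's `--filter-domains`) is the practical way to cut it down.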
git clone https://github.com/0xAxem/DIVE.git
cd DIVE
pip install -r requirements.txt
Run the script using the following command:
python dive.py [OPTIONS] PATH
- `--active, -a`: Perform an active DNS scan (default is False)
- `--dive-type, -dt [both|ips|domains]`: Type of extraction to perform (default is both)
- `--filter-length, -fl`: Filter domains by minimum length (default is 3)
- `--filter-private, -fp`: Filter out private IP addresses (default is False)
- `--filter-domains, -fd`: Output only specified domains (default is all domains)
- `--threads, -t`: Number of threads to use for active scan (default is 40)
To extract IPs and domains from a single file:
python dive.py /path/to/file.txt
To extract IPs and domains from a directory:
python dive.py /path/to/directory/
To perform an active DNS scan:
python dive.py --active /path/to/file.txt
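As an added example of what the active scan option does (not DIVE's own implementation; the function names, the A-record-only resolver and the fake lookup table are assumptions), this resolves a list of extracted domains with a bounded thread pool and keeps only those that answer. A domain that fails to resolve is recorded with an empty list rather than raising, so one dead name does not abort the scan:

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def resolve_a(domain):
    """Default resolver: A records only (assumed; mirrors the note that not every
    record type is queried). Returns [] on any resolution failure."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:  # socket.gaierror and timeouts are both OSError subclasses
        return []
    return sorted({info[4][0] for info in infos})


def active_scan(domains, threads=40, resolver=resolve_a):
    """Resolve each domain concurrently; returns {domain: [addresses]}.
    `threads` is the knob to lower when a resolver starts rate-limiting."""
    domains = list(dict.fromkeys(domains))  # dedupe, keep order
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return dict(zip(domains, pool.map(resolver, domains)))


def active_domains(results):
    """Domains that resolved to at least one address, sorted."""
    return sorted(d for d, addrs in results.items() if addrs)


# Constructed offline lookup table so the example runs without network access.
FAKE_DNS = {
    "update.example.com": ["192.0.2.10"],
    "mail.example.org": ["192.0.2.25"],
}


def fake_resolver(domain):
    return FAKE_DNS.get(domain, [])


if __name__ == "__main__":
    found = ["update.example.com", "run.exe", "mail.example.org", "run.exe"]
    results = active_scan(found, threads=4, resolver=fake_resolver)
    print(results)
    print(active_domains(results))
```

Swap `fake_resolver` for the default `resolve_a` to query real DNS; with a real resolver, a high thread count is what triggers the rate limits the limitations section warns about, so `--threads` is the first thing to reduce.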
If you'd like to contribute, please fork the repository and make changes as you'd like. Pull requests are warmly welcome.