Github Repo: https://github.com/ChrisTruncer/EyeWitness
For the past few months, the EyeWitness codebase has gone through multiple refactors, nearly all by Rohan Vazarkar (@CptJesus), but also myself. One thing that I try to preach, and any developer should agree with, is that there are three primary features a script/tool needs to have. It needs to be usable, perform a service of value (otherwise why even write it), but it also needs to be stable. With the recent updates to the back-end libraries EyeWitness uses, we failed on that last feature. At times, EyeWitness would seem to just crash on us, but then run perfectly seconds later. After many assessments of encountering these shared frustrations, we decided to start from scratch.
As of now, I’m happy to release EyeWitness 2.0, a complete re-write from the ground up. We took stability as the driving goal for our design decisions, and which libraries to use, and made the 2.0 version something that we are really happy to finally push out. This post will serve as a user’s guide, to show how to use the primary features of the tool.
First, our new menu:
Note: There’s more options available than what is displayed above.
First, let’s talk about the original/primary goal of EyeWitness, taking screenshots of websites! We removed Ghost from EyeWitness, due to stability reasons, and added in two different methods of taking screenshots. When using –web, EyeWitness will call selenium, which uses the actual browser (IceWeasel or Firefox) installed on your system, to take screenshots. You won’t see s browser pop-up, but it’s running in the background, and taking screenshots of the URLs that you provided.
Due to the fact that we encountered a large number of issues when relying on a single library to take screenshots, we decided that we didn’t want to have another single point of failure, so we added in another option when it comes for web screenshots. You can use “–headless” to use phantomjs to take screenshots of websites. The nice thing about phantomjs is it’s very fast, and can run in a headless environment.
Finally, probably the most requested feature we’ve had for some time is for EyeWitness to thread its requests. I’m really happy to say that threading has been added into EyeWitness! By default, EyeWitness will use 10 threads, but this number can be adjusted by the user with the “–threads #NUMTHREADS” option. The ability to run threaded scans has significantly cut back on the amount of time required to scan all URLs provided to EyeWitness.
Next, we’ve added in the ability to take screenshots and generate a report for RDP and VNC all because of the awesome work by Sylvain Peyrefitte (@citronneur) and the RDPY project. Now, all you need to do is use the –rdp or –vnc switch, and EyeWitness will attempt to screenshot either service. RDP screenshots will take a picture of the login screen, which will potentially also capture any other user accounts currently logged into the system. VNC screenshots will attempt to connect to a VNC service which doesn’t require authentication, and capture a screenshot of the VNC environment.
Due to the stability issues EyeWitness had in the past, we ran into instances where EyeWitness may get 90% of the way through a scan, crash on a single host, and would have to start all over. This was another major point of frustration for Rohan and myself. This was initially solved by Robin Wood (@digininja) when he provided us with a script that would generate a report based off of the currently available information that EyeWitness had gathered. We also wanted to look into this, and have now added in proper resume support! As of this 2.0 update, EyeWitness will use a sqlite database to track the systems that are queued up for screenshots, and then mark them complete in the database once done. In the event of a crash, or of the user CTRL + C to quit out of the scan, the latest information will be saved to the sqlite DB, which is in the report output folder. Once the user is ready to resume their scan, you just need to call EyeWitness with the –resume option, and pass the location of the database file.
The above pictures are what you should see when canceling a scan, and then resuming it at a later time.
Finally, the last new feature I want to go over is the new report generated by EyeWitness. EyeWitness will still attempt to identify default credentials for each web application that it scans. However, a new report layout was created for the 2.0 release. Not only does the EyeWitness report perform default credential checks, it also now will attempt to sort out and group different types of web applications together. We’ve created a group called “High Value Targets” which may have admin login links available, or any other target that might be of immediate interest to the user, such as Tomcat servers. The report will have a table of contents at the top, which can be used to jump right to any section of the report.
Oh, and just one more thing.
One request that we had from Steve Borosh (@424f424f) was to make our report searchable. Initially, we turned this down because we didn’t want to require a complete back-end database, we wanted EyeWitness Reports to be portable. However, Rohan created a search script which will parse the sqlite database that’s created with each scan and generate a report based on what you’re searching for. Want to test it out? It’s easy, just call the search script, pass in the path to the sqlite database, and provide the search strings. A new report will be created containing the results!
We hope that this helps to explain the major updates to EyeWitness! If there’s any questions you still have, feel free to contact @CptJesus or @ChrisTruncer on twitter, in #Veil on Freenode, or leave a comment below. Thanks, and hope this helps!
Amazing work sir, i LOVE your work.
one quesiton though.. sometimes i use Eyewitness on 400-500 ips, no problem. but in this case i took a file, split it in half (with split) and this is what i get in the end of the 2nd file
[*] Completed 255 out of 269 hosts
Attempting to screenshot https://snippedip
Attempting to screenshot https://snippedip
Attempting to screenshot https://snippedip
Attempting to screenshot https://snippedip
Attempting to screenshot https://snippedip
Traceback (most recent call last):
File “/usr/share/eyewitness/EyeWitness.py”, line 562, in
multi_mode(cli_parsed)
File “/usr/share/eyewitness/EyeWitness.py”, line 494, in multi_mode
sort_data_and_write(cli_parsed, results)
File “/usr/share/eyewitness/modules/reporting.py”, line 189, in sort_data_and_write
html += obj.create_table_html()
File “/usr/share/eyewitness/modules/objects.py”, line 232, in create_table_html
self.sanitize(key), self.sanitize(value))
UnicodeDecodeError: ‘ascii’ codec can’t decode byte 0xe4 in position 64: ordinal not in range(128)
do you have any idea why/how this can be prevented?
Can you provide me a URL which triggers this error? Once you do, I can get a fix in for it. But we haven’t been able to re-create this, so a/the URL would be very helpful.
Is there a way to access the data within the database instead of using the reports?
You can open the database with any SQLite browser and look at it that way.
Love the ability to import nmap xml to create http and https urls. You may consider expanding the list of http and https ports in helper.py to include more web ports (e.g. 8444, 9090, 4443, etc). It’s basically impossible to create an exhaustive list, but my normal scanning of corp environments usually includes around 30-40+ web ports. The more obscure the web server port, the more likely there’s something there that’s been forgotten or ignored. I check for http and https on these: http://pastebin.com/raw/g8ajfwrs
Love the tool mate!
Thanks for the info. While I agree it would be nice to have more, I just don’t want to go overboard with the amount of ports added. I think 80 and 443 right now are fairly solid since they are the most seen. If anyone needs more, it’s fairly easy to just append to a file with the new ports added.
Also, a safer bet would be to run a NMap or Nessus scan as the parser will grab all of the non-standard ports and scan them.
Totally agree. After using EyeWitness more in depth, I found multiple options to accommodate additional web ports.
Great tool! Thank you for sharing this. I was wondering, is it possible to have EyeWitness take a screenshot of all public pages of a domain or would the URLs have to be entered into a watchlist/input list individually?
The URLs would need to be entered manually in order for that to happen.
Any ways to provide cookies to EyeWitness for taking screenshots of sites behind authentication?
At the moment no, it doesn’t have that ability. But that isn’t a bad idea.
Hello!
I want to screenshot a large number of RDP and VNC hosts at a time.
After a lot of unsuccesful connections the thread hangs on Error Connecting to [ip].
Is this normal and i should wait more for getting the report?
How long are you waiting for the response? Sometimes VNC and RDP screenshots take a while, especially if you are giving them a large number. If you find it just hangs, for testing purposes, can you break it up into smaller chunks and find out the culprit ip?
Thank you for the very fast response.
I read it from a csv file, generated by zmap.
Hangs randomly. Is there a way to read the file line by line, try to connect, screenshot, then move to the next line? As i see –threads # does not make any difference.
Hello! I’ve found a problematic IP adress that is responding for requests but possibly it’s not a VNC server but this one hangs the whole process (and many other ip’s too).
Do you know a scanner that scans for VNC sessions on specific ips that i can give to EyeWitness, or is there a workaround (like timeout option) for example : if i cant connect in 5 sec it’ll move to the other ips?
Thanks in advance!
Regards : Peter
I wish I did, but I don’t have the ability at the moment to timeout VNC or RDP screenshots, only web.