EyeWitness – Hacker Tools: Hacking through screenshots 👩💻
By Anna Hammond
January 11, 2022
EyeWitness is an incredible tool that allows you to quickly get a feel for what assets to target first. We all know hundreds of content discovery tools that give us vast amounts of data, but do we ever focus on efficiently parsing all that data? How do you go through hundreds of endpoints? If you’re doing it manually, then be sure to read this article as EyeWitness may be of great help to you!
🙋♂️ What is EyeWitness?
EyeWitness is a Python tool written by @CptJesus and @christruncer. Its goal is to help you efficiently assess which assets of your target to look into first.
It achieves this by taking a screenshot of every asset and showing you those screenshots alongside some header information and potential default credentials, if applicable.
Reading on what this tool can do is all fun and games, but let’s put the tool to the test by using it!
👷♀️ Installing EyeWitness
You can’t run a tool without installing it first. Luckily, it’s as easy as shown in this GIF.
Installing EyeWitness
As you can see, installing EyeWitness consists of 2 steps:
Clone the repository:
git clone https://github.com/FortyNorthSecurity/EyeWitness.git
Run the setup.sh script:
sh EyeWitness/Python/setup/setup.sh
That’s all! If all goes well, you’ve now successfully installed EyeWitness!
🐱🏍 Our first run!
Let’s get into it! There’s only one obvious thing we still need: A list of domain names to target. This can easily be gotten from one of the reconnaissance tools we’ve already discussed in the past! Check out our Hacking Tools page in the Intigriti Hackademy!
Now we can execute eyewitness -f domains.txt and this will start the tool. Take a look at the GIF below to see what such a run looks like.
Running EyeWitness
After executing, the tool will open the result in your browser. Here you can assess the results. Let's discuss them using the screenshot below.
The result page starts off by giving us a nice overview of everything that it found. In this case we have Unauthorized pages, Not Found pages and Bad Requests already filtered out from all the rest. Nice!
Scrolling down, we find screenshots and the headers of all these pages. We can now quickly assess which page we would like to target first!
🌟 Features
Let’s take a closer look at some more features that EyeWitness has in store for us!
EyeWitness Usage
Input options
These are the options that can help you input the targets to take screenshots of.
-f Filename
Line-separated file containing URLs to capture. As seen in the example above.
-x Filename.xml
Nmap XML or .Nessus file, because yes, this tool can parse that output!
--single Single URL
Single URL/Host to capture. If for some reason you'd only want to scan a single target.
--no-dns
Skip DNS resolution when connecting to websites. Can be useful in specific cases, if you're going through a VPN for example.
Input Options
Timing Options
Need to go fast, need to slow down? These options help you go to town! Please take a close look at these options as they can help you stay within the required limits of bug bounty programs!
--timeout Timeout
Maximum number of seconds to wait while requesting a web page (Default: 7).
--jitter # of Seconds
Randomize URLs and add a random delay between requests.
--delay # of Seconds
Delay between the opening of the navigator and taking the screenshot.
--threads # of Threads
Number of threads to use while using file based input.
--max-retries Max retries on a timeout
Max retries on timeouts.
Timing Options
Report Output Options
A couple of minor options to change the output file.
-d Directory Name
Directory name for report output.
--results Hosts Per Page
Number of hosts per page of report.
--no-prompt
Don't prompt to open the report.
Report Output Options
Web Options
These options deal with the way that EyeWitness takes screenshots of the resulting pages. All of this can be configured to handle the HTTP(S) traffic in just the way you want it! Note that some of these options are also required to adhere to some bug bounty programs' rules.
--user-agent User Agent
User Agent to use for all requests.
--difference Difference Threshold
Difference threshold when determining if user agent requests are close "enough" (Default: 50).
--proxy-ip 127.0.0.1
IP of web proxy to go through.
--proxy-port 8080
Port of web proxy to go through.
--proxy-type socks5
Proxy type (socks5/http).
--show-selenium
Show display for selenium.
--resolve
Resolve IP/Hostname for targets.
--add-http-ports ADD_HTTP_PORTS
Comma-separated additional port(s) to assume are http (e.g. '8018,8028').
--add-https-ports ADD_HTTPS_PORTS
Comma-separated additional port(s) to assume are https (e.g. '8018,8028').
--only-ports ONLY_PORTS
Comma-separated list of exclusive ports to use (e.g. '80,8080').
--prepend-https
Prepend http:// and https:// to URLs without either.
--selenium-log-path SELENIUM_LOG_PATH
Selenium geckodriver log path.
Web Options
Resume Options
This option is a really, really nice one that allows you to resume scanning if your previous scan crashed. When we're dealing with potentially thousands of endpoints, crashes can occur, so this option is a real lifesaver!
--resume ew.db
Path to db file if you want to resume. You can find the database file in the directory (named the current date and time) that EyeWitness automatically creates when running.
Resume Options
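The timing and web options above are the ones that keep a large screenshot run inside a program's scope and rate limits. The script below is an added example (not part of EyeWitness or Intigriti's own material) that filters a URL list down to in-scope hosts and prints an eyewitness command line using the flags discussed here; the scope file format, thread/jitter values and the contact user agent are assumptions you would replace with your program's rules.

```bash
#!/usr/bin/env bash
# Added example: scope-check a URL list and build a rate-limited EyeWitness run.
# Assumes: a scope file with one bare domain per line (a line "example.com"
# also covers subdomains such as app.example.com), and that `eyewitness`
# is on PATH after the setup.sh install described in the article.
set -eu

# Keep only URLs whose hostname is in scope; everything else is dropped.
# $1 = candidate URL list (one per line), $2 = in-scope domain list
filter_in_scope() {
  local targets="$1" scope="$2" url host allowed
  while IFS= read -r url; do
    [ -z "$url" ] && continue
    # strip scheme, path and port to get the bare hostname
    host="${url#*://}"; host="${host%%/*}"; host="${host%%:*}"
    while IFS= read -r allowed; do
      [ -z "$allowed" ] && continue
      # exact match, or host ends in ".<allowed>" (suffix strip changes it)
      if [ "$host" = "$allowed" ] || [ "${host%.$allowed}" != "$host" ]; then
        printf '%s\n' "$url"
        break
      fi
    done < "$scope"
  done < "$targets"
}

# Print the EyeWitness command with conservative timing/web flags from the article:
# few threads, random jitter between requests, bounded retries, no report prompt,
# and an identifying user agent (constructed placeholder contact address).
# $1 = filtered URL file, $2 = report directory, $3 = threads, $4 = jitter seconds
build_eyewitness_cmd() {
  printf 'eyewitness -f %s -d %s --no-prompt --threads %s --jitter %s --timeout 7 --max-retries 2 --user-agent %s\n' \
    "$1" "$2" "$3" "$4" "'BugBountyResearcher (contact: researcher@example.com)'"
}

# Typical use:
#   filter_in_scope domains.txt scope.txt > in_scope.txt
#   eval "$(build_eyewitness_cmd in_scope.txt report_dir 2 5)"
```

If the run crashes part-way, the same command can be repeated with --resume pointing at the ew.db inside the report directory instead of starting over.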
🚧 Conclusion
EyeWitness is a simple, yet helpful tool designed to help you become more efficient in your post-reconnaissance phase! Start using it today to hack even faster!
If you would like to recommend a tool for us to cover next week, then be sure to let us know down below. Also be sure to check out all the previous Hacker Tools articles, such as the last one on GoSpider.
Did you know that there is a video accompanying this article? Check out the playlist!