EyeWitness - A Rapid Web Application Triage Tool

EyeWitness is designed to take screenshots of websites, RDP services, and open VNC servers, provide some server header info, and identify default credentials if possible.

Note: It requires Python.


  EyeWitness.py [--web] [--headless] [--rdp] [--vnc] [--all-protocols]
[-f Filename] [-x Filename.xml] [--single Single URL]
[--createtargets targetfilename.txt] [--no-dns]
[--timeout Timeout] [--jitter # of Seconds]
[--threads # of Threads] [-d Directory Name]
[--results Hosts Per Page] [--no-prompt]
[--user-agent User Agent] [--cycle User Agent Type]
[--difference Difference Threshold]
[--proxy-ip] [--proxy-port 8080]
[--show-selenium] [--resolve]
[--add-http-ports ADD_HTTP_PORTS]
[--add-https-ports ADD_HTTPS_PORTS] [--prepend-https]
[--vhost-name hostname] [--active-scan] [--resume ew.db]

EyeWitness is a tool used to capture screenshots from a list of URLs

--web HTTP Screenshot using Selenium
--headless HTTP Screenshot using PhantomJS Headless
--rdp Screenshot RDP Services
--vnc Screenshot Authless VNC services
--all-protocols Screenshot all supported protocols, using Selenium for

Input Options:
-f Filename Line-separated file containing URLs to capture
-x Filename.xml Nmap XML or .Nessus file
--single Single URL Single URL/Host to capture
--createtargets targetfilename.txt
Parses a .nessus or Nmap XML file into a line-separated list of URLs
--no-dns Skip DNS resolution when connecting to websites

Timing Options:
--timeout Timeout Maximum number of seconds to wait while requesting a
web page (Default: 7)
--jitter # of Seconds
Randomize URLs and add a random delay between requests
--threads # of Threads
Number of threads to use while using file based input

Report Output Options:
-d Directory Name Directory name for report output
--results Hosts Per Page
Number of Hosts per page of the report
--no-prompt Don't prompt to open the report

Web Options:
--user-agent User Agent
User Agent to use for all requests
--cycle User Agent Type
User Agent Type (Browser, Mobile, Crawler, Scanner,
Misc, All)
--difference Difference Threshold
Difference threshold when determining if user agent
requests are close "enough" (Default: 50)
--proxy-ip IP of web proxy to go through
--proxy-port 8080 Port of web proxy to go through
--show-selenium Show display for selenium
--resolve Resolve IP/Hostname for targets
--add-http-ports ADD_HTTP_PORTS
Comma-separated additional port(s) to assume are http
(e.g. '8018,8028')
--add-https-ports ADD_HTTPS_PORTS
Comma-separated additional port(s) to assume are https
(e.g. '8018,8028')
--prepend-https Prepend http:// and https:// to URLs without either
--vhost-name hostname
Hostname to use in Host header (headless + single mode)
--active-scan Perform live login attempts to identify credentials or
login pages.

Resume Options:
--resume ew.db Path to db file if you want to resume
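As an added example (not EyeWitness's own code), the hypothetical Python helper below shows the kind of transformation --createtargets performs: it walks an Nmap XML file and emits one http:// or https:// URL per open web port, with extra ports supplied the way --add-http-ports / --add-https-ports allow. The default port sets and the sample Nmap XML are constructed assumptions, not values taken from the tool.

```python
"""Build an EyeWitness-style line-separated target list from Nmap XML.

Hypothetical helper mirroring what --createtargets does: every open TCP
port that looks like a web service becomes one URL per line, the scheme
chosen by port number or Nmap service name. Not EyeWitness's own code.
"""
import xml.etree.ElementTree as ET

# Assumed default port sets (constructed for this example).
HTTP_PORTS = {80, 8000, 8080, 8081, 8888}
HTTPS_PORTS = {443, 8443}

# Constructed sample scan: one host, four open ports, one closed port.
SAMPLE_NMAP_XML = """
<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8018"><state state="open"/><service name="unknown"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""


def create_targets(xml_text, add_http=(), add_https=(), use_hostname=False):
    """Return the URL lines that EyeWitness would then consume via -f."""
    http_ports = HTTP_PORTS | set(add_http)
    https_ports = HTTPS_PORTS | set(add_https)
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        name = host.find("hostnames/hostname")
        target = name.get("name") if use_hostname and name is not None else addr
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports never become targets
            num = int(port.get("portid"))
            svc = port.find("service")
            svc_name = svc.get("name", "") if svc is not None else ""
            if num in https_ports or svc_name == "https":
                targets.append(f"https://{target}:{num}")
            elif num in http_ports or svc_name.startswith("http"):
                targets.append(f"http://{target}:{num}")
    return targets
```

Port 8018 is only picked up once it is passed in add_http, which is exactly the case --add-http-ports exists for.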

When using "--web", EyeWitness will call Selenium, which uses the actual browser (IceWeasel or Firefox) installed on your system, to take screenshots. You won't see a browser pop up, but it is running in the background, taking screenshots of the URLs that you provided.

You can also use "--headless" to use PhantomJS to take screenshots of websites. The nice thing about PhantomJS is that it is very fast and can run in a headless environment.

By default, EyeWitness will use 10 threads, but this number can be adjusted by the user with the "--threads #NUMTHREADS" option. The ability to run threaded scans has significantly cut back on the amount of time required to scan all URLs provided to EyeWitness.

It also has the ability to take screenshots and generate a report for RDP and VNC; all you need to do is use the --rdp or --vnc switch.

From Effect Hacking (full article available on the original page).