EyeWitness is an incredible tool that allows you to quickly get a feel for what assets to target first. We all know hundreds of content discovery tools that give us vast amounts of data, but do we ever focus on efficiently parsing all that data? How do you go through hundreds of endpoints? If you’re doing it manually, then be sure to read this article as EyeWitness may be of great help to you!
🙋♂️ What is EyeWitness?
EyeWitness is a Python tool written by @CptJesus and @christruncer. It’s goal is to help you efficiently assess what assets of your target to look into first.
It achieves this by taking screenshots of every assets and showing you those screenshots alongside some header information and potential default credentials if applicable.
Reading on what this tool can do is all fun and games, but let’s put the tool to the test by using it!
👷♀️ Installing EyeWitness
You can’t run a tool without installing it first. Luckily, it’s as easy as shown in this GIF.
As you can see, installing EyeWitness consists of 2 steps:
- Clone the repository:
git clone https://github.com/FortyNorthSecurity/EyeWitness.git
- Run the setup.sh script:
That’s all! If all goes well, you’ve now successfully installed EyeWitness!
🐱🏍 Our first run!
Let’s get into it! There’s only one obvious thing we still need: A list of domain names to target. This can easily be gotten from one of the reconnaissance tools we’ve already discussed in the past! Check out our Hacking Tools page in the Intigriti Hackademy!
Now we can execute
eyewitness -f domains.txt and this will start the tool. Take a look at the gif below to see what such a run looks like.
After executing, the tool will open the result in your browser. Here you can assess the results. Let’s discuss them the screenshot below.
The result page starts off by giving us a nice overlay of all everything that it found. In this case we have Unauthorized pages, Not Found pages and Bad requests already filtered out of all the rest. Nice!
Scrolling down, we find screenshots and the headers of all these pages. We can now quickly assess which page we would like to target first!
Let’s take a closer look at some more features that EyeWitness has in store for us!
These are the options that can help you input the targets to take screenshots of.
Line-separated file containing URLs to capture. As seen in the example above.
Nmap XML or .Nessus file because yes, this tool can parse that output!
--single Single URL
Single URL/Host to capture. If for some reason you’d only want to scan a single target.
Skip DNS resolution when connecting to websites. Can be useful in specific cases if you’re going through a VPN for example.
Need to go fast, need to slow down? These options help you go to town! Please take a close look at these options as they can help you stay within the required limits of bug bounty programs!
Timeout Maximum number of seconds to wait while requesting a web page (Default: 7).
--jitter # of Seconds
Randomize URLs and add a random delay between requests.
--delay # of Seconds
Delay between the opening of the navigator and taking the screenshot.
--threads # of Threads
Number of threads to use while using file based input.
--max-retries Max retries on a timeout
Max retries on timeouts.
Report Output Options
Couple of minor options to change the output file.
-d Directory Name
Directory name for report output
--results Hosts Per Page
Number of Hosts per page of report
Don’t prompt to open the report
These options deal with the way that EyeWitness takes screenshots of the resulting pages. All of this can be configured to handle that HTTP(S) traffic in just the way you want it! Note that some of these options are also required to adhere to some bug bounty program’s rules.
--user-agent User Agent
User Agent to use for all requests.
--difference Difference Threshold
Difference threshold when determining if user agent requests are close “enough” (Default: 50).
IP of web proxy to go through.
Port of web proxy to go through.
Proxy type (socks5/http).
Show display for selenium.
Resolve IP/Hostname for targets.
Comma-separated additional port(s) to assume are http (e.g. ‘8018,8028’).
Comma-separated additional port(s) to assume are https (e.g. ‘8018,8028’)
Comma-separated list of exclusive ports to use (e.g. ‘80,8080’).
Prepend http:// and https:// to URLs without either
Selenium geckodriver log path.
This option is a really, really nice one that allows you to resume scanning if your previous scan crashed. When we’re dealing with potentially thousands of endpoints, crashes can occur, so this options is a real lifesaver!
Path to db file if you want to resume. You can find the database file in the directory (named the current date and time) that EyeWitness automatically creates when running.
EyeWitness is a simple, yet helpful tool designed to help you get more efficient in your post reconnaissance phase! Start using it today to hack even faster!
If you would like to recommend a tool for us to cover next week, then be sure to let us know down below. Also be sure to check out all the previous Hacker Tools articles, such as the last one on GoSpider.
Did you know that there is a video accompanying this article? Check out the playlist!