While doing pentesting, pentesters needs to submit their bugs to website owner. While submitting bugs, collecting evidence of the website before penetration testing and after bug fixing is must that is where eyewitness is used. This will help pen tester and the people who do bug bounty to take a snapshot of the website while performing at test on the website or web application. According to ethical hacking researcher of international institute of cyber security getting screenshots of any website becomes more easy which tells user how website user interface looks like and code associated with it.
We will show you tool called Eyewitness which is designed using python libraries. Eyewitness helps pentesters/ security researchers to take screenshots of any URL. Below diagram gives an rough idea on when to use Eyewitness, it should be during Reconnaissance phase and after Submitting bug.
- For testing we will use Ubuntu 18.04. Some perquisites required are python3, pip3, xvfb.
- Open terminal type git clone https://github.com/FortyNorthSecurity/EyeWitness.git
- Type cd EyeWitness/setup/
- Type ./setup.sh
- After installing dependencies
- Type sudo apt-get update
- Type sudo apt-get install xvfb
- Type pip3 install xvfbwrapper
- Type cd ..
- Type ./EyeWitness.py –single http://duckduckgo.com –web
- –single is used for single URL.
- –web is used for http screeenshot using selenium.
root@ubuntu:/home/iicybersecurity/Downloads/EyeWitness# ./EyeWitness.py --single http://duckduckgo.com --web
################################################################################
# EyeWitness #
################################################################################
# FortyNorth Security - https://www.fortynorthsecurity.com #
################################################################################
Attempting to screenshot http://duckduckgo.com
[*] Hit timeout limit when connecting to http://duckduckgo.com, retrying
[*] Hit timeout limit when connecting to http://duckduckgo.com
[*] Done! Report written in the /home/iicybersecurity/Downloads/EyeWitness/11142019_015148 folder!
Would you like to open the report now? [Y/n]
Y
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
M M
M .”cCCc”. M
M /cccccccc\ Our Upcoming Trainings: M
M §cccccccc| M
M :ccccccccP 44Con >> Dec 02- Dec 05 2019 M
M \cccccccc() London, England M
M \ccccccccD http://44con.com M
M |cccccccc\ _ M
M |ccccccccc) // Charlotte >> August 3-6 M
M |cccccc|= // Charlotte, NC M
M /°°°°°°”-. (CCCC) M
M ;----._ _._ |cccc| M
M .*° °° °. \cccc/ M
M / / ( )/ccc/ M
M |_/ | _.°cccc| M
M |/ °^^^°ccccccc/ M
M / \cccccccc/ M
M / \cccccc/ M
M | °*° M
M / \ Psss. Follow us on >> Twitter M
M °*-.__________..-*°° >> Facebook M
M \WWWWWWWWWWWWWWWW/ >> LinkedIn M
M \WWWWWWWWWWWWWW/ M
MMMMM|WWWWWWWWWWWW|MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
- Move to given location type cd 11142019_015148
- Type ls
root@ubuntu:/home/iicybersecurity/Downloads/EyeWitness# cd 11142019_015148 root@ubuntu:/home/iicybersecurity/Downloads/EyeWitness/11142019_015148# root@ubuntu:/home/iicybersecurity/Downloads/EyeWitness/11142019_015148# ls jquery-1.11.3.min.js report.html screens source style.css
- Eyewitness has captured initial page of the duckduckgo.com
- This tool has also gathered some basic info
root@ubuntu:/home/iicybersecurity/Downloads/EyeWitness/11142019_015148# cat report.html
<html>
<head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" type="text/css"/>
<title>EyeWitness Report</title>
<script src="jquery-1.11.3.min.js"></script>
<script type="text/javascript">
function toggleUA(id, url){
idi = "." + id;
$(idi).toggle();
change = document.getElementById(id);
if (change.innerHTML.indexOf("expand") > -1){
change.innerHTML = "Click to collapse User Agents for " + url;
}else{
change.innerHTML = "Click to expand User Agents for " + url;
}
}
</script>
</head>
<body>
<center>
<center>Report Generated on 11/14/2019 at 01:51:48</center><table border="1">
<tr>
<th>Web Request Info</th>
<th>Web Screenshot</th>
</tr><tr>
<td><div style="display: inline-block; width: 300px; word-wrap: break-word">
<a href="http://duckduckgo.com" target="_blank">http://duckduckgo.com</a><br>
<br><b> Page Title: </b>DuckDuckGo — Privacy, simplified.
<br><b> Server:</b> nginx
<br><b> Date:</b> Thu, 14 Nov 2019 09:51:55 GMT
<br><b> Content-Type:</b> text/html; charset=UTF-8
<br><b> Content-Length:</b> 6174
<br><b> Connection:</b> close
<br><b> Vary:</b> Accept-Encoding
<br><b> ETag:</b> "5dcc81c7-181e"
<br><b> Strict-Transport-Security:</b> max-age=31536000
<br><b> X-Frame-Options:</b> SAMEORIGIN
<br><b> Content-Security-Policy:</b> default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'
<br><b> X-XSS-Protection:</b> 1;mode=block
<br><b> X-Content-Type-Options:</b> nosniff
<br><b> Referrer-Policy:</b> origin
<br><b> Expect-CT:</b> max-age=0
<br><b> Expires:</b> Thu, 14 Nov 2019 09:51:54 GMT
<br><b> Cache-Control:</b> no-cache
<br><b> Accept-Ranges:</b> bytes
<br><b> Response Code:</b> 200
<br><br><a href="source/http.duckduckgo.com.txt"
target="_blank">Source Code</a></div></td>
<td><div id="screenshot"><a href="screens/http.duckduckgo.com.png"
target="_blank"><img src="screens/http.duckduckgo.com.png"
height="400"></a></div></td></tr></div>
- Above report shows basic info about the captured website. With report.html, jquery-1.11.3.min.js also shows the version of javascript.
- Javascript can be used in information gathering.
- Using some another keywords.
- Type ./EyeWitness.py –single http://testphp.vulnweb.com/categories.php
- –single using for single url. You can also use multiple URLs. For that create txt file. Type urls.txt
- For using multiple URLs.
- Type ./EyeWitness.py -f urls.txt –web
- -f is used multiple URLs.
- –web is used for http screeenshot using selenium.
root@ubuntu:/home/iicybersecurity/Downloads/EyeWitness# ./EyeWitness.py --single http://testphp.vulnweb.com/categories.php
################################################################################
# EyeWitness #
################################################################################
# FortyNorth Security - https://www.fortynorthsecurity.com #
################################################################################
Attempting to screenshot http://testphp.vulnweb.com/categories.php
[*] Hit timeout limit when connecting to http://testphp.vulnweb.com/categories.php, retrying
[*] Done! Report written in the /home/iicybersecurity/Downloads/EyeWitness/11142019_024603 folder!
Would you like to open the report now? [Y/n]
Y
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
M M
M .”cCCc”. M
M /cccccccc\ Our Upcoming Trainings: M
M §cccccccc| M
M :ccccccccP 44Con >> Dec 02- Dec 05 2019 M
M \cccccccc() London, England M
M \ccccccccD http://44con.com M
M |cccccccc\ _ M
M |ccccccccc) // Charlotte >> August 3-6 M
M |cccccc|= // Charlotte, NC M
M /°°°°°°”-. (CCCC) M
M ;----._ _._ |cccc| M
M .*° °° °. \cccc/ M
M / / ( )/ccc/ M
M |_/ | _.°cccc| M
M |/ °^^^°ccccccc/ M
M / \cccccccc/ M
M / \cccccc/ M
M | °*° M
M / \ Psss. Follow us on >> Twitter M
M °*-.__________..-*°° >> Facebook M
M \WWWWWWWWWWWWWWWW/ >> LinkedIn M
M \WWWWWWWWWWWWWW/ M
MMMMM|WWWWWWWWWWWW|MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
- Above shows the same output which comes earlier with basic info about the website. Eyewitness can be quite helpful in logging initial steps of pentesting.
Cyber Security Researcher. Information security specialist, currently working as risk infrastructure specialist & investigator. He is a cyber-security researcher with over 25 years of experience. He has served with the Intelligence Agency as a Senior Intelligence Officer. He has also worked with Google and Citrix in development of cyber security solutions. He has aided the government and many federal agencies in thwarting many cyber crimes. He has been writing for us in his free time since last 5 years.