EyeWitness and Why It Rocks

External and Internal vulnerability scans are often part of any penetration test. Automated scanning tools, however, can’t always find the “good stuff.” Many times, some of the worst things that we find are in the results marked as Low-Severity or Informational in nature. It can be as easy as just visiting a web service that is exposed and finding that the default credentials haven’t been changed. As an attacker, why bother exploiting a system when you can just log in with credentials that were found with a quick Google search? How about systems with no authentication at all?

For larger scans, it might not be feasible to manually visit every web service that is exposed. That is where tools like EyeWitness come in! There are other tools that perform similar tasks, such as RAWR and Peeping Tom. I encourage you to check those out as well. I am in no way biased towards EyeWitness other than that is what I picked up and it does everything that I would like. It allows you to feed in a list of web addresses or, more often for me, a Nessus file directly exported from a Nessus server. It will automatically visit the web services that were found, take screenshots, and generate a nifty report for you in HTML format. All you have to do is scroll through the report and see which websites look interesting. It’s very helpful in quickly finding the “good stuff.”

To use EyeWitness on a Kali box, start by cloning the repository.

Enter the directory and run the setup file.

If you want to feed in a Nessus file, first export it from your Nessus server to a .nessus format.

Move the Nessus file onto your Kali box. I like to put it in the EyeWitness directory. Then, issue the command to process the file. I run it with a timeout of 30 seconds, 15 threads, and tell it to use Selenium to perform the screenshots (`--web` flag).
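As an added example (my own code, not EyeWitness's), here is a small Python parser that pulls the exposed web services out of a .nessus export, which is the same information EyeWitness extracts when you hand it the file: it walks each ReportHost, keeps the TCP ports that Nessus's Service Detection plugin (ID 22964) labelled `www`, and picks http or https depending on whether that plugin reported TLS. The sample XML is constructed and trimmed to the attributes the parser uses, and the TLS-in-output scheme heuristic is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample .nessus export (trimmed to the attributes the parser
# uses; not a real scan). Covers plaintext HTTP, TLS on a non-standard port,
# a non-web service that must be skipped, and a second host.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2><Report name="example">
 <ReportHost name="10.0.0.5">
  <ReportItem port="80" svc_name="www" protocol="tcp" pluginID="22964">
   <plugin_output>A web server is running on this port.</plugin_output></ReportItem>
  <ReportItem port="8443" svc_name="www" protocol="tcp" pluginID="22964">
   <plugin_output>A web server is running on this port through TLSv1.2.</plugin_output></ReportItem>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" pluginID="22964">
   <plugin_output>An SSH server is running on this port.</plugin_output></ReportItem>
 </ReportHost>
 <ReportHost name="printer.corp.example">
  <ReportItem port="443" svc_name="www" protocol="tcp" pluginID="22964">
   <plugin_output>A web server is running on this port through TLSv1.2.</plugin_output></ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

SERVICE_DETECTION = "22964"  # Nessus "Service Detection" plugin ID

def web_targets_from_nessus(xml_text):
    """Return sorted, de-duplicated http(s)://host:port URLs for every TCP
    port that Nessus Service Detection fingerprinted as a web server."""
    urls = set()
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        name = host.get("name")
        for item in host.iter("ReportItem"):
            if item.get("pluginID") != SERVICE_DETECTION:
                continue
            if item.get("svc_name") != "www" or item.get("protocol") != "tcp":
                continue
            port = int(item.get("port"))
            output = (item.findtext("plugin_output") or "").lower()
            # Scheme heuristic (assumption): the plugin output mentions TLS/SSL
            # when the web server was reached over an encrypted channel.
            scheme = "https" if ("tls" in output or "ssl" in output) else "http"
            urls.add(f"{scheme}://{name}:{port}")
    return sorted(urls)

if __name__ == "__main__":
    # One URL per line, so the output can be saved and fed to EyeWitness as a list.
    print("\n".join(web_targets_from_nessus(SAMPLE_NESSUS)))
```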

Below is a sample of the report that is generated.

As you can see, this can be extremely valuable for both pentesters and network administrators. Quickly find the “good stuff” or determine just what is running on your network.