EyeWitness is a handy tool developed by Chris Truncer for grabbing web browser screenshots from a list of URLs. Especially handy for pen-testers is its ability to create the list of target URLs from Nessus scan output files. Whenever I do a Nessus vulnerability scan against a client, I always run EyeWitness against the scan results. This is because Nessus reports all detected web servers as an informational finding and these can have vulnerabilities that are obvious to a human but hard for a scanner to detect. For example, one scan detected several web servers and listed the finding as informational. However, visiting each of these URLs in a web browser revealed streaming video of the client’s internal offices. Clearly a security concern. Another common finding on internal network scans is embedded web servers that accept default credentials such as those found on routers, switches, printers and VOIP phones.
The tool can run on both Linux and Windows and I use it often. Although, occasionally I am in a situation where I am not able to use it. For example, when I have access to a Windows system only, and application whitelisting is in play or when moving files to the system is difficult. For such situations, I came up with the following Windows command line one-liner. Not as nifty as EyeWitness but having another quick an easy option comes in handy from time to time.
First, I generate the list of URLs based on the Nessus scan results. One option for doing this is to export the CSV version of the scan results and do a quick formula in Excel to build the list of URLs based on the “Service Detection” scan result. The other method is to export the scan results as a .nessus file, move that to my own local Linux instance, and use EyeWitness with the createtargets option as shown below.
./EyeWitness.py -f internal_scan_results.nessus --createtargets URLs.txt
Then I move this list to the Windows environment I am working in and I can run the following command to open each of the URLs in the URLs.txt file using Internet Explorer.
for /F %u in (URLs.txt) do @start iexplore %u
However, if I have more than a handful of URLs to work on, this will open up way too many Internet Explorer windows at once. To deal with this I added a counter and use it to pause after every five URLs opened. Before this will work, you need to first enable delayed variable expansion on the command line with this command.
Once you have done this, you can proceed with the following command.
set /a count=1 & for /F %u in (URLs.txt) do @start iexplore %u & echo %u & set /a _result=!count!%5>NUL & @(if !_result!==0 @pause) & set /a count+=1
Note: If you run the command above and it doesn’t pause after every five URLs, then you forgot to do the prerequisite “cmd.exe /V:ON” command.
This gives you a chance to manually inspect five web interfaces at a time, taking screenshots when it is interesting and trying default credentials. When you are ready to move on, just press any key in the command window to unleash another five. The command window output is shown below, the URL is echoed to the command line and opened in Internet Explorer in groups of five. Press any key when you are ready to continue.
This beats doing the same task manually by copy and pasting URLs into a browser window when using EyeWitness is not an option. Enjoy!