EyeWitness
EyeWitness is a web application screenshot tool that helps security professionals quickly identify the nature of web services. It captures screenshots, collects server headers, and generates reports with built-in screenshot galleries.
Installation
Linux/Ubuntu
# Install dependencies
sudo apt update
sudo apt install python3 python3-pip git
# Clone repository
git clone https://github.com/FortyNorthSecurity/EyeWitness.git
cd EyeWitness/Python
# Install Python requirements
pip3 install -r requirements.txt
# Install additional tools
sudo apt install firefox-geckodriverKali Linux
# Pre-installed
eyewitness --help
# Or install from source
git clone https://github.com/FortyNorthSecurity/EyeWitness.git
cd EyeWitness/Python
chmod +x eyewitness.py
sudo python3 eyewitness.py --helpManual Setup
# Install Selenium and dependencies
pip3 install selenium
# Download Chrome/Firefox drivers
wget https://chromedriver.chromium.org/download
# Make executable
chmod +x eyewitness.pyBasic Syntax
# Show help
python3 eyewitness.py --help
# Version
python3 eyewitness.py --version
# Basic single URL
python3 eyewitness.py -u http://example.com
# Multiple URLs from file
python3 eyewitness.py -f urls.txt
# Specify output directory
python3 eyewitness.py -u http://example.com -d ./screenshotsInput Methods
Single URL
# HTTP
python3 eyewitness.py -u http://example.com
# HTTPS
python3 eyewitness.py -u https://example.com:8443
# With port
python3 eyewitness.py -u http://example.com:8080File Input (URL List)
# Create URL list
cat > urls.txt << EOF
http://10.0.0.1
http://10.0.0.2:8080
https://192.168.1.100:8443
http://internal-server.local
EOF
# Process list
python3 eyewitness.py -f urls.txt -d ./resultsCIDR/IP Range Input
# Scan IP range
python3 eyewitness.py --single 192.168.1.0/24 -d ./network_scan
# Specific port
python3 eyewitness.py --single 192.168.0.0/24:8080 -d ./port_8080
# Multiple ports
python3 eyewitness.py --single 10.0.0.0/24:80,443,8080,8443 -d ./multi_portNmap Integration
# Export nmap results
nmap -oX nmap_results.xml target.com
# Use nmap XML output
python3 eyewitness.py -x nmap_results.xml -d ./eyewitness_results
# Process only web services
python3 eyewitness.py -x nmap_results.xml --web -d ./web_onlyScreenshot Options
Browser Configuration
# Use Firefox (default)
python3 eyewitness.py -f urls.txt --firefox
# Use Chrome/Chromium
python3 eyewitness.py -f urls.txt --chrome
# Specify resolution
python3 eyewitness.py -f urls.txt --resolution 1920x1080
# Timeout per screenshot (seconds)
python3 eyewitness.py -f urls.txt --timeout 10Rendering Options
# Accept self-signed certificates
python3 eyewitness.py -f urls.txt --no-cert-check
# Disable JavaScript
python3 eyewitness.py -f urls.txt --no-js
# Enable all plugins
python3 eyewitness.py -f urls.txt --all-plugins
# Hide screenshot log
python3 eyewitness.py -f urls.txt --no-log-to-consolePerformance Tuning
# Number of threads
python3 eyewitness.py -f urls.txt -t 10
# Max number of screenshots
python3 eyewitness.py -f urls.txt --max-screenshots 100
# Memory limit (for headless mode)
python3 eyewitness.py -f urls.txt --max-memory-percentage 80Output & Reporting
Default Report Structure
# Generated files
results/
├── index.html # Main report
├── active.html # Services that responded
├── report.html # Detailed report
├── source/ # Full page source
├── screenshots/ # PNG screenshots
└── csv/
└── summary.csv # CSV exportReport Generation Options
# Generate JSON report
python3 eyewitness.py -f urls.txt --json
# CSV output
python3 eyewitness.py -f urls.txt --csv-output
# Create summary report
python3 eyewitness.py -f urls.txt --create-report
# Detailed logging
python3 eyewitness.py -f urls.txt --log-level debugCustom Output Format
# Specify output directory
python3 eyewitness.py -f urls.txt -d /path/to/output
# Date-stamped directory
python3 eyewitness.py -f urls.txt -d ./results_$(date +%Y%m%d_%H%M%S)
# Keep temporary files
python3 eyewitness.py -f urls.txt --keep-tempAdvanced Scenarios
Web Application Scanning
# Common web ports
python3 eyewitness.py --single 10.0.0.0/24:80,443,8000,8080,8443 \
--no-cert-check \
-d ./web_scan \
-t 15
# With custom timeout for slow apps
python3 eyewitness.py -f urls.txt \
--timeout 20 \
--delay 2 \
-d ./slow_appsNetwork Reconnaissance
# Scan entire subnet
nmap -sV -p 80,443,8000-8100 -oX network.xml 192.168.0.0/24
# Process with EyeWitness
python3 eyewitness.py -x network.xml \
--web \
--no-cert-check \
-d ./network_screenshots \
-t 20Cloud/Container Scanning
# Scan multiple cloud instances
cat > cloud_targets.txt << EOF
http://api-server-01.internal:8000
http://api-server-02.internal:8000
https://app-server-01.internal:443
EOF
python3 eyewitness.py -f cloud_targets.txt \
--no-cert-check \
--timeout 5 \
-d ./cloud_scanIntegration Workflows
With Shodan
# Export Shodan results
shodan download -l 10000 results.json "port:8080 http"
# Convert to URL list
jq -r '.[] | "\(.ip):\(.port)"' results.json > urls.txt
# Screenshot with EyeWitness
python3 eyewitness.py -f urls.txt -d ./shodan_screenshotsWith Masscan
# Scan with masscan
masscan 0.0.0.0/0 -p80,443 --banners -oX masscan.xml
# Process results
python3 eyewitness.py -x masscan.xml --web -d ./masscan_screenshotsWith Metasploit
# Export Metasploit hosts
msfconsole -q -x "hosts -o web_services.txt" && exit
# Convert format
awk '{print "http://"$1}' web_services.txt > urls.txt
# Screenshot
python3 eyewitness.py -f urls.txt -d ./metasploit_resultsComplete Scanning Example
#!/bin/bash
# Comprehensive web scanning workflow
TARGET_RANGE="192.168.1.0/24"
OUTPUT_DIR="./scan_results_$(date +%Y%m%d_%H%M%S)"
echo "[*] Starting network reconnaissance..."
# 1. Nmap scan
echo "[*] Running Nmap scan..."
nmap -sV -p 80,443,8000,8080,8443 \
--script http-title \
-oX nmap_results.xml \
$TARGET_RANGE
# 2. Generate screenshots
echo "[*] Capturing web service screenshots..."
python3 eyewitness.py \
-x nmap_results.xml \
--web \
--no-cert-check \
-d $OUTPUT_DIR \
-t 10 \
--timeout 10
# 3. Generate reports
echo "[*] Generating reports..."
cd $OUTPUT_DIR
ls -la
echo "[+] Scan complete! Results in: $OUTPUT_DIR"Header Extraction
# View captured headers
python3 eyewitness.py -f urls.txt --extract-headers
# Parse headers from results
grep -r "Server:" results/source/ | sort | uniq -c | sort -rn
# Extract technologies
grep -r "X-Powered-By:" results/source/Troubleshooting
Issue: Firefox driver not found
# Install GeckoDriver
wget https://github.com/mozilla/geckodriver/releases/download/v0.33.0/geckodriver-v0.33.0-linux64.tar.gz
tar -xzf geckodriver-*.tar.gz
sudo mv geckodriver /usr/local/bin/
# Verify
geckodriver --versionIssue: Chrome/Chromium not found
# Install Chromium
sudo apt install chromium-browser
# Or Chrome
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo dpkg -i google-chrome-stable_current_amd64.deb
# Download ChromeDriver
wget https://chromedriver.chromium.org/downloadIssue: Certificate warnings
# Ignore self-signed certificates
python3 eyewitness.py -f urls.txt --no-cert-check
# Or modify headers
python3 eyewitness.py -f urls.txt --disable-security-featuresIssue: Timeout on slow applications
# Increase timeout
python3 eyewitness.py -f urls.txt --timeout 30
# Add delay between requests
python3 eyewitness.py -f urls.txt --delay 3Best Practices
- Use appropriate threading levels (5-15 threads)
- Include timeouts to avoid hanging on unresponsive hosts
- Disable cert checks for internal networks
- Keep screenshots organized by scan date
- Review CSV summaries for patterns
- Document findings in reports
Output Files
| File | Description |
|---|---|
| index.html | Main navigation page |
| active.html | Live services only |
| report.html | Full report with details |
| summary.csv | Comma-separated data |
| screenshots/ | PNG image files |
| source/ | Raw HTML source |
Last updated: 2026-03-30 | EyeWitness v2.1