WitnessMe
Overview
WitnessMe is an automated web application reconnaissance tool that captures screenshots and fingerprints web technologies. It combines visual reconnaissance with automated technology detection, making it invaluable for:
- Capturing evidence of web applications for reports
- Identifying web technologies through visual analysis
- Building reconnaissance databases of target websites
- Documenting security assessment findings
- Rapid enumeration across multiple targets
The tool handles SSL/TLS issues, timeouts, and various HTTP configurations automatically.
Installation
From GitHub Source
git clone https://github.com/byt3bl33d3r/WitnessMe.git
cd WitnessMe
pip install -r requirements.txt
python witnessme.py --helpUsing pip
pip install witnessme
witnessme --helpDocker Installation
docker pull byt3bl33d3r/witnessme
docker run -it -v $(pwd)/screenshots:/app/screenshots byt3bl33d3r/witnessmeKali Linux
apt update && apt install witnessme -yBasic Usage
| Command | Description |
|---|---|
witnessme scan <target> | Capture screenshot from single URL |
witnessme scan <target> --proxy <proxy> | Scan through HTTP proxy |
witnessme scan <target> --timeout <seconds> | Set custom timeout |
witnessme scan <target> --port <port> | Specify non-standard port |
witnessme scan <file> | Scan targets from file (one per line) |
witnessme report | Generate HTML report of captures |
witnessme -h | Show help and all options |
Common Examples
Single Target Screenshot
witnessme scan https://example.comCaptures a screenshot from the target and saves it along with metadata including title, technologies detected, and HTTP response codes.
Scanning Multiple Targets
cat targets.txt
# http://192.168.1.10
# http://192.168.1.11:8080
# https://internal-app.local
witnessme scan targets.txtAutomatically processes each target from the file, captures screenshots, and stores results with detected information.
Scanning with Custom Timeout
witnessme scan https://slow-app.example.com --timeout 30Increases timeout for slower-responding applications, useful for detecting services that take longer to render.
Scanning Behind Proxy
witnessme scan https://example.com --proxy http://127.0.0.1:8080Routes traffic through a proxy (Burp Suite, mitmproxy, etc.) for interception and further analysis.
Port Specification
witnessme scan http://example.com --port 8080
witnessme scan https://example.com --port 8443Scans non-standard HTTP/HTTPS ports commonly used for development or internal applications.
Advanced Usage
Batch Scanning with Output Management
# Create directory for results
mkdir -p reconnaissance/screenshots
# Scan targets and organize results
witnessme scan targets.txt
# View captured screenshots
ls -la screenshots/
# Generate consolidated HTML report
witnessme reportProtocol Handling
# Force HTTP (ignores HTTPS redirects)
witnessme scan http://example.com
# Force HTTPS
witnessme scan https://example.com
# Try both HTTP and HTTPS
for proto in http https; do
witnessme scan ${proto}://example.com
doneIntegration with Nmap Results
# Extract web services from Nmap XML
nmap -p 80,443,8080,8443,8000,9000 -sV --open example.com -oX results.xml
# Extract HTTP/HTTPS URLs
grep -oP 'portid="\K[0-9]+|<service name="\K[^"]+' results.xml | paste - - | \
awk '{print "http://example.com:" $1}' > web_targets.txt
# Screenshot all web services
witnessme scan web_targets.txtCustom Target List with Metadata
# Create advanced target list
cat targets.txt
# https://web1.example.com:443
# http://web2.example.local:8080
# https://10.0.0.5:9000
# Run scan
witnessme scan targets.txt
# Generate report with all findings
witnessme reportScreenshot Management
Directory Structure
.
├── screenshots/
│ ├── 2024-01-15_102030/
│ │ ├── example.com.png
│ │ ├── example.com.json
│ │ └── index.html
│ └── 2024-01-15_112545/
│ └── ...
└── reports/
└── witnessme_report.htmlAccessing Results
# View all screenshots
ls screenshots/*/
# View metadata for each screenshot
cat screenshots/*/example.com.json | jq .
# Find screenshots with specific technologies
grep -r "WordPress" screenshots/*/
# Export screenshot metadata to CSV
find screenshots/ -name "*.json" -exec grep -H "title" {} \;Technology Detection
Detected Technologies
WitnessMe automatically identifies:
| Technology Category | Examples |
|---|---|
| CMS | WordPress, Joomla, Drupal, Magento |
| Frameworks | Django, Rails, Laravel, ASP.NET |
| Web Servers | Apache, Nginx, IIS, Tomcat |
| Databases | MySQL, PostgreSQL, MongoDB (via banners) |
| JavaScript Libraries | jQuery, Bootstrap, Angular, React |
| Admin Panels | cPanel, Plesk, WHM, Webmin |
| Monitoring Tools | Grafana, Prometheus, Splunk |
Understanding Detected Information
{
"target": "example.com:443",
"screenshot": "example.com.png",
"title": "Welcome to Example",
"response_code": 200,
"response_time_ms": 1240,
"technologies": [
{
"name": "WordPress",
"version": "5.9.2",
"confidence": "high"
},
{
"name": "Apache",
"confidence": "high"
}
],
"headers": {
"Server": "Apache/2.4.41"
}
}Report Generation
Creating HTML Reports
# Generate comprehensive HTML report
witnessme report
# Report includes:
# - All captured screenshots
# - Technology detection results
# - HTTP response codes
# - Response times
# - Navigation between findingsReport Structure
# View generated report
open report.html # macOS
xdg-open report.html # Linux
# Report contains:
# - Thumbnail gallery of all screenshots
# - Detailed findings for each target
# - Technology inventory
# - Sortable tables
# - Response code statisticsExporting Results for Further Analysis
# Extract all titles from screenshots
find screenshots/ -name "*.json" -exec jq -r '.title' {} \;
# Find all unique servers detected
find screenshots/ -name "*.json" -exec jq -r '.headers.Server' {} \; | sort -u
# Count screenshots by response code
find screenshots/ -name "*.json" -exec jq -r '.response_code' {} \; | sort | uniq -cAdvanced Configuration
Proxy Configuration
# HTTP proxy (for Burp Suite)
witnessme scan targets.txt --proxy http://127.0.0.1:8080
# SOCKS5 proxy (for Tor)
witnessme scan targets.txt --proxy socks5://127.0.0.1:9050
# Proxy with authentication
witnessme scan targets.txt --proxy http://user:pass@proxy.com:8080Timeout and Performance Settings
# Short timeout for quick enumeration
witnessme scan targets.txt --timeout 5
# Long timeout for slow applications
witnessme scan targets.txt --timeout 60
# Parallel scanning (if supported)
# Process multiple targets concurrently
witnessme scan targets.txt --threads 4SSL/TLS Handling
# Skip SSL verification (insecure but useful for testing)
witnessme scan https://self-signed.local --ignore-ssl-errors
# Force specific TLS version
# Standard HTTPS works for most modern servers
witnessme scan https://example.comReal-World Reconnaissance Workflows
Complete Enumeration Workflow
#!/bin/bash
# Step 1: Identify web servers with Nmap
nmap -p 80,443,8080-8090 --open -sV target.local -oX nmap.xml
# Step 2: Extract URLs from Nmap results
grep -oP 'portid="\K[0-9]+' nmap.xml | sort -u | while read port; do
echo "http://target.local:$port"
echo "https://target.local:$port"
done > web_targets.txt
# Step 3: Screenshot all web services
witnessme scan web_targets.txt
# Step 4: Generate comprehensive report
witnessme report
# Step 5: Analyze results
open report.htmlMonitoring Web Application Changes
#!/bin/bash
# Baseline scan
witnessme scan https://app.example.com
cp screenshots/* baseline/
# After infrastructure change
witnessme scan https://app.example.com
cp screenshots/* after_change/
# Compare screenshots
diff baseline/app.example.com.json after_change/app.example.com.jsonLarge-Scale Infrastructure Scanning
# Generate target list from CIDR range
nmap -p 80,443 --open 10.0.0.0/24 -oG nmap.grep | grep "open" | awk '{print $2}' > targets.txt
# Screenshot all web servers
time witnessme scan targets.txt
# Generate report with all findings
witnessme report
# Summary statistics
find screenshots/ -name "*.json" | wc -l
echo "Total targets scanned"Troubleshooting
Connection Issues
# Test connectivity manually
curl -v https://example.com
# If behind corporate proxy
witnessme scan https://example.com --proxy http://proxy.corp.com:8080
# If SSL certificate errors
# Use --ignore-ssl-errors flag (verify target legitimacy first)
witnessme scan https://internal-app.local --ignore-ssl-errorsScreenshot Capture Failures
# Enable verbose output
witnessme scan https://example.com -v
# Increase timeout if page loads slowly
witnessme scan https://example.com --timeout 30
# Check disk space
df -h screenshots/Large Batch Performance
# For very large target lists, process in chunks
split -l 100 targets.txt targets_
for file in targets_*; do
echo "Processing $file..."
witnessme scan $file
sleep 5
doneIntegration with Other Tools
Combining with Web Vulnerability Scanners
# Get screenshots first
witnessme scan https://example.com
# Identify technology from screenshots
grep -r "WordPress" screenshots/
# Then run targeted scanner
wpscan --url https://example.com -e vpFeeding Results to Burp Suite
# Capture all web services
witnessme scan targets.txt --proxy http://127.0.0.1:8080
# All traffic flows through Burp for detailed testing
# Screenshots provide visual inventory
# Burp performs active vulnerability testingCreating Evidence Documentation
# Generate HTML report for documentation
witnessme report
# Report can be included in security assessment documentation
# Provides visual proof of discovered web applications
# Timestamp and URL information includedBest Practices
- Authorization First: Obtain written permission before scanning any target
- Organized Results: Create separate directories for different scan dates/targets
- Proxy Usage: Route through Burp Suite for simultaneous detailed analysis
- Timeout Adjustment: Set appropriate timeouts based on network conditions
- Regular Reporting: Generate reports for documentation and stakeholder communication
- Backup Findings: Keep copies of key screenshots in case original directories are cleared
- Privacy: Redact sensitive information from reports before sharing
- Evidence Chain: Maintain timestamps and metadata for legal/compliance requirements
Performance Metrics
Typical Scan Times
# Single target
witnessme scan https://example.com
# ~2-5 seconds depending on page complexity and network
# Multiple targets (10 URLs)
witnessme scan targets.txt
# ~30-60 seconds
# Large batch (100+ targets)
witnessme scan large_targets.txt
# ~5-15 minutes depending on timeouts and networkConclusion
WitnessMe provides rapid, automated visual reconnaissance of web applications. Its ability to capture screenshots, detect technologies, and generate comprehensive reports makes it essential for reconnaissance phases of authorized security assessments and infrastructure documentation.