
GoWitness

GoWitness is a command-line tool for web application reconnaissance that captures screenshots, fingerprints technologies, and extracts metadata from web applications. Developed by Fortra, it integrates with scanning tools like Nmap and Masscan for comprehensive asset discovery and visual-based vulnerability assessment.

Installation

# Install using Go (recommended)
# NOTE(review): @latest resolves to whatever tag is newest at the moment the
# command runs; pin an explicit version (module@<version>) when the tool is
# part of a reproducible toolchain.
go install github.com/fortra/gowitness@latest

# Or download precompiled binary
wget https://github.com/fortra/gowitness/releases/download/2.4.2/gowitness-2.4.2-linux-x86_64
# Nothing below authenticates the download: compare the file's checksum with
# the value published alongside the release before it is made executable and
# placed on the system PATH.
chmod +x gowitness-2.4.2-linux-x86_64
sudo mv gowitness-2.4.2-linux-x86_64 /usr/local/bin/gowitness

# Verify installation
gowitness --version

Basic Commands

Command — Description
gowitness --version — Display GoWitness version
gowitness --help — Show help information
gowitness screenshot — Take screenshot of single URL
gowitness scan — Scan multiple targets from file/stdin
gowitness generate — Generate report from screenshots

Single URL Screenshots

# Single-URL capture examples; each line is a complete, stand-alone invocation.

# Screenshot single URL
gowitness screenshot http://target.com

# Screenshot with HTTPS (the scheme is part of the URL, so the http and https
# forms of one host are two separate captures)
gowitness screenshot https://target.com

# Specify output filename
gowitness screenshot http://target.com -f target-home.png

# Custom viewport size
gowitness screenshot http://target.com --width 1920 --height 1080

# Full page screenshot
gowitness screenshot http://target.com --full-page

# Set custom timeout (seconds)
gowitness screenshot http://target.com --timeout 10

# Save with metadata
# NOTE(review): -d is shown here as the metadata destination; confirm the
# flag against `gowitness screenshot --help` for the installed version.
gowitness screenshot http://target.com -d metadata.json

Batch Scanning

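# Scan URLs from file
gowitness scan --input urls.txt

# Scan from stdin ('-' makes gowitness read the target list from standard input)
# Redirect the file directly instead of piping it through cat.
gowitness scan - < urls.txt

# Specify output directory
gowitness scan --input urls.txt --output screenshots/

# Set number of parallel threads
gowitness scan --input urls.txt --threads 5

# Skip TLS verification
# This turns certificate validation off for every target in the list, so an
# interposed endpoint cannot be told apart from the real one. Limit it to lab
# or self-signed hosts and leave verification on for everything else.
gowitness scan --input urls.txt --no-verify-tls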

Network Scanning

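# Screenshot CIDR block on common ports
gowitness scan --cidr 192.168.1.0/24 --ports 80,443,8080

# Single host on multiple ports
gowitness scan --input targets.txt --ports 80,443,8080,3000,5000,8888

# Screenshot with nmap
# nmap -oG lines read "Host: <ip> (<name>)  Ports: 80/open/tcp//http///, ...",
# so a fixed column ($5) yields the first port spec, not a URL. Find the
# "Host:" field and each "<port>/open/" field by name instead and emit
# http://ip:port for every open port.
nmap -p 80,443 --open target.com -oG - \
  | awk '/\/open\// { for (i = 1; i <= NF; i++) { if ($i == "Host:") h = $(i + 1); if ($i ~ /\/open\//) { split($i, p, "/"); print "http://" h ":" p[1] } } }' \
  | gowitness scan -

# Integration with masscan
# Same name-based extraction: masscan's grepable lines use the same
# "Host: ... Ports: ..." layout but may carry extra leading columns, which is
# why numbered fields like $3/$4 are unreliable.
masscan 192.168.0.0/16 -p 80,443 -oG - \
  | awk '/\/open\// { for (i = 1; i <= NF; i++) { if ($i == "Host:") h = $(i + 1); if ($i ~ /\/open\//) { split($i, p, "/"); print "http://" h ":" p[1] } } }' \
  | gowitness scan -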

Application Fingerprinting

# Enable technology detection
gowitness scan --input urls.txt --fingerprint

# Wappalyzer-style detection
gowitness scan --input urls.txt --wappalyzer

# Extract page titles
gowitness scan --input urls.txt --title

# Save HTTP response headers
gowitness scan --input urls.txt --save-response-headers

# Full metadata collection
# NOTE(review): this line uses --headers where the example above uses
# --save-response-headers; confirm which spelling the installed version
# accepts before copying it into a script.
# Saved headers and bodies can include Set-Cookie values or tokens returned
# by the target, so treat the output directory as sensitive data.
gowitness scan --input urls.txt --title --headers --save-body

Output and Reports

# Generate HTML report
gowitness generate --input screenshots/ --output report.html

# Create report with thumbnails
gowitness generate --input screenshots/ --output index.html --thumbnail-size 300

# JSON output format
# NOTE(review): --output names a file here, while the batch-scanning examples
# pass it a directory; confirm which form the installed version expects when
# --format json is set.
gowitness scan --input urls.txt --format json --output results.json

# CSV export
gowitness generate --input screenshots/ --output results.csv --format csv

# Include failed responses
gowitness scan --input urls.txt --include-404

Authentication & Headers

# Basic authentication
# Credentials passed as arguments are readable by other local users through
# the process list and are recorded in shell history; this sheet only shows
# the argv form, so check whether the installed version can take them another
# way and clear the history entry after use.
gowitness screenshot http://target.com -u admin -p password

# Custom User-Agent
gowitness screenshot http://target.com --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Custom headers
# The same exposure applies to a bearer token supplied through -H.
gowitness screenshot http://target.com -H "Authorization: Bearer TOKEN" -H "X-Custom: Value"

# Cookie support
# ...and to session cookies supplied through --cookie.
gowitness screenshot http://target.com --cookie "session=abc123; id=user456"

# Proxy support
# Requests, including any credentials set above, reach the proxy over plain
# http://, so only use a proxy you control.
gowitness screenshot http://target.com --proxy http://proxy.local:8080

Real-World Reconnaissance Workflow

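#!/bin/bash
# Complete web application reconnaissance
#
# Usage:  recon.sh [domain]        (defaults to example.com)
# Requires subfinder, httpx and gowitness on PATH. All output goes under a
# timestamped working directory so repeated runs never overwrite each other.
set -euo pipefail

TARGET_DOMAIN="${1:-example.com}"
WORK_DIR="recon_$(date +%Y%m%d_%H%M%S)"
readonly TARGET_DOMAIN WORK_DIR

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail before anything is created if one of the tools is missing.
for tool in subfinder httpx gowitness; do
  command -v "$tool" >/dev/null 2>&1 || die "[-] required tool not found: $tool"
done

mkdir -p "$WORK_DIR"

# 1. Enumerate subdomains
printf '%s\n' "[*] Enumerating subdomains..."
subfinder -d "$TARGET_DOMAIN" -silent -o "$WORK_DIR/subdomains.txt"

# 2. Resolve and probe live hosts
printf '%s\n' "[*] Probing live hosts..."
# httpx takes the candidate list on stdin; redirect the file rather than cat it.
httpx -silent -o "$WORK_DIR/live_hosts.txt" < "$WORK_DIR/subdomains.txt"

# Stop with a clear message instead of running gowitness on an empty list.
[[ -s "$WORK_DIR/live_hosts.txt" ]] || die "[-] no live hosts found for $TARGET_DOMAIN"

# 3. Screenshot all live applications
printf '%s\n' "[*] Capturing screenshots..."
gowitness scan --input "$WORK_DIR/live_hosts.txt" \
    --output "$WORK_DIR/screenshots/" \
    --threads 10

# 4. Fingerprint technologies
printf '%s\n' "[*] Fingerprinting applications..."
gowitness scan --input "$WORK_DIR/live_hosts.txt" \
    --fingerprint \
    --title \
    --format json \
    --output "$WORK_DIR/fingerprints.json"

# 5. Generate report
printf '%s\n' "[*] Generating report..."
gowitness generate \
    --input "$WORK_DIR/screenshots/" \
    --output "$WORK_DIR/index.html" \
    --title "Web Application Reconnaissance Report"

printf '%s\n' "[+] Reconnaissance complete"
printf '%s\n' "[+] Results: $WORK_DIR"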

Port Scanning Integration

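# Nmap discovered services
# -oG lines look like "Host: <ip> (<name>)  Ports: 80/open/tcp//http///, ...";
# pick the host and every open port by field name, not by column number
# ($4/$5 land on "Ports:" and the first port spec, never on a usable URL).
nmap -sV -p 80,443,8080,8443,3000,5000 target.com -oG - \
  | awk '/\/open\// { for (i = 1; i <= NF; i++) { if ($i == "Host:") h = $(i + 1); if ($i ~ /\/open\//) { split($i, p, "/"); print "http://" h ":" p[1] } } }' \
  | gowitness scan -

# Masscan + GoWitness
# Same name-based host extraction for masscan's grepable output; each host is
# queued once for http and once for https, appending to targets.txt as before.
masscan 10.0.0.0/8 -p 80,443 --rate=1000 -oG - \
  | awk '/\/open\// { for (i = 1; i <= NF; i++) if ($i == "Host:") { print "http://" $(i + 1); print "https://" $(i + 1) } }' \
  >> targets.txt
gowitness scan --input targets.txt --threads 20

# Screenshot all services from nmap XML
nmap -sV -p- -oX nmap-output.xml target.com
# Extract from XML and scan with GoWitness
# A <port> element does not carry the host address, so grepping "<port" lines
# on their own cannot produce a URL. Remember the IPv4 <address> of the
# current <host> and print it with every <port> whose <state> is open
# (IPv4 hosts only).
awk '
  /<address / && /addrtype="ipv4"/ && match($0, /addr="[^"]+"/) {
    host = substr($0, RSTART + 6, RLENGTH - 7)
  }
  /<port / && /state="open"/ && match($0, /portid="[0-9]+"/) {
    print "http://" host ":" substr($0, RSTART + 8, RLENGTH - 9)
  }
' nmap-output.xml | gowitness scan -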

Advanced Configuration

# Proxy chains
# NOTE(review): whether name resolution also goes through the SOCKS proxy or
# happens locally is not stated here; verify if that matters for the run.
gowitness screenshot http://target.com \
    --proxy socks5://proxy.local:9050

# Custom delay between requests
gowitness scan --input urls.txt --delay 2

# Maximum screenshot dimension
gowitness screenshot http://target.com --width 3840 --height 2160

# JavaScript execution timeout
gowitness screenshot http://target.com --js-timeout 15

# Skip certificate validation
# Reasonable for a host whose certificate is already known, such as the
# self-signed lab host named here; with validation off a substituted endpoint
# is indistinguishable from the real one, so keep it on elsewhere.
gowitness screenshot https://self-signed.local --no-verify-tls

Batch Processing & Automation

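# Process large URL lists
gowitness scan --input massive-targets.txt \
    --threads 20 \
    --timeout 10 \
    --output batch_results/ \
    --format json

# Parallel processing with GNU Parallel
# parallel reads one URL per line from stdin, so redirect the file instead of
# piping it through cat. {/.} is the URL's last path component without its
# extension; two URLs that share it (e.g. http://a.com and http://a.org) would
# write the same PNG name, so choose -f with that in mind.
parallel -j 10 gowitness screenshot {} -f {/.}.png < urls.txt

# Scheduled scanning (a crontab entry, not a shell command)
# crontab has no backslash line continuation, so the whole entry must be one
# line; '%' stays escaped because cron otherwise treats it as a newline.
0 2 * * * /usr/local/bin/gowitness scan --input /data/targets.txt --output /data/screenshots/$(date +\%Y\%m\%d)/ --threads 10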

Troubleshooting

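# Enable debug output
gowitness screenshot http://target.com --debug

# Verbose logging
gowitness scan --input urls.txt --verbose

# Check screenshot quality
# With no matching files the glob is passed through literally and both tools
# report it as missing, which is the desired signal here.
file screenshots/*.png
identify screenshots/*.png

# Verify installation
# command -v is the portable shell builtin; which is an external program that
# is missing or behaves differently on some systems.
command -v gowitness
gowitness --version
# NOTE(review): on some libc implementations ldd answers by running the
# binary's dynamic loader, so only point it at a binary from a verified
# release. A statically linked build reports "not a dynamic executable",
# which is not an error.
ldd "$(command -v gowitness)"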

Best Practices

  • Use appropriate thread counts (5-10 per CPU core)
  • Respect target rate limits with --delay parameter
  • Save response headers for analysis with --save-response-headers
  • Enable fingerprinting for technology identification
  • Generate reports for stakeholder communication
  • Screenshot both HTTP and HTTPS versions
  • Use full page screenshots for complete visual analysis
  • Organize results by domain/subdomain for easy comparison
  • Verify TLS certificates in production environments
  • Combine with other reconnaissance tools (nmap, subfinder, httpx)

Environment Variables

Variable — Description
GOWITNESS_THREADS — Default thread count
GOWITNESS_TIMEOUT — Default timeout in seconds
GOWITNESS_PROXY — Default proxy URL
GOWITNESS_OUTPUT — Default output directory

References


Last updated: 2026-03-30