WitnessMe

Overview

WitnessMe is an automated web application reconnaissance tool that captures screenshots and fingerprints web technologies. It combines visual reconnaissance with automated technology detection, making it invaluable for:

Capturing evidence of web applications for reports
Identifying web technologies through visual analysis
Building reconnaissance databases of target websites
Documenting security assessment findings
Rapid enumeration across multiple targets

The tool handles SSL/TLS issues, timeouts, and various HTTP configurations automatically.

Installation

From GitHub Source

git clone https://github.com/byt3bl33d3r/WitnessMe.git
cd WitnessMe
pip install -r requirements.txt
python witnessme.py --help

Using pip

pip install witnessme
witnessme --help

Docker Installation

docker pull byt3bl33d3r/witnessme
docker run -it -v $(pwd)/screenshots:/app/screenshots byt3bl33d3r/witnessme

Kali Linux

apt update && apt install witnessme -y

Basic Usage

Command	Description
`witnessme scan <target>`	Capture screenshot from single URL
`witnessme scan <target> --proxy <proxy>`	Scan through HTTP proxy
`witnessme scan <target> --timeout <seconds>`	Set custom timeout
`witnessme scan <target> --port <port>`	Specify non-standard port
`witnessme scan <file>`	Scan targets from file (one per line)
`witnessme report`	Generate HTML report of captures
`witnessme -h`	Show help and all options

Common Examples

Single Target Screenshot

witnessme scan https://example.com

Captures a screenshot from the target and saves it along with metadata including title, technologies detected, and HTTP response codes.

Scanning Multiple Targets

cat targets.txt
# http://192.168.1.10
# http://192.168.1.11:8080
# https://internal-app.local

witnessme scan targets.txt

Automatically processes each target from the file, captures screenshots, and stores results with detected information.

Scanning with Custom Timeout

witnessme scan https://slow-app.example.com --timeout 30

Increases timeout for slower-responding applications, useful for detecting services that take longer to render.

Scanning Behind Proxy

witnessme scan https://example.com --proxy http://127.0.0.1:8080

Routes traffic through a proxy (Burp Suite, mitmproxy, etc.) for interception and further analysis.

Port Specification

witnessme scan http://example.com --port 8080
witnessme scan https://example.com --port 8443

Scans non-standard HTTP/HTTPS ports commonly used for development or internal applications.

Advanced Usage

Batch Scanning with Output Management

# Create directory for results
mkdir -p reconnaissance/screenshots

# Scan targets and organize results
witnessme scan targets.txt

# View captured screenshots
ls -la screenshots/

# Generate consolidated HTML report
witnessme report

Protocol Handling

# Force HTTP (ignores HTTPS redirects)
witnessme scan http://example.com

# Force HTTPS
witnessme scan https://example.com

# Try both HTTP and HTTPS
for proto in http https; do
  witnessme scan ${proto}://example.com
done

Integration with Nmap Results

# Extract web services from Nmap XML
nmap -p 80,443,8080,8443,8000,9000 -sV --open example.com -oX results.xml

# Extract HTTP/HTTPS URLs
grep -oP 'portid="\K[0-9]+|<service name="\K[^"]+' results.xml | paste - - | \
  awk '{print "http://example.com:" $1}' > web_targets.txt

# Screenshot all web services
witnessme scan web_targets.txt

Custom Target List with Metadata

# Create advanced target list
cat targets.txt
# https://web1.example.com:443
# http://web2.example.local:8080
# https://10.0.0.5:9000

# Run scan
witnessme scan targets.txt

# Generate report with all findings
witnessme report

Screenshot Management

Directory Structure

.
├── screenshots/
│   ├── 2024-01-15_102030/
│   │   ├── example.com.png
│   │   ├── example.com.json
│   │   └── index.html
│   └── 2024-01-15_112545/
│       └── ...
└── reports/
    └── witnessme_report.html

Accessing Results

# View all screenshots
ls screenshots/*/

# View metadata for each screenshot
cat screenshots/*/example.com.json | jq .

# Find screenshots with specific technologies
grep -r "WordPress" screenshots/*/

# Export screenshot metadata to CSV
find screenshots/ -name "*.json" -exec grep -H "title" {} \;

Technology Detection

Detected Technologies

WitnessMe automatically identifies:

Technology Category	Examples
CMS	WordPress, Joomla, Drupal, Magento
Frameworks	Django, Rails, Laravel, ASP.NET
Web Servers	Apache, Nginx, IIS, Tomcat
Databases	MySQL, PostgreSQL, MongoDB (via banners)
JavaScript Libraries	jQuery, Bootstrap, Angular, React
Admin Panels	cPanel, Plesk, WHM, Webmin
Monitoring Tools	Grafana, Prometheus, Splunk

Understanding Detected Information

{
  "target": "example.com:443",
  "screenshot": "example.com.png",
  "title": "Welcome to Example",
  "response_code": 200,
  "response_time_ms": 1240,
  "technologies": [
    {
      "name": "WordPress",
      "version": "5.9.2",
      "confidence": "high"
    },
    {
      "name": "Apache",
      "confidence": "high"
    }
  ],
  "headers": {
    "Server": "Apache/2.4.41"
  }
}

Report Generation

Creating HTML Reports

# Generate comprehensive HTML report
witnessme report

# Report includes:
# - All captured screenshots
# - Technology detection results
# - HTTP response codes
# - Response times
# - Navigation between findings

Report Structure

# View generated report
open report.html  # macOS
xdg-open report.html  # Linux

# Report contains:
# - Thumbnail gallery of all screenshots
# - Detailed findings for each target
# - Technology inventory
# - Sortable tables
# - Response code statistics

Exporting Results for Further Analysis

# Extract all titles from screenshots
find screenshots/ -name "*.json" -exec jq -r '.title' {} \;

# Find all unique servers detected
find screenshots/ -name "*.json" -exec jq -r '.headers.Server' {} \; | sort -u

# Count screenshots by response code
find screenshots/ -name "*.json" -exec jq -r '.response_code' {} \; | sort | uniq -c

Advanced Configuration

Proxy Configuration

# HTTP proxy (for Burp Suite)
witnessme scan targets.txt --proxy http://127.0.0.1:8080

# SOCKS5 proxy (for Tor)
witnessme scan targets.txt --proxy socks5://127.0.0.1:9050

# Proxy with authentication
witnessme scan targets.txt --proxy http://user:pass@proxy.com:8080

Timeout and Performance Settings

# Short timeout for quick enumeration
witnessme scan targets.txt --timeout 5

# Long timeout for slow applications
witnessme scan targets.txt --timeout 60

# Parallel scanning (if supported)
# Process multiple targets concurrently
witnessme scan targets.txt --threads 4

SSL/TLS Handling

# Skip SSL verification (insecure but useful for testing)
witnessme scan https://self-signed.local --ignore-ssl-errors

# Force specific TLS version
# Standard HTTPS works for most modern servers
witnessme scan https://example.com

Real-World Reconnaissance Workflows

Complete Enumeration Workflow

#!/bin/bash
# Step 1: Identify web servers with Nmap
nmap -p 80,443,8080-8090 --open -sV target.local -oX nmap.xml

# Step 2: Extract URLs from Nmap results
grep -oP 'portid="\K[0-9]+' nmap.xml | sort -u | while read port; do
  echo "http://target.local:$port"
  echo "https://target.local:$port"
done > web_targets.txt

# Step 3: Screenshot all web services
witnessme scan web_targets.txt

# Step 4: Generate comprehensive report
witnessme report

# Step 5: Analyze results
open report.html

Monitoring Web Application Changes

#!/bin/bash
# Baseline scan
witnessme scan https://app.example.com
cp screenshots/* baseline/

# After infrastructure change
witnessme scan https://app.example.com
cp screenshots/* after_change/

# Compare screenshots
diff baseline/app.example.com.json after_change/app.example.com.json

Large-Scale Infrastructure Scanning

# Generate target list from CIDR range
nmap -p 80,443 --open 10.0.0.0/24 -oG nmap.grep | grep "open" | awk '{print $2}' > targets.txt

# Screenshot all web servers
time witnessme scan targets.txt

# Generate report with all findings
witnessme report

# Summary statistics
find screenshots/ -name "*.json" | wc -l
echo "Total targets scanned"

Troubleshooting

Connection Issues

# Test connectivity manually
curl -v https://example.com

# If behind corporate proxy
witnessme scan https://example.com --proxy http://proxy.corp.com:8080

# If SSL certificate errors
# Use --ignore-ssl-errors flag (verify target legitimacy first)
witnessme scan https://internal-app.local --ignore-ssl-errors

Screenshot Capture Failures

# Enable verbose output
witnessme scan https://example.com -v

# Increase timeout if page loads slowly
witnessme scan https://example.com --timeout 30

# Check disk space
df -h screenshots/

Large Batch Performance

# For very large target lists, process in chunks
split -l 100 targets.txt targets_

for file in targets_*; do
  echo "Processing $file..."
  witnessme scan $file
  sleep 5
done

Integration with Other Tools

Combining with Web Vulnerability Scanners

# Get screenshots first
witnessme scan https://example.com

# Identify technology from screenshots
grep -r "WordPress" screenshots/

# Then run targeted scanner
wpscan --url https://example.com -e vp

Feeding Results to Burp Suite

# Capture all web services
witnessme scan targets.txt --proxy http://127.0.0.1:8080

# All traffic flows through Burp for detailed testing
# Screenshots provide visual inventory
# Burp performs active vulnerability testing

Creating Evidence Documentation

# Generate HTML report for documentation
witnessme report

# Report can be included in security assessment documentation
# Provides visual proof of discovered web applications
# Timestamp and URL information included

Best Practices

Authorization First: Obtain written permission before scanning any target
Organized Results: Create separate directories for different scan dates/targets
Proxy Usage: Route through Burp Suite for simultaneous detailed analysis
Timeout Adjustment: Set appropriate timeouts based on network conditions
Regular Reporting: Generate reports for documentation and stakeholder communication
Backup Findings: Keep copies of key screenshots in case original directories are cleared
Privacy: Redact sensitive information from reports before sharing
Evidence Chain: Maintain timestamps and metadata for legal/compliance requirements

Performance Metrics

Typical Scan Times

# Single target
witnessme scan https://example.com
# ~2-5 seconds depending on page complexity and network

# Multiple targets (10 URLs)
witnessme scan targets.txt
# ~30-60 seconds

# Large batch (100+ targets)
witnessme scan large_targets.txt
# ~5-15 minutes depending on timeouts and network

Conclusion

WitnessMe provides rapid, automated visual reconnaissance of web applications. Its ability to capture screenshots, detect technologies, and generate comprehensive reports makes it essential for reconnaissance phases of authorized security assessments and infrastructure documentation.