WitnessMe
Overview
WitnessMe is an automated web application reconnaissance tool that captures screenshots and fingerprints web technologies. It combines visual reconnaissance with automated technology detection, making it invaluable for:
- Capturing evidence of web applications for reports
- Identifying web technologies through visual analysis
- Building reconnaissance databases of target websites
- Documenting security assessment findings
- Rapid enumeration across multiple targets
The tool handles SSL/TLS issues, timeouts, and various HTTP configurations automatically.
Installation
From GitHub Source
```bash
git clone https://github.com/byt3bl33d3r/WitnessMe.git
cd WitnessMe
pip install -r requirements.txt
python witnessme.py --help
```
Using pip
```bash
pip install witnessme
witnessme --help
```
Docker Installation
```bash
docker pull byt3bl33d3r/witnessme
docker run -it -v "$(pwd)/screenshots:/app/screenshots" byt3bl33d3r/witnessme
```
Kali Linux
```bash
apt update && apt install witnessme -y
```
Basic Usage
| Command | Description |
|---|---|
| `witnessme scan <target>` | Capture screenshot from single URL |
| `witnessme scan <target> --proxy <proxy>` | Scan through HTTP proxy |
| `witnessme scan <target> --timeout <seconds>` | Set custom timeout |
| `witnessme scan <target> --port <port>` | Specify non-standard port |
| `witnessme scan <file>` | Scan targets from file (one per line) |
| `witnessme report` | Generate HTML report of captures |
| `witnessme -h` | Show help and all options |
Common Examples
Single Target Screenshot
```bash
witnessme scan https://example.com
```
Captures a screenshot from the target and saves it along with metadata including title, technologies detected, and HTTP response codes.
Scanning Multiple Targets
```bash
cat targets.txt
# http://192.168.1.10
# http://192.168.1.11:8080
# https://internal-app.local
witnessme scan targets.txt
```
Automatically processes each target from the file, captures screenshots, and stores results with detected information.
Scanning with Custom Timeout
```bash
witnessme scan https://slow-app.example.com --timeout 30
```
Increases timeout for slower-responding applications, useful for detecting services that take longer to render.
Scanning Behind Proxy
```bash
witnessme scan https://example.com --proxy http://127.0.0.1:8080
```
Routes traffic through a proxy (Burp Suite, mitmproxy, etc.) for interception and further analysis.
Port Specification
```bash
witnessme scan http://example.com --port 8080
witnessme scan https://example.com --port 8443
```
Scans non-standard HTTP/HTTPS ports commonly used for development or internal applications.
Advanced Usage
Batch Scanning with Output Management
```bash
# Create directory for results
mkdir -p reconnaissance/screenshots
# Scan targets and organize results
witnessme scan targets.txt
# View captured screenshots
ls -la screenshots/
# Generate consolidated HTML report
witnessme report
```
Protocol Handling
```bash
# Force HTTP (ignores HTTPS redirects)
witnessme scan http://example.com
# Force HTTPS
witnessme scan https://example.com
# Try both HTTP and HTTPS
for proto in http https; do
    witnessme scan "${proto}://example.com"
done
```
Integration with Nmap Results
```bash
# Extract web services from Nmap XML
nmap -p 80,443,8080,8443,8000,9000 -sV --open example.com -oX results.xml
# Extract HTTP/HTTPS URLs (https when the service name or port number suggests TLS)
grep -oP 'portid="\K[0-9]+|<service name="\K[^"]+' results.xml | paste - - | \
    awk '{s = ($2 ~ /https|ssl/ || $1 ~ /443$/) ? "https" : "http"; print s "://example.com:" $1}' > web_targets.txt
# Screenshot all web services
witnessme scan web_targets.txt
```
Custom Target List with Metadata
```bash
# Create advanced target list
cat targets.txt
# https://web1.example.com:443
# http://web2.example.local:8080
# https://10.0.0.5:9000
# Run scan
witnessme scan targets.txt
# Generate report with all findings
witnessme report
```
Screenshot Management
Directory Structure
```
.
├── screenshots/
│   ├── 2024-01-15_102030/
│   │   ├── example.com.png
│   │   ├── example.com.json
│   │   └── index.html
│   └── 2024-01-15_112545/
│       └── ...
└── reports/
    └── witnessme_report.html
```
Accessing Results
```bash
# View all screenshots
ls screenshots/*/
# View metadata for each screenshot
cat screenshots/*/example.com.json | jq .
# Find metadata files that mention a specific technology
grep -rl --include="*.json" "WordPress" screenshots/
# Export screenshot metadata to CSV
find screenshots/ -name "*.json" -exec jq -r '[.target, .title, .response_code] | @csv' {} \; > metadata.csv
```
Technology Detection
Detected Technologies
WitnessMe automatically identifies:
| Technology Category | Examples |
|---|---|
| CMS | WordPress, Joomla, Drupal, Magento |
| Frameworks | Django, Rails, Laravel, ASP.NET |
| Web Servers | Apache, Nginx, IIS, Tomcat |
| Databases | MySQL, PostgreSQL, MongoDB (via banners) |
| JavaScript Libraries | jQuery, Bootstrap, Angular, React |
| Admin Panels | cPanel, Plesk, WHM, Webmin |
| Monitoring Tools | Grafana, Prometheus, Splunk |
Understanding Detected Information
```json
{
  "target": "example.com:443",
  "screenshot": "example.com.png",
  "title": "Welcome to Example",
  "response_code": 200,
  "response_time_ms": 1240,
  "technologies": [
    {
      "name": "WordPress",
      "version": "5.9.2",
      "confidence": "high"
    },
    {
      "name": "Apache",
      "confidence": "high"
    }
  ],
  "headers": {
    "Server": "Apache/2.4.41"
  }
}
```
Report Generation
Creating HTML Reports
```bash
# Generate comprehensive HTML report
witnessme report
# Report includes:
# - All captured screenshots
# - Technology detection results
# - HTTP response codes
# - Response times
# - Navigation between findings
```
Report Structure
```bash
# View generated report
open report.html      # macOS
xdg-open report.html  # Linux
# Report contains:
# - Thumbnail gallery of all screenshots
# - Detailed findings for each target
# - Technology inventory
# - Sortable tables
# - Response code statistics
```
Exporting Results for Further Analysis
```bash
# Extract all titles from screenshots
find screenshots/ -name "*.json" -exec jq -r '.title' {} \;
# Find all unique servers detected
find screenshots/ -name "*.json" -exec jq -r '.headers.Server' {} \; | sort -u
# Count screenshots by response code
find screenshots/ -name "*.json" -exec jq -r '.response_code' {} \; | sort | uniq -c
```
Advanced Configuration
Proxy Configuration
```bash
# HTTP proxy (for Burp Suite)
witnessme scan targets.txt --proxy http://127.0.0.1:8080
# SOCKS5 proxy (for Tor)
witnessme scan targets.txt --proxy socks5://127.0.0.1:9050
# Proxy with authentication
witnessme scan targets.txt --proxy http://user:pass@proxy.com:8080
```
Timeout and Performance Settings
```bash
# Short timeout for quick enumeration
witnessme scan targets.txt --timeout 5
# Long timeout for slow applications
witnessme scan targets.txt --timeout 60
# Parallel scanning (if supported)
# Process multiple targets concurrently
witnessme scan targets.txt --threads 4
```
SSL/TLS Handling
```bash
# Skip SSL verification (insecure but useful for testing)
witnessme scan https://self-signed.local --ignore-ssl-errors
# Force specific TLS version
# Standard HTTPS works for most modern servers
witnessme scan https://example.com
```
Real-World Reconnaissance Workflows
Complete Enumeration Workflow
```bash
#!/bin/bash
# Step 1: Identify web servers with Nmap
nmap -p 80,443,8080-8090 --open -sV target.local -oX nmap.xml
# Step 2: Extract URLs from Nmap results
grep -oP 'portid="\K[0-9]+' nmap.xml | sort -u | while read -r port; do
    echo "http://target.local:$port"
    echo "https://target.local:$port"
done > web_targets.txt
# Step 3: Screenshot all web services
witnessme scan web_targets.txt
# Step 4: Generate comprehensive report
witnessme report
# Step 5: Analyze results
open report.html
```
Monitoring Web Application Changes
```bash
#!/bin/bash
mkdir -p baseline after_change
# Baseline scan
witnessme scan https://app.example.com
# Copy the results from the newest timestamped scan directory
cp "$(ls -d screenshots/*/ | tail -n 1)"app.example.com.* baseline/
# After infrastructure change
witnessme scan https://app.example.com
cp "$(ls -d screenshots/*/ | tail -n 1)"app.example.com.* after_change/
# Compare capture metadata
diff baseline/app.example.com.json after_change/app.example.com.json
```
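A plain `diff` of two metadata files reports a change on every run because `response_time_ms` differs between captures. As an added example (not part of WitnessMe or the original page), this comparison ignores that field and reports only changes to the title, response code, detected technologies and headers. It assumes the JSON layout shown under "Understanding Detected Information"; the function names and both sample records are constructed.

```python
# Fields that differ on every capture and carry no change signal.
VOLATILE = {"response_time_ms"}

# Constructed records in the metadata layout shown earlier on this page.
BASELINE = {
    "target": "example.com:443", "screenshot": "example.com.png",
    "title": "Welcome to Example", "response_code": 200, "response_time_ms": 1240,
    "technologies": [{"name": "WordPress", "version": "5.9.2", "confidence": "high"},
                     {"name": "Apache", "confidence": "high"}],
    "headers": {"Server": "Apache/2.4.41"},
}
AFTER = {
    "target": "example.com:443", "screenshot": "example.com.png",
    "title": "Welcome to Example", "response_code": 200, "response_time_ms": 980,
    "technologies": [{"name": "WordPress", "version": "6.4.3", "confidence": "high"},
                     {"name": "Nginx", "confidence": "high"}],
    "headers": {"Server": "nginx/1.24.0"},
}


def tech_map(meta):
    """Map technology name -> version (None when no version was detected)."""
    return {t["name"]: t.get("version") for t in meta.get("technologies", [])}


def drift(before, after):
    """Return a list of meaningful changes between two capture records."""
    changes = []
    scalar_keys = (before.keys() | after.keys()) - VOLATILE - {"technologies", "headers"}
    for key in sorted(scalar_keys):
        if before.get(key) != after.get(key):
            changes.append(f"{key}: {before.get(key)!r} -> {after.get(key)!r}")
    old, new = tech_map(before), tech_map(after)
    for name in sorted(old.keys() | new.keys()):
        if name not in new:
            changes.append(f"technology removed: {name}")
        elif name not in old:
            changes.append(f"technology added: {name} {new[name] or ''}".rstrip())
        elif old[name] != new[name]:
            changes.append(f"technology version: {name} {old[name]} -> {new[name]}")
    old_h, new_h = before.get("headers", {}), after.get("headers", {})
    for header in sorted(old_h.keys() | new_h.keys()):
        if old_h.get(header) != new_h.get(header):
            changes.append(f"header {header}: {old_h.get(header)!r} -> {new_h.get(header)!r}")
    return changes


if __name__ == "__main__":
    print("\n".join(drift(BASELINE, AFTER)) or "no meaningful change")
```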
Large-Scale Infrastructure Scanning
```bash
# Generate target list from CIDR range (grepable output to stdout)
nmap -p 80,443 --open 10.0.0.0/24 -oG - | grep "/open/" | awk '{print $2}' | sort -u > targets.txt
# Screenshot all web servers
time witnessme scan targets.txt
# Generate report with all findings
witnessme report
# Summary statistics
echo "Total targets scanned: $(find screenshots/ -name "*.json" | wc -l)"
```
Troubleshooting
Connection Issues
```bash
# Test connectivity manually
curl -v https://example.com
# If behind corporate proxy
witnessme scan https://example.com --proxy http://proxy.corp.com:8080
# If SSL certificate errors
# Use --ignore-ssl-errors flag (verify target legitimacy first)
witnessme scan https://internal-app.local --ignore-ssl-errors
```
Screenshot Capture Failures
```bash
# Enable verbose output
witnessme scan https://example.com -v
# Increase timeout if page loads slowly
witnessme scan https://example.com --timeout 30
# Check disk space
df -h screenshots/
```
Large Batch Performance
```bash
# For very large target lists, process in chunks
split -l 100 targets.txt targets_
for file in targets_*; do
    echo "Processing $file..."
    witnessme scan "$file"
    sleep 5
done
```
Integration with Other Tools
Combining with Web Vulnerability Scanners
```bash
# Get screenshots first
witnessme scan https://example.com
# Identify technology from screenshots
grep -r "WordPress" screenshots/
# Then run targeted scanner
wpscan --url https://example.com -e vp
```
Feeding Results to Burp Suite
```bash
# Capture all web services
witnessme scan targets.txt --proxy http://127.0.0.1:8080
# All traffic flows through Burp for detailed testing
# Screenshots provide visual inventory
# Burp performs active vulnerability testing
```
Creating Evidence Documentation
```bash
# Generate HTML report for documentation
witnessme report
# Report can be included in security assessment documentation
# Provides visual proof of discovered web applications
# Timestamp and URL information included
```
Best Practices
- Authorization First: Obtain written permission before scanning any target
- Organized Results: Create separate directories for different scan dates/targets
- Proxy Usage: Route through Burp Suite for simultaneous detailed analysis
- Timeout Adjustment: Set appropriate timeouts based on network conditions
- Regular Reporting: Generate reports for documentation and stakeholder communication
- Backup Findings: Keep copies of key screenshots in case original directories are cleared
- Privacy: Redact sensitive information from reports before sharing
- Evidence Chain: Maintain timestamps and metadata for legal/compliance requirements
Performance Metrics
Typical Scan Times
```bash
# Single target
witnessme scan https://example.com
# ~2-5 seconds depending on page complexity and network
# Multiple targets (10 URLs)
witnessme scan targets.txt
# ~30-60 seconds
# Large batch (100+ targets)
witnessme scan large_targets.txt
# ~5-15 minutes depending on timeouts and network
```
Conclusion
WitnessMe provides rapid, automated visual reconnaissance of web applications. Its ability to capture screenshots, detect technologies, and generate comprehensive reports makes it essential for reconnaissance phases of authorized security assessments and infrastructure documentation.