Visual Reconnaissance
Automated screenshot and visual analysis tools for web application reconnaissance at scale.
Overview
Visual reconnaissance helps identify:
- Technologies and frameworks used
- Admin panels and login pages
- Outdated or vulnerable applications
- Interesting endpoints across large IP ranges
- Virtual host configurations
EyeWitness
Captures screenshots of web applications, records server headers and flags pages that match known default-credential signatures. RDP and VNC screenshotting existed in older releases; the current Python version is web-only.
Installation
# Clone repository and run the setup script (installs Firefox, geckodriver and the Python dependencies)
git clone https://github.com/FortyNorthSecurity/EyeWitness.git
cd EyeWitness/Python/setup
sudo ./setup.sh
# Or build the Docker image from the Dockerfile in the repository root
git clone https://github.com/FortyNorthSecurity/EyeWitness.git && cd EyeWitness && docker build -t eyewitness .
Basic Usage
# From file of URLs
./EyeWitness.py -f urls.txt --web
# From Nmap XML output
./EyeWitness.py -x nmap_scan.xml --web
# From file of IPs/hosts without a scheme: http:// is assumed, --prepend-https also queues an https:// attempt
./EyeWitness.py -f ips.txt --web --no-prompt --prepend-https
# Specify output directory
./EyeWitness.py -f urls.txt --web -d /tmp/eyewitness_output
# Set a custom User-Agent
./EyeWitness.py -f urls.txt --web --user-agent "Custom Agent"
# Route requests through a proxy such as Burp (EyeWitness takes no login credentials; it only flags known default credentials from page signatures)
./EyeWitness.py -f urls.txt --web --proxy-ip 127.0.0.1 --proxy-port 8080
Advanced Options
# Screenshot only specific ports
./EyeWitness.py -f ips.txt --web --no-prompt --prepend-https --only-ports 443,8443
# Add ports to the default HTTP/HTTPS port lists instead
./EyeWitness.py -f ips.txt --web --add-http-ports 8000,8081 --add-https-ports 9443
# Increase timeout for slow sites (seconds)
./EyeWitness.py -f urls.txt --web --timeout 10
# Maximum number of retries on a timeout
./EyeWitness.py -f urls.txt --web --max-retries 3
# Parallel browser sessions for file input
./EyeWitness.py -f urls.txt --web --threads 10
# Add delay between requests, plus random jitter (both in seconds)
./EyeWitness.py -f urls.txt --web --delay 2 --jitter 3
# Resume an interrupted run from its database
./EyeWitness.py --resume /tmp/eyewitness_output/ew.db
# RDP and VNC screenshots (--rdp, --vnc, --all-protocols) were a feature of older releases; the current Python version is web-only
Integration with Nmap
# Scan and screenshot in one workflow
nmap -p 80,443,8080,8443 192.168.1.0/24 -oX nmap_scan.xml
./EyeWitness.py -x nmap_scan.xml --web --no-prompt
Output Format
EyeWitness generates:
- HTML report with thumbnails
- Individual screenshots
- Server header information
- Source code of pages
- Category organization (Default Credentials, Servers, etc.)
Aquatone
Specialized for visual inspection of web applications across many hosts.
Installation
# Download release binary (Aquatone drives headless Chrome, so Chrome or Chromium must be installed as well)
wget https://github.com/michenriksen/aquatone/releases/download/v1.7.0/aquatone_linux_amd64_1.7.0.zip
unzip aquatone_linux_amd64_1.7.0.zip
chmod +x aquatone
sudo mv aquatone /usr/local/bin/
# Building from source is possible, but the repository is archived and predates Go modules, so go install github.com/michenriksen/aquatone@latest may not resolve; prefer the release binary
Basic Usage
# From list of hosts
cat hosts.txt | aquatone
# From list of URLs
cat urls.txt | aquatone
# Specify ports to scan
cat hosts.txt | aquatone -ports 80,443,8000,8080,8443
# Large port range
cat hosts.txt | aquatone -ports large
# Extra large port range
cat hosts.txt | aquatone -ports xlarge
# Custom ports
cat hosts.txt | aquatone -ports 80,443,3000,8080,8443,9090
# Custom output directory
cat hosts.txt | aquatone -out /tmp/aquatone_results
Advanced Features
# Increase threads for faster scanning
cat hosts.txt | aquatone -threads 10
# Give slow pages more time to render (screenshot timeout in milliseconds; Aquatone has no full-page option)
cat hosts.txt | aquatone -screenshot-timeout 30000
# Scan with proxy
cat hosts.txt | aquatone -proxy http://127.0.0.1:8080
# Port-scan timeout in milliseconds (input lines that are already full URLs are used as-is and not port scanned)
cat hosts.txt | aquatone -scan-timeout 500
# Response bodies are saved to html/ by default; disable with -save-body=false
cat hosts.txt | aquatone -save-body=false
# Custom Chrome path
cat hosts.txt | aquatone -chrome-path /usr/bin/chromium
# Parse Nmap or Masscan XML instead of a host list
cat nmap_scan.xml | aquatone -nmap
Integration with Subdomain Enumeration
# Amass + Aquatone
amass enum -d target.com | aquatone -ports 80,443,8080,8443
# Subfinder + Aquatone
subfinder -d target.com -silent | aquatone
# Assetfinder + httprobe + Aquatone
assetfinder --subs-only target.com | httprobe | aquatone
Output
Aquatone generates:
- aquatone_report.html - HTML report with screenshots
- aquatone_urls.txt - Discovered URLs
- aquatone_session.json - Session data
- screenshots/ - Individual PNG screenshots
- headers/ - HTTP response headers
- html/ - Response bodies (if saved)
gowitness
A Go web screenshot utility driving headless Chrome (Chrome or Chromium must be installed).
Installation
# Using Go
go install github.com/sensepost/gowitness@latest
# Or download a release binary
wget https://github.com/sensepost/gowitness/releases/download/3.1.1/gowitness-3.1.1-linux-amd64
chmod +x gowitness-3.1.1-linux-amd64
sudo mv gowitness-3.1.1-linux-amd64 /usr/local/bin/gowitness
Basic Usage
The subcommands below use the gowitness 2.x syntax. gowitness 3.x moved them under a scan parent (for example gowitness scan single --url https://example.com and gowitness scan file -f urls.txt) and renamed several flags; run gowitness --help for the version you installed.
# Single URL
gowitness single https://example.com
# From file
gowitness file -f urls.txt
# From CIDR range
gowitness scan --cidr 192.168.1.0/24
# From Nmap XML
gowitness nmap -f nmap_scan.xml
# Specify the screenshot directory
gowitness file -f urls.txt --screenshot-path /tmp/gowitness_output
Advanced Options
# Custom ports
gowitness scan --cidr 192.168.1.0/24 --ports 80,443,8080,8443
# Add delay
gowitness file -f urls.txt --delay 2
# Increase timeout
gowitness file -f urls.txt --timeout 15
# Full page screenshot
gowitness file -f urls.txt --fullpage
# Custom resolution
gowitness file -f urls.txt --resolution-x 1920 --resolution-y 1080
# Custom user agent
gowitness file -f urls.txt --user-agent "Custom Agent"
# Use proxy
gowitness file -f urls.txt --proxy http://127.0.0.1:8080
# Threads
gowitness file -f urls.txt --threads 10
Report Server
# Generate screenshots
gowitness file -f urls.txt
# Start the web UI over the SQLite database (gowitness 2.x spells this gowitness report serve)
gowitness report server
# Access at http://localhost:7171
Database Queries
# List all URLs in database
gowitness report list
# Export: 2.x bundles the database and screenshots with gowitness report export; 3.x writes JSONL or CSV next to the database when scanning with --write-jsonl / --write-csv. Check gowitness report --help and gowitness scan --help for the installed version.
Comparison
| Feature | EyeWitness | Aquatone | gowitness |
|---|---|---|---|
| Speed | Medium | Fast | Very Fast |
| Protocols | HTTP/HTTPS (RDP/VNC in older releases only) | HTTP/HTTPS | HTTP/HTTPS |
| Report Quality | Excellent | Good | Good |
| Active Dev | Yes | No (archived) | Yes |
| Database | No | No | Yes (SQLite) |
| Dependencies | Python, Selenium, Firefox/geckodriver | Single binary + Chrome/Chromium | Single binary + Chrome/Chromium |
| Best For | Comprehensive scans | Domain recon | Fast bulk scans |
Workflow Examples
Full External Assessment
# 1. Subdomain enumeration
amass enum -passive -d target.com -o subs.txt
# 2. Probe for live hosts
cat subs.txt | httprobe -c 50 > live.txt
# 3. Screenshot everything
cat live.txt | aquatone -ports large
# 4. Review aquatone_report.html for interesting targets
Internal Network Sweep
# 1. Port scan with Nmap
nmap -p 80,443,8000,8080,8443 -iL internal_ips.txt -oX internal_scan.xml
# 2. Screenshot all web services
./EyeWitness.py -x internal_scan.xml --web --no-prompt -d internal_screens
# 3. Review for default credentials, admin panels, interesting apps
Bug Bounty Reconnaissance
# 1. Gather subdomains from multiple sources
subfinder -d target.com -silent > subs1.txt
amass enum -passive -d target.com -o subs2.txt
cat subs1.txt subs2.txt | sort -u > all_subs.txt
# 2. Find live hosts
cat all_subs.txt | httprobe -c 100 > live_hosts.txt
# 3. Visual inspection
gowitness file -f live_hosts.txt --threads 20
# 4. Start report server
gowitness report server
# 5. Review for unique applications, admin panels, outdated tech
Large Scale Internet Scanning
# 1. Use masscan for large ranges (masscan refuses the whole-Internet range without an exclude list; only scan ranges you are authorized to test)
masscan -p80,443,8080,8443 0.0.0.0/0 --excludefile exclude.txt --rate 10000 -oL masscan_results.txt
# 2. Convert list output (open tcp <port> <ip> <timestamp>) to URLs, using https for the TLS ports
awk '$1=="open" {print ($3==443||$3==8443 ? "https://" : "http://") $4 ":" $3}' masscan_results.txt > targets.txt
# 3. Screenshot with gowitness (fast)
gowitness file -f targets.txt --threads 50 --timeout 5
Tips and Tricks
Creating URL Lists from Nmap
# Extract open web ports from grepable output (-oG); normal output (-oN) does not put the IP on the port lines, so awk '{print $2}' there yields "open"
nmap -p 80,443,8080,8443 -iL targets.txt -oG nmap_scan.gnmap
awk '/Ports:/ {ip=$2; sub(/.*Ports: /, ""); n=split($0, p, ", "); for (i=1; i<=n; i++) {split(p[i], f, "/"); if (f[2]=="open") print ip ":" f[1]}}' nmap_scan.gnmap > ips.txt
# Convert to URLs: https for the TLS ports, http otherwise (the tools follow redirects for anything that upgrades)
awk -F: '$2==443||$2==8443 {print "https://"$0; next} {print "http://"$0}' ips.txt > urls.txt
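The following Python script is an added example, not part of Nmap or of any of the three screenshot tools. It builds one URL per open web port from Nmap's XML output (the same -oX file EyeWitness and gowitness consume), choosing https when Nmap saw a TLS tunnel or a well-known TLS port, and emitting a hostname-based URL next to the IP-based one whenever Nmap resolved a name, so name-based virtual hosts get a screenshot as well. The HTTPS_PORTS and HTTP_PORTS sets and the embedded sample XML are constructed for the example.

```python
"""Turn Nmap XML into a URL list for EyeWitness, Aquatone or gowitness.

Added example, not code from any of those tools. One URL per open TCP web
port; the scheme comes from Nmap's service detection (tunnel="ssl") first
and from well-known TLS ports as a fallback. When Nmap resolved a hostname
it is emitted as a second URL so virtual hosts are screenshotted too.
"""
import sys
import xml.etree.ElementTree as ET

# Assumption: these ports are TLS unless Nmap says otherwise. Extend to taste.
HTTPS_PORTS = {443, 4443, 8443, 9443}
# Plain-text web ports worth a screenshot even when Nmap could not name the service.
HTTP_PORTS = {80, 8000, 8080, 8081, 8888}


def scheme_for(portid, service):
    """http or https from the <service> element, falling back to the port number."""
    if service is not None:
        if service.get("tunnel") == "ssl" or service.get("name") == "https":
            return "https"
        if service.get("name", "").startswith("http"):
            return "https" if portid in HTTPS_PORTS else "http"
    return "https" if portid in HTTPS_PORTS else "http"


def is_web_port(portid, service):
    """Keep ports Nmap identified as HTTP-ish, or well-known web ports it left unnamed."""
    name = service.get("name", "") if service is not None else ""
    return name.startswith("http") or portid in HTTPS_PORTS or portid in HTTP_PORTS


def urls_from_nmap_xml(xml_text):
    """Return de-duplicated URLs, in scan order, for every open TCP web port."""
    urls = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        targets = [addr.get("addr")]
        hostname = host.find("hostnames/hostname")
        if hostname is not None and hostname.get("name"):
            targets.append(hostname.get("name"))
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            service = port.find("service")
            if not is_web_port(portid, service):
                continue
            scheme = scheme_for(portid, service)
            # Drop the :port suffix only for the scheme's default port.
            suffix = "" if (scheme, portid) in (("http", 80), ("https", 443)) else f":{portid}"
            urls.extend(f"{scheme}://{t}{suffix}" for t in targets)
    return list(dict.fromkeys(urls))


# Constructed sample: two hosts, one resolved name, one filtered and one non-web port.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8443"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="9443"><state state="open"/></port>
    </ports>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    # Usage: python3 nmap_urls.py nmap_scan.xml > urls.txt   (no argument: the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(urls_from_nmap_xml(text)))
```

Feed the output to EyeWitness (-f urls.txt --web), Aquatone (cat urls.txt | aquatone, which skips its own port scan for full URLs) or gowitness file -f urls.txt. Because the scheme is decided per port, a host is not hit twice with the wrong protocol the way the http+https loop above does it.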
Filtering Interesting Screenshots
Look for:
- Login pages (admin, portal, dashboard)
- Default credentials pages
- Outdated software with known CVEs
- Unusual ports with web interfaces
- Jenkins, phpMyAdmin, cPanel, Webmin
- Custom applications
- Error messages revealing paths/versions
Automating Analysis
# Page titles from saved EyeWitness sources (source/ under the output directory), most common first
grep -ioh "<title>[^<]*" EyeWitness_output/source/* | sort | uniq -ci | sort -rn
# Files that look like admin or login pages
grep -ilE "admin|login|dashboard|panel|type=.password" EyeWitness_output/source/* | sort -u
# Hints at default credentials in page text (bare "password"/"username" matches every login form)
grep -ilE "default (password|credentials)" EyeWitness_output/source/*
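The grep lines above match loosely (any "title" or "admin" in a footer link counts). The Python script below is an added example, not EyeWitness, Aquatone or gowitness code: it reads the saved page sources, pulls each page's title, flags password forms, the admin applications listed under Filtering Interesting Screenshots, leaked version strings and filesystem paths, and sorts pages by a simple score so review starts with the most interesting ones. The signature list, the weights and the embedded sample pages are constructed for the example; point triage_dir() at EyeWitness's source/ directory or Aquatone's html/ directory for real output.

```python
"""Rank saved page sources from a screenshot run for manual review.

Added example, not EyeWitness, Aquatone or gowitness code. Reads HTML the
tools saved (EyeWitness: source/, Aquatone: html/), extracts the title and
flags login forms, known admin applications, leaked version strings and
filesystem paths, then sorts by score so review starts worst-first.
Signature list and weights are my own choices; extend them per engagement.
"""
import html
import re
import sys
from pathlib import Path

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
PASSWORD_INPUT_RE = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)
VERSION_RE = re.compile(
    r"\b(Apache Tomcat|Jenkins|Apache|nginx|PHP|Webmin|Grafana|Kibana)\b"
    r"[ /]+(?:ver\.?\s*|v)?(\d+(?:\.\d+)+)", re.I)
PATH_LEAK_RE = re.compile(r"(?:/(?:var|opt|home|usr|etc)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+)")
APP_SIGNATURES = [  # label, pattern matched against the whole page
    ("Jenkins", re.compile(r"jenkins", re.I)),
    ("phpMyAdmin", re.compile(r"phpmyadmin", re.I)),
    ("Webmin", re.compile(r"webmin", re.I)),
    ("cPanel", re.compile(r"cpanel", re.I)),
    ("Tomcat", re.compile(r"apache tomcat", re.I)),
    ("Grafana", re.compile(r"grafana", re.I)),
    ("Kibana", re.compile(r"kibana", re.I)),
    ("default-creds-hint", re.compile(r"default (?:password|credentials)|admin\s*/\s*admin", re.I)),
]
WEIGHTS = {"login-form": 2, "app": 3, "version": 1, "path": 2}


def triage_html(name, source):
    """Title, tags and score for one saved page."""
    m = TITLE_RE.search(source)
    title = html.unescape(" ".join(m.group(1).split())) if m else ""
    tags, score = [], 0
    if PASSWORD_INPUT_RE.search(source):
        tags.append("login-form")
        score += WEIGHTS["login-form"]
    for label, rx in APP_SIGNATURES:
        if rx.search(source):
            tags.append(label)
            score += WEIGHTS["app"]
    v = VERSION_RE.search(source)
    if v:
        tags.append(f"version:{v.group(1)} {v.group(2)}")
        score += WEIGHTS["version"]
    p = PATH_LEAK_RE.search(source)
    if p:
        tags.append(f"path:{p.group(0)}")
        score += WEIGHTS["path"]
    return {"name": name, "title": title, "tags": tags, "score": score}


def triage_pages(pages):
    """pages: {filename: html}. Highest score first, filename as tie-breaker."""
    return sorted((triage_html(n, s) for n, s in pages.items()),
                  key=lambda r: (-r["score"], r["name"]))


def triage_dir(directory, pattern="*"):
    """Run over every file in a tool's saved-source directory."""
    files = [p for p in Path(directory).glob(pattern) if p.is_file()]
    return triage_pages({p.name: p.read_text(errors="replace") for p in files})


# Constructed sample pages, named loosely after EyeWitness's saved sources.
SAMPLE_PAGES = {
    "http.10.0.0.5.txt": '<html><head><title>Dashboard [Jenkins]</title></head>'
                         '<body><div id="jenkins-version">Jenkins ver. 2.414.2</div></body></html>',
    "https.10.0.0.7.txt": '<html><head><title>phpMyAdmin</title></head><body><form>'
                          '<input type="text" name="pma_username">'
                          '<input type="password" name="pma_password"></form></body></html>',
    "http.10.0.0.9.txt": '<html><head><title>  Welcome to nginx!  </title></head>'
                         '<body><h1>Welcome to nginx!</h1></body></html>',
    "http.10.0.0.11.8080.txt": '<html><head><title>Apache Tomcat/9.0.65 - Error report</title></head>'
                               '<body><p>java.io.FileNotFoundException: /opt/tomcat/webapps/ROOT/index.jsp</p></body></html>',
}

if __name__ == "__main__":
    # Usage: python3 triage.py EyeWitness_output/source   (no argument: the sample pages)
    results = triage_dir(sys.argv[1]) if len(sys.argv) > 1 else triage_pages(SAMPLE_PAGES)
    for r in results:
        print(f"{r['score']:>2}  {r['name']:<28} {r['title'][:40]:<40} {', '.join(r['tags'])}")
```

On the sample pages the Tomcat error page ranks first (known app, version and a leaked path), the phpMyAdmin login second, Jenkins third and the bare nginx default page last, which is the order a reviewer would want to open the screenshots in.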
Integration with Burp Suite
# Configure gowitness to use Burp as proxy
gowitness file -f urls.txt --proxy http://127.0.0.1:8080
# All requests go through Burp for inspection/testing
Useful Links
- EyeWitness GitHub
- Aquatone GitHub
- gowitness GitHub
- httprobe GitHub
- Masscan GitHub
- Default Credentials Cheat Sheet
Quick Reference
# EyeWitness - comprehensive with RDP/VNC
./EyeWitness.py -f urls.txt --web --no-prompt
# Aquatone - domain-focused
cat subdomains.txt | aquatone -ports 80,443,8080,8443
# gowitness - fast bulk scanning
gowitness file -f urls.txt --threads 20
gowitness report server
# Full workflow
amass enum -d target.com | httprobe | aquatone