WEBVTT

0:00:03.460000 --> 0:00:06.840000
 Hello everyone. In this video, we're
 going to be exploring the process

0:00:06.840000 --> 0:00:10.040000
 of taking website screenshots
 with EyeWitness.

0:00:10.040000 --> 0:00:14.660000
 So EyeWitness is a tool, an open-source
 tool that is available in the

0:00:14.660000 --> 0:00:16.080000
 Kali Linux repos.

0:00:16.080000 --> 0:00:19.780000
 Now you might be asking yourself, well,
 what exactly is a website screenshot?

0:00:19.780000 --> 0:00:22.860000
 We've taken a look at how to download
 a copy of a website for offline

0:00:22.860000 --> 0:00:26.760000
 analysis. And I wouldn't call this
 downloading a copy of a website.

0:00:26.760000 --> 0:00:32.580000
 It just allows you to take a website and
 get or extract important information

0:00:32.580000 --> 0:00:36.900000
 that will be pertinent to your
 operations or your pen test.

0:00:36.900000 --> 0:00:41.600000
 So it'll sort of give you or perform
 some very basic passive web server

0:00:41.600000 --> 0:00:43.840000
 and web application fingerprinting.

0:00:43.840000 --> 0:00:48.760000
 And it also provides you with the ability
 to download all of the JavaScript

0:00:48.760000 --> 0:00:52.140000
 libraries that are being
 used on the website.

0:00:52.140000 --> 0:00:54.100000
 So a very, very useful tool.

0:00:54.100000 --> 0:00:55.180000
 And I use it quite a lot.

0:00:55.180000 --> 0:00:56.460000
 That's why I wanted to cover it.

0:00:56.460000 --> 0:00:58.680000
 So again, no lab here.

0:00:58.680000 --> 0:00:59.640000
 We're going to do this.

0:00:59.640000 --> 0:01:01.380000
 You can do this on your own system.

0:01:01.380000 --> 0:01:04.340000
 So I'm going to switch over
 to my Kali Linux system.

0:01:04.340000 --> 0:01:07.520000
 I'll show you how to install
 eyewitness and how to use it.

0:01:07.520000 --> 0:01:10.360000
 And sort of give you an idea as to some
 of the features that I utilize.

0:01:10.360000 --> 0:01:14.040000
 So let me switch over to
 my Kali Linux system.

0:01:14.040000 --> 0:01:17.800000
 Alright, so I'm back on
 my Kali Linux system.

0:01:17.800000 --> 0:01:20.840000
 And this is the GitHub
 repo for EyeWitness.

0:01:20.840000 --> 0:01:28.660000
 And it, you know, it sort of gives
 you an introduction as to what the

0:01:28.660000 --> 0:01:33.400000
 screenshots of websites provide some server
 header info and identify default

0:01:33.400000 --> 0:01:35.020000
 credentials if known.

0:01:35.020000 --> 0:01:39.980000
 So this is very useful if you're dealing
 with a login form or an admin

0:01:39.980000 --> 0:01:45.900000
 panel. And you can actually utilize a
 tool like EyeWitness to again perform

0:01:45.900000 --> 0:01:49.320000
 take a screenshot, display
 the server header info.

0:01:49.320000 --> 0:01:54.540000
 And also if this, if this admin panel,
 a panel or you know, content management

0:01:54.540000 --> 0:01:56.040000
 system is known.

0:01:56.040000 --> 0:02:00.980000
 This is a great way of, you know, displaying
 default credentials if known.

0:02:00.980000 --> 0:02:04.540000
 So it's designed to be run on Kali Linux
 and it will auto detect the file

0:02:04.540000 --> 0:02:06.260000
 you give it with the -f flag.

0:02:06.260000 --> 0:02:09.540000
 So it allows you to input
 more than one URL.

0:02:09.540000 --> 0:02:11.680000
 And it takes input in the form of a file.

0:02:11.680000 --> 0:02:13.220000
 And it also works on Windows.

0:02:13.220000 --> 0:02:15.180000
 So let me show you how
 to install it on Kali.

0:02:15.180000 --> 0:02:17.140000
 As I said, it's part of the Kali repos.

0:02:17.140000 --> 0:02:20.800000
 So again, sudo apt-get install.

0:02:20.800000 --> 0:02:24.320000
 And we can say eyewitness
 right over here.

0:02:24.320000 --> 0:02:25.660000
 And I already have it installed.

0:02:25.660000 --> 0:02:27.160000
 So I'll show you how to use it.

0:02:27.160000 --> 0:02:29.520000
 So the usage is very, very simple.

0:02:29.520000 --> 0:02:30.720000
 I'm currently on my desktop.

0:02:30.720000 --> 0:02:34.620000
 The first thing you need to provide
 is of course the text file or a CSV

0:02:34.620000 --> 0:02:41.160000
 file or even an Excel, an Excel sheet
 file with the URLs or the actual

0:02:41.160000 --> 0:02:43.800000
 sites that you'd like to
 take a screenshot of.

0:02:43.800000 --> 0:02:47.520000
 So the first thing we would need to
 do is just create that text file.

0:02:47.520000 --> 0:02:51.120000
 So I'm just going to call
 this domains.txt.

0:02:51.120000 --> 0:02:54.420000
 And in here, you know, you
 can put hackersploit.org.

0:02:54.420000 --> 0:03:00.160000
 And we can also put in forum.hackersploit.org,
 just as a simple example.

0:03:00.160000 --> 0:03:02.000000
 And I'll write and quit.

0:03:02.000000 --> 0:03:05.340000
 There we are. So EyeWitness
 is very easy to use.

0:03:05.340000 --> 0:03:07.820000
 I'll just open up the help menu here.

0:03:07.820000 --> 0:03:12.280000
 And you can go through some of the
 options you can specify here.

0:03:12.280000 --> 0:03:13.960000
 And the timing options.

0:03:13.960000 --> 0:03:17.600000
 But in this, in our case, because we're
 doing a simple web screenshot,

0:03:17.600000 --> 0:03:20.520000
 we're going to be utilizing the web
 option here, because it's going to

0:03:20.520000 --> 0:03:22.540000
 do it through Selenium.

0:03:22.540000 --> 0:03:26.420000
 And let me show you a practical example
 of how I typically use it.

0:03:26.420000 --> 0:03:28.120000
 So I'll say, you know, eyewitness.

0:03:28.120000 --> 0:03:29.680000
 And I'll say web.

0:03:29.680000 --> 0:03:33.560000
 The file that contains my domains
 is called domains.txt.

0:03:33.560000 --> 0:03:36.060000
 And then I specify where
 I want this saved.

0:03:36.060000 --> 0:03:40.220000
 So on my desktop, I can say, I want to
 save it in a folder called hackersploit.

0:03:40.220000 --> 0:03:41.360000
 That's all. Hit enter.

0:03:41.360000 --> 0:03:43.780000
 It's going to start the web requests.

0:03:43.780000 --> 0:03:46.240000
 And it's going to attempt to screenshot
 the first domain and then the

0:03:46.240000 --> 0:03:49.680000
 second one. And I will wait
 for this to complete.

0:03:49.680000 --> 0:03:53.640000
 Once it's done, you can see there seems
 to be a timeout that's limiting

0:03:53.640000 --> 0:03:56.140000
 when connecting to hackersploit.org.

0:03:56.140000 --> 0:03:59.220000
 So we'll just wait for this to retry.

0:03:59.220000 --> 0:04:00.720000
 If there's an error, no problem.

0:04:00.720000 --> 0:04:03.160000
 We can do this on another
 site to demonstrate it.

0:04:03.160000 --> 0:04:07.100000
 But this might be because I
 think I've already done it.

0:04:07.100000 --> 0:04:10.200000
 But there we are.

0:04:10.200000 --> 0:04:12.560000
 And I'm going to open the report,
 which I personally like.

0:04:12.560000 --> 0:04:14.840000
 And this is very useful if
 you're doing bug bounties.

0:04:14.840000 --> 0:04:18.760000
 But this is what a web screenshot is: it
 essentially takes a screenshot of

0:04:18.760000 --> 0:04:22.680000
 the actual website itself, and then
 displays the web request info.

0:04:22.680000 --> 0:04:26.860000
 So we have the page title, the X-Powered-By
 header, which tells us, you

0:04:26.860000 --> 0:04:27.640000
 know, it's running PHP.

0:04:27.640000 --> 0:04:32.140000
 So you can actually use this to do some
 of the web application fingerprinting

0:04:32.140000 --> 0:04:35.580000
 and, you know, web server fingerprinting
 in a passive way.

0:04:35.580000 --> 0:04:38.120000
 You know, of course, we've already
 explored how to do this.

0:04:38.120000 --> 0:04:40.660000
 But this is a great way of doing it.

0:04:40.660000 --> 0:04:42.860000
 We can view the headers.

0:04:42.860000 --> 0:04:45.700000
 And you can actually see that
 you have the source code.

0:04:45.700000 --> 0:04:48.620000
 So if you click on the source code,
 that's going to display the actual

0:04:48.620000 --> 0:04:54.500000
 website index index file or the actual
 source code of the homepage.

0:04:54.500000 --> 0:04:58.660000
 If you specify a custom path or a path
 to that file, then that's what

0:04:58.660000 --> 0:04:59.900000
 is going to be done.

0:04:59.900000 --> 0:05:01.840000
 A screenshot will be taken off that.

0:05:01.840000 --> 0:05:05.120000
 But from this, we can pretty much learn
 a lot about the web application,

0:05:05.120000 --> 0:05:07.000000
 the web server itself.

0:05:07.000000 --> 0:05:10.480000
 So, you know, for example, we can see
 we have the Cloudflare cache status

0:05:10.480000 --> 0:05:13.980000
 header. So we know that, you know, this
 site is being protected by Cloudflare.

0:05:13.980000 --> 0:05:17.960000
 And then of course, on page
 two, you have the same thing for the

0:05:17.960000 --> 0:05:21.440000
 forum. And now, in this case, you
 can see quite a lot of information.

0:05:21.440000 --> 0:05:28.880000
 So if we take a look at the actual
 content security policy as well as

0:05:28.880000 --> 0:05:32.940000
 the, the other headers, you can see
 that it's running Discourse, so on

0:05:32.940000 --> 0:05:36.780000
 and so forth. And you can also view
 the source code for that particular,

0:05:36.780000 --> 0:05:39.600000
 for that particular domain or website.

0:05:39.600000 --> 0:05:43.760000
 Now, one thing that I really like is
 head over into the folder where I

0:05:43.760000 --> 0:05:48.400000
 saved this, which is under my desktop
 and under Hackersploit, you can

0:05:48.400000 --> 0:05:51.780000
 see that you're going to have the screens,
 which are the screenshots,

0:05:51.780000 --> 0:05:55.140000
 and then the source code, which
 again is just for the homepage.

0:05:55.140000 --> 0:06:00.080000
 But you'll also have the different,
 you're going to have the different

0:06:00.080000 --> 0:06:04.340000
 JavaScript libraries or jQuery
 libraries in this case.

0:06:04.340000 --> 0:06:08.660000
 And of course, in this case, we've not explicitly
 pulled them, these particular

0:06:08.660000 --> 0:06:10.860000
 libraries are for this report here.

0:06:10.860000 --> 0:06:14.180000
 So if we take a look at the reports,
 you can see there's page one and

0:06:14.180000 --> 0:06:18.880000
 page two, and then you also have
 the request stored in a CSV file.

0:06:18.880000 --> 0:06:22.960000
 So all the requests that were made and
 the open ports on each of the sites

0:06:22.960000 --> 0:06:23.900000
 right over here.

0:06:23.900000 --> 0:06:30.180000
 So if you want to save additional information,
 if we take a look at the

0:06:30.180000 --> 0:06:33.120000
 eyewitness help menu, I just
 want to show you this here.

0:06:33.120000 --> 0:06:35.200000
 So I'll give that a couple of seconds.

0:06:35.200000 --> 0:06:38.660000
 The web options, there we are, you
 can specify a custom user agent.

0:06:38.660000 --> 0:06:43.020000
 In addition to that, you can actually
 pass the request through a proxy,

0:06:43.020000 --> 0:06:46.680000
 which again, we're not covering because
 we're not exploring web proxies,

0:06:46.680000 --> 0:06:50.400000
 although we will be taking a look at
 Burp Suite, but you can do that as

0:06:50.400000 --> 0:06:55.700000
 well. You can, you know, prepend HTTP
 or HTTPS without using either.

0:06:55.700000 --> 0:07:01.740000
 And also, with regards to the input
 options, you can see those options

0:07:01.740000 --> 0:07:06.300000
 there, but the output options
 should be specified here.

0:07:06.300000 --> 0:07:11.580000
 One second, what am I
 looking for exactly?

0:07:11.580000 --> 0:07:13.440000
 There we are. All right.

0:07:13.440000 --> 0:07:15.720000
 So that's the ports, but there we are.

0:07:15.720000 --> 0:07:17.860000
 So you can show the display for Selenium.

0:07:17.860000 --> 0:07:19.460000
 That's what I wanted to highlight.

0:07:19.460000 --> 0:07:23.860000
 And you can then combine this with
 HTTrack, or you know, you can download

0:07:23.860000 --> 0:07:26.900000
 a copy of the website and then
 analyze the source code.

0:07:26.900000 --> 0:07:30.080000
 If you need additional information
 regarding the headers, you can also

0:07:30.080000 --> 0:07:33.620000
 get that. So this is a tool that I
 use quite a lot when I'm doing bug

0:07:33.620000 --> 0:07:37.360000
 bounty specifically, just to give me
 an idea as to what I'm dealing with.

0:07:37.360000 --> 0:07:41.780000
 Plus, as I said, it saves everything
 into a nice folder with a report

0:07:41.780000 --> 0:07:43.560000
 that again can be used.

0:07:43.560000 --> 0:07:47.120000
 You can actually take this info and
 then put it into an actual report.

0:07:47.120000 --> 0:07:51.560000
 It's not the cleanest of reports, but
 again, it makes a lot of sense.

0:07:51.560000 --> 0:07:53.940000
 And you can actually see
 what the site looks like.

0:07:53.940000 --> 0:07:57.480000
 It's great if you have different projects
 or you're testing different domains,

0:07:57.480000 --> 0:08:01.440000
 but you have the resolved IP here,
 which points towards the Cloudflare

0:08:01.440000 --> 0:08:07.380000
 name server or the IP provided by the
 Cloudflare name server, which of

0:08:07.380000 --> 0:08:09.480000
 course, in this case is proxied.

0:08:09.480000 --> 0:08:13.080000
 And the same thing should
 be for the actual forum.

0:08:13.080000 --> 0:08:17.140000
 You can see they all point towards
 the same IP address there.