EyeWitness

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if known.

EyeWitness is designed to run on Kali Linux. It will auto-detect the file you give it with the -f flag as either a text file with one URL per line, nmap XML output, or Nessus XML output. The --timeout flag is completely optional and lets you set the maximum time to wait when trying to render and screenshot a web page.

A complete usage guide which documents EyeWitness features and its typical use cases is available here - https://www.christophertruncer.com/eyewitness-2-0-release-and-user-guide/

Windows

Red Siege has created a Windows client (thanks to the massive help of Matt Grandy (@Matt_Grandy_) with the stability fixes). All you need to do is build it locally (or check the releases), and then provide a path to a file containing the URLs you want scanned! EyeWitness will generate the report within your "AppData\Roaming" directory. The latest version of the C# EyeWitness supports parsing and taking screenshots of Internet Explorer and Chrome bookmarks without having to supply a list of URLs. This version is also small enough to be delivered through Cobalt Strike's execute-assembly.

Setup:

  1. Navigate into the CS directory
  2. Load EyeWitness.sln into Visual Studio
  3. Go to Build at the top and then Build Solution if no modifications are wanted

Usage:

EyeWitness.exe --help
EyeWitness.exe --bookmarks
EyeWitness.exe -f C:\Path\to\urls.txt
EyeWitness.exe --file C:\Path\to\urls.txt --delay [timeout in seconds] --compress

Linux

Supported Linux Distros:
  • Kali Linux
  • Debian 7+ (at least stable, looking into testing) (Thanks to @themightyshiv)
  • CentOS 7
  • Rocky Linux 8

E-Mail: GetOffensive [@] redsiege [dot] com

Setup:

  1. Navigate into the Python/setup directory
  2. Run the setup.sh script

Usage:

./EyeWitness.py -f filename --timeout optionaltimeout

Examples:

./EyeWitness -f urls.txt --web

./EyeWitness -x urls.xml --timeout 8 

./EyeWitness.py -f urls.txt --web --proxy-ip 127.0.0.1 --proxy-port 8080 --proxy-type socks5 --timeout 120

Proxy Usage

The best guide for proxying EyeWitness through a socks proxy was made by @raikia and is available here - #458

To install EyeWitness from a system while needing to go through a proxy, the following commands (thanks to @digininja) can be used.

APT
-------
/etc/apt/apt.conf.d/70proxy

$ cat /etc/apt/apt.conf.d/70proxy
Acquire::http::proxy "http://localhost:3128";
Acquire::https::proxy "https://localhost:3128";

Git
-----------------
$ cat ~/.gitconfig
[http]
proxy = http://localhost:3128

Wget
---------------------
$ cat ~/.wgetrc or /etc/wgetrc

use_proxy=yes
http_proxy=127.0.0.1:3128
https_proxy=127.0.0.1:3128

General system proxy
--------------------------------

export HTTP_PROXY=http://localhost:3128
export HTTPS_PROXY=http://localhost:3128

Docker

You can also run EyeWitness in a Docker container, which avoids installing its dependencies on your host machine.

Note: run docker run with the host folder that will hold your results (/path/to/results) mounted as a volume.
Note 2: if you want to scan URLs from a file, put the file inside that volume folder (if urls.txt is in /path/to/results, the argument should be -f /tmp/EyeWitness/urls.txt).

Usage
sudo docker build -t eyewitness .
Example #1 -
sudo docker run --rm \
    -v /tmp:/Eyewitness/Python/ \
    eyewitness --web \
    -f /Eyewitness/Python/dns.txt \
    --no-prompt \
    -d /Eyewitness/Python/report-$(date +'%d-%m-%Y-%H-%M-%S' | sed 's/[-:]/-/g')

And then on your host :

cd /tmp && ls
cd report*
firefox-esr report.html &

Call to Action:

I'd love for EyeWitness to identify more default credentials of various web applications.
As you find a device which utilizes default credentials, please e-mail me the source code of the index page and the default creds so I can add it in to EyeWitness!

Issues

Gemfile

If you put the following in a Gemfile file in the app then users can do

bundle install

to install all the gems


source 'https://rubygems.org'

gem 'netaddr'
gem 'nokogiri'
gem 'selenium-webdriver'
gem 'timeout'
gem 'similar_text'

Ruby version check dependencies installed

If you don't have one of the required gems installed, you get a standard Ruby error. I've implemented the following in one of my apps, which catches the exception and handles it nicely.

begin
  require 'nonStandardGem'
rescue LoadError => e
  # catch the error and tell the user how to install the missing gem
  if e.to_s =~ /cannot load such file -- (.*)/
    missing_gem = $1
    puts "\nError: #{missing_gem} gem not installed\n"
    # the inner quotes must be escaped or the string literal ends early
    puts "\t use: \"gem install #{missing_gem}\" to install the required gem\n\n"
    exit
  else
    puts "There was an error loading the gems:"
    puts
    puts e.to_s
    exit
  end
end

Use an HTML templating system

Use a templating system like Cheetah or something for the report templating, it would make things much more extensible and manageable.

Burst mode - multiple screenshots

I've forked the repo and would like to try to add this. Basically a parameter to say how many screenshots to take of each site. It can be used to pick up rotating banners or maybe differences caused by load balancers.

I was thinking of using a JavaScript library and where you show the single image have forward and back to step through each image.

This display model could also be used along with the multiple user agent option suggested in the previous ticket.

use multiline strings

You could use multiline strings in the source at several places. Example:

Instead of:

html = "<html>\n"
html += "<head>\n"
html += "<title>" + title + "</title>\n"

Write this:

html = """
<html>
<head>
<title>{t}</title>
""".format(t=title).strip()

You can also format a multiline string.

Xvfb not closing properly

I ran a single URL to test that the install was working, then came to run a full file and got the error below.

Checked and found that there is already an Xvfb running on display 99. This could be as a result of things not closing down properly due to the 2.6 issue but thought I'd mention it just in case there is a bug around closing Xvfb down.

EyeWitness

Fatal server error:
Server is already active for display 99
If this server is no longer running, remove /tmp/.X99-lock
and start again.

input from nmap and nessus

Here is a challenge for you, rather than taking a flat text file as input, how about parsing an nmap file (probably xml) and pulling out all the web servers found.

Obviously you could easily pull out common web ports such as 80, 443 and 8080 but it would be interesting to see if you can spot where nmap has found web servers on other ports.

Nessus also does various outputs, latest one does csv and database so that might be worth looking at as well.

Handle Python unicode strings properly

There's some peculiar handling of unicode strings right now that involves searching for u' and removing it, this can be handled better, ideally the whole app can just be unicode aware, natively.

EyeWitness causing ghost.ghost.Error?

Hello,

So I've got a rather lengthy file, and on each line there is the protocol (http:// or https://) followed by the IP address and port. So a snippet of the file would be similar to the following:

http://192.168.1.2:4040
https://192.168.2.4:8080
...etc...

EyeWitness chugs along fine for a few hundred, and then I receive the following error:

ghost.ghost.Error: You must specified a value to confirm "Please use the wizard navigation buttons at the bottom of the page.

Once this error is thrown a single time, it is thrown on every subsequent IP address that is tested.

I'm looking into it myself. Thanks!

Add Second Screenshot "library"

Look into adding a second screenshot library, potentially selenium. Personally, I like having options, and fallbacks in case things fail. I'd like to have the ability to use a different library/engine in case, for some reason, ghost has issues with a certain, or multiple, websites.

I haven't ran across any issues yet, but I like having contingencies.

Make the code PEP-8 compliant

I had to look at this because I've got vim set up to alert me when things aren't compliant.

http://legacy.python.org/dev/peps/pep-0008/

The new code I'm writing will be compliant and I've updated some of your existing code in my burst branch. Don't know if you want to update the main branch as well or leave me to do it along with my changes.

Add feature to cycle through various user agents

Just had a thought...many sites show different content based upon the user agent presented to the server. What if EyeWitness was modified to have a certain flag. When that flag was triggered (maybe you could only do this if sending a single site and not a whole subnet), EyeWitness would look at the site using multiple UserAgents (iphone, droid, FF, IE6-9, GoogleBot, Safari...).

Instead of just presenting the user with all the content coming back, EyeWitness could look at the byte size of the content of a "normal" request and then each of the other UserAgent requests. If the byte size was significantly different, it'd probably indicate that the server is serving different content. If the size is the same, ignore or just note it but don't show it (for space-savings).

Add Scanning Capability

I just had a request to add a scanning capability in to EyeWitness. The use case was if there is a compromised machine, they wanted to wrap EyeWitness into an executable, drop it on a box, have it do some basic checks for web servers (Maybe check the ip and subnet it currently is in, and then check those IPs with maybe a top 10 list of web server ports), and generate a file containing the "live" web servers. That list could then be fed back in to EyeWitness and used to get the server info.

Too many open files

Got this while it was creating the report after scanning 46 URLs from an nmap XML file.

[*] ERROR: Web page possibly blank or SSL error!
Traceback (most recent call last):
File "./EyeWitness.py", line 1549, in
IOError: [Errno 24] Too many open files: '/home/robin/reports/xx/screenshots_named/report.html'

Then I tried to run it again and got this at URL 37:

Attempting to capture: http://xxx.com:80 (37/46)

(process:7534): GLib-ERROR **: Creating pipes for GWakeup: Too many open files

Trace/breakpoint trap

Execute javascript

Hi,

maybe this issue is stupid and inappropriate (or already answered).
But is there a possibility to execute javascript with EyeWitness.

For instance if the page contain only

<script>
    window.location.replace("https://github.com");
</script>

I want EyeWitness to screenshot gitHub.

handle users with rvm installed

Your setup script tries to install Ruby 2.1 through apt, but I handle all my Ruby versions through rvm, so I don't want anything installed through the distro.

You could try running rvm list and then grepping out the version you want, if it is found then don't install from the distro. You can also create some files, can't remember their names off hand, that tell rvm to switch to a certain version of ruby when you go into the directory. That would be good to make sure they are using the correct version when they enter the directory.

Default credentials for Polycom SoundPoint/Soundboard

Is this enough to identify it?

Page Title: 401 Unauthorized
WWW-Authenticate: Basic realm="SPIP Configuration", Digest realm="SPIP Configuration", nonce="140837670", algorithm="MD5"
Server: Polycom SoundPoint IP Telephone HTTPd

On page:
401 Unauthorized

Polycom SoundPoint IP Telephone HTTPd Server at 1.2.3.4 Port 80

username: Polycom
password: 456

don't assume the protocol

When I create the URL file I didn't put the http:// on the URLs and the app failed, I'd check and if there is no protocol assume http.
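The README says EyeWitness auto-detects whether -f points at a plain text list, nmap XML or Nessus XML, and the two issues above ask for web servers to be pulled out of scanner output and for a missing scheme to default to http. The loader below is an added example written for this page, not EyeWitness's own parser; the set of nmap service names counted as web servers, the use of the Nessus svc_name="www" marker plus an SSL/TLS mention in plugin output to pick https, and the sample inputs are all assumptions.

```python
# Added example, not EyeWitness's own code: detect the input format the README
# describes (plain text, nmap XML, Nessus XML) and turn each entry into a full
# URL, defaulting to http:// when a text line carries no scheme.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# nmap service names treated as web servers (assumption: extend as needed)
WEB_SERVICES = {"http", "https", "http-alt", "https-alt", "http-proxy"}


def detect_format(data: str) -> str:
    """Return 'nmap', 'nessus' or 'text' by looking at the XML root element."""
    stripped = data.lstrip()
    if not stripped.startswith("<"):
        return "text"
    try:
        root = ET.fromstring(stripped)
    except ET.ParseError:
        return "text"
    if root.tag == "nmaprun":
        return "nmap"
    if root.tag.startswith("NessusClientData"):
        return "nessus"
    return "text"


def normalise_url(line: str) -> str:
    """Prefix http:// when no scheme is given; drop blank or malformed lines."""
    target = line.strip()
    if not target or " " in target:
        return ""
    if "://" not in target:
        target = "http://" + target
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return target


def urls_from_nmap(root) -> list:
    """Open ports whose service is a web service; tunnel="ssl" means https."""
    urls = []
    for host in root.iter("host"):
        addr = host.find("address")
        if addr is None:
            continue
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            name = svc.get("name", "")
            if name not in WEB_SERVICES:
                continue
            tls = name.startswith("https") or svc.get("tunnel") == "ssl"
            urls.append(f"{'https' if tls else 'http'}://{addr.get('addr')}:{port.get('portid')}")
    return urls


def urls_from_nessus(root) -> list:
    """Nessus v2 marks web servers with svc_name="www"; plugin output that
    mentions SSL/TLS is taken to mean https (assumption)."""
    urls = []
    for host in root.iter("ReportHost"):
        tls_by_port = {}
        for item in host.iter("ReportItem"):
            if item.get("svc_name") != "www":
                continue
            out = item.findtext("plugin_output") or ""
            port = item.get("port")
            tls_by_port[port] = tls_by_port.get(port, False) or "SSL" in out or "TLS" in out
        for port, tls in sorted(tls_by_port.items(), key=lambda kv: int(kv[0])):
            urls.append(f"{'https' if tls else 'http'}://{host.get('name')}:{port}")
    return urls


def load_targets(data: str) -> list:
    """Dispatch on the detected format and return de-duplicated URLs in order."""
    fmt = detect_format(data)
    if fmt == "nmap":
        urls = urls_from_nmap(ET.fromstring(data.lstrip()))
    elif fmt == "nessus":
        urls = urls_from_nessus(ET.fromstring(data.lstrip()))
    else:
        urls = [normalise_url(line) for line in data.splitlines()]
    return list(dict.fromkeys(u for u in urls if u))


# constructed sample inputs (not real scan output)
SAMPLE_TEXT = "192.0.2.5:4040\nhttps://192.0.2.6:8080\n\nnot a url\n"
SAMPLE_NMAP = """<?xml version="1.0"?>
<nmaprun scanner="nmap"><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="constructed"><ReportHost name="192.0.2.20">
<ReportItem port="443" svc_name="www" protocol="tcp" pluginName="Service Detection">
<plugin_output>A web server is running on this port through TLS.</plugin_output></ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" pluginName="HTTP Server Type"/>
<ReportItem port="8000" svc_name="www" protocol="tcp" pluginName="Service Detection">
<plugin_output>A web server is running on this port.</plugin_output></ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" pluginName="Service Detection"/>
</ReportHost></Report></NessusClientData_v2>"""

if __name__ == "__main__":
    for sample in (SAMPLE_TEXT, SAMPLE_NMAP, SAMPLE_NESSUS):
        print(detect_format(sample), load_targets(sample))
```

Detection keys off the XML root element rather than the file extension, so a misnamed file still parses, and a line that is not a usable URL (blank, containing spaces, unsupported scheme) is dropped rather than aborting the whole run.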

missing title tags if not on own line

Barracuda WAFs have their title tag on the same line as the opening html tag, i.e.

<title>Barracuda Web Application Firewall ....blah...

So you don't pick it up.

When you can detect it the default credentials are admin/admin

For an extra check, the http server is BarracudaHTTP 4.0

Portfolio default creds

Don't know if this is too vague or not, but
"Page Title: Portfolio "
probably refers to Extensis Portfolio, which has default creds of administrator/password.

Don't know what your rules fire on but here is the full info just in case anything helps.

Page Title: Portfolio
Content-Length: 4096
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA/Tomcat-5.5
Expires: Thu, 01 Jan 1970 01:00:00 GMT
Server: Apache-Coyote/1.1
Last-Modified: Fri, 07 Jan 2011 12:07:20 GMT
ETag: W/"4096-1294402040312"
Pragma: No-cache
Cache-Control: no-cache
Date: Thu, 15 May 2014 11:12:00 GMT
Content-Type: text/html

It is a flash app so all you get in the page is a request to install flash

Output directory validation is too strict

https://github.com/ChrisTruncer/EyeWitness/blob/master/EyeWitness.py#L58

IMO defining your own regex for directory validation here is not necessary or desirable. For example, I want to provide an absolute path on OSX which is denied because it contains forward-slashes (/) - at minimum. A valid directory can also contain spaces, hyphens, unicode, etc. Some sort of OS specific check should be performed to see if a provided path is correct, or simply wrap the directory creation/file creation in a try/except and fail gracefully if it doesn't work out.

Here's some starting points for how to do that, no particularly great ways but I think just doing it in a try/except and handling error cases there is suitable.

specify an output directory

add a parameter to allow the specifying of the output directory to override the current timestamp directory name

Group Same web pages together in EyeWitness Report

Do a search based on HTML title tag value and identify if multiple websites have the same title. If they do, group them together in the report, so it shows potentially all the same sites (mirrors?) grouped together.
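The three device reports above (Polycom, Barracuda, Extensis Portfolio) give fingerprints in the form of a Server header or a page title, the Barracuda one noting that a title sharing a line with the opening html tag is missed, and this issue asks for entries with the same title to be grouped. The code below is an added example written for this page, not EyeWitness's signature engine: it extracts the title with an HTML parser (so line layout does not matter), matches only the fingerprints and default credentials quoted in these issues so that devices still on vendor defaults can be flagged for remediation, and groups report entries by title. The sample pages and headers are constructed.

```python
# Added example, not EyeWitness's own code: title extraction that does not
# depend on <title> having its own line, fingerprint rules built from the
# device reports in these issues, and grouping of report entries by title.
from collections import defaultdict
from html.parser import HTMLParser


class _TitleParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self._in_title, self._chunks, self.title = False, [], None

    def handle_starttag(self, tag, attrs):
        if tag == "title" and self.title is None:
            self._in_title = True

    def handle_data(self, data):
        if self._in_title:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "title" and self._in_title:
            self._in_title = False
            self.title = " ".join("".join(self._chunks).split())


def extract_title(page: str) -> str:
    """First <title> text with whitespace collapsed; '' when there is none."""
    p = _TitleParser()
    p.feed(page)
    p.close()
    if p.title is None and p._chunks:  # <title> opened but never closed
        return " ".join("".join(p._chunks).split())
    return p.title or ""


# (product, check(title, lowercased headers) -> bool, default credentials)
# Rules and credentials are exactly those quoted in the issues on this page.
SIGNATURES = [
    ("Polycom SoundPoint IP",
     lambda t, h: h.get("server", "").startswith("Polycom SoundPoint IP Telephone HTTPd"),
     "Polycom/456"),
    ("Barracuda Web Application Firewall",
     lambda t, h: t.startswith("Barracuda Web Application Firewall")
     or h.get("server", "").startswith("BarracudaHTTP"),
     "admin/admin"),
    ("Extensis Portfolio",
     lambda t, h: t == "Portfolio",
     "administrator/password"),
]


def fingerprint(page: str, headers: dict):
    """Return (product, default_creds) when a rule matches, else None.
    Header names are compared case-insensitively."""
    title = extract_title(page)
    lowered = {k.lower(): v for k, v in headers.items()}
    for product, check, creds in SIGNATURES:
        if check(title, lowered):
            return product, creds
    return None


def group_by_title(pages) -> dict:
    """pages: iterable of (url, html). Returns {title: [urls]} so identical
    titles (mirrors, load-balanced copies) sit together in the report."""
    groups = defaultdict(list)
    for url, page in pages:
        groups[extract_title(page) or "(no title)"].append(url)
    return dict(groups)


# constructed samples (not captured from real devices)
BARRACUDA = '<html><head><title>Barracuda Web Application Firewall - Login</title></head><body></body></html>'
PORTFOLIO = "<html>\n<head>\n<title>Portfolio</title>\n</head>\n<body>Install Flash</body></html>"
POLYCOM_HEADERS = {"WWW-Authenticate": 'Basic realm="SPIP Configuration"',
                   "Server": "Polycom SoundPoint IP Telephone HTTPd"}

if __name__ == "__main__":
    print(fingerprint(BARRACUDA, {}))
    print(fingerprint("<html><body>401 Unauthorized</body></html>", POLYCOM_HEADERS))
    print(group_by_title([("http://a", PORTFOLIO), ("http://b", PORTFOLIO), ("http://c", BARRACUDA)]))
```

Matching on the lowercased header map means a device that sends "SERVER:" or "server:" is still recognised, and the title rule for Barracuda works whether or not the tag sits on its own line.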

proxy support for ruby

I need proxy support so just hacked this together to hardcode it in, thought you might like it.

It works in the same way as you set the user agent, by modifying the Firefox profile, for now I've just thrown mine into the selenium_driver method, I'll hand it over to you to integrate properly into the cli parameters.

profile['network.proxy.type'] = 1
profile['network.proxy.http'] = "localhost"
profile['network.proxy.http_port'] = 3128
profile['network.proxy.ssl'] = "localhost"
profile['network.proxy.ssl_port'] = 3128

Bug in reporting for python version

This is pretty similar to the off by one bug. Not sure how/when this was introduced, but when running the python eyewitness with multiple sites in a text file, the first page is blank, and then the report seems to start on the second page. Link structure is off.

I know it's going to have to do with the counters. I just need to look into this and fix it for good.

Add Selenium to Python, keep ruby, but python is likely primary

I think I am going to be adding Selenium into Python, rewrite it to make it much more efficient (and OO), and use that as the primary language for EyeWitness.

I plan on keeping Ruby around, but I might throw it into its own repo, or into a sub folder. I think the Python version is a lot more stable.

setup still fails

The only change to setup.sh from last night is the check for root user but you've also added all the extra files, shouldn't the setup be referencing those in some way?

This is what I get when I run it which is the same as I got originally. When you had the setup download the script from your server Ghost.py did install but didn't work for EyeWitness. Before this setup would work I had to uninstall it.

setup # ./setup.sh
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-pip is already the newest version.
The following packages were automatically installed and are no longer required:
guile-1.8-libs libkadm5clnt-mit8 libkadm5srv-mit8 libtasn1-3-dev libx264-140 openssh-blacklist openssh-blacklist-extra
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Requirement already satisfied (use --upgrade to upgrade): Ghost.py in /usr/local/lib/python2.7/dist-packages/Ghost.py-0.1b3-py2.7.egg
Cleaning up...

setup # pip uninstall Ghost.py
Uninstalling Ghost.py:
/usr/local/lib/python2.7/dist-packages/Ghost.py-0.1b3-py2.7.egg
Proceed (y/n)? y
Successfully uninstalled Ghost.py

setup # ./setup.sh
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-pip is already the newest version.
The following packages were automatically installed and are no longer required:
guile-1.8-libs libkadm5clnt-mit8 libkadm5srv-mit8 libtasn1-3-dev libx264-140 openssh-blacklist openssh-blacklist-extra
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Downloading/unpacking Ghost.py
Could not find a version that satisfies the requirement Ghost.py (from versions: 0.1a, 0.1a2, 0.1a3, 0.1b, 0.1b2, 0.1b3)
Cleaning up...
No distributions matching the version for Ghost.py
Storing complete log in /root/.pip/pip.log

setup script needs to check package install works

I just ran the setup script on a debian box, apt-get install failed but the setup script kept running then failed miserably. You can probably check the return code from apt-get to see if it is OK to continue.

Don't support Python 2.6

The ParseError attribute was added in Python 2.7, so you fail with the following error if run in Python 2.6. Don't know if you want to support 2.6 or not, but if not then maybe check for the version on start up and fail gracefully.

Traceback (most recent call last):
File "./EyeWitness.py", line 1302, in
url_list, number_urls = logistics(url_filename, create_targets)
File "./EyeWitness.py", line 465, in logistics
except XMLParser.ParseError:
AttributeError: 'module' object has no attribute 'ParseError'

create config file support

Just a thought, as there are a few configurable options, timeout, UA, proxy (?) is it time to create a config file so that we can store our preferred settings?

I'd like a default one but the ability to specify an alternative, that way I could have one that runs through my proxy but have the default one go direct.
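One way to give the request above a concrete shape, as an added example and not code from EyeWitness: a built-in default set, a default config file, an optional alternative file (for instance one that points at a proxy), and command-line flags that override everything. The INI section name, the option names and the sample file contents are assumptions; the file contents are passed as strings here so the example runs offline.

```python
# Added example, not EyeWitness's own code: layered settings where
# built-in defaults < default config file < alternative file < CLI flags.
import configparser

# built-in fallbacks (assumed option names)
BUILTIN = {"timeout": "7", "user_agent": "", "proxy": ""}


def load_settings(default_ini: str, alt_ini: str = "", cli: dict = None) -> dict:
    """default_ini / alt_ini are the contents of the two INI files; cli holds
    parsed command-line flags, where None means the flag was not given."""
    cp = configparser.ConfigParser()
    cp.read_dict({"eyewitness": BUILTIN})
    cp.read_string(default_ini)      # later reads override earlier values
    if alt_ini:
        cp.read_string(alt_ini)
    settings = dict(cp["eyewitness"])
    for key, value in (cli or {}).items():
        if value is not None:
            settings[key] = str(value)
    # validate the merged result once, whichever layer supplied each value
    try:
        settings["timeout"] = int(settings["timeout"])
    except ValueError:
        raise ValueError(f"timeout must be an integer, got {settings['timeout']!r}")
    if settings["timeout"] <= 0:
        raise ValueError("timeout must be positive")
    if settings["proxy"] and ":" not in settings["proxy"]:
        raise ValueError("proxy must be given as host:port")
    return settings


# constructed sample files
DEFAULT_INI = "[eyewitness]\ntimeout = 10\nuser_agent = Mozilla/5.0 (constructed)\n"
PROXY_INI = "[eyewitness]\nproxy = 127.0.0.1:3128\n"

if __name__ == "__main__":
    print(load_settings(DEFAULT_INI))
    print(load_settings(DEFAULT_INI, PROXY_INI, {"timeout": 30, "proxy": None}))
```

Validating after the merge, rather than per file, means a bad value is rejected no matter which layer introduced it, and a flag explicitly set to None on the command line leaves the file value untouched.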

Your setup doesn't support BackTrack

My /etc/issue file contains:

BackTrack 5 R2 - Code Name Revolution 32 bit \n \l

But this isn't in the osinfo case statement. I just manually ran through the Kali setup and it worked except you also need to add python-argparse to the list of packages to be installed.

Checked and the app ran fine after that.

bug with too many urls

Hi,

EyeWitness is perfect when I have a small number of websites to screenshot.
But when I have more than 10,000 websites it becomes a bit more complicated.
Recently I got the following error after approximately 500 URLs:

(python:7511): GLib-ERROR **: Creating pipes for GWakeup: Too many open files

I know that my bug report is a bit short.

./EyeWitness.rb -? gives error

./EyeWitness.rb:142:in `parse': invalid option: -? (OptionParser::InvalidOption)
	from ./EyeWitness.rb:1102:in `'

The fix is to wrap the parse on line 141 in a begin rescue block catching OptionParser::InvalidOption

141 begin
142 opt_parser.parse!(args)
143 options
144 rescue OptionParser::InvalidOption
145 puts "Invalid option given"
146 exit
147
148 end

Unicode unhandled exception

Hello there, I came across your project and tried it out for a few minutes.
Here is the traceback of the issued command and the command used to "achieve" the exception.

Command
python EyeWitness.py --skipcreds --single https://github.com/Daxda/EyeWitness.git

Traceback

Trying to screenshot https://github.com/Daxda/EyeWitness.git
Traceback (most recent call last):
  File "EyeWitness.py", line 1174, in <module>
    script_path, operating_system)
  File "EyeWitness.py", line 877, in table_maker
    ":</b> " + html_encode(value) + "\n"
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 501: ordinal not in range(128)
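The traceback above, and the earlier "Handle Python unicode strings properly" issue, both come from concatenating header bytes with text without deciding on an encoding first. The helpers below are an added example written for this page, not EyeWitness's table_maker: every header name and value is decoded explicitly (UTF-8, falling back to Latin-1 so no byte sequence can raise) and HTML-escaped before it is placed in the report. The sample headers are constructed.

```python
# Added example, not EyeWitness's own code: decode header values explicitly
# before escaping them, so a non-ASCII byte such as 0xc2 never reaches the
# report builder as undecoded bytes.
import html


def to_text(value) -> str:
    """Bytes are decoded as UTF-8, falling back to Latin-1 (which accepts any
    byte); anything else is converted with str()."""
    if isinstance(value, bytes):
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError:
            return value.decode("latin-1")
    return str(value)


def html_encode(value) -> str:
    """Escape <, >, &, and both quote characters after decoding."""
    return html.escape(to_text(value), quote=True)


def table_maker(headers: dict) -> str:
    """Render headers as the bold name/value lines the report uses."""
    rows = []
    for name, value in headers.items():
        rows.append("<b>" + html_encode(name) + ":</b> " + html_encode(value) + "\n")
    return "".join(rows)


# constructed header set mixing str and bytes, including a UTF-8 no-break
# space (0xc2 0xa0) and a lone 0xff byte that is not valid UTF-8
SAMPLE_HEADERS = {
    "Server": b"nginx",
    b"X-Note": "caf\u00e9 <test>",
    "Set-Cookie": b"a=\xc2\xa0b",
    "X-Raw": b"\xff<",
}

if __name__ == "__main__":
    print(table_maker(SAMPLE_HEADERS))
```

Because the report is written as text, every value must become str before escaping; doing the decode in one place (to_text) removes the need for the "search for u' and strip it" workaround mentioned in the earlier issue.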

-d option fails on multiple report pages

Line 1691 appends the script directory onto the provided directory name rather than doing whatever the first page does.

Traceback (most recent call last):
File "./EyeWitness.py", line 1691, in
".html", 'w') as page_out:
IOError: [Errno 2] No such file or directory: '/home/robin/tools/web/EyeWitness//home/robin/reports/xxx/xxxx/internal/screenshots_443/report_page2.html'

-d is broken

If you use -d with a directory name ending in a / which doesn't exist the script won't run and complains "[*] Error: Please provide a valid folder name/Path"

If you run it without the / on the end it runs OK. If you point it at a directory which exists then the mkdir fails trying to create the directory.
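The three -d reports above ("Output directory validation is too strict", "-d option fails on multiple report pages" and this one) describe the same set of path-handling mistakes: a hand-written regex rejecting valid paths, a script directory glued onto an absolute path for later report pages, and a trailing slash or an existing directory making the run fail. The helpers below are an added example written for this page, not EyeWitness's code, and show the try/except approach the first of those issues suggests; the function names and the error wording are assumptions.

```python
# Added example, not EyeWitness's own code: resolve the -d argument without a
# home-grown regex, accept absolute paths, trailing slashes, spaces and
# directories that already exist, and fail gracefully otherwise.
import os
import sys
import tempfile


def resolve_output_dir(script_dir: str, user_dir: str) -> str:
    """os.path.join discards script_dir when user_dir is absolute, so an
    absolute -d value is used as-is rather than appended to the script path.
    normpath removes a trailing slash and collapses '..' segments."""
    cleaned = os.path.normpath(os.path.expanduser(user_dir.strip()))
    return os.path.abspath(os.path.join(script_dir, cleaned))


def ensure_output_dir(path: str) -> str:
    """Create the report directory if needed; an existing directory is fine.
    Any OS-level refusal (permissions, path is a regular file) is reported
    instead of surfacing as a traceback."""
    try:
        os.makedirs(path, exist_ok=True)
    except OSError as exc:
        sys.exit(f"[*] Error: cannot use output directory {path!r}: {exc.strerror}")
    if not os.access(path, os.W_OK):
        sys.exit(f"[*] Error: output directory {path!r} is not writable")
    return path


def report_page_path(output_dir: str, page: int) -> str:
    """Every report page is placed under the same resolved directory."""
    name = "report.html" if page == 1 else f"report_page{page}.html"
    return os.path.join(output_dir, name)


if __name__ == "__main__":
    script_dir = os.path.dirname(os.path.abspath(__file__))
    # constructed inputs covering the cases from the issues
    for given in ("/home/robin/reports/xx/", "reports/run 1", "~/reports"):
        print(given, "->", resolve_output_dir(script_dir, given))
    scratch = tempfile.mkdtemp()
    out = ensure_output_dir(os.path.join(scratch, "new", "dir"))
    print(report_page_path(out, 1), report_page_path(out, 2))
```

Note that exist_ok=True still raises when the path exists as something other than a directory, which is why the except branch is kept; the writability check catches a directory that exists but cannot receive the report files.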
