Running an EyeWitness Docker Container (Great for macOS!)

During an engagement recently, I wanted to get an EyeWitness Docker container set up and working.

EyeWitness Docker - Introduction

For those of you who have never used it before, EyeWitness is a great tool for taking screenshots, especially of websites.

Unfortunately, it has a lot of requirements, some of which are a huge hassle in macOS.

Thankfully, Chris has included a Dockerfile in the repo, so this post shows how to set that up and run it.

Prerequisites

First, you must have Docker installed.

Next, clone the repository to your machine.

Rays-MacBook-Pro:tools doyler$ git clone https://github.com/ChrisTruncer/EyeWitness
Cloning into 'EyeWitness'...
remote: Counting objects: 2468, done.
remote: Compressing objects: 100% (32/32), done.
remote: Total 2468 (delta 19), reused 13 (delta 6), pack-reused 2427
Receiving objects: 100% (2468/2468), 1.38 MiB | 0 bytes/s, done.
Resolving deltas: 100% (1572/1572), done.

Installation

With the repository cloned, and Docker installed, it is time to build the container.

Rays-MacBook-Pro:EyeWitness doyler$ docker build --build-arg user=$USER --tag eyewitness .
Sending build context to Docker daemon  2.537MB
Step 1/11 : FROM phusion/baseimage
latest: Pulling from phusion/baseimage
22ecafbbcc4a: Pull complete 
580435e0a086: Pull complete  

...

[*] Setup script completed successfully, enjoy EyeWitness! 🙂

Removing intermediate container 6facb61bf09f
 ---> 788698f06a6e
Step 10/11 : USER $user
 ---> Running in e8461b03d83a
Removing intermediate container e8461b03d83a
 ---> 6aa13c7a3633
Step 11/11 : ENTRYPOINT ["python", "EyeWitness.py", "-d", "/tmp/EyeWitness/results", "--no-prompt"]
 ---> Running in 49c7d4023cf1
Removing intermediate container 49c7d4023cf1
 ---> 0adf7b8c6f36
Successfully built 0adf7b8c6f36
Successfully tagged eyewitness:latest

EyeWitness Docker - Execution

With the container set up, it was time to test my installation.

First, I verified my current directory structure and what files existed.

Rays-MacBook-Pro:eyewitness_test doyler$ pwd
/Users/doyler/Documents/__ENGAGEMENTS/External/eyewitness_test
Rays-MacBook-Pro:eyewitness_test doyler$ ls
external-targets-expanded.txt	nmap_fast.xml

Next, I modified one of the suggested commands for my usage.

Rays-MacBook-Pro:EyeWitness doyler$ docker run \
    --rm \
    -it \
    -e DISPLAY=$DISPLAY \
    -v /Users/doyler/Documents/__ENGAGEMENTS/External/eyewitness_test:/tmp/EyeWitness \
    eyewitness \
    -x /tmp/EyeWitness/nmap_fast.xml \
    --results 10000 --no-prompt --no-dns --headless

The parameters in the above command are as follows:

  • --rm - automatically clean up the container and remove its file system when the container exits
  • -it - keep STDIN open even if not attached (i) and allocate a pseudo-tty (t)
  • -e DISPLAY=$DISPLAY - set the DISPLAY environment variable
  • -v /Users/doyler/Documents/__ENGAGEMENTS/External/eyewitness_test:/tmp/EyeWitness - mount a shared filesystem on /tmp/EyeWitness of the container
  • eyewitness - the image to run, in this case the eyewitness image tagged during the build
  • -x /tmp/EyeWitness/nmap_fast.xml - the XML input file (nmap_fast.xml) for EyeWitness
  • --results 10000 - number of hosts (10,000) per page of report
  • --no-prompt - don't prompt to open the report
  • --no-dns - skip DNS resolution when connecting to websites
  • --headless - HTTP Screenshot using PhantomJS Headless
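
A pre-flight check worth running before a command like the one above (an added example, not part of the original post or the EyeWitness project): it parses the Nmap XML passed with -x and reports any host with open ports that the target list does not cover. It assumes the target list holds one IP address or CIDR range per line, which the post does not show; the sample data and function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample data (documentation address ranges), not from the post.
SAMPLE_TARGETS = "# authorized scope\n192.0.2.0/28\n198.51.100.7\n"
SAMPLE_NMAP_XML = """<nmaprun>
  <host><address addr="192.0.2.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
  <host><address addr="203.0.113.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/></port>
           <port protocol="tcp" portid="22"><state state="closed"/></port></ports></host>
  <host><address addr="198.51.100.7" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8080"><state state="filtered"/></port></ports></host>
</nmaprun>"""


def load_scope(text):
    """Parse one IP or CIDR per line (assumed format); skip blanks and # comments."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [ipaddress.ip_network(e, strict=False) for e in entries if e]


def open_services(xml_text):
    """Return {address: [open ports]} for every host in an Nmap XML report."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue  # e.g. a host entry with only a MAC address
        ports = [int(p.get("portid")) for p in host.iter("port")
                 if p.find("state") is not None
                 and p.find("state").get("state") == "open"]
        if ports:
            found[addr.get("addr")] = sorted(ports)
    return found


def out_of_scope(xml_text, scope_text):
    """Hosts with open ports that no entry in the target list covers."""
    scope = load_scope(scope_text)
    return {ip: ports for ip, ports in open_services(xml_text).items()
            if not any(ipaddress.ip_address(ip) in net for net in scope)}


if __name__ == "__main__":
    for ip, ports in out_of_scope(SAMPLE_NMAP_XML, SAMPLE_TARGETS).items():
        print(f"OUT OF SCOPE: {ip} open ports {ports}")
```

To use it on an engagement, read the contents of nmap_fast.xml and the target list from disk and pass them to out_of_scope(); an empty result means every scanned host with an open port is covered by the list.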

With the command executing, I was able to follow the progress and success!

 
################################################################################
#                                  EyeWitness                                  #
################################################################################

Starting Web Requests (234 Hosts)
/usr/local/lib/python2.7/dist-packages/selenium/webdriver/phantomjs/webdriver.py:49: UserWarning: Selenium support for PhantomJS has been deprecated, please use headless versions of Chrome or Firefox instead
  warnings.warn('Selenium support for PhantomJS has been deprecated, please use headless '
Attempting to screenshot https://127.0.0.1

...

[*] Completed 15 out of 234 services

Once the execution was complete, I had an entire report structure on my host in the results folder.

Rays-MacBook-Pro:eyewitness_test doyler$ ls -al results/
total 13104
drwxr-xr-x   16 doyler  staff      544 Jan 22 14:56 .
drwxr-xr-x    5 doyler  staff      170 Jan 22 14:54 ..
-rw-r--r--    1 doyler  staff   150996 Jan 22 14:56 bootstrap.min.css
-rw-r--r--    1 doyler  staff    46654 Jan 22 14:56 bootstrap.min.js
-rw-r--r--    1 doyler  staff     5034 Jan 22 14:56 dataTables.bootstrap4.min.css
-rw-r--r--    1 doyler  staff     2070 Jan 22 14:56 dataTables.bootstrap4.min.js
-rw-r--r--    1 doyler  staff  5932032 Jan 22 14:56 ew.db
-rw-r--r--    1 doyler  staff     6621 Jan 22 14:55 ghostdriver.log
-rw-r--r--    1 doyler  staff    95957 Jan 22 14:36 jquery-1.11.3.min.js
-rw-r--r--    1 doyler  staff    86659 Jan 22 14:56 jquery-3.2.1.min.js
-rw-r--r--    1 doyler  staff    81906 Jan 22 14:56 jquery.dataTables.min.js
-rw-r--r--    1 doyler  staff     7202 Jan 22 14:54 open_ports.csv
-rw-r--r--    1 doyler  staff   268678 Jan 22 14:56 report.html
drwxr-xr-x   51 doyler  staff     1734 Jan 22 14:56 screens
drwxr-xr-x  204 doyler  staff     6936 Jan 22 14:56 source
-rw-r--r--    1 doyler  staff      684 Jan 22 14:54 style.css

Once I opened the report.html file, my browser greeted me with a standard EyeWitness HTTP report!

EyeWitness Docker - Report

EyeWitness Docker - Conclusion

While running EyeWitness in a Docker container isn't always necessary, it is a great addition to the project.

I found it very useful on macOS just due to dependency issues, but it would also be handy for cloud or automated deployments.

Let me know if you have any other command or configuration suggestions, or an even better way to automate large-scale HTTP screenshot taking!

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.
