1.
An EyeWitness View into
your Network
@ChrisTruncer

2.
Whoami
● Christopher Truncer (@ChrisTruncer)
○ Florida State Seminole
○ Open Source Developer
■ Veil Framework
■ Egress-Assess
■ Just-Metadata, etc
○ Mandiant’s Red Team
● Rohan Vazarkar (@CptJesus)

3.
What’s this talk about?
● Our Host Identification Process
● Intro to EyeWitness and the Problem it
Solves
● EyeWitness 2.0
● Demo

4.
Typical Assessment Lifecycle
http://image.slidesharecdn.com/gates-open-source-information-gathering-brucon-111108214432-phpapp02/95/open-source-
information-gathering-brucon-edition-9-728.jpg?cb=1320788708

5.
First Step
● Discovery/Recon - why care?
○ Do you know all your assets?
○ Does your customer?
○ Do you know all the services running
on your systems?

6.
Blue Teamers
● People just randomly plug stuff into
your network!
○ Wifi APs
○ Computers
○ Wifi devices (phones)
● Are you periodically looking for them?

7.
Red Teamers
● Want to find anything we can attack
or use to gain a foothold
○ Rogue access point
○ Long-ago forgotten system
○ Misconfigured services
● Our initial discovery scans can help
identify quick wins
○ Why be sophisticated when I can
login w/ tomcat:tomcat

8.
Scans
● Penetration Test
○ NMap
○ Nessus
● Red Team
○ Potentially neither
○ Likely highly targeted scans

9.
NMap Timing
● Timing
○ ping a few
live hosts
○ identify the
time it took
to receive a
response

10.
NMap Timing
● Timing Options
○ --initial-rtt-timeout 200ms
○ --max-rtt-timeout 100ms
○ --max-retries 1
○ --max-scan-delay 0
■ Usually

11.
NMap Scan
● nmap -vvv -Pn -n --open --initial-rtt-
timeout 175ms --max-rtt-timeout 100ms
--max-retries 1 --max-scan-delay 0 -iL
<inputfile> -oA results -
p21,22,23,25,135,139,443,445,3306,3389

12.
NMap Scan
● Once complete, make a list of live
systems
● Full port scan against live systems with -A
○ Potentially provides banner
information
○ Useful for parsing and identifying
services for screenshots :)

13.
Nessus
● Obvious use case is for vulnerability
information...
● ...but can be useful for identifying live
systems if not needing stealth
● .nessus files are contain a lot of
information we can use
○ Easy to parse xml
○ Essentially provides the same content
as nmap xml

14.
Point of Recon & Enumeration
● Identify live hosts
on the network
● Identify any active
services
● Obtain system/OS
version information
● Generate a list of
hosts to investigate
further
● Identify quick wins
https://nmap.org/images/nmap-401-demoscan-798x774.gif

15.
Why Automate?
● Previous steps lead up to this list
● Find hundreds, or thousands, of
HTTP(s) servers
○ Manual review…. no thanks
● Thousands of RDP servers
● How do we begin to process/analyze
these systems if not in an automated
manner?

16.
Development Began

17.
Problems to Solve
● Automate web
screenshots
● Generate a
usable report
● Take input in
multiple formats
● Identify default
credentials
● Wanted to learn

18.
Existing Tools
● NMap - NSE Plugin
● PeepingTom - by Tim Tomes
○ Closest to what I wanted
● Nessus - Commercial Product

19.
Started With This

20.
StackOverflow
http://stackoverflow.com/questions/16344700/take-a-screenshot-from-a-website-from-commandline-
or-with-python

21.
Developed a POC

22.
Needed Improvements
● File Input:
○ Text File
○ NMap
○ Nessus
● Report Generation
● User Agent Switching
● Default credentials signatures

23.
Report Generation
● Simple - HTML table tags
● Store server header and screenshots
● Multi-Page Reports (don’t crash your
browser)
● Link structure for reports
○ Off by one bugs aren’t fun

24.
EyeWitness 1.0

25.
Improvements (still)

26.
Updates Needed
● Library Issues
○ Ghost - good,
but a hack
● Spaghetti code
● Group “similar”
pages
● No way to resume
a scan
● Other protocols?
https://c2.staticflickr.com/8/7248/7021453583_c8e2b7597f.jpg

27.
Fix the Problems
● Drop Ghost
○ Didn’t want to do this - pure python is
nice
○ Stability issues forced our hand
○ Lack of development

28.
Library Solution
● PhantomJS ● Selenium
http://38.media.tumblr.com/c5d6de716be379af2e7bf68dce080cd2/
tumblr_inline_n0b4hyJnfG1sr0bzb.png
http://www.seleniumhq.org/selenium-rc.png

29.
Spaghetti Code Fixes
● What we called the “nuke_it_all”
principal
○ rm -rf it all and start over
● Went from approx 100 variables to
more of a OO design

30.
http://cdn.meme.am/instances/54834100.jpg

31.
Result Groupings
● We investigated multiple solutions
○ Levenshtein Distance (thanks
@Digininja)
■ Measure the distance between
strings
○ Fuzzy Sorting
■ This was the winner

32.
Introduce Categories
● Sorting similar pages works
● Expand into categories
○ High Value Targets
○ iDrac
○ VoIP
○ Crap
○ Printers
■ So annoying, they are worse
than Crap

33.
Resuming Scans
● If a scan died on the last website,
the whole scan died
○ You’d have the artifacts
■ Source Code
■ Screenshots
○ No Report
○ Very frustrating for large lists

34.
Resuming Scans
● Rohan began investigating a fix
○ SQLite to the rescue!
■ We wanted to stay lightweight
without a db requirement
■ Track URLs scanned and
completed
■ Allows us to tie into this for
other purposes

35.
Protocols?
● We wanted to
add in RDP and
VNC
● Found a python
library which
does exactly
what we
needed!
https://github.com/citronneur/rdpy

36.
EyeWitness 2.0

37.
EyeWitness 2.0
● Modularized the tool
○ Future updates/support is
significantly easier
● Added in auxiliary scripts for
interacting with the database

38.
Auxiliary Scripts
● Search - Searches database for
website with string specified
● Recategorize - Creates new report
based off of updated sigs
● Mikto - Generates URL list for Mikto
(multi-threaded Nikto)
● Tomcat (upcoming) - Searches for
and brute force tomcat servers

39.
Writing Signatures
● Signatures are easy to add
● View the source code, then write it!
○ <sig>|<Name> <Creds>
○ <sig>;<sig>;<sig>...|<Name> <Creds>

40.
Adding to Categories
● Categories are also easy to add
● View the source code, then write it!
○ <sig>|<category>
○ <sig>;<sig>;<sig>...|<category>
● Same signature for default creds can be
used for categories

41.
EyeWitness Stats
● Originally: 409 lines
● Currently: 3500+ Lines
● Reasons?
○ signatures
○ report generation
○ .. real guess?

42.
Future Work
● Additional Aux Modules
● Additional Protocol Support
○ x11?
○ ideas?
● Optical Character Recognition
○ Hunt for users via RDP

43.
?
● Github
○ https://github.com/ChrisTruncer/EyeWitness
● Chris Truncer
○ @ChrisTruncer
○ CTruncer@christophertruncer.com
● Rohan Vazarkar
○ @CptJesus
○ rvazarkar@verisgroup.com