Skip to content


EyeWitness is an open-source tool that is used to take screenshots of the website RDP services, and open VNC servers, provide some server header info and identify default credentials if known.

This tool can analyze different types of files, such as:

  • text files. 
  • .nessus files.
  • XML outputs from NMAP scans. 
  • It can generate HTML reports with screenshots of URLs.

EyeWitness is designed to run on Kali Linux.


  1. Navigate into the Python/setup directory
  2. Run the script


./ -f filename --timeout optionaltimeout


./EyeWitness -f urls.txt --web

./EyeWitness -x urls.xml --timeout 8 

./ -f urls.txt --web --proxy-ip --proxy-port 8080 --proxy-type socks5 --timeout 120


  –web                HTTP Screenshot using Selenium
  –headless        HTTP Screenshot using PhantomJS Headless
  –rdp                 Screenshot RDP Services
  –vnc                  Screenshot Authless VNC services
  –all-protocols   Screenshot all supported protocols, using Selenium for HTTP

Input Options:

-f FilenameLine seperated file containing URLs to capture
  -x Filename.xmlNmap XML or .Nessus file
  –single Single URL  Single URL/Host to capture
  –createtargetstargetfilename.txt Parses a .nessus or Nmap XML file into a line- seperated list of URLs
  –no-dnsSkip DNS resolution when connecting to websites

Timing Options: 

–timeout TimeoutMaximum number of seconds to wait while requesting a web page (Default: 7)
  –jitter # of SecondsRandomize URLs and add a random delay between requests
  –threads # of ThreadsNumber of threads to use while using file based input

Report Output Options:

-d Directory NameDirectory name for report output
–results Hosts Per PageNumber of Hosts per page of the report
 –no-promptDon’t prompt to open the report

Web Options:

–user-agent User AgentUser Agent to use for all requests
–cycle User Agent TypeUser Agent Type (Browser, Mobile, Crawler, Scanner, Misc, All
–difference Difference ThresholdDifference threshold when determining if user agent requests are close “enough” (Default: 50)
–proxy-ip IP of web proxy to go through
–proxy-port 8080     Port of web proxy to go through
–show-selenium      Show display for selenium
–resolve                   Resolve IP/Hostname for targets
–add-http-ports ADD_HTTP_PORTSComma-seperated additional port(s) to assume are http (e.g. ‘8018,8028’)
–add-https-ports ADD_HTTPS_PORTSComma-seperated additional port(s) to assume are https (e.g. ‘8018,8028’)
–prepend-https      Prepend http:\\ and https:\\ to URLs without either
–vhost-name hostnameHostname to use in Host header (headless + single mode only)
–active-scan    Perform live login attempts to identify credentials or login pages.

Resume Options:

–resume ew.db       Path to db file if you want to resume

Leave a Reply