EyeWitness is an open-source tool that is used to take screenshots of the website RDP services, and open VNC servers, provide some server header info and identify default credentials if known.
This tool can analyze different types of files, such as:
- text files.
- .nessus files.
- XML outputs from NMAP scans.
- It can generate HTML reports with screenshots of URLs.
EyeWitness is designed to run on Kali Linux.
Setup:
- Navigate into the Python/setup directory
- Run the setup.sh script
Usage:
./EyeWitness.py -f filename --timeout optionaltimeout
Examples:
./EyeWitness -f urls.txt --web ./EyeWitness -x urls.xml --timeout 8 ./EyeWitness.py -f urls.txt --web --proxy-ip 127.0.0.1 --proxy-port 8080 --proxy-type socks5 --timeout 120








Protocols:
–web | HTTP Screenshot using Selenium |
–headless | HTTP Screenshot using PhantomJS Headless |
–rdp | Screenshot RDP Services |
–vnc | Screenshot Authless VNC services |
–all-protocols | Screenshot all supported protocols, using Selenium for HTTP |
Input Options:
-f Filename | Line seperated file containing URLs to capture |
-x Filename.xml | Nmap XML or .Nessus file |
–single Single URL | Single URL/Host to capture |
–createtargets | targetfilename.txt Parses a .nessus or Nmap XML file into a line- seperated list of URLs |
–no-dns | Skip DNS resolution when connecting to websites |
Timing Options:
–timeout Timeout | Maximum number of seconds to wait while requesting a web page (Default: 7) |
–jitter # of Seconds | Randomize URLs and add a random delay between requests |
–threads # of Threads | Number of threads to use while using file based input |
Report Output Options:
-d Directory Name | Directory name for report output |
–results Hosts Per Page | Number of Hosts per page of the report |
–no-prompt | Don’t prompt to open the report |
Web Options:
–user-agent User Agent | User Agent to use for all requests |
–cycle User Agent Type | User Agent Type (Browser, Mobile, Crawler, Scanner, Misc, All |
–difference Difference Threshold | Difference threshold when determining if user agent requests are close “enough” (Default: 50) |
–proxy-ip 127.0.0.1 | IP of web proxy to go through |
–proxy-port 8080 | Port of web proxy to go through |
–show-selenium | Show display for selenium |
–resolve | Resolve IP/Hostname for targets |
–add-http-ports ADD_HTTP_PORTS | Comma-seperated additional port(s) to assume are http (e.g. ‘8018,8028’) |
–add-https-ports ADD_HTTPS_PORTS | Comma-seperated additional port(s) to assume are https (e.g. ‘8018,8028’) |
–prepend-https | Prepend http:\\ and https:\\ to URLs without either |
–vhost-name hostname | Hostname to use in Host header (headless + single mode only) |
–active-scan | Perform live login attempts to identify credentials or login pages. |
Resume Options:
–resume ew.db | Path to db file if you want to resume |