So there you are on an engagement with a large external footprint. There's thousands of exposed IP addresses for the target that have port 80 or 443 open, web ports. Naturally, one of the first things you'll do is fire up Gowitness (or some other screenshotting tool) and start looking around at the sites.
But what you’re presented with is a veritable sea of wonky and uninteresting webpages. Buried in them is something that you can follow up on (you hope). But manually perusing each and every screenshot is a tedious and laborious affair.
What Eyeballer can do is automatically sift through these screenshots for you and pull out the relevant ones. Basically, you get to skip right to the fun part of hacking! Importantly, Eyeballer doesn’t search for any particular vulnerability. It is not a vulnerability scanner. What Eyeballer does is automatically label screenshots of websites so you can make sense of them faster.
We’re not discussing how Eyeballer works in this blog post; it’s a complex topic since it involves convolutional neural networks. But the TL;DR is that it uses Tensorflow, the same technology that apps use to tell the difference between pictures of cats and dogs or translate English to Japanese. But if you really can’t wait, just check out the source code here. If you’re a data scientist, it should be pretty straightforward. And if you’re not, well then just pretend like it’s magic.
We also just made a handy video about Eyeballer too, so you can watch that below.
Eyeballer has a new look; try it yourself at https://eyeballer.bishopfox.com. Go ahead and play around with it; I’ll wait!
Using the Eyeballer web interface couldn’t be easier, too. Just drag and drop your screenshots onto the drag-zone, and the tool will do all the work:
After you drop your screenshots in, Eyeballer will present the results like above. You can pick what labels to select just by clicking the label buttons in the middle. In the picture above, we chose to look at all of the hits for “Web Application” and excluded any labeled as “Custom 404” and “Parked Domain.” This gives us just results for websites with rich functionality that are prime candidates for further inspection.
Hitting the “Export” button will give you a CSV file with all the currently selected labels, letting you check them off as you go through them or even feed it into another tool.
Eyeballer looks for these five labels; let’s take an in-depth look at them.
- Web Application
- Old Looking
- Login Page
- Custom 404
- Parked Domain
This tells you that there is a larger group of pages and functionality available here that can serve as surface area to attack. This is in contrast to a simple login page or default IIS landing page with no other functionality. This label should indicate to you that there is a web application here you can attack. You can see in the images above that there’s buttons to click and content to peruse: all features that can potentially contain vulnerabilities.
Web applications are one of the primary things that you’re probably interested in when using Eyeballer, so this feature is super useful.
Blocky frames, broken CSS, that certain "je ne sais quoi" of a website that looks like it was designed in the early 2000s. You know it when you see it. Old websites aren't just ugly; they're also typically super vulnerable. When you're looking to hack into something, these websites are a goldmine.
Login pages are valuable to pen testing; they indicate that there's additional functionality you can’t currently access. It also means there's a simple follow-up process of credential enumeration attacks.
You might think that you can set a simple heuristic to find login pages, but in practice it's really hard. Modern sites often don't just use a simple input tag we can grep for; they’re built dynamically in the DOM, which makes detection difficult. But Eyeballer can easily pick them out just by looking.
Modern sites love to have cutesy custom 404 pages with pictures of broken robots or sad looking dogs. Unfortunately, they also love to return HTTP 200 response codes while they do it. More often, the "404" page doesn't even contain the text "404" in it. These pages are typically uninteresting, despite having a lot going on visually, and Eyeballer can help you sift them out.
Parked domains are websites that look real-ish, but aren't valid attack surface. They're stand-in pages, usually devoid of any real functionality, consist almost entirely of ads, and are usually not run by our actual target. It's what you get when the domain specified is wrong or lapsed. Finding these pages and removing them from scope is really valuable over time.
Bishop Fox Cosmos
Lastly, Bishop Fox’s Cosmos (formerly CAST) offering is now using Eyeballer! Attack surface discovery is a big part of what we do, and it often entails large web-based attack surfaces. This is the ideal scenario for Eyeballer to identify the “interesting” targets quickly.
Eyeballer is not (yet) Skynet. But it lets us quickly find those vulnerability diamonds-in-the-rough in an automated fashion so our operators can spend more time hacking and less time staring at thousands of screenshots.
You might be interested in these related posts.