Tune into our first episode of Tool Talk: a how-to series for hackers. REGISTER ›

Eyeballer 2.0 Web Interface and Other New Features

Eyeballer 2.0 new updates and release announcement

Share

So there you are on an engagement with a large external footprint. There's thousands of exposed IP addresses for the target that have port 80 or 443 open, web ports. Naturally, one of the first things you'll do is fire up Gowitness (or some other screenshotting tool) and start looking around at the sites.

But what you’re presented with is a veritable sea of wonky and uninteresting webpages. Buried in them is something that you can follow up on (you hope). But manually perusing each and every screenshot is a tedious and laborious affair.

Eyeballer security tool spotting interesting screenshots
Figure 1: Playing "spot the interesting screenshot" can be annoying and time-consuming

What Eyeballer can do is automatically sift through these screenshots for you and pull out the relevant ones. Basically, you get to skip right to the fun part of hacking! Importantly, Eyeballer doesn’t search for any particular vulnerability. It is not a vulnerability scanner. What Eyeballer does is automatically label screenshots of websites so you can make sense of them faster.

We’re not discussing how Eyeballer works in this blog post; it’s a complex topic since it involves convolutional neural networks. But the TL;DR is that it uses Tensorflow, the same technology that apps use to tell the difference between pictures of cats and dogs or translate English to Japanese. But if you really can’t wait, just check out the source code here. If you’re a data scientist, it should be pretty straightforward. And if you’re not, well then just pretend like it’s magic.

We also just made a handy video about Eyeballer too, so you can watch that below.

WEB INTERFACE

Eyeballer has a new look; try it yourself at https://eyeballer.bishopfox.com. Go ahead and play around with it; I’ll wait!

Eyeballer 2.0 get a new interface and a new look

Now, I know what you’re thinking: “You want me to upload my sensitive files into your website? No way!”. Well, you should know that the Eyeballer web UI is safe to use on sensitive data. As the screenshot above says, no data ever leaves your computer. All the neural network magic happens right there in your browser, in static HTML and JavaScript. You can even host it locally offline if you really wanted. There is no backend server. It’s set up this way so that your data stays private. Keep your files, I don’t want them.

Using the Eyeballer web interface couldn’t be easier, too. Just drag and drop your screenshots onto the drag-zone, and the tool will do all the work:

Eyeballer 2.0 web interface with drag and drop

After you drop your screenshots in, Eyeballer will present the results like above. You can pick what labels to select just by clicking the label buttons in the middle. In the picture above, we chose to look at all of the hits for “Web Application” and excluded any labeled as “Custom 404” and “Parked Domain.” This gives us just results for websites with rich functionality that are prime candidates for further inspection.

Hitting the “Export” button will give you a CSV file with all the currently selected labels, letting you check them off as you go through them or even feed it into another tool.

EYEBALLERS LABELS

Eyeballer looks for these five labels; let’s take an in-depth look at them.

  1. Web Application
  2. Old Looking
  3. Login Page
  4. Custom 404
  5. Parked Domain

Web Application

Eyeballer screenshots of application web pages that can serve as surface area to attack

This tells you that there is a larger group of pages and functionality available here that can serve as surface area to attack. This is in contrast to a simple login page or default IIS landing page with no other functionality. This label should indicate to you that there is a web application here you can attack. You can see in the images above that there’s buttons to click and content to peruse: all features that can potentially contain vulnerabilities.

Web applications are one of the primary things that you’re probably interested in when using Eyeballer, so this feature is super useful.

Old Looking

Eyeballer screenshots of old looking, blocky frames

Blocky frames, broken CSS, that certain "je ne sais quoi" of a website that looks like it was designed in the early 2000s. You know it when you see it. Old websites aren't just ugly; they're also typically super vulnerable. When you're looking to hack into something, these websites are a goldmine.

Login Page

Eyebeller screenshots of login pages that are valuable for pen testing

Login pages are valuable to pen testing; they indicate that there's additional functionality you can’t currently access. It also means there's a simple follow-up process of credential enumeration attacks.

You might think that you can set a simple heuristic to find login pages, but in practice it's really hard. Modern sites often don't just use a simple input tag we can grep for; they’re built dynamically in the DOM, which makes detection difficult. But Eyeballer can easily pick them out just by looking.

Custom 404

custom Eyeballer detects Custom 404 pages screenshots with pictures of broken robots or sad looking dogs

Modern sites love to have cutesy custom 404 pages with pictures of broken robots or sad looking dogs. Unfortunately, they also love to return HTTP 200 response codes while they do it. More often, the "404" page doesn't even contain the text "404" in it. These pages are typically uninteresting, despite having a lot going on visually, and Eyeballer can help you sift them out.

Parked Domain

Eyeballer detects parked domain web pages that are not valid attack surface

Parked domains are websites that look real-ish, but aren't valid attack surface. They're stand-in pages, usually devoid of any real functionality, consist almost entirely of ads, and are usually not run by our actual target. It's what you get when the domain specified is wrong or lapsed. Finding these pages and removing them from scope is really valuable over time.

Bishop Fox Cosmos

Lastly, Bishop Fox’s Cosmos (formerly CAST) offering is now using Eyeballer! Attack surface discovery is a big part of what we do, and it often entails large web-based attack surfaces. This is the ideal scenario for Eyeballer to identify the “interesting” targets quickly.

Eyeballer is not (yet) Skynet. But it lets us quickly find those vulnerability diamonds-in-the-rough in an automated fashion so our operators can spend more time hacking and less time staring at thousands of screenshots.


Dan petro

About the author, Dan Petro

Lead Researcher at Bishop Fox

Dan Petro is a Lead Researcher at Bishop Fox and focuses on application penetration testing (static and dynamic), product security reviews, network penetration testing (external and internal), and cryptographic analysis. Dan has presented at several Black Hats and DEF CONs on topics such as hacking smart safes, hijacking Google Chromecasts, and weaponizing AI. He has developed several open-source tools including Untwister, which breaks pseudorandom number generators. Additionally, Dan has been quoted in Wired, The Guardian, Business Insider, and Mashable. Dan holds both a Bachelor of Science and a Master of Science in Computer Science from Arizona State University.
More by Dan

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.