A while back someone sent me a link to the following article, which discusses how to use the Python program EyeWitness in conjunction with Tor to screenshot .onion sites on the Dark Web: https://webbreacher.com/2017/09/02/dark-web-report-torghost-eyewitness-goodness/
EyeWitness can be found here: https://github.com/FortyNorthSecurity/EyeWitness. It uses a background instance of Firefox to navigate to a .onion website and then screenshot it. You can take a list of links from a .txt file and have EyeWitness navigate to each one, take a screenshot (as well as capture some other information), and save the results as an .html report.
The idea behind it is great, but that post was published a couple of years ago, and when I got around to trying the same thing I couldn’t get it to work.
As it turns out, the most recent version of EyeWitness does not support the --proxy-type flag, and thus you can’t pipe the Tor requests through a proxy (which is required by Firefox to navigate Tor). After some tinkering and investigation, I found that the last version of EyeWitness that supports the proxy option is 2.2.3, which is still available in the Releases tab on the EyeWitness GitHub repo: https://github.com/FortyNorthSecurity/EyeWitness/releases
################################################################################
# EyeWitness #
################################################################################
# FortyNorth Security - https://www.fortynorthsecurity.com #
################################################################################
[*] Error: You didn't specify a file! I need a file containing URLs!
usage: EyeWitness.py [--web] [--rdp] [--vnc] [--all-protocols] [-f Filename]
[-x Filename.xml] [--single Single URL] [--no-dns]
[--timeout Timeout] [--jitter # of Seconds]
[--threads # of Threads]
[--max-retries Max retries on a timeout]
[-d Directory Name] [--results Hosts Per Page]
[--no-prompt] [--user-agent User Agent]
[--cycle User Agent Type]
[--difference Difference Threshold]
[--proxy-ip 127.0.0.1] [--proxy-port 8080]
[--proxy-type socks5] [--show-selenium] [--resolve]
[--add-http-ports ADD_HTTP_PORTS]
[--add-https-ports ADD_HTTPS_PORTS]
[--only-ports ONLY_PORTS] [--prepend-https]
[--active-scan] [--resume ew.db] [--ocr]
EyeWitness is a tool used to capture screenshots from a list of URLs
Protocols:
--web HTTP Screenshot using Selenium
--rdp Screenshot RDP Services
--vnc Screenshot Authless VNC services
--all-protocols Screenshot all supported protocols, using Selenium for HTTP
Input Options:
-f Filename Line seperated file containing URLs to capture
-x Filename.xml Nmap XML or .Nessus file
--single Single URL Single URL/Host to capture
--no-dns Skip DNS resolution when connecting to websites
Timing Options:
--timeout Timeout Maximum number of seconds to wait while requesting a web page (Default: 7)
--jitter # of Seconds
Randomize URLs and add a random delay between requests
--threads # of Threads
Number of threads to use while using file based input
--max-retries Max retries on a timeout
Max retries on timeouts
Report Output Options:
-d Directory Name Directory name for report output
--results Hosts Per Page
Number of Hosts per page of VNC or RDP report
--no-prompt Don't prompt to open the report
Web Options:
--user-agent User Agent
User Agent to use for all requests
--cycle User Agent Type
User Agent Type (Browser, Mobile, Crawler, Scanner,
Misc, All
--difference Difference Threshold
Difference threshold when determining if user agent
requests are close "enough" (Default: 50)
--proxy-ip 127.0.0.1 IP of web proxy to go through
--proxy-port 8080 Port of web proxy to go through
--proxy-type socks5 Proxy type (socks5/http)
--show-selenium Show display for selenium
--resolve Resolve IP/Hostname for targets
--add-http-ports ADD_HTTP_PORTS
Comma-seperated additional port(s) to assume are http
(e.g. '8018,8028')
--add-https-ports ADD_HTTPS_PORTS
Comma-seperated additional port(s) to assume are https
(e.g. '8018,8028')
--only-ports ONLY_PORTS
Comma-seperated list of exclusive ports to use (e.g.
'80,8080')
--prepend-https Prepend http:// and https:// to URLs without either
--active-scan Perform live login attempts to identify credentials or
login pages.
Resume Options:
--resume ew.db Path to db file if you want to resume
RDP Options:
--ocr Use OCR to determine RDP usernames
After you’ve installed Tor (apt get tor and then
For example, if we look at the following 10 .onion links (links redacted for what I hope are obvious reasons).
And then run EyeWitness with the following options:
python EyeWitness.py --web --timeout 60 -f links.txt --proxy-type socks5 --proxy-ip 127.0.0.1 --proxy-port 9050
It does a little thinking, and there are a few problems:
We see that, because of the response time of each .onion site and the timeout limit, the results in our HTML report will not be in order. Additionally, there’s a bit of a problem with redirects: the .html report states there was an “unknown error”, but when we click on the link, the site loads without any issues.
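One way to tell a slow or unreachable .onion host apart from a proxy problem before a long EyeWitness run, as an added example that is not from the original post or the EyeWitness project: it speaks SOCKS5 (RFC 1928) directly to the Tor SOCKS port used above (127.0.0.1:9050) and times each CONNECT, which helps when choosing a --timeout value. The function names and the placeholder hostnames are assumptions made for this example.

```python
import socket
import struct
import time

# SOCKS5 reply codes, RFC 1928 section 6
REPLIES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported",
    0x08: "address type not supported",
}

def build_connect(host, port):
    """CONNECT request with ATYP 0x03 (domain name): the proxy, not the
    local resolver, looks the name up, which is what .onion names need."""
    name = host.encode("ascii")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1-255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def recv_exact(sock, n):  # read exactly n bytes or fail
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def probe(host, port=80, proxy=("127.0.0.1", 9050), timeout=60.0):
    """Return (status, seconds) for one target reached through the proxy."""
    start = time.monotonic()
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")            # offer "no authentication"
            if recv_exact(s, 2) != b"\x05\x00":
                return "proxy refused SOCKS5 no-auth", time.monotonic() - start
            s.sendall(build_connect(host, port))
            code = recv_exact(s, 4)[1]            # VER, REP, RSV, ATYP
            status = REPLIES.get(code, "unknown reply 0x%02x" % code)
    except socket.timeout:
        status = "timeout"
    except OSError as exc:
        status = "proxy error: %s" % exc
    return status, time.monotonic() - start

if __name__ == "__main__":
    for target in ["placeholder-one.onion", "placeholder-two.onion"]:  # constructed names
        print(target, *probe(target))
```

A "proxy error" status means Tor itself is not listening on the SOCKS port, while "timeout" or "host unreachable" points at the individual site.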
Further investigation is in order. I will update this post as I learn more.