Skip to content

Recon Part 3 – Gobuster and EyeWitness

Gobuster

TheColonial wrote a really cool tool called Gobuster which is similar to fierce but programmed in Go. I wanted to include it here because I tend to have better performance using this tool than fierce, by a LOT. Gobuster can be found on github here. There are a few issues to work out when setting up your Go environment but the official documentation should walk anyone through it and, if you have issues with the workspace creation, this StackOverflow article was useful.  Essentially, make sure to build the workspace to the required specifications to compile the code. Once done you’re free to do something like ln -s /path/to/compiled/gobuster /path/to/recon/tools/gobuster to make it easier to access.

Scanning with Gobuster

Once completed you should grab a wordlist or use ones from the fierce directory we talked about earlier. When we try to run the script here’s our options:

So we’ve got a good set of options to investigate. One of the important things to note is that this doesn’t strictly do DNS brute-forcing but also allows directory scanning/traversal. We won’t go in to this right now but will cover it at a later time in an article on Burp, DirBuster, and GoBuster.

The important flags from above, ignoring the directory mode options, are:

  1. m – set this to ‘dns’ for now
  2. i – if we want to see IPs from scan
  3. w – Path to the wordlist
  4. u – Target URL/Domain

Test Gobuster Scan

Let’s try this again on XKCD:

A few things to note:

  1. This scan, for me, is many times faster than fierce (it also defaults to 10 threads instead of fierce’s one thread)
  2. This scan appears to be more accurate. While it does catch more than fierce I still recommend running both tools more than once for optimal results

Tell me if you have the same experience! I’d love to benchmark these tools in a later post and knowing what experiences others have would be great as well.

EyeWitness

Now on to one of my favorite tools in the recon arsenal! EyeWitness is a tool by ChrisTruncer which takes a set of IP addresses or hostnames, attempts to screenshot them, and creates a nice report file!

First, we’ll clone the repository from here:

Once cloned and built we can run a -h on it and see our options. I’m excluding some of the text for brevity:

The important things to note are the following:

  1. Use --web when looking for web page headers and screenshots while using an OS with a GUI
  2. Use –-headless when running from a GUI-less system, --web will not work on a terminal-only system
  3. Make sure your targets file (-f) is only IP addresses or URLs

Let’s take our XKCD scan we did earlier, modify it a bit for readability, and use this to prepare some data to run through EyeWitness.

Preparing EyeWitness Data

The command I will use to pull urls from GoBuster is this:

If we cat that file we’ll see the following:

This isn’t quite usable yet, we need the file to be in the form of: hostname <newline> hostname <newline>

Let’s write a quick bash command to extract this information for us:

This will generate a targets.txt file from the xkcd_urls.txt for us, it looks like this:

This looks okay but I decided I wanted to write something a little more reusable so I don’t have to remember how to do that each time. Here is a bash script I wrote to handle that in a reusable way:

This prompts for your input file, prompts for the name of the target, and then creates a directory for the target and saves your targets there! Pretty slick, right? Here’s what running it looks like:

Now if we cat that file we should have the same desired output:

Success!

Using EyeWitness

Now that we have our targets file, lets see how this works and run the following:

This returns the following:

So it looks like it worked! I’ll SCP the files to my desktop and we can take a look at the results.

EyeWitness Reports

Without going in to too much detail, here’s some of the information EyeWitness returns back to us:

  • Report Folder Contents

  • Summary section

  • Sample Report

 

As you can see, there’s some really good data – headers, source code, screenshots, and more.

It’s worth noting that, unlike our other scans/tools which are almost entirely passive and don’t touch target infrastructure, this will attempt to load each entry in our targets.txt file.

In our next article we will cover additional recon tools and strategies! As always, any criticism or feedback is welcome.

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *