Shmoocon is one of those few security conferences that has been around for quite some time, each year selling out of tickets in record time and only allowing those with the quickest mouse clicks to obtain them. Luckily for Steve Breen and me, we had the privilege of giving our talk “httpscreenshot – A Tool for Both Teams” this year at Shmoocon, securing tickets for ourselves.
The reason that we named this talk “A Tool for Both Teams” was we believe that both red teams and blue teams can benefit from using it just the same. I’ve been on both teams myself, defending networks, as well as breaking into them, so I feel justified in talking about the problems faced on both.
On the blue team, the biggest problem we’re trying to solve is that network and systems administrators often don’t have a good idea of what is sitting on their networks. On the red team, every single network we are targeting (and in turn, supposed to be assessing) is an unknown to us, and we don’t always have a lot of time to explore it. Our solution to these two problems is httpscreenshot.
httpscreenshot is a set of two Python scripts (httpscreenshot and cluster), developed internally over the past two years, that take screenshots of websites quickly and reliably. The cluster script then performs “fuzzy matching” on the HTML output of the pages to produce an immediately usable output with “similar” pages grouped together.
What we believe sets httpscreenshot apart from other similar tools out there is the number of features we’ve put into it while keeping the tool fast and thorough. Here is a quick list of the features of the tool:
- Has the ability to parse gnmap output from nmap and masscan
- Performs autodetection of SSL if version scans weren’t run
- Scrapes SSL certificates for domain names and alt names to add to the queue (no more missing vhosts due to hitting by IP address)
- Runs headless, with configurable fail-over to Firefox, so you can use your favorite remote server easily
- Threaded, so it’s pretty quick
- Saves output of websites to both PNG and HTML so you can easily grep the source if you’re looking for something specific
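As an added illustration (my own code, not part of httpscreenshot), the following Python sketches the two stages the post describes: turning greppable nmap/masscan output into a screenshot queue, and grouping the saved HTML by fuzzy similarity the way the cluster script does. The scan lines and pages are constructed samples. Because the real tool’s SSL autodetection and certificate scraping need a live connection, the parser substitutes a port-number hint (assumed, not the tool’s logic) and the hostname field of the gnmap line; the clustering uses difflib’s token-level ratio, which is my choice rather than the tool’s matching routine.

```python
"""Added example, not httpscreenshot's own code: a gnmap-to-target parser and
a fuzzy HTML clusterer in the spirit of the two scripts the post describes.
All sample data below is constructed, not real scan output."""
import difflib
import re
from typing import Dict, List, Tuple

# Constructed greppable output in the shape nmap -oG / masscan -oG produce.
SAMPLE_GNMAP = """\
# Nmap 7.x scan initiated (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|https///\tIgnored State: closed (997)
Host: 10.0.0.6 (intranet.example.test)\tPorts: 8080/open/tcp//http-proxy///, 8443/open/tcp//////
Host: 10.0.0.7 ()\tPorts: 25/filtered/tcp//smtp///, 9000/open/tcp//////
"""

TLS_PORT_HINTS = {443, 8443}          # assumed heuristic; the real tool probes for SSL
SKIP_SERVICES = {"ssh", "smtp", "ftp", "telnet"}  # plainly not HTTP, not worth a screenshot


def parse_gnmap(text: str) -> List[Tuple[str, int, str]]:
    """Return (host, port, scheme) triples for open TCP ports worth a screenshot.

    scheme is 'http', 'https', or 'probe' when the scan carried no service
    name and the port gives no hint (the point at which httpscreenshot
    would autodetect SSL by connecting).
    """
    targets = []
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+)\s+\(([^)]*)\)", line)
        if not m or "Ports:" not in line:
            continue
        ip, hostname = m.group(1), m.group(2)
        # gnmap port entries: port/state/proto/owner/service/rpc/version/
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state != "open" or proto != "tcp" or service in SKIP_SERVICES:
                continue
            if "ssl" in service or "https" in service or port in TLS_PORT_HINTS:
                scheme = "https"
            elif "http" in service:
                scheme = "http"
            else:
                scheme = "probe"
            # Queue the hostname as well as the IP so name-based vhosts aren't missed.
            for host in {ip, hostname} - {""}:
                targets.append((host, port, scheme))
    return sorted(targets)


def tokenize(html: str) -> List[str]:
    """Split markup into tags and words, collapsing digits so build numbers
    and timestamps don't pull otherwise identical pages apart."""
    return [re.sub(r"\d+", "0", t.lower()) for t in re.findall(r"<[^>]+>|\w+", html)]


def similarity(a: str, b: str) -> float:
    """Fuzzy score in [0, 1] over token sequences (autojunk off for determinism)."""
    return difflib.SequenceMatcher(None, tokenize(a), tokenize(b), autojunk=False).ratio()


def cluster_pages(pages: Dict[str, str], threshold: float = 0.8) -> List[List[str]]:
    """Greedy single-pass grouping: each page joins the first cluster whose
    representative (its first member) scores at least `threshold`."""
    clusters: List[List[str]] = []
    for name, html in pages.items():
        for group in clusters:
            if similarity(pages[group[0]], html) >= threshold:
                group.append(name)
                break
        else:
            clusters.append([name])
    return clusters


# Constructed saved-HTML samples: two Jenkins logins that differ only in
# title and version, an Apache default page, and a Tomcat default page.
JENKINS = ("<html><head><title>Dashboard [Jenkins]</title></head><body>"
           "<div id=\"header\"><a href=\"/\">Jenkins</a> ver. 1.580</div>"
           "<form action=\"/j_acegi_security_check\" method=\"post\">"
           "<input name=\"j_username\"><input name=\"j_password\">"
           "<button type=\"submit\">log in</button></form></body></html>")
SAMPLE_PAGES = {
    "https://10.0.0.5:443": JENKINS,
    "https://10.0.0.6:8443": JENKINS.replace("1.580", "1.642").replace("Dashboard", "Build farm"),
    "http://10.0.0.5:80": ("<html><head><title>Apache2 Ubuntu Default Page: It works</title></head>"
                           "<body><h1>It works!</h1><p>This is the default welcome page used to "
                           "test the correct operation of the Apache2 server.</p></body></html>"),
    "http://10.0.0.6:8080": ("<html><head><title>Apache Tomcat/8.0.15</title></head><body>"
                             "<h1>If you're seeing this, you've successfully installed Tomcat.</h1>"
                             "<a href=\"/manager/html\">Manager App</a></body></html>"),
}

if __name__ == "__main__":
    for host, port, scheme in parse_gnmap(SAMPLE_GNMAP):
        print(f"queue: {scheme}://{host}:{port}")
    for group in cluster_pages(SAMPLE_PAGES):
        print("cluster:", ", ".join(group))
```

Run as-is, the queue shows the 8080 and 8443 services on 10.0.0.6 listed under both the IP and intranet.example.test, and the two Jenkins pages land in one cluster while the Apache and Tomcat defaults each stand alone, which is the grouping that makes a large screenshot run readable at a glance.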
One of the ways that I’ve leveraged this tool myself has been on bug bounties. For any bounties out there that allow for fairly open scope such as Facebook, Google, eBay, etc., this tool is a fantastic way to quickly uncover attack surface (as demonstrated in the demo at the end of this post). Just a few weeks ago Ryan Dewhurst (@ethicalhack3r) mentioned that he found Jenkins on one of Facebook’s acquisitions on a non-standard port, netting him some fairly easy cash. I found the same on eBay, and the cluster portion of httpscreenshot put them all together for me for multiple submissions. 🙂
If you find the tool useful, want to provide some feedback, or need any help with it, just reach out to @breenmachine or me (@jstnkndy) on Twitter, IRC (breenmachine or juken), or raise an issue on GitHub (github.com/breenmachine/httpscreenshot). If you want to see the tool in action, check out the demo below or go play with it yourself!
About the Author:
Justin Kennedy (@jstnkndy) is a Principal Security Consultant at NTT Com Security and currently leads the Offensive Security team there. His expertise lies in social engineering, physical security, and other areas of penetration testing and offensive security. Justin’s background includes systems administration, network defense, and being mischievous. When he’s not popping boxes and rolling networks, you can often find him being a coffee and beer snob.