
EyeWitness Explained — Automating Mass Web-Host Screenshots for Recon Triage

LOG_DATE: 2026-06-08

EyeWitness is a recon / triage tool developed by Christopher Truncer (FortyNorth Security). Its role is simple and powerful — automatically screenshot a large set of web hosts and bundle them into a single HTML report. Fire nmap or rustscan and you can get back hundreds of open web ports. Opening each one in a browser to check "which is a login page," "is it a default page," "is it an old app" isn't realistic. EyeWitness opens every host with a headless browser behind the scenes and takes a screenshot, attaching each host's response headers, identified technology, and (where known) default credentials in the report. The result: you can "eyeball them all at once and quickly pick the interesting targets — login panels, admin consoles, abandoned old apps." It can also screenshot RDP and VNC services.

01

What EyeWitness is — screenshot automation + an HTML report for triage

A port-scan result is nothing but "a list of IPs and ports." Even with 300 lines of 443/tcp open https, you can't know which one is a foothold until you look at the content. What EyeWitness solves is exactly automating that "looking."

Hand it a list of hosts / URLs, and EyeWitness opens each one in a headless browser in turn and takes a screenshot, simultaneously recording the server's response-header info and, where possible, inferring the running technology. Finally it bundles them into a single browsable HTML report (report.html). The report lays out the screenshot, headers, and inferred info per host, and on top of that auto-categorizes them into groups like "Identified Login Pages" and "High Value Targets."

▸ EyeWitness fills the gap "between scan and manual work"

The recon flow is roughly three stages: port scan → triage (selection) → manual testing. EyeWitness owns the middle triage. If nmap answers "where is open" and ffuf or Burp handle "deep-diving an individual host," EyeWitness is the tool to decide which hosts to deep-dive at a glance. On Kali it is often pre-installed; if not, install it with apt install eyewitness.

02

Legal and ethical considerations

EyeWitness looks like a "just looking" tool, but in reality it opens HTTP / RDP / VNC connections to the target hosts. Aiming it at third-party hosts without permission is access with no legitimate authority, and can be an illegal act under Japan's Unauthorised Computer Access Act or laws against obstruction of business, and the equivalents elsewhere. "I only took a screenshot" is no excuse.

▸ Targets you may point EyeWitness at
  • Assets you own or administer — your own server fleet, a VPS you pay for, an isolated learning lab.
  • A scope you have explicit written permission for — a pentest contract where target hosts and period are documented. Do not include a single out-of-scope host in the input list.
  • Legitimate learning platforms — Hack The Box, TryHackMe, and other environments where the operator permits recon.

Be especially careful with the workflow of feeding an nmap XML straight in. If an out-of-permission IP slipped into the scan range, EyeWitness will automatically go and connect to it too. Always check the contents of the list or XML before passing it, and limit it to the authorized scope only. The very act of "screenshotting third-party hosts you have no permission for" can be unauthorized access / abuse.

03

What it can do — screenshots / headers / credential hints / categorization

What EyeWitness gathers in a single run goes beyond mere images. The information that accelerates triage is condensed into the report.

What it collects | Content | Meaning for triage
Web screenshots | Captures HTTP / HTTPS screens | Instantly spot login pages / default pages by eye
RDP / VNC screenshots | Also captures remote-desktop / VNC screens | Find abandoned remote-control services
Response headers | Records Server and other headers | Get a read on the running software / version
Technology inference | Guesses the running technology | Quickly judge whether it's a known vulnerable product
Default-credential hints | Notes initial passwords for known products | Know which unchanged default creds to try

Switch the capture mode to match the host type. For web only use --web; to capture RDP / VNC use --rdp / --vnc; to try everything at once use --all-protocols.

▸ The report's "categorization" makes triage faster

EyeWitness's report doesn't just line up the captured images — it auto-sorts them into categories like "Identified Login Pages" and "High Value Targets." Of hundreds of hosts, you can go straight to the login / admin screens worth seeing first, dramatically cutting the manual viewing burden. A host with a suggested default credential becomes a candidate to try right away.

04

The basics — a list / nmap XML / a single host

EyeWitness runs once you decide how to feed the input and where to output. There are three ways to pass input: "a list of URLs/hosts (-f)," "an nmap/Nessus XML (-x)," and "a single URL (--single)." Specify the output directory with -d.

Capture from a URL list

Passing a one-host-per-line text file with -f is the most basic. Capture web screens with --web.

Bulk screenshots from a URL list
$ eyewitness --web -f urls.txt -d recon_shots
# --web            HTTP/HTTPS screenshot mode
# -f urls.txt      one-host-per-line input list
# -d recon_shots   output directory for the report and screenshots

Capture from an nmap XML

Output nmap as XML with -oX and EyeWitness reads it with -x, extracting the web services from the XML itself and capturing them. Being able to feed the scan result straight in is the strength.

Hand off the nmap XML for automatic capture
$ eyewitness -x nmap.xml --web -d shots --no-prompt
# -x nmap.xml   extract web from the nmap (or Nessus) XML
# --no-prompt   run to completion without pausing for input

A single host / RDP and VNC together

To check just one, use --single. To try RDP, VNC, and web at once, use --all-protocols against a list.

Single host / all-protocols capture
$ eyewitness --single https://10.0.0.5 --web
$ eyewitness --all-protocols -f hosts.txt -d shots
# --single URL      capture only a single host
# --all-protocols   try Web + RDP + VNC together

05

The recon pipeline — from scan to report to deep dive

EyeWitness shows its true value when built in as one stage of a recon pipeline rather than used alone. The classic flow goes like this.

1. Port discovery (rustscan / nmap)
Enumerate open web ports and write them out to XML with -oX nmap.xml.
2. Hand the XML to EyeWitness
eyewitness -x nmap.xml --web --no-prompt extracts the web services and bulk-screenshots them.
3. Triage with the HTML report
Browse report.html and narrow to the "interesting hosts" — login pages, admin consoles, old apps.
4. Deep-dive individual hosts (ffuf / Burp / nikto)
Run ffuf directory discovery and Burp manual testing on only the chosen few hosts.

The point is that EyeWitness supports the decision not to deep-dive everything. Firing ffuf at all of hundreds of hosts wastes both time and load. By taking a bird's-eye view with EyeWitness first and then concentrating ffuf / Burp on the hits only, you can spend your limited time on high-value targets.

nmap → EyeWitness → ffuf chain
$ nmap -p 80,443,8080 -oX nmap.xml 10.0.0.0/24
$ eyewitness -x nmap.xml --web -d shots --no-prompt
# review shots/report.html, pick the hits, then…
$ ffuf -w wordlist.txt -u https://10.0.0.5/FUZZ

06

Related tools and operational tips

EyeWitness isn't the only tool that "screenshots many web hosts." Choose by use case and taste.

Tool | Characteristics
EyeWitness | The classic. Triage-focused, with headers, default credentials, and categorization in the report. Can capture RDP / VNC too
Aquatone | Specialized in bulk-host screenshots + HTML report generation. A staple after subdomain enumeration
gowitness | Go-based, fast and lightweight. Easy to run as a single binary
httpx | By ProjectDiscovery. Centered on HTTP probing with screenshots also possible. Pairs well with other PD tools

The main options for using EyeWitness comfortably are below. They help with automation and catching what would otherwise be missed.

Option | Effect
--threads <n> | Number of concurrent threads. Raise for speed, lower for lighter load
--timeout <sec> | Per-host timeout in seconds. Don't let slow hosts stall the run
--prepend-https | Also try https:// for hosts without a scheme (avoid misses)
--no-prompt | Run to completion without pausing for input (for pipelines / cron)
--resolve | Include DNS PTR / resolution info in the report
--results <n> | Number of screenshots per report page
--user-agent "<UA>" | Set a custom User-Agent

▸ Operational tip — vetting the input matters most

EyeWitness actually connects to every host in the list / XML you pass. That is precisely why the biggest operational caution is "don't mix out-of-scope hosts into the input." Especially when automating with --no-prompt, always check the list contents before running. For hosts you worry about missing, use --prepend-https; if a slow host stalls the whole scan, set a shorter --timeout. Keep triage entirely within the authorized scope.
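
The vetting step described above, and in the earlier warning about feeding an nmap XML straight in, as an added example that is not part of the original article or of EyeWitness itself: it reads the nmap XML, keeps only open HTTP(S) ports on hosts inside an allow-listed scope, and refuses to write the -f list if any out-of-scope host appears. The function name vet_nmap_xml, the 10.0.0.0/24 scope, and the sample XML are assumptions constructed for illustration.

```python
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample: `nmap -oX` output trimmed to the elements this check reads.
SAMPLE_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
</ports></host>
<host><address addr="10.0.1.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host>
<host><address addr="10.0.0.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
</ports></host>
</nmaprun>"""

def vet_nmap_xml(xml_text, scope_cidrs):
    """Return (in-scope URLs, out-of-scope IPs) for open web ports in nmap XML."""
    scope = [ipaddress.ip_network(c, strict=False) for c in scope_cidrs]
    urls, rejected = [], set()
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a for a in host.findall("address")
                     if a.get("addrtype") != "mac"), None)
        if addr is None:
            continue
        ip = ipaddress.ip_address(addr.get("addr"))
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            if state is None or state.get("state") != "open" or "http" not in name:
                continue  # only open ports that nmap labelled as HTTP(S)
            if not any(ip in net for net in scope):
                rejected.add(str(ip))  # a host that -x would have connected to
                continue
            tls = "https" in name or svc.get("tunnel") == "ssl"
            literal = f"[{ip}]" if ip.version == 6 else str(ip)
            urls.append(f"{'https' if tls else 'http'}://{literal}:{port.get('portid')}")
    return urls, sorted(rejected)

if __name__ == "__main__":
    urls, rejected = vet_nmap_xml(SAMPLE_XML, ["10.0.0.0/24"])  # scope is an assumption
    if rejected:  # fail closed: write nothing until the scan range is corrected
        sys.exit(f"out-of-scope hosts in scan result: {', '.join(rejected)}")
    with open("urls.txt", "w") as fh:  # vetted list for `eyewitness --web -f urls.txt`
        fh.write("\n".join(urls) + "\n")
```

Run against the constructed sample, the script exits with an error naming 10.0.1.9 and writes no list, which is the behaviour you want in front of a --no-prompt run.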
