Full Report
On a recent assessment I had an incredibly large IP space that was in scope. Almost an entire /8, to be precise. While it is possible to scan ranges like that with things like masscan, nmap and the like, I was interested in web interfaces for this particular client, as I quickly came to realise that they had a large amount of third-party web services exposed with default login credentials left unchanged. Nessus would tell me that "there is a web interface running there", but I wanted more in terms of what is running.
Analysis Summary
# Tool/Technique: gowitness
## Overview
`gowitness` is a tool developed in Golang designed to scan large IP spaces (like a /8) for exposed web interfaces, capture screenshots of these interfaces, record response headers, and extract information from SSL certificates. The primary motivation for its creation was to go beyond basic port scanning (like Nmap or Masscan) to gain visual confirmation of running web services, particularly those exposed with default credentials.
## Technical Details
- Type: Tool
- Platform: Cross-platform (Built using Golang, releases available for many platforms)
- Capabilities: CIDR range scanning, HTTP/HTTPS protocol scanning, web interface screenshotting (using Chrome Headless), recording response headers, extracting SSL certificate details, HTML report generation.
- First Seen: November 27, 2017
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application (Indirectly, by discovering vulnerable web interfaces)
- TA0007 - Discovery
- T1046 - Network Service Discovery (formerly named Network Service Scanning)
- TA0043 - Reconnaissance
- T1595 - Active Scanning
- T1595.001 - Scanning IP Blocks
## Functionality
### Core Capabilities
- **Network Scanning:** Scans specified CIDR ranges on configurable ports (default includes 80, 443, 8080, 8443) using both HTTP and HTTPS protocols.
- **Screenshot Capture:** Uses Chrome Headless to take screenshots of discovered web interfaces.
- **Information Gathering:** Records HTTP response headers and details from presented SSL certificates (like DNS names).
- **Concurrency:** Leverages Goroutines to perform scans concurrently, configurable via a `--threads` parameter.
- **Reporting:** Generates an HTML report summarizing all scanned results, allowing users to scroll through captured screenshots and headers.
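The scan loop described above, as an added example that is not gowitness's own code: expand a CIDR into hosts, build the http and https candidate URLs for each port, probe them with a bounded number of goroutines (the `--threads` idea), and record the status, response headers and certificate SAN DNS names. The `10.0.0.0/30` range in `main` is a placeholder; certificate verification is switched off on purpose because the point is to see what is listening, not to trust it.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"sync"
	"time"
)

// Result is what a gowitness-style probe keeps for one URL.
type Result struct {
	URL      string
	Status   int
	Headers  http.Header
	DNSNames []string // subjectAltName DNS entries of the presented certificate
	Err      error
}

// ExpandCIDR lists every address in the range, network and broadcast included.
// A /8 is 16,777,216 entries, so a real scanner would stream these instead.
func ExpandCIDR(cidr string) ([]string, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	var out []string
	for ip := ipnet.IP; ipnet.Contains(ip); {
		out = append(out, ip.String())
		ip = nextIP(ip)
		if ip.IsUnspecified() { // wrapped past the last address (a /0)
			break
		}
	}
	return out, nil
}

// nextIP returns ip+1 without mutating its argument.
func nextIP(ip net.IP) net.IP {
	next := make(net.IP, len(ip))
	copy(next, ip)
	for i := len(next) - 1; i >= 0; i-- {
		next[i]++
		if next[i] != 0 {
			break
		}
	}
	return next
}

// CandidateURLs builds http:// and https:// URLs for every host and port.
func CandidateURLs(hosts []string, ports []int) []string {
	var urls []string
	for _, h := range hosts {
		for _, p := range ports {
			for _, scheme := range []string{"http", "https"} {
				urls = append(urls, fmt.Sprintf("%s://%s:%d", scheme, h, p))
			}
		}
	}
	return urls
}

// NewClient returns a client with a short timeout and TLS verification off:
// self-signed and expired certificates are the norm on forgotten admin UIs.
func NewClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout:   timeout,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}},
	}
}

// Probe fetches one URL and records status, headers and certificate DNS names.
func Probe(client *http.Client, url string) Result {
	r := Result{URL: url}
	resp, err := client.Get(url)
	if err != nil {
		r.Err = err
		return r
	}
	defer resp.Body.Close()
	r.Status = resp.StatusCode
	r.Headers = resp.Header
	if resp.TLS != nil && len(resp.TLS.PeerCertificates) > 0 {
		r.DNSNames = resp.TLS.PeerCertificates[0].DNSNames
	}
	return r
}

// ScanAll probes every URL with at most `threads` goroutines in flight.
func ScanAll(client *http.Client, urls []string, threads int) []Result {
	results := make([]Result, len(urls))
	sem := make(chan struct{}, threads) // semaphore bounding concurrency
	var wg sync.WaitGroup
	for i, u := range urls {
		wg.Add(1)
		sem <- struct{}{}
		go func(i int, u string) {
			defer wg.Done()
			defer func() { <-sem }()
			results[i] = Probe(client, u)
		}(i, u)
	}
	wg.Wait()
	return results
}

func main() {
	hosts, _ := ExpandCIDR("10.0.0.0/30") // placeholder range for illustration
	urls := CandidateURLs(hosts, []int{80, 443, 8080, 8443})
	for _, r := range ScanAll(NewClient(3*time.Second), urls, 8) {
		if r.Err == nil {
			fmt.Printf("%s %d Server=%q SANs=%v\n", r.URL, r.Status, r.Headers.Get("Server"), r.DNSNames)
		}
	}
}
```

The SAN names are often the most useful field on a bare IP scan: a certificate issued for `admin.internal.example` tells you what the box is even when the landing page is a blank login form.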
### Advanced Features
- **SSL Error Handling Proxy:** Implements an HTTP -> HTTPS reverse proxy using Golang's `net/http/httputil` package. Chrome Headless refused to render pages behind invalid (self-signed, expired, name-mismatched) certificates when capturing screenshots, so gowitness instead points it at a plain-HTTP listener on localhost, and the proxy makes the HTTPS request to the target with certificate validation disabled. The bypass applies only to the screenshotting step; the certificate details are still recorded.
- **Input Flexibility:** Can scan an entire CIDR range, a list of URLs from a file, or a single URL.
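The proxy mechanism above, as an added example and not gowitness's source: a `httputil.NewSingleHostReverseProxy` bound to a random loopback port whose transport skips certificate verification. A headless browser (or anything else) then fetches `http://127.0.0.1:<port>/` and receives the HTTPS target's page; the `192.0.2.10:8443` target in `main` is a placeholder.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// StartProxy listens on a random loopback port and forwards every plain-HTTP
// request to target over HTTPS, ignoring certificate errors. It returns the
// local URL to hand to the browser and a function that shuts the proxy down.
func StartProxy(target string) (string, func(), error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(u)
	// Validation is off on purpose: the proxy exists so the browser never
	// sees the broken certificate. Only ever bind this to loopback.
	proxy.Transport = &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0") // port 0: kernel picks a free port
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{Handler: proxy}
	go srv.Serve(ln)
	return "http://" + ln.Addr().String(), func() { srv.Close() }, nil
}

// FetchViaProxy does what the screenshot step does: request the local
// http:// address and get the HTTPS target's body back.
func FetchViaProxy(proxyURL string) (int, string, error) {
	resp, err := http.Get(proxyURL + "/")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	// Placeholder target: an internal device presenting a self-signed certificate.
	local, stop, err := StartProxy("https://192.0.2.10:8443")
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("point the headless browser at", local)
}
```

Because the proxy rewrites only the scheme and host, absolute `https://` links and redirects in the page still point at the real target; gowitness only needs the initial render, so that limitation does not matter for a screenshot.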
## Indicators of Compromise
- File Hashes: Not specified in the article.
- File Names: `gowitness` (binary name)
- Registry Keys: Not applicable (Tool execution, not persistent malware).
- Network Indicators: Scanning attempts across common web ports (80, 443, 8080, 8443).
- Behavioral Indicators: Creation and execution of numerous processes/threads leveraging Chrome Headless for web interaction; dynamic proxy setup on random ports for SSL bypass.
## Associated Threat Actors
- The article does not associate `gowitness` with specific known threat actor groups; it is presented as an offensive security tool used by penetration testers/assessors.
## Detection Methods
- **Signature-based detection:** Signatures could target the `gowitness` binary, but a hash changes with every build from source, so match on strings such as the tool name, its command-line flags, or the user agent it sends rather than on a file hash.
- **Behavioral detection:** Monitoring for rapid, concurrent scanning across large IP spaces combined with the execution of Chrome or Chromium instances performing extensive web navigation/rendering (especially those using command-line switches associated with headless mode). Detection of a dynamically initiated HTTP proxy service paired with headless browser activity.
- **YARA rules:** Not provided in the text.
## Mitigation Strategies
- **Prevention:** Apply egress filtering so that internal hosts cannot open connections to arbitrary external or unauthorized addresses, and alert on a single host fanning out to many destinations on 80, 443, 8080 and 8443 in a short window.
- **Hardening recommendations:** Do not expose third-party management interfaces to the public internet unless there is a real need; put them behind a VPN or allow-listed source addresses. Change default login credentials as part of installation, before the service is reachable, and use strong authentication mechanisms.
## Related Tools/Techniques
- EyeWitness (Similar tool focusing on web interface screenshots; identifies default credentials for applications it recognises)
- http-screenshot-html
- httpscreenshot
- Snapper
- Masscan/Nmap (Used for initial broader port scanning before focusing on web interfaces)