EyeWitness - Potential Modifications

This is the second post about the new .Net implementation of EyeWitness. It covers a few modifications you may want to make to the default EyeWitness application. If you missed the first post, check it out here.

EyeWitness is a .Net application, which means you can run it on Windows straight from the console when you also provide the path to a file containing the URLs you want scanned.

EyeWitness running from the console

However, we specifically chose to write the Windows version of EyeWitness in .Net so anyone could use EyeWitness through Beacon (or other agents which allow you to load and run .Net assemblies in memory).

EyeWitness running through Cobalt Strike's Beacon

No matter how you deploy EyeWitness, there are a couple of options you could look into to change how it works out of the box.

Embed URLs within EyeWitness

First, EyeWitness receives the list of systems to target as a parameter passed to the tool. Rather than providing command-line parameters, which can be captured if any command-line auditing is performed, you could choose to embed the URLs you want to scan within EyeWitness itself. You could do this by modifying the source code and adding the systems you are targeting either directly in the code or as an embedded resource.

Embed Signature Files within EyeWitness

On the same note, EyeWitness makes a web request each time it runs to capture the latest signatures, which enable it to categorize sites and detect any potential default credentials. Rather than having EyeWitness make two requests to get the latest signatures, you could also embed the signature files within EyeWitness, either directly in the source code or as an embedded resource.

Change Default EyeWitness Settings

Finally, it could also be worth changing the default location where EyeWitness writes its output. By default, this is the current account's AppData\Roaming directory. You could also choose a different naming scheme for the folder that EyeWitness creates to store the report and its associated files.

Source code locations to modify

While you're at it, when you are compiling your own version of EyeWitness, we would suggest that you compile in "Release" mode vs. "Debug" mode.

It should be noted that EyeWitness really isn't designed to be a "red team" tool. However, with some small changes, it's possible that you might be able to use it in various environments and lessen your likelihood of detection.

Hope this helps describe EyeWitness better, and feel free to Contact Us if you have any questions!