EyeWitness

“TorWitness” Docker Container: Automated (Tor) Websites Screenshots

The idea of this Docker container came after reading the excellent Micah Hoffman’s blog post: Dark Web Report + TorGhost + EyeWitness == Goodness. Like Micah, I’m also receiving a daily file with new websites discovered on the (dark|deep) web (name it as you prefer). This service is provided by @hunchly Twitter account. Once a day, you get an XLS sheet with newly discovered websites. Micah explained how to process automatically these URLs. He’s using TorGhost with EyeWitness (written by Chris Truncer). It worked very well but it requires the installation of many libraries (EyeWitness has a lot of software dependencies) and I hate polluting my system with libraries used by only a few tools. That’s why I using Docker to run everything in a container. Also, processing a new XLS files every way is really a pain! So let’s automate as much as possible. To process the XLS file, I wrote a small Python script xlsxtract.py (see my previous blog post):

# ./xlsxtract.py -w 'New Today' -c A -r 2- -s /tmp/HiddenServices.xlsx
marketos2sttgxde.onion
s4usinb4eu7exiqj.onion
jt3wzqga4wrprwrf.onion
anonstni3rufuvab.onion
torhnpnu2vv5xtrh.onion
torl7e6yohnjtrn3.onion
anggactr2fturxop.onion
ntqb6tpjsdl4kpu7.onion
gfdbbv5mmprt3dor.onion
22222owjmamxwgv4.onion
cbehcy6letx6vnao.onion
2reich6dcr3dclrx.onion
36663z4ei2552lu6.onion

I built a Docker container (‘TorWitness’)  that performs the following tasks:

  • Setup TorGhost and connect to the Tor network
  • Extract .onion URLs from XLS files
  • Take screenshots of the URLs via EyeWitness

But, sometimes, it can be helpful to visit other websites (not only on the .onion) via the Tor network. That’s why you can pass your own list of URLs as an argument.

Here is an example of container execution:

$ cat $HOME/torwitness/urls.txt
https://blog.rootshell.be
https://isc.sans.edu
$ docker run \
     --rm \
     -it ÷
     -v $HOME/torwitness:/data \
     --cap-add=NET_ADMIN --cap-add=NET_RAW \
     torwitness \
     urls.txt
      _____           ____ _               _
     |_   _|__  _ __ / ___| |__   ___  ___| |_
       | |/ _ \| '__| |  _| '_ \ / _ \/ __| __|
       | | (_) | |  | |_| | | | | (_) \__ \ |_
       |_|\___/|_|   \____|_| |_|\___/|___/\__|
    v2.0 - SusmithHCK | www.khromozome.com
[done]
[12:19:18] Configuring DNS resolv.conf file.. [done]
 * Starting tor daemon...  [OK]
[12:19:18] Starting tor service..  [done]
[12:19:19] setting up iptables rules [done]
[12:19:19] Fetching current IP...
[12:19:19] CURRENT IP : 51.15.79.107
Using environment variables:
TIMEOUT=30
MAX_RETRIES=3
Found Onion URLs to process:
https://blog.rootshell.be
https://isc.sans.edu
################################################################################
#                                  EyeWitness                                  #
################################################################################
Starting Web Requests (2 Hosts)
Attempting to screenshot https://blog.rootshell.be
Attempting to screenshot https://isc.sans.edu
Finished in 22.2635469437 seconds
$ cd $HOME/torwitness
$ ls
results-20171025113745 urls.txt
$ cd results-20171025113745
$ firefox result.html

If you don’t pass a file to the Docker, it will parse XLSX files in the /data directory and extract .onion URLs. There are multiple cases where this container can be helpful:

  • Browsing the dark web
  • Performing reconnaissance phase
  • Hunting
  • Browsing attacker’s resources

To build the Docker, instructions and the Dockerfile are available on my GitHub repository.

Leave a Reply

Your email address will not be published. Required fields are marked *