HTTP screenshots with Nmap, Chrome, and Selenium
Several months back I tweeted out a gist of a simple website screenshot python script I wrote as an attempt to fill a gap in tooling that I couldn’t seem to find anywhere. The options I was presented with were either too complex, inconsistent, or outdated. My ideal candidate would be something that integrated easily into Nmap and behaved as closely to a real browser as possible. Luckily after some research I found that selenium coupled with the chrome webdriver could provide just that.
Time and again I have been faced with a seemingly endless scope of IP addresses and a limited amount of time to review them. Whether it be a pentest, red team assessment, or bug bounty, having the ability to quickly identify targets of interest is crucial. Using Trustwave’s http-screenshot Nmap script as a template, I wrapped my python script with a Lua script and registered it with Nmap. After a few test runs against large target sets, I think it’s polished enough to release.
Given the script’s additional dependencies I assume it probably isn’t a candidate for an official Nmap repo pull request, so it’s currently hosted on my forked repo under the http_screenshot branch. After cloning the branch, the following steps will get the script operational.
pip install selenium
Download latest google chrome and install
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb dpkg -i ./google-chrome-stable_current_amd64.deb
Identify google chrome version
Go to the chrome driver download page
Download the version identified from the previous version check (Match to your version) and unzip
wget https://chromedriver.storage.googleapis.com/74.0.3729.169/chromedriver_linux64.zip unzip ./chromedriver_linux64.zip
Move chromedriver to a directory in the PATH env variable or add its directory to the PATH
mv ./chromedriver /usr/bin
Attempts both HTTP and HTTPs protocols
Resolves IP address to domain as some websites render differently for IP and domain name.
Matches resolved domain to SSL certificate subjectName and screenshots both
The script leverages Nmap’s fingerprinting capability (-sV) to determine when it should be executed against the target. It has been added to the default set of scripts so adding -sC will execute the script if the service is determined to be HTTP. As a bonus feature, this branch also includes changes to identify HTTP services running on nonstandard ports so the default scripts will be executed against them as well. The script currently drops all screenshots in the current directory.
nmap -Pn -n -p443 --open -sC -sV securifera.com Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-11 11:34 EDT Nmap scan report for securifera.com (18.104.22.168) Host is up (0.076s latency). PORT STATE SERVICE VERSION 443/tcp open ssl/ssl Apache httpd (SSL-only mode) | http-screenshot: |_ Screenshot saved. |_http-server-header: Apache |_http-title: 400 Bad Request | ssl-cert: Subject: commonName=securifera.com | Subject Alternative Name: DNS:securifera.com, DNS:www.securifera.com | Not valid before: 2019-04-20T15:55:09 |_Not valid after: 2019-07-19T15:55:09 |_ssl-date: TLS randomness does not represent time | tls-alpn: | http/1.1 |_ http/1.1