Investigator Use
EyeWitness is an open-source reconnaissance tool developed by FortyNorth Security that automatically takes screenshots of web pages, RDP (Remote Desktop Protocol) services, and VNC servers during network assessments. For penetration testers, red team operators, and OSINT investigators mapping large web attack surfaces, EyeWitness dramatically reduces the time required to visually triage large numbers of discovered hosts.
The tool accepts input as a list of URLs, IP addresses, or output from network scanning tools like Nmap and Masscan. EyeWitness then visits each target, takes a screenshot, captures headers and page titles, and organizes everything into an HTML report with thumbnail previews. This report format allows investigators to quickly scan hundreds of pages visually, immediately spotting login panels, default device interfaces, administration pages, and misconfigured services without manually visiting each URL.
For OSINT investigators, EyeWitness is particularly useful when conducting reconnaissance on large organizations with many subdomains or IP ranges. After enumerating subdomains with tools like Amass or Subfinder, piping the results through EyeWitness produces a visual inventory of the entire web presence — revealing forgotten test servers, default-credential pages, and exposed internal applications.
EyeWitness also attempts to identify default credentials and common web technologies, flagging potential vulnerabilities for further investigation. The HTML report includes response codes, server headers, and page titles alongside screenshots — providing quick technical context without full manual analysis.
Installation requires Python and several dependencies including Selenium and a headless browser. The tool runs on Linux and is best deployed on a dedicated reconnaissance machine rather than a personal workstation, as it generates significant traffic. For authorized assessments, this behavior is expected; for passive OSINT, consider the footprint implications.
Limitations include JavaScript-heavy pages that may not render correctly in headless mode, and some sites that actively block automated browsers. Modern anti-bot protections may return CAPTCHAs or blank pages.
Document the target list, execution date, and retain the HTML report as evidence for authorized assessments. Always verify explicit authorization before running EyeWitness against any target.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
Change Detection
Archive & Capture
Monitor any website for changes with Visualping. Get instant alerts via email, SMS, API or Slack when a web page changes. Try it free today!
Follow that page
Archive & Capture
Follow That Page monitors web pages for content changes and sends alerts to support ongoing surveillance of investigation targets.
Image Wayback
Archive & Capture
ArcGIS Image Wayback archives satellite imagery over time, enabling investigators to compare historical and current aerial views of any location.
Screen Capture
Archive & Capture
ShareX is a free screen capture tool with scrolling capture, annotation, and OCR for documenting OSINT investigation findings.
SingleFile
Archive & Capture
Web Extension for saving a faithful copy of a complete web page in a single HTML file
URL Watch
Archive & Capture
Watch (parts of) webpages and get notified when something changes via e-mail, on your phone or via other means. Highly configurable.