Tools can obviously help, vulnerability scanners can help point out potentially exploitable services whether due to missing patches or simple misconfiguration. Port scanning steers a tester in the right direction for identifying common services of interest. However, a common frustration I encounter on a regular basis is finding interesting web servers. Finding web servers is obviously easy enough, but I often find myself verifying the contents of each web server manually in a browser to determine whether any are worthy of further investigation/exploitation. The majority will usually be running default content - maybe IIS in it's default state, but quickly identifying administrative interfaces or sites running custom applications can be very beneficial in concentrating efforts and importantly - saving time.
I've written a small Perl script to do just that - a quick visual overview of web sites and response capture from a list of hostnames/ports fed via STDIN. Pipe straight from your favourite port scanner, grep for http[s] into webscour.pl, and you'll get a nicely formatted HTML page containing thumbnails and the response headers from each site.
echo -e "www.google.co.uk:80\nwww.yahoo.co.uk" | ./webscour.pl /tmp/out.htm
The idea is you should be able to dismiss uninteresting sites very quickly, and identify more interesting sites for further manual examination. The script is clever enough to work out whether or not the site is running HTTPS, just fire it a list of hosts and optionally ports.
Any improvements/enhancements, please get in touch. Currently the only dependency other than a few common Perl modules is gnome-web-photo, but you could replace this with your favourite thumbnailer to get the same effect.
Download here. Enjoy.
