Home Tech Scrying: RDP, Web and VNC screen capture tool

Scrying: RDP, Web and VNC screen capture tool

Scrying: RDP, Web and VNC screen capture tool
Scrying: RDP, Web and VNC screen capture tool

Scrying is a new tool for collecting RDP, Web, and VNC screenshots. The tool is still a work in progress and can be used already, but it’s not complete yet.

RDP, Web, and VNC are Remote Desktop services that help to control the computer remotely, if it is revealed that the account is leaked to the outside, it will be considered that Hackers have full control over your computer.

The web screen capture feature relies on whether Chromium or Google Chrome is installed.

Since Eyewitness recently stopped supporting RDP, there is no CLI tool that takes screenshots of RDP. Nessus still works, but it’s a bit difficult to export the image and can’t export the file either.

So this is a good chance for the author to write a new tool that is stronger than the previous tools.

Install Scrying

For web screenshots, the tool has to depend on whether you have Chromium or Google Chrome installed.

Download the latest Scrying release at GitHub. Debian is available for the distributions you need (install by command sudo dpkg -i scrying* .deb) and binaries for Windows, Mac, and Linux.


Find a website, RDP server or VNC server:

$ scrying -t http://example.com

$ scrying -t rdp://

$ scrying -t 2001:db8::5 --mode web

$ scrying -t 2001:db8::5 --mode rdp

$ scrying -t

$ scrying -t vnc://[2001:db8::53]:5901

Scrying will automatically get the screenshot from the Nmap output:

$ nmap -iL targets.txt -p 80,443,8080,8443,3389 -oX targets.xml

$ scrying --nmap targets.xml

Choose a different output folder for the image:

$ scrying -t 2001:db8::3 --output-dir /tmp/scrying_outputs

Run the file targets:

$ cat targets.txt




$ scrying -f targets.txt

Run by web proxy:

$ scrying -t http://example.com --web-proxy

$ scrying -t http://example.com --web-proxy socks5://\[::1\]:1080

The image file will be saved as a PNG in the following folder structure:

Scrying: RDP, Web and VNC 7 screenshot capture tool

Check the results in the file output/report.html


Features with a tick next to that feature are already complete, others are in development:

  • Automatically determines whether the input is the web address or RDP server
  • Automatically create output directory if it does not already exist
  • Save images with a consistent and unique name in server / IP
  • Full support for IPv6 and IPv4 characters as well as hostnames
  • Read the targets from the file and decide if they are RDP or HTTP or use hints
  • Smartly parse the target from the results of Nmap and Nessus
  • HTTP – use Chromium / Chrome in headless mode
  • Cross-platform support – tested on Linux, Windows, and Mac
  • Generating HTML reports makes it easy for you to see results
  • VNC
  • RDP
  • Stream video – tracking
  • timestamp option in the filename
  • Read target from the output msf -o service in CSV format
  • OCR on RDP username, directly or on image folder
  • NLA / auth to check credentials
  • Parse the JSON Dirble output to get a screenshot of the entire web page

Command syntax

    scrying [FLAGS] [OPTIONS] <--file <FILE>...|--nmap <NMAP XML FILE>...|--nessus <NESSUS XML FILE>...|--target <TARGET>...>

    -s, --silent         Suppress most log messages
        --test-import    Exit after importing targets
    -v, --verbose        Increase log verbosity
    -h, --help           Prints help information
    -V, --version        Prints version information

    -f, --file <FILE>...                 Targets file, one per line
    -l, --log-file <LOG FILE>            Save logs to the given file
    -m, --mode <MODE>
            Force targets to be parsed as `web`, `rdp`, `vnc` [default: auto]  [possible values:
            web, rdp, vnc, auto]
        --nessus <NESSUS XML FILE>...    Nessus XML file
        --nmap <NMAP XML FILE>...        Nmap XML file
    -o, --output <OUTPUT DIR>            Directory to save the captured images in [default: output]
        --proxy <PROXY>
            Default SOCKS5 proxy to use for connections e.g. socks5://[::1]:1080

        --rdp-proxy <RDP PROXY>
            SOCKS5 proxy to use for RDP connections e.g. socks5://[::1]:1080

        --rdp-timeout <RDP TIMEOUT>
            Seconds to wait after last bitmap before saving an image [default: 2]

    -t, --target <TARGET>...             Target, e.g. http://example.com, rdp://[2001:db8::4]
        --threads <THREADS>              Number of worker threads for each target type [default: 10]
        --web-proxy <WEB PROXY>
            HTTP/SOCKS Proxy to use for web requests e.g. http://[::1]:8080
Previous articleHow to create a VPN Using Free Amazon AWS VPS
Next article5 Best Assassin’s Creed RPG You Should Play


Please enter your comment!
Please enter your name here