Scrying is a new tool for collecting RDP, Web, and VNC screenshots. It is still a work in progress: it can already be used, but it is not complete yet.
RDP, Web, and VNC services allow a computer to be controlled remotely. If an account for one of them is leaked to the outside, attackers should be considered to have full control over your computer.
The web screenshot feature requires Chromium or Google Chrome to be installed.
Since EyeWitness recently stopped supporting RDP, there is no CLI tool that takes screenshots of RDP. Nessus still works, but it's a bit difficult to export the image and can't export the file either.
So this is a good chance for the author to write a new tool that is stronger than the previous tools.
Install Scrying
For web screenshots, the tool depends on Chromium or Google Chrome being installed.
Download the latest Scrying release from GitHub. A Debian package is available for the distributions that need it (install it with the command sudo dpkg -i scrying*.deb), along with binaries for Windows, Mac, and Linux.
Usage
Capture a single website, RDP server or VNC server:
$ scrying -t http://example.com
$ scrying -t rdp://192.0.2.1
$ scrying -t 2001:db8::5 --mode web
$ scrying -t 2001:db8::5 --mode rdp
$ scrying -t 192.0.2.2
$ scrying -t vnc://[2001:db8::53]:5901
Scrying can automatically take screenshots of the targets listed in Nmap output:
$ nmap -iL targets.txt -p 80,443,8080,8443,3389 -oX targets.xml
$ scrying --nmap targets.xml
Choose a different output folder for the images:
$ scrying -t 2001:db8::3 --output /tmp/scrying_outputs
Run against a file of targets:
$ cat targets.txt
http://example.com
rdp://192.0.2.1
2001:db8::5
$ scrying -f targets.txt
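As an added example (not part of Scrying or the original article), the Python script below turns Nmap XML into a targets file with explicit scheme hints, so an audit of your own hosts does not depend on auto-detection. The port-to-scheme mapping, the function name and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Port-to-scheme hints; this mapping is an assumption of the example.
SCHEMES = {80: "http", 8080: "http", 443: "https", 8443: "https",
           3389: "rdp", 5900: "vnc", 5901: "vnc"}
DEFAULT_PORT = {"http": 80, "https": 443, "rdp": 3389, "vnc": 5900}

# Constructed sample of `nmap -oX` output (documentation addresses only).
SAMPLE_XML = """<nmaprun>
  <host><status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports></host>
  <host><status state="up"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac"/>
    <address addr="2001:db8::5" addrtype="ipv6"/>
    <ports>
      <port protocol="tcp" portid="8443"><state state="open"/></port>
      <port protocol="tcp" portid="5901"><state state="open"/></port>
    </ports></host>
</nmaprun>"""

def targets_from_nmap(xml_text):
    """Return scheme-hinted target lines for every open, recognised TCP port."""
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        # Skip MAC entries; use the first IPv4/IPv6 address of the host.
        addr = next((a for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        ip = addr.get("addr")
        if addr.get("addrtype") == "ipv6":
            ip = f"[{ip}]"  # IPv6 literals need brackets before a port
        for port in host.iter("port"):
            state = port.find("state")
            number = int(port.get("portid"))
            scheme = SCHEMES.get(number)
            if (port.get("protocol") != "tcp" or scheme is None
                    or state is None or state.get("state") != "open"):
                continue
            suffix = "" if DEFAULT_PORT[scheme] == number else f":{number}"
            targets.append(f"{scheme}://{ip}{suffix}")
    return targets

if __name__ == "__main__":
    print("\n".join(targets_from_nmap(SAMPLE_XML)))
```

Redirect the output to targets.txt and pass it to scrying -f as shown above.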
Run through a web proxy:
$ scrying -t http://example.com --web-proxy http://127.0.0.1:8080
$ scrying -t http://example.com --web-proxy socks5://\[::1\]:1080
The image file will be saved as a PNG in the following folder structure:
Check the results in the file output/report.html
Features
Features with a tick next to them are already complete; the others are in development:
- Automatically determines whether the input is the web address or RDP server
- Automatically create output directory if it does not already exist
- Save images with a consistent and unique filename derived from the server name / IP
- Full support for IPv6 and IPv4 literals as well as hostnames
- Read targets from a file and decide whether they are RDP or HTTP, or use hints
- Smartly parse targets from Nmap and Nessus output
- HTTP – use Chromium / Chrome in headless mode
- Cross-platform support – tested on Linux, Windows, and Mac
- Generating HTML reports makes it easy for you to see results
- VNC
- RDP
- Stream video – tracking
- Timestamp option in the filename
- Read targets from the CSV output of msf services -o
- OCR on RDP usernames, directly or on an image folder
- NLA / auth to check credentials
- Parse Dirble JSON output to get screenshots of the entire web page
Command syntax
USAGE:
    scrying [FLAGS] [OPTIONS] <--file <FILE>...|--nmap <NMAP XML FILE>...|--nessus <NESSUS XML FILE>...|--target <TARGET>...>
FLAGS:
    -s, --silent         Suppress most log messages
        --test-import    Exit after importing targets
    -v, --verbose        Increase log verbosity
    -h, --help           Prints help information
    -V, --version        Prints version information
OPTIONS:
    -f, --file <FILE>...                 Targets file, one per line
    -l, --log-file <LOG FILE>            Save logs to the given file
    -m, --mode <MODE>
            Force targets to be parsed as `web`, `rdp`, `vnc` [default: auto] [possible values:
            web, rdp, vnc, auto]
        --nessus <NESSUS XML FILE>...    Nessus XML file
        --nmap <NMAP XML FILE>...        Nmap XML file
    -o, --output <OUTPUT DIR>            Directory to save the captured images in [default: output]
        --proxy <PROXY>
            Default SOCKS5 proxy to use for connections e.g. socks5://[::1]:1080
        --rdp-proxy <RDP PROXY>
            SOCKS5 proxy to use for RDP connections e.g. socks5://[::1]:1080
        --rdp-timeout <RDP TIMEOUT>
            Seconds to wait after last bitmap before saving an image [default: 2]
    -t, --target <TARGET>...             Target, e.g. http://example.com, rdp://[2001:db8::4]
        --threads <THREADS>              Number of worker threads for each target type [default: 10]
        --web-proxy <WEB PROXY>
            HTTP/SOCKS Proxy to use for web requests e.g. http://[::1]:8080