
ScreenSniper: A Powerful Tool for PenTesting and Webpage Analysis
In the fast-evolving world of cybersecurity, penetration testers need efficient tools to identify vulnerabilities quickly and accurately. Enter ScreenSniper, a Python-based penetration testing tool designed to analyze webpage screenshots and uncover potential security risks. By leveraging Tesseract OCR for text extraction and customizable JSON templates for pattern matching, ScreenSniper empowers testers to detect issues like exposed login pages, default server configurations, or sensitive information leaks with ease. Paired with its companion Website Screenshot Tool, it offers a comprehensive solution for authorized security testing. In this article, we’ll explore ScreenSniper’s features, installation, usage, and how it can supercharge your penetration testing workflow.
What is ScreenSniper?
ScreenSniper is an open-source tool tailored for penetration testers who need to analyze webpage screenshots during authorized testing. It extracts text from screenshots using Tesseract OCR and matches it against predefined templates to generate meta tags, such as PageType: Login Page or SecurityRisk: Sensitive Information Exposure. These meta tags help testers quickly identify vulnerabilities, such as directory listings, default server pages, or exposed stack traces, making it an invaluable asset for security assessments.
Additionally, the Website Screenshot Tool, included in the same repository, automates the process of capturing screenshots from a list of URLs using Playwright’s headless Chromium browser. Together, these tools streamline the process of gathering and analyzing webpage data, saving testers time and effort.
Key Features of ScreenSniper
ScreenSniper is packed with features that make it a standout tool for penetration testing:
- OCR-Powered Text Extraction: Utilizes Tesseract OCR to extract text from webpage screenshots, enabling detailed analysis of visual content.
- Template-Based Detection: Matches extracted text against customizable JSON templates in the detectionPatterns/ directory to generate security-relevant meta tags.
- Flexible Output Formats: Supports plain text, JSON, and XML outputs, allowing seamless integration into various workflows.
- Verbose Debugging: An optional --verbose flag provides detailed preprocessing steps and extracted text for troubleshooting.
- Customizable Templates: Easily add or modify detection templates to tailor the tool to specific testing needs.
- Lightweight and Free: Built with open-source libraries, ScreenSniper is cost-free and resource-efficient.
The Website Screenshot Tool complements ScreenSniper with:
- Concurrent Processing: Captures screenshots for multiple URLs simultaneously, with a semaphore to manage resource usage.
- Headless Browser: Uses Playwright’s Chromium in headless mode for reliable webpage rendering.
- Customizable Screenshots: Configurable viewport size and user agent ensure consistent results.
- Robust Error Handling: Gracefully handles timeouts and errors for uninterrupted operation.
Installation Guide
Setting up ScreenSniper and the Website Screenshot Tool is straightforward. Below are the steps to get started.
Prerequisites
- Python 3.8+: Ensure Python is installed on your system.
- Tesseract OCR: Required for ScreenSniper’s text extraction.
  - Ubuntu: sudo apt-get install tesseract-ocr
  - macOS: brew install tesseract
  - Windows: Download from GitHub and add to your PATH.
- Playwright: Required for the Website Screenshot Tool.
- A list of URLs for screenshot capture (for the Website Screenshot Tool).
Installation Steps
- Clone the Repository:
git clone https://github.com/DotNetRussell/ScreenSniper.git
cd ScreenSniper
- Set Up a Virtual Environment (optional but recommended):
python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate
- Install Dependencies:
pip install -r requirements.txt
- Install Playwright Browsers (for Website Screenshot Tool):
playwright install
- Verify Tesseract Installation (for ScreenSniper):
tesseract --version
Using ScreenSniper
ScreenSniper is designed for ease of use, with intuitive commands and flexible options. Here’s how to get started.
Basic Command
To analyze a webpage screenshot and generate meta tags in the default plain text format:
python screenSniper.py path/to/screenshot.png
Example Output (for a screenshot of a login page with amFOSS CMS):
PageType: Login Page
Technology: amFOSS CMS
SecurityRisk: Check for Known CMS Vulnerabilities
File Path: testImages/login-cms.png
Advanced Options
- Verbose Output: View preprocessing steps and extracted text for debugging:
python screenSniper.py path/to/screenshot.png --verbose
This generates detailed logs and debug images (e.g., debug_resized.png, debug_threshold.png) to troubleshoot OCR issues.
- Output Formats: Choose between plain text, JSON, or XML:
  - JSON:
python screenSniper.py path/to/screenshot.png --output-format json
Output:
{
  "meta_tags": [
    "PageType: Login Page",
    "Technology: amFOSS CMS",
    "SecurityRisk: Check for Known CMS Vulnerabilities",
    "File Path: testImages/login-cms.png"
  ]
}
  - XML:
python screenSniper.py path/to/screenshot.png --output-format xml
Output:
<?xml version="1.0" ?>
<result>
  <meta_tags>
    <meta_tag>PageType: Login Page</meta_tag>
    <meta_tag>Technology: amFOSS CMS</meta_tag>
    <meta_tag>SecurityRisk: Check for Known CMS Vulnerabilities</meta_tag>
    <meta_tag>File Path: testImages/login-cms.png</meta_tag>
  </meta_tags>
</result>
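To feed either structured format into a triage step, the sketch below reads the JSON and XML output shown above into one record shape and indexes screenshots by SecurityRisk. It is an added example, not part of ScreenSniper; the function names read_tags, to_record and risk_index are hypothetical, and the two sample strings are the article's own example output.

```python
import json
import xml.etree.ElementTree as ET

# Sample output copied from the article's JSON and XML examples.
JSON_OUT = ('{ "meta_tags": [ "PageType: Login Page", "Technology: amFOSS CMS", '
            '"SecurityRisk: Check for Known CMS Vulnerabilities", '
            '"File Path: testImages/login-cms.png" ] }')
XML_OUT = ('<?xml version="1.0" ?> <result> <meta_tags> '
           '<meta_tag>PageType: Login Page</meta_tag> '
           '<meta_tag>Technology: amFOSS CMS</meta_tag> '
           '<meta_tag>SecurityRisk: Check for Known CMS Vulnerabilities</meta_tag> '
           '<meta_tag>File Path: testImages/login-cms.png</meta_tag> '
           '</meta_tags> </result>')


def read_tags(raw):
    """Return the 'Key: Value' strings from one JSON or XML result."""
    raw = raw.strip()
    if raw.startswith("{"):
        return json.loads(raw)["meta_tags"]
    return [el.text or "" for el in ET.fromstring(raw).iter("meta_tag")]


def to_record(tags):
    """Split each tag on its first colon; a key may carry several values."""
    record = {}
    for tag in tags:
        key, sep, value = tag.partition(":")
        if sep:  # skip anything that is not in Key: Value form
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def risk_index(raw_outputs):
    """Map each SecurityRisk value to the screenshots that produced it."""
    index = {}
    for raw in raw_outputs:
        record = to_record(read_tags(raw))
        path = record.get("File Path", ["<unknown>"])[0]
        for risk in record.get("SecurityRisk", []):
            index.setdefault(risk, []).append(path)
    return index


if __name__ == "__main__":
    print(risk_index([JSON_OUT, XML_OUT]))
```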
Using the Website Screenshot Tool
To capture screenshots of websites, prepare a file (e.g., urls.txt) with one URL per line:
google.com
github.com
example.com
Run the script by piping the URLs:
cat urls.txt | python3 screenshot.py
Output:
Saved screenshot for https://google.com as google.com.png
Saved screenshot for https://github.com as github.com.png
Screenshots are saved as PNG files in the current directory, named after the domain.
Customizing Detection Templates
ScreenSniper’s flexibility lies in its customizable JSON templates, stored in the detectionPatterns/ directory. Each template defines conditions for matching text and generating meta tags.
Example Template: login_page.json
{
  "name": "Login Page",
  "conditions": ["login", "sign in", "username", "password", "user", "pass", "forgot"],
  "negative_conditions": ["logout", "sign out"],
  "meta_tags": [
    "PageType: Login Page"
  ]
}
Adding a New Template
To detect password reset pages:
- Create detectionPatterns/password_reset.json:
{
  "name": "Password Reset Page",
  "conditions": ["forgot", "reset", "password"],
  "meta_tags": [
    "PageType: Password Reset Page",
    "SecurityRisk: Check for Insecure Reset Mechanism"
  ]
}
- Test it on a screenshot of a password reset page.
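Before testing on real screenshots, it helps to check how a new template interacts with the existing ones. The following is an added example, not ScreenSniper's own code: it evaluates the two templates above against constructed OCR text under assumed matching rules (case-insensitive substring match, any negative condition vetoes the template), and the min_hits parameter is hypothetical.

```python
import json

# Templates copied from the article (stored under detectionPatterns/ in the tool).
LOGIN = json.loads("""{
  "name": "Login Page",
  "conditions": ["login", "sign in", "username", "password", "user", "pass", "forgot"],
  "negative_conditions": ["logout", "sign out"],
  "meta_tags": ["PageType: Login Page"]
}""")
RESET = json.loads("""{
  "name": "Password Reset Page",
  "conditions": ["forgot", "reset", "password"],
  "meta_tags": ["PageType: Password Reset Page",
                "SecurityRisk: Check for Insecure Reset Mechanism"]
}""")

# Constructed OCR text, standing in for what --verbose would print.
RESET_PAGE = "Forgot your password? Enter your email and we will send a reset link."
DASHBOARD = "Welcome back, admin. Change password | Logout"


def matches(template, text, min_hits=1):
    """ASSUMED semantics, not read from screenSniper.py: case-insensitive
    substring match, at least min_hits conditions present, and any
    negative condition vetoes the template. min_hits is hypothetical."""
    text = text.lower()
    if any(n.lower() in text for n in template.get("negative_conditions", [])):
        return False
    hits = sum(1 for c in template["conditions"] if c.lower() in text)
    return hits >= min_hits


def meta_tags_for(templates, text, min_hits=1):
    """Collect meta tags from every template that matches the text."""
    tags = []
    for template in templates:
        if matches(template, text, min_hits):
            tags.extend(template["meta_tags"])
    return tags


if __name__ == "__main__":
    for label, text in (("reset page", RESET_PAGE), ("dashboard", DASHBOARD)):
        print(label, "->", meta_tags_for([LOGIN, RESET], text))
    # Requiring two keyword hits drops the dashboard false positive.
    print("dashboard, min_hits=2 ->", meta_tags_for([LOGIN, RESET], DASHBOARD, 2))
```

Under these assumptions the reset page is tagged by both templates, and the logged-in dashboard is tagged as a reset page because it contains "password". Shared keywords such as "forgot" and "password" are the place to look when a new template produces overlapping or unexpected tags.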
Troubleshooting Tips
- OCR Errors: If text extraction fails, use --verbose to inspect debug images. Ensure screenshots are high-resolution and text is legible.
- Tesseract Not Found: Verify Tesseract is in your PATH or set the path explicitly in screenSniper.py:
pytesseract.pytesseract.tesseract_cmd = r"C:\Program Files\Tesseract-OCR\tesseract.exe"
- Template Not Matching: Check extracted text with --verbose and add more keyword variations to the template.
- Screenshot Tool Timeouts: Adjust the timeout value in screenshot.py if URLs load slowly.
Contributing to ScreenSniper
ScreenSniper is open-source and welcomes contributions. To contribute:
- Fork the repository.
- Create a feature branch (git checkout -b feature/your-feature).
- Commit changes (git commit -m "Add your feature").
- Push to the branch (git push origin feature/your-feature).
- Open a pull request.
Ideas for Contributions:
- Add detection templates for new vulnerabilities or technologies.
- Improve OCR accuracy with alternative libraries like PaddleOCR.
- Implement batch processing for multiple screenshots.
- Integrate automated testing for detected vulnerabilities.
Why Choose ScreenSniper?
ScreenSniper stands out for its simplicity, flexibility, and power. Its OCR-driven analysis, customizable templates, and multiple output formats make it a versatile tool for penetration testers. The Website Screenshot Tool adds efficiency by automating screenshot capture, allowing testers to focus on analysis rather than manual tasks. Licensed under the MIT License, ScreenSniper is free to use and modify, making it accessible to security professionals and enthusiasts alike.
Whether you’re auditing a single webpage or conducting a large-scale security assessment, ScreenSniper and its screenshot tool provide a robust, open-source solution to enhance your workflow. Clone the repository from GitHub today and start uncovering vulnerabilities with ease!