IVRE: screenshot all the things!

The title of this blog comes from a nice article from 2014 named "Scan Internet and Screenshot all the things".

Some people have been asking us how the screenshots published with the Internet-wide Modbus scan were taken.

Truth is, there was nothing to be proud of, and nothing worth publishing. As an example, I used a PhantomJS script to screenshot a Web-based RDP client…

But there is some great news: four Nmap scripts are now integrated into IVRE to take screenshots, and they handle four different protocols.

The scripts

  • http-screenshot.nse uses a simple PhantomJS script to render Web pages.
  • x11-screenshot.nse uses the ImageMagick import command to grab screenshots from open X11 servers.
  • vnc-screenshot.nse is a very basic implementation of the RFB protocol: it sends a “framebuffer update request” command and parses the result. This script requires Lua version 5.3, which has been integrated in Nmap version 7.25BETA2, and the ImageMagick convert command.
  • rtsp-screenshot.nse uses ffmpeg to capture an image from RTSP servers. It relies on a modified version of the rtsp-url-brute.nse script to get valid RTSP URLs for each server. Thanks to Caroline for this one!
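
The RFB exchange named in the list above, as an added Python example (not code from the NSE script or from IVRE): it builds the client's FramebufferUpdateRequest and parses a server FramebufferUpdate with bounds checks, using the message layouts from RFC 6143. The function names, the restriction to the Raw encoding and the sample bytes are assumptions made for illustration.

```python
import struct

RAW_ENCODING = 0  # RFC 6143 section 7.7.1; the only encoding handled here

def framebuffer_update_request(x, y, width, height, incremental=False):
    """Client-to-server message type 3 (RFC 6143 section 7.5.3), 10 bytes."""
    return struct.pack(">BBHHHH", 3, int(incremental), x, y, width, height)

def parse_framebuffer_update(data, bytes_per_pixel):
    """Parse a server FramebufferUpdate (type 0) made of Raw rectangles.

    Returns a list of (x, y, width, height, pixel_bytes). Raises ValueError
    on truncated input, an unexpected message type or a non-Raw encoding,
    so a broken or hostile server cannot make the parser read past the data.
    """
    if len(data) < 4:
        raise ValueError("truncated FramebufferUpdate header")
    msg_type, _padding, n_rects = struct.unpack_from(">BBH", data, 0)
    if msg_type != 0:
        raise ValueError(f"unexpected message type {msg_type}")
    offset, rects = 4, []
    for _ in range(n_rects):
        if len(data) - offset < 12:
            raise ValueError("truncated rectangle header")
        x, y, w, h, enc = struct.unpack_from(">HHHHi", data, offset)
        offset += 12
        if enc != RAW_ENCODING:
            raise ValueError(f"unsupported encoding {enc}")
        size = w * h * bytes_per_pixel
        if len(data) - offset < size:
            raise ValueError("truncated pixel data")
        rects.append((x, y, w, h, data[offset:offset + size]))
        offset += size
    return rects

# Constructed sample: one 2x1 rectangle at (0, 0), 4 bytes per pixel.
SAMPLE_UPDATE = (
    struct.pack(">BBH", 0, 0, 1)
    + struct.pack(">HHHHi", 0, 0, 2, 1, RAW_ENCODING)
    + bytes.fromhex("ff000000" "00ff0000")
)

if __name__ == "__main__":
    print(framebuffer_update_request(0, 0, 800, 600).hex())
    print(parse_framebuffer_update(SAMPLE_UPDATE, 4))
```
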

Usage

Each script has its own self-documentation that should be sufficient. If you have any questions, open an issue!

Have fun!

Caroline and I have run an Internet-wide scan of the most frequently used ports for “screenshotable” protocols, using Masscan with banner collection. Then, since IVRE matches Nmap fingerprints against Masscan results (to identify services, products and versions based on the collected banners), we identified the relevant targets and started Nmap scans against them using --script screenshot.

As a teaser, here are some of our favorite screenshots, but there are many others out there. Go get IVRE and find them!

[Screenshot gallery: 24 images, SCR01 to SCR24]