Many penetration testers are familiar with peepingtom, a python program that’s commonly used to web scrape (gather intel about) web servers, to better assess which to attack (test) and how. Author Tim Tomes wrote peepingtom after struggling with an nmap-based approach to web scraping that is described in pauldotcom podcast #291 in 2012.
Recently, I've been playing with peepingtom to see whether it would be useful to include in a DNS abuse investigations training I deliver to public safety community members. Today, I'll explain how I installed peepingtom on my Macs. My installation is basically the same as the Linux install that's described in the Red Team Field Manual (RTFM, I strongly encourage you to get a copy).
Install dependencies: cURL and phantomjs
Peepingtom depends on cURL and phantomjs for correct operation. To install cURL, download http://curl.haxx.se/download/curl-7.38.0.tar.gz and unpack it into a folder of your choice. You can also open a Terminal and use wget and tar, which are included in your OpenBSD.
$ tar -zxvf curl-7.38.0.tar.gz
Change into the unpacked curl-7.38.0 directory and build it:
$ cd curl-7.38.0
$ make && sudo make install
Be patient, the build and install take a few minutes. You'll be prompted for your super user password to complete the install. Confirm the install by running curl --help
Next, download phantomjs from http://phantomjs.org/download.html. For Mac OS, you’ll download and extract/unpack phantomjs-1.9.7-macosx.zip. The binary phantomjs in the folder phantomjs-1.9.7-macosx is ready to use.
Make a directory for peepingtom and use git clone to copy the peepingtom repository into your new directory:
$ mkdir peepingtom
$ git clone https://bitbucket.org/LaNMaSteR53/peepingtom.git
The last step is important: copy the phantomjs binary from phantomjs-1.9.7-macosx to the peepingtom directory.
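To confirm that the three pieces above are actually in place before moving on (curl on the PATH, the phantomjs binary copied into the peepingtom directory and executable, and the cloned peepingtom.py), here is a small checker. It is an added example, not code from the original post or from the peepingtom project; the directory layout it assumes (phantomjs and peepingtom.py side by side in one directory) is the one the install steps describe.

```shell
# Added verification helper (not part of the original post or of peepingtom).
# Checks the three things the install steps put in place:
#   1. curl is on PATH and runs (the same check as "curl --help")
#   2. phantomjs sits inside the peepingtom directory and is executable
#   3. peepingtom.py is present in that directory
# Usage: check_peepingtom_setup /path/to/peepingtom
# Returns 0 when everything is in place, otherwise the number of missing items.
check_peepingtom_setup() {
    dir="${1:-./peepingtom}"
    missing=0

    if command -v curl >/dev/null 2>&1 && curl --help >/dev/null 2>&1; then
        echo "ok      curl found at $(command -v curl)"
    else
        echo "MISSING curl is not on PATH (or does not run)"
        missing=$((missing + 1))
    fi

    if [ -x "$dir/phantomjs" ]; then
        echo "ok      $dir/phantomjs is present and executable"
    else
        echo "MISSING $dir/phantomjs (copy the binary from phantomjs-1.9.7-macosx, then chmod +x it)"
        missing=$((missing + 1))
    fi

    if [ -f "$dir/peepingtom.py" ]; then
        echo "ok      $dir/peepingtom.py is present"
    else
        echo "MISSING $dir/peepingtom.py (did git clone finish?)"
        missing=$((missing + 1))
    fi

    return "$missing"
}
```

Run it as `check_peepingtom_setup ~/peepingtom`; a non-zero exit status tells you how many items still need attention, and the printed lines say which.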
Get acquainted with peepingtom
With curl installed and phantomjs in the peepingtom directory, get acquainted with the options:
Here’s an example to get you started. This command scrapes the IMDB page for Simple Life and directs the output to a folder called simplelife:
From a browser, open the file peepingtom.html in simplelife.
peepingtom gives you a snapshot of the page and a snapshot of the source, and saves a copy of the web page source. Note that you will not execute any scripts on web pages you visit with peepingtom. This is a great way to safely grab content for offline examination. You can also use list input mode (-l) to scan URLs you've copied to a file, or domains/IP addresses for listening services (e.g., http/80).
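Lists gathered during an investigation rarely arrive as clean URLs: you get bare hostnames, host:port pairs, or service/port notes like the http/80 example above. The helper below normalises such a file into one URL per line for list input mode. It is an added example, not code from the original post or from peepingtom; it assumes that -l accepts a plain file of URLs, one per line, and the host/port input form is my own convention for the "listening services" case.

```shell
# Added helper (not part of the original post or of peepingtom itself).
# Turns a rough target list into one URL per line for peepingtom's -l mode.
# Assumption: -l reads a file containing one URL per line.
# Accepted input lines: "host", "host:port", "host/port" (assumed form for
# "listening service on port N"), or a full http(s):// URL. Blank lines and
# "#" comments are skipped; exact duplicates are dropped, order is preserved.
# Usage: build_peepingtom_list targets.txt > urls.txt
build_peepingtom_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        # trim surrounding whitespace, then skip comments and blanks
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            ''|'#'*) continue ;;
            http://*|https://*) printf '%s\n' "$line"; continue ;;
        esac
        # split "host:port" or "host/port"; a bare host defaults to port 80
        host=${line%%[:/]*}
        port=${line#"$host"}
        port=${port#[:/]}
        [ -n "$port" ] || port=80
        # pick a scheme from the port; peepingtom fetches whatever URL it is given
        case "$port" in
            443|8443) scheme=https ;;
            *)        scheme=http ;;
        esac
        printf '%s://%s:%s\n' "$scheme" "$host" "$port"
    done < "$1" | awk '!seen[$0]++'
}
```

Feed the result to peepingtom with -l and point the output folder somewhere you can review offline, exactly as in the single-URL run above. Lines with IPv6 literals would need bracket handling that this version does not attempt.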
Next Post: Use Cases
In my next post, I’ll share some examples of how you might use peepingtom to look for malicious domain names, URLs, and scripts in the content you’ve grabbed.