Bishop Fox, the largest private professional services firm focused on offensive security testing, has created a new AI-based, open source pentesting tool called Eyeballer. Senior Security Associate Dan Petro and Senior Security Analyst Gavin Stroy presented Eyeballer to the world today at a 2019 Black Hat Arsenal presentation, “A Picture is Worth a Thousand Vulns: Weaponized Machine Learning to Target Website Screenshots,” in Las Vegas.
The machine learning Eyeballer tool was designed to help pentesters quickly identify what websites are “interesting” and which ones aren’t when looking at a large-scale external perimeter. Notably, Eyeballer doesn’t actually “hack into” anything. Its whole job is to look at screenshots of websites and identify the ones that are most likely to contain actionable leads for the human hacker.
“We strongly believe that the future of hacking includes augmenting human expertise with AI analysis. While there are a number of AI tools on the defensive side, there are few, if any, that pentesters can use for offensive security,” said Petro. “With Eyeballer, we wanted to make a practical pentesting tool that would help every offensive hacker do their jobs better and faster.”
Eyeballer uses a convolutional neural network to sift through mountains of screenshots and flag, from appearance alone, which sites are likely to contain actionable leads and which are not. Specifically, it is a multi-label classifier: each screenshot is tagged with zero or more labels that are of specific value to pentesters, the things a human is typically looking for during a large-scale external engagement. For example: Does the site look old? Does it have a login form? Is it the homepage of an application? Is it a custom 404 page?
In particular, finding websites that “look old” is extremely valuable when trying to break in. Old websites have a distinct look-and-feel that is hard to define precisely and impossible to express as a traditional signature, so conventional scanners cannot search for it. Yet such sites are high-value targets for pentesters, because their age usually means unpatched components and outdated frameworks. A model that can recognize the “old looking” aesthetic from a screenshot fills that gap.
“In terms of accuracy, our latest Eyeballer models are hitting a benchmark of approximately 92% overall accuracy on an evaluation dataset,” added Stroy. “Eyeballer is a practical pentesting tool that security professionals can use now in the real world.”
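To make the multi-label tagging and the accuracy figure concrete, here is an added example, written for this page and not Eyeballer's own code. It assumes a model has already scored each screenshot with a probability per label (the scores, filenames and ground truth below are constructed), thresholds the scores into tags, ranks the hosts so a tester knows what to open first, and then computes two different “overall accuracy” numbers for the same predictions. The label names follow the categories listed above; the threshold, the interest weights and the file naming are assumptions for illustration.

```python
"""Triage and evaluation of multi-label screenshot classifications.

Added example (not Eyeballer's code). Assumes per-label probabilities
already produced by some model; all data here is constructed.
"""

# Label vocabulary taken from the categories the announcement describes.
LABELS = ("custom404", "login", "homepage", "oldlooking")

# Constructed model output: one probability per label per screenshot.
SAMPLE_PREDICTIONS = {
    "203.0.113.10_443.png":  {"custom404": 0.02, "login": 0.91, "homepage": 0.30, "oldlooking": 0.88},
    "203.0.113.11_80.png":   {"custom404": 0.97, "login": 0.05, "homepage": 0.03, "oldlooking": 0.10},
    "203.0.113.12_8080.png": {"custom404": 0.04, "login": 0.72, "homepage": 0.65, "oldlooking": 0.20},
    "203.0.113.13_443.png":  {"custom404": 0.10, "login": 0.08, "homepage": 0.93, "oldlooking": 0.12},
}

# Constructed ground truth for the same screenshots. Note the third host:
# a human labelled it "login" only, but the model also scores "homepage"
# above 0.5, which is the single error the metrics below will expose.
SAMPLE_TRUTH = {
    "203.0.113.10_443.png":  {"login", "oldlooking"},
    "203.0.113.11_80.png":   {"custom404"},
    "203.0.113.12_8080.png": {"login"},
    "203.0.113.13_443.png":  {"homepage"},
}

# Assumed weighting of what a tester wants to open first: old-looking
# sites and login forms rank high, bare custom 404 pages rank low.
INTEREST_WEIGHTS = {"oldlooking": 3, "login": 2, "homepage": 1, "custom404": -2}


def tag(probs, threshold=0.5):
    """Turn per-label probabilities into a set of labels (multi-label, not argmax)."""
    return {label for label, p in probs.items() if p >= threshold}


def interest_score(labels):
    """Sum the assumed weights of a screenshot's labels."""
    return sum(INTEREST_WEIGHTS[label] for label in labels)


def triage(predictions, threshold=0.5):
    """Return (filename, score, sorted labels) rows, most interesting first."""
    rows = []
    for name, probs in predictions.items():
        labels = tag(probs, threshold)
        rows.append((name, interest_score(labels), sorted(labels)))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def per_label_accuracy(predictions, truth, threshold=0.5):
    """Fraction of individual (screenshot, label) decisions that are correct.

    This is the lenient reading of 'overall accuracy' for a multi-label
    model: one wrong tag on an otherwise correct screenshot costs 1/len(LABELS).
    """
    correct = total = 0
    for name, probs in predictions.items():
        predicted = tag(probs, threshold)
        for label in LABELS:
            total += 1
            correct += (label in predicted) == (label in truth[name])
    return correct / total


def exact_match_accuracy(predictions, truth, threshold=0.5):
    """Fraction of screenshots whose full label set matches the ground truth.

    The strict reading: any wrong or missing tag counts the whole image as wrong.
    """
    hits = sum(tag(probs, threshold) == truth[name] for name, probs in predictions.items())
    return hits / len(predictions)


if __name__ == "__main__":
    for name, score, labels in triage(SAMPLE_PREDICTIONS):
        print(f"{score:>3}  {name:<24} {', '.join(labels) or '-'}")
    print("per-label accuracy :", per_label_accuracy(SAMPLE_PREDICTIONS, SAMPLE_TRUTH))
    print("exact-match accuracy:", exact_match_accuracy(SAMPLE_PREDICTIONS, SAMPLE_TRUTH))
```

The point of running both metrics is the caveat a practitioner should carry into any “approximately 92%” claim for a multi-label model: with a single wrong tag on one of four screenshots, per-label accuracy reports 93.75% while exact-match accuracy reports 75%. Which one a benchmark means changes how many screenshots you can expect to skip safely, and raising the threshold trades recall of interesting hosts for fewer spurious tags.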