yehgdotnet edited this page Oct 27, 2010 · 31 revisions

While WhatWeb is primarily a website fingerprinter it can also be used for spidering, banner grabbing, vulnerability scanning and data mining.

Advanced Options

IDS Evasion

WhatWeb's --wait and --max-threads options control how quickly it sends requests.

Furthermore, change the user agent with the -U or --user-agent command line option to avoid the Snort IDS rule for WhatWeb.
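Seen from the web server, those two knobs decide what a WhatWeb run looks like in the access log. The following added shell example (not part of the WhatWeb wiki or project) runs over a few constructed combined-format log lines. One function flags clients whose User-Agent names the tool, which is what the Snort rule keys on; it assumes the default User-Agent begins with "WhatWeb/". The other flags clients that produce a burst of mostly-404 requests, which is what aggressive URL guessing looks like no matter which User-Agent was set. The IP addresses, paths and version string in the sample are constructed.

```shell
#!/bin/sh
# Added example (not WhatWeb code): spotting fingerprinting scans in access logs.
# Assumption: WhatWeb's default User-Agent begins with "WhatWeb/".

# Constructed combined-format log lines (documentation-range IPs, made-up paths).
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [27/Oct/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "WhatWeb/0.4.5"
203.0.113.7 - - [27/Oct/2010:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "WhatWeb/0.4.5"
192.0.2.1 - - [27/Oct/2010:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.1 - - [27/Oct/2010:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Oct/2010:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Oct/2010:10:01:01 +0000] "GET /wp-content/plugins/hello.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Oct/2010:10:01:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Oct/2010:10:01:02 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
EOF
}

# Clients whose User-Agent names the tool (the signal the Snort rule uses).
# Trivially changed with -U, so treat it as a convenience signal only.
# With FS set to the double quote, $1 is the client/time prefix and $6 is the User-Agent.
flag_scanner_ua() {
  awk -F'"' 'tolower($6) ~ /whatweb\// { split($1, a, " "); print a[1] }' | sort -u
}

# Clients with at least $1 requests of which a share >= $2 returned 404.
# Guessed-URL scans (-a 3 / -a 4) look like this whatever the User-Agent;
# a scan throttled with --wait reaches the same ratio, just over a longer window.
flag_guessing_bursts() {
  awk -F'"' -v min="$1" -v share="$2" '
    {
      split($1, a, " "); ip = a[1]        # client address
      split($3, s, " "); status = s[1]    # HTTP status follows the request line
      total[ip]++
      if (status == "404") miss[ip]++
    }
    END {
      for (ip in total)
        if (total[ip] >= min && miss[ip] / total[ip] >= share) print ip
    }' | sort
}

sample_log | flag_scanner_ua            # prints 203.0.113.7
sample_log | flag_guessing_bursts 3 0.5  # prints 198.51.100.9
```

The two signals are complementary: the User-Agent match catches a default run, the 404 ratio catches a renamed one. Raising the request threshold or widening the time window you feed in trades fewer false positives from ordinary broken links against missing a slow, --wait throttled scan.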

Spidering

Default settings:

./whatweb target.com --aggression 1 --recursion --spider-skip-extensions zip,gz,tar,jpg,exe,png,pdf --max-links 250 --depth 10

--aggression, -a

  • 1 passive - on-page only
  • 2 polite - unimplemented
  • 3 impolite - guess URLs when a plugin matches (smart, guesses a few URLs)
  • 4 aggressive - guess URLs for every plugin (guesses a lot of URLs, like Nikto)

--recursion, -r

Follow links recursively. Only follows links under the path (default: off)

--depth, -d

Maximum recursion depth (default: 10)

--max-links, -m

Maximum number of links to follow on one page (default: 250)

--spider-skip-extensions

Redefine extensions to skip. (default: zip,gz,tar,jpg,exe,png,pdf)

Reconnaissance

Banner Grabbing

Banner grabbing is as easy as appending the port to the domain name.

$ ./whatweb -a 1 whatweb.net:21 whatweb.net:22
http://whatweb.net:21 ERROR: Connection refused - connect(2)
http://whatweb.net:22 ERROR: wrong status line: "SSH-2.0-OpenSSH_5.1p1 Debian-5"

OR

$ echo "21,22" | tr ',' '\n' | ./whatweb -a 1 --url-pattern whatweb.net:%insert% --input-file /dev/stdin
http://whatweb.net:21 ERROR: Connection refused - connect(2)
http://whatweb.net:22 ERROR: wrong status line: "SSH-2.0-OpenSSH_5.1p1 Debian-5"

Data Mining

WhatWeb also extracts useful information from config files, error messages, administration panels, meta data and more without sending any additional requests. If you're going to send a GET request, you may as well grab whatever juicy info you can while you're there, right?

WhatWeb automatically extracts the following types of data:

  • Local file paths
  • Hostnames
  • Subdomains
  • Usernames
  • Passwords
  • E-mail addresses
  • Active modules for certain web apps/hardware
  • Active ports
  • Bot command and control servers details
  • URLs
  • and more . . .

Subdomain Enumeration

WhatWeb automatically extracts subdomains however you can load the Subdomains plugin specifically for grabbing subdomains.

$ ./whatweb -a 1 -p Subdomains google.com
http://google.com [301] Subdomains[www]
http://www.google.com/ [200] Subdomains[www,video,maps,news,mail]

OR

$ ./whatweb -a 1 -p Subdomains --color never google.com | cut -d"[" -f3- | cut -d"]" -f1 | tr ',' '\n' | sort -u
mail
maps
news
video
www
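The cut chain above assumes Subdomains is the first bracketed plugin on the line, which is not true once other plugins (Title, Country, and so on) print before it. The following added shell example, which is not WhatWeb code, extracts the Subdomains list wherever it sits on the line and then compares the result with an inventory of hosts you already know about, so a run against your own domain surfaces forgotten or shadow hosts. The sample output lines, plugin order and the inventory contents are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not WhatWeb code): pull Subdomains[...] out of WhatWeb output
# wherever it appears on the line, then report names missing from an inventory.

# Constructed WhatWeb-style output lines; plugin order and values are made up.
sample_whatweb_output() {
  cat <<'EOF'
http://example.com [301] RedirectLocation[http://www.example.com/] Subdomains[www]
http://www.example.com/ [200] Title[Example Domain] Subdomains[www,mail,dev,staging]
http://www.example.com/ [200] Country[UNITED STATES][US] Subdomains[mail,www]
EOF
}

# One subdomain per line, deduplicated and sorted.
# Unlike cut -d"[" -f3, this does not care which plugin prints first.
extract_subdomains() {
  sed -n 's/.*Subdomains\[\([^]]*\)\].*/\1/p' | tr ',' '\n' | sed '/^$/d' | sort -u
}

# Names read from stdin that do not appear (as whole lines) in the inventory file $1.
# Each unexpected name is a candidate for a forgotten or shadow host.
unexpected_subdomains() {
  grep -v -x -F -f "$1"
}

inventory="${TMPDIR:-/tmp}/inventory.$$"
printf 'www\nmail\n' > "$inventory"   # constructed inventory: the hosts you know about
sample_whatweb_output | extract_subdomains | unexpected_subdomains "$inventory"   # prints dev, staging
rm -f "$inventory"
```

Run with --color never, as in the pipeline above, so no escape sequences land between the brackets. Feeding the unexpected names into the same inventory after review keeps the diff small on the next run.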

Information Disclosure Scanning

WhatWeb passively grabs the local file path from PHP errors. You can scan for incorrectly configured PHP scripts at known locations and retrieve the local file path. For example, in WordPress the /wp-content/themes/default/index.php file usually errors and spits out the local file path.

Check Wordpress Local Path Disclosure for a list of Wordpress files which disclose the local file path.

Note: Any special characters (spaces, brackets and semi-colons, etc) must be escaped or URL encoded.

$ ./whatweb -a 1 example.com/wp-content/themes/default/index.php example.com/wp-content/plugins/hello.php

OR

$ echo "/wp-content/themes/default/index.php,/wp-content/plugins/hello.php" | tr ',' '\n' | ./whatweb -a 1 --url-pattern example.com/%insert% --input-file /dev/stdin
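Before sending anything, it helps to see exactly which URLs the --url-pattern/--input-file pipeline will build, especially given the note about escaping special characters. The following added shell example, not from the WhatWeb project, performs the %insert% substitution itself and percent-encodes each inserted value (leaving "/" alone so path-style inserts stay valid), so the resulting list can be reviewed first. The two WordPress paths come from this page; the third path and the function names are constructed.

```shell
#!/bin/sh
# Added example (not WhatWeb code): preview the URL list that
# "--url-pattern PATTERN --input-file LIST" would produce, with each inserted
# value percent-encoded as the note above requires.

# Percent-encode one string. RFC 3986 unreserved characters and "/" pass
# through; everything else (space, brackets, quotes, ";" ...) is encoded.
# ASCII input only, which is all these paths contain.
urlencode() {
  printf '%s\n' "$1" | fold -w 1 | while IFS= read -r c; do
    case "$c" in
      '') ;;                                   # empty line from an empty input
      [A-Za-z0-9._~/-]) printf '%s' "$c" ;;
      *) printf '%%%02X' "'$c" ;;              # POSIX printf: "'x" yields the code of x
    esac
  done
}

# Replace %insert% in $1 with the encoded form of each line read from stdin.
expand_url_pattern() {
  pattern="$1"
  while IFS= read -r value; do
    encoded=$(urlencode "$value")
    # The encoded value only contains [A-Za-z0-9._~/%-], so it is safe in a sed replacement.
    printf '%s\n' "$pattern" | sed "s|%insert%|$encoded|g"
  done
}

# Constructed input list: two paths from the page plus one that needs encoding.
sample_paths() {
  cat <<'EOF'
wp-content/themes/default/index.php
wp-content/plugins/hello.php
wp-content/uploads/report (draft).pdf
EOF
}

sample_paths | expand_url_pattern 'http://example.com/%insert%'
```

The last line of the sample becomes http://example.com/wp-content/uploads/report%20%28draft%29.pdf, which is the form WhatWeb needs on the command line. Save the output to a file and pass it with --input-file (without --url-pattern) once it looks right.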

Vulnerability Scanning

RCE Scanning

It is possible to use WhatWeb as a very basic Remote Command Execution scanner. Unfortunately WhatWeb only supports GET requests at this point.

Run WhatWeb against the target URL and inject phpinfo(); in the URL where required. For example:

Note: The brackets and semi-colon in phpinfo(); must be escaped. Unfortunately the escaped commands cannot be shown on this page due to the wiki formatting.

$ ./whatweb -a 1 example.com/vuln.php?param1=phpinfo(); example.com/vuln.php?param2=phpinfo();

OR

$ echo "vuln.php?param1=phpinfo();,vuln.php?param2=phpinfo();" | tr ',' '\n' | ./whatweb -a 1 --url-pattern example.com/%insert% --input-file /dev/stdin

If the phpinfo() plugin is returned then the system is vulnerable to Remote Command Execution with PHP.

SQLi Scanning

It is possible to use WhatWeb as a very basic SQL Injection scanner. Unfortunately WhatWeb only supports GET requests at this point.

Run WhatWeb against the target URL and inject your required SQL query in the URL where required. For example:

Note: Any special characters (spaces, brackets and semi-colons, etc) must be escaped or URL encoded.

$ ./whatweb -a 1 "example.com/vuln.php?param1=1'order%20by%2010--" "example.com/vuln.php?param1=1'order%20by%209--" "example.com/vuln.php?param1=1'order%20by%208--" "example.com/vuln.php?param1=1'order%20by%207--" "example.com/vuln.php?param1=1'order%20by%206--" "example.com/vuln.php?param1=1'order%20by%205--"

OR

$ echo "vuln.php?param1=1'order%20by%2010--,vuln.php?param1=1'order%20by%209--,vuln.php?param1=1'order%20by%208--,vuln.php?param1=1'order%20by%207--,vuln.php?param1=1'order%20by%206--,vuln.php?param1=1'order%20by%205--" | tr ',' '\n' | ./whatweb -a 1 --url-pattern example.com/%insert% --input-file /dev/stdin

If the mySQL-Error plugin is returned then the system is vulnerable to SQL Injection with mySQL.

XSS Scanner

It is possible to use WhatWeb as a very basic XSS scanner. Unfortunately WhatWeb only supports GET requests at this point.

Run WhatWeb against the target URL and inject <script>alert(1)</script> in the URL where required. For example:

Note: Any special characters (spaces, brackets and semi-colons, etc) must be escaped or URL encoded.

$ ./whatweb -a 1 -p Vulnerable-To-XSS example.com/vuln.php?param1=<script>alert(1)</script> example.com/vuln.php?param2=<script>alert(1)</script>

OR

$ echo "vuln.php?param1=<script>alert(1)</script>,vuln.php?param2=<script>alert(1)</script>" | tr ',' '\n' | ./whatweb -a 1 -p Vulnerable-To-XSS --url-pattern example.com/%insert% --input-file /dev/stdin

If the Vulnerable-To-XSS plugin is returned then the system is vulnerable to XSS.