bcoles edited this page Oct 18, 2010 · 31 revisions

While WhatWeb is primarily a website fingerprinter, it can also be used for spidering, vulnerability scanning and data mining.

Banner Grabbing

Banner grabbing is as easy as appending the port to the URL.

$ ./whatweb -a 1 whatweb.net:21 whatweb.net:22
http://whatweb.net:21 ERROR: Connection refused - connect(2)
http://whatweb.net:22 ERROR: wrong status line: "SSH-2.0-OpenSSH_5.1p1 Debian-5"

OR

$ echo "21,22" | tr ',' '\n' | ./whatweb -a 1 --url-pattern whatweb.net:%insert% --input-file /dev/stdin
http://whatweb.net:21 ERROR: Connection refused - connect(2)
http://whatweb.net:22 ERROR: wrong status line: "SSH-2.0-OpenSSH_5.1p1 Debian-5"

Data Mining

If you're going to send a GET request, you may as well grab whatever juicy info you can while you're there, right?

WhatWeb has many plugins designed to automatically extract useful information from config files, administration panels, metadata and more.

IDS Evasion

WhatWeb features the --wait and --max-threads options.

Furthermore, change the user agent using the -U or --user-agent command line option to avoid the Snort IDS rule for WhatWeb.

Spidering

Default settings:

./whatweb target.com --aggression 1 --recursion --spider-skip-extensions zip,gz,tar,jpg,exe,png,pdf --max-links 250 --depth 10

--aggression, -a

1 passive - on-page

2 polite - unimplemented

3 impolite - guess URLs when plugin matches (smart, guess a few URLs)

4 aggressive - guess URLs for every plugin (guess a lot of URLs, like nikto)

--recursion, -r

Follow links recursively. Only follows links under the path (default: off)

--depth, -d

Maximum recursion depth (default: 10)

--max-links, -m

Maximum number of links to follow on one page (default: 250)

--spider-skip-extensions

Redefine extensions to skip. (default: zip,gz,tar,jpg,exe,png,pdf)

XSS Scanner

It is possible to use WhatWeb as a very basic XSS scanner. Unfortunately WhatWeb only supports GET requests at this point.

Run WhatWeb against the target URL and inject <script>alert(1)</script> in the URL where required. For example:

./whatweb -a 1 'example.com/vuln.php?vuln_param=<script>alert(1)</script>'

If the Vulnerable-To-XSS plugin is returned then the system is vulnerable to XSS.
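From the defender's side, the IDS Evasion and XSS Scanner sections together mean that matching on the user agent alone misses these requests once -U is used, so the request content has to be checked as well. The following is an added example, not part of WhatWeb or the original page: it scans access-log lines for both signals. The combined log format, the "WhatWeb" user-agent substring, the sample lines and the function names are assumptions made for illustration.

```ruby
require 'uri'

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 2 models the probe from this page sent with a changed user agent.
SAMPLE_LOG = <<~'LOG'
  203.0.113.5 - - [18/Oct/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "WhatWeb/X.Y.Z"
  203.0.113.5 - - [18/Oct/2010:10:00:02 +0000] "GET /vuln.php?vuln_param=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"
  198.51.100.7 - - [18/Oct/2010:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
  203.0.113.9 - - [18/Oct/2010:10:00:04 +0000] "GET /a.php?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 300 "-" "curl/7.0"
LOG

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>\S+) (?<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?<ua>[^"]*)"\z/
SCRIPT_RE = /<script\b[^>]*>/i

# Percent-decode the query string up to `rounds` times so that single- and
# double-encoded payloads are compared in the same form.
def decode_query(target, rounds = 2)
  query = target.split('?', 2)[1].to_s
  rounds.times do
    decoded = URI.decode_www_form_component(query).scrub
    break if decoded == query
    query = decoded
  end
  query
rescue ArgumentError
  query # malformed %-escape: keep what was decoded so far
end

# Return one hash per suspicious request, with the reasons it was flagged.
def findings(log_text)
  log_text.each_line.map do |line|
    m = LINE_RE.match(line.chomp) or next
    reasons = []
    # Weak signal: trivially changed by the client (assumed UA substring).
    reasons << :whatweb_user_agent if m[:ua] =~ /whatweb/i
    # Content signal: independent of whatever user agent was sent.
    reasons << :script_tag_in_query if decode_query(m[:target]) =~ SCRIPT_RE
    { ip: m[:ip], target: m[:target], reasons: reasons } unless reasons.empty?
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  findings(SAMPLE_LOG).each { |f| puts "#{f[:ip]} #{f[:reasons].join(',')} #{f[:target]}" }
end
```

A flagged request only shows that a probe was sent; whether the page is actually vulnerable depends on whether the response reflects the payload unescaped.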