Skip to content
bcoles edited this page Mar 27, 2011 · 31 revisions

While WhatWeb is primarily a website fingerprinter it can also be used for spidering, banner grabbing, vulnerability scanning and data mining.

Advanced Options

Plugin Selection

Plugins can be selected by directories, files or plugin names as a comma delimited list with the -p or --plugin command line option.

Each list item may have a modifier: + adds to the full set, - removes from the fullset and no modifier overrides the defaults.

Examples :

  • --plugins +plugins-disabled,-foobar
  • --plugins +/tmp/moo.rb
  • --plugins foobar (only select foobar)
  • -p title,md5,+./plugins-disabled/
  • -p ./plugins-disabled,-md5

IDS Evasion

WhatWeb features --wait and --max-threads commands.

Furthermore, change the useragent using the -U or --user-agent command line option to avoid the Snort IDS rule for WhatWeb

Aggression

WhatWeb features several levels of aggression. By default the aggression level is set to 1 passive which sends a single HTTP GET request.

Don't use aggressive modes with website --recursion spidering as it will repeat the tests and URL requests.

--aggression, -a

  • 1 passive - on-page
  • 2 polite - unimplemented
  • 3 impolite - guess URLs when plugin matches (smart, guess a few urls)
  • 4 aggressive - guess URLs for every plugin (guess a lot of urls like nikto)

Spidering

Default settings:

./whatweb target.com --aggression 1 --recursion --spider-skip-extensions zip,gz,tar,jpg,exe,png,pdf --max-links 250 --depth 10

--aggression, -a

1 passive - on-page, 2 polite - unimplemented, 3 impolite - guess URLs when plugin matches (smart, guess a few urls), 4 aggressive - guess URLs for every plugin (guess a lot of urls like nikto)

--recursion, -r

Follow links recursively. Only follows links under the path (default: off)

--depth, -d

Maximum recursion depth (default: 10)

--max-links, -m

Maximum number of links to follow on one page (default: 250)

--spider-skip-extensions

Redefine extensions to skip. (default: zip,gz,tar,jpg,exe,png,pdf)

WhatWeb Automation

Nmap

Nmap-to-WhatWeb (bash) and Tell-Me-Web (ruby) have been written to automate banner grabbing and web app fingerprinting. It takes Nmap standard output as input in stdin and parses it to WhatWeb for fingerprinting.

Google

WhatWeb can be used to confirm the results of a google query. Any google crawler can be used however gggooglescan-0.3 is used for this example.

./gggooglescan -v "powered by wordpress" | ./whatweb -i /dev/stdin --log-brief wordpress.log

A few proof of concept bash scripts were written to demonstrate the simplicity with which WhatWeb can be automated in large-scale network scanning :

  • Data Mine - mysql-mine - a simple script to mine mysql host & credentials from Google.
  • Data Mine - htpasswd-mine - a simple script to mine .htpasswd credentials from Google.
  • Data Mine - phpinfo-mine - a simple script to mine phpinfo() details from Google.
  • Data Mine - php-error-mine - a simple script to mine details from php errors from Google.
  • Locate Device - qnap-nas-mine - a simple script to locate and fingerprint QNAP-NAS devices from Google.
  • Locate Device - cisco-ip-phone-mine - a simple script to locate and fingerprint Cisco-IP-Phone devices from Google.
  • Defense - rfi-scanner-bot-mine - a simple script to locate and extract the command and control details from RFI-Scanner bot config files from Google.

Reconnaissance

Banner Grabbing

Banner grabbing is as easy as appending the port to the domain name.

$ ./whatweb -a 1 whatweb.net:21 whatweb.net:22
http://whatweb.net:21 ERROR: Connection refused - connect(2)
http://whatweb.net:22 ERROR: wrong status line: "SSH-2.0-OpenSSH_5.1p1 Debian-5"

OR

$ echo "21,22" | tr ',' '\n' | ./whatweb -a 1 --url-pattern whatweb.net:%insert% --input-file /dev/stdin
http://whatweb.net:21 ERROR: Connection refused - connect(2)
http://whatweb.net:22 ERROR: wrong status line: "SSH-2.0-OpenSSH_5.1p1 Debian-5"`

Data Mining

WhatWeb also extracts useful information from config files, error messages, administration panels, meta data and more without sending any additional requests. If you're going to send a GET request, you may as well grab whatever juicy info you can while you're there, right?

WhatWeb automatically extracts the following types of data:

  • Local file paths
  • Hostnames
  • Usernames
  • Passwords
  • E-mail addresses
  • Active modules for certain web apps/hardware
  • Active ports
  • URLs
  • and more . . .

Several plugins are stored in the ./plugins-disabled/ directory by default as their output is rather lengthy :

  • Subdomains
  • Meta-Keywords
  • Meta-Description
  • (I)Frame source URL(s)
  • Script source URL(s)
  • Flash source URL(s)
  • RSS Feed source URL(s)
  • Shortcut-Icon
  • HTML Comments
  • Links
  • and more . . .

To enable these plugins use the + modifier on the the -p argument, for example :

$ ./whatweb -a 1 -p +plugins-disabled example.com

WhatWeb also supports mining profile information from a number of social networks :

  • bebo
  • Facebook
  • Friendster
  • GitHub
  • hi5
  • Myspace
  • Netlog
  • SourceForge
  • Tagged
  • Windows-Live

Subdomain Discovery

WhatWeb can extract subdomains passively by loading the Subdomains plugin from the plugins-disabled directory.

$ ./whatweb -a 1 -p ./plugins-disabled/subdomains.rb google.com
http://google.com [301] Subdomains[www]
http://www.google.com/ [200] Subdomains[www,video,maps,news,mail]

OR

$ ./whatweb -a 1 -p ./plugins-disabled/subdomains.rb --color never google.com | cut -d"[" -f3- | cut -d"]" -f1 | tr ',' '\n' | sort -u
mail
maps
news
video
www

Logging

** Reporting **

An XSL file titled whatweb.xsl is provided for pretty XML reporting. Simply choose the --log-xml command line option :

$ ./whatweb -a 1 example.com --log-xml scan.xml

Then open scan.xml from the current working directory in your favorite browser.

MagicTree XML

WhatWeb can generate output which is compatible with the MagicTree XML format using the --log-magictree command line option. For example:

$ ./whatweb -a 1 microsoft.com --log-magictree scan.xml

$ ./whatweb -a 1 microsoft.com --log-magictree scan.xml

Logging to MongoDB

You need the Charset plugin which requires the gem 'rchardet' for proper operation. Be warned, this eats CPU which is why it is in the plugins-disabled folder.

By default MongoDB is only accessible to localhost. Each database has many collections. Each collection has many documents (records).

$ ./whatweb -a 1 example.com --log-mongo-host localhost --log-mongo-database scanning --log-mongo-collection australia

Vulnerability Scanning

Authentication Bruteforce

Using --custom-plugin in combination with --url-pattern and -i works in authentication bruteforce attacks. Limited to HTTP GET.

kryn.cms has no CAPTCHA nor lockout. It is vulnerable to authentication brute force as a result. In this example the --custom-plugin argument defines a regex match which detects the json returned by a valid login. Note that the special characters are escaped for command-line input.

./whatweb --url-pattern http://demo.kryn.org/admin/user:login/json:1?username=admin\&passwd=%insert% --custom-plugin "{:string=>/username":"([^"]+)"/}" -i list

Note that this type of attack would also work by writing a regex match for the login failure message and parsing the results to fgrep like so:

./whatweb --url-pattern http://demo.kryn.org/admin/user:login/json:1?username=admin&passwd=%insert% --custom-plugin "{:string=>/^0$/}" -i list | fgrep -v "Custom-Plugin"

Information Disclosure Scanning

WhatWeb passively grabs the local file path from PHP errors. You can scan for incorrectly configured PHP scripts at known locations and retrieve the local file path. For example, in Wordpress the /wp-content/themes/default/index.php file usually errors and spits out the local file path.

Check Wordpress Local Path Disclosure for a list of Wordpress files which disclose the local file path.

Note: Any special characters (spaces, brackets and semi-colons, etc) must be escaped or URL encoded.

$ ./whatweb -a 1 example.com/wp-content/themes/default/index.php example.com/wp-content/plugins/hello.php

OR

$ echo "/wp-content/themes/default/index.php,/wp-content/plugins/hello.php" | tr ',' '\n' | ./whatweb -a 1 --url-pattern example.com/%insert% --input-file /dev/stdin

echo "/wp-content/themes/default/index.php,/wp-content/plugins/hello.php" | tr ',' '\n' | ./whatweb --url-pattern http://www.consumidor.gov.ar/%insert% -i /dev/stdin

It is also possible to use inspathx plugins in WhatWeb using the --url-pattern argument.

For example to run the wordpress-3.0.4 inspathx plugin against wordpress.com :

cat /path/to/inspathx/paths/wordpress-3.0.4 | egrep -v "^#" | ./whatweb -i /dev/stdin --url-pattern wordpress.com/%insert%

RCE Scanning

It is possible to use WhatWeb as a very basic Remote Command Execution scanner. Unfortunately WhatWeb only supports GET requests at this point.

Run WhatWeb against the target URL and inject phpinfo(); in the URL where required. For example:

Note: The brackets and semi-colon in phpinfo(); must be escaped. Unfortunately the escaped commands cannot be shown on this page due to the wiki formatting.

$ ./whatweb -a 1 example.com/vuln.php?param1=phpinfo(); example.com/vuln.php?param2=phpinfo();

OR

$ echo "vuln.php?param1=phpinfo();,vuln.php?param2=phpinfo();" | tr ',' '\n' | ./whatweb -a 1 --url-pattern example.com/%insert% --input-file /dev/stdin

If the phpinfo() plugin is returned then the system is vulnerable to Remote Command Execution with PHP.

SQLi Scanning

It is possible to use WhatWeb as a very basic SQL Injection scanner. Unfortunately WhatWeb only supports GET requests at this point.

Run WhatWeb against the target URL and inject your required SQL query in the URL where required. For example:

Note: Any special characters (spaces, brackets and semi-colons, etc) must be escaped or URL encoded.

$ ./whatweb -a 1 "example.com/vuln.php?param1=1'order%20by%2010--" "example.com/vuln.php?param1=1'order%20by%209--" "example.com/vuln.php?param1=1'order%20by%208--" "example.com/vuln.php?param1=1'order%20by%207--" "example.com/vuln.php?param1=1'order%20by%206--" "example.com/vuln.php?param1=1'order%20by%205--"

OR

$ echo "vuln.php?param1=1'order%20by%2010--,vuln.php?param1=1'order%20by%209--,vuln.php?param1=1'order%20by%208--,vuln.php?param1=1'order%20by%207--,vuln.php?param1=1'order%20by%206--,vuln.php?param1=1'order%20by%205--" | tr ',' '\n' | ./whatweb -a 1 --url-pattern example.com/%insert% --input-file /dev/stdin

If the mySQL-Error plugin is returned then the system may be vulnerable to SQL Injection with mySQL.

XSS Scanner

It is possible to use WhatWeb as a very basic XSS scanner. Unfortunately WhatWeb only supports GET requests at this point.

Run WhatWeb against the target URL and inject <script>alert(1)</script> in the URL where required. For example:

Note: Any special characters (spaces, brackets and semi-colons, etc) must be escaped or URL encoded.

$ ./whatweb -a 1 -p Vulnerable-To-XSS example.com/vuln.php?param1=<script>alert(1)</script> example.com/vuln.php?param2=<script>alert(1)</script>

OR

$ echo "vuln.php?param1=<script>alert(1)</script>,vuln.php?param2=<script>alert(1)</script>" | tr ',' '\n' | ./whatweb -a 1 -p Vulnerable-To-XSS --url-pattern example.com/%insert% --input-file /dev/stdin

If the Vulnerable-To-XSS plugin is returned then the system may be vulnerable to XSS.

WhatWeb will automatically retrieve the values for X-XSS-Protection and X-Frame-Options from the HTTP header if present.