bcoles edited this page Oct 18, 2010 · 31 revisions

While WhatWeb is primarily a website fingerprinter it can also be used for spidering, vulnerability scanning and data mining.

Banner Grabbing

Banner grabbing is as easy as appending the port to the domain name.

$ ./whatweb -a 1 whatweb.net:21 whatweb.net:22
http://whatweb.net:21 ERROR: Connection refused - connect(2)
http://whatweb.net:22 ERROR: wrong status line: "SSH-2.0-OpenSSH_5.1p1 Debian-5"

OR

$ echo "21,22" | tr ',' '\n' | ./whatweb -a 1 --url-pattern whatweb.net:%insert% --input-file /dev/stdin
http://whatweb.net:21 ERROR: Connection refused - connect(2)
http://whatweb.net:22 ERROR: wrong status line: "SSH-2.0-OpenSSH_5.1p1 Debian-5"

Data Mining

WhatWeb also extracts useful information from config files, error messages, administration panels, meta data and more without sending any additional requests. If you're going to send a GET request, you may as well grab whatever juicy info you can while you're there, right?

WhatWeb automatically extracts the following types of data:

  • Local file paths
  • Hostnames
  • Subdomains
  • Usernames
  • Passwords
  • E-mail addresses
  • Active modules for certain web apps/hardware
  • Active ports
  • Bot command-and-control server details
  • URLs
  • and more . . .
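To show how this kind of passive extraction works, here is an added example in Ruby (WhatWeb's own language) that is not WhatWeb's code: a single function, mine, that pulls e-mail addresses, local file paths, URLs, hostnames, ports and leaked credentials out of one response body with regular expressions, the same way a fingerprinting plugin does, without sending further requests. The response body is constructed for the example, and the names SAMPLE_BODY and mine are hypothetical.

```ruby
require 'uri'

# Constructed sample response body (not a real capture): a PHP warning, an
# HTML comment and a link leak the kinds of data listed above.
SAMPLE_BODY = <<~'HTML'
  <html><head>
  <meta name="author" content="webmaster@intranet.example.com">
  </head><body>
  <b>Warning</b>: include(/var/www/vhosts/intranet.example.com/httpdocs/inc/db.php): failed to open stream
  in <b>C:\inetpub\wwwroot\legacy\index.php</b> on line <b>12</b><br/>
  <!-- backend: db01.corp.example.com:3306, user: dbadmin, pass: s3cret -->
  <a href="http://dev.example.com:8080/status">build status</a>
  </body></html>
HTML

# Pull the data types listed above out of one response body without making
# any further requests. Returns a hash of symbol => array of unique strings.
def mine(body)
  found = Hash.new { |h, k| h[k] = [] }

  found[:emails] = body.scan(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/)

  # Local file paths: Unix paths under common roots, and Windows drive paths
  found[:paths] = body.scan(%r{/(?:var|etc|home|usr|opt|srv|tmp)/[\w./-]+}) +
                  body.scan(/[A-Za-z]:\\[^\s<>"']+/)

  # Full URLs, plus the host and any non-default port they point at
  found[:urls] = body.scan(%r{https?://[^\s"'<>]+})
  found[:urls].each do |u|
    begin
      uri = URI(u)
    rescue URI::InvalidURIError
      next
    end
    found[:hosts] << uri.host
    found[:ports] << uri.port if uri.port != uri.default_port
  end

  # Bare host[:port] mentions (comments, error text). The lookbehind keeps
  # file names inside paths such as /inc/db.php from being read as hosts.
  body.scan(/(?<![\w\/\\.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d{2,5}))?(?![\w-])/i) do |host, port|
    found[:hosts] << host.downcase
    found[:ports] << port.to_i if port
  end

  # Credentials leaked in comments or config fragments
  found[:usernames] = body.scan(/\b(?:user(?:name)?|login)\s*[:=]\s*["']?(\w+)/i).flatten
  found[:passwords] = body.scan(/\bpass(?:word|wd)?\s*[:=]\s*["']?([^\s"'<>]+)/i).flatten

  # Hosts with three or more labels are reported as subdomains as well
  found[:subdomains] = found[:hosts].select { |h| h.count('.') >= 2 }

  found.transform_values(&:uniq)
end

if __FILE__ == $0
  mine(SAMPLE_BODY).each { |type, values| puts "#{type}: #{values.join(', ')}" }
end
```

Every match comes from text the server already sent, which is the point of the section: a single GET that was going to be made anyway yields internal hostnames, a database port, a web root on two operating systems and a credential pair.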

IDS Evasion

WhatWeb provides the --wait and --max-threads options to slow down scanning: --wait pauses between connections and --max-threads limits how many run concurrently.

Furthermore, change the user agent with the -U or --user-agent command line option to avoid triggering the Snort IDS rule that detects WhatWeb's default user agent.

Spidering

Default settings:

./whatweb target.com --aggression 1 --recursion --spider-skip-extensions zip,gz,tar,jpg,exe,png,pdf --max-links 250 --depth 10

--aggression, -a

  • 1 passive - on-page only
  • 2 polite - unimplemented
  • 3 impolite - guess URLs when a plugin matches (smart, guesses a few URLs)
  • 4 aggressive - guess URLs for every plugin (guesses a lot of URLs, like Nikto)

--recursion, -r

Follow links recursively. Only follows links under the path (default: off)

--depth, -d

Maximum recursion depth (default: 10)

--max-links, -m

Maximum number of links to follow on one page (default: 250)

--spider-skip-extensions

Redefine extensions to skip. (default: zip,gz,tar,jpg,exe,png,pdf)
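The spidering options above, together with the --wait throttle from the IDS Evasion section, as an added example in Ruby that is not WhatWeb's code: a minimal crawler over a constructed in-memory site that implements the semantics of --recursion (only follow links under the start path), --depth, --max-links, --spider-skip-extensions and a per-request delay. SITE, fetch_links and spider are hypothetical names, and the site data is made up for the example.

```ruby
require 'uri'

# Constructed in-memory site: path => links found on that page. Stands in
# for live HTTP responses so the example runs offline (hypothetical data).
SITE = {
  '/app/'                      => ['/app/login.php', '/app/docs/', '/app/backup.zip',
                                   '/admin/', 'http://other.example/x'],
  '/app/login.php'             => ['/app/'],
  '/app/docs/'                 => ['page1.html', 'page2.html', 'manual.pdf'],
  '/app/docs/page1.html'       => ['deep/'],
  '/app/docs/page2.html'       => [],
  '/app/docs/deep/'            => ['deeper.html'],
  '/app/docs/deep/deeper.html' => [],
}.freeze

DEFAULT_SKIP = %w[zip gz tar jpg exe png pdf].freeze  # the default list above

# Hypothetical stand-in for an HTTP GET plus link extraction; nil means
# the page does not exist (e.g. a 404).
def fetch_links(url)
  SITE[URI(url).path]
end

# Crawl from +start+, mirroring --recursion (stay under the start path),
# --depth, --max-links, --spider-skip-extensions and --wait.
# Returns the pages visited, in crawl order.
def spider(start, depth: 10, max_links: 250, skip_extensions: DEFAULT_SKIP, wait: 0)
  base = URI(start)
  # "Under the path": the directory containing the start URL.
  base_path = base.path.end_with?('/') ? base.path : File.dirname(base.path) + '/'
  queue   = [[start, 0]]
  seen    = { start => true }
  visited = []

  until queue.empty?
    url, level = queue.shift
    sleep(wait) if wait > 0                 # --wait: pause between requests
    links = fetch_links(url)
    next if links.nil?                      # unreachable page: nothing to follow
    visited << url
    next if level >= depth                  # --depth: stop following links here

    links.first(max_links).each do |href|   # --max-links: cap per page
      abs = URI.join(url, href)             # resolve relative links against the page
      next unless abs.host == base.host && abs.path.start_with?(base_path)
      ext = File.extname(abs.path).delete_prefix('.').downcase
      next if skip_extensions.include?(ext) # --spider-skip-extensions
      next if seen[abs.to_s]
      seen[abs.to_s] = true
      queue << [abs.to_s, level + 1]
    end
  end
  visited
end

if __FILE__ == $0
  spider('http://target.example/app/').each { |u| puts u }
end
```

With the defaults the crawl visits seven pages and never leaves /app/, never touches /admin/ or the other host, and skips backup.zip and manual.pdf; with depth: 1 only the start page's direct links are visited, and with max_links: 1 only the first link on each page is followed.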

XSS Scanner

It is possible to use WhatWeb as a very basic XSS scanner. Unfortunately WhatWeb only supports GET requests at this point.

Run WhatWeb against the target URL and inject <script>alert(1)</script> in the URL where required. For example:

$ ./whatweb -a 1 -p Vulnerable-To-XSS example.com/vuln.php?param1=<script>alert(1)</script> example.com/vuln.php?param2=<script>alert(1)</script>

OR

$ echo "vuln.php?param1=<script>alert(1)</script>,vuln.php?param2=<script>alert(1)</script>" | tr ',' '\n' | ./whatweb -a 1 -p Vulnerable-To-XSS --url-pattern example.com/%insert% --input-file /dev/stdin

If the Vulnerable-To-XSS plugin is returned then the system is vulnerable to XSS: the plugin fires when the injected string is reflected unencoded in the response, so a match means the parameter echoes input without output encoding.
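The check behind that result, as an added example in Ruby that is not WhatWeb's plugin code: classify_reflection distinguishes a response that echoes the probe verbatim (the condition the plugin reports) from one that echoes it HTML- or URL-encoded (output encoding is in place) or not at all. The three response bodies are constructed for the example, and PROBE, classify_reflection and classify_all are hypothetical names.

```ruby
require 'cgi'

# The string injected in the commands above.
PROBE = '<script>alert(1)</script>'

# Classify how a response body reflects the probe:
#   :reflected_raw     - echoed verbatim, the case the plugin reports
#   :reflected_encoded - echoed, but HTML- or URL-encoded (output encoding is in place)
#   :not_reflected     - the parameter is not echoed at all
def classify_reflection(body, probe = PROBE)
  return :reflected_raw if body.include?(probe)
  encoded = [CGI.escapeHTML(probe), CGI.escape(probe)]
  return :reflected_encoded if encoded.any? { |e| body.include?(e) }
  :not_reflected
end

# Constructed responses (not real captures) from a page that echoes param1.
RESPONSES = {
  'raw'     => "<p>Results for: #{PROBE}</p>",
  'encoded' => "<p>Results for: #{CGI.escapeHTML(PROBE)}</p>",
  'absent'  => '<p>Results for your query</p>',
}.freeze

def classify_all(responses = RESPONSES)
  responses.transform_values { |body| classify_reflection(body) }
end

if __FILE__ == $0
  classify_all.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

Only the 'raw' case corresponds to the plugin firing; the 'encoded' case is what a correctly escaping page returns for the same request, which is why a negative result from this scan says nothing about parameters that are only reachable through POST.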