Simple but effective Web Discovery & Web Vulnerability Analysis with whatweb
Whatweb is the perfect name for this tool. Simply it answers the question, “What is that Website?” Whatweb can identify all sorts of information about a live website, like:
- CMS platform
- Type of Script
- Google Analystics
- Webserver Platform
- IP address, Country
- 900+ Plugins & their libraries used
- Server Headers, Cookies and a lot more.
Whatweb offers both passive scanning and aggressive testing. Passive scanning, just extracts data from http headers simulating a normal visit. Aggressive options get more deeper with recursion & various types of queries & identifies all technologies just like a vulnerability scanner. So a pentester can use this tool as both a recon tool & vulnerability scanner. There are a various other features like proxy support, scan tuning, scanning a range of IPs, spidering etc.
Syntax: whatweb [options] <URLs>
Options is deprecated. Only major options or listed. Visit tool homepage for complete options
TARGET SELECTION: <URLs> Enter URLs, filenames or nmap-format IP ranges. --input-file=FILE, -i Identify URLs found in FILE, eg. -i /dev/stdin TARGET MODIFICATION: --url-prefix Add a prefix to target URLs --url-suffix Add a suffix to target URLs --url-pattern Insert the targets into a URL. Requires --input-file, AGGRESSION: The aggression level controls the trade-off between speed/stealth and reliability. --aggression, -a=LEVEL Set the aggression level. Default: 1 Aggression levels are: 1,2,3 & 4 HTTP OPTIONS: --user-agent, -U=AGENT Identify as AGENT instead of WhatWeb/0.4.8-dev. --follow-redirect=WHEN Control when to follow redirects.Default: always --max-redirects=NUM Maximum number of contiguous redirects. Default: 10 AUTHENTICATION: --user, -u=<user:password> HTTP basic authentication Add session cookies with --header, e.g. --header "Cookie: SESSID=1a2b3c;" PROXY: --proxy <hostname[:port]> Set proxy hostname and port Default: 8080 --proxy-user <username:password> Set proxy user and password PLUGINS: --list-plugins, -l List all plugins OUTPUT: --verbose, -v Verbose output includes plugin descriptions. Use twice for debugging. --colour,--color=WHEN control whether colour is used. WHEN='always', 'never' or 'auto' --quiet, -q Do not display brief logging to STDOUT --no-errors Suppress error messages LOGGING: --log-brief=FILE Log brief, one-line output --log-verbose=FILE Log verbose output --log-xml=FILE Log XML format PERFORMANCE & STABILITY: --max-threads, -t Number of simultaneous threads. Default: 25. --open-timeout Time in seconds. Default: 15 --read-timeout Time in seconds. Default: 30 --wait=SECONDS Wait SECONDS between connections HELP & MISCELLANEOUS: --help, -h This help --debug Raise errors in plugins --version Display version information. (WhatWeb 0.4.8-dev)
Lab 1: Perform Simple enumeration of websites over internet.
In this lab, we will perform simple enumeration of websites. The result of this is we can get to know the technologies used in the website & webserver.
Note: Please don’t use this against government or military websites without prior permission. The author of this article or tool itself are not responsible for any consequences if misused.
Attacker: Kali Linux VM
Command: whatweb www.facebook.com
To give a more verbose Output
Command: whatweb -v www.facebook.com
Practically, how we can use this information for Vulnerability Analysis is that, some times you may get that the webserver is an outdated version of Apache or IIS. Or sometimes, the website is running an old wordpress version vulnerable to many issues. Like that, you can find out the vulns & exploits for different versions of technologies used in the website.
Lab 2 : Perform Enumeration of a range of websites
whatweb allows you to test for a range of IP addresses. In this lab, we test a range of IPs on a local network. This can be useful while doing Pentests inside a production network or sometimes like finding out a list of Web-UIs or cpanels on a range of IPs.
Internal Network : 192.168.0.0/24
Attacker: Kali Linux
command: whatweb -v 192.168.0.1/24
Interestingly, the verbose output gives out coloured strings on interesting information. Take look at all those colours in the images below & identify all modules.
Try for yourself: Remember whatweb can scan for ranges outside the LAN, on the WAN also. Find out google’s IP address, and perform a scan on it’s range.
Don’t forget to subscribe also.