Simple but effective Web Discovery & Web Vulnerability Analysis with whatweb

Whatweb is the perfect name for this tool. Simply it answers the question, “What is that Website?” Whatweb can identify all sorts of information about a live website, like:

  • Platform
  • CMS platform
  • Type of Script
  • Google Analystics
  • Webserver Platform
  • IP address, Country
  • 900+ Plugins & their libraries used
  • Server Headers, Cookies and a lot more.

Whatweb offers both passive scanning and aggressive testing. Passive scanning, just extracts data from http headers simulating a normal visit. Aggressive options get more deeper with recursion & various types of queries & identifies all technologies just like a vulnerability scanner. So a pentester can use this tool as both a recon tool & vulnerability scanner. There are a various other features like proxy support, scan tuning, scanning a range of IPs, spidering etc.

Homepage: http://www.morningstarsecurity.com/research/whatweb


Syntax: whatweb [options] <URLs>

Options is deprecated. Only major options or listed. Visit tool homepage for complete options

<URLs>                Enter URLs, filenames or nmap-format IP ranges.
--input-file=FILE, -i Identify URLs found in FILE, eg. -i /dev/stdin

--url-prefix          Add a prefix to target URLs
--url-suffix          Add a suffix to target URLs
--url-pattern         Insert the targets into a URL. Requires --input-file,

The aggression level controls the trade-off between speed/stealth and reliability.
--aggression, -a=LEVEL Set the aggression level. Default: 1
Aggression levels are: 1,2,3 & 4

--user-agent, -U=AGENT Identify as AGENT instead of WhatWeb/0.4.8-dev.
--follow-redirect=WHEN Control when to follow redirects.Default: always
--max-redirects=NUM   Maximum number of contiguous redirects. Default: 10

--user, -u=<user:password> HTTP basic authentication
Add session cookies with --header, e.g. --header "Cookie: SESSID=1a2b3c;"

--proxy               <hostname[:port]> Set proxy hostname and port Default: 8080
--proxy-user          <username:password> Set proxy user and password

--list-plugins, -l    List all plugins

--verbose, -v         Verbose output includes plugin descriptions. Use twice for debugging.
--colour,--color=WHEN control whether colour is used. WHEN='always', 'never' or 'auto'
--quiet, -q           Do not display brief logging to STDOUT
--no-errors           Suppress error messages

--log-brief=FILE      Log brief, one-line output
--log-verbose=FILE    Log verbose output
--log-xml=FILE        Log XML format

--max-threads, -t     Number of simultaneous threads. Default: 25.
--open-timeout        Time in seconds. Default: 15
--read-timeout        Time in seconds. Default: 30
--wait=SECONDS        Wait SECONDS between connections

--help, -h            This help
--debug               Raise errors in plugins
--version             Display version information. (WhatWeb 0.4.8-dev)

Lab 1: Perform Simple enumeration of websites over internet.

In this lab, we will perform simple enumeration of websites. The result of this is we can get to know the technologies used in the website & webserver.

Note: Please don’t use this against government or military websites without prior permission. The author of this article or tool itself are not responsible for any consequences if misused.


Attacker: Kali Linux VM

Target: www.facebook.com

Command: whatweb www.facebook.com
Basic Details

To give a more verbose Output

Command: whatweb -v www.facebook.com
Displaying Details about modules
Displaying Details about modules


Practically, how we can use this information for Vulnerability Analysis is that, some times you may get that the webserver is an outdated version of Apache or IIS. Or sometimes, the website is running an old wordpress version vulnerable to many issues. Like that, you can find out the vulns & exploits for different versions of technologies used in the website.

Lab 2 : Perform Enumeration of a range of websites

whatweb allows you to test for a range of IP addresses. In this lab, we test a range of IPs on a local network. This can be useful while doing Pentests inside a production network or sometimes like finding out a list of Web-UIs or cpanels on a range of IPs.


Internal Network :

Attacker: Kali Linux

command: whatweb -v

Interestingly, the verbose output gives out coloured strings on interesting information. Take look at all those colours in the images below & identify all modules.





Try for yourself: Remember whatweb can scan for ranges outside the LAN, on the WAN also. Find out google’s IP address, and  perform a scan on it’s range.

Don’t forget to subscribe also.

Facebook Comments

2 thoughts on “whatweb

  • August 30, 2016 at 10:35 pm

    I have recently downloaded whatweb on Ubuntu 16.04 and whatever I run (even just whatweb [URL or IP] I get the following error:

    $ whatweb google.com
    /usr/bin/whatweb: /usr/lib/ruby/vendor_ruby/rchardet/universaldetector.rb:39: invalid multibyte escape: /[\x80-\xFF]/ (SyntaxError)

    You have any idea what is going on?


Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: