Whatweb – A Scanning Tool to Find Security Vulnerabilities in Web App

WhatWeb is the perfect name for this tool. It answers the question, “What is that Website?” WhatWeb can identify a wide range of information about a live website, including:

• Platform
• CMS Platform
• Type of Script
• Google Analytics
• Web Server Platform
• IP Address & Country
• 900+ Plugins & Their Libraries Used
• Server Headers, Cookies, and much more

WhatWeb offers both passive scanning and aggressive testing. Passive scanning extracts data from HTTP headers, simulating a normal visit, making it non-intrusive. Aggressive scanning digs deeper, using recursion and various types of queries to identify technologies, similar to a vulnerability scanner.

Pentesters can use WhatWeb for both reconnaissance and vulnerability scanning. It also supports various advanced features like proxy support, scan tuning, scanning IP ranges, and spidering.

WhatWeb Options

Syntax:

whatweb [options] <URLs>

Note: The options are deprecated. Only the major options are listed here. For the full list, please visit the WhatWeb tool homepage.

Target Selection

• <URLs> – Enter URLs, filenames, or nmap-format IP ranges.
• –input-file=FILE, -i – Identify URLs found in the file, e.g., -i /dev/stdin.

Target Modification

• –url-prefix – Add a prefix to target URLs.
• –url-suffix – Add a suffix to target URLs.
• –url-pattern – Insert targets into a URL. Requires –input-file.

Aggression

The aggression level controls the trade-off between speed/stealth and reliability:

• –aggression, -a=LEVEL – Set the aggression level. Default: 1. Aggression levels: 1, 2, 3, and 4.

HTTP Options

• –user-agent, -U=AGENT – Identify as AGENT instead of WhatWeb/0.4.8-dev.
• –follow-redirect=WHEN – Control when to follow redirects. Default: always.
• –max-redirects=NUM – Maximum number of contiguous redirects. Default: 10.

Authentication

• –user, -u=user:password – HTTP basic authentication. Add session cookies with –header, e.g., --header "Cookie: SESSID=1a2b3c;".

Proxy

• –proxy <hostname[:port]> – Set proxy hostname and port. Default: 8080.
• –proxy-user username:password – Set proxy username and password.

Plugins

• –list-plugins, -l – List all plugins.

Output

• –verbose, -v – Verbose output includes plugin descriptions. Use twice for debugging.
• –colour, –color=WHEN – Control whether color is used. WHEN=’always’, ‘never’, or ‘auto’.
• –quiet, -q – Do not display brief logging to STDOUT.
• –no-errors – Suppress error messages.

Logging

• –log-brief=FILE – Log brief, one-line output.
• –log-verbose=FILE – Log verbose output.
• –log-xml=FILE – Log in XML format.

Performance & Stability

• –max-threads, -t – Set the number of simultaneous threads. Default: 25.
• –open-timeout – Set the open timeout in seconds. Default: 15.
• –read-timeout – Set the read timeout in seconds. Default: 30.
• –wait=SECONDS – Wait SECONDS between connections.

Help & Miscellaneous

• –help, -h – This help.
• –debug – Raise errors in plugins.
• –version – Display version information. (WhatWeb 0.4.8-dev).

WhatWeb Lab 1: Perform Simple Enumeration of Websites

In this lab, we perform a simple enumeration of websites to identify the technologies used in the website and webserver.

Note: Please do not use this tool against government or military websites without prior permission. The author or tool developers are not responsible for any consequences if misused.

Scenario:

• Attacker: Kali Linux VM
• Target: www.facebook.com

Command:

whatweb www.facebook.com

To give a more verbose Output

Command: whatweb -v www.facebook.com

Practically, how we can use this information for Vulnerability Analysis is that sometimes you may get that the webserver is an outdated version of Apache or IIS. Or sometimes, the website is running an old WordPress version vulnerable to many issues. Like that, you can find out the vulns & exploits for different versions of technologies used in the website.

Whatweb Lab 2: Perform Enumeration of a range of websites

whatweb allows you to test for a range of IP addresses. In this lab, we test a range of IPs on a local network. This can be useful while doing Pentests inside a production network or sometimes like finding out a list of Web-UIs or cpanels on a range of IPs.

Scenario:

Internal Network : 192.168.0.0/24

Attacker: Kali Linux

command: whatweb -v 192.168.0.1/24

Interestingly, the verbose output gives out coloured strings of interesting information. Take look at all those colours in the images below & identify all modules.

Try for yourself: Remember whatweb can scan for ranges outside the LAN, on the WAN also. Find out google’s IP address, and  perform a scan on it’s range.

Read more here to explore the whatweb tool.