Whatweb – A Scanning Tool to Find Security Vulnerabilities in Web App

Whatweb is the perfect name for this tool. Simply it answers the question, “What is that Website?” Whatweb can identify all sorts of information about a live website, like:

• Platform
• CMS platform
• Type of Script
• Google Analytics
• Web server Platform
• IP address, Country
• 900+ Plugins & their libraries used
• Server Headers, Cookies and a lot more.

Whatweb offers both passive scanning and aggressive testing. Passive scanning just extracts data from HTTP headers simulating a normal visit. Aggressive options get deeper with recursion & various types of queries & identify all technologies just like a vulnerability scanner.

So a pentester can use this tool as both a recon tool & vulnerability scanner. There are various other features like proxy support, scan tuning, scanning a range of IPs, spidering etc.

Whatweb Options

Syntax: whatweb [options] <URLs>

Options is deprecated. Only major options or listed. Visit whatweb tool homepage for complete options

TARGET SELECTION:
<URLs>                Enter URLs, filenames or nmap-format IP ranges.
--input-file=FILE, -i Identify URLs found in FILE, eg. -i /dev/stdin

TARGET MODIFICATION:
--url-prefix          Add a prefix to target URLs
--url-suffix          Add a suffix to target URLs
--url-pattern         Insert the targets into a URL. Requires --input-file,

AGGRESSION:
The aggression level controls the trade-off between speed/stealth and reliability.
--aggression, -a=LEVEL Set the aggression level. Default: 1
Aggression levels are: 1,2,3 & 4

HTTP OPTIONS:
--user-agent, -U=AGENT Identify as AGENT instead of WhatWeb/0.4.8-dev.
--follow-redirect=WHEN Control when to follow redirects.Default: always
--max-redirects=NUM   Maximum number of contiguous redirects. Default: 10

AUTHENTICATION:
--user, -u=<user:password> HTTP basic authentication
Add session cookies with --header, e.g. --header "Cookie: SESSID=1a2b3c;"

PROXY:
--proxy               <hostname[:port]> Set proxy hostname and port Default: 8080
--proxy-user          <username:password> Set proxy user and password

PLUGINS:
--list-plugins, -l    List all plugins

OUTPUT:
--verbose, -v         Verbose output includes plugin descriptions. Use twice for debugging.
--colour,--color=WHEN control whether colour is used. WHEN='always', 'never' or 'auto'
--quiet, -q           Do not display brief logging to STDOUT
--no-errors           Suppress error messages

LOGGING:
--log-brief=FILE      Log brief, one-line output
--log-verbose=FILE    Log verbose output
--log-xml=FILE        Log XML format

PERFORMANCE & STABILITY:
--max-threads, -t     Number of simultaneous threads. Default: 25.
--open-timeout        Time in seconds. Default: 15
--read-timeout        Time in seconds. Default: 30
--wait=SECONDS        Wait SECONDS between connections

HELP & MISCELLANEOUS:
--help, -h            This help
--debug               Raise errors in plugins
--version             Display version information. (WhatWeb 0.4.8-dev)

Whatweb Lab 1: Perform Simple enumeration of websites over the internet.

In this lab, we will perform simple enumeration of websites. The result of this is we can get to know the technologies used in the website & webserver.

Note: Please don’t use this against government or military websites without prior permission. The author of this article or tool itself are not responsible for any consequences if misused.

Scenario:

Attacker: Kali Linux VM

Target: www.facebook.com

Command: whatweb www.facebook.com

To give a more verbose Output

Command: whatweb -v www.facebook.com

Practically, how we can use this information for Vulnerability Analysis is that sometimes you may get that the webserver is an outdated version of Apache or IIS. Or sometimes, the website is running an old WordPress version vulnerable to many issues. Like that, you can find out the vulns & exploits for different versions of technologies used in the website.

Whatweb Lab 2: Perform Enumeration of a range of websites

whatweb allows you to test for a range of IP addresses. In this lab, we test a range of IPs on a local network. This can be useful while doing Pentests inside a production network or sometimes like finding out a list of Web-UIs or cpanels on a range of IPs.

Scenario:

Internal Network : 192.168.0.0/24

Attacker: Kali Linux

command: whatweb -v 192.168.0.1/24

Interestingly, the verbose output gives out coloured strings of interesting information. Take look at all those colours in the images below & identify all modules.

Try for yourself: Remember whatweb can scan for ranges outside the LAN, on the WAN also. Find out google’s IP address, and  perform a scan on it’s range.

Read more here to explore the whatweb tool.