WhatWeb介紹
WhatWeb可識別Web技術,包括指紋識別、內容管理系統(CMS)、博客平臺、統計/分析包、JavaScript庫、Web服務器和嵌入式設備。WhatWeb有超過1800個插件,每個插件都能識別不同的東西。WhatWeb還標識版本號,電子郵件地址,帳戶ID,Web框架模塊,SQL錯誤等。
WhatWeb支持攻擊級別的設置來控制速度和穩定性。默認的攻擊級別稱為“隱身”,速度最快,只需要一個HTTP請求。適用于掃描公共網站。WhatWeb還開發了更高效的模式用于滲透測試。
WhatWeb截圖
WhatWeb特點
- 超過1800個插件
- 控制速度/隱身和可靠性之間的權衡
- 性能調整。控制同時掃描多少個網站。
- 多種日志格式:簡短,詳細,XML,JSON,MagicTree,RubyObject,MongoDB,ElasticSearch,SQL。
- 代理支持包括TOR
- 自定義HTTP標頭
- 基本HTTP身份驗證
- 控制網頁重定向
- IP地址范圍
- 模糊匹配
- 結果確定性意識
- 在命令行上定義的自定義插件
- IDN(國際域名)支持
WhatWeb安裝
WhatWeb是跨平臺兼容的,適用于任何Ruby 2.x環境,包括Windows,Mac OSX和Linux。
參考:https://github.com/urbanadventurer/WhatWeb/wiki/Installation
WhatWeb示例用法
使用WhatWeb掃描reddit.com。
$ ./whatweb reddit.comhttp://reddit.com [301 Moved Permanently] Country[UNITED STATES][US], HTTPServer[snooserv], IP[151.101.65.140], RedirectLocation[https://www.reddit.com/], UncommonHeaders[retry-after,x-served-by,x-cache-hits,x-timer], Via-Proxy[1.1 varnish]https://www.reddit.com/ [200 OK] Cookies[edgebucket,eu_cookie_v2,loid,rabt,rseor3,session_tracker,token], Country[UNITED STATES][US], Email[banner@2x.png,snoo-home@2x.png], Frame, HTML5, HTTPServer[snooserv], HttpOnly[token], IP[151.101.37.140], Open-Graph-Protocol[website], Script[text/javascript], Strict-Transport-Security[max-age=15552000; includeSubDomains; preload], Title[reddit: the front page of the internet], UncommonHeaders[fastly-restarts,x-served-by,x-cache-hits,x-timer], Via-Proxy[1.1 varnish], X-Frame-Options[SAMEORIGIN]
參數
Usage: whatweb [options] <URLs> TARGET SELECTION: <TARGETs> Enter URLs, hostnames, IP addresses, filenames or IP ranges in CIDR, x.x.x-x, or x.x.x.x-x.x.x.x format. --input-file=FILE, -i Read targets from a file. You can pipe hostnames or URLs directly with -i /dev/stdin. TARGET MODIFICATION: --url-prefix Add a prefix to target URLs. --url-suffix Add a suffix to target URLs. --url-pattern Insert the targets into a URL. Requires --input-file, eg. www.example.com/%insert%/robots.txt AGGRESSION: The aggression level controls the trade-off between speed/stealth and reliability. --aggression, -a=LEVEL Set the aggression level. Default: 1. Aggression levels are: 1. Stealthy Makes one HTTP request per target. Also follows redirects. 3. Aggressive If a level 1 plugin is matched, additional requests will be made. 4. Heavy Makes a lot of HTTP requests per target. Aggressive tests from all plugins are used for all URLs. HTTP OPTIONS: --user-agent, -U=AGENT Identify as AGENT instead of WhatWeb/0.5.0. --header, -H Add an HTTP header. eg "Foo:Bar". Specifying a default header will replace it. Specifying an empty value, eg. "User-Agent:" will remove the header. --follow-redirect=WHEN Control when to follow redirects. WHEN may be `never', `http-only', `meta-only', `same-site', or `always'. Default: always. --max-redirects=NUM Maximum number of contiguous redirects. Default: 10. AUTHENTICATION: --user, -u=<user:password> HTTP basic authentication. --cookie, -c=COOKIES Provide cookies, e.g. 'name=value; name2=value2'. --cookiejar=FILE Read cookies from a file. PROXY: --proxy <hostname[:port]> Set proxy hostname and port. Default: 8080. --proxy-user <username:password> Set proxy user and password. PLUGINS: --list-plugins, -l List all plugins. --info-plugins, -I=[SEARCH] List all plugins with detailed information. Optionally search with keywords in a comma delimited list. --search-plugins=STRING Search plugins for a keyword. --plugins, -p=LIST Select plugins. LIST is a comma delimited set of selected plugins. Default is all. Each element can be a directory, file or plugin name and can optionally have a modifier, eg. + or - Examples: +/tmp/moo.rb,+/tmp/foo.rb title,md5,+./plugins-disabled/ ./plugins-disabled,-md5 -p + is a shortcut for -p +plugins-disabled. --grep, -g=STRING|REGEXP Search for STRING or a Regular Expression. Shows only the results that match. Examples: --grep "hello" --grep "/he[l]*o/" --custom-plugin=DEFINITION\tDefine a custom plugin named Custom-Plugin, --custom-plugin=DEFINITION Define a custom plugin named Custom-Plugin, Examples: ":text=>'powered by abc'" ":version=>/powered[ ]?by ab[0-9]/" ":ghdb=>'intitle:abc \"powered by abc\"'" ":md5=>'8666257030b94d3bdb46e05945f60b42'" --dorks=PLUGIN List Google dorks for the selected plugin. OUTPUT: --verbose, -v Verbose output includes plugin descriptions. Use twice for debugging. --colour,--color=WHEN control whether colour is used. WHEN may be `never', `always', or `auto'. --quiet, -q Do not display brief logging to STDOUT. --no-errors Suppress error messages. LOGGING: --log-brief=FILE Log brief, one-line output. --log-verbose=FILE Log verbose output. --log-errors=FILE Log errors. --log-xml=FILE Log XML format. --log-json=FILE Log JSON format. --log-sql=FILE Log SQL INSERT statements. --log-sql-create=FILE Create SQL database tables. --log-json-verbose=FILE Log JSON Verbose format. --log-magictree=FILE Log MagicTree XML format. --log-object=FILE Log Ruby object inspection format. --log-mongo-database Name of the MongoDB database. --log-mongo-collection Name of the MongoDB collection. Default: whatweb. --log-mongo-host MongoDB hostname or IP address. Default: 0.0.0.0. --log-mongo-username MongoDB username. Default: nil. --log-mongo-password MongoDB password. Default: nil. --log-elastic-index Name of the index to store results. Default: whatweb --log-elastic-host Host:port of the elastic http interface. Default: 127.0.0.1:9200 PERFORMANCE & STABILITY: --max-threads, -t Number of simultaneous threads. Default: 25. --open-timeout Time in seconds. Default: 15. --read-timeout Time in seconds. Default: 30. --wait=SECONDS Wait SECONDS between connections. This is useful when using a single thread. HELP & MISCELLANEOUS: --short-help Short usage help. --help, -h Complete usage help. --debug Raise errors in plugins. --version Display version information. (WhatWeb 0.5.0). EXAMPLE USAGE:* Scan example.com. ./whatweb example.com* Scan reddit.com slashdot.org with verbose plugin descriptions. ./whatweb -v reddit.com slashdot.org* An aggressive scan of wired.com detects the exact version of WordPress. ./whatweb -a 3 www.wired.com* Scan the local network quickly and suppress errors. whatweb --no-errors 192.168.0.0/24* Scan the local network for https websites. whatweb --no-errors --url-prefix https:// 192.168.0.0/24* Scan for crossdomain policies in the Alexa Top 1000. ./whatweb -i plugin-development/alexa-top-100.txt \ --url-suffix /crossdomain.xml -p crossdomain_xml
記錄和輸出
支持以下類型的日志記錄:
- --log-brief = FILE Brief,one-line,greppable format
- --log-verbose = FILE詳細
- --log-xml = FILE XML格式。提供了XSL樣式表
- --log-json = FILE JSON格式
- --log-json-verbose = FILE JSON詳細格式
- --log-magictree = FILE MagicTree XML格式
- --log-object = FILE Ruby對象檢查格式
- --log-mongo-database MongoDB數據庫的名稱
- --log-mongo-collection MongoDB集合的名稱。默認值:whatweb
- --log-mongo-host MongoDB主機名或IP地址。默認值:0.0.0.0
- --log-mongo-username MongoDB用戶名。默認值:nil
- --log-mongo-password MongoDB密碼。默認值:nil
- --log-elastic-index用于存儲結果的索引的名稱。默認值:whatweb
- --log-elastic-host Host:彈性http接口的端口。默認值:127.0.0.1:9200
- --log-errors = FILE記錄錯誤。這通常以紅色打印到屏幕上。
您可以通過指定多個命令行日志記錄選項同時輸出到多個日志。想要SQL輸出的高級用戶應閱讀源代碼以查看不支持的功能。
WhatWeb插件
比賽用:
- 文本字符串(區分大小寫)
- 常用表達
- Google Hack數據庫查詢(有限的關鍵字集)
- MD5哈希
- URL識別
- HTML標記模式
- 用于被動和激進操作的自定義ruby代碼
列出支持的插件:
$ ./whatweb -l
搜索插件
$ ./whatweb -I phpBB WhatWeb Detailed Plugin ListSearching for phpBB================================================================================Plugin: phpBB--------------------------------------------------------------------------------Description: phpBB is a free forum Website: http://phpbb.org/ Author: Andrew HortonVersion: 0.3 Features: [Yes] Pattern Matching (7) [Yes] Version detection from pattern matching [Yes] Function for passive matches [Yes] Function for aggressive matches [Yes] Google Dorks (1) Google Dorks:[1] "Powered by phpBB"================================================================================
FreeBuf
無憂智庫
看雪學苑
黑白之道
安全牛
虹科網絡安全
一顆小胡椒
骨哥說事
安全圈
CNCERT國家工程研究中心
系統安全運維
娜璋AI安全之家
