WHATWEB(1) General Commands Manual WHATWEB(1)

WhatWeb - Next generation Web scanner. Identify technologies used by
websites.

whatweb [options] <URLs>

WhatWeb identifies websites. Its goal is to answer the question, "What
is that Website?". WhatWeb recognises web technologies including content
management systems (CMS), blogging platforms, statistic/analytics
packages, JavaScript libraries, web servers, and embedded devices.
WhatWeb has over 1800 plugins, each to recognise something different.
WhatWeb also identifies version numbers, email addresses, account IDs,
web framework modules, SQL errors, and more.

WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb supports
an aggression level to control the trade-off between speed and
reliability. When you visit a website in your browser, the transaction
includes many hints of what web technologies are powering that website.
Sometimes a single webpage visit contains enough information to identify
a website, but when it does not, WhatWeb can interrogate the website
further. The default level of aggression, called 'passive', is the
fastest and requires only one HTTP request of a website. This is
suitable for scanning public websites. More aggressive modes were
developed for use in penetration tests.

Most WhatWeb plugins are thorough and recognise a range of cues from
subtle to obvious. For example, most WordPress websites can be
identified by the meta HTML tag, e.g. '<meta name="generator"
content="WordPress 2.6.5">'. A minority of WordPress websites remove
this identifying tag, but this does not thwart WhatWeb. The WordPress
WhatWeb plugin has over 15 tests, which include checking the favicon,
default installation files, login pages, and checking for
"/wp-content/" within relative links.

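Why removing the generator tag does not hide WordPress, as an added Ruby example (not WhatWeb's plugin code): two of the passive cues named above are checked against one response body. The cue names, certainty values and sample pages are assumptions constructed for this illustration.

```ruby
# Added illustration, not WhatWeb's plugin code. Cue names and certainty
# values are assumptions chosen for this example.
GENERATOR = /<meta\s+name=["']generator["']\s+content=["']WordPress\s*([\d.]+)?["']/i
WP_CONTENT = %r{(?:href|src)=["'][^"']*/wp-content/}i

# Returns nil when no cue matches, otherwise a hash with the cues seen,
# the version string (only the generator tag carries one) and the
# highest certainty among the matched cues.
def fingerprint_wordpress(html)
  cues = []
  version = nil
  if (m = GENERATOR.match(html))
    cues << { name: 'meta-generator', certainty: 100 }
    version = m[1]
  end
  cues << { name: 'wp-content-link', certainty: 75 } if WP_CONTENT.match?(html)
  return nil if cues.empty?

  { cues: cues.map { |c| c[:name] }, version: version,
    certainty: cues.map { |c| c[:certainty] }.max }
end

# Constructed sample pages: one with the tag, one with it removed,
# and one static page that is not WordPress at all.
WITH_TAG = <<~HTML
  <html><head><meta name="generator" content="WordPress 2.6.5">
  <link rel="stylesheet" href="/wp-content/themes/x/style.css"></head></html>
HTML
TAG_REMOVED = <<~HTML
  <html><head><title>Blog</title>
  <script src="/wp-content/plugins/y/y.js"></script></head></html>
HTML
PLAIN = '<html><head><title>Hello</title></head><body>static</body></html>'

if __FILE__ == $PROGRAM_NAME
  [WITH_TAG, TAG_REMOVED, PLAIN].each { |page| p fingerprint_wordpress(page) }
end
```

With the tag stripped, the platform is still identified from asset paths; only the version string is lost, so tag removal is not a substitute for patching.
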
Features:

* Over 1800 plugins
* Control the trade off between speed/stealth and reliability
* Performance tuning. Control how many websites to scan concurrently.
* Multiple log formats: Brief (greppable), Verbose (human readable),
  XML, JSON, MagicTree, RubyObject, MongoDB, SQL.
* Proxy support including TOR
* Custom HTTP headers
* Basic HTTP authentication
* Control over webpage redirection
* IP address ranges
* Fuzzy matching
* Result certainty awareness
* Custom plugins defined on the command line
* IDN (International Domain Name) support

<TARGETs>
    Enter URLs, hostnames, IP addresses, filenames or IP ranges in
    CIDR, x.x.x-x, or x.x.x.x-x.x.x.x format.

--input-file=FILE -i
    Identify URLs found in FILE

--url-prefix
    Add a prefix to target URLs

--url-suffix
    Add a suffix to target URLs

--url-pattern
    Insert the targets into a URL. Requires --input-file, e.g.
    www.example.com/%insert%/robots.txt

The aggression level controls the trade-off between speed/stealth and
reliability.

--aggression -a=LEVEL
    Set the aggression level. Default: 1.

    1. Stealthy     Makes one HTTP request per target and also follows
                    redirects.
    3. Aggressive   If a level 1 plugin is matched, additional requests
                    will be made.
    4. Heavy        Makes a lot of HTTP requests per target. URLs from
                    all plugins are attempted.

--user-agent, -U=AGENT
    Identify as AGENT instead of WhatWeb/0.4.9.

--header, -H
    Add an HTTP header. eg "Foo:Bar". Specifying a default header
    will replace it. Specifying an empty value, e.g. "User-Agent:"
    will remove it.

--follow-redirect=WHEN
    Control when to follow redirects. WHEN may be `never',
    `http-only', `meta-only', `same-site', or `always'. Default: always.

--max-redirects=NUM
    Maximum number of redirects. Default: 10.

--user, -u=<user:password>
    HTTP basic authentication.

--cookie, -c=COOKIES
    Use cookies, e.g. 'name=value; name2=value2'.

--proxy <hostname[:port]>
    Set proxy hostname and port. Default: 8080.

--proxy-user <username:password>
    Set proxy user and password.

--list-plugins, -l
    List all plugins.

--info-plugins, -I=[SEARCH]
    List all plugins with detailed information. Optionally search
    with keywords in a comma delimited list.

--search-plugins=STRING
    Search plugins for a keyword.

--plugins, -p=LIST
    Select plugins. LIST is a comma delimited set of selected plugins.
    Default is all. Each element can be a directory, file or
    plugin name and can optionally have a modifier, +/-.

    Examples: +/tmp/moo.rb,+/tmp/foo.rb
              title,md5,+./plugins-disabled/
              +./plugins-disabled,-md5
    -p + is a shortcut for -p +plugins-disabled.

--grep, -g=STRING|REGEXP
    Search for STRING or a Regular Expression. Shows only the results
    that match.

    Examples: --grep "hello"
              --grep "/he[l]*o/"

--custom-plugin=DEFINITION
    Define a custom plugin named Custom-Plugin,

    Examples: ":text=>'powered by abc'"
              ":version=>/powered[ ]?by ab[0-9]/"
              ":ghdb=>'intitle:abc
              ":md5=>'8666257030b94d3bdb46e05945f60b42'"
              "{:text=>'powered by abc'}"

--dorks=PLUGIN
    List Google dorks for the selected plugin.

--verbose, -v
    Verbose output includes plugin descriptions. Use twice for
    debugging.

--colour,--color=WHEN
    Control whether colour is used. WHEN may be `never', `always',
    or `auto'.

--quiet, -q
    Do not display brief logging to STDOUT.

--no-errors
    Suppress error messages.

--log-brief=FILE
    Log brief, one-line output.

--log-verbose=FILE
    Log verbose output.

--log-errors=FILE
    Log errors.

--log-xml=FILE
    Log XML format.

--log-json=FILE
    Log JSON format.

--log-sql=FILE
    Log SQL INSERT statements.

--log-sql-create=FILE
    Create SQL database tables.

--log-json-verbose=FILE
    Log JSON Verbose format.

--log-magictree=FILE
    Log MagicTree XML format.

--log-object=FILE
    Log Ruby object inspection format.

--log-mongo-database
    Name of the MongoDB database.

--log-mongo-collection
    Name of the MongoDB collection. Default: whatweb.

--log-mongo-host
    MongoDB hostname or IP address. Default: 0.0.0.0.

--log-mongo-username
    MongoDB username. Default: nil.

--log-mongo-password
    MongoDB password. Default: nil.

--log-elastic-index
    Name of the index to store results. Default: whatweb

--log-elastic-host
    Host:port of the elastic http interface. Default: 127.0.0.1:9200

--max-threads, -t
    Number of simultaneous threads. Default: 25.

--open-timeout
    Time in seconds. Default: 15.

--read-timeout
    Time in seconds. Default: 30.

--wait=SECONDS
    Wait SECONDS between connections. This is useful when using a
    single thread.

--short-help
    Short usage help.

--help, -h
    Complete usage help.

--debug
    Raise errors in plugins.

--version
    Display version information.

Scan example.com.
    ./whatweb example.com

Scan reddit.com slashdot.org with verbose plugin descriptions.
    ./whatweb -v reddit.com slashdot.org

An aggressive scan of wired.com detects the exact version of WordPress.
    ./whatweb -a 3 www.wired.com

Scan the local network quickly and suppress errors.
    whatweb --no-errors 192.168.0.0/24

Scan the local network for https websites.
    whatweb --no-errors --url-prefix https:// 192.168.0.0/24

Scan for crossdomain policies in the Alexa Top 1000.
    ./whatweb -i plugin-development/alexa-top-100.txt --url-suffix /crossdomain.xml -p crossdomain_xml

Report bugs and feature requests to
https://github.com/urbanadventurer/WhatWeb

Developed by Andrew Horton (urbanadventurer) and Brendan Coles
(bcoles).

https://www.morningstarsecurity.com/research/whatweb

https://github.com/urbanadventurer/WhatWeb/

December 14th, 2020 WHATWEB(1)