Unveiling the Power of WhatWeb: Your Ultimate Website Identifier
In the vast landscape of the internet, websites come in all shapes and sizes, each powered by a unique combination of technologies. Have you ever wondered, "What is that website using?" If so, you're in luck because today we're going to introduce you to WhatWeb, a powerful web scanner that can answer that very question. Let's dive into the world of WhatWeb and explore its capabilities.
What is WhatWeb?
WhatWeb is an ingenious tool designed to identify websites and reveal the technologies running under their hood. Whether it's content management systems (CMS), blogging platforms, statistical analytics packages, JavaScript libraries, web servers, or even embedded devices, WhatWeb can uncover them all. With a vast library of over 1800 plugins, WhatWeb can recognize a wide range of web technologies, making it an invaluable resource for web enthusiasts and cybersecurity professionals.
Key Features
Versatility
One of the standout features of WhatWeb is its ability to adapt to your needs. It offers a range of aggression levels, allowing you to choose between speed and thoroughness. If you need quick results, the default "stealthy" level makes one HTTP request per target (and follows redirects), making it ideal for scanning public websites. On the other hand, for more in-depth analysis, you can opt for the more aggressive levels developed for penetration tests.
Extensive Plugin Library
WhatWeb's strength lies in its extensive plugin library. These plugins are meticulously designed to recognize specific web technologies and provide detailed information. For example, the WordPress plugin not only checks for the standard meta HTML tag but also performs multiple tests, including checking the favicon, default installation files, login pages, and relative links containing "/wp-content/". This level of granularity ensures accurate identification even when websites attempt to conceal their technology stack.
User-Friendly Usage
Using WhatWeb is straightforward. You can initiate scans by providing URLs, hostnames, IP addresses, filenames, or IP ranges. It also supports reading targets from a file, allowing you to batch process multiple websites. The tool provides various options to customize your scans, such as adding prefixes or suffixes to target URLs and specifying the level of aggression.
Example Usage
To give you a taste of WhatWeb's capabilities, here's an example of scanning Reddit.com:
$ ./whatweb reddit.com
* Scan example.com.
./whatweb example.com
* Scan reddit.com slashdot.org with verbose plugin descriptions.
./whatweb -v reddit.com slashdot.org
* An aggressive scan of wired.com detects the exact version of WordPress.
./whatweb -a 3 www.wired.com
* Scan the local network quickly and suppress errors.
whatweb --no-errors 192.168.0.0/24
* Scan the local network for https websites.
whatweb --no-errors --url-prefix https:// 192.168.0.0/24
* Scan for crossdomain policies in the Alexa Top 1000.
./whatweb -i plugin-development/alexa-top-100.txt \
  --url-suffix /crossdomain.xml -p crossdomain_xml
The first command, ./whatweb reddit.com, analyzes Reddit's website and provides detailed information about its technologies, including the country it's hosted in, HTTP server software, IP address, and more.
TARGET SELECTION:
  <TARGETs>                         Enter URLs, hostnames, IP addresses, filenames or
                                    IP ranges in CIDR, x.x.x-x, or x.x.x.x-x.x.x.x
                                    format.
  --input-file=FILE, -i             Read targets from a file. You can pipe
                                    hostnames or URLs directly with -i /dev/stdin.

TARGET MODIFICATION:
  --url-prefix                      Add a prefix to target URLs.
  --url-suffix                      Add a suffix to target URLs.
  --url-pattern                     Insert the targets into a URL.
                                    e.g. example.com/%insert%/robots.txt

AGGRESSION:
The aggression level controls the trade-off between speed/stealth and
reliability.
  --aggression, -a=LEVEL            Set the aggression level. Default: 1.
  1. Stealthy                       Makes one HTTP request per target and also
                                    follows redirects.
  3. Aggressive                     If a level 1 plugin is matched, additional
                                    requests will be made.
  4. Heavy                          Makes a lot of HTTP requests per target. URLs
                                    from all plugins are attempted.

HTTP OPTIONS:
  --user-agent, -U=AGENT            Identify as AGENT instead of WhatWeb/0.5.5.
  --header, -H                      Add an HTTP header. eg "Foo:Bar". Specifying a
                                    default header will replace it. Specifying an
                                    empty value, e.g. "User-Agent:" will remove it.
  --follow-redirect=WHEN            Control when to follow redirects. WHEN may be
                                    `never', `http-only', `meta-only', `same-site',
                                    or `always'. Default: always.
  --max-redirects=NUM               Maximum number of redirects. Default: 10.

AUTHENTICATION:
  --user, -u=<user:password>        HTTP basic authentication.
  --cookie, -c=COOKIES              Use cookies, e.g. 'name=value; name2=value2'.
  --cookie-jar=FILE                 Read cookies from a file.

PROXY:
  --proxy <hostname[:port]>         Set proxy hostname and port.
                                    Default: 8080.
  --proxy-user <username:password>  Set proxy user and password.

PLUGINS:
  --list-plugins, -l                List all plugins.
  --info-plugins, -I=[SEARCH]       List all plugins with detailed information.
                                    Optionally search with keywords in a comma
                                    delimited list.
  --search-plugins=STRING           Search plugins for a keyword.
  --plugins, -p=LIST                Select plugins. LIST is a comma delimited set
                                    of selected plugins. Default is all.
                                    Each element can be a directory, file or plugin
                                    name and can optionally have a modifier, +/-.
                                    Examples: +/tmp/moo.rb,+/tmp/foo.rb
                                    title,md5,+./plugins-disabled/
                                    ./plugins-disabled,-md5
                                    -p + is a shortcut for -p +plugins-disabled.
  --grep, -g=STRING|REGEXP          Search for STRING or a Regular Expression. Shows
                                    only the results that match.
                                    Examples: --grep "hello"
                                    --grep "/he[l]*o/"
  --custom-plugin=DEFINITION        Define a custom plugin named Custom-Plugin,
                                    Examples: ":text=>'powered by abc'"
                                    ":version=>/powered[ ]?by ab[0-9]/"
                                    ":ghdb=>'intitle:abc \"powered by abc\"'"
                                    ":md5=>'8666257030b94d3bdb46e05945f60b42'"
                                    "{:text=>'powered by abc'}"
  --dorks=PLUGIN                    List Google dorks for the selected plugin.

OUTPUT:
  --verbose, -v                     Verbose output includes plugin descriptions.
                                    Use twice for debugging.
  --colour,--color=WHEN             control whether colour is used. WHEN may be
                                    `never', `always', or `auto'.
  --quiet, -q                       Do not display brief logging to STDOUT.
  --no-errors                       Suppress error messages.

LOGGING:
  --log-brief=FILE                  Log brief, one-line output.
  --log-verbose=FILE                Log verbose output.
  --log-errors=FILE                 Log errors.
  --log-xml=FILE                    Log XML format.
  --log-json=FILE                   Log JSON format.
  --log-sql=FILE                    Log SQL INSERT statements.
  --log-sql-create=FILE             Create SQL database tables.
  --log-json-verbose=FILE           Log JSON Verbose format.
  --log-magictree=FILE              Log MagicTree XML format.
  --log-object=FILE                 Log Ruby object inspection format.
  --log-mongo-database              Name of the MongoDB database.
  --log-mongo-collection            Name of the MongoDB collection.
                                    Default: whatweb.
  --log-mongo-host                  MongoDB hostname or IP address.
                                    Default: 0.0.0.0.
  --log-mongo-username              MongoDB username. Default: nil.
  --log-mongo-password              MongoDB password. Default: nil.
  --log-elastic-index               Name of the index to store results. Default: whatweb
  --log-elastic-host                Host:port of the elastic http interface. Default: 127.0.0.1:9200

PERFORMANCE & STABILITY:
  --max-threads, -t                 Number of simultaneous threads. Default: 25.
  --open-timeout                    Time in seconds. Default: 15.
  --read-timeout                    Time in seconds. Default: 30.
  --wait=SECONDS                    Wait SECONDS between connections.
                                    This is useful when using a single thread.

HELP & MISCELLANEOUS:
  --short-help                      Short usage help.
  --help, -h                        Complete usage help.
  --debug                           Raise errors in plugins.
  --version                         Display version information.
Plugins Galore
WhatWeb's plugins cover a wide array of web technologies. You can list available plugins, get detailed information about a specific one, or search for plugins based on keywords. The tool even supports custom plugins defined on the command line, giving you the flexibility to extend its functionality as needed.
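To make the multi-test idea from the plugin library section concrete, here is an added Ruby example (not WhatWeb's own code) that models the :text, :version and :md5 match keys shown in the --custom-plugin help and shows why removing the generator meta tag alone does not hide a site's stack. The match list, the helper names fingerprint and summary, and both sample pages are hypothetical and constructed for illustration.

```ruby
require 'digest'

# Hypothetical match list modelled on the page's description of the WordPress
# plugin (generator meta tag, "/wp-content/" links) and on the --custom-plugin
# keys. These are not WhatWeb's real plugin definitions.
WORDPRESS_MATCHES = [
  { name: 'generator meta', version: /<meta name="generator" content="WordPress ([\d.]+)"/ },
  { name: 'wp-content link', text: '/wp-content/' }
].freeze

# Simplified model of match evaluation: every match is tested independently.
def fingerprint(body, matches)
  matches.each_with_object([]) do |m, hits|
    if m[:text] && body.include?(m[:text])
      hits << { name: m[:name], key: :text }
    end
    if m[:version] && (md = body.match(m[:version]))
      # Use the first capture group when the regexp has one, else the whole match.
      hits << { name: m[:name], key: :version, version: md[1] || md[0] }
    end
    if m[:md5] && Digest::MD5.hexdigest(body) == m[:md5]
      hits << { name: m[:name], key: :md5 }
    end
  end
end

# Constructed sample response body (not captured from a real site).
STOCK_PAGE = <<~HTML
  <html><head><meta name="generator" content="WordPress 6.4.2">
  <link rel="stylesheet" href="/wp-content/themes/demo/style.css"></head></html>
HTML
# The same page with the generator tag removed, as a site owner might do.
HARDENED_PAGE = STOCK_PAGE.sub(/<meta name="generator"[^>]*>/, '')

def summary(body)
  hits = fingerprint(body, WORDPRESS_MATCHES)
  { detected: !hits.empty?,
    version: hits.map { |h| h[:version] }.compact.first,
    evidence: hits.map { |h| h[:name] } }
end

if __FILE__ == $PROGRAM_NAME
  p summary(STOCK_PAGE)     # detected with a version
  p summary(HARDENED_PAGE)  # still detected, version no longer disclosed
end
```

Stripping the generator tag removes the version disclosure but not the identification, which is why patching matters more than hiding banners.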
Logging and Output
WhatWeb offers various logging options, allowing you to save results in different formats. Whether you prefer brief, verbose, XML, JSON, MagicTree, RubyObject, MongoDB, or SQL formats, WhatWeb has you covered. This flexibility makes it easy to integrate WhatWeb into your existing workflow or analysis tools.
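One way to fold the JSON log into an asset-inventory workflow is to diff two scans of your own hosts and report what changed. The Ruby below is an added example, not part of WhatWeb; it assumes a --log-json file is an array of objects with "target" and "plugins" keys (empty {} elements are skipped), and the function names and sample logs are constructed for illustration.

```ruby
require 'json'

# Build { target => { plugin => [versions] } } from a WhatWeb JSON log.
# Assumed shape: an array of objects with "target" and "plugins" keys, where
# each plugin maps to fields such as "version"; empty {} elements are skipped.
def inventory(json_text)
  JSON.parse(json_text).each_with_object({}) do |entry, inv|
    next unless entry.is_a?(Hash) && entry['target']
    inv[entry['target']] = (entry['plugins'] || {}).transform_values do |fields|
      Array(fields['version']).map(&:to_s)
    end
  end
end

# Compare two inventories and list what changed on each target.
def drift(baseline, current)
  current.each_with_object([]) do |(target, plugins), findings|
    old = baseline[target]
    if old.nil?
      findings << [target, :new_target, plugins.keys.sort.join(',')]
      next
    end
    plugins.each do |name, versions|
      if !old.key?(name)
        findings << [target, :new_technology, name]
      elsif old[name] != versions
        findings << [target, :version_changed,
                     "#{name} #{old[name].join('/')} -> #{versions.join('/')}"]
      end
    end
    (old.keys - plugins.keys).each { |name| findings << [target, :removed, name] }
  end
end

# Constructed sample logs for one internal host (not real scan output).
BASELINE_LOG = <<~JSON
  [{"target":"http://intranet.example.test","http_status":200,
    "plugins":{"HTTPServer":{"string":["nginx"]},"WordPress":{"version":["6.3"]}}},
   {}]
JSON
CURRENT_LOG = <<~JSON
  [{"target":"http://intranet.example.test","http_status":200,
    "plugins":{"HTTPServer":{"string":["nginx"]},"WordPress":{"version":["6.4"]},
               "phpMyAdmin":{"version":["5.2.1"]}}},
   {}]
JSON

if __FILE__ == $PROGRAM_NAME
  drift(inventory(BASELINE_LOG), inventory(CURRENT_LOG)).each { |f| puts f.join("\t") }
end
```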
Performance and Stability
To ensure efficient scans and reliable results, WhatWeb provides options to adjust the number of threads, timeouts, and wait times between connections. These settings allow you to fine-tune the tool's performance based on your requirements.
Optional Dependencies
For advanced features like MongoDB logging and character set detection, you can enable optional dependencies such as the Mongo gem and rchardet gem.
Conclusion
WhatWeb is a must-have tool for anyone curious about the technologies behind websites or involved in web security assessments. Its extensive plugin library, customization options, and robust logging capabilities make it a valuable asset in the world of web analysis. Whether you're a web enthusiast, a penetration tester, or a cybersecurity professional, WhatWeb is a powerful companion in your quest to uncover the secrets of the web.
If you're ready to start exploring the web's hidden technologies, you can learn more and download WhatWeb from its official homepage. So, next time you stumble upon a website and wonder, "What is that website using?", remember that WhatWeb has the answer!