Home

                         .$$$     $.                                   .$$$     $.                         
                         $$$$     $$. .$$$  $$$ .$$$$$$.  .$$$$$$$$$$. $$$$     $$. .$$$$$$$. .$$$$$$.                         
                         $ $$     $$$ $ $$  $$$ $ $$$$$$. $$$$$ $$$$$$ $ $$     $$$ $ $$   $$ $ $$$$$$.                         
                         $ `$     $$$ $ `$  $$$ $ `$  $$$ $$' $ `$ `$$ $ `$     $$$ $ `$      $ `$  $$$'                         
                         $. $     $$$ $. $$$$$$ $. $$$$$$ `$  $. $  :' $. $     $$$ $. $$$$   $. $$$$$.                         
                         $::$  .  $$$ $::$  $$$ $::$  $$$     $::$     $::$  .  $$$ $::$      $::$  $$$$                         
                         $;;$ $$$ $$$ $;;$  $$$ $;;$  $$$     $;;$     $;;$ $$$ $$$ $;;$      $;;$  $$$$                         
                         $$$$$$ $$$$$ $$$$  $$$ $$$$  $$$     $$$$     $$$$$$ $$$$$ $$$$$$$$$ $$$$$$$$$'                         

Identify content management systems (CMS), blogging platforms, stats/analytics packages, javascript libraries, servers and more. When you visit a website in your browser the transaction includes many unseen hints about how the webserver is set up and what software is delivering the webpage. Some of these hints are obvious, eg. "Powered by XYZ" and others are more subtle. WhatWeb recognises these cues and reports what it finds.

WhatWeb has over 750 plugins and needs community support to develop more. Plugins can identify systems with obvious identifying hints removed by also looking for subtle clues. For example, a WordPress site might remove the tag but the WordPress plugin also looks for "wp-content" which is less easy to disguise. Plugins are flexible and can return any datatype, for example plugins can return version numbers, email addresses, account ID's and more.

There are both passive and aggressive plugins. Passive plugins use information on the page, in cookies and in the URL to identify the system. A passive request is as light weight as a simple GET / HTTP/1.1 request. Aggressive plugins guess URLs and request more files. Plugins are easy to write, you don't need to know ruby to make them.

New to WhatWeb?

• Download
  • WhatWeb 0.4.5 - Stable - August 17th 2010
  • WhatWeb 0.4.6-dev - Development Build
  • WhatWeb 0.4.6-dev-unstable - Unstable Development Build
• Check out the Features which have earned WhatWeb community recognition.
• Learn what makes WhatWeb a next generation web scanner.
• Find out how to Install WhatWeb, see the list of Plugins or find out about WhatWeb Usage and Advanced Usage.
• Learn how you can contribute to make WhatWeb better!

News

February 2011

• WhatWeb has been integrated into VulnIT 3.0

December 2010

• WhatWeb added to VulnerabilityAssessment.co.uk

November 2010

• WhatWeb's first birthday! One year since WhatWeb 0.3 was released on November 2nd 2009 at Kiwicon III.
• WhatWeb has been integrated into BackBox.
• WhatWeb added to the Rochester Institute of Technology SPARSA Wiki (Security Practices and Research Student Association)
• WhatWeb and BlindElephant were featured in the How Does Your Gut Stack Up presentation at Kiwicon4.
  • How Does Your Gut Stack Up - no videos - 6,890 KB
  • How Does Your Gut Stack Up - slides+videos - Low Quality NSV - 14,452 KB
  • How Does Your Gut Stack Up - slides+videos - High Quality AVI - ~115MB

October 2010

• Project milestone : 500 plugins!

September 2010

• WhatWeb has been integrated into Backtrack.
• WhatWeb has been included on the DVD supplement to the Russian hacking magazine Хакер volume 140.

August 2010

• WhatWeb has been integrated into Pentoo.
• WhatWeb 0.4.5 was featured on Packetstorm Security during August 2010.
• WhatWeb 0.4.5 released on August 17th 2010.
• A modsecurity rule for WhatWeb has been added to AtomiCorp's rule set.
  • Avoiding the rule is as easy as using the -U or --user-agent command line option.

July 2010

• WhatWeb 0.4.4 was featured on Packetstorm Security during July 2010.

June 2010

• Project milestone : 100 plugins!
• WhatWeb 0.4.4 released on 29th June 2010.

May 2010

• WhatWeb 0.4.3 released on 24th May 2010.

April 2010

• WhatWeb 0.4.2 released on 30th April 2010.

March 2010

• WhatWeb 0.4.1 released on 28th March 2010.
• WhatWeb 0.4 released on 14th March 2010.
• A Snort IDS rule for WhatWeb has been created.
  • Avoiding the rule is as easy as using the -U or --user-agent command line option.

November 2009

• WhatWeb 0.3 released on 2nd November 2009.

Development

Read the RoadMap and developer Discussion regarding the future of WhatWeb.

Core

• Open Issues
• Known Issues

Plugins

• Latest Plugins
  • All plugins in the latest development build.
• Plugins [Pending]
  • Plugins pending peer-review and testing.
• Plugins [To Update]
  • Plugins which could be improved or contain bugs.
• Plugins [To Do]
  • Plugins allocated for development.
• Resources for writing plugins
  • A list of applications not yet allocated for development and how to find live samples.
• How to develop WhatWeb plugins
  • An in depth guide to plugin development with examples and example code.
• Plugin Development Tools
  • What they do and how to use them.