网站指纹识别之WhatWeb

网站指纹识别之WhatWeb

在信息搜集过程中，对目标服务器进行指纹识别是非常有必要的，因为识别出目标是哪种Web容器或者CMS后，就可以根据这个信息再进一步查找与其相关的漏洞，然后利用相应的漏洞进行渗透测试。
1. 介绍：
WhatWeb是比较常用的工具之一，它可以识别包括内容管理系统 (CMS)、博客平台、统计/分析包、JavaScript库、网络服务器和嵌入式设备。WhatWeb有900多个插件，每个插件都可以识别不同的东西。WhatWeb还可以识别版本号、电子邮件地址、帐户ID、Web框架模块、SQL错误等。
特点：
*超过900个插件
*控制速度/隐蔽性和可靠性之间的权衡
*插件包括示例URL
*性能调整。控制同时扫描多少个网站。
*多种日志格式：Brief(greppable)，Verbose(human readable)，XML，JSON，MagicTree，RubyObject，MongoDB。
*递归网络爬取
*代理支持包括TOR
*自定义HTTP标头
*基本HTTP身份验证
*控制网页重定向
*Nmap样式的IP范围
*模糊匹配
*结果确定性感知
*在命令行上定义的自定义插件
2. 用法示例
Kali里已经集成了WhatWeb，直接运行命令即可实现简单的网络指纹识别：

也可以使用更高的攻击级别来识别正在使用的Jenkins版本。

3.帮助：
输入WhatWeb --help后可以查看详细帮助：

WhatWeb - Next generation web scanner version 0.5.1.
Developed by Andrew Horton (urbanadventurer) and Brendan Coles (bcoles).
Homepage: https://www.morningstarsecurity.com/research/whatweb

Usage: whatweb [options] <URLs>

TARGET SELECTION:
  <TARGETs>			Enter URLs, hostnames, IP addresses, filenames or
  				IP ranges in CIDR, x.x.x-x, or x.x.x.x-x.x.x.x
  				format.
  --input-file=FILE, -i		Read targets from a file. You can pipe
				hostnames or URLs directly with -i /dev/stdin.

TARGET MODIFICATION:
  --url-prefix			Add a prefix to target URLs.
  --url-suffix			Add a suffix to target URLs.
  --url-pattern			Insert the targets into a URL.
				e.g. example.com/%insert%/robots.txt

AGGRESSION:
The aggression level controls the trade-off between speed/stealth and
reliability.
  --aggression, -a=LEVEL	Set the aggression level. Default: 1.
  1. Stealthy			Makes one HTTP request per target and also
  				follows redirects.
  3. Aggressive			If a level 1 plugin is matched, additional
  				requests will be made.
  4. Heavy			Makes a lot of HTTP requests per target. URLs
  				from all plugins are attempted.

HTTP OPTIONS:
  --user-agent, -U=AGENT	Identify as AGENT instead of WhatWeb/0.5.1.
  --header, -H			Add an HTTP header. eg "Foo:Bar". Specifying a
				default header will replace it. Specifying an
				empty value, e.g. "User-Agent:" will remove it.
  --follow-redirect=WHEN	Control when to follow redirects. WHEN may be
				`never', `http-only', `meta-only', `same-site',
				or `always'. Default: always.
  --max-redirects=NUM		Maximum number of redirects. Default: 10.

AUTHENTICATION:
  --user, -u=<user:password>	HTTP basic authentication.
  --cookie, -c=COOKIES		Use cookies, e.g. 'name=value; name2=value2'.
  --cookie-jar=FILE		Read cookies from a file.

PROXY:
  --proxy			<hostname[:port]> Set proxy hostname and port.
				Default: 8080.
  --proxy-user			<username:password> Set proxy user and password.

PLUGINS:
  --list-plugins, -l		List all plugins.
  --info-plugins, -I=[SEARCH]	List all plugins with detailed information.
				Optionally search with keywords in a comma
				delimited list.
  --search-plugins=STRING	Search plugins for a keyword.
  --plugins, -p=LIST		Select plugins. LIST is a comma delimited set
				of selected plugins. Default is all.
				Each element can be a directory, file or plugin
				name and can optionally have a modifier, +/-.
				Examples: +/tmp/moo.rb,+/tmp/foo.rb
				title,md5,+./plugins-disabled/
				./plugins-disabled,-md5
				-p + is a shortcut for -p +plugins-disabled.
  --grep, -g=STRING|REGEXP	Search for STRING or a Regular Expression. Shows
				only the results that match.
				Examples: --grep "hello"
				--grep "/he[l]*o/"
  --custom-plugin=DEFINITION	Define a custom plugin named Custom-Plugin,
				Examples: ":text=>'powered by abc'"
				":version=>/powered[ ]?by ab[0-9]/"
				":ghdb=>'intitle:abc \"powered by abc\"'"
				":md5=>'8666257030b94d3bdb46e05945f60b42'"
				"{:text=>'powered by abc'}"
  --dorks=PLUGIN		List Google dorks for the selected plugin.

OUTPUT:
  --verbose, -v			Verbose output includes plugin descriptions.
				Use twice for debugging.
  --colour,--color=WHEN		control whether colour is used. WHEN may be
				`never', `always', or `auto'.
  --quiet, -q			Do not display brief logging to STDOUT.
  --no-errors			Suppress error messages.

LOGGING:
  --log-brief=FILE		Log brief, one-line output.
  --log-verbose=FILE		Log verbose output.
  --log-errors=FILE		Log errors.
  --log-xml=FILE		Log XML format.
  --log-json=FILE		Log JSON format.
  --log-sql=FILE		Log SQL INSERT statements.
  --log-sql-create=FILE		Create SQL database tables.
  --log-json-verbose=FILE	Log JSON Verbose format.
  --log-magictree=FILE		Log MagicTree XML format.
  --log-object=FILE		Log Ruby object inspection format.
  --log-mongo-database		Name of the MongoDB database.
  --log-mongo-collection	Name of the MongoDB collection.
				Default: whatweb.
  --log-mongo-host		MongoDB hostname or IP address.
				Default: 0.0.0.0.
  --log-mongo-username		MongoDB username. Default: nil.
  --log-mongo-password		MongoDB password. Default: nil.
  --log-elastic-index		Name of the index to store results. Default: whatweb
  --log-elastic-host		Host:port of the elastic http interface. Default: 127.0.0.1:9200

PERFORMANCE & STABILITY:
  --max-threads, -t		Number of simultaneous threads. Default: 25.
  --open-timeout		Time in seconds. Default: 15.
  --read-timeout		Time in seconds. Default: 30.
  --wait=SECONDS		Wait SECONDS between connections.
				This is useful when using a single thread.

HELP & MISCELLANEOUS:
  --short-help			Short usage help.
  --help, -h			Complete usage help.
  --debug			Raise errors in plugins.
  --version			Display version information.

EXAMPLE USAGE:
* Scan example.com.
  ./whatweb example.com

* Scan reddit.com slashdot.org with verbose plugin descriptions.
  ./whatweb -v reddit.com slashdot.org

* An aggressive scan of wired.com detects the exact version of WordPress.
  ./whatweb -a 3 www.wired.com

* Scan the local network quickly and suppress errors.
  whatweb --no-errors 192.168.0.0/24

* Scan the local network for https websites.
  whatweb --no-errors --url-prefix https:// 192.168.0.0/24

* Scan for crossdomain policies in the Alexa Top 1000.
  ./whatweb -i plugin-development/alexa-top-100.txt \
  --url-suffix /crossdomain.xml -p crossdomain_xml

root@kali2020:/# 

4. 记录和输出
详细输出可以用-v来指定：

支持以下类型的日志记录：

–log-brief=FILE Brief, one-line, greppable format
–log-verbose=FILE Verbose
–log-xml=FILE XML 格式。提供XSL样式表
–log-json=FILE JSON格式
–log-json-verbose=FILE JSON详细格式
–log-magictree=FILE MagicTree XML格式
–log-object=FILE Ruby对象检查格式
–log-mongo-database的名称MongoDB 数据库
–log-mongo-collection MongoDB 集合的名称。默认值：whatweb
–log-mongo-host MongoDB 主机名或 IP 地址。默认值：0.0.0.0
–log-mongo-username MongoDB 用户名。默认值：nil
–log-mongo-password MongoDB 密码。默认值：nil
–log-errors=FILE 记录错误。这通常以红色打印到屏幕上。

您可以通过指定多个命令行日志记录选项同时输出到多个日志。

5.温馨提示：
上面讲的WhatWeb在使用时要注意别去识别带有安全防护的目标或者误入了蜜罐，否则被这些安全设备记录下来可就不好了：