Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tree: f44de3eec8
Fetching contributors…

Cannot retrieve contributors at this time

file 219 lines (210 sloc) 17.345 kb
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219
Version 0.4.8-dev Unreleased
* Added support for Ruby 1.9.1
* Added over 700 new plugins
* Added aggressive version detection using md5 static file matches to several plugins
* Added support for raw HTTP headers when scanning local files
* Added --dorks <plugin name> to return google dorks for the selected plugin
* Added google dorks to more than 500 plugins
* Added ./addons/hunter
* Added ./addons/gggooglescan
* Added ./addons/country-scanner
* Added SQL logging with `--log-sql` and `--log-sql-create` arguments. These are not listed in the usage.
* Added raw header support by monkey patching the net/http library
* Added context searching for plugin matches[]. Added the matches keyword, :search. Values can be "headers","headers[server]"(or any other HTTP header),"body"(default), "all" (the raw headers + body)
* Added methods for aggressive plugins to send HEAD and POST requests
* Added --grep, -g option to be easier than --custom-plugin. (Requested by Scott Bell)
* Removed the spidering feature and dependence on the customised and unsupported Anemone gem
* Removed the extra_urls feature
* Removed dependency on em-resolv-replace
* Updated whatweb.xsl
* Fixed a bug causing Mongo DB logging to fail
* Fixed a bug causing brief logging to not escape special characters
* Fixed meta refresh redirection but with HTML entities in the URL
* Redesigned and refactored much of Whatweb's code. Introduced the Target class
* Targets from input files are now executed ascending order
* Better support for UTF-8 encoded strings in plugins.
* :status and :url are now logical AND with other matches. They cannot match in isolation unless with each other.
* Updated Country plugin. Fixed IPv6 bug
* Changed version from 0.4.8 to 0.4.8-dev to show development version
* Plugin brief output is now sorted alphabetically by plugin name

Version 0.4.7 Released April 5th 2011
* Performance enhancements & bug fixes
* Added -p + as a shortcut for -p +plugins-disabled
* Added --quiet, -q - to not display brief logging to STDOUT
* Fix Makefile - you can now install whatweb over an old version
* Removed certainty from Mongo and JSON output unless certainty < 100
* Removed certainty info from verbose output unless certainty <100
* Bugfixes for error reporting
* Updated some error messages
* Changed default open and read timeouts to 15 and 30 seconds respectively
* Updated slow plugins
* Added plugins: TVersity, Ultimate-Bulletin-Board,
* Moved plugins to plugins-disabled: atom_feed, meta-city, meta-contact, meta-country, meta-geography, meta-state, meta-zipcode and script
* Renamed mailto plugin to email

Version 0.4.6 Released March 25th 2011
* Updated ~230 plugins
* Added ~600 new plugins
* Added Escenic CMS plugin from Erik Inge Bolsø
* Added EscenicEngine5 plugin by nikosk
* Added barracuda-load-balancer, binarysec-firewall, citrix-netscaler, cloudflare, evercookie, juniper-netscreen-secure-access, juniper-load-balancer, profense-firewall, vTigerCRM, watchguard-firewall, www-authenticate plugins by Aung Khant
* Moved some plugins into disabled-plugins, as they clutter output. adobe_flash.rb, footer-hash.rb, frame.rb, header-hash.rb, md5.rb, script.rb, shortcut-icon.rb, tagpattern-hash.rb
* Renamed disabled-plugins/ to plugins-disabled/
* Changed $ANEMONE_SKIP_REGEX=Regexp.union line to be compatible with Ruby 1.8.6. Thanks to Michal Ambroz
* Added plugin reporting support for :model=>, :firmware=>, :module=>
* Added --wait SECONDS between connections. Combine with -t 1 if preferred.
* Added meta-refresh redirect support. eg. <meta http-equiv="refresh" content="0;url=../default/mail/index.html">. Only for non-spidering
* Added {:version=>/regexp/, :offset} to remove cargo cult programming. eg.
{:version=>/<meta name="Generator" (content|CONTENT)="(ASPNUKE|ASP-Nuke) ([^->"]+)/, :offset=>2, :name=>"meta generator tag" }
* Replaced :probability with :certainty in my-plugins/plugin-template.rb.txt. Thanks Erik Inge Bolsø
* Added support for em-resolv-replace which speeds up whatweb many times. http://github.com/mperham/em-resolv-replace
* Added XML stylesheet "whatweb.xsl" for XML reports
* Added reporting of version detection with matches to the Plugin Info, eg. whatweb -I
* Changed whatweb -I behaviour to search plugins for keywords. eg. './whatweb -I nuke' brings up ASP-Nuke, PHPNuke, DotNetNuke, etc.
* Bugfix: Changed webpage data for when working with files, not URIs. Now it passes empty hashes, etc instead of nil which caused plugins to report errors.
* Added MongoDB logging. Use with --log-mongo-database, --log-mongo-host, --log-mongo-collection, --log-mongo-username, --log-mongo-password. Only database has no default.
* Added JSON logging. Must have the json ruby gem installed or be using Ruby 1.9
* Added MagicTree logging.
* MagicTree logging updated by Gremwell.
* Added error logging.
* Added Verbose logging.
* Added XML header and footer to XML logs
* Modified XML logging to record modules separately
* Bug fix: Escaping the XML log properly for &, <, >, "
* All logs are now flushed/synced
* Bug fix: References to :probability instead of :certainty in some logging
* Changed error message for non resolving hostnames from "undefined method `closed?' for nil:NilClass" to "Cannot resolve hostname"
* Added ascii whatweb logo
* Moved Plugin class into lib/plugins.rb
* Added startup and shutdown for plugins
* Model and Firmware results now display in dark green
* Added :filepath match type
* Added vulnerability matching support, this is still in the experimental phase and not supported.
* Added vulnerability matching code to the awstats plugin.
* Precompiled regular expressions in matches[] for speed improvement
* Changed internal sleep times from 1s to 0.5s
* Added --debug to raise errors found in plugins
* Usage displays faster when no arguments are provided
* Added version string to the help usage
* Added advanced plugin template
* Removed How to write whatweb plugins text file as it's deprecated by the wiki
* Brief output escapes [] and all characters before SPACE with URL encoding
* Added --quiet, -q to suppress Brief Output on stdout by default. Thanks to cdybedahl for this idea.
* Improved OSX compatibility with a patch from matti for symlinks
* Added :status for HTTP Status codes to match[]. :status has a logical AND with a :url, it can't be by itself.
* Updated plugin list and plugin info output
* Bug fix: Now redirects for HTTP statuses 300 through 399. Previously redirected for 301,302 and 307.
* Bug fix: :account didn't have regular expression support
* Changed :modules to :module, deprecated :accounts to :account
* Added redirect control. options are 'never',`http-only', `meta-only', `same-site', `same-domain', 'always'
* Added --max-redirects. Control the maximum number of contiguous redirects followed
* Added custom headers. Can be used multiple times. Examples: --header or -H. eg. "foo:bar" or "user-agent: blinky". Specifying a default header will replace it. Specifying an empty value removes hte header, eg. "User-Agent:"
* Added support for HTTP basic authentication. -u and --user
* Added plugin-development/get-pattern by Aung Khant
* Added to plugin-development/: wget-alexa-top-1m, wget-ip-to-country, alexa-top-1000.txt, alexa-top-100.txt, wikipedia-top-1000.txt
* Added nmap-style IP address range support

Version 0.4.5 Released August 17th 2010
* Added 5 plugins from Tonmoy Saikia. They are: Commonspot, TextPattern, Mediawiki, DUclassified and Mailman
* Added 119 plugins from Brendan Coles. They are: Alcatel-Lucent-Omniswitch, Allinta-CMS, anyInventory, Arab-Portal, AVTech-Video-Web-Server, Barracuda-Spam-Firewall, Basilic, Biromsoft-WebCam, BlueNet-Video-Server, BM-Classifieds, Brother-Printer, BusinessSpace, BXR, Campsite, Canon-Network-Camera, Cisco-VPN-3000-Concentrator, CMSQLite, ColdFusion, coWiki, cpCommerce, CruxCMS, CruxPA, Dell-Printer, D-Link-Network-Camera, DMXReady, DT-Centrepiece, EazyCMS, eLitius, EMO-Realty-Manager, Empire-CMS, envezion~media, eSyndiCat, Evo-Cam, FestOS, Flax-Article-Manager, FluentNET, Forest-Blog, GuppY, HP-LaserJet-Printer, i-Catcher-Console, iDVR, Intellinet-IP-Camera, Interspire-Shopping-Cart, IPCop-Firewall, IQeye-Netcam, iRealty, iScripts-CyberMatch, iScripts-EasySnaps, iScripts-MultiCart, iScripts-ReserveLogic, iScripts-SocialWare, JAMM-CMS, Jamroom, Linksys-NAS, Linksys-Network-Camera, Linksys-Wireless-G-Camera, LocazoList-Classifieds, Lucky-Tech-iGuard, Mobotix-Network-Camera, MyioSoft-Ajax-Portal, My-PHP-Indexer, My-WebCamXP-Server, NetBotz-Network-Monitoring-Device, Netious-CMS, Netsnap-Web-Camera, Nukedit, Open-Blog, ORCA-Platform, ORITE-301-Camera, PageUp-People, Panasonic-Network-Camera, Parked-Domain, PHPDirector, PHPEasyData, phPhotoAlbum, Pixel-Ads-Script, Pixie, Pligg-CMS, PortalApp, Pressflow, RunCMS, sabros.us, samPHPweb, SHOUTcast-Administrator, SimpNews, SkaLinks, SmodCMS, Snap-Appliance-Server, Softbiz-Freelancers-Script, Softbiz-Online-Auctions-Script, Softbiz-Online-Classifieds, Sony-Network-Camera, Sony-Video-Network-Station, Stardot-Express, StarDot-NetCam, Star-Network, Subdreamer-CMS, Subrion-CMS, SyndeoCMS, syntaxCMS, TaskFreak, Team-Board, The-PHP-Real-Estate-Script, TomatoCMS, Toshiba-Network-Camera, Veo-Observer, VisionGS-Webcam, WebDVR, WebEye-Network-Camera, WebPress, WhiteBoard, Winamp-Web-Interface, Windows-Internet-Printing, Xerox-Printers, xGB, XHP-CMS, Zeus-Cart, Zoph, Zyxel-Vantage-Service-Gateway
* Added 11 plugins from Caleb Anderson. They are: AdobeFlash, AtomFeed, CodeIgniterProfiler, DublinCore, MicrosoftODBCError, MysqlSyntaxError, OpenGraphProtocol, OpenID, OpenSearch, PasswordField, RSSFeed
* Updated plugins: Aardvark-Topsites-PHP, Confluence, Open-Source-Ticket-Request-System, PHP-Link-Directory, PHP-Shell, Vulnerable-to-XSS, Zoph
* Updated mailto plugin
* Verbose output now shows which patterns were matched within a plugin
* Fixed bug: Removed Makefile reference to 'disabled-plugins' folder
* Ruby 1.9 compatability fix. requires digest/md5 instead of md5
* Ruby 1.9 compatability fix. Replace UTF8 chars in frog-cms, dotnetnuke and mno-go-search and wordpress-supercache
* Fixed spelling error of verion in help information
* Fixed a typo where -t is shown as the command line option for proxies
* Modified command line usage and is now in 80x24 terminal format
* MD5sum of body is now available as @md5sum to all plugins
* :md5 is available in matches[], eg. {:name=>"must be treshna.com",:md5=>"8666257030b94d3bdb46e05945f60b42"}
* tag pattern of HTML elements in body is now available as @tagpattern to all plugins
* :tagpattern is available in matches[], eg. {:name=>"must be google.com",:tagpattern=>""!doctype,html,head,meta,title,/title,script,/script,style,/style, etc...."}
* :url is available in plugins. eg. {:url=>"/wp-login.php", :text=>'action=lostpassword'}, this will match the url and the text passively and when scanning aggressively, it will request the specified url and check for the text. Another example, {:url=>"/readme.html", :md5=>'9ea06ab0184049bf4ea2410bf51ce402', :version=>"3.0"},
* Added --url-prefix, eg. whatweb --url-prefix www.morningstarsecurity.com/ -i ./guess-files
* Added --url-suffix, eg. whatweb --url-suffix /robots.txt -i ./target-urls
* Added --url-pattern, eg. whatweb --url-pattern www.example.com/%insert%/.htaccess -i ./folder-list
* Added --custom-plugin to define a plugin on the command line. eg, ./whatweb --custom-plugin ":text=>'powered by abc'" -i ./targets or --custom-plugin "{:text=>'powered by abc'},{:regexp=>/meta abc/i}" -i ./targets
* Plugin errors are now in red, added target name
* Added --open-timeout and --read-timeout
* Removed div-span plugin, replaced with HTML tag pattern hash
* Added --spider-skip-extensions. Redefine the file extensions that Anemone will skip. The list is comma delimited.
* Moved plugin-template.rb to my-plugins and added more example, comments, etc
* Added $DEBUG = false. If set to true, it will raise errors in plugins to assist plugin development.

Version 0.4.4 Released June 29th 2010
* :probability is renamed to :certainty. :certainty in plugins is no longer required, it defaults to 100 if not specified.
* Fixed bug with ruby 1.8.5 when loading plugins
* Added author names to plugin info, eg. whatweb -I
* Added 67 plugins from Brendan Coles, bringing WhatWeb up to 163 plugins. 360-Web-Manager,ANECMS,AWStats,Aardvark-Topsites-PHP,ArGoSoft-Mail-Server,Axis-Network-Camera,BeEF,BlognPlus,Burning-Board-Lite,CGI,CGIProxy,CMScontrol,CMSimple,Confluence,DUforum,DUgallery,F3Site,File-Upload-Manager,Google-API,Google-Hack-Honeypot,IMGallery,JGS-Portal,Kloxo,Liferay,Lime-Survey,Linksys-USB-HDD,Loggix,Microsoft-Sharepoint,Open-Freeway,Open-Source-Ticket-Request-System,PG-Roomate-Finder-Solution,PHP-Fusion,PHP-Layers,PHP-Link-Directory,PHP-Shell,PHPFM,PHPraid,PhilBoard,Piwik,QNAP-NAS,Saurus-CMS,Site-Sift,TWiki,Trac,Turbo-Seek,Umbraco,VideoShareEnterprise,Virtualmin,Vulnerable-To-XSS,WWWBoard,Web-Calendar-System,Web-Data-Administrator,WoW-Raid-Manager,X7-Chat,Zen-Cart,Zikula,boastMachine,ezBOO-WebStats,jobberBase,mojoPortal,php-ping,phpFreeChat,phpMyAdmin,phpPgAdmin,phpSysInfo,phpinfo,uPortal
* Added references to Security-Assessment.com
* Updates to README, CHANGELOG, plugin-template.rb.txt

Version 0.4.3 Released May 24th 2010
* Added GPLv2 notices
* Added Makefile (Thanks Michal Ambroz <rebus AT seznam.cz>)
* Added man pages (Thanks Michal Ambroz <rebus AT seznam.cz>)
* Added --version
* Added Invalid command line argument handling
* Added @cookie variable to plugins but is not availble for recursive use
* Changed output colour of page titles
* Changed plugin names to use a CamelCase convention
* Merged the google analytics GA and Urchin plugins
* Modified MovableType plugin
* Added Cookie names plugin
* Added Concrete5 CMS plugin
* Added CushyCMS plugin
* Added FrogCMS plugin
* Added ModxCMS plugin
* Added TypoLight plugin
* Added ExpressionEngine plugin
* Fixed a bug in Tomcat plugin
* New feature, my-plugins/ folder. Keep your personal plugins separate.
* Usage info shows correct defaults
* Fixed a bug where aggressive plugins didn't use the proxy settings
* Added XML (naive) logging
* Updated usage to show how to pipe HTML to /dev/stdin
* Added --no-redirect option. Do not follow HTTP 3xx redirects

Version 0.4.2 Released April 30th 2010
* Added header-hash plugin. Makes a hash of the first 500 characters. This is useful to identify unknown systems
* Added footer-hash plugin. Makes a hash of the last 500 characters, only if the page has > 1000 characters. This is useful to identify unknown systems
* Added div-span-structure plugin. Makes a hash of a signature of div and span tags. This is useful to identify unknown systems
* Added MikroTik Router plugin. Recognises version
* Fixed a bug where the URL had a ? suffix. This caused some types of http servers to repspond incorrectly.
* Added SquirrelMail plugin. Recognises version
* Added SearchFitShoppingCart plugin. Recognises version
* Added RoundCube plugin.
* Modified OSCommerce plugin. Recognises security warnings about file permissions and installation directory.
* Changed output colour to be more readable. Plugins that create hashes are in grey
* Changed output order of plugins, so plugins that create hashes come last

Version 0.4.1 Released April 28th 2010
* Removed dependency on rubygems and libxslt by modifying and locally including the Anemone gem. This also simplified installation
* Fixed a bug which didn't send URL parameters. eg. would send /index.php instead of /index.php?q=foo
* Improved installation instructions. Henri Salo contacted me to say ruby-dev is required for Anemone
* Removed UTF-8 character in formmail
* Changed require 'md5' to require 'digest/md5' for compatibility with ruby 1.9
* Fixed bug in Tomcat plugin
* Added SilverStripe plugin
* Added DotNetNuke plugin
* Added HTML5 plugin
* Added PHP error plugin
* Modified PHP-Nuke plugin
* Changed the plugin development script, wget-list to retry only twice
* Added proxy support
* Default threads is now 25
* Default max recursive spidering depth is now 10
* Default max number of links to follow on a single page is now 250

Version 0.4 Released March 13th 2010
* Added HTTPS support
* Improved installation instructions
* Improved documentation
* Better compatibility with ruby 1.9. Changed a case statement syntax, changed when 0: to when 0 then.
* Removed UTF-8 characters in plugins that were causing crashes
* Added php-nuke plugin, passively recognises modules
* Added Fluxbb plugin, can identify versions aggressively
* Added meta powered-by plugin. Matches tags like <meta name="powered-by" content="abc/1.23" />
* Added powered by plugin. Matches "Powered by BobsCMS", any text following powered by
* Improved plugin info listing invoked by ./whatweb -I. Shows number of examples and matches, and shows presence of passive and aggressive functions
* Changed output style. Before strings are surrounded by single quotes, now all strings are surrounded by square brackets
* Added OpenCMS plugin submitted by Emilio Casbas
* Added TomCat plugin submitted by Louis Nyffenegger
* Improved meta-generator plugin
* Fixed a bug in processing a target list from a file where a trailing space would be interpreted incorrectly

Version 0.3 Released November 2nd 2009 at Kiwicon III
Something went wrong with that request. Please try again.