1 00:00:00,840 --> 00:00:02,190 Instructor: Welcome back.
2 00:00:02,190 --> 00:00:05,313 Now we are going to discuss a tool called WhatWeb.
3 00:00:06,390 --> 00:00:09,300 This tool is used to gather information
4 00:00:09,300 --> 00:00:12,180 and to scan any website on the internet.
5 00:00:12,180 --> 00:00:14,550 So it is primarily used to scan websites,
6 00:00:14,550 --> 00:00:17,100 since this tool recognizes web technologies,
7 00:00:17,100 --> 00:00:18,660 including web servers,
8 00:00:18,660 --> 00:00:19,950 embedded devices,
9 00:00:19,950 --> 00:00:21,090 JavaScript libraries
10 00:00:21,090 --> 00:00:23,220 and many more things.
11 00:00:23,220 --> 00:00:26,310 They explain it really well on the website page
12 00:00:26,310 --> 00:00:27,183 for this tool.
13 00:00:28,020 --> 00:00:29,940 So we can read right here
14 00:00:29,940 --> 00:00:33,060 about all of the details that this tool has.
15 00:00:33,060 --> 00:00:37,320 We can notice they have over 1,700 plugins.
16 00:00:37,320 --> 00:00:41,460 Each one of them is used to recognize something different.
17 00:00:41,460 --> 00:00:42,870 So they use these plugins
18 00:00:42,870 --> 00:00:44,760 to perform this scan on the website,
19 00:00:44,760 --> 00:00:48,333 and discover what technologies that website runs.
20 00:00:49,170 --> 00:00:52,410 What is important for us is the second paragraph,
21 00:00:52,410 --> 00:00:55,260 since down here it tells us that the default level
22 00:00:55,260 --> 00:00:57,750 of aggression, called stealthy, is the fastest
23 00:00:57,750 --> 00:01:00,930 and requires only one HTTP request of a website.
24 00:01:00,930 --> 00:01:02,550 Now what this simply means is that
25 00:01:02,550 --> 00:01:06,900 this WhatWeb tool has different levels for scanning,
26 00:01:06,900 --> 00:01:10,350 and the default level is the level of aggression
27 00:01:10,350 --> 00:01:12,180 that is called stealthy,
28 00:01:12,180 --> 00:01:16,050 which we can use on any website that we want.
29 00:01:16,050 --> 00:01:18,810 The other levels of scanning are more aggressive,
30 00:01:18,810 --> 00:01:23,220 and should only be performed during penetration tests.
31 00:01:23,220 --> 00:01:26,400 So we should not use the more aggressive scans
32 00:01:26,400 --> 00:01:29,550 on websites that we do not have permission to scan.
33 00:01:29,550 --> 00:01:32,790 We can, however, use the stealthy scan on any website
34 00:01:32,790 --> 00:01:34,323 that we want on the internet.
35 00:01:35,250 --> 00:01:36,083 And don't worry,
36 00:01:36,083 --> 00:01:39,300 we are going to see all of these options in just a second.
37 00:01:39,300 --> 00:01:42,780 For now, it's good that we know what we can or cannot do.
38 00:01:42,780 --> 00:01:45,453 So let's test this tool out in our Kali Linux.
39 00:01:46,710 --> 00:01:49,140 To do it, open up your terminal,
40 00:01:49,140 --> 00:01:52,710 and to check out all of the options we can use with WhatWeb,
41 00:01:52,710 --> 00:01:55,650 you can simply just type whatweb in your terminal
42 00:01:55,650 --> 00:01:56,823 and press Enter.
43 00:01:57,990 --> 00:02:00,540 This will give you a smaller help menu,
44 00:02:00,540 --> 00:02:03,720 with some of the basic features that WhatWeb has.
45 00:02:03,720 --> 00:02:06,360 As we can see, we can specify targets,
46 00:02:06,360 --> 00:02:08,220 which can be anything from URLs,
47 00:02:08,220 --> 00:02:10,530 host names or IP addresses.
48 00:02:10,530 --> 00:02:14,610 Here is that aggression level, which we specify like this:
49 00:02:14,610 --> 00:02:16,770 there is aggression level one,
50 00:02:16,770 --> 00:02:18,210 which is stealthy,
51 00:02:18,210 --> 00:02:20,250 and aggression level three,
52 00:02:20,250 --> 00:02:21,250 which is aggressive.
53 00:02:22,350 --> 00:02:24,360 The default level is level one,
54 00:02:24,360 --> 00:02:25,620 which is good to notice.
55 00:02:25,620 --> 00:02:29,010 So we don't want to change this if we scan a random website
56 00:02:29,010 --> 00:02:30,600 on the internet.
57 00:02:30,600 --> 00:02:33,600 We can also list all of the plugins that it uses,
58 00:02:33,600 --> 00:02:36,540 but we are not currently interested in this.
59 00:02:36,540 --> 00:02:39,423 And we can also have verbose output.
60 00:02:40,710 --> 00:02:42,720 But these are just some of the options
61 00:02:42,720 --> 00:02:44,670 for the WhatWeb tool.
62 00:02:44,670 --> 00:02:47,490 To get even more available options with WhatWeb,
63 00:02:47,490 --> 00:02:48,737 we can type the command
64 00:02:48,737 --> 00:02:51,190 whatweb --help
65 00:02:52,350 --> 00:02:53,580 Press Enter,
66 00:02:53,580 --> 00:02:56,700 and this will give us a much larger help menu,
67 00:02:56,700 --> 00:02:58,350 with all of the possible options
68 00:02:58,350 --> 00:03:00,900 that we can use for WhatWeb.
69 00:03:00,900 --> 00:03:03,420 And down here, here is the aggression level.
70 00:03:03,420 --> 00:03:05,283 We can see that, besides this stealthy scan,
71 00:03:05,283 --> 00:03:07,650 which we are going to use on random websites,
72 00:03:07,650 --> 00:03:09,300 and besides the aggressive scan,
73 00:03:09,300 --> 00:03:11,520 which you would use in a penetration test,
74 00:03:11,520 --> 00:03:14,550 there is an even more aggressive scan called heavy,
75 00:03:14,550 --> 00:03:17,250 and it says right here that it makes a lot of HTTP requests
76 00:03:17,250 --> 00:03:18,360 per target.
77 00:03:18,360 --> 00:03:21,480 URLs from all plugins are attempted.
78 00:03:21,480 --> 00:03:23,400 So this is basically the deepest scan
79 00:03:23,400 --> 00:03:26,670 that the WhatWeb tool can perform on a website.
80 00:03:26,670 --> 00:03:28,650 Up here are also the targets,
81 00:03:28,650 --> 00:03:30,690 so we specify a target first,
82 00:03:30,690 --> 00:03:32,493 and if I go all the way down,
83 00:03:34,350 --> 00:03:37,470 you will notice right here we got some examples
84 00:03:37,470 --> 00:03:38,943 of the usage of WhatWeb.
85 00:03:40,110 --> 00:03:41,520 So we can see right here
86 00:03:41,520 --> 00:03:43,770 that the simplest example is running
87 00:03:43,770 --> 00:03:45,993 whatweb and then the domain name.
88 00:03:47,040 --> 00:03:49,710 So for the first run, let us go with this one.
89 00:03:49,710 --> 00:03:52,230 We are only going to specify the website as an option.
90 00:03:52,230 --> 00:03:54,750 So just type down here whatweb,
91 00:03:54,750 --> 00:03:56,910 and since we are using aggression level one,
92 00:03:56,910 --> 00:03:58,830 we can scan any website that we want,
93 00:03:58,830 --> 00:04:01,260 so I'm going to go with this one,
94 00:04:01,260 --> 00:04:04,770 and this is just another university website from my country.
95 00:04:04,770 --> 00:04:06,860 Feel free to scan any website that you want,
96 00:04:06,860 --> 00:04:09,363 or you can also go with this one if you'd like.
97 00:04:10,680 --> 00:04:12,063 If I press Enter here,
98 00:04:13,500 --> 00:04:14,640 in just a few seconds
99 00:04:14,640 --> 00:04:17,493 we should get a response for this website.
100 00:04:18,870 --> 00:04:19,800 And here it is,
101 00:04:19,800 --> 00:04:23,040 we already got something, we got two responses,
102 00:04:23,040 --> 00:04:25,980 as we can see by the links right here.
103 00:04:25,980 --> 00:04:27,660 The command has finished executing,
104 00:04:27,660 --> 00:04:29,700 so let us just go through these results
105 00:04:29,700 --> 00:04:31,173 and see what we got.
106 00:04:32,010 --> 00:04:34,890 It tells us that it most likely performed a redirect
107 00:04:34,890 --> 00:04:38,010 as soon as we tried getting this link.
108 00:04:38,010 --> 00:04:41,940 We can also see that we got the Apache web server,
109 00:04:41,940 --> 00:04:43,893 we even get the version, which is 2.4.6,
110 00:04:45,900 --> 00:04:47,610 we got some cookies right here
111 00:04:47,610 --> 00:04:49,530 which the website uses,
112 00:04:49,530 --> 00:04:52,080 we got which country it is from,
113 00:04:52,080 --> 00:04:54,930 which type of HTTP server it uses.
114 00:04:54,930 --> 00:04:58,200 If I go down here, here is the IP address of this website.
115 00:04:58,200 --> 00:05:00,720 Here's the PHP version that they use,
116 00:05:00,720 --> 00:05:02,220 and the redirect location.
117 00:05:02,220 --> 00:05:03,240 If you remember, I told you
118 00:05:03,240 --> 00:05:06,510 that it most likely redirected us to a different page;
119 00:05:06,510 --> 00:05:08,910 here is where it redirected us to.
120 00:05:08,910 --> 00:05:13,200 And once we got redirected, we got the response 200 OK,
121 00:05:13,200 --> 00:05:15,690 and this is just an HTTP response code
122 00:05:15,690 --> 00:05:18,363 which tells us that we successfully loaded a page.
123 00:05:19,590 --> 00:05:21,420 We got the same Apache version,
124 00:05:21,420 --> 00:05:22,800 the Bootstrap version,
125 00:05:22,800 --> 00:05:24,480 which cookies it uses,
126 00:05:24,480 --> 00:05:26,520 down here we got the country,
127 00:05:26,520 --> 00:05:29,940 and we also managed to extract some of the emails.
128 00:05:29,940 --> 00:05:31,590 As we can see down here,
129 00:05:31,590 --> 00:05:34,050 these are some of the emails from the page
130 00:05:34,050 --> 00:05:36,690 that belong to this domain.
131 00:05:36,690 --> 00:05:40,200 Down here we also see that it uses HTML5,
132 00:05:40,200 --> 00:05:41,820 which HTTP server it has,
133 00:05:41,820 --> 00:05:43,470 which Apache version it has,
134 00:05:43,470 --> 00:05:45,540 once again, which PHP version,
135 00:05:45,540 --> 00:05:47,310 the IP address,
136 00:05:47,310 --> 00:05:50,340 it also uses jQuery, Lightbox
137 00:05:50,340 --> 00:05:53,610 and a bunch of other things we can see right here.
138 00:05:53,610 --> 00:05:57,000 But I don't really like how this is output.
139 00:05:57,000 --> 00:05:58,830 It is hard to read.
140 00:05:58,830 --> 00:06:00,750 To output this a little bit prettier,
141 00:06:00,750 --> 00:06:04,140 we can use this verbose option that I saw
142 00:06:04,140 --> 00:06:05,340 in the help menu.
143 00:06:05,340 --> 00:06:06,173 Here it is.
144 00:06:07,470 --> 00:06:09,600 And what this verbose option does is
145 00:06:09,600 --> 00:06:12,570 it also includes plugin descriptions.
146 00:06:12,570 --> 00:06:15,030 For each plugin
147 00:06:15,030 --> 00:06:18,810 that the WhatWeb tool managed to discover,
148 00:06:18,810 --> 00:06:21,750 it'll also tell us what exactly that plugin is.
149 00:06:21,750 --> 00:06:22,980 So let's try it out.
150 00:06:22,980 --> 00:06:25,833 If I type whatweb and then the same website,
151 00:06:27,810 --> 00:06:31,413 but I add the -v option at the end and press Enter,
152 00:06:33,720 --> 00:06:36,030 it'll pretty much give us the same result,
153 00:06:36,030 --> 00:06:39,120 it'll just be output a whole lot better
154 00:06:39,120 --> 00:06:40,620 and easier to read.
155 00:06:40,620 --> 00:06:43,570 If I scroll all the way up to the beginning of the command,
156 00:06:45,120 --> 00:06:47,490 remember we got two responses.
157 00:06:47,490 --> 00:06:50,670 Here is the IP address, and this is the first request,
158 00:06:50,670 --> 00:06:53,280 or first response, which tells us to move
159 00:06:53,280 --> 00:06:54,210 to the actual website.
160 00:06:54,210 --> 00:06:56,073 So for the redirect response,
161 00:06:57,120 --> 00:06:58,620 we get all of this information
162 00:06:58,620 --> 00:06:59,940 that we got previously,
163 00:06:59,940 --> 00:07:02,310 but we also get this section right here
164 00:07:02,310 --> 00:07:04,650 which says Detected Plugins.
165 00:07:04,650 --> 00:07:07,650 And for example, if we didn't know what Apache was,
166 00:07:07,650 --> 00:07:11,220 we could read right here what Apache is.
167 00:07:11,220 --> 00:07:13,530 And down here we get the version
168 00:07:13,530 --> 00:07:16,083 of Apache that this website has.
169 00:07:17,070 --> 00:07:19,920 We also get the same thing for cookies.
170 00:07:19,920 --> 00:07:22,830 For HTTP server, we can see which operating system,
171 00:07:22,830 --> 00:07:24,660 which Apache server it is,
172 00:07:24,660 --> 00:07:26,760 which PHP version it is,
173 00:07:26,760 --> 00:07:28,770 it tells us right here what PHP is,
174 00:07:28,770 --> 00:07:30,605 for example, if we didn't know:
175 00:07:30,605 --> 00:07:34,320 PHP is a widely-used general-purpose scripting language.
176 00:07:34,320 --> 00:07:35,820 Redirect location,
177 00:07:35,820 --> 00:07:37,500 so after this request
178 00:07:37,500 --> 00:07:39,753 it redirects us to this location,
179 00:07:40,680 --> 00:07:45,393 and down here we get the response 200 for the actual page.
180 00:07:46,350 --> 00:07:47,820 We get once again the country,
181 00:07:47,820 --> 00:07:49,320 the IP address,
182 00:07:49,320 --> 00:07:51,570 and all of the detected plugins,
183 00:07:51,570 --> 00:07:53,010 and we can read through this
184 00:07:53,010 --> 00:07:55,983 and discover what this website is running.
185 00:07:56,880 --> 00:07:59,310 And it is output a whole lot better
186 00:07:59,310 --> 00:08:01,683 and easier to read than the previous command.
187 00:08:02,610 --> 00:08:03,443 Okay, good.
188 00:08:03,443 --> 00:08:05,820 So we managed to get the information
189 00:08:05,820 --> 00:08:08,370 as to what a certain website is running,
190 00:08:08,370 --> 00:08:09,840 which technologies it has.
191 00:08:09,840 --> 00:08:11,580 And in the next video,
192 00:08:11,580 --> 00:08:14,190 we're going to go deeply into this tool
193 00:08:14,190 --> 00:08:16,680 and try to perform some of the more aggressive scans,
194 00:08:16,680 --> 00:08:19,680 as well as experiment with some of the different options
195 00:08:19,680 --> 00:08:21,003 of WhatWeb as well.