July 12, 2010

WhatWeb tool for pen testers

WhatWeb belongs in any pen tester’s arsenal. It is not a web vulnerability scanner like Nikto, Acunetix, or Skipfish; instead, it identifies the platform the CMS is running on, a feature that is not widely supported. WhatWeb has over 160 plug-ins for identifying many platforms, and they come in two types: passive and aggressive. Passive plug-ins try to identify web applications using simple GET requests, while aggressive plug-ins use techniques such as URL guessing.
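To make the passive approach concrete, here is an added example (not WhatWeb's plug-in code and not from its project page) that matches a single GET response against a few rules and records which response field gave the platform away. The rule set, function names, and sample response are all constructed for illustration.

```ruby
# Added illustration of passive fingerprinting; not WhatWeb's own plug-in code.
# RULES and SAMPLE_RESPONSE are constructed. Each rule reads one part of a
# response that an ordinary GET already returns.
RULES = [
  { name: "Apache",    where: :header, key: "server",       re: /\bApache(?:\/([\d.]+))?/i },
  { name: "PHP",       where: :header, key: "x-powered-by", re: /\bPHP(?:\/([\d.]+))?/i },
  { name: "PHP",       where: :header, key: "set-cookie",   re: /\bPHPSESSID=/ },
  { name: "WordPress", where: :body,   re: /<meta[^>]+name=["']generator["'][^>]+content=["']WordPress\s*([\d.]*)/i },
  { name: "WordPress", where: :body,   re: /\/wp-content\//i },
].freeze

# Split a raw HTTP response into lower-cased headers (multi-valued) and body.
def parse_response(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  headers = {}
  head.to_s.split(/\r?\n/).drop(1).each do |line| # drop(1) skips the status line
    name, value = line.split(":", 2)
    (headers[name.strip.downcase] ||= []) << value.strip if value
  end
  { headers: headers, body: body.to_s }
end

# Return { "Name" => { version:, evidence: [...] } } for every matching rule.
def fingerprint(raw)
  resp = parse_response(raw)
  found = {}
  RULES.each do |rule|
    in_header = rule[:where] == :header
    texts = in_header ? resp[:headers].fetch(rule[:key], []) : [resp[:body]]
    texts.each do |text|
      m = rule[:re].match(text) or next
      hit = (found[rule[:name]] ||= { version: nil, evidence: [] })
      hit[:version] ||= m[1] unless m[1].to_s.empty?
      hit[:evidence] << (in_header ? "header #{rule[:key]}" : "body")
    end
  end
  found
end

SAMPLE_RESPONSE = <<~HTTP # constructed sample, not captured from a real site
  HTTP/1.1 200 OK
  Server: Apache/2.2.14 (Ubuntu)
  X-Powered-By: PHP/5.3.2
  Set-Cookie: PHPSESSID=abc123; path=/
  Content-Type: text/html

  <html><head><meta name="generator" content="WordPress 3.0" /></head>
  <body><img src="/wp-content/themes/x/logo.png"></body></html>
HTTP

fingerprint(SAMPLE_RESPONSE).each { |n, h| puts "#{n} #{h[:version]} (#{h[:evidence].join(', ')})" }
```

The evidence list doubles as a checklist of the headers and markup a site owner would need to trim to reduce what a passive scan learns.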

Example from WhatWeb’s project page

Download location

http://www.morningstarsecurity.com/research/whatweb