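WhatWeb is a web application fingerprinting tool that automatically identifies CMS, blog and other web systems. WhatWeb has now been updated to version 0.4.6; for a detailed introduction to the tool, see http://www.pulog.org/tools/727/web-scaning-whatweb/. The new release brings substantial changes; the main changes in version 0.4.6 are as follows: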

  • Updated ~230 plugins
  • Added ~600 new plugins
  • Added Escenic CMS plugin from Erik Inge Bolsø
  • Added EscenicEngine5 plugin by nikosk
  • Added barracuda-load-balancer, binarysec-firewall, citrix-netscaler, cloudflare, evercookie, juniper-netscreen-secure-access, juniper-load-balancer, profense-firewall, vTigerCRM, watchguard-firewall, www-authenticate plugins by Aung Khant
  • Moved some plugins into disabled-plugins, as they clutter output. adobe_flash.rb, footer-hash.rb, frame.rb, header-hash.rb, md5.rb, script.rb, shortcut-icon.rb, tagpattern-hash.rb
  • Renamed disabled-plugins/ to plugins-disabled/
  • Changed $ANEMONE_SKIP_REGEX=Regexp.union line to be compatible with Ruby 1.8.6. Thanks to Michal Ambroz
  • Added plugin reporting support for :model=>, :firmware=>, :module=>
  • Added --wait SECONDS between connections. Combine with -t 1 if preferred.
  • Added meta-refresh redirect support. eg. <meta http-equiv="refresh" content="0;url=../default/mail/index.html">. Only for non-spidering
  • Added {:version=>/regexp/, :offset} to remove cargo cult programming. eg. {:version=>/<meta name="Generator" (content|CONTENT)="(ASPNUKE|ASP-Nuke) ([^->"]+)/, :offset=>2, :name=>"meta generator tag" }
  • Replaced :probability with :certainty in my-plugins/plugin-template.rb.txt. Thanks Erik Inge Bolsø
  • Added support for em-resolv-replace which speeds up whatweb many times. http://github.com/mperham/em-resolv-replace
  • Added XML stylesheet “whatweb.xsl” for XML reports
  • Added reporting of version detection with matches to the Plugin Info, eg. whatweb -I
  • Changed whatweb -I behaviour to search plugins for keywords. eg. ‘./whatweb -I nuke’ brings up ASP-Nuke, PHPNuke, DotNetNuke, etc.
  • Bugfix: Changed webpage data for when working with files, not URIs. Now it passes empty hashes, etc instead of nil which caused plugins to report errors.
  • Added MongoDB logging. Use with --log-mongo-database, --log-mongo-host, --log-mongo-collection, --log-mongo-username, --log-mongo-password. Only database has no default.
  • Added JSON logging. Must have the json ruby gem installed or be using Ruby 1.9
  • Added MagicTree logging.
  • MagicTree logging updated by Gremwell.
  • Added error logging.
  • Added Verbose logging.
  • Added XML header and footer to XML logs
  • Modified XML logging to record modules separately
  • Bug fix: Escaping the XML log properly for &, <, >, "
  • All logs are now flushed/synced
  • Bug fix: References to :probability instead of :certainty in some logging
  • Changed error message for non resolving hostnames from "undefined method `closed?' for nil:NilClass" to "Cannot resolve hostname"
  • Added ascii whatweb logo
  • Moved Plugin class into lib/plugins.rb
  • Added startup and shutdown for plugins
  • Model and Firmware results now display in dark green
  • Added :filepath match type
  • Added vulnerability matching support, this is still in the experimental phase and not supported.
  • Added vulnerability matching code to the awstats plugin.
  • Precompiled regular expressions in matches[] for speed improvement
  • Changed internal sleep times from 1s to 0.5s
  • Added --debug to raise errors found in plugins
  • Usage displays faster when no arguments are provided
  • Added version string to the help usage
  • Added advanced plugin template
  • Removed How to write whatweb plugins text file as it’s deprecated by the wiki
  • Brief output escapes [] and all characters before SPACE with URL encoding
  • Added --quiet, -q to suppress Brief Output on stdout by default. Thanks to cdybedahl for this idea.
  • Improved OSX compatibility with a patch from matti for symlinks
  • Added :status for HTTP Status codes to match[]. :status has a logical AND with a :url, it can’t be by itself.
  • Updated plugin list and plugin info output
  • Bug fix: Now redirects for HTTP statuses 300 through 399. Previously redirected for 301,302 and 307.
  • Bug fix: :account didn’t have regular expression support
  • Changed :modules to :module, deprecated :accounts to :account
  • Added redirect control. Options are 'never', 'http-only', 'meta-only', 'same-site', 'same-domain', 'always'
  • Added --max-redirects. Control the maximum number of contiguous redirects followed
  • Added custom headers. Can be used multiple times. Examples: --header or -H. eg. "foo:bar" or "user-agent: blinky". Specifying a default header will replace it. Specifying an empty value removes the header, eg. "User-Agent:"
  • Added support for HTTP basic authentication. -u and --user
  • Added plugin-development/get-pattern by Aung Khant
  • Added to plugin-development/: wget-alexa-top-1m, wget-ip-to-country, wafp_to_whatweb, alexa-top-1000.txt, alexa-top-100.txt, wikipedia-top-1000.txt

More information about the tool and downloads: http://github.com/urbanadventurer/WhatWeb