loading
loading
Recon
Identify websites: CMS, servers, libraries, analytics, and embedded devices.
overview
WhatWeb reads the responses a website returns and matches them against more than 1,800 plugins to name the software behind it: the CMS, blogging platform, web server, JavaScript libraries, analytics packages, and even embedded devices. Each detection carries a confidence, and plugins can pull version strings, email addresses, and account IDs out of the same responses.
Aggression levels tune the trade-off between stealth and depth. A stealthy pass sends one request per target; aggressive follows up when a plugin partly matches; heavy throws every plugin's checks at every URL. WhatWeb reaches guarded apps through proxies, cookies, Basic Auth, and custom headers, and it accepts single URLs, hostnames, IP addresses, or whole CIDR ranges.
Reach for WhatWeb after host discovery, once you have a list of live sites and need to know what each one runs before deciding how to test it. On Trickest it runs as a Recon node that writes a folder and a file, so you can route hosts by technology into the scanner tuned for that stack.
use cases
Fingerprint a host to learn its CMS, web server, libraries, and analytics before choosing how to test it.
Feed IP ranges in CIDR form or an input file so WhatWeb profiles a whole scope, not one URL at a time.
Pick a stealthy single-request pass to stay quiet, or a heavy pass to confirm versions and enrich detections when noise is acceptable.
Use the results to send every host running a given platform into a scanner tuned for that stack.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| targets | STRING | · | URLs, hostnames, IPs, or IP ranges in CIDR, x.x.x-x, or x.x.x.x-x.x.x.x format. |
| input-file | FILE | --input-file | Read targets from a file for bulk scanning. |
| aggression-level | STRING | -a | Trade stealth against depth: Stealthy, Aggressive, or Heavy. |
| Select-plugins | STRING | -p | Run only the named plugins from a comma-delimited list. Default is all. |
| number-of-threads | STRING | -t | Number of concurrent threads. Default 25. |
| user-agent | STRING | -U | Send a custom User-Agent instead of the default WhatWeb string. |
| Http-header | STRING | -H | Add or remove an HTTP request header. |
| Proxy | STRING | --proxy | Route requests through a proxy. Format: hostname[:port]. |
Showing key inputs. whatweb exposes 22 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| Proxy | STRING | --proxy | Set proxy hostname and port. Format: hostname[:port]. |
| Cookies | STRING | -c | Provide cookies, e.g. 'name=value; name2=value2'. |
| targets | STRING | · | URLs, hostnames, IP addresses, or IP ranges in CIDR, x.x.x-x, or x.x.x.x-x.x.x.x format. |
| http-auth | STRING | -u | HTTP basic authentication. Format: user:password. |
| input-file | FILE | --input-file | Read targets from a file. |
| proxy-user | STRING | --proxy-user | Set proxy user and password. Format: username:password. |
| user-agent | STRING | -U | Identify as a chosen agent string instead of the default WhatWeb user agent. |
| Http-header | STRING | -H | Add an HTTP header. An empty value, e.g. 'User-Agent:', removes the header. |
| Cookies-file | FILE | --cookiejar | Read cookies from a file. |
| color-output | STRING | --color | Control whether colour is used. Options: never, always, auto. |
| google-dorks | STRING | -dorks | List Google dorks for the selected plugin. |
| open-timeout | STRING | --open-timeout | Timeout for opening the connection in seconds. Default 15. |
| plugins-list | BOOLEAN | -l | List all plugins. |
| read-timeout | STRING | --read-timeout | Timeout for reading the answer in seconds. Default 30. |
| custom-plugin | STRING | --custom-plugin | Define a custom plugin inline, e.g. a text match like 'powered by abc'. |
| Select-plugins | STRING | -p | Select plugins from a comma-delimited list. Default is all. |
| follow-redirect | STRING | --follow-redirect | Control when to follow redirects. Options: never, http-only, meta-only, same-site, always. Default always. |
| aggression-level | STRING | -a | Trade-off between speed/stealth and reliability. Stealthy sends one request per target; Aggressive follows up on level-1 matches; Heavy runs many requests per target. |
| No-error-messages | BOOLEAN | --no-errors | Suppress error messages. |
| number-of-threads | STRING | -t | Number of threads. Default 25. |
| Search-string-regexp | STRING | -g | Search for a string or regular expression and show only matching results. |
| maximum-number-of-redirects | STRING | --max-redirects | Maximum number of contiguous redirects. Default 10. |
example
# aggressive fingerprint of a host list, 50 threads, errors mutedwhatweb -a 3 -t 50 --no-errors --input-file hosts.txthttp://example.com [200 OK] Country[RESERVED][ZZ], HTTPServer[nginx/1.24.0], IP[203.0.113.10], Title[Example Domain], UncommonHeaders[x-request-id]http://blog.example.com [301 Moved Permanently] HTTPServer[nginx/1.24.0], IP[203.0.113.11], RedirectLocation[https://blog.example.com/], Title[301 Moved Permanently]https://blog.example.com [200 OK] Bootstrap, Cookies[wordpress_test_cookie], HTML5, HTTPServer[nginx/1.24.0], JQuery[3.7.1], MetaGenerator[WordPress 6.4.3], Script[text/javascript], Title[Company Blog], WordPress[6.4.3], X-Powered-By[PHP/8.2.15]https://shop.example.com [200 OK] Apache[2.4.58], Cookies[PHPSESSID], HTTPServer[Apache/2.4.58 (Debian)], IP[198.51.100.24], Magento, Open-Graph-Protocol, Script, Title[Store], X-Frame-Options[SAMEORIGIN]https://api.example.com [401 Unauthorized] HTTPServer[Werkzeug/3.0.1 Python/3.11], IP[198.51.100.25], WWW-Authenticate[Basic realm], nginxhttps://dev.example.com [200 OK] Drupal, HTTPServer[Apache/2.4.58], HttpOnly[SESS], IP[203.0.113.12], MetaGenerator[Drupal 10], PHP, Script, Title[Dev Portal]https://cam.example.com [200 OK] Country[RESERVED][ZZ], HTTPServer[Boa/0.94.14rc21], IP[198.51.100.30], Title[Network Camera], WWW-Authenticate[Basic realm]guidance
Use WhatWeb to fingerprint web technologies across single hosts, ranges, or lists with tunable aggression. For a Wappalyzer-style detection engine built for raw bulk throughput, use webanalyze. For liveness plus tech in one probe, use httpx.
Deep single-site fingerprinter. WhatWeb adds aggression levels and range/CIDR targets.
Go port of Wappalyzer tuned for fast bulk scanning of host lists.
Probes liveness and runs tech detection inline, so one node both filters and fingerprints.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A target list feeds WhatWeb, which fingerprints each host and writes the technology profile as a queryable output.
Facts on this page come from the live Trickest tool library.