WhatWeb Cheatsheet
Purpose: Identify web technologies — CMS, frameworks, web servers, JS libraries, analytics, version numbers — via signature plugins.
Basic Usage
whatweb <target> # Default scan
whatweb https://target.tld
whatweb -v https://target.tld # Verbose (full plugin output)
whatweb -a 3 https://target.tld # Aggression level 3
whatweb target.tld --colour=never # No ANSI in output
Common Flags
| Flag | Description |
|---|---|
| `-v` | Verbose: full plugin details, not just summary |
| `-a <0-4>` | Aggression level (see below) |
| `-i <file>` | Read targets from file |
| `--input-file <file>` | Same as `-i` |
| `-U <ua>` | Custom User-Agent |
| `--header "K: V"` | Add custom header (repeatable) |
| `-c "<cookie>"` | Set Cookie header |
| `--user "<u:p>"` | HTTP Basic auth |
| `--proxy <host:port>` | Use proxy |
| `--proxy-user <u:p>` | Proxy auth |
| `--follow-redirect <mode>` | never, http-only, meta-only, same-site, always |
| `-t <n>` | Threads (default 25) |
| `--open-timeout <s>` | Connect timeout |
| `--read-timeout <s>` | Read timeout |
| `--log-brief <file>` | One-line summary log |
| `--log-verbose <file>` | Verbose log |
| `--log-xml <file>` | XML output |
| `--log-json <file>` | JSON output |
| `--log-magictree <file>` | MagicTree XML |
| `--log-sql <file>` | SQL insert statements |
| `-l` | List plugins |
| `-I <plugin>` | Show plugin info |
| `--plugins <list>` | Only run listed plugins (comma-separated) |
| `--no-errors` | Suppress connection errors |
Aggression Levels (-a)
| Level | Name | Behavior |
|---|---|---|
| 1 | Stealthy | One GET per target, never follows redirects beyond that |
| 2 | (unused) | Reserved |
| 3 | Aggressive | Triggers extra requests when plugins want them (e.g. /wp-login.php) |
| 4 | Heavy | Many requests per plugin; noisy, may set off WAF/IDS |
whatweb -a 1 target.tld # Single request, low noise
whatweb -a 3 target.tld # Recommended for thorough enum
whatweb -a 4 -v target.tld # Full noise, full detail
Bulk / List Scanning
whatweb -i targets.txt --log-brief whatweb.txt
whatweb -i urls.txt -a 3 --log-json whatweb.json --no-errors
cat ips.txt | whatweb -i /dev/stdin --log-verbose verbose.log # Piped targets are read via -i /dev/stdin
CIDR / range scan:
whatweb 192.168.1.0/24 --log-brief subnet.txt
whatweb 192.168.1.1-50 -a 1
Routing Through Burp / ZAP
whatweb --proxy 127.0.0.1:8080 https://target.tld
whatweb --proxy 127.0.0.1:8080 --proxy-user user:pass target.tld
Plugin Inspection
whatweb -l # List all plugins
whatweb -l | grep -i wordpress # Find a plugin
whatweb -I WordPress # Show what a plugin checks for
whatweb --plugins WordPress,Apache https://target.tld
whatweb --plugins +/path/to/custom.rb target.tld # Add custom plugin
Output Formats
# Brief one-liners (good for diffing scans)
whatweb -i list.txt --log-brief brief.txt
# Verbose, human-readable
whatweb -a 3 -v target.tld --log-verbose detailed.log
# Machine-readable
whatweb -i list.txt --log-json result.json
whatweb -i list.txt --log-xml result.xml
Practical Recipes
# Stack fingerprint of a single target
whatweb -a 3 -v https://target.tld
# Survey an internal subnet without connection-error clutter
whatweb 10.67.10.0/24 -a 1 --no-errors --log-brief lab-stack.txt
# Quiet recon through Burp for later replay
whatweb --proxy 127.0.0.1:8080 -a 1 target.tld
# Pair with wafw00f for stack + WAF in one pass
wafw00f https://target.tld && whatweb -a 3 -v https://target.tld
Tips
- Default aggression is `1`; bump to `3` for real enumeration.
- WhatWeb reports plugin matches with confidence; treat low-confidence hits as leads, not facts.
- Combine with `curl -sIL` to confirm headers WhatWeb reported.
- For CMS-specific deep dives, switch to dedicated tools after WhatWeb (`wpscan`, `droopescan`, `joomscan`).
- Output to JSON if you need to diff stacks across hosts or over time.
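
The last tip, as an added example (not part of the original cheatsheet or of WhatWeb itself): a small Python script that diffs two `--log-json` scans to show which technologies or versions appeared, disappeared or changed per target. It assumes the log is a JSON array of objects with `target` and `plugins` keys, where each plugin may carry a `version` list; the sample scans and hostnames are constructed.

```python
import json

# Constructed sample data in the layout assumed for --log-json output:
# a JSON array with one object per target, each carrying a "plugins" map.
SCAN_OLD = json.dumps([
    {"target": "https://app.example.test", "http_status": 200,
     "plugins": {"Apache": {"version": ["2.4.41"]},
                 "WordPress": {"version": ["5.8"]},
                 "JQuery": {"version": ["3.5.1"]}}},
])
SCAN_NEW = json.dumps([
    {"target": "https://app.example.test", "http_status": 200,
     "plugins": {"Apache": {"version": ["2.4.41"]},
                 "WordPress": {"version": ["6.1"]},
                 "PHP": {"version": ["7.4.3"]}}},
    {"target": "https://new.example.test", "http_status": 403,
     "plugins": {"nginx": {}}},
])

def load_stacks(text):
    """Map target -> {plugin: sorted version tuple} from WhatWeb JSON text."""
    stacks = {}
    for entry in json.loads(text):
        if not isinstance(entry, dict) or "target" not in entry:
            continue  # tolerate empty or partial records
        plugins = entry.get("plugins") or {}
        stacks[entry["target"]] = {
            name: tuple(sorted(map(str, (data or {}).get("version", []))))
            for name, data in plugins.items()
        }
    return stacks

def diff_stacks(old, new):
    """Return sorted (target, plugin, change, old_versions, new_versions)."""
    changes = []
    for target in sorted(set(old) | set(new)):
        before, after = old.get(target, {}), new.get(target, {})
        for plugin in sorted(set(before) | set(after)):
            if plugin not in before:
                changes.append((target, plugin, "added", (), after[plugin]))
            elif plugin not in after:
                changes.append((target, plugin, "removed", before[plugin], ()))
            elif before[plugin] != after[plugin]:
                changes.append((target, plugin, "version", before[plugin], after[plugin]))
    return changes

if __name__ == "__main__":
    for row in diff_stacks(load_stacks(SCAN_OLD), load_stacks(SCAN_NEW)):
        print(*row, sep="\t")
```

To use it on real scans, read the two `--log-json` files and pass their contents to `load_stacks` in place of the constructed strings.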