Sources for Plugin Writing

               ,'``.._   ,'``.
              :,--._:)\,:,._,.:       HYPNOTOAD DESIRES
              :`--,''   :`...';\      WHATWEB PLUGINS !
               `,'       `---'  `.
               /                 :
              /                   \
            ,'                     :\.___,-.
           `...,---'``````-..._    |:       \
             (                 )   ;:    )   \  _,-.
              `.              (   //          `'    \
               :               `.//  )      )     , ;
             ,-|`.            _,'/       )    ) ,' ,'
            (  :`.`-..____..=:.-':     .     _,' ,'
             `,'\ ``--....-)='    `._,  \  ,') _ '``._
          _.-/ _ `.       (_)      /     )' ; / \ \`

ASCII art stolen from r33b.net

Have you ever wanted to target your exploits more efficiently? Ever wanted to engage in stealthy, large-scale internet scanning? Ever wanted to write a data-mining script for a web service? Ever wanted to parse local or remote files through several regular expressions and generate a tidy, grep-able report? Ever lost a web-app on your network because the only admin was hit by a bus during the install? Ever wanted to write and distribute a simple HTTP GET application but became overwhelmed with the amount of error-checking, escaping, encoding, HTTP authorization, HTML parsing and error-logging required for what is essentially a really simple task? Bored? Write a WhatWeb plugin!

Here's a list of sources for applications which require fingerprinting :

• http://php.opensourcecms.com
• http://www.free-php.net/free-php-scripts/
• https://secure.wikimedia.org/wikipedia/en/wiki/List_of_content_management_systems
• http://www.microsoft.com/web/gallery/
• http://webxadmin.free.fr/article/jsp-cms-list-1032.php
• http://www.builtwith.com - http://trends.builtwith.com/
• http://scan.sucuri.net/
• http://poweredsites.org/
• http://www.exploit-db.com/

Web Applications

If you discover that an application on this list is extremely outdated, does not have any examples on the internet or the source is not publicly available then please remove it.

These apps are mostly from bugtraq and exploit-db :

• Swiftlet
• Helma (eg, www.pcapr.com)
• Obcommerce
• AJ Article Persistent
• AJ HYIP MERIDIAN
• AJ HYIP PRIME
• Allomani - Super Multimedia
• Angel LMS
• Azaronline Design
• BaconMap
• Bilder Upload Script
• BlogBird
• BloofoxCMS
• BS Auction
• BS Auto Classifieds
• BS Classifieds Ads
• BS Events Directory
• BS Scripts Directory
• Django
• DBHcms
• DeluxeBB
• digiSHOP
• Digger Solutions Newsletter Open Source
• DM Filemanager
• Dolphin
• DZCP
• Ecomat CMS
• Edgephp Clickbank Affiliate Marketplace
• eoCMS
• E-Php Content Management System
• eLouai's Force Download Script
• Energine
• Entrans
• Expression CMS
• Free PHP photo gallery script
• IBM Bladecenter Management
• iNet Online Community
• infinix
• IXXO Cart for Joomla
• Lara
• Micro CMS
• MetInfo
• MyCart
• MyBB
• MultiPowUpload
• Novaboard
• NinkoBB
• OrangeHRM
• Pecio CMS
• PageDirector CMS
• PHPShop
• PHP auctions
• PHP Lowbids
• PHP Coupon Script
• PHPDirector Game Edition
• Pre Dynamic Institution Web
• Pre E-Smart Cart
• Pre Podcast Portal
• Pre SoftClones Marketing Management System
• Pre Web Host System
• Pre Multi-Vendor Shopping Malls
• PTCPay
• Seo Panel
• Simpli Easy (AFC Simple) Newsletter
• Simple Document Management System
• Simple Forum PHP demo
• Simploo CMS
• TFTgallery
• Site2Nite
• SugarCRM
• Tycoon CMS
• W-Agora
• Wiccle Web Builder CMS / iWiccle CMS Community Builder
• YPNinc JokeScript
• YPNinc PHP Realty Script
• ZeeAdbox
• ZeeMatri
• ZeeNetworking
• zf-cms
• JBI CMS
• MiniBB
• JAF CMS
• SweetRice CMS
• Site2Nite Business eListings
• Online Work Order System (OWOS) Professional Edition
• Comrie Software Pay Roll Time Sheet & Punch Card
• Site2Ntite Vacation Rental (VRBO) Listings
• MetInfo
• Xnova Legacies

# 4 ShodanHQ results for WWW-Authenticate: Basic realm="GoogleDB"
examples %w|
62.241.56.221
62.241.55.220
82.210.35.116
82.210.34.117
|

# Passive #
def passive
    m=[]

    # WWW Authenticate Realm
    m << { :name=> "WWW Authenticate Realm" } if @meta["www-authenticate"] =~ /Basic realm="GoogleDB"/

    m

end

Hacker Safe Scans

• Identify and differentiate 3rd party hacker safe scan traces and logos
• 6 Google results for "this website is hacker safe"
  • Beyond Security
  • IIScan
  • Mcfee
  • WebSafe Shield
  • TRUSTe
  • TRUST Guard
  • SafeTested

# Hacker Safe  [[Example URL|http://www.nonijuice.us/cart/tahitian-noni-original.htm]]
  { :url=>"/images/hackersafe.gif", :md5=>"e9bb07c576dc473f2f120d600b410562" },
  { :url=>"/hackersafe.gif", :md5=>"e9bb07c576dc473f2f120d600b410562" },
  { :url=>"/images/hacker_safe.gif", :md5=>"ac092240ec08923021b21189991e3741" },
  { :url=>"/hacker_safe.gif", :md5=>"ac092240ec08923021b21189991e3741" },

# Comodo  [[Example URL|http://www.nonijuice.us/cart/tahitian-noni-original.htm]]
  { :url=>"/images/secure_site.gif", :md5=>"ca98e22a0d22e7ee4bd0263db703cd38" },
  { :url=>"/secure_site.gif", :md5=>"ca98e22a0d22e7ee4bd0263db703cd38" },

Hardware - Routers

http://fhscanhttplibrary.googlecode.com/svn/!svn/bc/70/HTTPCore/trunk/release/KnownRouters.ini

http://fhscanhttplibrary.googlecode.com/svn-history/r70/HTTPCore/trunk/release/RouterAuth.ini

The Danish Interpretation Systems (DIS) CU 6005 Central Unit is a powerful microprocessor based control unit designed for the DIS DCS 6000 system. Only one DIS CU 6005 is needed for control of all types of conference units.

• 3 results for "dis cu" ext:cfg password @ 2010-09-04
• 67.217.38.2/attachments/svc/documents/1257915636218.Hub.cfg
• 67.217.38.2/attachments/svc/documents/1257915666218.spoke1.cfg
• 67.217.38.2/attachments/svc/documents/1257915687093.spoke2.cfg
• 67.217.38.2/attachments/svc/documents/1257915718296.spoke2.cfg

More config files at the URLs listed below. Plugins have already been written for the Aruba and Nortel devices.

• http://www.opus1.com/nac/lv06configs/
• http://www.opus1.com/nac/lv07configs/
• http://www.opus1.com/nac/lv08configs/
• http://www.opus1.com/nac/ny06configs/

Web Servers

From server: HTTP header. Separate plugins for ease of maintainability and cleaner output. Plugins for some HTTP servers have already been written.

http://fhscanhttplibrary.googlecode.com/svn/!svn/bc/70/HTTPCore/trunk/release/Webservers.ini

http://fhscanhttplibrary.googlecode.com/svn/!svn/bc/70/HTTPCore/trunk/release/KnownWebservers.ini

See ShodanHQ and http-stats.com for more examples.

Third-Party Addons

Separate plugins for ease of maintainability and cleaner output.

• Analytics ( Yahoo ..)
• CaptCha (Recaptcha, ..etc)
• Video Players (Youtube, Vimeo, ...etc)
• Widgets (addthis,..etc)

Favicon Hashes

These hashes are from the OWASP Favicon Database Project

A plugin needs to be written for each one of these apps. Most require additional research however in some cases a plugin already exists and just needs to be updated with the md5 hash.

# penguin
{ :url=>"/favicon.ico", :md5=>"6399cc480d494bf1fcd7d16c42b1c11b"  },

# SocialText
{ :url=>"/favicon.ico", :md5=>"506190fc55ceaa132f1bc305ed8472ca"},

# PHPwiki
{ :url=>"/favicon.ico", :md5=>"2cc15cfae55e2bb2d85b57e5b5bc3371" },

# XOOPS cms
{ :url=>"/favicon.ico", :md5=>"389a8816c5b87685de7d8d5fec96c85b" },

# Drupal CMS
{ :url=>"/favicon.ico", :md5=>"e6a9dc66179d8c9f34288b16a02f987e" },

# NetScreen WebUI
{ :url=>"/favicon.ico", :md5=>"f1876a80546b3986dbb79bad727b0374" },

# Netscape 4.1
{ :url=>"/favicon.ico", :md5=>"226ffc5e483b85ec261654fe255e60be" },

# Netscape iPlanet 6.0"
{ :url=>"/favicon.ico", :md5=>"b25dbe60830705d98ba3aaf0568c456a" },

# Netscape 6.0 (AOL)"
{ :url=>"/favicon.ico", :md5=>"41e2c893098b3ed9fc14b821a2e14e73" },

# SunOne 6.1
{ :url=>"/favicon.ico", :md5=>"a28ebcac852795fe30d8e99a23d377c1" },

# Zero byte favicon
{ :url=>"/favicon.ico", :md5=>"d41d8cd98f00b204e9800998ecf8427e" },

# DotNetNuke (http://www.dotnetnuke.com)
{ :url=>"/favicon.ico", :md5=>"5b0e3b33aa166c88cee57f83de1d4e55" },

# Lotus-Domino
{ :url=>"/favicon.ico", :md5=>"7dbe9acc2ab6e64d59fa67637b1239df" },

# Wordpress
{ :url=>"/favicon.ico", :md5=>"fa54dbf2f61bd2e0188e47f5f578f736" },

# Wordpress - obsolete version
{ :url=>"/favicon.ico", :md5=>"6cec5a9c106d45e458fc680f70df91b0" },

# E-zekiel
{ :url=>"/favicon.ico", :md5=>"81ed5fa6453cf406d1d82233ba355b9a" },

# 3-byte invalid favicon: domain sellers"
{ :url=>"/favicon.ico", :md5=>"ecaa88f7fa0bf610a5a26cf545dcd3aa" },

# vBulletin forum
{ :url=>"/favicon.ico", :md5=>"c1201c47c81081c7f0930503cae7f71a" },

# Powered by Reynolds Web Solutions (Car sales CMS)
{ :url=>"/favicon.ico", :md5=>"edaaef7bbd3072a3a0c3fb3b29900bcb" },

Cookies

These cookies are from http://seclists.org/pen-test/2006/Jan/att-210/cookie_fingerprinting.txt

A plugin needs to be written for each one of these apps. Most require additional research however in some cases a plugin already exists and just needs to be updated with regex for the cookie.

# BEA WebLogic (www.bea.com)
if @meta["set-cookie"] =~ WebLogicSession=PLLHV8No5ImB2wUo2mupD49Bdo2HxEXq7OjhAAEl1EP6tMr1KbtI|-2011799079004677001/-1062729195/6/7001/7001/7002/7002/7001/-1|-3433517045111774782/-1062729194/6/7001/7001/7002/7002/7001/-1; path=/

# Sane NetTracker (www.sane.com)
if @meta["set-cookie"] =~ SaneID=213.63.123.42-1018349510644; path=/; expires=Tue, 09-Apr-07 06:51:50 GMT; domain=.sane.com

# Vignette (www.vignette.com)
if @meta["set-cookie"] =~ ssuid=Maxliw00vvM00001fbb6Oxn0wa; path= /; expires=Saturday, 06-Sep-2014 23:50:08 GMT
if @meta["set-cookie"] =~ vgnvisitor=Mawd0M00heY0000~fBiFkE0035; path= /; expires=Saturday, 06-Sep-2014 23:50:08 GMT

# IBM Net.Commerce (www.ibm.com)
if @meta["set-cookie"] =~ SESSION_ID=203363,JdjXE+hB9ph06hBJ4NSD04uHsq/FktC/rNib7MJjNS3jk5fXEK9XBtkAx0zI7NkI; path=/;

# Netscape Enterprise Server (www.sun.com)
if @meta["set-cookie"] =~ NSES40Session=2%253A3e57d375%253Adc59172283a7e72c;path=/;expires=Sat, 22-Feb-2003 20:15:57 GMT

# iPlanet (www.sun.com)
if @meta["set-cookie"] =~ iPlanetUserId=213.23.123.42:29511018555049; EXPIRES=Friday, 31-Dec-2010 23:59:59 GMT; DOMAIN=.iplanet.com; PATH=/

# RealMedia OpenAdStream
if @meta["set-cookie"] =~ RMID=d442af2b3d1ccf30; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.xxxx.net

# Caucho Resin
if @meta["set-cookie"] =~ JSESSIONID=afbx7QRlFZje; path=/

# Jakarta Tomcat/JSERV (jakarta.apache.org/tomcat/)
if @meta["set-cookie"] =~ JSESSIONID=4ah34a8xo1;Path=/

# Roxen Web Server (www.roxen.com)
if @meta["set-cookie"] =~ RoxenUserID=07761bc31df67ae8c4441a89bc7ceed5

# ApacheJServ (java.apache.org/jserv)
if @meta["set-cookie"] =~ JServSessionIdroot=vvni7vxu8n; path=/

# IBM Tivoli Policy Director WebSeal (www.ibm.com)
if @meta["set-cookie"] =~ PD-S-SESSION-ID=2_L7kl8vzZ9b8LMEwpm0PgqqQRIh2ZZakRamBlgvMXqIIAABDZ; Path=/; Secure

# Sun Java System Application Server (Netscape/iPlanet Applicaton Server)
if @meta["set-cookie"] =~ gx_session_id_=f42d0282513ff402; path=/

# OpenMarket/FatWire Content Server (www.fatwire.com)
if @meta["set-cookie"] =~ SS_X_CSINTERSESSIONID=0001P73k2FUEYEU4Ks5TtKxcs2K:vv0b9pej; path=/
if @meta["set-cookie"] =~ CSINTERSESSIONID=0001xquPwAx2NFUFvi7yw-43f35:vv7sdeqs;Path=/