#!/bin/bash
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# http://www.morningstarsecurity.com/research/whatweb
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Hunter finds web applications with Google then fingerprints them with WhatWeb
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Script identity, shown in the usage banner
VERSION=0.1.2
AUTHOR='Brendan Coles [ itsecuritysolutions.org ]'

# Hunter defaults; the command-line options below overwrite them
VERBOSE=TRUE    # -q switches this to "FALSE"
LIST=           # -l KEYWORD
QUERY=          # -g QUERY
APP=            # -a APPLICATION
# Log file name handed to WhatWeb: timestamp plus this shell's PID.
# It is a relative name, so it lands in the current working directory.
LOG="hunter.$(date +%Y%m%d%H%M%S)-$$.log"

# WhatWeb defaults
AGGRESSION=1
USERAGENT='Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341'
# Proxy credentials (-c). They are later forwarded to WhatWeb as a
# command-line argument, so they show up in the process list while it runs.
PROXYUSER=
PROXY=          # -p hostname:port
FILTER=         # -f comma delimited list of applications
WHATWEB_QUIET=  # filled in when -q is given

# GGGoogleScan defaults
WAIT=0          # -w seconds between Google queries
DEPTH=5         # -d number of result pages
GSCAN_QUIET=    # filled in when -q is given and gggooglescan supports it
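# Locate the WhatWeb executable. Candidates, in order:
#   1. ./whatweb in the current working directory
#   2. ../whatweb relative to the directory holding this script
#   3. whatweb found on PATH
# Whichever candidate is found first is the program hunter executes, so
# candidate 1 means a file named "whatweb" in the directory hunter is started
# from takes precedence over the installed copy. Start hunter from a directory
# you trust.
# A candidate must be a regular, executable file: a plain existence test would
# also accept a directory called "whatweb" and fail later when it is run.
WHATWEB="./whatweb"
if [[ ! -f "$WHATWEB" || ! -x "$WHATWEB" ]]; then
	# "$0" is quoted so an install path containing spaces still resolves
	WHATWEB="$(dirname "$0")/../whatweb"
	if [[ ! -f "$WHATWEB" || ! -x "$WHATWEB" ]]; then
		# Fall back to PATH; command -v prints nothing when whatweb is absent
		WHATWEB=$(command -v whatweb 2>/dev/null)
		if [[ -z "$WHATWEB" ]]; then
			echo "[!] Fatal Error: WhatWeb must be in the parent directory, in the current working directory or installed. Homepage: http://www.morningstarsecurity.com/research/whatweb" >&2
			exit 1
		fi
	fi
fi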
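# gggooglescan is expected to sit next to this script (the addons/ folder)
GOOGLESCAN="$(dirname "$0")/gggooglescan"
if [[ ! -f "$GOOGLESCAN" ]]; then
	# Report the directory that was searched. dirname needs "$0" as its
	# operand; called without one it only prints its own error message.
	echo "[!] Fatal Error: Expected to find gggooglescan in $(dirname "$0"). Homepage: http://www.morningstarsecurity.com/research/gggooglescan" >&2
	exit 1
fi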
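#######################################
# Print the banner and the help text.
# Globals:   VERSION (read), AUTHOR (read)
# Arguments: none
# Outputs:   help text on stdout
# Returns:   0; the caller decides whether to exit
#######################################
usage() {
	# ANSI colour codes for the banner: bold green, normal green, reset.
	# Kept local so they do not leak into the rest of the script.
	local bright=$'\033[1;32m'
	local normal=$'\033[0;32m'
	local reset=$'\033[0m'

	# An unquoted here-document expands the variables and keeps the double
	# quotes in the examples literal, so the -f example is printed with the
	# quotes a user has to type.
	cat <<EOF

${bright}         @@@  @@@   @@@  @@@   @@@  @@@   @@@@@@@   @@@@@@@@   @@@@@@@
${bright}         @@!  @@@   @@!  @@@   @@!@!@@@     @@!     @@!        @@!  @@@
${normal}         @!@!@!@!   @!@  !@!   @!@@!!@!     @!!     @!!!:!     @!@!!@!
${normal}         !!:  !!!   !!:  !!!   !!:  !!!     !!:     !!:        !!: :!!
${normal}          :   : :    :.:: :    ::    :       :      : :: :::    :   : :
${reset}
Hunter - Finds web applications with Google then fingerprints them with WhatWeb
Version $VERSION by $AUTHOR

Usage:   ./hunter [options]
Example: ./hunter -a wordpress
	 ./hunter -a wordpress -f "wordpress,title,httpserver"
	 ./hunter -g "site:wordpress.org" -f wordpress

Options:
  -g QUERY		Search Google for QUERY
  -a APPLICATION	Search Google for APPLICATION
  -f APPLICATION	Filter results by comma delimited list of applications
  -l KEYWORD		List supported applications. Filter by KEYWORD.
			Use "." to list all applications.
  -h			This help info
  -q			Quiet. Do not display comment lines and errors to STDOUT

Google Options:
  -d NUM		Depth of Google results. NUM pages to return. Default: 5
  -w SECONDS		Wait for SECONDS between each Google query. Default: 0

WhatWeb Options:
  -n AGGRESSION		Set WhatWeb aggression level. Default: 1 (passive)
  -u USER-AGENT		Set WhatWeb user agent
  -p <hostname:port>	Set WhatWeb proxy hostname and port
  -c <username[:pass]>	Set WhatWeb proxy credentials

EOF
}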
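# Command line options.
# For an unknown option or a missing argument getopts prints its own error
# and sets OPTION to "?". The catch-all arm then shows the help text and stops,
# so a mistyped option is never silently ignored while the scan runs anyway.
while getopts 'd:a:u:f:w:n:g:l:p:c:qh' OPTION
do
	case "$OPTION" in
		h) usage; exit ;;
		d) DEPTH=$OPTARG ;;
		f) FILTER=$OPTARG ;;
		n) AGGRESSION=$OPTARG ;;
		u) USERAGENT=$OPTARG ;;
		w) WAIT=$OPTARG ;;
		q) VERBOSE="FALSE" ;;
		p) PROXY=$OPTARG ;;
		# Proxy credentials given here sit on hunter's own command line
		# (shell history, process list)
		c) PROXYUSER=$OPTARG ;;
		l) LIST=$OPTARG ;;
		g) QUERY=$OPTARG ;;
		a) APP=$OPTARG ;;
		*) usage; exit 1 ;;
	esac
done
# Drop the parsed options so only positional arguments remain
shift $((OPTIND - 1))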
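# List applications (-l KEYWORD), then quit.
# The listing is taken from the "$WHATWEB" -I output: the 5 lines before each
# "Dorks:" line are kept, reduced to lines that start with a word character,
# and finally filtered case-insensitively by KEYWORD (a regular expression;
# "." matches everything).
if [[ -n "$LIST" ]]; then
	if [[ "$VERBOSE" == "TRUE" ]]; then
		echo "[+] Listing applications matching \"$LIST\"" >&2
	fi
	# Options go before the pattern so every grep parses them as options.
	# "-e" marks KEYWORD as the pattern, so a keyword that starts with "-"
	# is searched for instead of being read as a grep option.
	"$WHATWEB" -I | grep -B 5 "Dorks:" | grep -E "^(\w)" | grep -i -e "$LIST"
	# Exit with the status of the pipeline above (non-zero when nothing matched)
	exit
fi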
# Without an application (-a) or a Google query (-g) there is nothing to
# search for: print the help text and leave with a failure status.
[[ -n "$APP" || -n "$QUERY" ]] || {
	usage
	exit 1
}
# Choose the Google queries to run: an explicit -g QUERY is used as given,
# otherwise WhatWeb is asked (--dorks) for the queries of the -a application.
if [[ -n "$QUERY" ]]; then
	DORKS="$QUERY"
else
	[[ "$VERBOSE" != "TRUE" ]] ||
		echo "[-] No query specified. Loading Google queries for $APP" >&2

	DORKS=$("$WHATWEB" --dorks "$APP")

	# WhatWeb printed nothing for this application: stop with a failure status
	if [[ -z "$DORKS" ]]; then
		[[ "$VERBOSE" != "TRUE" ]] ||
			echo "[-] No Google queries were found." >&2
		exit 1
	fi
fi
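# Show the Google queries that are about to be run (verbose mode only).
# The heading goes to stderr, the queries themselves to stdout.
if [[ "$VERBOSE" == "TRUE" ]]; then
	echo "[+] Using the following Google queries:" >&2
	# printf prints the queries verbatim; echo would swallow a query that
	# happens to look like one of its own flags (for example "-n").
	printf '%s\n' "$DORKS"
fi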
# Quiet mode (-q): prepare the extra flags for both tools.
# Both variables hold space-separated flags and are expanded unquoted where
# the tools are run.
if [[ "$VERBOSE" == "FALSE" ]]; then
	WHATWEB_QUIET="-q --no-errors"
	# gggooglescan's quiet mode is broken in v0.4, so -q is only passed when
	# a line of that script containing "getopts" also contains the letter q.
	if grep "getopts" "$GOOGLESCAN" | grep -q q; then
		GSCAN_QUIET="-q"
	fi
fi
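# Pipe dorks to gggooglescan then pipe the results to WhatWeb:
#   1. every query line is handed to gggooglescan as its last argument
#   2. lines of its output that start with "#" are dropped
#   3. WhatWeb takes the remaining lines as its input (-i /dev/stdin) and
#      writes a brief log to $LOG
#   4. only WhatWeb output lines containing " [<digit>" are shown
#
# NOTE: the proxy credentials are passed as the --proxy-user argument, so they
# are visible in the process list for as long as WhatWeb runs.
#
# read -r keeps backslashes in a query intact. gggooglescan gets /dev/null as
# stdin so that it cannot consume the queries still waiting in the pipe,
# should it ever read from stdin.
# $GSCAN_QUIET and $WHATWEB_QUIET stay unquoted on purpose: each holds zero or
# more space-separated flags that must split into separate words.
# shellcheck disable=SC2086
printf '%s\n' "$DORKS" \
	| while read -r LINE; do
		"$GOOGLESCAN" $GSCAN_QUIET -d "$DEPTH" -s "$WAIT" "$LINE" </dev/null
	done \
	| grep -v "^#" \
	| "$WHATWEB" $WHATWEB_QUIET -a "$AGGRESSION" -U "$USERAGENT" -i /dev/stdin \
		--proxy "$PROXY" --proxy-user "$PROXYUSER" --log-brief="$LOG" -p "$FILTER" \
	| grep -e " \[[0-9]"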
# Tell the user where the log went (verbose mode only). The message is
# printed whether or not the pipeline above succeeded.
[[ "$VERBOSE" != "TRUE" ]] || echo "[+] Wrote output to $LOG" >&2
181