1#!/bin/bash 2# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 3# This file is part of WhatWeb and may be subject to 4# redistribution and commercial restrictions. Please see the WhatWeb 5# web site for more information on licensing and terms of use. 6# http://www.morningstarsecurity.com/research/whatweb 7# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 8# Hunter finds web applications with Google then fingerprints them with WhatWeb 9# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 10VERSION="0.1.2" 11AUTHOR="Brendan Coles [ itsecuritysolutions.org ]" 12 13# Hunter settings 14VERBOSE="TRUE" 15LIST="" 16QUERY="" 17APP="" 18LOG="hunter.$(date +"%Y%m%d%H%M%S")-$$.log" 19 20# WhatWeb settings 21AGGRESSION="1" 22USERAGENT="Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341" 23PROXYUSER="" 24PROXY="" 25FILTER="" 26WHATWEB_QUIET="" 27 28# GGGoogleScan settings 29WAIT="0" 30DEPTH="5" 31GSCAN_QUIET="" 32 33# Check for WhatWeb in the current working directory 34WHATWEB="./whatweb" 35if [[ ! -e "$WHATWEB" ]]; then 36 # Check for WhatWeb directory relative to hunter 37 WHATWEB=`dirname $0`"/../whatweb" 38 if [[ ! -e "$WHATWEB" ]]; then 39 # Check if WhatWeb is installed 40 WHATWEB=`which whatweb 2>/dev/null` 41 if [[ -z "$WHATWEB" ]]; then 42 echo "[!] Fatal Error: WhatWeb must be in the parent directory, in the current working directory or installed. Homepage: http://www.morningstarsecurity.com/research/whatweb" 43 exit 1 44 fi 45 fi 46fi 47 48 49# expect gggooglescan to be in the addons/ folder 50GOOGLESCAN=`dirname "$0"`"/gggooglescan" 51if [[ ! -e "$GOOGLESCAN" ]]; then 52 echo "[!] Fatal Error: Expected to find gggooglescan in `dirname`. Homepage: http://www.morningstarsecurity.com/research/gggooglescan" 53 exit 1 54fi 55 56 57# Show usage and quit 58function usage { 59 60LRED="\033[1;32m" 61DRED="\033[0;32m" 62NOCOLOR="\033[0m" 63 64echo -e " 65$LRED @@@ @@@ @@@ @@@ @@@ @@@ @@@@@@@ @@@@@@@@ @@@@@@@ 66$LRED @@! @@@ @@! @@@ @@!@!@@@ @@! @@! @@! @@@ 67$DRED @!@!@!@! @!@ !@! @!@@!!@! @!! @!!!:! @!@!!@! 68$DRED !!: !!! !!: !!! !!: !!! !!: !!: !!: :!! 69$DRED : : : :.:: : :: : : : :: ::: : : : 70$NOCOLOR 71Hunter - Finds web applications with Google then fingerprints them with WhatWeb 72Version $VERSION by $AUTHOR 73 74Usage: ./hunter [options] 75Example: ./hunter -a wordpress 76 ./hunter -a wordpress -f "wordpress,title,httpserver" 77 ./hunter -g \"site:wordpress.org\" -f wordpress 78 79Options: 80 -g QUERY Search Google for QUERY 81 -a APPLICATION Search Google for APPLICATION 82 -f APPLICATION Filter results by comma delimited list of applications 83 -l KEYWORD List supported applications. Filter by KEYWORD. 84 Use \".\" to list all applications. 85 -h This help info 86 -q Quiet. Do not display comment lines and errors to STDOUT 87 88Google Options: 89 -d NUM Depth of Google results. NUM pages to return. Default: 5 90 -w SECONDS Wait for SECONDS between each Google query. Default: 0 91 92WhatWeb Options: 93 -n AGGRESSION Set WhatWeb aggression level. Default: 1 (passive) 94 -u USER-AGENT Set WhatWeb user agent 95 -p <hostname:port> Set WhatWeb proxy hostname and port 96 -c <username[:pass]> Set WhatWeb proxy credentials 97" 98} 99 100 101# Command line options 102while getopts 'd:a:u:f:w:n:g:l:p:c:qh' OPTION 103do 104 case $OPTION in 105 h) usage; exit ;; 106 d) DEPTH=$OPTARG ;; 107 f) FILTER=$OPTARG ;; 108 n) AGGRESSION=$OPTARG ;; 109 u) USERAGENT=$OPTARG ;; 110 w) WAIT=$OPTARG ;; 111 q) VERBOSE="FALSE" ;; 112 p) PROXY=$OPTARG ;; 113 c) PROXYUSER=$OPTARG ;; 114 l) LIST=$OPTARG ;; 115 g) QUERY=$OPTARG ;; 116 a) APP=$OPTARG ;; 117 esac 118done 119shift $(($OPTIND -1 )) 120 121# List applications 122if [[ ! -z "$LIST" ]]; then 123 if [[ "$VERBOSE" == "TRUE" ]]; then 124 echo "[+] Listing applications matching \"$LIST\"" >&2 125 fi 126 "$WHATWEB" -I | grep "Dorks:" -B 5 | grep -E "^(\w)" | grep -i "$LIST" 127 exit 128fi 129 130# Show usage when no arguments are provided 131if [[ -z "$APP" && -z "$QUERY" ]]; then 132 usage 133 exit 1 134fi 135 136# Get dorks from WhatWeb if no Google query was provided 137if [[ -z "$QUERY" ]]; then 138 139 # Get dorks from WhatWeb 140 if [[ "$VERBOSE" == "TRUE" ]]; then 141 echo "[-] No query specified. Loading Google queries for $APP" >&2 142 fi 143 144 DORKS=`"$WHATWEB" --dorks "$APP"` 145 146 # Quit if no dorks were returned 147 if [[ -z "$DORKS" ]]; then 148 if [[ "$VERBOSE" == "TRUE" ]]; then 149 echo "[-] No Google queries were found." >&2 150 fi 151 exit 1 152 fi 153 154else 155 DORKS="$QUERY" 156fi 157 158# Show google dorks 159if [[ "$VERBOSE" == "TRUE" ]]; then 160 echo "[+] Using the following Google queries:" >&2 161 echo "$DORKS" 162fi 163 164# Set quiet args if required 165if [[ "$VERBOSE" == "FALSE" ]]; then 166 WHATWEB_QUIET="-q --no-errors" 167 # gggooglescan's quiet mode is broken in v0.4 168 if [[ ! -z `grep "getopts" "$GOOGLESCAN" | grep q` ]]; then 169 GSCAN_QUIET="-q" 170 fi 171fi 172 173# Pipe dorks to gggooglescan then pipe the results to WhatWeb 174echo "$DORKS" | while read LINE ; do "$GOOGLESCAN" $GSCAN_QUIET -d "$DEPTH" -s "$WAIT" "$LINE"; done | egrep -v "^#" | "$WHATWEB" $WHATWEB_QUIET -a "$AGGRESSION" -U "$USERAGENT" -i /dev/stdin --proxy "$PROXY" --proxy-user "$PROXYUSER" --log-brief="$LOG" -p "$FILTER" | grep -e " \[[0-9]" 175 176# Show log message 177if [[ "$VERBOSE" == "TRUE" ]]; then 178 echo "[+] Wrote output to $LOG" >&2 179fi 180 181