
WHISKERS: Search for a source....

Discussion in 'PC General' started by vettacossx-alpha, May 24, 2011.

Thread Status:
This thread is more than 180 days old.
  1. vettacossx-alpha

    vettacossx-alpha Midnight Mage Member

    Why Post Whiskers? First of all it's a bitch to source on your own. Plus... Well, let's just say SONY will remember this code pretty well and it's worth having around... Being I have good source info saying a tool called whisker was used to scan the network for the vulns ;) LOL


    One of the first robust, automated Web checking tools available, Whisker has garnered somewhat of a cult following over the years—and rightly so. This tool contains a sizable list of Web vulnerabilities that have been discovered to date. Collected by RFP from a variety of sources, including Nomad Mobile Research Center (NMRC), World Wide Web Consortium (W3C), Fyodor's,, Bugtraq, cgichk.c, Network Associates' CyberCop, Packetstorm, ucgi.c, and various other sources, the tool is a robust Web vulnerability checker that you should know

    Whisker runs on both Windows and UNIX platforms, making it highly usable by Windows and UNIX diehards alike (thus its popularity). Whisker works by attempting to connect to the target Web server with every entry in its scan.db file, which defines the checks to perform. If the connection is successful and the output from the server is in the expected format, Whisker will claim that it is vulnerable. Although the engine isn't the most intelligent and can produce false positives on occasion, it's one of the most robust Web checkers available.

    Here, Whisker connected to the Web server on port 80 of 192.168.0.5 and identified it as an Apache/1.3.12 for Windows (Win32). It identified four programs running on the Web server: ApacheJServ/1.1, mod_ssl/2.6.4, OpenSSL/0.9.5a, and mod_perl/1.22.

    by rain forest puppy, rfp (at) wiretrip (dot) net
    Platforms: Perl (any system supporting perl)
    Categories: Auditing, Network, Web
    Version: 1.4
    Whisker is an advanced CGI vulnerability scanner. It is scriptable and has many good features, such as querying for system type and basing scans on the information gathered (i.e., determining between IIS and Apache webservers).

    - "Multi-threaded" front end (Unix only).
    - More updates to server.db and scan.db.
    - Changed the 'set' command to take .= (append) as well.
    - Added multi-file scans
    - Changed options around.
    - whisker will internally 'read' the output from a .cfm script and determine if it really exists, eliminating *all* false reports.
    - Added support for variables and tab's, cr's, and lf's in strings.
    - You can now use a variable for 'server' and 'scan' matching
    - Scan database files don't have to be in the current directory
    - Whisker defaults to scan.db, so it's not required to specify -s <file>
    - Whisker will automatically rescan servers with dumb.db if they need it
    - NMAP information is now available inside the scripts
    - Redid the bounce options
    - Support for distributed proxies
    - Ability to use other CGI scanners' databases
    - Better timeout control (Unix only).
    - Implemented ability to use 'GET' method, but still close the connection after all the headers have arrived.
    - EXPERIMENTAL SSL support.
    - SamSpade bounce by Styx was added
    - Other little tweaks to variable handling and new variables added
    - Netcraft changed their output, so I had to change to match it.


    whisker-1.4.0.tar.gz (166.4 KB)
    MD5 | 82bfffab803d74c8d6e064e3c4533a34
    Direct Download
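
A defender-side view of the scan.db sweep described in the post, added here as an example (not part of the original post and not Whisker's code): a client that requests one path per database entry shows up in the access log as many distinct paths in a short window, most of them answered with 403/404. The log lines, thresholds and function names below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample access log (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    f'192.0.2.10 - - [24/May/2011:10:00:0{i} +0000] "GET /cgi-bin/sample-{i}.cgi HTTP/1.0" {s} 209'
    for i, s in enumerate([404, 404, 404, 200, 404, 404])
] + [
    '198.51.100.7 - - [24/May/2011:10:00:02 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/May/2011:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 830',
    '198.51.100.7 - - [24/May/2011:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
]

def parse(line):
    """Return (ip, timestamp, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_scanners(lines, window=timedelta(seconds=60), min_paths=5, min_miss_ratio=0.8):
    """Return {ip: (distinct_paths, miss_ratio)} for sweep-like bursts."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            paths = {p for _, p, _ in burst}
            ratio = sum(1 for _, _, s in burst if s in (403, 404)) / len(burst)
            # Keep the burst with the most distinct paths for each client.
            if len(paths) >= min_paths and ratio >= min_miss_ratio:
                if len(paths) > flagged.get(ip, (0, 0.0))[0]:
                    flagged[ip] = (len(paths), round(ratio, 2))
    return flagged
```

A server that answers every path with 200 hides the miss ratio, so on such hosts the distinct-path count per window is the more reliable signal.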
