W9scan is an excellent Plug-in type web vulnerability scanner that scan the code with the 1200+ built-in plugins and performs one-time detection on the website. It performs Web fingerprint reconnaissance,Port detection,website structure analysis, vulnerability scanning(detects SQL injection & XSS), directory carwling etc., At the end of the execution W9scan will generate an detailed HTML report of the target.
Demo
Installation Manual
Step 1: Download or Clone the W9scan tool in to your machine.
root:~#git clone https://github.com/w-digital-scanner/w9scan.git
Step 2: Navigate the W9san directory
root:~#cd W9scan
Step 3: Change the Installation file into the executable format
root:~/W9scan#chmod +777 w9scan.py
Step 4: Run the W9scan tool by using the following command in your terminal
root:~/W9scan#python w9scan.py -u
User Manual
-
python w9scan.py --update Update procedure
-
python w9scan.py --guide Start w9scan in wizard mode
-
python w9scan.py -u "https://x.hacking8.com" Quickly scan a website
-
python w9scan.py -u "https://blog.hacking8.com/" -p emlog Specify the plugin to scan the website
-
python w9scan.py -u "@1.txt" -p emlog Specify plugins to scan websites in batches
-
python w9scan.py -s emlog Search for the presence of a plugin
-
--banner Output banner
-
--debug Output debugging information
Fingerprint detection
-
Finds the website CMS (300+)
-
Finds the Ports and its Service information
-
Finds the website scripting Language
-
Finds the type of Operating System running
-
Fingerprints the Web Application Firewall if exits
Attack parameters
-
SQL injection (based on crawler)
-
XSS injection (based on crawler)
-
Mass Fuzz parameter scanning
-
CVE vulnerability
-
1200+Designated plug-in directed verification attack,
-
struts Vulnerability collection (including automatic detection)
-
Shellshock cgi test
-
heartbeat Bleeding vulnerability scan
-
IIS parsing vulnerability
-
IIS Put vulnerability
Brute force
-
Performs Crawling based bruteforce attacks to find the Backup files and directories
-
Common Directory enumeration
-
Common documents enumeration
-
Subdomain brute force analysis
-
fckeditorPath enumeration
-
Common mdbdatabase enumeration
-
git svn Leak identification
-
TOMCAT web.xml Give way
Information Gathering
- Performs crawling and checks for any Emails information
- Private IP Disclosure Detection
- E-mail (based on reptiles)
- Detect Warnings, Fatal Error,..
- Grabs the Banner Information (server & Framework)
- PHP version recognition
- IP address attribution
- Integrated Wappalyzerrecognition script for finding site information
- robots.txt Parsing
- Detect Insecure HTTP Security headers
- Detect Insecure Cookie Attributes