wig

Overview

wig is a Web Information Gatherer designed to identify web application technologies and fingerprint CMSs (WordPress, Joomla, Drupal, etc.), web frameworks, programming languages, JavaScript libraries, and server software. It’s particularly useful for reconnaissance and vulnerability assessment during authorized penetration tests.

The tool combines multiple detection techniques including:

HTTP header analysis
HTML source code inspection
File and directory detection
Cookie analysis
JavaScript library detection

Installation

From Source (GitHub)

git clone https://github.com/jekyller/wig.git
cd wig
pip install -r requirements.txt
python wig.py --help

Using pip

pip install wig
wig --help

Docker

docker pull jekyller/wig
docker run -it jekyller/wig -h <target>

Kali Linux

apt update && apt install wig -y

Basic Usage

Command	Description
`wig -h <target>`	Scan a single target (domain or IP)
`wig -h <target> -v`	Verbose output (more detailed detection)
`wig -h <target> -r`	Return all detected plugins/themes/versions
`wig -h <target> -f <file>`	Scan targets from file (one per line)
`wig -h <target> -o <file>`	Output results to JSON file
`wig -h <target> -x <proxy>`	Use HTTP proxy for scanning
`wig -h <target> --ssl`	Force HTTPS connection

Common Examples

Basic Fingerprinting

wig -h example.com

Identifies the CMS, version, plugins, and themes running on the target. Output shows detected technologies with confidence levels.

Verbose Scanning with File Output

wig -h example.com -v -o results.json

Performs detailed scanning and saves JSON-formatted results including all detected components, versions, and confidence scores.

Batch Scanning Multiple Targets

cat targets.txt
# example1.com
# example2.com
# 192.168.1.100

wig -f targets.txt -o batch_results.json

Scans multiple targets from a file and consolidates results into a single JSON output.

Scanning Behind a Proxy

wig -h example.com -x http://127.0.0.1:8080 -v

Routes traffic through a proxy (useful for intercepting with Burp Suite for further analysis).

Force HTTPS Scanning

wig -h secure.example.com --ssl -v

Ensures HTTPS is used for the connection, bypassing HTTP redirects.

Advanced Usage

Output Options

# JSON output for parsing with jq
wig -h example.com -o data.json
cat data.json | jq '.cms[]'

# Combine with grep for quick filtering
wig -h example.com -v | grep -i "wordpress"

# Save full verbose output to file
wig -h example.com -v 2>&1 | tee scan.txt

Proxy Integration

# Scan through Burp Suite for further testing
wig -h example.com -x http://127.0.0.1:8080

# Use SOCKS5 proxy (requires additional setup)
wig -h example.com -x socks5://127.0.0.1:9050

Rate Limiting and Timing

# Standard scan (default timeout)
wig -h example.com

# The tool automatically handles rate limiting
# Useful for larger scans to avoid detection

Detection Methods

HTTP Headers

wig analyzes response headers for server information, X-Powered-By, X-AspNet-Version, and other telltale indicators:

# View headers manually
curl -I https://example.com

# wig processes these automatically
wig -h example.com

HTML Source Analysis

The tool scans HTML for:

Meta tags and generators
CSS/JS file paths and versions
Comments containing version info
Framework-specific code patterns

File and Directory Detection

# wig checks for known CMS files/directories
# wp-admin/ (WordPress)
# joomla.php (Joomla)
# drupal (Drupal)
# README files with version info

Examines cookies for CMS-specific values like:

PHPSESSID variations
WordPress-specific cookies
Joomla tokens

Interpreting Results

Understanding the Output

[+] CMS: WordPress (3 plugins detected)
[+] Version: 5.9.2 (confidence: 95%)
[+] Plugins: 
    - WooCommerce (v6.1.0)
    - Yoast SEO (v18.0)
    - Contact Form 7

Confidence Levels:

High (90%+): Version determined by file hashes or exact version strings
Medium (60-89%): Based on multiple indicators
Low (<60%): Single indicator or generic detection

JSON Output Structure

{
  "target": "example.com",
  "scan_date": "2024-01-15T10:30:00",
  "cms": {
    "name": "WordPress",
    "version": "5.9.2",
    "confidence": "95%"
  },
  "plugins": [...],
  "themes": [...],
  "headers": {...}
}

Advanced Techniques

Custom User Agent

# wig uses rotating user agents by default
# Modify requests manually if needed via proxy
wig -h example.com -x http://127.0.0.1:8080
# Then modify User-Agent in Burp

Chaining with Other Tools

# Find WordPress sites, then scan with wig
wig -h example.com -v | grep -i wordpress

# Export results for further analysis
wig -h example.com -o scan.json
python3 -c "import json; data=json.load(open('scan.json')); print(data['cms'])"

# Use results with WPScan for WordPress-specific scanning
wig -h example.com | grep WordPress && wpscan --url example.com

Database Updates

Updating Fingerprints

# wig maintains a database of known signatures
# Update the tool regularly for latest signatures
git clone https://github.com/jekyller/wig.git
cd wig && git pull

# Or reinstall via pip
pip install --upgrade wig

Custom Signatures

wig loads signature files from its database. The default signatures include:

CMS fingerprints (WordPress, Joomla, Drupal, Magento, etc.)
Web frameworks (Django, Rails, ASP.NET, etc.)
JavaScript libraries (jQuery, Bootstrap, Angular, etc.)
Server software (Apache, Nginx, IIS, etc.)

Performance and Optimization

Fast Scanning

# Basic scan (quick, minimal verbosity)
wig -h example.com

# Verbose scan (more thorough, slower)
wig -h example.com -v

# Return all data
wig -h example.com -r

Batch Operations with Control

#!/bin/bash
# Scan multiple targets with delay
for target in $(cat targets.txt); do
  echo "Scanning $target..."
  wig -h $target -o ${target}_results.json
  sleep 2  # Delay between scans
done

Limitations and Considerations

What wig Cannot Do

Exploit vulnerabilities (it’s a passive reconnaissance tool)
Bypass authentication
Test authenticated areas
Detect custom CMS installations
Identify all plugins (especially lesser-known ones)

Avoiding Detection

# wig attempts to be relatively stealthy
# Use proxy/Tor for additional anonymity
wig -h example.com -x socks5://127.0.0.1:9050

# Slower scanning with delays
for target in targets.txt; do
  wig -h $target
  sleep 5
done

Troubleshooting

Connection Issues

# Test connectivity first
curl -v https://example.com

# If behind firewall, use proxy
wig -h example.com -x http://proxy.company.com:8080

No Results Detected

# Enable verbose mode for diagnostics
wig -h example.com -v

# Check for redirects
curl -L -I https://example.com

# Verify target is reachable
ping example.com

Timeout Issues

# If slow connection causes issues, wig has built-in timeouts
# Try from different network or use proxy with better latency
wig -h example.com

Best Practices

Authorization: Obtain written permission before scanning any target
Documentation: Record all detected technologies for the vulnerability assessment report
Verification: Manually verify critical findings before acting on them
Updates: Keep wig and its signature database current
Chaining: Use results with specialized tools (WPScan for WordPress, DrupalScan for Drupal)
Proxying: Route through Burp Suite or similar for deeper analysis
Rate Limiting: Scan responsibly to avoid triggering WAF/IDS alerts

Integration with Other Tools

WordPress-Specific Analysis

# Identify WordPress installation
wig -h example.com | grep -i wordpress

# Use WPScan for deeper enumeration
wpscan --url example.com -e vp

Web Server Fingerprinting

# wig detects web servers automatically
# Chain with Shodan or Censys for mass scanning
wig -h example.com

Nmap Integration

# Identify web servers with Nmap
nmap -p 80,443 --script http-title example.com

# Follow up with wig for application fingerprinting
wig -h example.com

Conclusion

wig is a powerful tool for passive web application reconnaissance during authorized security assessments. Its ability to identify CMS installations, versions, and plugins makes it invaluable for targeting vulnerability research and attack planning in controlled, authorized scenarios.

wig