- Version 1.4 -------------------------------------------------------------

<> Options have been changed around a bit.  New option snapshot looks like:

 -- whisker / v1.4.0 / rain forest puppy / www.wiretrip.net --

        -n+ *nmap output (machine format, v2.06+)
        -h+ *scan single host (IP or domain)
        -H+ *host list to scan (file)
        -F+ *(for unix multi-threaded front end use only)
        -s+  specifies the script database file (defaults to scan.db)
        -V   use virtual hosts when possible
        -p+  specify a different default port to use
        -S+  force server version (e.g. -S "Apache/1.3.6")
        -u+  user input; pass XXUser to script
        -i   more info (exploit information and such)
        -v   verbose.  Print more information
        -d   debug. Print extra crud++ (to STDERR)
        -W   HTML/web output
        -l+  log to file instead of stdout
        -a+  authorization username[:password]
        -P+  password file for -L and -U

        -I 1 IDS-evasive mode 1 (URL encoding)
        -I 2 IDS-evasive mode 2 (/./ directory insertion)
        -I 3 IDS-evasive mode 3 (premature URL ending)
        -I 4 IDS-evasive mode 4 (long URL)
        -I 5 IDS-evasive mode 5 (fake parameter)
        -I 6 IDS-evasive mode 6 (TAB separation) (not NT/IIS)
        -I 7 IDS-evasive mode 7 (case sensitivity)
        -I 8 IDS-evasive mode 8 (Windows delimiter)
        -I 9 IDS-evasive mode 9 (session splicing) (slow)
        -I 0 IDS-evasive mode 0 (NULL method)

        -M 1 use HEAD method (default)
        -M 2 use GET method
        -M 3 use GET method w/ byte-range
        -M 4 use GET method w/ socket close
        
        -A 1 alternate db format: Voideye exp.dat
        -A 2 alternate db format: cgichk*.r (in rebol)
        -A 3 alternate db format: cgichk.c/messala.c (not cgiexp.c)

-- Utility options (changes whisker behavior):

        -U   brute force user names via directories
        -L+  brute force login name/password
             (parameter is URL; use with -a for username)

        + requires parameter;  * one must exist;
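Seen from the other side of the wire, the -I modes above mostly work because a signature engine compares the raw request path against a literal string.  The following is an added example (not whisker code, and not from rfp's site) of the canonicalisation step an IDS or log-matching rule set should apply before matching: it undoes URL encoding (mode 1), /./ insertion (mode 2), fake parameters (mode 5), case differences (mode 7) and the Windows "\" delimiter (mode 8).  Modes 3, 4, 6, 9 and 0 alter how the request is framed rather than the path itself, so they have to be handled when the request is reassembled and parsed, not here.  The signature list and the case-folding choice are assumptions for illustration.

```python
"""Canonicalise request paths before signature matching.

Added example, not part of whisker or its documentation. The normaliser
undoes the path-level rewrites that whisker's -I modes 1, 2, 5, 7 and 8
apply, so a literal signature still matches the request the server will
actually serve.
"""
from urllib.parse import unquote

# Constructed sample signatures for illustration only (assumption).
SIGNATURES = ("/cgi-bin/phf", "/cgi-bin/test-cgi", "/_vti_bin/shtml.dll")


def normalize_path(raw_uri: str) -> str:
    """Return a canonical path for the request-URI in a request line."""
    # Mode 5: drop the query string (fake parameters) first.
    path = raw_uri.split("?", 1)[0]
    # Mode 1: percent-decode until stable, so double encoding is undone too.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Mode 8: treat backslash as a path separator, as IIS does.
    path = path.replace("\\", "/")
    # Mode 2: collapse "/./" and empty segments; resolve ".." while at it.
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    path = "/" + "/".join(segments)
    # Mode 7: case-fold. Correct for NT/IIS; a Unix-only deployment with a
    # case-sensitive file system would skip this step (assumption).
    return path.lower()


def matches_signature(raw_uri: str):
    """Return the first signature the normalised path starts with, or None."""
    norm = normalize_path(raw_uri)
    for sig in SIGNATURES:
        if norm.startswith(sig):
            return sig
    return None
```

Decoding up to three times is deliberate: the web server decodes once, so a normaliser that decodes more than once may flag a request the server would not have served that way, which is the safe direction for a detector to err in.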


<> Added user brute forcing by checking for the existence of /~user/.  This
	typically results in one of the following:

	404 - user not valid
	404 - user dir mode +x to webserver, but no public html dir
	403 - user dir not mode +x to webserver
	200 - user dir mode +x, has public html dir

	So we can compile valid user lists by watching for 403's and 200's.
	As a bonus, we could rescan 200's for their own cgi-bin et al.

	You can have whisker go straight to check user dirs by using the -U
	option.  Whisker will try to look in ./lists/userlist.txt for a default
	user list; however, this can be overridden with -P.  It is also 
	available for use inside scripts by using the 'bruteuserdir' command.

	For example, to check for valid users on www.technotronic.com
	using a user list found in /tmp/users, you would run:

	whisker.pl -h www.technotronic.com -U -P /tmp/users
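From the server's access log, a -U run looks like one client requesting many distinct /~name/ paths in a short burst, most of them answered 404 or 403.  The following is an added example (not whisker code) of a detector that flags such clients and lists the names that answered 200 or 403, since by the table above those are exactly the accounts the sweep confirmed.  The log lines are constructed in common log format, and the threshold is an assumption for illustration.

```python
"""Spot /~user/ enumeration sweeps in Apache-style access logs.

Added example, not part of whisker. Constructed sample log lines below
stand in for a real access log.
"""
import re
from collections import defaultdict

# Constructed sample log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2000:10:00:01 -0400] "HEAD /~root/ HTTP/1.0" 404 0
10.0.0.5 - - [12/Aug/2000:10:00:01 -0400] "HEAD /~alice/ HTTP/1.0" 200 0
10.0.0.5 - - [12/Aug/2000:10:00:02 -0400] "HEAD /~bob/ HTTP/1.0" 403 0
10.0.0.5 - - [12/Aug/2000:10:00:02 -0400] "HEAD /~carol/ HTTP/1.0" 404 0
10.0.0.5 - - [12/Aug/2000:10:00:03 -0400] "HEAD /~dave/ HTTP/1.0" 404 0
10.0.0.5 - - [12/Aug/2000:10:00:03 -0400] "HEAD /~erin/ HTTP/1.0" 404 0
192.168.1.9 - - [12/Aug/2000:10:05:00 -0400] "GET /~alice/index.html HTTP/1.0" 200 1832
192.168.1.9 - - [12/Aug/2000:10:05:04 -0400] "GET /index.html HTTP/1.0" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)
USERDIR_RE = re.compile(r"^/~([^/?]+)")

# Flag a client once it has probed this many distinct ~user paths (assumption).
THRESHOLD = 5


def parse_line(line: str):
    """Return (client_ip, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def find_userdir_sweeps(log_text: str, threshold: int = THRESHOLD) -> dict:
    """Return {client_ip: {"probed": n, "confirmed": [users]}} for sweeps."""
    per_ip = defaultdict(dict)  # ip -> {user: first status seen}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        um = USERDIR_RE.match(path)
        if um:
            per_ip[ip].setdefault(um.group(1), status)
    report = {}
    for ip, users in per_ip.items():
        if len(users) >= threshold:
            # 403 and 200 both mean the account exists (see the table above).
            confirmed = sorted(u for u, st in users.items() if st in (200, 403))
            report[ip] = {"probed": len(users), "confirmed": confirmed}
    return report
```

The "confirmed" list is the useful part for a defender: it is the user list the scanner walked away with, and therefore the set of accounts whose home directories are worth reviewing for a public_html the owner did not intend to expose.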

<> Included the 'listgen.pl' utility.  This utility is for demonstration and
	WILL NOT BE SUPPORTED OR FURTHER DEVELOPED.  The utility allows you
	to generate usernames by making various combinations/generations
	with the included word list files (found in ./lists).  If someone wants
	to take over development of this, be my guest.  To be useful, the user
	should be able to submit 'rules' on how to combine the words, a la
	John the Ripper rules or some-such.  John::Ripper is in the works,
	and practically finished (after the next bout of laziness passes,
	I will finish it :).  Check out the commandline options for listgen.pl
	to see what it can do.

<> Proxy support has been removed until version v2.0.  The previous proxy
	commandline options have been re-used into other v1.4 features.

<> Added 'Basic' user authentication cracking/support.  First off, whisker can
	now send *BASIC* authentication information during normal scanning by 
	using the -a option, in the format of 'user:password'.  Whisker will 
	then proceed to send this auth combo with every request (useful
	when you already know a valid auth).

	Of course, if you don't know a valid auth, whisker can help there too.
	Use the -L option, specifying a URL *THAT REQUIRES AUTHENTICATION*,
	along with the -a option to specify a username, and whisker will
	start brute-forcing the correct password combo.  The -P option can
	be used to specify a password list (defaults to ./lists/pass.txt).

	For example, to brute force the 'admin' user on www.badkittycam.com, 
	knowing that /members/ requires authorization, you would run:

	whisker.pl -h www.badkittycam.com -L /members/ -a admin

	Digest and NTLM authentication will be added in v2.0.
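The -L option works because a server that answers every wrong password with a plain 401 lets a client try the whole of pass.txt at network speed.  The following is an added example (not whisker code) of the server-side counterpart: it decodes the Basic Authorization header, compares the password against a salted PBKDF2 hash in constant time, and stops answering for an account after a burst of failures.  The account store, the failure threshold, the lockout window and the injectable clock are assumptions for illustration.

```python
"""Verify HTTP Basic credentials with a per-account failure lockout.

Added example, not part of whisker. Thresholds and the account store are
assumptions; the clock is injectable so the lockout window can be tested.
"""
import base64
import binascii
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5        # failures within the window before lockout (assumption)
LOCKOUT_SECONDS = 300   # length of the window and of the lockout (assumption)
ITERATIONS = 100_000


def make_record(password: str) -> dict:
    """Create a salted PBKDF2 record for a new account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends for user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: str):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


class BasicAuthGuard:
    def __init__(self, accounts: dict, clock=time.monotonic):
        self.accounts = accounts           # user -> record from make_record()
        self.clock = clock
        self.failures = defaultdict(list)  # user -> timestamps of failures

    def _locked(self, user: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures[user] if now - t < LOCKOUT_SECONDS]
        self.failures[user] = recent
        return len(recent) >= MAX_FAILURES

    def check(self, header: str) -> str:
        """Return 'ok', 'bad', 'locked' or 'malformed'."""
        creds = parse_basic(header)
        if creds is None:
            return "malformed"
        user, password = creds
        if self._locked(user):
            return "locked"
        rec = self.accounts.get(user)
        # Hash and compare even for unknown users, so response time does not
        # reveal which user names exist.
        salt = rec["salt"] if rec else b"\x00" * 16
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        expected = rec["hash"] if rec else b"\x00" * len(digest)
        if hmac.compare_digest(digest, expected) and rec is not None:
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(self.clock())
        return "bad"
```

Locking by account rather than by client address is what defeats the attack described above regardless of how the attempts are spread out; the trade-off is that an attacker can lock a legitimate user out, which is why the window here expires on its own instead of requiring an administrator to reset it.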

<> Adaptive use of perl modules.  I coded whisker in such a way that allows it
	to use particular perl modules, if available, to gain speed increases.
	In particular, the MIME::Base64 module compiled with C, as well
	as the LWP::Parallel module will *greatly* increase user authentication
	brute-forcing.  However, if your system doesn't have these modules,
	whisker can still make do without.  I prefer this option, because
	while LWP::Parallel is cool, it requires a headache of other modules
	to be installed (libwww-perl, which requires URL, HTML::Parser, etc).
	All these modules are available on CPAN (http://www.cpan.org/), or 
	in RPM format from RedHat (ftp://ftp.redhat.com/).  I will also mirror
	tarball copies on my site, for ease of download and use with whisker.

	This way whisker is still usable, and still has no dependencies on
	'this or that' perl module (other than the standard GetOpts and Socket).

<> Fixed a situation that caused whisker to output weirdness when the server 
	up and dropped the connection (requesting .htr on IIS 4.0 is a perfect
	example).  This is not whisker's fault, but the fault of flaky
	servers.  My bad for thinking people actually read and followed RFCs.

<> All HTTP return values can be program-wide (re)defined, now located in the
	XXC200, XXC404, XXC403, etc.  Let's say a particular CGI handler
	spits back a weird HTTP return code (202).  You can now define
	XXC200=202, and then whisker will treat every 202 as a logical
	200 (it will report that it exists).  You can even use this to look
	for particular return codes (set XXC200=500 will alert you to all
	CGI scripts that cause a Server Error).

<> You can now specify the default port to scan on the commandline via the 
	-p option.

<> Fixed nmap machine output parsing routine to allow for newer nmaps that
	have comments (old whisker chokes on lines starting with '#').

<> Thanks to the Perl Pocket Reference by O'Reilly (ROCK!), I have been
	clued into $^O, so now Windows users do not need to set funky
	environment variables to get whisker to work correctly.

<> Obfuscated more of the code, just because I could. ;)

<> Whisker now can be used as a CGI.  Just throw whisker into your cgi-bin
	directory (with appropriate file extension); a request to whisker
	without any parameters will display the default scan form.  The
	URL parameters are identical to the commandline options; however,
	options are limited to 'hVpSivM' due to security reasons.
	Whisker detects it's being used as a CGI by monitoring the 
	existence of the REQUEST_METHOD and GATEWAY_INTERFACE environment
	variables, and adapts accordingly.

<> Going with the above, whisker can output HTML (regardless of being used
	as a CGI or not).  Invoke this feature with the -W commandline
	switch.

<> Added the 'usemeth' command, which is preferable to the older useget/
	usepost/usehead commands.  Also note that usemeth is CASE SENSITIVE, so 
	you can now do fun stuff like exploit Netscape's "get" bug (versus the 
	standard "GET") easily within whisker.  Also added the
	'defaultmeth' command, which restores the method to the original.
	I found that 'restoremeth' tended to get clobbered, so this is a 
	failsafe.

<> Whisker now internally adjusts and corrects for the chaos that is
	otherwise known as ISAPI handlers.  The whole slew of
	idc/ida/idq/cfm/htw/htr/dll severely suck, so whisker will
	(attempt to, best it can) adjust for stupid reporting (like giving 
	a HTTP 200 response even though the file doesn't exist).  As an added 
	bonus, whisker will report on physical paths returned by ida, ida, idq, 
	and htw.

<> SSL support is officially to be had by using sslproxy by Christian
	Starkjohann <cs@obdev.at>, at http://www.obdev.at/Products/.  It
	runs on both Win and Unix, so life is good.  Copies are available
	from my site just in case you can't find them.  RTFM for usage.

<> More commands:

	clear 		- will clear an array or variable
		i.e.:
		clear @array
		clear $variable
		

	push 		- push value onto array
		i.e.:
		push @array value


	usemeth		- use the specified method
		i.e.:
		usemeth GET
		usemeth SOMEweirdMETHOD


	defaultmeth	- restore to the default (-M) method, regardless.
		i.e.:
		usemeth SOMETHING
		# do something
		defaultmeth


	bruteuserdir	- whisker will run a user brute force, placing the
			  results in @Users
		i.e.:
		# look for /cgi-bin/'s in user dirs
		bruteuserdir
		scan () @Users >> /cgi-bin/



<> Adjusted many commands (such as set) to allow for the '$' variable
	prefix, to make life easier to live (or at least, scripts easier
	to code).

<> And of course, updated scan databases!

<> FYI, public apologies to the maintainers of samspade.org.  It seems so many
	people did/are abusing the samspade.org bounce scan contained in v1.3,
	that the site was/is experiencing critical server traffic.  To date,
	all proxy (and associated bounce scans) have been removed; inclusion
	in future versions is still being considered.  In the meantime, I would
	like to remind everyone to not abuse free resources.

- Credits -------------------------------------------------------------------

Many people have contributed feedback on whisker, which I do appreciate!  If
you don't see something you recommended, odds are it's being saved/worked on
for release in version 2.0, which will again (hopefully) raise the bar on what
we know as web scanners.  That said, I would like to make special thanks to 
the following people, who have gone out of their way in making major 
contributions:

.sozni			sozni@usa.net
Philip Stoev		philip@einet.bg
Jericho/Attrition	jericho@attrition.org

Double special thanks to .sozni, who has by far contributed and helped shape
whisker to date.  I'm also pleased to announce he'll be a primary
developer in whisker v2.0--that means there's no excuse for me not getting
it done. ;)

- Cruft ----------------------------------------------------------------------

Whisker is a (by)product of rain forest puppy's (rfp@wiretrip.net) 
imagination.  Whisker version 1.4 and prior are released under the GNU Public
License.  Obviously, there are no implied warranties--hell, I won't even
guarantee this stuff works. ;)  

Keep in mind that tools are not evil, but rather the people running them.
Whisker was designed and bred to fulfill a legitimate security assessment 
need; use for illegal purposes is not intended, nor implied with this tool.

Updates and such are at http://www.wiretrip.net/rfp/

Produced in August of the 2K.
