WHACK is a containerized web reconnaissance and vulnerability scanning toolkit. It orchestrates multiple well-known tools to perform discovery, fingerprinting, and vulnerability checks on web targets — all from a single command.
WHACK runs the following tools automatically:
- Nmap – Port and service detection
- WhatWeb – Web technology fingerprinting
- WafW00f – Web Application Firewall (WAF) detection
- Ffuf – Content and directory brute forcing
- Nikto – Web server vulnerability scanning
Results are cleaned, parsed, and saved into a CSV report, with a structured summary displayed in the terminal.
-h, --help       show this help message and exit
-u, --url URL    Target URL. Example: http://example.com
-p, --port PORT  Target port(s), comma-separated. Default: 80,443
-t, --tool TOOL  Tools to run, comma-separated. Options: all (default), nmap, whatweb, wafwoof, ffuf, nikto
This tool is intended for authorized testing and educational purposes only. Do not use it against systems you don't own or have explicit permission to test.
Make sure Docker is installed on your system.
docker pull anitamaq/whack:latest
You may need sudo, depending on your system setup.
Basic usage:
docker run -it --rm anitamaq/whack -u http://TARGET
With custom ports:
docker run -it --rm anitamaq/whack -u http://TARGET -p 8080,8443
To scan a service running on localhost, use --network host (e.g., docker run -it --rm --network host anitamaq/whack -u http://127.0.0.1:3000 -p 3000). On Windows/macOS, --network host is not supported. Instead, use your machine’s local IP address (e.g., 192.168.x.x) in the target URL.
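The loopback rule above as a small shell helper, added here as an example and not part of WHACK. The function names `is_loopback` and `whack_cmd` are hypothetical, and the OS string is assumed to come from `uname -s`.

```shell
#!/bin/sh
# Added example: hypothetical helper functions, not part of WHACK.

# is_loopback URL: succeeds when the URL host is localhost, 127.x.x.x or [::1]
is_loopback() {
  lb_host=${1#*://}            # drop the scheme
  lb_host=${lb_host%%/*}       # drop the path
  case "$lb_host" in
    "["*) lb_host=${lb_host%%"]"*}] ;;  # bracketed IPv6 literal: keep [addr]
    *)    lb_host=${lb_host%%:*} ;;     # otherwise drop :port
  esac
  case "$lb_host" in
    localhost|127.[0-9]*|"[::1]") return 0 ;;
    *) return 1 ;;
  esac
}

# whack_cmd OS URL [PORTS]: print the docker command line for this target.
# The line is printed for review before it is run; it is not executed here.
whack_cmd() {
  wc_os=$1 wc_url=$2 wc_ports=${3:-} wc_net=""
  case "$wc_url" in
    http://*|https://*) ;;
    *) echo "URL must start with http:// or https://" >&2; return 2 ;;
  esac
  # -p takes comma-separated port numbers; reject anything else
  case "$wc_ports" in
    *[!0-9,]*) echo "PORTS must be comma-separated numbers" >&2; return 2 ;;
  esac
  if is_loopback "$wc_url"; then
    # A loopback URL inside the container points at the container itself,
    # so the host's network namespace is needed to reach the host service.
    if [ "$wc_os" != "Linux" ]; then
      echo "--network host is not supported here: use the machine's local IP in the URL" >&2
      return 3
    fi
    wc_net="--network host "
  fi
  printf 'docker run -it --rm %sanitamaq/whack -u %s' "$wc_net" "$wc_url"
  if [ -n "$wc_ports" ]; then printf ' -p %s' "$wc_ports"; fi
  printf '\n'
}
```

Call it as `whack_cmd "$(uname -s)" http://127.0.0.1:3000 3000` and run the printed line once it looks right.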
If you want to run WHACK directly on your system (not in Docker):
- Clone the repository
git clone https://github.com/yourusername/whack.git
cd whack
- Install the required Python dependencies
pip install -r requirements.txt
- Run the script
sudo python3 main.py -u http://target.com
Pull Requests are welcome! If you have suggestions for improvements, bug fixes, or new features, feel free to fork the repo and open a PR.
For major changes or ideas, open an issue first to discuss what you’d like to do.