Nikto web vulnerability scanner.

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Most of time i use nikto for scanning Targets website. It is easy but really powerful . Sometime it is sucks too , because of false positive. Just i will show how to scan your own site . It scan cgi and default file and directory.

Warning:Don’t do anything illegal, I am just sharing that how i practices . If you are black hat hacker and going attack third party website , or doing anything illegal then i am not Responsible for that…

I believe Sharing knowledge mean increasing knowledge .  

Nikto is a perl script. So we need to install perl for playing this (Be aware windows users). If you don’t have this tool yet then go and download it:
http://cirt.net/nikto2 . It is default installed in Backtrack .

Simply ,

root@bt:cd /pentest/web/nikto

root@bt:/pentest/web/nikto# ./nikto.pl -Help

   Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don’t ask, don’t send
                               auto  Don’t ask, just send
       -Cgidirs+           Scan these CGI dirs: “none”, “all”, or values like “/cgi/ /cgi-a/”
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator ()
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
        -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               msf+  Log to Metasploit
                               nbe   Nessus NBE format
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host
       -IgnoreCode        Ignore Codes–treat as negative responses
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nocache           Disables the response cache
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -output+           Write output to this file
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Single            Single request mode
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval – Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval – Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -useproxy          Use the proxy defined in nikto.conf
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
                + requires a value

If we give command ./nikto.pl -Help or perl nikto.pl -Help then we get details and all options.

Simply We are going to scan our own company’s website … because we are pentesting it. So easy:

root@bt:/pentest/web/nikto# ./nikto.pl -h target.com :

I have tested it on my localhost for pasting here, There are output/vulnerability we may get:

root@bt:/pentest/web/nikto# ./nikto.pl -h target.com
– Nikto v2.1.5
—————————————————————————
+ Target IP:          ip address
+ Target Hostname:    target.com
+ Target Port:        80
+ Start Time:         2012-01-21 13:48:22 (time formate)
—————————————————————————
+ Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
+ Retrieved x-powered-by header: PHP/5.2.17
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.0-fips appears to be outdated (current is at least 1.0.0d). OpenSSL 0.9.8r is also current.
+ FrontPage/5.0.2.2635 appears to be outdated (current is at least 5.0.4.3) (may depend on server version)
+ FrontPage – http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
+ mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm — a DoS was not attempted.
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root’s home directory.
+ /cgi-sys/formmail.pl: Many versions of FormMail have remote vulnerabilities, including file access, information disclosure and email abuse. FormMail access should be restricted as much as possible or a more secure solution found.
+ /cgi-sys/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /cgi-sys/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ Default account found for ‘Secured Frontpage on PennyStockAdvice.com’ at /_vti_bin/_vti_aut/author.exe?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=fals (ID ”, PW ‘_Cisco’). Cisco device.
+ OSVDB-3233: /mailman/listinfo: Mailman was found on the server.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /cgi-sys/FormMail-clone.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/mchat.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/scgiwrap: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /stats/: This might be interesting…
+ OSVDB-3092: /img-sys/: Default image directory should not allow directory listing.
+ OSVDB-3092: /java-sys/: Default Java directory should not allow directory listing.
+ OSVDB-3233: /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed.
+ OSVDB-3268: /_vti_bin/: Directory indexing found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: : Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ OSVDB-3092: /as/: This might be interesting… potential country code (American Samoa)
+ OSVDB-3092: /ms/: This might be interesting… potential country code (Montserrat)
+ 6474 items checked: 3 error(s) and 32 item(s) reported on remote host
+ End Time:           2012-01-21 13:58:55 (Time formate) (4233 seconds)
—————————————————————————
+ 1 host(s) tested

  As you can see there are many thing Nikto found out. Nikto is very effective for finding default file,directory.

Note: you have to understand the output of tools otherwise you can do nothing.

we can use various options(see help)…. For example a command:

root@bt:/pentest/web/nikto#./nikto.pl -host target.com -root /admin -port 443 -evasion 1

How is this working ? Simple:
-host=-h(The target site)
-root=send all request to /admin directory
-port = The site is not running on default 80 , I know it is running on 443.
-evasion=IDs evasion.  Evasion 1(Random URI encoding (non-UTF8))

I hope you got some idea about it… Just try to believe that Learning to use tools peoples does not need hacking training.

If your mind is skid then tools may not help you.. . Be aware about that before using tools .

For more information Visit  http://cirt.net/nikto2

Good Luck!!!

Leave a Reply

Your email address will not be published. Required fields are marked *