Nikto web vulnerability scanner.
I believe Sharing knowledge mean increasing knowledge .
root@bt:/pentest/web/nikto# ./nikto.pl -Help
-ask+ Whether to ask about submitting updates
yes Ask about each (default)
no Don’t ask, don’t send
auto Don’t ask, just send
-Cgidirs+ Scan these CGI dirs: “none”, “all”, or values like “/cgi/ /cgi-a/”
-config+ Use this config file
-Display+ Turn on/off display outputs:
1 Show redirects
2 Show cookies received
3 Show all 200/OK responses
4 Show URLs which require authentication
D Debug output
E Display all HTTP errors
P Print progress to STDOUT
S Scrub output of IPs and hostnames
V Verbose output
-dbcheck Check database and other key files for syntax errors
-evasion+ Encoding technique:
1 Random URI encoding (non-UTF8)
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Change the case of the URL
8 Use Windows directory separator ()
A Use a carriage return (0x0d) as a request spacer
B Use binary value 0x0b as a request spacer
-Format+ Save file (-o) format:
htm HTML Format
msf+ Log to Metasploit
nbe Nessus NBE format
txt Plain text
xml XML Format
(if not specified the format will be taken from the file extension passed to -output)
-Help Extended help information
-host+ Target host
-IgnoreCode Ignore Codes–treat as negative responses
-id+ Host authentication to use, format is id:pass or id:pass:realm
-key+ Client certificate key file
-list-plugins List all available plugins, perform no testing
-maxtime+ Maximum testing time per host
-mutate+ Guess additional file names:
1 Test all files with all root directories
2 Guess for password file names
3 Enumerate user names via Apache (/~user type requests)
4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
5 Attempt to brute force sub-domain names, assume that the host name is the parent domain
6 Attempt to guess directory names from the supplied dictionary file
-mutate-options Provide information for mutates
-nocache Disables the response cache
-nointeractive Disables interactive features
-nolookup Disables DNS lookups
-nossl Disables the use of SSL
-no404 Disables nikto attempting to guess a 404 page
-output+ Write output to this file
-Pause+ Pause between tests (seconds, integer or float)
-Plugins+ List of plugins to run (default: ALL)
-port+ Port to use (default 80)
-RSAcert+ Client certificate file
-root+ Prepend root value to all requests, format is /directory
-Single Single request mode
-ssl Force ssl mode on port
-Tuning+ Scan tuning:
1 Interesting File / Seen in logs
2 Misconfiguration / Default File
3 Information Disclosure
4 Injection (XSS/Script/HTML)
5 Remote File Retrieval – Inside Web Root
6 Denial of Service
7 Remote File Retrieval – Server Wide
8 Command Execution / Remote Shell
9 SQL Injection
0 File Upload
a Authentication Bypass
b Software Identification
c Remote Source Inclusion
x Reverse Tuning Options (i.e., include all except specified)
-timeout+ Timeout for requests (default 10 seconds)
-Userdbs Load only user databases, not the standard databases
all Disable standard dbs and load only user dbs
tests Disable only db_tests and load udb_tests
-until Run until the specified time or duration
-update Update databases and plugins from CIRT.net
-useproxy Use the proxy defined in nikto.conf
-Version Print plugin and database versions
-vhost+ Virtual host (for Host header)
+ requires a value
If we give command ./nikto.pl -Help or perl nikto.pl -Help then we get details and all options.
Simply We are going to scan our own company’s website … because we are pentesting it. So easy:
root@bt:/pentest/web/nikto# ./nikto.pl -h target.com :
I have tested it on my localhost for pasting here, There are output/vulnerability we may get:
root@bt:/pentest/web/nikto# ./nikto.pl -h target.com
– Nikto v2.1.5
+ Target IP: ip address
+ Target Hostname: target.com
+ Target Port: 80
+ Start Time: 2012-01-21 13:48:22 (time formate)
+ Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/188.8.131.5235
+ Retrieved x-powered-by header: PHP/5.2.17
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.0-fips appears to be outdated (current is at least 1.0.0d). OpenSSL 0.9.8r is also current.
+ FrontPage/184.108.40.20635 appears to be outdated (current is at least 220.127.116.11) (may depend on server version)
+ FrontPage – http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
+ mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/18.104.22.16835 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm — a DoS was not attempted.
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root’s home directory.
+ /cgi-sys/formmail.pl: Many versions of FormMail have remote vulnerabilities, including file access, information disclosure and email abuse. FormMail access should be restricted as much as possible or a more secure solution found.
+ /cgi-sys/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /cgi-sys/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ Default account found for ‘Secured Frontpage on PennyStockAdvice.com’ at /_vti_bin/_vti_aut/author.exe?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=fals (ID ”, PW ‘_Cisco’). Cisco device.
+ OSVDB-3233: /mailman/listinfo: Mailman was found on the server.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /cgi-sys/FormMail-clone.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/mchat.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/scgiwrap: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /stats/: This might be interesting…
+ OSVDB-3092: /img-sys/: Default image directory should not allow directory listing.
+ OSVDB-3092: /java-sys/: Default Java directory should not allow directory listing.
+ OSVDB-3233: /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed.
+ OSVDB-3268: /_vti_bin/: Directory indexing found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: : Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ OSVDB-3092: /as/: This might be interesting… potential country code (American Samoa)
+ OSVDB-3092: /ms/: This might be interesting… potential country code (Montserrat)
+ 6474 items checked: 3 error(s) and 32 item(s) reported on remote host
+ End Time: 2012-01-21 13:58:55 (Time formate) (4233 seconds)
+ 1 host(s) tested
As you can see there are many thing Nikto found out. Nikto is very effective for finding default file,directory.
Note: you have to understand the output of tools otherwise you can do nothing.
we can use various options(see help)…. For example a command:
root@bt:/pentest/web/nikto#./nikto.pl -host target.com -root /admin -port 443 -evasion 1
How is this working ? Simple:
-host=-h(The target site)
-root=send all request to /admin directory
-port = The site is not running on default 80 , I know it is running on 443.
-evasion=IDs evasion. Evasion 1(Random URI encoding (non-UTF8))
I hope you got some idea about it… Just try to believe that Learning to use tools peoples does not need hacking training.
If your mind is skid then tools may not help you.. . Be aware about that before using tools .
For more information Visit http://cirt.net/nikto2