Nikto is a free (GPL) tool for scanning a web host for vulnerabilities. It checks for dangerous CGI files, outdated versions, HTTP server options, and installed web servers and their options. It also scans open ports, which can be exploited by hackers. It can save reports in plain text, XML, HTML, NBE or CSV.
Download: http://cirt.net/Nikto2
Requirements:
- Perl Environment (No knowledge necessary)
Installation: Download the compressed file and uncompress it. It should be ready to use, provided Perl is installed.
Usage Examples:
1. Scanning a host:
For a simple example, we scan www.example.com:
perl nikto.pl -h example.com
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 72.41.204.238
+ Target Hostname: example.com
+ Target Port: 80
+ Start Time: 2011-09-08 20:25:40
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PHP/5.2.17
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ robots.txt contains 1 entry which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS
+ /WEB-INF/web.xml: JRUN default file found.
+ /admin.cgi: InterScan VirusWall administration is accessible without authentication.
+ /interscan/: InterScan VirusWall administration is accessible without authentication.
+ /SUNWmc/htdocs/: Sun SMC (Solaris Management Console) is running.
+ OSVDB-35878: /modules.php?name=Members_List&letter='%20OR%20pass%20LIKE%20'a%25'/*: PHP-Nuke module allows user names and passwords to be viewed.
+ OSVDB-682: /webalizer/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /some.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /some.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /some.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /Administration/: This might be interesting...
+ OSVDB-3092: /administration/: This might be interesting...
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ /readme.html: This WordPress file reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /administration/: Admin login page/section found.
+ /wordpress/: A WordPress installation was found.
+ 6448 items checked: 49 error(s) and 21 item(s) reported on remote host
+ End Time: 2011-09-09 00:59:54 (16454 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
It took a whopping 16454 seconds to complete the scan.
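An added example (not part of the original post or of Nikto itself): a small Python parser for the plain-text scan output shown above, which pulls out the target, the summary line and the per-URI findings, then groups the findings by OSVDB reference for triage. The function names and regular expressions are assumptions derived only from the line shapes in this sample output.

```python
import re
from collections import defaultdict

# Sample input: a subset of the scan output above, embedded so this runs offline.
SAMPLE_REPORT = """\
+ Target IP: 72.41.204.238
+ Target Hostname: example.com
+ Target Port: 80
+ Server: Apache
+ Allowed HTTP Methods: GET, HEAD, OPTIONS
+ /admin.cgi: InterScan VirusWall administration is accessible without authentication.
+ OSVDB-682: /webalizer/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ 6448 items checked: 49 error(s) and 21 item(s) reported on remote host
"""

# Line shapes assumed from the sample: "+ [OSVDB-n: ]/uri: message".
TARGET = re.compile(r"^\+ Target (IP|Hostname|Port):\s+(.+)$")
SUMMARY = re.compile(r"^\+ (\d+) items checked: (\d+) error\(s\) and (\d+) item\(s\) reported")
FINDING = re.compile(r"^\+ (?:(OSVDB-\d+): )?(/\S*): (.+)$")

def parse_report(text):
    """Return target details, the summary counters and the URI-level findings."""
    report = {"target": {}, "findings": [], "summary": None}
    for line in text.splitlines():
        line = line.strip()
        if m := TARGET.match(line):
            report["target"][m.group(1).lower()] = m.group(2)
        elif m := SUMMARY.match(line):
            keys = ("checked", "errors", "reported")
            report["summary"] = dict(zip(keys, map(int, m.groups())))
        elif m := FINDING.match(line):
            ref, uri, message = m.groups()
            report["findings"].append({"ref": ref, "uri": uri, "message": message})
    return report

def group_by_reference(findings):
    """Map each OSVDB reference (or 'no-reference') to the URIs it was reported for."""
    groups = defaultdict(list)
    for finding in findings:
        groups[finding["ref"] or "no-reference"].append(finding["uri"])
    return dict(groups)

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for ref, uris in group_by_reference(parsed["findings"]).items():
        print(ref, uris)
```

A missing summary (`summary` is `None`) indicates the report was cut off before the scan finished, which matters for scans that run for hours like the one above.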
2. If we want to test an open port, we can pass port number(s) as:
perl nikto.pl -h example.com -p 80,443
Port 80 is the default.
3. We can also set a proxy:
To use the system-wide proxy, use the -useproxy option:
perl nikto.pl -h example.com -p 80,443 -useproxy
To specify a proxy manually, we can pass it as:
perl nikto.pl -h example.com -p 80,443 -useproxy http://10.0.0.2:8888
4. To save the result as a specific format, use the -Format option.
perl nikto.pl -h example.com -Format htm
The supported -Format arguments are csv, htm, msf, txt and xml
5. Nikto supports plugins for scanning a target. Plugins allow other bits of code to hook into Nikto’s processing. We can specify which plugins to run against the host. For example:
perl nikto.pl -h example.com -Plugins "embedded;content_search;headers"
Plugins are separated by semicolons; quote the list so that the shell does not treat the semicolons as command separators. @@ALL can be specified to run all the plugins, @@NONE runs no plugins, @@DEFAULT runs the default plugins and @@MUTATE runs the mutate plugins, which are meant to guess values like password files, directory names and sub-domains against a host.
@@DEFAULT runs the following plugins:
httpoptions;headers;mutiple_index;outdated;put_del_test;auth;report_xml;report_nbe;apacheusers;report_metasploit;cookies;embedded;apache_expect_xss;ssl;favicon;cgi;content_search;report_csv;msgs;report_html;tests(report:500);report_text;robots
To get a complete list of plugins, use:
perl nikto.pl -list-plugins
We can also pass parameters to plugins in the following format:
plugin-name[(parameter name[:parameter value ][,other parameters] )]
For example: tests(report:500)
6. Tuning the tests: The -Tuning option can be used to specify the type of tests we want to perform on the host. For example, to test file uploads, use:
perl nikto.pl -h example.com -Tuning 06
To exclude a particular test, use x:
perl nikto.pl -h example.com -Tuning x06
By default, all the tests are performed. The list of available tests can be found in the official docs at http://cirt.net/nikto2-docs/options.html
7. Specifying a configuration file: We can tell Nikto to use a config file using the -config option. A default config file (nikto.conf) is available in the downloaded tar of Nikto.
perl nikto.pl -h example.com -config nikto.conf
8. Controlling the display: Using the -Display parameter, we can control the type of information we want to see from Nikto. For example:
perl nikto.pl -h example.com -Display V
prints complete verbose information:
perl nikto.pl -h example.com -Display V
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.4
---------------------------------------------------------------------------
V:Thu Sep 8 06:01:40 2011 - Initialising plugin nikto_apacheusers
V:Thu Sep 8 06:01:40 2011 - Loaded "Apache Users" plugin.
V:Thu Sep 8 06:01:40 2011 - Initialising plugin nikto_embedded
V:Thu Sep 8 06:01:40 2011 - Loaded "Embedded Detection" plugin.
V:Thu Sep 8 06:01:40 2011 - Initialising plugin nikto_content_search
V:Thu Sep 8 06:01:40 2011 - Loaded "Content Search" plugin.
V:Thu Sep 8 06:01:40 2011 - Initialising plugin nikto_report_html
V:Thu Sep 8 06:01:40 2011 - Loaded "Report as HTML" plugin.
V:Thu Sep 8 06:01:40 2011 - Initialising plugin nikto_put_del_test
V:Thu Sep 8 06:01:40 2011 - Loaded "Put/Delete test" plugin.
V:Thu Sep 8 06:01:40 2011 - Initialising plugin nikto_report_msf
V:Thu Sep 8 06:01:41 2011 - Loaded "Report data to Metasploit" plugin.
V:Thu Sep 8 06:01:41 2011 - Initialising plugin nikto_core
...
...
9. The -output option is used to specify the output file. The format is taken from the file extension, unless overridden by the -Format option.
10. Single request mode: Instead of allowing Nikto to perform multiple TCP requests, we can specify a single request mode. In this case, Nikto prompts for the required options.
perl nikto.pl -Single
--------------------------------------------
Nikto 2.1.4
--------------------------------------------
Single Request Mode
Hostname or IP: example.com
Port (80):
URI (/):
SSL (0):
Proxy host:
Proxy port:
Show HTML Response (1):
HTTP Version (1.1):
HTTP Method (GET):
User-Agent (Mozilla/4.75 (Nikto/2.1.4):
Connection (Keep-Alive):
Data:
force_bodysnatch (0):
force_close (1):
http_space1 ( ):
http_space2 ( ):
include_host_in_uri (0):
invalid_protocol_return_value (1):
max_size (0):
protocol (HTTP):
require_newline_after_headers (0):
retry (0):
ssl_save_info (0):
timeout (10):
uri_password ():
uri_postfix ():
uri_prefix ():
uri_user ():
Enable Encoding (0):
--------------------------------------------
Done with questions
Host Name: example.com
Host IP: 72.41.204.238
HTTP Response Code:
--------------------------------------------
Connection Details
Connection: Keep-Alive
Host: example.com
User-Agent: Mozilla/4.75 (Nikto/2.1.4
data:
force_bodysnatch: 0
force_close: 1
force_open: 0
host: example.com
http_space1:
http_space2:
ignore_duplicate_headers: 1
include_host_in_uri: 0
invalid_protocol_return_value: 1
max_size: 0
method: GET
port: 80
protocol: HTTP
require_newline_after_headers: 0
retry: 0
ssl: 0
ssl_save_info: 0
timeout: 10
trailing_slurp: 0
uri: /
uri_param_sep: ?
uri_postfix:
uri_prefix:
version: 1.1
--------------------------------------------
Response Headers
error: error reading HTTP response
http_data_sent: 1
uri: /
--------------------------------------------
Response Content