Hello Guys
Web Server Vulnerability Scanning using Nikto
Lead :- Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server. Nikto is used to find vulnerabilities such as server and software misconfigurations, default files and programs, insecure files and programs, and outdated servers and programs. Nikto can run on any platform which has a Perl environment. It supports SSL, proxies, host authentication, attack encoding and more. It can be updated automatically from the command line.
What you will learn ....
- You will learn how to use the Nikto tool for scanning a web server.
- In this article we scan an Apache server on Ubuntu 11.04.
- Scan multiple ports on a server, or multiple servers via input file (including nmap output).
- Identify installed software via headers, favicons and files.
- Authorization guessing handles any directory, not just the root directory.
- Nikto is an open source web server vulnerability scanner that performs comprehensive tests for over 6,100 potentially dangerous files/CGIs, checks for outdated versions of over 950 servers, and for version-specific problems on over 260 servers. This article outlines a scenario where Nikto is used to test a company's web server for vulnerabilities.
- Nikto is written by Chris Sullo and David Lodge.
What you should know....
Any system which supports a basic Perl installation should allow Nikto to run. It has been extensively tested on:
- Windows (using ActiveState Perl and Strawberry Perl). Some POSIX features, such as interactive commands may not work under Windows.
- Mac OSX
- Various Linux and Unix installations (including RedHat, Solaris, Debian, Ubuntu, BackTrack, etc.)
For SSL support the Net::SSLeay Perl module must be installed. Windows support for SSL is dependent on the installation package, but is rumored to exist for ActiveState's Perl.
About the Author
I started my work as a Network Engineer at one company, where I handled all kinds of networking work for two years. Then I joined a US-based company as a Linux Admin. My duties at this company are handling server-level problems, VPN-based problems, Cisco IP phone maintenance, etc. During this period I was studying for a Master of Engineering in IT Systems and Network Security, with Ethical Hacking and Cyber Forensics as my major subjects.
Features :-
• SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)
• Full HTTP proxy support
• Checks for outdated server components
• Save reports in plain text, XML, HTML, NBE or CSV
• Template engine to easily customize reports
• Scan multiple ports on a server, or multiple servers via input file (including nmap output)
• LibWhisker's IDS encoding techniques
• Easily updated via command line
• Identifies installed software via headers, favicons and files
• Host authentication with Basic and NTLM
• Subdomain guessing
• Apache and cgiwrap username enumeration
• Mutation techniques to "fish" for content on web servers
• Scan tuning to include or exclude entire classes of vulnerability checks
• Guess credentials for authorization realms (including many default id/pw combos)
• Authorization guessing handles any directory, not just the root directory
• Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
• A "single" scan mode that allows you to craft an HTTP request by hand
• Reports "unusual" headers seen
Installation of Nikto
Download the tar file from the Nikto website (http://www.cirt.net), then extract it with the command tar xvfz nikto.tar.gz.
This extracts all the Nikto files, including its configuration file; change into the extracted folder.
The next step is scanning your web server. First, scan your own machine.
root@bt:~/nikto# ./nikto.pl -host localhost
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on localhost:80
---------------------------------------------------------------------------
+ 0 host(s) tested
I am using BackTrack. I scanned my machine, but I do not have any Apache server on it, so Nikto shows that no web server was found.
Now I scan my Windows machine, which contains a web server.
root@bt:~/nikto# ./nikto.pl -host 192.168.12.56
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.12.56
+ Target Hostname: Hacker-PC.wifi.cdacpnq.in
+ Target Port: 80
+ Start Time: 2012-12-08 18:46:11 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.2 (Win32) OpenSSL/1.0.1c PHP/5.4.4
+ Retrieved x-powered-by header: PHP/5.4.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: http://Hacker-PC.wifi.cdacpnq.in/xampp/
+ Server leaks inodes via ETags, header found with file /index.html, fields: 0xca 0x4bdcd7fdd5680
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-682: /webalizer/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY
strings.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3268: /login/: Directory indexing found.
+ OSVDB-3092: /login/: This might be interesting...
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3092: /restricted/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 6544 items checked: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2012-12-08 18:49:09 (GMT-5) (178 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
This is a scan of a Windows machine running Apache (the XAMPP bundle, as the root redirect to /xampp/ shows); you can see that phpMyAdmin is installed on it. Each reported line is either an informational header check (Server banner, missing X-Frame-Options, ETag inode leak, cookie without httponly) or an OSVDB-referenced test for a specific file, directory or HTTP method, which makes the report straightforward to turn into server fixes. Nikto can also scan particular ports, and more than one port in a single run.
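The findings in that report (TRACE enabled, /server-status reachable, directory indexing, inode-based ETags, no X-Frame-Options, full version banner) all come down to a handful of Apache directives. The script below is an added example, not part of the original post and not part of Nikto: it audits an httpd.conf text for those weak settings and shows a corrected configuration beside the weak one. Both configurations are constructed for the example, the hardened one uses Apache 2.4 syntax (Require, and Header from mod_headers), and the OSVDB numbers in the messages are the ones Nikto reported above.

```shell
#!/bin/sh
# Added example: audit an Apache httpd.conf for the settings behind the Nikto
# findings above. Not part of the original post or of Nikto. Both configs below
# are constructed; the hardened one uses Apache 2.4 syntax (Require, mod_headers).

WEAK_CONF='ServerTokens Full
ServerSignature On
TraceEnable On
FileETag INode MTime Size
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Location /server-status>
    SetHandler server-status
</Location>'

HARDENED_CONF='ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None
Header always set X-Frame-Options "SAMEORIGIN"
<Directory "/var/www/htdocs">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>'

# audit_httpd_conf CONFIG_TEXT: print one line per weak setting found.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_httpd_conf() {
    conf=$1
    n=0
    # TraceEnable defaults to On, so only an explicit Off counts (OSVDB-877).
    if ! printf '%s\n' "$conf" | grep -qi '^[[:space:]]*TraceEnable[[:space:]]*Off'; then
        echo 'TraceEnable is not Off: HTTP TRACE active, XST possible (OSVDB-877)'
        n=$((n + 1))
    fi
    # ServerTokens Prod hides the component versions Nikto read from the Server header.
    if ! printf '%s\n' "$conf" | grep -qi '^[[:space:]]*ServerTokens[[:space:]]*Prod'; then
        echo 'ServerTokens is not Prod: Server header leaks component versions'
        n=$((n + 1))
    fi
    # A plain or +Indexes (or All) in Options enables directory listing (OSVDB-3268);
    # -Indexes is not matched because the token must start with an optional "+".
    if printf '%s\n' "$conf" | grep -qiE '^[[:space:]]*Options[[:space:]]+([-+]?[A-Za-z]+[[:space:]]+)*[+]?(Indexes|All)'; then
        echo 'Options Indexes enabled: directory indexing (OSVDB-3268)'
        n=$((n + 1))
    fi
    # Apache 2.4 omits INode from the default ETag, so only an explicit INode/All is flagged.
    if printf '%s\n' "$conf" | grep -qiE '^[[:space:]]*FileETag[[:space:]]+([-+]?[A-Za-z]+[[:space:]]+)*[+]?(INode|All)'; then
        echo 'FileETag includes INode: ETags leak inode numbers'
        n=$((n + 1))
    fi
    # The /server-status block must carry an access rule: Require (2.4) or Order/Allow (2.2) (OSVDB-561).
    block=$(printf '%s\n' "$conf" | sed -n '/<Location[[:space:]]*\/server-status>/,/<\/Location>/p')
    if [ -n "$block" ] && ! printf '%s\n' "$block" | grep -qiE '^[[:space:]]*(Require|Allow|Order)[[:space:]]'; then
        echo '/server-status exposed without an access restriction (OSVDB-561)'
        n=$((n + 1))
    fi
    # Nikto reports the absence of the anti-clickjacking header.
    if ! printf '%s\n' "$conf" | grep -qi 'X-Frame-Options'; then
        echo 'No X-Frame-Options header is set (clickjacking)'
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# audit_count CONFIG_TEXT: number of weak settings found.
audit_count() {
    audit_httpd_conf "$1" | wc -l | tr -d ' '
}

echo '== constructed weak config =='
audit_httpd_conf "$WEAK_CONF" || true
echo '== constructed hardened config =='
audit_httpd_conf "$HARDENED_CONF" && echo 'no findings'
```

Run it against a real file with `audit_httpd_conf "$(cat /etc/apache2/apache2.conf)"`; the checks are deliberately strict (an absent TraceEnable or ServerTokens line is reported, because the Apache defaults are On and Full), and a passing audit is only meaningful if the directives are not overridden in an included file or .htaccess.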
root@bt:~/nikto# ./nikto.pl -host 192.168.12.56 -p 80,443
-p (short for -port) selects the ports to scan; here ports 80 and 443 are scanned in one run.
You can run extra, more expensive tests with the -mutate parameter. Mutate mode 3 enumerates user names via Apache (/~user requests), and -mutate-options supplies the dictionary file it uses:
root@bt:~/nikto# ./nikto.pl -host 192.168.12.56 -mutate 3 -mutate-options user-list.txt
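Nikto's plain-text report is line-oriented, so it is easy to triage with standard tools before anyone reads it by hand. The script below is an added example, not part of the original post and not part of Nikto: it pulls the OSVDB identifiers, the paths each one was found on, and the number of findings out of a report. The sample report is the output of the scan above, embedded so the script runs without a target.

```shell
#!/bin/sh
# Added example: triage a Nikto text report with POSIX tools. Not part of the
# original post or of Nikto. The report below is the scan output shown above,
# embedded so this runs without a target.

NIKTO_REPORT='+ Server: Apache/2.4.2 (Win32) OpenSSL/1.0.1c PHP/5.4.4
+ Retrieved x-powered-by header: PHP/5.4.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: http://Hacker-PC.wifi.cdacpnq.in/xampp/
+ Server leaks inodes via ETags, header found with file /index.html, fields: 0xca 0x4bdcd7fdd5680
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-682: /webalizer/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3268: /login/: Directory indexing found.
+ OSVDB-3092: /login/: This might be interesting...
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3092: /restricted/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 6544 items checked: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2012-12-08 18:49:09 (GMT-5) (178 seconds)
+ 1 host(s) tested'

# nikto_finding_count REPORT: number of "+ " result lines, excluding the
# summary trailer (items checked, End Time, host(s) tested).
nikto_finding_count() {
    printf '%s\n' "$1" | grep '^+ ' \
        | grep -v -e 'items checked' -e 'End Time' -e 'host(s) tested' \
        | wc -l | tr -d ' '
}

# nikto_osvdb_ids REPORT: unique OSVDB identifiers, sorted numerically.
nikto_osvdb_ids() {
    printf '%s\n' "$1" | sed -n 's/^+ OSVDB-\([0-9]*\):.*/\1/p' | sort -un
}

# nikto_paths_for_id REPORT ID: unique paths Nikto attached to one OSVDB id
# (the token between "OSVDB-ID: " and the next ": "); empty for findings
# such as OSVDB-877 that carry no path.
nikto_paths_for_id() {
    printf '%s\n' "$1" | sed -n "s/^+ OSVDB-$2: \(\/[^ ]*\): .*/\1/p" | sort -u
}

# nikto_has_finding REPORT ID: succeed if the report contains that OSVDB id.
nikto_has_finding() {
    printf '%s\n' "$1" | grep -q "^+ OSVDB-$2:"
}

echo "findings: $(nikto_finding_count "$NIKTO_REPORT")"
echo "OSVDB ids: $(nikto_osvdb_ids "$NIKTO_REPORT" | tr '\n' ' ')"
for id in $(nikto_osvdb_ids "$NIKTO_REPORT"); do
    paths=$(nikto_paths_for_id "$NIKTO_REPORT" "$id" | tr '\n' ' ')
    [ -n "$paths" ] && echo "OSVDB-$id at: $paths"
done
# Quick triage of the two server-side fixes an Apache admin can apply straight away.
nikto_has_finding "$NIKTO_REPORT" 877 && echo 'TRACE is enabled: set TraceEnable Off'
nikto_has_finding "$NIKTO_REPORT" 561 && echo '/server-status is reachable: restrict it in httpd.conf'
```

For a live run, save the scan with -output and -Format text and pass the file contents in with `nikto_osvdb_ids "$(cat results.txt)"`; the count this script reports is the number of "+" result lines and will differ from Nikto's own "item(s) reported" total, which does not count every informational line.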
Options of Nikto :-
-config+ Use this config file
-Display+ Turn on/off display outputs
-dbcheck check database and other key files for syntax errors
-Format+ save file (-o) format
-Help Extended help information
-host+ target host
-id+ Host authentication to use, format is id:pass or id:pass:realm
-list-plugins List all available plugins
-output+ Write output to this file
-nossl Disables using SSL
-no404 Disables 404 checks
-Plugins+ List of plugins to run (default: ALL)
-port+ Port to use (default 80)
-root+ Prepend root value to all requests, format is /directory
-ssl Force ssl mode on port
-Tuning+ Scan tuning
-timeout+ Timeout for requests (default 10 seconds)
-update Update databases and plugins from CIRT.net
-Version Print plugin and database versions
-vhost+ Virtual host (for Host header)
+ requires a value
Interactive keys you can press while a scan is running :-
- SPACE - Report current scan status
- v - Turn verbose mode on/off
- d - Turn debug mode on/off
- e - Turn error reporting on/off
- p - Turn progress reporting on/off
- r - Turn redirect display on/off
- c - Turn cookie display on/off
- o - Turn OK display on/off
- a - Turn auth display on/off
- q - Quit
- N - Next host
- P - Pause
Nikto is not designed as an overly stealthy tool. It tests a web server in the quickest time possible and is fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or to test your IDS).
Nikto.conf
Location :-
- /etc/nikto.conf
- $HOME/nikto.conf
- nikto.conf
Variables :-
- CLIOPTS = -output results.txt -Format text (default command-line options applied to every run)
- NIKTODTD=docs/nikto.dtd (path to the DTD used for XML output)
- RFIURL=http://cirt.net/rfiinc.txt (full URL of the file used for remote file inclusion tests)
- SKIPPORTS=21 111 (ports that are never scanned)
- SKIPIDS= (space-separated list of test IDs (tids) that Nikto will not run against the target)
- DEFAULTHTTPVER=1.0
- UPDATES=yes/no/auto
- LW_SSL_ENGINE=auto (force LibWhisker to use the specified SSL library instead of the default selection)
- MAX_WARN=20 (produce a warning if this many MOVED responses are retrieved; currently unused)
- PROMPTS= (disables Nikto prompts if set to "no"; currently only used to prompt for proxy authentication and for sending updates)
- CIRT= (the IP address that Nikto will use to update the databases and plugins, or will send version information back to, as described in the UPDATES item)
Vulnerability
The vulnerability hash contains all information about a vulnerability and is the structure Nikto's plugin interface uses to record a finding. It should be treated as read-only and should only be written using the add_vulnerability method. Members of the vulnerability structure:
- mark: hash ref to a mark data structure.
- message: message for the vulnerability.
- nikto_id: test ID (tid) of the vulnerability; this should be a unique number which identifies the vulnerability.
- osvdb: OSVDB reference to the vulnerability in the Open Source Vulnerability Database. This may be 0 if an OSVDB reference is not relevant or doesn't exist.
- method: HTTP method used to find the vulnerability.
- uri: URI for the result.
- result: any HTTP data, excluding headers.
Some important terms :-
- Asset: A resource of value, such as the data in a database or on the filesystem, a system resource, etc.
- Threat: A potential occurrence (malicious or otherwise) that may harm an asset.
- Vulnerability: A weakness or entry point that makes a threat possible.
- Attack: Hostile action taken to harm an asset.
- Exploit: Code or a technique that takes advantage of a vulnerability to carry out an attack.
- Countermeasure: A safeguard that addresses a threat and mitigates risk.