Nikto

From Backtrack-fr

Introduction

Nikto is an open source (GPL) web vulnerability scanner that runs comprehensive tests against web servers. It checks for more than 3500 potentially dangerous files and CGIs. Nikto is not designed to be a stealthy tool: it tests a web server quickly, but it is easily spotted in the logs. It is nonetheless very useful for testing the security of your own web server.

Usage

bt nikto # ./nikto.pl -e -host   

Usage options

  Options:
      -config+                 use this config file
      -Cgidirs+                scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
      -Display+                turn on/off display outputs:
                                  1     Show redirects
                                  2     Show cookies received
                                  3     Show all 200/OK responses
                                  4     Show URLs which require authentication
                                  D     Debug Output
                                  V     Verbose Output
      -dbcheck                 check database and other key files for syntax errors (cannot be abbreviated)
      -evasion+                ids evasion technique:
                                  1     Random URI encoding (non-UTF8)
                                  2     Directory self-reference (/./)
                                  3     Premature URL ending
                                  4     Prepend long random string
                                  5     Fake parameter
                                  6     TAB as request spacer
                                  7     Change the case of the URL
                                  8     Use Windows directory separator (\)
      -findonly                find http(s) ports only, don't perform a full scan
      -Format+                 save file (-o) format:
                                  htm   HTML Format
                                  csv   Comma-separated-value
                                  txt   Plain text (default if not specified)
      -host+                   target host
      -Help                    Extended help information
      -id+                     host authentication to use, format is userid:password
      -mutate+                 Guess additional file names:
                                  1     Test all files with all root directories
                                  2     Guess for password file names
                                  3     Enumerate user names via Apache (/~user type requests)
                                  4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
      -nolookup                skip name lookup
      -output+                 write output to this file
      -port+                   port to use (default 80)
      -Pause+                  pause between tests (seconds)
      -root+                   prepend root value to all requests, format is /directory
      -ssl                     force ssl mode on port
      -Single                  Single request mode
      -timeout+                timeout (default 2 seconds)
      -Tuning+                 scan tuning:
                                  0     File Upload
                                  1     Interesting File / Seen in logs
                                  2     Misconfiguration / Default File
                                  3     Information Disclosure
                                  4     Injection (XSS/Script/HTML)
                                  5     Remote File Retrieval - Inside Web Root
                                  6     Denial of Service
                                  7     Remote File Retrieval - Server Wide
                                  8     Command Execution / Remote Shell
                                  9     SQL Injection
                                  a     Authentication Bypass
                                  b     Software Identification
                                  c     Remote Source Inclusion
                                  x     Reverse Tuning Options (i.e., include all except specified)
      -useproxy                use the proxy defined in config.txt
      -update                  update databases and plugins from cirt.net (cannot be abbreviated)
      -Version                 print plugin and database versions
      -vhost+                  virtual host (for Host header)
  + requires a value

Configuration

The configuration file is located in the current directory (/pentest/scanners/nikto) and is named config.txt:

#########################################################################################################
# CONFIG STUFF 
#########################################################################################################
# default command line options, can't be an option that requires a value.  used for ALL runs.
# CLIOPTS=-g -a 

# location of nmap to use with port scanning (rather than Nikto internals)
# and any options to pass to it
NMAP=/usr/local/bin/nmap
NMAPOPTS=-P0

# ports never to scan
SKIPPORTS=21 111

# IDs never to alert on (Note: this only works for IDs loaded from db_tests)
SKIPIDS=000703

# if Nikto is having difficulty finding the 'plugins', set the full install path here
# EXECDIR=/usr/local/nikto

# the default HTTP version to try... can/will be changed as necessary
DEFAULTHTTPVER=1.0 

# Nikto can submit updated version strings to CIRT.net. It won't do this w/o permission. You should
# send updates because it makes the data better for everyone ;)  *NO* server specific information
# such as IP or name is sent, just the relevant version information.
# UPDATES=yes  #-- ask before each submission if it should send
# UPDATES=no   #-- don't ask, don't send
# UPDATES=auto #-- automatically attempt submission *without prompting*
UPDATES=yes

# Warning if MAX_WARN OK or MOVED responses are retrieved
MAX_WARN=20

# Prompt... if set to 'no' you'll never be asked for anything. Good for automation.
#PROMPTS=no

# cirt.net : set the IP so that updates can work without name resolution
CIRT=209.172.49.178

#########################################################################################################
# PROXY STUFF
#########################################################################################################
#PROXYHOST=127.0.0.1
#PROXYPORT=8080
#PROXYUSER=proxyuserid
#PROXYPASS=proxypassword 

#########################################################################################################
# COOKIE STUFF
#########################################################################################################
# send a cookie with all requests, helpful if auth cookie is needed
#STATIC-COOKIE=cookiename=cookievalue

CLIOPTS sets default command-line options applied to every scan, so you can scan the way you want (for example -g) by uncommenting the line and removing the trailing -a. As the comment in the file notes, only options that do not require a value can be placed here.

NMAP lets you use nmap for the port scan instead of Nikto's built-in scanner.

NMAPOPTS specifies the options passed to nmap.

SKIPPORTS keeps the listed ports from ever being scanned.

SKIPIDS lists test IDs that are never reported (this only applies to IDs loaded from db_tests).

DEFAULTHTTPVER selects the HTTP version tried by default.

PROXY STUFF lets you route the scan through a proxy by uncommenting the lines.

COOKIE STUFF sends a cookie with every request, if one is needed.

Usage example

   perl nikto.pl -h 192.168.0.1

To test a specific port, use the -p (-port) option. This scans the IP 192.168.0.1 on TCP port 443:

   perl nikto.pl -h 192.168.0.1 -p 443

There is no need to specify that port 443 may be SSL: Nikto first tries HTTP and, if that fails, then HTTPS. If you are sure the server is SSL, you can pass the -s (-ssl) option, which speeds up the test.

Multiple Port Testing

   perl nikto.pl -h 192.168.0.1 -p 80,88,443

Worked example

bt nikto # ./nikto.pl -e 1 -host hxxp://192.168.1.44/joomla12 -F txt -o monfile.txt
---------------------------------------------------------------------------
- Nikto 2.01/2.01     -     cirt.net
+ Target IP:       192.168.1.44
+ Target Hostname: joomla12
+ Target Port:     80
+ Using IDS Evasion:    Random URI encoding (non-UTF8)
+ Start Time:      2008-09-16 10:26:17
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8
+ No CGI Directories found (use '-C all' to force check all possible dirs)
- Root page / redirects to: hxxp://joomla12/apache2-default/
- Retrieved X-Powered-By header: PHP/5.2.0-8+etch10
+ /robots.txt - contains 13 'disallow' entries which should be manually viewed (added to mutation file lists) (GET).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ PHP/5.2.0-8+etch10 appears to be outdated (current is at least 5.2.4)
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
+ mod_python/3.2.10 appears to be outdated (current is at least 3.3.1)
+ PHP/5.2.0-8+etch10 appears to be outdated (current is at least 5.2.4)
+ mod_perl/2.0.2 appears to be outdated (current is at least 5.8.0)
+ OSVDB-0: GET /joomla12/help/ : Help directory should not be accessible
+ OSVDB-0: GET /joomla12/index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
+ OSVDB-8193: GET /joomla12/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc : EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-12184: GET /joomla12/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: GET /joomla12/administrator/ : This might be interesting...
+ OSVDB-3092: GET /joomla12/includes/ : This might be interesting...
+ OSVDB-3093: GET /joomla12/index.php?base=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?pymembs=admin : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?SqlQuery=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?tampon=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?topic=<script>alert(document.cookie)</script>%20 : This might be interesting... has been  seen in web logs from an unknown scanner.
+ OSVDB-3761: GET /joomla12/?pattern=/etc/*&sort=name : The TCLHttpd 3.4.2 server allows directory listings via dirlist.tcl.
+ 2963 items checked: 22 item(s) reported on remote host
+ End Time:        2008-09-16 10:27:08 (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
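The report above is the plain-text format written with -F txt -o. The following added example (not part of the original page or of Nikto itself) parses that format into host metadata and findings, then separates entries backed by a concrete OSVDB reference from the OSVDB-0 and "This might be interesting..." entries that need a manual check, and flags an advertised TRACE method. The sample report embedded in it is constructed from a few lines of the output above.

```python
import re

# Constructed sample in the format Nikto writes with "-F txt", modelled on the
# scan output above (a few lines only; not a real report file).
SAMPLE_REPORT = """\
+ Target IP:       192.168.1.44
+ Target Port:     80
+ Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled.
+ OSVDB-0: GET /joomla12/help/ : Help directory should not be accessible
+ OSVDB-8193: GET /joomla12/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc : EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: GET /joomla12/administrator/ : This might be interesting...
+ OSVDB-3093: GET /joomla12/index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
+ 2963 items checked: 22 item(s) reported on remote host
"""

# A finding line: "+ OSVDB-<id>: [<METHOD> <path> : ]<description>"
FINDING_RE = re.compile(
    r"^\+ OSVDB-(?P<id>\d+): (?:(?P<method>[A-Z]+) (?P<path>\S+) : )?(?P<text>.*)$")
# Host metadata lines worth keeping
HEADER_RE = re.compile(
    r"^\+ (?P<key>Target IP|Target Port|Server|Allowed HTTP Methods):\s*(?P<value>.*)$")

def parse_report(text):
    """Split a Nikto txt report into host metadata and a list of findings."""
    meta, findings = {}, []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings.append({"osvdb": int(m.group("id")), "method": m.group("method"),
                             "path": m.group("path"), "text": m.group("text").strip()})
            continue
        h = HEADER_RE.match(line)
        if h:
            meta[h.group("key")] = h.group("value").strip()
    return meta, findings

def triage(meta, findings):
    """Separate findings backed by a concrete OSVDB reference from OSVDB-0 and
    generic 'This might be interesting...' entries, which need a manual check;
    also report whether the server advertises the TRACE method."""
    methods = [s.strip() for s in meta.get("Allowed HTTP Methods", "").split(",")]
    needs_review = [f for f in findings
                    if f["osvdb"] == 0 or "might be interesting" in f["text"]]
    referenced = [f for f in findings if f not in needs_review]
    return {"trace_enabled": "TRACE" in methods,
            "referenced": referenced, "needs_review": needs_review}
```

Feed the contents of a real -o output file to parse_report() to get the same structure for a full scan.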

Links

file:///pentest/scanners/nikto/docs/nikto_manual.html

http://www.cirt.net/nikto2
