{"id":12843,"date":"2019-03-28T23:37:25","date_gmt":"2019-03-28T23:37:25","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=12843"},"modified":"2019-03-28T23:37:25","modified_gmt":"2019-03-28T23:37:25","slug":"nikto-a-web-application-vulnerability-and-cgi-scanner-for-web-servers","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/28\/nikto-a-web-application-vulnerability-and-cgi-scanner-for-web-servers\/","title":{"rendered":"Nikto \u2013 A Web Application Vulnerability and CGI Scanner for Web Servers"},"content":{"rendered":"

Nikto Web Scanner<\/strong>\u00a0is an another good to have tool for any Linux administrator\u2019s arsenal. It\u2019s an Open source web scanner released under the GPL license, which is used to perform comprehensive tests on Web servers for multiple items including over\u00a06500<\/strong>\u00a0potentially dangerous\u00a0files<\/strong>\/CGIs<\/strong>.<\/p>\n

Suggested Read:<\/b>\u00a0WPSeku \u2013 A Vulnerability Scanner to Find Security Issues in WordPress<\/a><\/p>\n

It\u2019s written by\u00a0Chris Solo<\/strong>\u00a0and\u00a0David Lodge<\/strong>\u00a0for\u00a0Vulnerability<\/strong>\u00a0assessment, it checks for outdated versions over\u00a01250<\/strong>\u00a0Web servers and over\u00a0270<\/strong>\u00a0version specific problems. It also scans and reports for outdated web server software and plugins.<\/p>\n

Features of Nikto Web Scanner<\/h3>\n
    \n
  1. Supports SSL<\/li>\n
  2. Supports full HTTP proxy<\/li>\n
  3. Supports text, HTML, XML and CSV to save reports.<\/li>\n
  4. Scan for multiple ports<\/li>\n
  5. Can scan on multiple servers by taking inputs from files like nmap output<\/li>\n
  6. Support LibWhisker IDS<\/li>\n
  7. Capable enough to identify installed software with headers, files, and favicons<\/li>\n
  8. Logs for Metasploits<\/li>\n
  9. Reports for \u201cunusual \u201d headers.<\/li>\n
  10. Apache and cgiwrap user enumeration<\/li>\n
  11. Authenticate hosts with Basic and NTLM<\/li>\n
  12. Scans can be Auto-paused at a specified time.<\/li>\n<\/ol>\n

    Nikto Requirements<\/h3>\n

    A system with basic\u00a0Perl<\/strong>,\u00a0Perl Modules<\/strong>,\u00a0OpenSSL<\/strong>\u00a0installation should enable\u00a0Nikto<\/strong>\u00a0to run. It has been thoroughly tested on\u00a0Windows<\/strong>,\u00a0Mac OSX<\/strong>\u00a0and various\u00a0Unix<\/strong>\/Linux<\/strong>\u00a0distributions such as\u00a0Red Hat<\/strong>,\u00a0Debian<\/strong>,\u00a0Ubuntu<\/strong>,\u00a0BackTrack<\/strong>, etc.<\/p>\n

    Installation of Nikto Web Scanner on Linux<\/h3>\n

    Most of the today\u2019s Linux systems comes with pre-installed\u00a0Perl<\/strong>,\u00a0Perl Modules<\/strong>, and\u00a0OpenSSL<\/strong>\u00a0packages. If not included, you can install them using the default system package manager utility called\u00a0yum<\/strong>\u00a0or\u00a0apt-get<\/strong>.<\/p>\n

    On Red Hat\/CentOS\/Fedora<\/h5>\n
    [root@tecmint ]# yum install perl perl-Net-SSLeay openssl<\/pre>\n
    On Debian\/Ubuntu\/Linux Mint<\/h5>\n
    [root@tecmint ]# apt-get install perl openssl libnet-ssleay-perl<\/pre>\n
    Next, clone the latest stable\u00a0Nikto<\/strong>\u00a0source files from its Github repository, move into\u00a0Nikto\/programs\/<\/strong>\u00a0directory and run it using perl:<\/p>\n
    $ git clone https:\/\/github.com\/sullo\/nikto.git\r\n$ cd nikto\/programs\r\n$ perl nikto.pl -h \r\n<\/pre>\n
    Sample Output<\/h5>\n
    Option host requires an argument\r\n\r\n       -config+            Use this config file\r\n       -Display+           Turn on\/off display outputs\r\n       -dbcheck            check database and other key files for syntax errors\r\n       -Format+            save file (-o) format\r\n       -Help               Extended help information\r\n       -host+              target host\r\n       -id+                Host authentication to use, format is id:pass or id:pass:realm\r\n       -list-plugins       List all available plugins\r\n       -output+            Write output to this file\r\n       -nossl              Disables using SSL\r\n       -no404              Disables 404 checks\r\n       -Plugins+           List of plugins to run (default: ALL)\r\n       -port+              Port to use (default 80)\r\n       -root+              Prepend root value to all requests, format is \/directory\r\n       -ssl                Force ssl mode on port\r\n       -Tuning+            Scan tuning\r\n       -timeout+           Timeout for requests (default 10 seconds)\r\n       -update             Update databases and plugins from CIRT.net\r\n       -Version            Print plugin and database versions\r\n       -vhost+             Virtual host (for Host header)\r\n   \t\t+ requires a value\r\n\r\n\tNote: This is the short help output. Use -H for full help text.\r\n<\/pre>\n
    The \u201cOption host requires an argument<\/strong>\u201d is clearly telling that we didn\u2019t include the needed parameters while doing a test. So, we need to add a basic necessary parameter to do a test run.<\/p>\n
    Basic Testing<\/h4>\n
    The basic scan requires a host that you want to target, by default it scans port\u00a080<\/strong>\u00a0if nothing is specified. The host can either be a\u00a0hostname<\/strong>\u00a0or an\u00a0IP Address<\/strong>\u00a0of a system. You can specify a host using \u201c-h<\/strong>\u201d option.<\/p>\n
    For example, I want to do a scan on an IP\u00a0172.16.27.56<\/strong>\u00a0on TCP port\u00a080<\/strong>.<\/p>\n
    [root@tecmint nikto-2.1.5]# perl nikto.pl -h 172.16.27.56<\/pre>\n
    Sample Output<\/h6>\n
    - Nikto v2.1.5\r\n---------------------------------------------------------------------------\r\n+ Target IP:          172.16.27.56\r\n+ Target Hostname:    example.com\r\n+ Target Port:        80\r\n+ Start Time:         2014-01-10 00:48:12 (GMT5.5)\r\n---------------------------------------------------------------------------\r\n+ Server: Apache\/2.2.15 (CentOS)\r\n+ Retrieved x-powered-by header: PHP\/5.3.3\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ Server leaks inodes via ETags, header found with file \/robots.txt, inode: 5956160, size: 24, mtime: 0x4d4865a054e32\r\n+ File\/dir '\/' in robots.txt returned a non-forbidden or redirect HTTP code (200)\r\n+ \"robots.txt\" contains 1 entry which should be manually viewed.\r\n+ Apache\/2.2.15 appears to be outdated (current is at least Apache\/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.\r\n+ Multiple index files found: index.php, index.htm, index.html\r\n+ DEBUG HTTP verb may show server debugging information. See http:\/\/msdn.microsoft.com\/en-us\/library\/e8z01xdh%28VS.80%29.aspx for details.\r\n+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST\r\n+ OSVDB-3233: \/phpinfo.php: Contains PHP configuration information\r\n+ OSVDB-12184: \/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.\r\n+ OSVDB-3092: \/test.html: This might be interesting...\r\n+ OSVDB-3268: \/icons\/: Directory indexing found.\r\n+ OSVDB-3233: \/icons\/README: Apache default file found.\r\n+ \/connect.php?path=http:\/\/cirt.net\/rfiinc.txt?: Potential PHP MySQL database connection string found.\r\n+ OSVDB-3092: \/test.php: This might be interesting...\r\n+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host\r\n+ End Time:           2014-01-10 00:48:23 (GMT5.5) (11 seconds)\r\n---------------------------------------------------------------------------\r\n+ 1 host(s) tested<\/pre>\n
    If you want to scan on a different port number, then add \u201c-p<\/strong>\u201d [-port<\/strong>] option. For example, I want to do a scan on IP\u00a0172.16.27.56<\/strong>\u00a0on TCP port\u00a0443<\/strong>.<\/p>\n
    [root@tecmint nikto-2.1.5]# perl nikto.pl -h 172.16.27.56 -p 443<\/pre>\n
    Sample Output<\/h6>\n
    - Nikto v2.1.5\r\n---------------------------------------------------------------------------\r\n+ Target IP:          172.16.27.56\r\n+ Target Hostname:    example.com\r\n+ Target Port:        443\r\n---------------------------------------------------------------------------\r\n+ SSL Info:        Subject: \/O=*.mid-day.com\/OU=Domain Control Validated\/CN=*.mid-day.com\r\n                   Ciphers: DHE-RSA-AES256-GCM-SHA384\r\n                   Issuer:  \/C=US\/ST=Arizona\/L=Scottsdale\/O=Starfield Technologies, Inc.\/OU=http:\/\/certificates.starfieldtech.com\/repository\/CN=Starfield Secure Certification Authority\/serialNumber=10688435\r\n+ Start Time:         2014-01-10 01:08:26 (GMT5.5)\r\n---------------------------------------------------------------------------\r\n+ Server: Apache\/2.2.15 (CentOS)\r\n+ Server leaks inodes via ETags, header found with file \/, inode: 2817021, size: 5, mtime: 0x4d5123482b2e9\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ Apache\/2.2.15 appears to be outdated (current is at least Apache\/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.\r\n+ Server is using a wildcard certificate: '*.mid-day.com'\r\n+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE\r\n+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST\r\n+ OSVDB-3268: \/icons\/: Directory indexing found.\r\n+ OSVDB-3233: \/icons\/README: Apache default file found.\r\n+ 6544 items checked: 0 error(s) and 8 item(s) reported on remote host\r\n+ End Time:           2014-01-10 01:11:20 (GMT5.5) (174 seconds)\r\n---------------------------------------------------------------------------\r\n+ 1 host(s) tested<\/pre>\n
    You can also specify\u00a0hosts<\/strong>,\u00a0ports<\/strong>\u00a0and\u00a0protocols<\/strong>\u00a0using a full\u00a0URL<\/strong>\u00a0syntax, and it will be scanned.<\/p>\n
    [root@tecmint nikto-2.1.5]# perl nikto.pl -h http:\/\/172.16.27.56:80<\/pre>\n
    You can also scan any website. For example, here I did a scan on\u00a0google.com<\/strong>.<\/p>\n
    [root@tecmint nikto-2.1.5]# perl nikto.pl -h http:\/\/www.google.com<\/pre>\n
    Sample Output<\/h6>\n
    - Nikto v2.1.5\r\n---------------------------------------------------------------------------\r\n+ Target IP:          173.194.38.177\r\n+ Target Hostname:    www.google.com\r\n+ Target Port:        80\r\n+ Start Time:         2014-01-10 01:13:36 (GMT5.5)\r\n---------------------------------------------------------------------------\r\n+ Server: gws\r\n+ Cookie PREF created without the httponly flag\r\n+ Cookie NID created without the httponly flag\r\n+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN\r\n+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block\r\n+ Uncommon header 'alternate-protocol' found, with contents: 80:quic\r\n+ Root page \/ redirects to: http:\/\/www.google.co.in\/?gws_rd=cr&ei=xIrOUomsCoXBrAee34DwCQ\r\n+ Server banner has changed from 'gws' to 'sffe' which may suggest a WAF, load balancer or proxy is in place\r\n+ Uncommon header 'x-content-type-options' found, with contents: nosniff\r\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\r\n+ File\/dir '\/groups\/' in robots.txt returned a non-forbidden or redirect HTTP code (302)\r\n\u2026.<\/pre>\n
    The above command will perform a bunch of http requests (i.e. more than\u00a02000<\/strong>\u00a0tests) on the web server.<\/p>\n
    Multiple Port Testing<\/h4>\n
    You can also perform multiple ports scanning in the same session. To scan multiple ports on the same host, add \u201c-p<\/strong>\u201d [-port<\/strong>] option and specify the list of ports. Ports can be defined as a range (i.e.,\u00a080-443<\/strong>), or as a comma separated (i.e.,\u00a080,443<\/strong>). For example, I want to scan a ports\u00a080<\/strong>\u00a0and\u00a0443<\/strong>\u00a0on the host\u00a0172.16.27.56<\/strong>.<\/p>\n
    [root@tecmint nikto-2.1.5]# perl nikto.pl -h 172.16.27.56 -p 80,443<\/pre>\n
    Sample Output<\/h6>\n
    - Nikto v2.1.5\r\n---------------------------------------------------------------------------\r\n+ No web server found on cmsstage.mid-day.com:88\r\n---------------------------------------------------------------------------\r\n+ Target IP:          172.16.27.56\r\n+ Target Hostname:    example.com\r\n+ Target Port:        80\r\n+ Start Time:         2014-01-10 20:38:26 (GMT5.5)\r\n---------------------------------------------------------------------------\r\n+ Server: Apache\/2.2.15 (CentOS)\r\n+ Retrieved x-powered-by header: PHP\/5.3.3\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n\r\n---------------------------------------------------------------------------\r\n+ Target IP:          172.16.27.56\r\n+ Target Hostname:    example.com\r\n+ Target Port:        443\r\n---------------------------------------------------------------------------\r\n+ SSL Info:        Subject: \/O=*.mid-day.com\/OU=Domain Control Validated\/CN=*.mid-day.com\r\n                   Ciphers: DHE-RSA-AES256-GCM-SHA384\r\n                   Issuer:  \/C=US\/ST=Arizona\/L=Scottsdale\/O=Starfield Technologies, Inc.\/OU=http:\/\/certificates.starfieldtech.com\/repository\/CN=Starfield Secure Certification Authority\/serialNumber=10688435\r\n+ Start Time:         2014-01-10 20:38:36 (GMT5.5)\r\n---------------------------------------------------------------------------\r\n+ Server: Apache\/2.2.15 (CentOS)\r\n+ All CGI directories 'found', use '-C none' to test none\r\n+ Apache\/2.2.15 appears to be outdated (current is at least Apache\/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.\r\n.....<\/pre>\n
    Using a Proxy<\/h4>\n
    Let\u2019s say a system where\u00a0Nikto<\/strong>\u00a0is running only has access to the target host via an\u00a0HTTP<\/strong>\u00a0proxy, the test can still be performed using two different ways. One is using\u00a0nikto.conf<\/strong>\u00a0file and another way is to run directly from the\u00a0command line<\/strong>.<\/p>\n
    Using Nikto.conf File<\/h5>\n
    Open\u00a0nikto.conf<\/strong>\u00a0file using any command line editor.<\/p>\n
    [root@localhost nikto-2.1.5]# vi nikto.conf<\/pre>\n
    Search for the variable \u201cPROXY<\/strong>\u201d and uncomment the \u2018#<\/strong>\u2018 from the beginning of the lines as shown. Then add the\u00a0proxy host<\/strong>,\u00a0port<\/strong>,\u00a0proxy user<\/strong>\u00a0and\u00a0password<\/strong>. Save and close the file.<\/p>\n
    # Proxy settings -- still must be enabled by -useproxy\r\nPROXYHOST=172.16.16.37\r\nPROXYPORT=8080\r\nPROXYUSER=pg\r\nPROXYPASS=pg<\/pre>\n
    Now, execute the\u00a0Nikto<\/strong>\u00a0using \u201c-useproxy<\/strong>\u201d option. Please note all connections will be relayed via the\u00a0HTTP<\/strong>\u00a0proxy.<\/p>\n
    root@localhost nikto-2.1.5]# perl nikto.pl -h localhost -p 80 -useproxy<\/pre>\n
    Sample Output<\/h6>\n
    - Nikto v2.1.5\r\n---------------------------------------------------------------------------\r\n+ Target IP:          127.0.0.1\r\n+ Target Hostname:    localhost\r\n+ Target Port:        80\r\n+ Start Time:         2014-01-10 21:28:29 (GMT5.5)\r\n---------------------------------------------------------------------------\r\n+ Server: squid\/2.6.STABLE6\r\n+ Retrieved via header: 1.0 netserv:8080 (squid\/2.6.STABLE6)\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0\r\n+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080<\/pre>\n
    Using Command Line<\/h5>\n
    To run the\u00a0Nikto<\/strong>\u00a0directly from the command line using the \u201c-useproxy<\/strong>\u201d option by setting the proxy as the argument.<\/p>\n
    root@localhost nikto-2.1.5]# perl nikto.pl -h localhost -useproxy http:\/\/172.16.16.37:8080\/<\/pre>\n
    Sample Output<\/h6>\n
    - Nikto v2.1.5\r\n---------------------------------------------------------------------------\r\n+ Target IP:          127.0.0.1\r\n+ Target Hostname:    localhost\r\n+ Target Port:        80\r\n+ Start Time:         2014-01-10 21:34:51 (GMT5.5)\r\n---------------------------------------------------------------------------\r\n+ Server: squid\/2.6.STABLE6\r\n+ Retrieved via header: 1.0 netserv:8080 (squid\/2.6.STABLE6)\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0\r\n+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080<\/pre>\n
    Updating Nikto<\/h4>\n
    You can update\u00a0Nikto<\/strong>\u00a0to the latest\u00a0plugins<\/strong>\u00a0and\u00a0databases<\/strong>\u00a0automatically, simply run the \u201c-update<\/strong>\u201d command.<\/p>\n
    [root@localhost nikto-2.1.5]# perl nikto.pl -update<\/pre>\n
    If new updates are available, you will see a list of new updates downloaded.<\/p>\n
    + Retrieving 'nikto_report_csv.plugin'\r\n+ Retrieving 'nikto_headers.plugin'\r\n+ Retrieving 'nikto_cookies.plugin'\r\n+ Retrieving 'db_tests'\r\n+ Retrieving 'db_parked_strings'\r\n+ Retrieving 'CHANGES.txt'\r\n+ CIRT.net message: Please submit Nikto bugs to http:\/\/trac2.assembla.com\/Nikto_2\/report\/2<\/pre>\n
    You can also manually download and update Nikto plugins and databases from the\u00a0http:\/\/cirt.net\/nikto\/UPDATES\/<\/a>.<\/p>\n
    Reference Links<\/h3>\n
    Nikto Homepage<\/a><\/p>\n
    Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Nikto Web Scanner\u00a0is an another good to have tool for any Linux administrator\u2019s arsenal. It\u2019s an Open source web scanner released under the GPL license, which is used to perform comprehensive tests on Web servers for multiple items including over\u00a06500\u00a0potentially dangerous\u00a0files\/CGIs. Suggested Read:\u00a0WPSeku \u2013 A Vulnerability Scanner to Find Security Issues in WordPress It\u2019s written … <\/p>\n
    Continue reading “Nikto \u2013 A Web Application Vulnerability and CGI Scanner for Web Servers”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-12843","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=12843"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12843\/revisions"}],"predecessor-version":[{"id":12845,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12843\/revisions\/12845"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=12843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=12843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=12843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}