{"id":9365,"date":"2019-02-10T00:43:11","date_gmt":"2019-02-10T00:43:11","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw92\/?p=9365"},"modified":"2019-02-10T02:20:23","modified_gmt":"2019-02-10T02:20:23","slug":"getting-started-with-nikto-vulnerability-scanner-linux-hint","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/02\/10\/getting-started-with-nikto-vulnerability-scanner-linux-hint\/","title":{"rendered":"Getting started with Nikto vulnerability scanner \u2013 Linux Hint"},"content":{"rendered":"

Installing Nikto:<\/strong><\/h3>\n

In this case I\u2019m using a Debian system, you can download Nikto for Debian at\u00a0https:\/\/packages.debian.org\/jessie\/all\/nikto\/download<\/a>\u00a0. In case your system returns dependency errors\u00a0 when executing \u201cdpkg -i <packagename><\/strong>\u201d (as explained at\u00a0https:\/\/linuxhint.com\/uninstall-debian-packages\/<\/a>) execute the command \u201capt \u2013fix-broken install<\/strong>\u201d and you\u2019ll get it installed.<\/p>\n

<\/div>\n

Getting started with Nikto:<\/strong><\/span><\/h3>\n

Like with any Linux package you can always throw a \u201cman nikto\u201d to learn all parameters. The first parameter we\u2019ll use, and which is mandatory, is\u00a0-host\u00a0<\/strong>(or\u00a0-h<\/strong>)to specify the target. In this case I decided to use as target a very old unmaintained website which may throw interesting results:<\/p>\n

<\/div>\n

\"\"<\/p>\n

As with any scanner we receive basic information useful in a footprinting process but additionally we can see within the first results Nikto already discovered a possible vulnerability exposing the website to Clickjacking attacks.<\/p>\n

<\/p>\n

The website has no redirection to www so I launched the scan again.<\/p>\n

You can see they are using an old Apache version under CentOS and several possible vulnerabilities like OSVDB-877, OSVDB-3092, OSVDB-3268, OSVDB-3233, in the past we could search in the\u00a0http:\/\/www.osvdb.org<\/a>\u00a0database but it is offline now, therefore we\u2019ll need to base the vulnerability on the information Nikto provides or to google it, in this case we would google Cross Site Tracing attacks.<\/p>\n

Let\u2019s combine Nikto with Nmap, so we can see what ports a Webserver has open before using Nikto, ill throw a basic Nmap scan against the same target to check if it has additional ports open.<\/p>\n

\"\"<\/p>\n

The interesting here may be the port 5060 used for VOIP, the port seems associated with known vulnerabilities\u00a0according to this source<\/a>, through Nikto it is unlikely to give important results but let\u2019s try it.<\/span><\/p>\n

\"\"<\/p>\n

Where<\/p>\n

-p =\u00a0 specifies the port.<\/p>\n

-h = specifies the host<\/p>\n

-useproxy = to scan using a proxy and avoid the target to see our IP.<\/p>\n

In contrast with the scan we launched before now Nikto found a XML file linking us to a blog article explaining the vulnerability the file may represent. It is recommendable to run Nmap against a target before using Nikto to target open ports.<\/p>\n

It is important to highlight Nikto results will differ according to the parameters and data we use, even against the same target, for example, if you use the target\u2019s domain name or the target\u2019s IP or change the port. Let\u2019s see if we can find a third different result on the same target:<\/p>\n

\"\"<\/p>\n

The result is very similar in this case, despite more errors were reported (21 vs 18 the first scan), possibly due redirection issues.<\/p>\n

Multiple port scanning with Nikto:<\/strong><\/h3>\n

If we run Nmap to discover a site has multiple ports open we can scan all them in a single Nikto session by separating ports with coma as shown below:<\/p>\n

I run:<\/p>\n

\n
nmap<\/span>\u00a0proz.com
\nnikto\u00a0-h<\/span>\u00a0proz.com\u00a0-p<\/span>\u00a080<\/span>,111<\/span>,443<\/span>,5666<\/span><\/div>\n<\/div>\n

\"\"<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

\"\"<\/span><\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

As you see after getting all open ports by Nmap I threw a Nikto scan, it automatically discards ports which are not running web applications. By adding all ports Nikto discovered multiple vulnerabilities including very sensitive directories holding possible credentials, SQL Injection and XSS vulnerabilities, brute force possibilities among a lot more of opportunities to exploit the server.<\/p>\n

To reproduce Nikto results with complete results just run:<\/p>\n

\n
“nikto -h proz.com -p 80,111,443,5666”<\/span><\/div>\n<\/div>\n

Using Nikto plugins:<\/strong><\/h3>\n

\u201cNikto\u00a0 -list-plugins<\/strong>\u201d will display a list of additional plugins which may help to scan a target or confirm a vulnerability reported by Nikto.<\/p>\n

\"\"<\/p>\n

Let\u2019s verify if the results above showing XSS vulnerabilities are not a false positive.
\nRun:<\/p>\n

\n
nikto\u00a0-h<\/span>\u00a0proz.com\u00a0-Plugins<\/span>\u00a0“apache_expect_xss(verbose,debug)”<\/span><\/div>\n<\/div>\n

\"\"<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

<\/span><\/p>\n

As we see in this case Nikto informs \u201c\u2018message\u2019 => \u2018Expectation Failed\u201d discarding the XSS vulnerability, if it was your server you could use different plugins to discard or confirm the rest of vulnerabilities.<\/span><\/p>\n

Conclusion:<\/strong><\/h4>\n

Nikto is a very light vulnerabilities scanner for web servers, it is useful if you have no time to deal with heavy scanners like Nexpose or Nessus, despite this, if you have time to analyze your target I would recommend a more complete scanner like Nexpose, Nessus, OpenVAS or Nmap, some of which we already analyzed at LinuxHint simply because they are not limited to web servers and all aspects deserve to be deeply checked in order to protect a server.<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Installing Nikto: In this case I\u2019m using a Debian system, you can download Nikto for Debian at\u00a0https:\/\/packages.debian.org\/jessie\/all\/nikto\/download\u00a0. In case your system returns dependency errors\u00a0 when executing \u201cdpkg -i <packagename>\u201d (as explained at\u00a0https:\/\/linuxhint.com\/uninstall-debian-packages\/) execute the command \u201capt \u2013fix-broken install\u201d and you\u2019ll get it installed. Getting started with Nikto: Like with any Linux package you can always … <\/p>\n

Continue reading “Getting started with Nikto vulnerability scanner \u2013 Linux Hint”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9365","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/9365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=9365"}],"version-history":[{"count":2,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/9365\/revisions"}],"predecessor-version":[{"id":9367,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/9365\/revisions\/9367"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=9365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=9365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=9365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}