Revealing The Holes In Your Webserver With Nikto v1.35
Nikto is an advanced web vulnerability scanner, which can help you
expose the potential holes in your webserver (and thus allow you to fix
them before malicious users attempt to exploit them). It is written in
Perl and uses the LibWhisker library, which means that it can be
expanded upon fairly easily (it also means that it depends on Perl and
the LibWhisker library!)
What does Nikto do, exactly? Well, not only does it search for
potentially vulnerable files, but also for directories which may
contain "interesting" information, and a myriad of other things. It
supports proxies, SSL, character encoding, portscanning (it can use
nmap if you have it installed), and much more. That is not all – it
gives a lot of detail on each 'hole', its output format is perfect
(and, on top of that, it allows you to save the output as txt, CSV or
HTML), and it is very easy to use. All in all, it is an excellent tool
to test your webserver and help you spot and fix any holes – and that is
why I have written this tutorial: to help you get as much as you can
out of it in the shortest amount of time.
Installing Nikto
Using your favourite web browser, navigate to Nikto's homepage and
download the latest version. Save it to your home directory. If you
want SSL support (so that Nikto can scan files and directories only
accessible via HTTPS), you will need to have OpenSSL installed (it
comes installed on most major distributions) and also the Perl
Net_SSLeay module. Download the module from this website and save it to
your home directory. Once you have downloaded Nikto and Net_SSLeay,
open a terminal emulator (like konsole, gnome-terminal or xterm) and
enter the following commands (replace Nikto's and Net_SSLeay's version
numbers with the latest versions'):
Code:
$ cd ~
$ tar xzf Net_SSLeay.pm-1.30.tar.gz
$ cd Net_SSLeay.pm-1.30/
$ perl Makefile.PL
$ make
$ sudo make install    # installing into the system Perl tree needs root
$ cd ~
$ tar xzf nikto-current.tar.gz
$ cd nikto-1.35/
You have just extracted and installed the Net_SSLeay module, and
extracted and changed into Nikto's directory. To run Nikto, type:
Code:
$ ./nikto.pl
If you want nmap support (Nikto can use nmap to portscan target
webservers), you will have to install it. On Ubuntu, type sudo apt-get
install nmap in a terminal window. If nmap is not in your
distribution's repositories, you will have to compile it manually.
Updating Nikto
You can update Nikto like so:
Code:
$ ./nikto.pl -update
Simple.
Nikto's Parameters
Here is a concise list of Nikto's parameters (add a space after each
one, followed by the value). You will need to learn these first – the
juicy stuff comes later, and only once you know how to apply these
appropriately to your own situation.
Code:
Parameter   Usage/Description
-host       The IP address or hostname of the webserver you want to scan.
-port       The port(s) of the host you wish to scan. Note: specifying port 443
            does NOT enable HTTPS scanning (see the -ssl option below). To
            specify multiple ports, separate them with commas, and port ranges
            with hyphens. For example, to scan ports 80, 440-443 and 8080, use:
            -port 80,440-443,8080
-ssl        Enable SSL support (HTTPS scanning).
-verbose    Verbose mode adds more detail to the scan's output (not always
            helpful – enable this if you want to see what Nikto is doing, and
            how the webserver is responding).
-id         Allows you to specify login details for both HTTP Basic
            Authentication and NTLM realms.
            For HTTP Basic Auth realms, the format is: -id username:password
            For NTLM realms, the format is: -id username:password:realm
-Cgidirs    Allows you to choose which CGI directories to scan. For example,
            "-Cgidirs none" will not scan for possible CGI directories, whereas
            "-Cgidirs all" will scan for all known ones. You can also scan
            specific directories, using (for example) -Cgidirs /cgi/. For more
            information, see the following section of this tutorial.
-evasion    If the host has an IDS installed, this allows you to attempt to
            evade it by encoding URLs in different ways. More on this later
            (although this will probably not get past advanced IDSs, like
            Snort, http://snort.org).
-Format     Choose the format in which to save the output. CSV, HTML and
            text (default) formats are available. Usage: -F htm, -F csv, or
            -F txt. This must be used with the -output parameter (see below).
-generic    This parameter tells Nikto not to use banner grabbing techniques,
            and to run a scan using all the methods and for all the potentially
            vulnerable objects it 'knows' of (stored in a database in its
            installation directory).
-mutate     Mutated checks are described in the following section – please
            refer to that.
-output     Stores Nikto's scan output in a file. To be used in conjunction
            with the -F parameter. Example usage: -output my_scan.csv -F csv
-vhost      This is one of the most important parameters – it allows you to
            specify which virtual host on the target webserver to scan. This
            is very useful when scanning a shared server, on which many
            virtual hosts may reside, as it allows you to scan just the one
            server you are interested in.
There are also a few lesser used ones (I, personally, have only ever
used the -cookies, -root and -update ones, but you may find that you
might need one of these in the future, so it's best to be aware of
them):
Code:
Parameter   Usage/Description
-dbcheck    This tells Nikto to check its database files to ensure that their
            syntax is correct. This parameter should only be used if you have
            modified one or more of the database files, which you should not
            do unless you are experienced and would like to add your own tests.
-debug      Outputs debug messages. These will let you know almost exactly
            what Nikto is doing, but it is almost like verbal diarrhoea – it
            gives TOO much information, most of which is hardly helpful (unless
            you want to discover how Nikto works without having to browse
            through its and LibWhisker's source code). Try -verbose before
            this option.
-cookies    Echoes (outputs) the cookies returned by the target webserver for
            an unauthenticated user (unless you have used the -id parameter),
            if any. This can sometimes produce 'interesting' information, so
            try it out, although it can equally produce a lot of garbage. This
            is entirely dependent on how the pages/scripts on the webserver
            are coded.
-findonly   This tells Nikto to portscan the target webserver to find the HTTP
            and HTTPS ports only, but not to scan them.
-nolookup   This tells Nikto not to resolve hostnames to IP addresses. For
            example, if there is a domain on the internet called
            http://examplewebsite2006.com, and you try to scan it using
            "./nikto.pl -nolookup -host examplewebsite2006.com", this will not
            work, as Nikto does not resolve ("find out") the IP address for
            that hostname.
-root       Allows you to specify from which point Nikto should begin
            scanning. For example, if I had the website
            http://examplewebsite2006.com, and I wanted Nikto to scan just the
            http://examplewebsite2006.com/files/ directory, I would run Nikto
            with the "-root /files" option.
-timeout X  If Nikto is scanning http://examplewebsite2006.com, and it is not
            receiving any data, it will (by default) wait for 10 seconds
            before stopping the scan. You can change this value to, for
            example, five, by using the following option: -timeout 5
-update     Tells Nikto to update its database. This parameter should be used
            by itself (with no other parameters). See the previous section for
            the correct usage.
-useproxy   This tells Nikto to use the proxy specified in the "Config.txt"
            file for all connections (only use this if you are behind a proxy).
Quick Tip: Most of these parameters can be shortened to just their first
letter. For example, instead of typing -host 192.168.1.102, you could
type -h 192.168.1.102.
All of the parameters can be shortened except the following, which
begin with the same letter as other, more popular parameters and so
cannot be abbreviated: -dbcheck, -update, -verbose
Understanding Nikto's Configuration File
Right – now that you know (and hopefully understand) Nikto's
parameters, I shall explain Nikto's configuration file (located in the
same directory as nikto.pl): Config.txt. This file is not only used for
some scanning configurations, but also for user options which should be
used every scan (such as a proxy, or the -generic parameter). An
example Config.txt file is shown below (I have removed some comments to
make it shorter):
Quote:
# CLIOPTS=-g -a
#NMAP=/usr/bin/nmap
#NMAPOPTS=
SKIPPORTS=21 111
DEFAULTHTTPVER=1.1
UPDATES=yes
MAX_WARN=20
# Prompt... if set to 'no' you'll never be asked for anything. Good for automation.
#PROMPTS=no
# PROXYHOST=127.0.0.1
# PROXYPORT=8080
# PROXYUSER=proxyuserid
# PROXYPASS=proxypassword
# send a cookie with all requests, helpful if auth cookie is needed
#STATIC-COOKIE=cookiename=cookievalue
# this must be defined or just /cgi-bin/ will be tried
@CGIDIRS=/cgi.cgi/ /webcgi/ /cgi-914/ /cgi-915/ /bin/ /cgi/ /mpcgi/ /cgi-bin/ /ows-bin/ /cgi-sys/ /cgi-local/ /htbin/ /cgibin/ /cgis/ /scripts/ /cgi-win/ /fcgi-bin/ /cgi-exe/ /cgi-home/ /cgi-perl/
# These are for nikto_mutate.plugin. Each will be substituted with *every* file and path!
# This can make for an insane number of checks.
@MUTATEDIRS=/....../ /members/ /porn/ /restricted/ /xxx/
@MUTATEFILES=xxx.htm xxx.html porn.htm porn.html
# Other variables that can be used in the scan DB
@ADMINDIRS=/admin/ /adm/
@USERS=adm bin daemon ftp guest listen lp mysql noaccess nobody nobody4 nuucp operator root smmsp smtp sshd sys test unknown uucp web www
@NUKE=/ /postnuke/ /postnuke/html/ /modules/ /phpBB/ /forum/
And a quick run down of this file:
1. # is a comment. Thus, any lines with a # in front of them will not
be used by Nikto.
2. The CLIOPTS line allows you to set the options to be used in every
scan. You can set your own (such as -g, or -generic) by uncommenting
the line and removing the -a from the end. You can add whatever other
parameters you wish, as long as they do not require a value.
3. The NMAP lines. Nikto's portscanning options are configured here. The
NMAP line allows you to point to nmap's location (and the following
line its options, such as -sV), and the SKIPPORTS line allows you to
choose which ports to avoid when portscanning the target webserver. If
these lines are commented, Nikto's inbuilt (and less powerful) scanner
is used instead.
4. The DEFAULTHTTPVER line allows you to choose which version of HTTP
to use. Version 1.1 (RFC 2616) is the most recent, and is used by
almost all webservers; however, you may come across a few which still
use HTTP Version 1.0, in which case you will have to change this value
to "1.0".
5. Proxy support for Nikto is available by uncommenting the PROXY lines
(remove the # in front of all of them) and replacing the details with
those of your proxy server.
6. The @CGIDIRS line sets all the default CGI directories' names (to
scan for). If you think there are any other popular ones, feel free to
add a space to the end of the line and add the name of the directory,
in the same format (e.g. /cgiwin/).
7. The MUTATE settings are (quite logically) used by Nikto's -mutate
parameter, and this vastly increases the time taken to scan the
webserver, as it runs a full scan for all the MUTATE files and
directories specified. The @MUTATEDIRS line specifies which directories
to look for when "mutate" scanning the webserver, as well as the ones
in the databases. That is, as well as looking for the standard
/scripts/ directory in the webserver's root directory to see if it
exists, it will also check every subdirectory for that same directory's
existence; for example, it will check /files/scripts/,
/welcome/scripts/, etc (assuming that those directories exist). In this
case, we are checking for pornographic content on websites, which could
be used legally to track down child pornographers (for example).
Similarly, the @MUTATEFILES line specifies which files to look for in
every directory and subdirectory existing on the target webserver, as
well as the ones in the databases. There is more on the -mutate
parameter in the following section (that's right – it's so damn
complicated that it gets a section of its own).
8. The @ADMINDIRS line allows you to set common names of administrator
directories, to help guess where the administrator panel is located in
web applications on the target webserver (if there are any).
9. The @USERS line is sometimes useful. For example, it could be used
to attempt to guess the names of public/user HTML directories on the
target webserver (with mod_userdir). Again, only if there are any, as
the majority of webservers do not use this.
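To make the two formats covered above concrete, here is an added example (my own code, not part of Nikto) that parses a Config.txt laid out like the one quoted, flags CLIOPTS entries that need a value (item 2), expands the -port syntax, and maps the first-letter abbreviations from the Quick Tip back to full parameter names. It assumes -mutate and -evasion take a value, and the sample config is constructed from the excerpt above.

```python
# Constructed Config.txt excerpt (CLIOPTS uncommented as in item 2, proxy lines still commented).
SAMPLE_CONFIG = """\
CLIOPTS=-g -verbose
#NMAP=/usr/bin/nmap
DEFAULTHTTPVER=1.1
# PROXYHOST=127.0.0.1
@CGIDIRS=/cgi.cgi/ /webcgi/ /cgi-bin/ /scripts/
@ADMINDIRS=/admin/ /adm/
"""
# Parameters from the lists above. Those that take a value cannot go in
# CLIOPTS; -mutate and -evasion are assumed here to take one as well.
NEEDS_VALUE = {"-host", "-port", "-id", "-Cgidirs", "-evasion", "-Format",
               "-mutate", "-output", "-vhost", "-root", "-timeout"}
FLAGS = {"-ssl", "-verbose", "-generic", "-dbcheck", "-debug", "-cookies",
         "-findonly", "-nolookup", "-update", "-useproxy"}
# Quick Tip: all but -dbcheck, -update, -verbose shorten to the first letter.
LONG_OF = {"-" + p[1]: p for p in NEEDS_VALUE | FLAGS
           if p not in {"-dbcheck", "-update", "-verbose"}}

def parse_config(text):
    """Split Config.txt into KEY=value scalars and @KEY=a b c lists.
    Lines starting with '#' are comments and contribute nothing (item 1)."""
    scalars, arrays = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # first '=' only (STATIC-COOKIE=a=b)
        if not sep:
            raise ValueError("malformed Config.txt line: " + raw)
        if key.startswith("@"):
            arrays[key[1:]] = value.split()
        else:
            scalars[key] = value
    return scalars, arrays

def bad_cliopts(cliopts):
    """Return CLIOPTS entries (long or abbreviated) that require a value."""
    return [t for t in cliopts.split() if LONG_OF.get(t, t) in NEEDS_VALUE]

def expand_ports(spec):
    """Expand the -port syntax (commas, hyphen ranges) into a sorted port list."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port range: " + part)
        ports.update(range(lo, hi + 1))
    return sorted(ports)
```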
Original Tutorial by
j_k9 for TheTAZZone-TAZForum
Originally posted on August 21st, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.