REVEAL THE HOLES IN YOUR WEBSERVER: NIKTO 1.35 CONT...
IDS Evasion
There are nine different Techniques you can use to try to evade the
IDS. Here's a list of them (taken from nikto_usage.txt):
1 Random URI encoding (non-UTF8)
2 Add directory self-reference /./
3 Premature URL ending
4 Prepend long random string to request
5 Fake parameters to files
6 TAB as request spacer instead of spaces
7 Random case sensitivity
8 Use Windows directory separator \ instead of /
9 Session splicing
To use a Technique (eg. Technique 3), add the parameter and value to
the scan: -e 3
You can also use multiple Techniques by stringing the values together:
-e 13468
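To see what these Techniques actually do to a request, here is an added example of the defender's side of the same trick (my own code, not Nikto's or LibWhisker's): a small request normaliser that undoes the URI-level evasions (1, 2, 4, 5, 6, 7 and 8) so that a signature such as /cgi-bin/test-cgi still matches whatever encoding the request arrived in. The sample request lines are constructed, and the shape assumed for Technique 4 (a junk directory backed out again with /../) is my assumption, not something stated in nikto_usage.txt. Techniques 3 and 9 work on request framing and TCP segmentation, which a URI normaliser cannot see.

```python
"""Normalize HTTP request lines so that path signatures still match after
URI-level IDS evasion. Added example for this tutorial; not Nikto or
LibWhisker code. Of the nine techniques listed above it covers the ones
that rewrite the URI: 1 (percent-encoding), 2 (/./ self-references),
4 (assumed here to be a bogus leading directory backed out with /../),
5 (fake query parameters), 6 (TAB as request spacer), 7 (random case) and
8 (backslash separators). Techniques 3 and 9 act on request framing and
TCP segmentation and are not addressed by a URI normalizer.
"""
from urllib.parse import unquote

# Constructed evasion variants of one signature path from the scan output
# in this tutorial; every one of them should normalize to /cgi-bin/test-cgi.
EVASION_SAMPLES = [
    "GET /cgi-bin/te%73t-c%67i HTTP/1.0",             # 1: percent-encoded bytes
    "GET /./cgi-bin/./test-cgi HTTP/1.0",             # 2: /./ self-references
    "GET /zxq9v1pr2m/../cgi-bin/test-cgi HTTP/1.0",   # 4: junk dir + /../ (assumed form)
    "GET /cgi-bin/test-cgi?foo=bar&x=1 HTTP/1.0",     # 5: fake parameters
    "GET\t/cgi-bin/test-cgi\tHTTP/1.0",               # 6: TAB as spacer
    "GET /CgI-BiN/TeSt-CgI HTTP/1.0",                 # 7: random case
    "GET \\cgi-bin\\test-cgi HTTP/1.0",               # 8: Windows separators
    "GET /cgi-bin/%2e%2e/cgi-bin/test-cgi HTTP/1.0",  # 1 + 4 combined
]


def split_request_line(line):
    """Split 'METHOD URI VERSION'. str.split() with no argument splits on any
    whitespace run, so a TAB spacer (technique 6) is handled like a space."""
    parts = line.strip().split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    return parts[0], parts[1], parts[2]


def normalize_uri(uri, max_decode_rounds=3):
    """Return a canonical lower-case path: no query string, no dot segments,
    no backslashes and no percent-encoding (bounded rounds for double encoding)."""
    path = uri.split("?", 1)[0]                      # technique 5: drop query
    for _ in range(max_decode_rounds):               # technique 1: percent-decode
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/").lower()           # techniques 8 and 7
    segments = []
    for seg in path.split("/"):                      # techniques 2 and 4
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def normalized_paths(request_lines):
    """Map each request line to its canonical path, which is what a detector
    should compare against its signature list."""
    return [normalize_uri(split_request_line(line)[1]) for line in request_lines]


if __name__ == "__main__":
    for line, path in zip(EVASION_SAMPLES, normalized_paths(EVASION_SAMPLES)):
        print("%-50r -> %s" % (line, path))
```

Every line in the sample list collapses to the same string, which is the whole point: a signature engine that matches on the raw request line is easy to slip past, and one that canonicalises first is not. The normaliser is deliberately strict (dot segments above the root are dropped rather than rejected) because its job is to recover what the webserver will see, not to validate the request.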
The Wonders Of Mutation
It's not often that you get to say that, eh?
Back to Nikto. If you do not know what mutation is (in this context),
please read the MUTATE point in the last section, as that describes
what it does (well, actually, it is a very simple description of what
it does). There are four different mutation techniques, all of which
are described below.
Technique 1 tests all files with all root directories. This means that
it looks in all directories for the files in the @MUTATEFILES line in
Config.txt and for the files in the databases.
Technique 2 guesses for password filenames, so, if you're in luck, you
might find a passwd.txt file which the webmaster has innocently put
there to remind himself of the admin panel's login details.
Technique 3 performs user enumeration against Apache webservers by
checking /~user directories. What I mean by this is that some
webservers are set to allow users to create their own sort of
"subwebsites," such as the following real-world (and well-known)
example: http://catb.org/~esr/. This Technique abuses the incorrect
configuration of public_html (used by mod_userdir) in Apache's
configuration file, httpd.conf, to enumerate users.
Technique 4 is similar to Technique 3, however, it uses the
/cgi-bin/cgiwrap/~ method instead.
If, for example, you wanted to use Technique 2, you would add the
following parameter to the scan: -mutate 2. It's as easy as that.
That's all you need to know about the -mutate parameter!
Real-World Examples
Here are some real scans that I have performed on public webservers.
Yes, I should be doing this on my own webserver, and no, I am not going
to use this information to exploit the webservers – gathering this
information is, as far as I know, not at all illegal.
Click on the screenshot below (Figure 1) to see a default scan of
Google in action.
[Figure 1: screenshot of a default Nikto scan of Google]
The output has been sanitized to protect the websites, but it is very
much real. Consider this output for learning and demonstration purposes
only. To begin with, here is a standard scan of a virtual host on a
shared server:
Quote:
max@rocks0lid:~/nikto-1.35$ ./nikto.pl -h 66.57.185.54 -vhost
isntthisnicee.com
---------------------------------------------------------------------------
- Nikto 1.35/1.34 - www.cirt.net
+ Target IP: 66.57.185.54
+ Target Hostname: protected.1n1.com
+ Target Port: 80
+ Virtual Host: isntthisnice.com
+ Start Time: Tue Aug 22 02:56:57 2006
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to
override
+ Server: Apache/1.3.37 (Unix) mod_fastcgi/2.4.2
mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4
FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
- Retrieved X-Powered-By header: PHP/4.4.3
+ PHP/4.4.3 appears to be outdated (current is at least 5.0.3)
+ Apache/1.3.37 appears to be outdated (current is at least
Apache/2.0.54). Apache 1.3.33 is still maintained and considered secure.
+ FrontPage/5.0.2.2635.SR1.2 appears to be outdated (current is at
least 5.0.4.3) (may depend on server version)
+ OpenSSL/0.9.7a appears to be outdated (current is at least 0.9.7e)
(may depend on server version)
+ 2.4.2 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4
FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b -
TelCondex Simpleserver 2.13.31027 Build 3289 and below allow directory
traversal with '/.../' entries.
+ mod_ssl/2.8.2 - mod_ssl 2.8.7 and lower are vulnerable to a remote
buffer overflow which may allow a remote shell (difficult to exploit).
CAN-2002-0082.
+ FrontPage -
http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
+ /cgi-bin/main_menu.pl - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/printenv - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/printenv - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/search - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/test-cgi - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/test-cgi - Needs Auth: (realm "cgi-bin")
+ /icons/ - Directory indexing is enabled, it should only be enabled
for specific directories (if required). If indexing is not used all,
the /icons directory should be removed. (GET)
+ /manual/images/ - Apache 2.0 directory indexing is enabled, it should
only be enabled for specific directories (if required). Apache's manual
should be removed and directory indexing disabled. (GET)
+ /test - Redirects to http://isntthisnice.com/test/ , Apache Tomcat
default file found. All default files should be removed.
+ /cgi-sys/Count.cgi - This may allow attackers to execute arbitrary
commands on the server (GET)
+ /cgi-sys/formmail.pl - Many versions of FormMail have remote
vulnerabilities, including file access, information disclosure and
email abuse. FormMail access should be restricted as much as possible
or a more secure solution found. (GET)
+ /cgi-sys/guestbook.cgi - May allow attackers to execute commands as
the web daemon. (GET)
+
/?mod=<script>alert(document.cookie)</script>&op=browse
- Sage 1.0b3 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
(GET)
+ / - TRACE option appears to allow XSS or credential theft. See
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for
details (TRACE)
+
/cgi-bin/.cobalt/message/message.cgi?info=%3Cscript%3Ealert%28%27alert%27%29%3B%3C/script%3E
- Needs Auth: (realm "cgi-bin")
+ /cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi - Needs Auth: (realm
"cgi-bin")
+ /cgi-bin/admin/admin.cgi - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/admin/setup.cgi - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/bigconf.cgi - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/common/listrec.pl - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/csv_db.cgi?file=|id| - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/handler - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/jammail.pl?job=showoldmail&mail=|id| - Needs Auth:
(realm "cgi-bin")
+ /cgi-bin/MachineInfo - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/pfdisplay.cgi - Needs Auth: (realm "cgi-bin")
+
/cgi-bin/test2.pl?<script>alert('Vulnerable');</script>
- Needs Auth: (realm "cgi-bin")
+ /cgi-bin/webdist.cgi - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/wrap - Needs Auth: (realm "cgi-bin")
+ /cgi-sys/cgiecho - Redirects to
http://web.mit.edu/wwwdev/cgiemail/nopath.html , Default CGI, often
with a hosting manager of some sort. No known problems, but host
managers allow sys admin via web
+ /cgi-sys/cgiemail - Redirects to
http://web.mit.edu/wwwdev/cgiemail/nopath.html , Default CGI, often
with a hosting manager of some sort. No known problems, but host
managers allow sys admin via web
+ /cgi-sys/domainredirect.cgi - Redirects to
http://protected.1n1.com/domainunknown.html , Default CGI, often with a
hosting manager of some sort. No known problems, but host managers
allow sys admin via web
+ /cgi-sys/entropysearch.cgi - Default CGI, often with a hosting
manager of some sort. No known problems, but host managers allow sys
admin via web (GET)
+ /cgi-sys/FormMail-clone.cgi - Default CGI, often with a hosting
manager of some sort. No known problems, but host managers allow sys
admin via web (GET)
+ /cgi-sys/mchat.cgi - Default CGI, often with a hosting manager of
some sort. No known problems, but host managers allow sys admin via web
(GET)
+ /cgi-sys/scgiwrap - Default CGI, often with a hosting manager of some
sort. No known problems, but host managers allow sys admin via web (GET)
+ /cpanel/ - Redirects to http://isntthisnice.com:2082 , Web-based
control panel
+ /img-sys/ - Default image directory should not allow
directory listing. (GET)
+ /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 - PHP reveals
potentially sensitive information via certain HTTP requests which
contain specific QUERY strings. OSVDB-12184. (GET)
+ /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 - PHP reveals
potentially sensitive information via certain HTTP requests which
contain specific QUERY strings. OSVDB-12184. (GET)
+ /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 - PHP reveals
potentially sensitive information via certain HTTP requests which
contain specific QUERY strings. OSVDB-12184. (GET)
+ /index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 - PHP reveals
potentially sensitive information via certain HTTP requests which
contain specific QUERY strings. OSVDB-12184. (GET)
+
/index.php?err=3&email=\"><script>alert(document.cookie)</script>
- MySQL Eventum is vulnerable to XSS. OSVDB-12606. (GET)
+ /index.php?module=My_eGallery - My_eGallery prior to 3.1.1.g are
vulnerable to a remote execution bug via SQL command injection. (GET)
+
/index.php?option=search&searchword=<script>alert(document.cookie);</script>
- Mambo Site Server 4.0 build 10 is vulnerable to Cross Site Scripting
(XSS). CA-2000-02. (GET)
+
/index.php?top_message=<script>alert(document.cookie)</script>
- Led-Forums allows any user to change the welcome message, and it is
vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+
/index.php/\"><script><script>alert(document.cookie)</script><
- eZ publish v3 and prior allow Cross Site Scripting (XSS). CA-2000-02.
(GET)
+ Over 20 "OK" messages, this may be a by-product of the
+ server answering all requests with a "200 OK" message. You should
+ manually verify your results.
+ /java-sys/ - Default Java directory should not allow directory
listing. (GET)
+ /manual/ - Web server manual? tsk tsk. (GET)
+ /php.ini - This file should not be available through the web
interface. (GET)
+ /cgi-bin/dbmlparser.exe - Needs Auth: (realm "cgi-bin")
+ /cgi-bin/icat - Needs Auth: (realm "cgi-bin")
+ /forums/ - This might be interesting... (GET)
+ /bandwidth/index.cgi - Needs Auth: (realm "Bandmin")
+ /index.php?base=test%20 - This might be interesting... has been seen
in web logs from an unknown scanner. (GET)
+ /index.php?IDAdmin=test - This might be interesting... has been seen
in web logs from an unknown scanner. (GET)
+ /index.php?pymembs=admin - This might be interesting... has been seen
in web logs from an unknown scanner. (GET)
+ /index.php?SqlQuery=test%20 - This might be interesting... has been
seen in web logs from an unknown scanner. (GET)
+ /index.php?tampon=test%20 - This might be interesting... has been
seen in web logs from an unknown scanner. (GET)
+
/index.php?topic=&lt;script&gt;alert(document.cookie)&lt;/script&gt;%20
- This might be interesting... has been seen in web logs from an
unknown scanner. (GET)
+ Over 20 "OK" messages, this may be a by-product of the
+ server answering all requests with a "200 OK" message. You should
+ manually verify your results.
+ 2563 items checked - 32 item(s) found on remote host(s)
+ End Time: Tue Aug 22 03:23:27 2006 (1590 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
As you can see, the standard scan outputs a _LOT_ of information, so
you'll need to sit down and read every potential hole. As you should be
scanning your own server, you should then check those potential
vulnerabilities to see if Nikto has reported a false positive or if the
hole really is there.
Another thing you should know is that the lines that begin with a + are
result lines, not errors – the + and - signs are just Nikto's markers for
result and informational lines.
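Since the standard scan dumps this much, it helps to get it into a structure before reading every line. The following is an added example (my own code, not part of Nikto) that parses pasted 1.x output into info/meta/finding/note records, pulls out the path, method, OSVDB/CVE references and the "Needs Auth" marker, and flags the 'Over 20 "OK"' warning, which is the single most useful hint that you are looking at false positives. The sample is a cut-down copy of the scan above; the line-joining rules are heuristics for the copy-pasted format rather than anything Nikto specifies.

```python
"""Parse pasted Nikto 1.x output into records for triage. Added example, not
Nikto's code; the line-joining rules are heuristics for the copy-pasted
format. Kinds: info ("- ..."), meta ("+ Key: value"), finding
("+ /path - description (METHOD)"), note (any other "+" line). A line with
no prefix continues the previous record; "- ..." right after a bare path
continues that finding; "+" note lines merge until one ends with a period."""
import re
from dataclasses import dataclass

META_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): (.*)$")
FINDING_RE = re.compile(r"^(\S+) - (.*?)(?: \((GET|POST|HEAD|TRACE|OPTIONS)\))?$")
REF_RE = re.compile(r"\b((?:OSVDB|CVE|CAN|CA)-\d+(?:-\d+)?)\b")

# Constructed sample: a cut-down copy of the scan in this tutorial, keeping
# the wrapped-line shapes that make the pasted format awkward to parse.
SAMPLE = """\
- Nikto 1.35/1.34 - www.cirt.net
+ Target IP: 66.57.185.54
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to
override
+ Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
+ /cgi-bin/test-cgi - Needs Auth: (realm "cgi-bin")
+ /cgi-sys/Count.cgi - This may allow attackers to execute arbitrary
commands on the server (GET)
+ /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 - PHP reveals
potentially sensitive information via certain HTTP requests which
contain specific QUERY strings. OSVDB-12184. (GET)
+
/?mod=<script>alert(document.cookie)</script>&op=browse
- Sage 1.0b3 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
(GET)
+ Over 20 "OK" messages, this may be a by-product of the
+ server answering all requests with a "200 OK" message. You should
+ manually verify your results.
+ 2563 items checked - 32 item(s) found on remote host(s)
"""


@dataclass
class Record:
    kind: str
    text: str
    path: str = ""
    description: str = ""
    method: str = ""
    refs: tuple = ()
    needs_auth: bool = False


def _kind(prefix, body):
    if prefix == "-":
        return "info"
    if body.startswith("/"):
        return "finding"
    return "meta" if META_RE.match(body) else "note"


def _join_wrapped(text):
    """Re-join wrapped output into [prefix, body] pairs."""
    raw = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or not line.strip("-"):  # blank line or separator rule
            continue
        if line[0] in "+-" and (len(line) == 1 or line[1] == " "):
            prefix, body = line[0], line[1:].strip()
        else:
            prefix, body = "", line.strip()
        prev = raw[-1] if raw else None
        if prev is not None and (
            prefix == ""
            or (prefix == "-" and prev[0] == "+"
                and prev[1].startswith("/") and " - " not in prev[1])
            or (prefix == "+" and prev[0] == "+" and not prev[1].endswith(".")
                and _kind("+", prev[1]) == _kind("+", body) == "note")
        ):
            piece = "- " + body if prefix == "-" else body
            prev[1] = (prev[1] + " " + piece).strip()
        else:
            raw.append([prefix, body])
    return raw


def parse_nikto(text):
    records = []
    for prefix, body in _join_wrapped(text):
        rec = Record(kind=_kind(prefix, body), text=body)
        if rec.kind == "finding":
            m = FINDING_RE.match(body)
            if m:
                rec.path, rec.description, rec.method = m.group(1), m.group(2), m.group(3) or ""
            else:
                rec.path = body.split(" ", 1)[0]
            rec.refs = tuple(REF_RE.findall(body))
            rec.needs_auth = "Needs Auth:" in body
        records.append(rec)
    return records


def summarize(text):
    """What a reviewer wants before reading every line, including the flag
    that matters most for false positives: the 'Over 20 "OK"' warning."""
    recs = parse_nikto(text)
    findings = [r for r in recs if r.kind == "finding"]
    return {"findings": len(findings),
            "needs_auth": sum(1 for r in findings if r.needs_auth),
            "with_refs": sum(1 for r in findings if r.refs),
            "possibly_all_200": any('Over 20 "OK"' in r.text for r in recs)}
```

Sorting by the summary keys is a sensible triage order: anything with a reference identifier first, then the unreferenced findings, and the "Needs Auth" entries last, since those only tell you that a path exists behind authentication. When possibly_all_200 is set, treat the whole list as unverified until you have confirmed that the server really does return a 404 for a nonsense path.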
I am afraid that I do not have enough time to perform more scans, but,
as you can see, it is really just a matter of stringing a few
parameters together and scanning the server. The results are not
difficult to understand, so you should be able to check out anything
interesting.
To show you what I mean by "interesting," here's a line from the output
of a scan on a remote server:
Quote:
+ /~root - Enumeration of users is possible by requesting ~username
(responds with Forbidden for real users, not found for non-existent
users) (GET).
This is practically telling us to use the third and fourth mutation
Techniques!
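That line is also exactly the signal a defender can watch for. The following added example (my own code, not Nikto's) runs over constructed Apache access-log lines and reports clients that have requested many different /~name paths, splitting them by the Forbidden-versus-Not-Found difference the quote describes. The log format is assumed to be Apache's common/combined format, and the alert threshold is a tuning choice, not a value from this tutorial.

```python
"""Spot ~user enumeration in an Apache access log. Added example for this
tutorial, not Nikto's code. Assumes the common/combined log format and the
behaviour quoted above: a real user's /~name answers 403 Forbidden (or 2xx
when public_html exists), a non-existent one 404. Log lines are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)
USERDIR_RE = re.compile(r"^/~([^/?]+)")

# Constructed access-log lines: one client sweeping /~names, one normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Aug/2006:02:57:01 +0000] "GET /~root HTTP/1.0" 403 292
203.0.113.5 - - [22/Aug/2006:02:57:01 +0000] "GET /~admin HTTP/1.0" 404 289
203.0.113.5 - - [22/Aug/2006:02:57:02 +0000] "GET /~test HTTP/1.0" 404 288
198.51.100.7 - - [22/Aug/2006:02:57:02 +0000] "GET /index.php HTTP/1.1" 200 4120
203.0.113.5 - - [22/Aug/2006:02:57:02 +0000] "GET /~webmaster HTTP/1.0" 404 293
203.0.113.5 - - [22/Aug/2006:02:57:03 +0000] "GET /~esr HTTP/1.0" 403 291
198.51.100.7 - - [22/Aug/2006:02:57:03 +0000] "GET /~esr/ HTTP/1.1" 200 8731
203.0.113.5 - - [22/Aug/2006:02:57:03 +0000] "GET /~nobody HTTP/1.0" 404 290
""".splitlines()


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_userdir_enumeration(lines, min_distinct=4):
    """Return {ip: summary} for clients that requested at least min_distinct
    different /~name paths (the threshold is a tuning knob, not a value from
    the tutorial). The 403/404 split is reported because that difference is
    exactly what leaks which accounts exist."""
    probes = defaultdict(dict)  # ip -> {username: first status seen}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = USERDIR_RE.match(rec["uri"])
        if m:
            probes[rec["ip"]].setdefault(m.group(1), rec["status"])
    alerts = {}
    for ip, users in probes.items():
        if len(users) >= min_distinct:
            alerts[ip] = {
                "probed": len(users),
                "likely_real": sorted(u for u, s in users.items() if s != 404),
                "not_found": sorted(u for u, s in users.items() if s == 404),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_userdir_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

Besides spotting the sweep after the fact, the fix is on the server: if per-user web space is not a feature you actually offer, the mod_userdir directive UserDir disabled removes the /~name mapping altogether, and with it the 403/404 difference that the third and fourth mutation Techniques feed on.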
One final thing that I would like to point out is that Nikto is not a
very stealthy tool. Its actions will usually be logged, whether by a
TCP wrapper, a module (such as Apache's mod_security), or an IDS (the
IDS evasion techniques do not work all the time).
Enjoy!
DISCLAIMER: I do NOT encourage you to use this tool for illegal
purposes, and I am not to be held responsible if it causes any damage
or gets you into any trouble.
References:
- nikto_usage.txt (included with Nikto in the relative /docs/ directory)
- Anti-Hacker Toolkit (book)
[edit] I'm sorry about the parameter description section - copying and
pasting from OpenOffice.org messed up the tabbed layout.
Original Tutorial by
j_k9 for TheTAZZone-TAZForum
Originally posted on August 21st, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.