My Experience With Nikto 2

Nikto version 2 has just been released on November 10, 2007. It has many new features over its predecessor.

Here are some of them (taken from the CHANGELOG file):

  • Rewrite of nikto_httpoptions.plugin to read the Public header
  • Add some normalizations to the -root option variable
  • Added -Display with options for suppressing redirects & cookies from being included in output
  • Added -Tuning options to let users specify what they would like to test, or exclude certain categories
  • All new HTML report
  • Use libwhisker version 2
  • Changed scan_database.db format significantly (and name), (and all the code to deal with tests)
  • Completely new 404 engine which causes less false-positives
  • Created dump_lw_hash instead of dump_request_hash & dump_result_hash
  • Implemented a knowledge base which (should) store all the gory details of scans
  • Moved pre-defined variables from config.txt to variables.db so they can be automagically updated
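Of the changes listed above, the new 404 engine is the one that matters most for scan quality: a server that answers every unknown path with a 200 and a friendly error page would otherwise make every file check in the database look like a hit. The following Python is an added illustration of the general technique (my own example, not Nikto's code): request a name that cannot exist to learn what "not found" looks like for that extension, then treat any later response with the same status and the same normalised body as a miss even when the status is 200. The server is a constructed stand-in so the script runs offline; the dictionary of "real" files and the error template are made up for the example.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


def random_path(ext=""):
    """A path that cannot exist on the target, used to elicit its 'not found' page."""
    return "/" + secrets.token_hex(8) + ext


def normalize(body, path):
    """Remove what varies between two renderings of the same error template:
    the echoed request path, digits (timestamps, sizes, request ids) and whitespace."""
    body = body.replace(path, "")
    body = re.sub(r"\d+", "", body)
    body = re.sub(r"\s+", " ", body)
    return body.strip().lower()


def fingerprint(resp, path):
    digest = hashlib.sha1(normalize(resp.body, path).encode()).hexdigest()
    return (resp.status, digest)


def extension_of(path):
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


class NotFoundEngine:
    """Learns, per file extension, what the target returns for a missing file,
    then classifies candidate responses against that baseline."""

    def __init__(self, fetch):
        self.fetch = fetch          # callable(path) -> Response
        self.baselines = {}         # extension -> (status, body digest)

    def learn(self, ext):
        probe = random_path(ext)
        self.baselines[ext] = fingerprint(self.fetch(probe), probe)

    def exists(self, path):
        ext = extension_of(path)
        if ext not in self.baselines:
            self.learn(ext)
        resp = self.fetch(path)
        if resp.status == 404:
            return False
        # Same status and same normalised body as a random name: a "soft 404".
        return fingerprint(resp, path) != self.baselines[ext]


def naive_exists(fetch, path):
    """The check the new engine replaces: anything but a 404 counts as found."""
    return fetch(path).status != 404


# Constructed stand-in for a target that answers unknown paths with 200 and a
# custom error page (not a real server; data made up for this example).
REAL_FILES = {
    "/robots.txt": Response(200, "User-agent: *\nDisallow: /private/\n"),
    "/icons/": Response(200, "<html><head><title>Index of /icons</title></head>"
                             "<body><a href='/'>Parent Directory</a></body></html>"),
}


def soft404_server(path):
    if path in REAL_FILES:
        return REAL_FILES[path]
    return Response(200, "<html><body>Sorry, %s could not be found. "
                         "Error 404, request id %d</body></html>" % (path, len(path) * 7919))


def compare(paths):
    """Run both strategies over the same candidates; returns {path: (naive, engine)}."""
    engine = NotFoundEngine(soft404_server)
    return {p: (naive_exists(soft404_server, p), engine.exists(p)) for p in paths}


if __name__ == "__main__":
    candidates = ["/robots.txt", "/icons/", "/test.php", "/cgi-bin/htsearch"]
    for path, (naive, smart) in compare(candidates).items():
        print("%-20s naive=%-5s engine=%s" % (path, naive, smart))
```

Against this server the naive strategy reports all four candidates as present, while the baseline-aware engine keeps only /robots.txt and /icons/. Learning one baseline per extension matters because many servers route .php, .pl and static files through different handlers with different error pages.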

As far as I can see, the help message is now easier to read than in the previous version (1.3.6).

./nikto.pl -h
Option host requires an argument
—————————————————————————
– Nikto 1.36/1.37 – http://www.cirt.net
+ ERROR: No host specified

Options:
-Cgidirs+ Scan these CGI dirs: 'none', 'all', or a value like '/cgi/'
-cookies print cookies found
-evasion+ ids evasion technique (1-9, see below)
-findonly find http(s) ports only, don't perform a full scan
-Format save file (-o) Format: htm, csv or txt (assumed)
-generic force full (generic) scan
-host+ target host
-id+ host authentication to use, format is userid:password
-mutate+ mutate checks (see below)
-nolookup skip name lookup
-output+ write output to this file
-port+ port to use (default 80)
-root+ prepend root value to all requests, format is /directory
-ssl force ssl mode on port
-timeout timeout (default 10 seconds)
-useproxy use the proxy defined in config.txt
-Version print plugin and database versions
-vhost+ virtual host (for Host header)
-404+ treat pages with this content as 404
+ requires a value

These options cannot be abbreviated:
-config+ use this config file
-debug debug mode
-dbcheck syntax check scan_database.db and user_scan_database.db
-update update databases and plugins from cirt.net
-verbose verbose mode

IDS Evasion Techniques:
1 Random URI encoding (non-UTF8)
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Random case sensitivity
8 Use Windows directory separator (\)
9 Session splicing

Mutation Techniques:
1 Test all files with all root directories
2 Guess for password file names
3 Enumerate user names via Apache (/~user type requests)
4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)

./nikto.pl -h
Option host requires an argument
—————————————————————————
– Nikto 2.00/2.00 – http://www.cirt.net
+ ERROR: No host specified

-Cgidirs+ scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
-dbcheck check database and other key files for syntax errors (cannot be abbreviated)
-evasion+ ids evasion technique
-Format+ save file (-o) format
-host+ target host
-Help Extended help information
-id+ host authentication to use, format is userid:password
-mutate+ Guess additional file names
-output+ write output to this file
-port+ port to use (default 80)
-Display+ turn on/off display outputs
-ssl force ssl mode on port
-Single Single request mode
-timeout+ timeout (default 2 seconds)
-Tuning+ scan tuning
-update update databases and plugins from cirt.net (cannot be abbreviated)
-Version print plugin and database versions
-vhost+ virtual host (for Host header)
+ requires a value

Next I will compare the scan results between version 1.3.6 and 2.0:

./nikto.pl -host localhost
—————————————————————————
– Nikto 1.36/1.37 – http://www.cirt.net
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: Thu Nov 15 00:12:17 2007
—————————————————————————
– Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: My Web Server/7.0
+ /robots.txt – contains 1 'disallow' entry which should be manually viewed (added to mutation file lists) (GET).
+ Allowed HTTP Methods: GET,HEAD,POST,OPTIONS,TRACE
+ /cgi-bin//htsearch?exclude=%60/etc/passwd%60 – htsearch may reveal file system paths. (GET)
+ / – TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ 2549 items checked – 3 item(s) found on remote host(s)
+ End Time: Thu Nov 15 00:12:24 2007 (7 seconds)
—————————————————————————
+ 1 host(s) tested

./nikto.pl -host localhost
—————————————————————————
– Nikto 2.00/2.00 – http://www.cirt.net
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: 2007-11-16 0:13:00
—————————————————————————
+ Server: My Web Server/7.0
+ /robots.txt – contains 1 'disallow' entry which should be manually viewed (added to mutation file lists) (GET).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: GET /test.php%20 : The OmniHTTP install may allow php/shtml/pl script disclosure. Upgrade to the latest version.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ 4342 items checked: 4 item(s) found on remote host
+ End Time: 2007-11-16 0:13:00 (11 seconds)
—————————————————————————
+ 1 host(s) tested

***** Portions of the server's ident string (MyWebServer/7.0)
are not in the Nikto database or is newer than the known string.
Would you like to submit this information (*no server specific data*)
to CIRT.net for a Nikto update (or you may email to sullo@cirt.net)
(y/n)? n

From the results above, we can see that the new version checks more items (4342 against 2549), so it finds more. Findings are now tagged with OSVDB (Open Source Vulnerability Database) identifiers, which makes them easier to look up and to track across scans; OSVDB-0 is used for a check that has no OSVDB entry assigned. Two of the new lines deserve a second look before they go into a report: TRACE appears twice, once as a generic warning that the method is advertised in the Allow header (which, as the message itself says, does not prove XST) and once as the result of the actual TRACE request, so they are not independent findings; and the OmniHTTP script-disclosure check fired against a server whose banner is "My Web Server/7.0", which is exactly the kind of banner-independent match that needs manual confirmation. Finally, when the Server string is not in its database, Nikto 2 offers to submit it to CIRT.net so that the database can be updated.

If you want to see how Nikto checks each item, use the following command (beware, your eyes will tire very soon :D):

./nikto.pl -Display V -host localhost

The manual page included with the tarball has more thorough information, and -Help prints the extended help mentioned in the option list above.

BTW, I can't tell you whether both results are correct.
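Whether the findings in the 2.0 run above are right can be settled by hand, though. The script below is an added example (not from the post and not part of Nikto) that re-checks those four findings with a few raw HTTP requests: the Allow header returned by OPTIONS, whether TRACE actually echoes the request back (the condition that turns the OSVDB-877 warning into a real XST problem), whether /icons/ returns a directory listing, and which Disallow entries robots.txt carries. The analysis of each response is a pure function so it can be run on captured responses; check_host is the live variant, using http.client, and the sample responses at the bottom are constructed to mirror the scan output, not captured from a real server. The X-Xst-Marker header name and the marker value are arbitrary choices for this example.

```python
import http.client
import re


def allowed_methods(allow_header):
    """Parse the Allow header an OPTIONS request returns into a set of methods."""
    return {m.strip().upper() for m in (allow_header or "").split(",") if m.strip()}


def trace_reflected(body, marker):
    """TRACE enables cross-site tracing only when the server echoes the request back,
    headers included. We send a header carrying a marker and look for it in the body."""
    return marker in body


def directory_listing(body):
    """Apache-style auto-index pages have an 'Index of /...' title and a parent link."""
    return bool(re.search(r"<title>\s*Index of /", body, re.I)) or "Parent Directory" in body


def robots_disallows(body):
    """Return the non-empty Disallow entries of a robots.txt body (the ones to eyeball)."""
    entries = []
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip():
            entries.append(value.strip())
    return entries


def assess(allow_header, trace_body, icons_body, robots_body, marker):
    """Combine the four checks into one verdict dict; works on captured responses."""
    methods = allowed_methods(allow_header)
    return {
        "methods": methods,
        "trace_advertised": "TRACE" in methods,
        "trace_reflects": trace_reflected(trace_body, marker),
        "icons_listing": directory_listing(icons_body),
        "robots_disallow": robots_disallows(robots_body),
    }


MARKER = "nikto-recheck-7f3a"   # arbitrary; only has to be unlikely to occur naturally


def check_host(host, port=80, timeout=5):
    """Live version: run the four probes against a host you are authorised to test."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)

    def fetch(method, path, headers=None):
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        return resp, resp.read().decode("latin-1", "replace")

    options, _ = fetch("OPTIONS", "/")
    allow = options.getheader("Allow")
    _, trace_body = fetch("TRACE", "/", {"X-Xst-Marker": MARKER})
    _, icons_body = fetch("GET", "/icons/")
    _, robots_body = fetch("GET", "/robots.txt")
    conn.close()
    return assess(allow, trace_body, icons_body, robots_body, MARKER)


# Constructed responses modelled on the scan output (not captured from a real server).
SAMPLE_ALLOW = "GET, HEAD, POST, OPTIONS, TRACE"
SAMPLE_TRACE = ("TRACE / HTTP/1.1\r\nHost: localhost\r\n"
                "X-Xst-Marker: " + MARKER + "\r\n\r\n")
SAMPLE_ICONS = "<html><head><title>Index of /icons</title></head><body>...</body></html>"
SAMPLE_ROBOTS = "User-agent: *\nDisallow:\nDisallow: /private/\n"


if __name__ == "__main__":
    print(assess(SAMPLE_ALLOW, SAMPLE_TRACE, SAMPLE_ICONS, SAMPLE_ROBOTS, MARKER))
```

The useful distinction is between trace_advertised and trace_reflects: a server can list TRACE in Allow and still answer the method with 405, in which case only the first Nikto line holds and there is nothing for cross-site tracing to steal. An empty "Disallow:" line means "allow everything" and is deliberately skipped, so the count you get back matches what is worth viewing manually.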

Please don't use this tool against other people's web servers without written permission, or you may end up in jail. :D
