
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Nikto allows penetration testers and ethical hackers to perform a full web server scan to discover security flaws and vulnerabilities. This security scan gathers results by detecting insecure file and app patterns, outdated server software and default file names as well as server and software misconfigurations.

It includes support for proxies, host-based authentication, SSL encryption and much more.

Main features include (see the documentation for a full list of features and how to use them):

  • SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
  • Full HTTP proxy support
  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Template engine to easily customize reports
  • Scan multiple ports on a server, or multiple servers via input file (including nmap output)
  • LibWhisker’s IDS encoding techniques
  • Easily updated via command line
  • Identifies installed software via headers, favicons and files
  • Host authentication with Basic and NTLM
  • Subdomain guessing
  • Apache and cgiwrap username enumeration
  • Mutation techniques to “fish” for content on web servers
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Guess credentials for authorization realms (including many default id/pw combos)
  • Authorization guessing handles any directory, not just the root directory
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Reports “unusual” headers seen
  • Interactive status, pause and changes to verbosity settings
  • Save full request/response for positive tests
  • Replay saved positive requests
  • Maximum execution time per target
  • Auto-pause at a specified time
  • Checks for common “parking” sites
  • Logging to Metasploit
  • Thorough documentation

Source: https://www.cirt.net/Nikto2

Nikto Installation on Ubuntu

On a default installation of Ubuntu, launch a terminal and, using a standard user account, download the latest version of Nikto.

test@ubuntu:~$ wget https://github.com/sullo/nikto/archive/master.zip

You can unpack it with an archive manager tool or with unzip from the command line, then run nikto.pl from the program directory.

test@ubuntu:~$ unzip master.zip
test@ubuntu:~$ cd nikto-master/program
test@ubuntu:~/nikto-master/program$ perl nikto.pl

You should see the following output after running nikto.pl; this is the result from a working installation:

test@ubuntu:~/nikto-master/program$ perl nikto.pl 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: No host or URL specified

       -config+            Use this config file
       -Display+           Turn on/off display outputs
       -dbcheck            check database and other key files for syntax errors
       -Format+            save file (-o) format
       -Help               Extended help information
       -host+              target host/URL
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -output+            Write output to this file
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -root+              Prepend root value to all requests, format is /directory
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning
       -timeout+           Timeout for requests (default 10 seconds)
       -update             Update databases and plugins from CIRT.net
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
   		+ requires a value

	Note: This is the short help output. Use -H for full help text.

If you see errors about SSL support, it may be necessary to install the Perl SSL bindings with apt install libnet-ssleay-perl. Without SSL/TLS support you will not be able to test sites over HTTPS.

Starting a Nikto Web Scan

For a simple test we will scan a single host name. In the example below we are testing the virtual host (nikto-test.com) on 16x.2xx.2xx.1xx over HTTPS. The web server on the target responds to the Nikto tests as it would to any other request; we can see from the results that the target is a WordPress based site.

test@ubuntu:~/nikto-master/program$ perl nikto.pl -host https://nikto-test.com
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          16x.2xx.2xx.1xx
+ Target Hostname:    nikto-test.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=nikto-test.com
                   Altnames: nikto-test.com
                   Ciphers:  ECDHE-RSA-AES128-GCM-SHA256
                   Issuer:   /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+ Start Time:         2018-06-26 12:03:53 (GMT10)
---------------------------------------------------------------------------
+ Server: nginx/1.4.6 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with multiple values: (; rel="https://api.w.org/",; rel=shortlink,)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ 5567 items checked: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2018-06-25 11:14:46 (GMT0) (8129 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

In the output we can see the items that Nikto flagged as interesting, as well as the time taken for the scan and the total number of items tested. If we review the web server logs we will be able to see the different items that were tested by the scanner.

Nikto and the Web Server

Let's review the web server logs. An important thing to understand when testing a site with Nikto is the amount of noise this creates in the web server log files. Essentially Nikto is testing for the presence of thousands of possible web paths and checking the response from the web server, which for most items will be a 404 Not Found.

Here is a sample from an Nginx web server being tested by Nikto.

203.xxx.xxx.xxx - - [25/Jun/2018:23:09:08 -0400] "GET /iissamples/sdk/asp/docs/Winmsdp.exe?Source=/IISSAMPLES/%c0%ae%c0%ae/default.asp HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003021)"
203.xxx.xxx.xxx - - [25/Jun/2018:23:09:09 -0400] "GET /iissamples/exair/howitworks/Winmsdp.exe HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003022)"
203.xxx.xxx.xxx - - [25/Jun/2018:23:09:10 -0400] "GET /%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003023)"
203.xxx.xxx.xxx - - [25/Jun/2018:23:09:12 -0400] "GET /%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003024)"
203.xxx.xxx.xxx - - [25/Jun/2018:23:09:13 -0400] "GET /conspass.chl+ HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003025)"
203.xxx.xxx.xxx - - [25/Jun/2018:23:09:15 -0400] "GET /consport.chl+ HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003026)"
203.xxx.xxx.xxx - - [25/Jun/2018:23:09:16 -0400] "GET /general.chl+ HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003027)"
203.xxx.xxx.xxx - - [25/Jun/2018:23:09:18 -0400] "GET /srvstatus.chl+ HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003028)"

Unless your intrusion detection or server monitoring is broken, over 5000 of these hits in the web log will probably trigger a few alarms. It is very unlikely that they will cause an impact on the server, but they are certainly easy to spot: the Nikto User-Agent is visible in every log entry.
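As an added example (not part of the original article), here is a small Python detector that parses combined-format access log lines like the ones above and flags a client either by the Nikto User-Agent string or by a burst of 404 responses within a short window, which still catches a scan if the User-Agent has been changed. The log lines, addresses and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in combined log format, modelled on the entries above
# (addresses and paths are made up for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2018:23:09:08 -0400] "GET /iissamples/sdk/asp/docs/Winmsdp.exe HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003021)"
203.0.113.7 - - [25/Jun/2018:23:09:09 -0400] "GET /conspass.chl+ HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003025)"
203.0.113.7 - - [25/Jun/2018:23:09:10 -0400] "GET /srvstatus.chl+ HTTP/1.1" 404 16611 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:003028)"
198.51.100.4 - - [25/Jun/2018:23:09:12 -0400] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Nikto identifies itself in the User-Agent (version and test id) unless the UA is changed
NIKTO_UA_RE = re.compile(r'\(Nikto/(?P<version>[\d.]+)\).*\(Test:(?P<test>\d+)\)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)  # returns None for lines that are not combined-format
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    nk = NIKTO_UA_RE.search(rec["ua"])
    rec["nikto"] = nk.groupdict() if nk else None  # {'version','test'} or None
    return rec

def detect_scanners(log_text, window_s=60, min_404=3):
    """Return {ip: [reasons]} for clients with a Nikto UA or >= min_404 404s inside window_s seconds."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        reasons = []
        ua_hits = [r for r in recs if r["nikto"]]
        if ua_hits:
            reasons.append("nikto-ua:" + ua_hits[0]["nikto"]["version"])
        misses = sorted(r["ts"] for r in recs if r["status"] == 404)  # 404 timestamps
        for i in range(len(misses) - min_404 + 1):  # any min_404 consecutive 404s within window?
            if (misses[i + min_404 - 1] - misses[i]).total_seconds() <= window_s:
                reasons.append("404-burst:%d in %ds" % (min_404, window_s))
                break
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Tune window_s and min_404 to your site's normal 404 rate; the single 404 from the second client is not flagged.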

Selecting the Target

Since the tool is checking for valid paths, it is important to remember that hitting a web server on different virtual host names, directly on the IP address and even on sub paths off the root of the site will give different results.

Let's take phpMyAdmin as an example: it is a common tool for managing MySQL databases and can also be a good target for an attacker if it has not been patched or is poorly managed. This application could be installed and available at https://2xx.xxx.xxx.xxx/phpmyadmin/, https://mywebsite.com/phpmyadmin/ or http://mywebsite.com/admin/phpmyadmin/. So to find this application using Nikto we would have to target all three locations, and some servers might have hundreds of virtual hosts.

I am not suggesting running Nikto hundreds of times against every server, but some consideration should be given to where to target the scan most effectively. Similar considerations come into play when performing simple file / directory brute forcing using Burp Suite or other web application testing tools.

Conclusion

Nikto continues to be an excellent web server testing tool, finding all sorts of obscure issues, whether it's directory indexing, admin panels or remote code execution in a rare web application. Take the time to run it and be surprised.

Hope this article is helpful for you. Thank you.
