Nikto

From Security Lab Wiki


Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.



Description

Nikto is Perl software designed to find many types of web server problems, including:

  • Server and software misconfigurations
  • Default files and programs
  • Insecure files and programs
  • Outdated servers and programs

Nikto is built on LibWhisker and can run on any platform which has a PERL runtime, and supports SSL, proxies, host authentication, IDS evasion and more. It can be updated automatically from the command line, and supports the optional submission of updated version data back to the maintainers.

The name "Nikto" is taken from the movie "The Day the Earth Stood Still", and of course subsequent abuse by Bruce Campbell in "Army of Darkness". More information on the pop-culture popularity of Nikto can be found at http://www.blather.net/blather/2005/10/klaatu_barada_nikto_the_day_th.html

History

The Nikto 1.00 Beta was released on December 27, 2001 (followed almost immediately by the 1.01 release). Over the course of two years Nikto's code evolved into the most popular freely available web vulnerability scanner. The 2.0 release, in November 2007, represents several years of improvements.

Installation



Requirements

Any system which supports a basic PERL installation should allow Nikto to run. It has been extensively tested on:

  • Windows (using ActiveState Perl)
  • Mac OSX
  • Various Linux and Unix installations (including RedHat, Solaris, Debian, Knoppix, etc.)

The only required PERL module that does not come standard is LibWhisker. Nikto comes with and is configured to use a local LW.pm file (in the plugins directory), but users may wish to change Nikto to use a version installed on the system. See Section 2 for further information.

For SSL support the Net::SSLeay PERL module must be installed (which in turn requires OpenSSL on the Unix platform). Windows support for SSL is dependent on the installation package, but is rumored to exist for ActiveState's Perl.

The nmap scanner can also be used, if desired. In some cases using nmap will slow down Nikto execution, as it must call an external program. For scanning many ports across one or more servers, using nmap will be faster than using Nikto's internal PERL scanning.

Install

These instructions do not include information on installing PERL, PERL Modules, OpenSSL, LibWhisker or any of the utilities that may be needed during installation (such as gzip, tar, etc.). Please see the distributor's documentation for information on how to install and configure those software packages.

Unpack the download file:

  gzip -d nikto-current.tar.gz
  tar -xvf nikto-current.tar

Assuming a standard OS/PERL installation, Nikto should now be usable.

Testing


Basic Testing

The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:

   perl nikto.pl -h 192.168.0.1

To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:

   perl nikto.pl -h 192.168.0.1 -p 443

Hosts, ports and protocols may also be specified using full URL syntax, and the URL will be scanned as given:

   perl nikto.pl -h https://192.168.0.1:443/

There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.

   perl nikto.pl -h 192.168.0.1 -p 443 -ssl

Multiple Port Testing

Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (e.g., 80-90), or as a comma-delimited list (e.g., 80,88,90). This will scan the host on ports 80, 88 and 443:

   perl nikto.pl -h 192.168.0.1 -p 80,88,443


Multiple Host Testing

Nikto supports scanning multiple hosts in the same session via a text file of host names or IPs. Instead of giving a host name or IP for the -h (-host) option, a file name can be given. A file of hosts must be formatted as one host per line, with the port number(s) at the end of each line. Ports can be separated from the host and from other ports via a colon or a comma. If no port is specified, port 80 is assumed.

This is an example of a valid hosts file:

   192.168.0.1:80
   192.168.0.2,80
   192.168.0.3
   192.168.0.1,80,443
   192.168.0.1:80:443
   localhost:8888 
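
The hosts-file format above is simple, but a typo in a long host list only shows up once the scan is already running. The following POSIX shell script is an added example, not part of the Nikto project, that expands a hosts file into one "host port" pair per line using the rules just described (":" or "," as separators, port 80 when none is given) and rejects malformed port entries, so a list can be checked before it is handed to -h. The sample file it writes is the one listed above; skipping blank lines and lines starting with "#", and requiring each port to be a plain number, are assumptions of this script rather than documented Nikto behaviour.

```shell
#!/bin/sh
# Added example, not part of the Nikto project: expand a Nikto hosts file
# (one host per line, ports appended with ':' or ',' separators, port 80
# when no port is given) into one "host port" pair per line, so a long
# host list can be checked for malformed entries before a scan is started.
# Assumptions not taken from the Nikto documentation: blank lines and lines
# beginning with '#' are skipped, and each port must be a plain number.

# Expand one entry such as "192.168.0.1:80:443" into "host port" lines.
expand_entry() {
    entry=$1
    # Everything before the first ':' or ',' is the host.
    host=$(printf '%s' "$entry" | sed 's/[:,].*//')
    # Everything after it is the port list; ':' and ',' both separate ports.
    ports=$(printf '%s' "$entry" | sed -n 's/^[^:,]*[:,]//p' | tr ',:' '  ')
    [ -z "$ports" ] && ports=80
    for p in $ports; do
        case $p in
            ''|*[!0-9]*)
                printf 'malformed port "%s" for host %s\n' "$p" "$host" >&2
                return 1 ;;
        esac
        printf '%s %s\n' "$host" "$p"
    done
}

# Expand every entry in a hosts file; fail on the first malformed entry.
expand_hosts_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/[[:space:]]*$//')
        case $line in
            ''|'#'*) continue ;;
        esac
        expand_entry "$line" || return 1
    done < "$1"
}

# Write the constructed sample hosts file from the section above to $1.
write_sample_hosts_file() {
    cat > "$1" <<'EOF'
192.168.0.1:80
192.168.0.2,80
192.168.0.3
192.168.0.1,80,443
192.168.0.1:80:443
localhost:8888 
EOF
}

sample=$(mktemp)
write_sample_hosts_file "$sample"
expand_hosts_file "$sample"
rm -f "$sample"
```

Run as `sh expand_hosts.sh`; the script exits non-zero on the first entry whose port is not a number, which is the point at which to fix the file rather than start the scan.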

Using a Host Proxy

If the machine running Nikto only has access to the target host (or update server) via an HTTP proxy, the test can still be performed. Set the PROXY* variables (as described in section 4), then execute Nikto with the -u (-useproxy) option. All connections will be relayed through the HTTP proxy specified in the configuration file.

   perl nikto.pl -h 192.168.0.1 -p 80 -u

Updating

Nikto can be automatically updated, assuming you have Internet connectivity from the host Nikto is installed on. To update to the latest plugins and databases, simply run Nikto with the -update command.

   perl nikto.pl -update

Note:

The -update option cannot be abbreviated.

If updates are required, you will see a list of the files downloaded:

   perl nikto.pl -update
   + Retrieving 'nikto_core.plugin'
   + Retrieving 'CHANGES.txt'

Updates may also be manually downloaded from http://www.cirt.net/

Integration With Nessus

Nessus can be configured to automatically launch Nikto when it finds a web server. Ensure Nikto works properly, then place the directory containing nikto.pl in root's PATH environment variable. When nessusd starts, it should see the nikto.pl program and enable usage through the GUI.

Options

Below are all of the Nikto command line options and explanations. A brief version of this text is available by running Nikto with the -h (-help) option.

  -Cgidirs

Scan these CGI directories. The special words "all" and "none" may be used to scan all CGI directories or none, respectively. A literal value for a CGI directory such as "/cgi-test/" may be specified (must include trailing slash). If this option is not specified, all CGI directories listed in config.txt will be tested.

  -config 

Specify an alternative config file to use instead of the config.txt located in the install directory.

  -dbcheck 

Check the scan databases for syntax errors. Also checks the plugins to ensure they are called properly and have an entry in the plugins_order.txt.

  -evasion 

Specify the LibWhisker IDS evasion technique to use (see the LibWhisker docs for detailed information on these). Use the reference number to specify the type, multiple may be used:

   1 - Random URI encoding (non-UTF8)
   2 - Directory self-reference (/./)
   3 - Premature URL ending
   4 - Prepend long random string
   5 - Fake parameter
   6 - TAB as request spacer
   7 - Change the case of the URL
   8 - Use Windows directory separator (\)

  -findonly 

Only discover the HTTP(S) ports, do not perform security scan. This will attempt to connect with HTTP or HTTPS, and report the Server header.

  -Format 

Save the output file specified with -o (-output) option in this format. If not specified, default is "txt". Valid formats are:

   csv - a comma-separated list
   htm - an HTML report
   txt - a text report
   xml - an XML report

  -host 

Host(s) to target. Can be an IP address, hostname or text file of hosts.

  -Help 

Display extended help information.

  -id 

ID and password to use for host Basic authentication. Format is "id:password".

  -mutate 

Specify mutation technique. A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous number of tests to be launched against the target. Use the reference number to specify the type, multiple may be used:

   1 - Test all files with all root directories
   2 - Guess for password file names
   3 - Enumerate user names via Apache (/~user type requests)
   4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)

  -nolookup 

Do not perform name lookups on IP addresses.

  -output 

Write output to the file specified. Format is defined in -F (-Format), default is text. Existing files will have new information appended.

  -port 

TCP port(s) to target. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (e.g., 80-90), or as a comma-delimited list (e.g., 80,88,90). If not specified, port 80 is used.

  -Pause 

Seconds to delay between each test.

  -Display 

Control the output that Nikto shows. See Chapter 5 for detailed information on these options. Use the reference number or letter to specify the type, multiple may be used:

   1 - Show redirects
   2 - Show cookies received
   3 - Show all 200/OK responses
   4 - Show URLs which require authentication
   D - Debug Output
   V - Verbose Output

  -root 

Prepend the value specified to the beginning of every request. This is useful to test applications or web servers which have all of their files under a certain directory.

  -ssl 

Only test SSL on the ports specified. Using this option will dramatically speed up requests to HTTPS ports, since otherwise the HTTP request will have to timeout first.

  -Single 

Perform a single request to a target server. Nikto will prompt for all options which can be specified, and then report the detailed output. See Chapter 5 for detailed information.

  -timeout 

Seconds to wait before timing out a request. Default timeout is 2 seconds.

  -Tuning 

Tuning options control the tests that Nikto will use against a target. By default, if any options are specified, only those tests will be performed. If the "x" option is used, it will reverse the logic and exclude only those tests. Use the reference number or letter to specify the type, multiple may be used:

   0 - File Upload
   1 - Interesting File / Seen in logs
   2 - Misconfiguration / Default File
   3 - Information Disclosure
   4 - Injection (XSS/Script/HTML)
   5 - Remote File Retrieval - Inside Web Root
   6 - Denial of Service
   7 - Remote File Retrieval - Server Wide
   8 - Command Execution / Remote Shell
   9 - SQL Injection
   a - Authentication Bypass
   b - Software Identification
   g - Generic (Don't rely on banner)
   x - Reverse Tuning Options (i.e., include all except specified)
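
The "x" reversal is the part of -Tuning that is easiest to get backwards, and it matters in practice: "-Tuning 6" runs only the denial-of-service checks, whereas "-Tuning x6" runs everything except them, which is usually what is wanted against a production server. The POSIX shell function below is an added example, not Nikto's own code, that computes the effective category list for a -Tuning value from the rule stated above and the category letters listed; the output order and the silent ignoring of unknown characters are assumptions of this script.

```shell
#!/bin/sh
# Added example, not Nikto's own code: compute which test categories a
# -Tuning value selects, following the rule described above: with no value
# every category runs, a list of categories runs only those, and a value
# containing 'x' runs every category except the ones listed.
# The category letters are the ones documented above; the output order and
# the handling of unknown characters (ignored) are assumptions of this script.

TUNING_ALL='0 1 2 3 4 5 6 7 8 9 a b g'

# Print the effective category list for a -Tuning value, space separated.
effective_tuning() {
    spec=$1
    result=''
    case $spec in
        '')  result=$TUNING_ALL ;;
        *x*)                       # reverse: include all except listed
            listed=$(printf '%s' "$spec" | tr -d 'x')
            for c in $TUNING_ALL; do
                case $listed in
                    *"$c"*) ;;
                    *) result="$result $c" ;;
                esac
            done ;;
        *)                         # normal: include only listed
            for c in $TUNING_ALL; do
                case $spec in
                    *"$c"*) result="$result $c" ;;
                esac
            done ;;
    esac
    printf '%s\n' "${result# }"
}

# Constructed examples: a scan limited to the misconfiguration and
# information-disclosure checks, and a full scan with the DoS category excluded.
effective_tuning 23
effective_tuning x6
```

The two calls at the bottom print "2 3" and "0 1 2 3 4 5 7 8 9 a b g" respectively; checking a planned -Tuning value this way before a scan is cheaper than discovering the inversion in the scan log.
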

  -useproxy 

Use the HTTP proxy defined in the config.txt file.

  -update 

Update the plugins and databases directly from cirt.net.

  -Version 

Display the Nikto software, plugin and database versions.

  -vhost 

Specify the Host header to be sent to the target.

Nessus Plugins

The Nessus scanner supports a plugin architecture that allows anyone to develop security checks in the NASL (Nessus Attack Scripting Language) language. The Nikto developers have contributed a few plugins here on their site.

Further Information

For further information on advanced techniques using Nikto visit the Nikto Documentation site.

Resources

http://www.cirt.net/nikto2

http://cirt.net/nikto2-docs/

http://sourceforge.net/projects/whisker/

http://www.cirt.net/Nessus%20Plugins

This page was last modified on 9 November 2009, at 22:31.