Sunday, February 7, 2010

Nikto Web Scanning

== Basic scanning ==
The most basic Nikto scan requires only a host to target, since port 80 is assumed if none is specified. The host can be either an IP address or a hostname, and is specified with the -h (-host) option. The following will scan the IP 192.168.0.1 on TCP port 80:

perl nikto.pl -h 192.168.0.1

To check a different port, specify the port number with the -p (-port) option:

perl nikto.pl -h 192.168.0.1 -p 443

Host, port and protocol may also be specified using full URL syntax:

perl nikto.pl -h https://192.168.0.1:443/

== Multiple Port Testing ==
Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p option. Ports can be specified as a range (i.e., 80-90) or as a comma-delimited list (i.e., 80,88,90):

perl nikto.pl -h 192.168.0.1 -p 80,88,443

== Multiple Host Testing ==
Nikto supports scanning multiple hosts in the same session via a text file of hostnames or IPs. Instead of a hostname or IP, a file name can be given to the -h (-host) option. A hosts file must be formatted as one host per line, with the port number(s) at the end of each line. Ports can be separated from the host and from each other with a colon or a comma. If no port is specified, port 80 is assumed.

Example of a valid hosts file:
192.168.1.1:80
https://192.168.2.2:8080
192.168.2.2

perl nikto.pl -h 192.168.1.1 -e 1 -Display V

A hosts file may also be nmap output in "greppable" format (i.e., the output of -oG).

A file may also be passed to Nikto on stdin by using "-" as the filename. For example:

nmap -p80 192.168.1.1/24 -oG - | perl nikto.pl -h -
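The conversion below is an added example and is not part of the original post or of Nikto itself: a small POSIX shell/awk function that turns nmap greppable output into the hosts-file format described above (one host per line, open TCP ports comma-separated after a colon). Ports whose nmap service name looks like https or ssl are written on their own line in the URL form the manual also accepts, so Nikto talks SSL to them immediately instead of waiting for a plain HTTP attempt to time out. Nikto can read -oG output directly, but producing the file first lets you review or trim the port list before scanning. The nmap output is a constructed sample, and the https/ssl service-name heuristic is my own assumption, not something the manual specifies.

```sh
# nmap_grep_to_nikto: read nmap -oG ("greppable") output on stdin and emit a
# Nikto hosts file: one host per line, open TCP ports comma-separated after a
# colon.  Ports whose nmap service name looks like https/ssl are written on
# their own line in URL form (https://host:port/) so Nikto uses SSL at once.
# The https/ssl service-name heuristic is an assumption, not a Nikto rule.
nmap_grep_to_nikto() {
    awk -F '\t' '
    /^Host:/ {
        host = ""; plain = ""; https = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Host: /) {
                split($i, h, " ")          # "Host: 192.168.1.1 ()" -> h[2]
                host = h[2]
            } else if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), p, /, /)
                for (j = 1; j <= n; j++) {
                    # each entry looks like 80/open/tcp//http///
                    split(p[j], f, "/")
                    if (f[2] != "open" || f[3] != "tcp") continue
                    if (f[5] ~ /https|ssl/)
                        https = https "https://" host ":" f[1] "/\n"
                    else
                        plain = (plain == "" ? f[1] : plain "," f[1])
                }
            }
        }
        if (plain != "") print host ":" plain
        if (https != "") printf "%s", https
    }'
}

# Constructed sample of nmap -oG output (not real scan data).
sample_nmap_grep() {
    printf '# Nmap 7.80 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (0)\n'
    printf 'Host: 192.168.1.2 ()\tPorts: 80/filtered/tcp//http///, 8080/open/tcp//http-proxy///\n'
    printf 'Host: 192.168.1.3 ()\tPorts: 80/closed/tcp//http///\n'
    printf '# Nmap done -- 4 IP addresses (3 hosts up) scanned\n'
}

# Demonstration: print the hosts file for the sample.  To scan for real:
#   nmap -p80,443,8080 192.168.1.0/24 -oG - | nmap_grep_to_nikto > hosts.txt
#   perl nikto.pl -h hosts.txt
sample_nmap_grep | nmap_grep_to_nikto
```

Hosts with no open TCP port (192.168.1.3 above, and the "Status: Up" line that carries no port table) are dropped, so the resulting file only contains targets Nikto can actually connect to.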

== Using a Proxy ==
If the machine running Nikto can only reach the target host (or the update server) through an HTTP proxy, the test can still be performed. Set the proxy variables in the configuration file, then run Nikto with the -u (-useproxy) option. All connections will then be relayed through the HTTP proxy specified in the configuration file:

perl nikto.pl -h 192.168.1.1 -p 80 -u

== Updating ==
Nikto can update itself, assuming the host it is installed on has Internet connectivity. To fetch the latest plugins and databases, run Nikto with the -update option:

perl nikto.pl -update

== All Options ==

Below are all the Nikto command line options with explanations.

-Cgidirs
Scan these CGI directories. The special words "all" or "none" may be used to scan all CGI directories or none, respectively. A literal value for a CGI directory such as "/cgi-test/" may be specified (must include the trailing slash). If this option is not specified, all CGI directories listed in config.txt will be tested.

-config
Specify an alternative config file to use instead of the config.txt located in the install directory.

-dbcheck
Check the scan database for syntax errors

-Display
Control the output that Nikto shows. Use the reference number or letter to specify the type; multiple may be used:

1. Show redirects
2. Show cookies received
3. Show all 200/OK responses
4. Show URLs which require authentication
D. Debug output
V. Verbose Output

-evasion
Specify the LibWhisker IDS evasion technique to use. Use the reference number to specify the type; multiple may be used:

1. Random URI encoding (non-UTF8)
2. Directory self-reference (/./)
3. Premature URL ending
4. Prepend long random string
5. Fake parameter
6. TAB as request spacer
7. Change the case of the URL
8. Use Windows directory separator (\)


perl nikto.pl -h 192.168.5.103 -evasion 1


-findonly
Only discover the HTTP(S) ports; do not perform a security scan. This will attempt to connect with HTTP or HTTPS and report the server header.

-Format
Save the output file specified with the -o (-output) option in this format. If not specified, the default is "txt". Valid formats are:
csv - a comma-separated list
htm - an HTML report
txt - a text report
xml - an XML report

-host
Host(s) to target. Can be an IP address, hostname or text file of hosts.

-id
ID and password to use for Basic host authentication. Format is "id:password".


-mutate
Specify mutation technique. A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous number of tests to be launched against the target. Use the reference number to specify the type; multiple may be used:
1 - Test all files with all root directories
2 - Guess for password file names
3 - Enumerate user names via Apache (/~user type requests)
4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
5 - Attempt to brute force sub-domain names, assume that the host name is the parent domain
6 - Attempt to guess directory names from the supplied dictionary file


-mutate-options
Provide extra information for mutates, e.g., a dictionary file.

-nolookup
Do not perform name lookups on IP addresses.

-nossl
Do not use SSL to connect to the server.

-no404
Disable 404 (file not found) checking. This will reduce the total number of requests made to the web server and may be preferable when checking a server over a slow link, or an embedded device. It will generally lead to more false positives being reported.

-output
Write output to the file specified. Format is defined in -F (-Format), default is text. Existing files will have new information appended.

-port
TCP port(s) to target. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). If not specified, port 80 is used.

-Pause
Seconds to delay between each test.

-root
Prepend the value specified to the beginning of every request. This is useful to test applications or web servers which have all of their files under a certain directory.

-ssl
Only test SSL on the ports specified. Using this option will dramatically speed up requests to HTTPS ports, since otherwise the plain HTTP request would have to time out first.

-Single
Perform a single request to a target server. Nikto will prompt for all options which can be specified, and then report the detailed output. See Chapter 5 for detailed information.

-timeout
Seconds to wait before timing out a request. Default timeout is 10 seconds.

-useproxy
Use the HTTP proxy defined in the configuration file.

-update
Update the plugins and databases directly from cirt.net.

-Version
Display the Nikto software, plugin and database versions.

-vhost
Specify the Host header to be sent to the target


-Tuning
Tuning options control which tests Nikto will use against a target. By default, if any options are specified, only those tests will be performed. If the "x" option is used, it reverses the logic and excludes only those tests. Use the reference number or letter to specify the type; multiple may be used:
0 - File Upload
1 - Interesting File / Seen in logs
2 - Misconfiguration / Default File
3 - Information Disclosure
4 - Injection (XSS/Script/HTML)
5 - Remote File Retrieval - Inside Web Root
6 - Denial of Service
7 - Remote File Retrieval - Server Wide
8 - Command Execution / Remote Shell
9 - SQL Injection
a - Authentication Bypass
b - Software Identification
c - Remote Source Inclusion
x - Reverse Tuning Options (i.e., include all except specified)
The given string is parsed from left to right; any x character applies to all characters to its right.

perl nikto.pl -h 192.168.1.1 -T 58

If an 'x' is passed to -T, it negates all test types following the x. This is useful where a test checks several different types of exploits. For example, the following runs the remote file retrieval and command execution tests, but skips any of them that are also classed as software identification:

perl nikto.pl -h 192.168.1.1 -T 58xb
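To make the left-to-right rule concrete, here is an added example that is not from the original post or from Nikto's source: a POSIX shell function that applies a -Tuning string to the category letters of a single test and reports whether that test would run. It implements my reading of the text above: characters before any x form the include set (empty means all categories), characters after an x form the exclude set, and a test runs if at least one of its categories is included and none is excluded. The function name and the test tags used in the demonstration are made up for illustration.

```sh
# nikto_tuning_selects TUNING TESTCATS
# Decide whether a test whose tuning categories are TESTCATS (e.g. "8b") would
# run under the -Tuning string TUNING, following the left-to-right rule: the
# characters before any x form the include set (empty means every category),
# the characters after an x form the exclude set.  A test runs when at least
# one of its categories is included and none of them is excluded.
# Returns 0 = run, 1 = skip, 2 = bad tuning character.  (Function name and
# semantics are my reading of the manual text, not Nikto's own code.)
nikto_tuning_selects() {
    tuning=$1
    testcats=$2
    include=""
    exclude=""
    mode=include
    rest=$tuning
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first character of $rest
        rest=${rest#?}             # drop it
        case $c in
            x) mode=exclude ;;
            [0-9abc])
                if [ "$mode" = include ]; then
                    include=$include$c
                else
                    exclude=$exclude$c
                fi ;;
            *)  printf 'unknown tuning character: %s\n' "$c" >&2
                return 2 ;;
        esac
    done
    # no explicit include set means "all categories", as with -T x6
    [ -n "$include" ] || include=0123456789abc
    hit=1
    rest=$testcats
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}
        rest=${rest#?}
        case $exclude in *"$c"*) return 1 ;; esac   # any excluded category vetoes
        case $include in *"$c"*) hit=0 ;; esac      # any included category selects
    done
    return $hit
}

# Demonstration: a test tagged both 8 (command execution) and b (software
# identification) runs under -T 58 but is vetoed under -T 58xb.
for t in 58 58xb x6 ""; do
    if nikto_tuning_selects "$t" 8b; then
        printf '%s -> run\n' "-T '$t'"
    else
        printf '%s -> skip\n' "-T '$t'"
    fi
done
```

Note the asymmetry this makes visible: an excluded category vetoes a test outright, while an included one only needs to match once, so -T 58xb differs from -T 58 only for tests that carry the b tag alongside a 5 or an 8.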



== Mutation Technique ==


A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target. Use the reference number to specify the type, multiple may be combined.

1. Test all files with all root directories. This takes each test and splits it into a list of files and directories. A scan list is then created by combining each file with each directory.
2. Guess for password file names. Takes a list of common password file names (such as "passwd", "pass", "password") and file extensions ("txt", "pwd", "bak", etc.) and builds a list of files to check for.
3. Enumerate user names via Apache (/~user type requests). Exploits a misconfiguration of Apache UserDir setups which allows valid user names to be discovered. This will attempt to brute-force guess user names. A file of known users can also be supplied by giving the file name in the -mutate-options parameter.
4. Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests). Exploits a flaw in cgiwrap which allows valid user names to be discovered. This will attempt to brute-force guess user names. A file of known users can also be supplied by giving the file name in the -mutate-options parameter.
5. Attempt to brute force sub-domain names. This will try a list of common sub-domain names; it assumes the given host (without a www) is the parent domain.
6. Attempt to brute force directory names. This is the only mutate option that requires a file to be passed in the -mutate-options parameter. It will use the given file to guess directory names. Lists of common directories may be found in the OWASP DirBuster project.
