The Pen Tester's Framework: nikto

I have a confession: nikto is one of my favorite tools. It is a web server scanner that checks for nearly 7000 known vulnerabilities in software, and also for CGI applications with known vulnerabilities. Even if the developer of the application I am testing has no idea that the software in question is on the server, the attacker can use the vulnerability to get a certain level of access on the server, and use that to get into the application.

What we are talking about is things like checking for known default credentials, looking for unprotected CGI files, fishing for hidden content, deep header enumeration, and even pushing for exceptional error messages. It's a neat package, and it is customizable on a new level: the underlying tests are all stored in a database. No code changes are needed to add new checks.

One thing you should know though is this: the version in the PTF is not the newest. nikto is constantly updated, and you should update the PTF file if it hasn't been updated recently. After that, you should run sudo nikto -update to get the latest versions of the attacks in the database.

And as it turns out, Nikto is stupid easy to use. If you have a new host or a new server, you can do a quick check with:

nikto -host https://domain.com -output domain.txt

That will find a load of stuff on anything other than Azure or EC2. Seriously, if you have an application that someone decided to 'put on that server over there' then you should run this check. Just takes a second. Well, OK, a few minutes. Still.

Some of the important parameters that I have used in the past to solve particular problems include:
  • -ssl or -nossl is essential if the site only supports HTTPS or doesn't support HTTPS at all. This will cut 30 minutes from your scan time.
  • -id is super important if you have an authenticated site. Username:password is the parameter.
  • -no404 is so important if a misconfigured server returns 200 to everything.
  • -evasion will push past an intrusion detection system. If you are getting a ton of timeouts, try this. Parameters include:
    • 1     Random URI encoding (non-UTF8)
    • 2     Directory self-reference (/./)
    • 3     Premature URL ending
    • 4     Prepend long random string
    • 5     Fake parameter
    • 6     TAB as request spacer
    • 7     Change the case of the URL
    • 8     Use Windows directory separator (\)
    • A     Use a carriage return (0x0d) as a request spacer
    • B     Use binary value 0x0b as a request spacer
  • -nocache turns off the response cache. Oh goodness this is major sometimes.
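
One way a defender could spot several of the -evasion options above in raw request lines, as an added example that is not part of the original post or nikto's own code. It assumes the raw request line is available (from a packet capture or reverse proxy, say); the sample lines are constructed, the patterns follow the descriptions in the list rather than nikto's source, and options 3, 4, 5 and 7 are left out because spotting them needs the site's canonical URLs.

```python
import re

# Constructed raw request lines (not captured traffic), keyed by a label.
SAMPLES = {
    "plain":     b"GET /cgi-bin/test.cgi HTTP/1.1",
    "encoded":   b"GET /%63gi-bin/t%65st.cgi HTTP/1.1",
    "selfref":   b"GET /./cgi-bin/./test.cgi HTTP/1.1",
    "backslash": b"GET /cgi-bin\\test.cgi HTTP/1.1",
    "tab":       b"GET\t/cgi-bin/test.cgi\tHTTP/1.1",
    "cr":        b"GET\r/cgi-bin/test.cgi\rHTTP/1.1\r\n",
    "vt":        b"GET\x0b/cgi-bin/test.cgi\x0bHTTP/1.1",
}

UNRESERVED = re.compile(rb"[A-Za-z0-9._~-]")  # RFC 3986 unreserved characters
PCT = re.compile(rb"%([0-9A-Fa-f]{2})")       # one percent-encoded octet
SPACERS = {b"\t": "6 (TAB spacer)",
           b"\r": "A (0x0d spacer)",
           b"\x0b": "B (0x0b spacer)"}

def classify(request_line: bytes) -> list[str]:
    """Return the -evasion options (as numbered in the list) a line is consistent with."""
    line = request_line.rstrip(b"\r\n")  # drop the normal line terminator first
    hits = [label for byte, label in SPACERS.items() if byte in line]

    # Split on SP and on the odd spacers, so the request target is still found.
    parts = re.split(rb"[ \t\r\x0b]+", line.strip())
    target = parts[1] if len(parts) >= 2 else b""
    path = target.split(b"?", 1)[0]

    # Percent-encoding a character that never needs it suggests normalisation evasion.
    if any(UNRESERVED.fullmatch(bytes([int(h, 16)])) for h in PCT.findall(path)):
        hits.append("1 (URI encoding)")
    if b"/./" in path or path.endswith(b"/."):
        hits.append("2 (self-reference)")
    if b"\\" in path:
        hits.append("8 (backslash separator)")
    return sorted(hits)

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {classify(raw)}")
```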

Understand what you are testing. Watching responses from something like nikto and then tweaking the options until you get it working is key to a good scan.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
