Debianhelp.co.uk


Apache Web Server Security Testing Using Nikto

What is Nikto?

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version-specific problems on over 230 servers. Scan items and plugins are frequently updated and can be updated automatically.

Nikto Requirements

Perl module Net::SSLeay

Perl module LibWhisker (LW.pm is included with the source)

OpenSSL (only required if SSL scans are needed)

Download Nikto

http://www.cirt.net/code/nikto.shtml

Install Nikto in Debian

#apt-get install nikto

This completes the installation. The options Nikto makes available are listed below:

---------------------------------------------------------------------------
- Nikto 1.34/1.31 - www.cirt.net

Options:
-Cgidirs+ Scan these CGI dirs: 'none', 'all', or a value like '/cgi/'
-cookies print cookies found
-evasion+ ids evasion technique (1-9, see below)
-findonly find http(s) ports only, don't perform a full scan
-Format save file (-o) Format: htm, csv or txt (assumed)
-generic force full (generic) scan
-host+ target host
-id+ host authentication to use, format is userid:password
-mutate+ mutate checks (see below)
-nolookup skip name lookup
-output+ write output to this file
-port+ port to use (default 80)
-root+ prepend root value to all requests, format is /directory
-ssl force ssl mode on port
-timeout timeout (default 10 seconds)
-useproxy use the proxy defined in config.txt
-Version print plugin and database versions
-vhost+ virtual host (for Host header)
+ requires a value

These options cannot be abbreviated:
-debug debug mode
-dbcheck syntax check scan_database.db and user_scan_database.db
-update update databases and plugins from cirt.net
-verbose verbose mode

IDS Evasion Techniques:
1 Random URI encoding (non-UTF8)
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Random case sensitivity
8 Use Windows directory separator (\)
9 Session splicing

Mutation Techniques:
1 Test all files with all root directories
2 Guess for password file names
3 Enumerate user names via Apache (/~user type requests)
4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)

Using Nikto

The standard test (assuming you have installed Nikto directly on the server you want to check):

#nikto -h localhost

The output looks like this:

---------------------------------------------------------------------------
- Nikto 1.34/1.31 - www.cirt.net
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: Mon Aug 14 17:34:34 2006
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-16
+ The root file (/) redirects to: http://localhost/apache2-default/
+ PHP/4.3.10-16 appears to be outdated (current is at least 5.0.1)
+ 2.0.54 (Debian GNU/Linux) PHP/4.3.10-16 - TelCondex Simpleserver 2.13.31027 Build 3289 and below allow directory traversal with '/.../' entries.
+ PHP/4.3.1 - PHP below 4.3.3 may allow local attackers to safe mode and gain access to unauthorized files. BID-8203.
+ / - Redirects to http://localhost/apache2-default/ , Default EMC Cellera manager server is running.
+ / - Redirects to http://localhost/apache2-default/ , Appears to be a default Apache Tomcat install.
+ / - Redirects to http://localhost/apache2-default/ , Appears to be a default Apache Tomcat install.
+ / - Redirects to http://localhost/apache2-default/ , Default EMC ControlCenter manager server is running.
+ / - Redirects to http://localhost/apache2-default/ , Appears to be a default Apache install.
+ / - Redirects to http://localhost/apache2-default/ , Appears to be a default Apache install.
+ / - Redirects to http://localhost/apache2-default/ , Default Jrun 2 server running.
+ / - Redirects to http://localhost/apache2-default/ , Cisco VoIP Phone deafult web server found.
+ / - Redirects to http://localhost/apache2-default/ , Default Sybase Jaguar CTS server running.
...........

If you want to use the IDS evasion techniques, use the following command. This enables the intrusion detection evasion in LibWhisker. Multiple techniques can be combined by stringing the numbers together, e.g. to enable methods 1 and 5, use "-e 15".

#nikto -h localhost -evasion 1

The output looks like this:

---------------------------------------------------------------------------
- Nikto 1.34/1.31 - www.cirt.net
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Using IDS Evasion: Random URI encoding (non-UTF8)
+ Start Time: Mon Aug 14 17:39:38 2006
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-16
+ The root file (/) redirects to: http://localhost/apache2-default/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/4.3.10-16 appears to be outdated (current is at least 5.0.1)
+ 2.0.54 (Debian GNU/Linux) PHP/4.3.10-16 - TelCondex Simpleserver 2.13.31027 Build 3289 and below allow directory traversal with '/.../' entries.
+ PHP/4.3.1 - PHP below 4.3.3 may allow local attackers to safe mode and gain access to unauthorized files. BID-8203.
+ / - Redirects to http://localhost/apache2-default/ , Default EMC Cellera manager server is running.
+ / - Redirects to http://localhost/apache2-default/ , Appears to be a default Apache Tomcat install.
+ / - Redirects to http://localhost/apache2-default/ , Appears to be a default Apache Tomcat install.
+ / - Redirects to http://localhost/apache2-default/ , Default EMC ControlCenter manager server is running.
+ / - Redirects to http://localhost/apache2-default/ , Default Jrun 2 server running.
+ / - Redirects to http://localhost/apache2-default/ , Cisco VoIP Phone deafult web server found.
+ / - Redirects to http://localhost/apache2-default/ , Default Sybase Jaguar CTS server running.
+ / - Redirects to http://localhost/apache2-default/ , Default IBM Tivoli Server Administration server is running.
+ / - Redirects to http://localhost/apache2-default/ , Default Jrun 4 server running.
+ /?D=A - Redirects to http://localhost/apache2-default/?%44%3dA , Apache allows directory listings by requesting. Upgrade Apache or disable directory indexing.
+ / - Redirects to http://localhost/apache2-default/ , Samba-swat web server. Used to administer Samba.
...............
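Both scan outputs above show the same pattern: the Server banner yields two concrete PHP findings, while the redirect from / to /apache2-default/ causes a long run of database notes (Tomcat, JRun, a Cisco VoIP phone) that were matched on the redirect response rather than on real content, many of them printed twice. The script below is an added example for this article, not part of Nikto or of the original page. It parses the Nikto 1.x text format shown above, drops exact duplicate lines, and separates findings that only echo the root redirect from the ones that stand on their own, so the reader knows which items to fix and which to verify by hand. The sample report embedded in it is constructed from the lines shown in this article.

```python
"""Triage helper for Nikto 1.x plain-text output.

Added example for this article, not code from Nikto or from the original
page.  It reads the report format shown above (header fields and '+ '
finding lines, '- ' warning lines), drops exact duplicate findings, and
separates findings that were matched on the root redirect response from
the rest, so the reader can see which items actually need fixing.
"""
import re

# Constructed sample, modelled on the output shown in the article.
SAMPLE_REPORT = """\
---------------------------------------------------------------------------
- Nikto 1.34/1.31 - www.cirt.net
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: Mon Aug 14 17:34:34 2006
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-16
+ The root file (/) redirects to: http://localhost/apache2-default/
+ PHP/4.3.10-16 appears to be outdated (current is at least 5.0.1)
+ PHP/4.3.1 - PHP below 4.3.3 may allow local attackers to safe mode and gain access to unauthorized files. BID-8203.
+ / - Redirects to http://localhost/apache2-default/ , Appears to be a default Apache Tomcat install.
+ / - Redirects to http://localhost/apache2-default/ , Appears to be a default Apache Tomcat install.
+ / - Redirects to http://localhost/apache2-default/ , Appears to be a default Apache install.
+ /?D=A - Redirects to http://localhost/apache2-default/?%44%3dA , Apache allows directory listings by requesting. Upgrade Apache or disable directory indexing.
"""

# Header lines Nikto prints as "+ Key: value" before the findings.
HEADER_KEYS = {"Target IP", "Target Hostname", "Target Port", "Start Time", "Server"}
ROOT_REDIRECT_KEY = "The root file (/) redirects to"

# Finding shape: "<tested path> - Redirects to <url> , <database note>"
REDIRECT_RE = re.compile(r"^(?P<path>\S+) - Redirects to (?P<url>\S+) , (?P<note>.*)$")


def parse_report(text):
    """Return (header, warnings, findings) from Nikto text output.

    Exact duplicate findings (Nikto 1.x prints one line per matching
    database entry, so identical lines are common) are kept only once.
    """
    header, warnings, findings, seen = {}, [], [], set()
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("---"):
            continue
        if line.startswith("- Nikto "):
            header["Scanner"] = line[2:]
        elif line.startswith("- "):
            warnings.append(line[2:])
        elif line.startswith("+ "):
            body = line[2:]
            key, sep, value = body.partition(": ")
            if sep and key in HEADER_KEYS:
                header[key] = value
            elif sep and key == ROOT_REDIRECT_KEY:
                header["Root redirect"] = value
            elif body not in seen:
                seen.add(body)
                findings.append(body)
    return header, warnings, findings


def triage(findings, root_redirect):
    """Split findings into substantive ones and redirect-triggered ones.

    When the document root redirects, the probes that were answered with
    that redirect are reported with the database note for the probe, not
    with evidence from real content; those notes need manual verification
    before anyone acts on them.  Findings derived from the Server banner
    (the PHP version notes above) do not have this shape and stand alone.
    """
    substantive, redirect_triggered = [], []
    for finding in findings:
        m = REDIRECT_RE.match(finding)
        if m and root_redirect and m.group("url").startswith(root_redirect):
            redirect_triggered.append(m.group("note"))
        else:
            substantive.append(finding)
    return substantive, redirect_triggered


def summarize(text):
    """Parse and triage a report into a dict suitable for a ticket or CI check."""
    header, warnings, findings = parse_report(text)
    substantive, redirect_triggered = triage(findings, header.get("Root redirect", ""))
    return {
        "scanner": header.get("Scanner"),
        "target": "%s:%s" % (header.get("Target Hostname"), header.get("Target Port")),
        "server": header.get("Server"),
        "warnings": warnings,
        "substantive": substantive,
        "redirect_triggered": redirect_triggered,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print("Target :", result["target"], "-", result["server"])
    for w in result["warnings"]:
        print("Warning:", w)
    print("\nFindings to act on:")
    for f in result["substantive"]:
        print("  *", f)
    print("\nMatched on the redirect response only (verify by hand):")
    for note in result["redirect_triggered"]:
        print("  ?", note)
```

To use it on a real scan, save the report with -output and pass the file contents to summarize(). The warning about the "Server" string is kept on purpose: the version findings depend on that banner, so if the banner has been changed or hidden they need the same manual check as the redirect-triggered notes.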

For more options and details on how to use Nikto, see the Nikto site at http://www.cirt.net/code/nikto.shtml.