
Finding Web Site Vulnerabilities with Nikto «Null Byte :: WonderHowTo



Before attacking a website, an attacker first compiles a list of target surfaces. After doing some solid reconnaissance and finding the right places to point their scope at, they'll use a web server scanning tool such as Nikto to hunt for vulnerabilities that could become attack vectors.

Nikto is a simple, open-source web server scanner that examines a website and reports back vulnerabilities that could be used to exploit or hack the site. It is also one of the most widely used vulnerability tools in the industry, and many consider it an industry standard.

Although the tool is extremely effective, it is not stealthy at all. Any site with an intrusion detection system or other security monitoring will notice that it is being scanned. Nikto was designed for security testing, and stealth was never a concern.

The Right Way to Use Nikto

If you just run Nikto against a target site, you might not know what to do with the information the scan returns. Nikto is really more of a laser pointer that directs a much heavier hit, and you'll see how that plays out in a bit.

Let's talk about the target surface first. This is pretty much anywhere an attacker can try to get in, for example a network printer or a web server. When we work with Nikto later, we'll need to give it one of three kinds of target: an IP address for a local service, a web domain, or an SSL/HTTPS website.

Before diving straight into a scan with Nikto, it's better to do some additional reconnaissance with an open-source intelligence tool like Maltego. Tools like this help build a profile and a more focused list of targets to concentrate on. Once that's done, Nikto can be used to hunt for potential vulnerabilities in the targets on the list.

If you're lucky, you'll find a vulnerability with a weaponized exploit, meaning a tool already exists to exploit the weakness. With a tool that automatically exploits the vulnerability, a hacker can get onto the target and perform any number of behind-the-scenes attacks, such as adding code to carry out malicious activity.

Step 1: Install Nikto

If you're running Kali Linux, Nikto comes preinstalled, so you don't have to download or install anything. It lives in the Vulnerability Analysis category. If for some reason you don't have it, you can get Nikto from GitHub or simply install it with apt.

  apt install nikto 

If you're doing this on a Mac, you can use Homebrew to install Nikto.

  brew install nikto 

Step 2: Meet Nikto

Before we turn Nikto loose on web servers, let's use the help option to see everything Nikto can do.

  nikto -Help
  Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck            Check database and other key files for syntax errors
       -evasion+           Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
       -Format+            Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               nbe   Nessus NBE format
                               sql   Generic SQL (see docs for schema)
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help               Extended help information
       -host+              Target host
       -404code            Ignore these HTTP codes as negative responses (always). Format is "302,301".
       -404string          Ignore this string in response body content as negative response (always). Can be a regular expression.
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -key+               Client certificate key file
       -list-plugins       List all available plugins, perform no testing
       -maxtime+           Maximum testing time per host (e.g., 1h, 60m, 3600s)
       -mutate+            Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options     Provide information for mutates
       -nointeractive      Disables interactive features
       -nolookup           Disables DNS lookups
       -nossl              Disables the use of SSL
       -no404              Disables nikto attempting to guess a 404 page
       -Option             Over-ride an option in nikto.conf, can be issued multiple times
       -output+            Write output to this file ('.' for auto-name)
       -Pause+             Pause between tests (seconds, integer or float)
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -RSAcert+           Client certificate file
       -root+              Prepend root value to all requests, format is /directory
       -Save               Save positive responses to this directory ('.' for auto-name)
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               d     WebService
                               e     Administrative Console
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+           Timeout for requests (default 10 seconds)
       -Userdbs            Load only user databases, not the standard databases
                               all   Disable all standard databases and load only user databases
                               tests Disable only db_tests and load udb_tests
       -useragent          Over-rides the default useragent
       -until              Run until the specified time or duration
       -update             Update databases and plugins from CIRT.net
       -useproxy           Use the proxy defined in nikto.conf, or argument http://server:port
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
               + requires a value

Step 3: Using Basic Syntax

As you can see from the previous step, Nikto has a lot of options. For our purposes, though, we'll stick to the basic syntax below, replacing <IP or hostname> with the actual IP address or hostname, without the angle brackets.

  nikto -h <IP or hostname>

Nikto can also scan over SSL on port 443, the port HTTPS websites use (plain HTTP uses port 80 by default). So we're not limited to scanning plain-HTTP sites; we can also run vulnerability analysis against sites that use SSL, which is pretty much expected these days if a site wants to be indexed in search results.

If we know we're targeting an SSL site, we can tell Nikto so and save some scanning time by adding -ssl to the end of the command.

  nikto -h <IP or hostname> -ssl

Step 4: Scanning an SSL-enabled Website

Let's start by scanning pbs.org, for example, to see some of the information a Nikto scan displays. After connecting on port 443, we get some useful information about the cipher and a list of other details, such as the fact that the server is nginx, but there's not much of real interest to us here.

  nikto -h pbs.org -ssl
  - Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          54.225.198.196
+ Target Hostname:    pbs.org
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=www.pbs.org
                   Altnames: account.pbs.org, admin.pgs.org, dipsy-tc.pbs.org, docs.pbs.org, ga.video.cdn.pbs.org, git.pbs.org, heart.ops.pbs.org, hub-dev.pbs.org, image.pbs.org,
                             jaws.pbs.org, kids.pbs.org, koth-qa.svp.pbs.org, login.pbs.org, ops.pbs.org, pbs.org, player.pbs.org, projects.pbs.org, sentry.pbs.org, teacherline.pbs.org,
                             urs.pbs.org, video.pbs.org, weta-qa.svp.pbs.org, whut-qa.svp.pbs.org, wnet.video-qa.pbs.org, wnet.video-staging.pbs.org, www-cache.pbs.org, www.pbs.org
                   Ciphers:  ECDHE-RSA-AES128-GCM-SHA256
                   Issuer:   /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+ Start Time:         2018-12-05 23:34:06 (GMT-8)
---------------------------------------------------------------------------
+ Server: nginx
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-pbs-fwsrvname' found, with contents: fwcacheproxy1
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: https://www.pbs.org/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ RFC-1918 IP address found in the 'x-pbs-appsvrip' header: The IP is "10.137.181.52".
+ Uncommon header 'cache-fs-status' found, with contents: EXPIRED
+ Uncommon header 'x-pbs-appsvrname' found, with contents: fwcacheproxy1
+ Uncommon header 'x-pbs-appsvrip' found, with contents: 10.137.181.52
+ Server leaks inodes via ETags, header found with file /pbs.org.zip, fields: 0x5b96537e 0x1678
+ 7446 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2018-12-06 00:30:29 (GMT-8) (3383 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
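
Most of what Nikto reported for pbs.org is missing response headers, and a full rescan to confirm one of those takes the better part of an hour. The following script is an added example, not code from the Null Byte article or from Nikto: it re-checks the four header findings from a single header block, such as the output of curl -sI, and the two sample responses it works on are constructed to resemble the scan above (the "after" one assumes the headers have since been added). The check_url helper assumes curl is installed and needs network access.

```shell
#!/bin/sh
# Added example (not code from the Null Byte article): re-check the four header
# findings Nikto reported for pbs.org with a single HEAD request, so a finding
# can be confirmed, or re-tested after a fix, without another 50-minute scan.

# The defensive headers Nikto complained about above. Matching is
# case-insensitive because servers differ in how they capitalise header names.
WANTED="strict-transport-security x-frame-options x-content-type-options x-xss-protection"

# check_headers HEADERS
#   HEADERS is a raw response header block, e.g. the output of `curl -sI URL`.
#   Prints one line per wanted header: "present <name>" or "MISSING <name>".
check_headers() {
    lower=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')
    for h in $WANTED; do
        if printf '%s\n' "$lower" | grep -q "^$h:"; then
            echo "present $h"
        else
            echo "MISSING $h"
        fi
    done
}

# missing_count HEADERS
#   Prints how many of the wanted headers are absent (0 when all are set).
missing_count() {
    check_headers "$1" | grep -c '^MISSING' || true
}

# check_url URL
#   Live variant (assumes curl; needs network access, not exercised offline).
check_url() {
    check_headers "$(curl -sI --max-time 10 "$1")"
}

# Constructed sample: a cut-down version of the kind of response the pbs.org
# scan above implies (nginx, redirect to www, none of the four headers set).
SAMPLE_BEFORE='HTTP/1.1 301 Moved Permanently
Server: nginx
Content-Type: text/html
Location: https://www.pbs.org/
x-pbs-fwsrvname: fwcacheproxy1'

# Constructed sample: the same response once the headers have been added.
SAMPLE_AFTER='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://www.pbs.org/
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block'

echo "before:"; check_headers "$SAMPLE_BEFORE"
echo "after:";  check_headers "$SAMPLE_AFTER"
```

Run `check_url https://www.pbs.org/` to test the live host. Note that X-XSS-Protection is a legacy header that current browsers ignore; Nikto still flags its absence, but the three headers that matter on a live site are HSTS, X-Frame-Options and X-Content-Type-Options.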

Step 5: Scanning an IP Address

Now that we've quickly scanned a website, let's try using Nikto on a local network to find embedded servers, such as a router's login page or an HTTP service on another machine that is just a server without a website. To begin, we look up our own IP address with ifconfig.

  ifconfig
  en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.48 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 XXXX::XXX:XXXX:XXXX:XXXX%en0 prefixlen 64 secured scopeid 0x8
        ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet)
        inet6 XXXX::XXX:XXXX:XXXX:XXXX%en0 prefixlen 64 autoconf secured
        inet6 XXXX::XXX:XXXX:XXXX:XXXX%en0 prefixlen 64 autoconf temporary
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect
        status: active

  en2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=60<TSO4,TSO6>
        ether XX:XX:XX:XX:XX:XX
        media: autoselect
        status: inactive

The IP address we want is the one marked "inet". We can then run ipcalc on it to get our network range. If you don't have ipcalc, install it with apt install ipcalc and try again. In my case, the range appears next to "Network": 192.168.0.0/24.

  ipcalc 192.168.0.48
  Address:   192.168.0.48         11000000.10101000.00000000. 00110000
  Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
  Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
  =>
  Network:   192.168.0.0/24       11000000.10101000.00000000. 00000000
  HostMin:   192.168.0.1          11000000.10101000.00000000. 00000001
  HostMax:   192.168.0.254        11000000.10101000.00000000. 11111110
  Broadcast: 192.168.0.255        11000000.10101000.00000000. 11111111
  Hosts/Net: 254                   Class C, Private Internet

Now we'll run Nmap to find services running in that network range. Let's scan port 80 across our range and add -oG (grepable output) so we can later pull out just the hosts we're interested in. We save everything to a file I'm calling nullbyte.txt, though you can name it anything you like.

  nmap -p 80 192.168.0.0/24 -oG nullbyte.txt

  Starting Nmap 7.60 ( https://nmap.org ) at 2018-12-06 00:43 PST
  Nmap scan report for 192.168.0.1
  Host is up (0.021s latency).

  PORT   STATE SERVICE
  80/tcp open  http

  Nmap scan report for 192.168.0.2
  Host is up (0.088s latency).

  PORT   STATE SERVICE
  80/tcp open  http

  Nmap scan report for 192.168.0.4
  Host is up (0.032s latency).

  PORT   STATE SERVICE
  80/tcp open  http

  Nmap scan report for 192.168.0.5
  Host is up (0.020s latency).

  PORT   STATE SERVICE
  80/tcp open  http

  Nmap scan report for 192.168.0.11
  Host is up (0.068s latency).

  PORT   STATE  SERVICE
  80/tcp closed http

  Nmap scan report for 192.168.0.24
  Host is up (0.023s latency).

  PORT   STATE  SERVICE
  80/tcp closed http

  Nmap scan report for 192.168.0.31
  Host is up (0.059s latency).

  PORT   STATE  SERVICE
  80/tcp closed http

  Nmap scan report for 192.168.0.48
  Host is up (0.030s latency).

  PORT   STATE  SERVICE
  80/tcp closed http

  Nmap scan report for 192.168.0.60
  Host is up (0.092s latency).

  PORT   STATE  SERVICE
  80/tcp closed http

  Nmap done: 256 IP addresses (9 hosts up) scanned in 8.92 seconds

We use cat to read the output saved in nullbyte.txt (or whatever you called it) and pipe it into awk, a Linux tool that searches for a pattern: Up matches the lines that report a host as up, and {print $2} prints the second word of each matching line, which is just the IP address. Then we send that data to a new file called targetIP.txt (or whatever you want to call it). Note that this pattern keeps every host that responded, whether or not port 80 was actually open, so the hosts that showed port 80 closed above will end up in the list too; to keep only hosts with an open port 80, match on 80/open instead of Up.

  cat nullbyte.txt | awk '/Up$/ {print $2}' | cat >> targetIP.txt

We can now view the contents of our new file with cat to see every host that was up (including those where port 80 was closed).

  cat targetIP.txt
  192.168.0.1
  192.168.0.2
  192.168.0.4
  192.168.0.5
  192.168.0.11
  192.168.0.24
  192.168.0.31
  192.168.0.48
  192.168.0.60

This is perfect for Nikto, since it can read a file of hosts like this directly. So we can feed the list to Nikto with the following command:

  nikto -h targetIP.txt 

The results look like those of the SSL scan above, one block per host.
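
Feeding Nikto the whole "hosts up" list means it spends a full run per host on ports where nothing is listening. The following script is an added example, not code from the Null Byte article: it shows the article's filter next to one that keeps only hosts whose port was reported open, working on a constructed sample written in the nmap -oG format (the IPs are taken from the scan above; the tab after the hostname field in real nmap output is replaced by spaces here, which makes no difference to awk).

```shell
#!/bin/sh
# Added example (not from the article): pick Nikto targets out of Nmap grepable
# output. The article's filter, awk '/Up$/ {print $2}', keeps every host that
# answered at all, which is why 192.168.0.11 and friends (port 80 closed) ended
# up in targetIP.txt. open_hosts keeps only hosts whose "Ports:" line reports
# the port as open.

# Constructed sample in nmap -oG format (hosts taken from the scan above; the
# comment lines are the header/footer nmap 7.x writes to the grepable file).
SAMPLE_GREPABLE='# Nmap 7.60 scan initiated Thu Dec  6 00:43:12 2018 as: nmap -p 80 -oG nullbyte.txt 192.168.0.0/24
Host: 192.168.0.1 ()    Status: Up
Host: 192.168.0.1 ()    Ports: 80/open/tcp//http///
Host: 192.168.0.2 ()    Status: Up
Host: 192.168.0.2 ()    Ports: 80/open/tcp//http///
Host: 192.168.0.11 ()   Status: Up
Host: 192.168.0.11 ()   Ports: 80/closed/tcp//http///
Host: 192.168.0.24 ()   Status: Up
Host: 192.168.0.24 ()   Ports: 80/filtered/tcp//http///
# Nmap done at Thu Dec  6 00:43:21 2018 -- 256 IP addresses (4 hosts up) scanned in 8.92 seconds'

# up_hosts FILE
#   The article's filter: every host nmap reported as up, open port or not.
up_hosts() {
    awk '/Up$/ {print $2}' "$1"
}

# open_hosts FILE PORT
#   Hosts whose "Ports:" line shows PORT as open; "closed" and "filtered"
#   entries are dropped. The second field of a grepable line is the IP.
open_hosts() {
    awk -v port="$2" '$0 ~ ("Ports: " port "/open/") {print $2}' "$1"
}

# Write the sample to a temporary file and show the two filters side by side.
TMP=$(mktemp)
printf '%s\n' "$SAMPLE_GREPABLE" > "$TMP"
echo "hosts up:";      up_hosts "$TMP"
echo "port 80 open:";  open_hosts "$TMP" 80
rm -f "$TMP"

# With a real scan file the pipeline becomes (network access, not run here):
#   open_hosts nullbyte.txt 80 > targetIP.txt
#   nikto -h targetIP.txt -o nikto-lan.txt
```

If the LAN scan also covered other web ports (8080, 8443 and so on), call open_hosts once per port and pass the port to Nikto with -port, since the host file does not carry port information.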

Step 6: Scan an HTTP Website

We've scanned a secure website and an IP range on a local network. Now it's time to scan an unsecured web domain over port 80. In this example I'm using afl.com.au, which did not use SSL at the time I ran this scan.

  nikto -h www.afl.com.au
  - Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          159.180.84.10
+ Target Hostname:    www.afl.com.au
+ Target Port:        80
+ Start Time:         2018-12-05 21:48:32 (GMT-8)
---------------------------------------------------------------------------
+ Server: instart/nginx
+ Retrieved via header: 1.1 varnish (Varnish/6.1), 1.1 e9ba0a9a729ff2960a04323bf1833df8.cloudfront.net (CloudFront)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache' found, with contents: Miss from cloudfront
+ Uncommon header 'instart-cache-id' found, with contents: 17:12768802731504004780::1544075250
+ Uncommon header 'v-cache-hit' found, with contents: hit
+ Uncommon header 'x-amz-cf-id' found, with contents: Dr-r6OwO5kk9ABt4ejzpc7R7AIF6SuH6kfJHQgP0v6xZoHwMLE55rQ==
+ Uncommon header 'instart-request-id' found, with contents: 12814413144077601501:BEQ01-CPVNPPRY18:1552504721:0
+ Uncommon header 'x-oneagent-js-injection' found, with contents: true
+ Uncommon header 'grace' found, with contents: Cache
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-ruxit-js-agent' found, with contents: true
+ Cookie dtCookie created without the httponly flag
+ The server banner changed from 'instart/nginx' to 'nginx' which may suggest a WAF, load balancer or proxy is in place
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/sites/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/search/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '*.mobileapp' in robots.txt returned a non-forbidden or redirect HTTP code (400)
+ Entry '*.liveradio' in robots.txt returned a non-forbidden or redirect HTTP code (400)
+ Entry '*.smartmobile' in robots.txt returned a non-forbidden or redirect HTTP code (400)
+ Entry '*responsive' in robots.txt returned a non-forbidden or redirect HTTP code (400)
+ Entry '/stats?*/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 8 entries which should be manually viewed.
+ OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
+ OSVDB-3092: /psql_history: This might be interesting...
+ OSVDB-3092: /global/: This might be interesting...
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3092: /news: This might be interesting...
+ OSVDB-3092: /search.vts: This might be interesting...
+ OSVDB-3092: /stats.htm: This might be interesting...
+ OSVDB-3092: /stats.txt: This might be interesting...
+ OSVDB-3092: /stats/: This might be interesting...
+ OSVDB-3092: /Stats/: This might be interesting...
+ OSVDB-3093: /.wwwacl: Contains authorization information
+ OSVDB-3093: /.www_acl: Contains authorization information
+ OSVDB-3093: /.htpasswd: Contains authorization information
+ OSVDB-3093: /.access: Contains authorization information
+ OSVDB-3093: /.addressbook: PINE addressbook, can store sensitive e-mail address contact information and notes
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.bash_history: A user's home directory may be set to the web root, the shell history was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.forward: User home dir was found with a mail forward file. May reveal where the user's mail is being forwarded to.
+ OSVDB-3093: /.history: A user's home directory may be set to the web root, the shell history was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.htaccess: Contains configuration and/or authorization information
+ OSVDB-3093: /.lynx_cookies: User home dir found with LYNX cookie file. May contain cookies from any web sites.
+ OSVDB-3093: /.mysql_history: Database SQL?
+ OSVDB-3093: /.passwd: Contains authorization information
+ OSVDB-3093: /.pinerc: User home dir found with a PINE rc file. May reveal system information, directories and more.
+ OSVDB-3093: /.plan: User home dir with a .plan, a mostly outdated file for delivering information via the finger protocol
+ OSVDB-3093: /.proclog: User home dir with a Procmail rc file. May reveal mail traffic, directories and more.
+ OSVDB-3093: /.procmailrc: User home dir with a Procmail rc file. May reveal subdirectories, mail contacts and more.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ OSVDB-3093: /.rhosts: A user's home directory may be set to the web root, a .rhosts file was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.sh_history: A user's home directory may be set to the web root, the shell history was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.ssh: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-5709: /.nsconfig: Contains authorization information
+ /portal/changelog: Vignette richtext HTML editor changelog found.
+ 7587 requests: 4 error(s) and 55 item(s) reported on remote host
+ End Time:           2018-12-05 22:42:41 (GMT-8) (3249 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Above we can see that there's a Varnish server in the path and some headers that hint at how the website is put together. The juicier stuff, though, is the directories and files it found, which may turn up configuration files containing credentials or other things that were misconfigured and left accessible by accident. Treat a long run of "user home directory" hits like this one with suspicion until you've confirmed them by hand, though: a CDN or WAF that answers every unknown path with a 200 page defeats Nikto's 404 detection and produces exactly this kind of list.

The OSVDB identifiers refer to the Open Sourced Vulnerability Database (a website that shut down in 2016). It was similar to other vulnerability databases such as SecurityFocus, Microsoft TechNet, and Common Vulnerabilities and Exposures (CVE). I prefer to check the National Vulnerability Database.

While nothing of real significance turned up in this scan that could be exploited, if something had, you could use the CVE reference tool to translate the OSVDB identifier into a CVE entry, and then use one of the other sites to learn more about the vulnerability.
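
Before looking any of those 55 items up, it's worth finding out how many of them are real. The script below is an added example, not code from the Null Byte article or from Nikto: it fetches each flagged URI, hashes the response body, and labels every URI whose body is shared with others as a catch-all page rather than a real file. The fetch helper assumes curl and either sha256sum or shasum are installed and needs network access; the sample fingerprints it classifies offline are constructed (the hashes are made-up short strings) to look like what a CDN-fronted site that serves one generic page for every unknown path would return.

```shell
#!/bin/sh
# Added example (not from the article): triage the "OSVDB-3093" home-directory
# hits from the afl.com.au scan. A site behind a CDN or WAF often answers every
# unknown path with the same 200 page, which defeats Nikto's 404 guessing and
# yields a wall of /.htpasswd, /.bash_history, /.ssh "findings". The check:
# fetch each flagged URI, hash the body, and treat any URI whose body matches
# other URIs as the catch-all response, not a real file.

# body_hash FILE  -- sha256 of a file, whichever tool the platform provides
body_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
        | cut -d' ' -f1
}

# fetch_fingerprints BASEURL   (reads URIs on stdin; assumes curl; needs network)
#   Prints "uri status sha256" per line, the input format classify expects.
fetch_fingerprints() {
    base=$1
    while read -r uri; do
        [ -z "$uri" ] && continue
        tmp=$(mktemp)
        status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 "$base$uri")
        printf '%s %s %s\n' "$uri" "$status" "$(body_hash "$tmp")"
        rm -f "$tmp"
    done
}

# classify FINGERPRINTS
#   FINGERPRINTS is "uri status hash" text. A hash shared by two or more URIs
#   marks the catch-all page; those URIs are labelled "catch-all", the rest
#   "unique" (worth opening by hand).
classify() {
    printf '%s\n' "$1" | awk '
        { uri[NR] = $1; status[NR] = $2; hash[NR] = $3; seen[$3]++ }
        END {
            for (i = 1; i <= NR; i++) {
                kind = (seen[hash[i]] > 1) ? "catch-all" : "unique"
                printf "%-9s %s %s\n", kind, status[i], uri[i]
            }
        }'
}

# unique_uris FINGERPRINTS -- just the URIs that deserve manual review
unique_uris() {
    classify "$1" | awk '$1 == "unique" {print $3}'
}

# Constructed sample: what fetch_fingerprints might return for a handful of the
# flagged paths when the edge serves one generic page for every unknown URL.
# The hashes are made-up placeholders, not real digests.
SAMPLE_FP='/.htpasswd 200 3a0c1b
/.bash_history 200 3a0c1b
/.ssh 200 3a0c1b
/.rhosts 200 3a0c1b
/sitemap.xml 200 9f77e2
/robots.txt 200 c41d05'

classify "$SAMPLE_FP"

# Live run against the scan's findings (network access, not run here):
#   classify "$(printf '%s\n' /.htpasswd /.bash_history /.ssh /.rhosts /sitemap.xml \
#               | fetch_fingerprints http://www.afl.com.au)"
```

If nearly every dotfile comes back as catch-all, the OSVDB-3093 block can be dismissed in one go and the lookup effort spent on the unique responses. The same catch-all behaviour is why Nikto's -no404 option exists: turning 404 guessing off on such a site makes the noise worse, not better, so leave it on and verify afterwards as above.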

Let's say we had found something interesting, such as CVE-2018-10933, a vulnerability in libssh that we've covered before. The CVE entry describes what can be exploited, its severity (e.g., critical), and other details that help determine an attack vector. If it makes sense to go after it, you can search Metasploit, since someone has probably already developed a weaponized module to make exploitation easier.

Step 7: Pair Scans with Metasploit

The best thing about Nikto is that it can export scan information in a format Metasploit can read. Simply use the commands above to run the scan and append -Format msf+ to the end. That format helps us quickly pair the data Nikto retrieved with a weaponized exploit.

  nikto -h <IP or hostname> -Format msf+

So in this guide we went from mapping the target surface to finding a vulnerability with a weaponized exploit, which saves us from having to do all the work ourselves. Since Nikto is not a stealthy tool, it's wise to run this kind of scan over a VPN, through Tor, or via some other service, so that your real IP address isn't flagged for suspicious behavior.

Cover image via Null Byte
