24 December 2007

Nikto 2 Released – Web Server Scanning Tool

Another one that has been a long time coming, but finally here it is! Nikto 2.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check corresponds to a security problem, though most do. Some items are “info only” checks that look for things which are not flaws in themselves, but which the webmaster or security engineer may not realise are present on the server. These items are marked as such in the output. There are also checks for items of unknown significance that have been seen being scanned for in log files.

Version 2 adds a ton of enhancements, including:

  • Fingerprinting web servers via favicon.ico files
  • 404 error checking for each file type
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Uses LibWhisker 2, which has its own long list of enhancements
  • A “single” scan mode that allows you to craft an HTTP request manually
  • Basic template engine so that HTML reports can be easily customized
  • An experimental knowledge base for scans, which will allow regenerated reports and retests (future)
  • Optimizations, bug fixes and more…

You can download Nikto 2 here:

nikto-current.tar.gz

Or read more here.
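The 404 checking and hash-based false positive reduction in the list above are easiest to understand as code. The block below is an added example written for this page, not Nikto’s own (Perl) code, and it assumes a constructed stand-in server (`fake_server`) rather than a real target. Its function names (`fingerprint`, `build_baseline`, `check`, `naive_check`) and its normalisation rule (strip the echoed request path, collapse whitespace) are this example’s own choices; the page does not say which normalisations Nikto applies. The idea is the one the feature list describes: request a file that cannot exist for each extension, record how the server answers (status, content type, hash of the body), and only report a candidate file when its response differs from that baseline.

```python
"""Per-extension 404 baselining with content hashing (added example, not Nikto code)."""
import hashlib
import re
import secrets

# --- Constructed stand-in for a web server; not a real target ----------------
REAL_FILES = {
    "/admin.php": (200, {"Content-Type": "text/html"},
                   "<html><title>Admin login</title><form>...</form></html>"),
    "/cgi-bin/test-cgi": (200, {"Content-Type": "text/plain"},
                          "CGI/1.0 test script report:\n\nargc is 0."),
}


def fake_server(path):
    """Answers every unknown .php with a 200 'soft 404' that echoes the path,
    and everything else unknown with a real 404."""
    if path in REAL_FILES:
        return REAL_FILES[path]
    if path.endswith(".php"):
        body = f"<html><body><h1>Sorry, {path} was not found</h1></body></html>"
        return 200, {"Content-Type": "text/html"}, body
    return 404, {"Content-Type": "text/html"}, "<html><h1>404 Not Found</h1></html>"


# --- Scanner side ------------------------------------------------------------
def extension_of(path):
    """'/a/b.php' -> 'php'; '/cgi-bin/test-cgi' -> '' (no extension)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def normalize(body, path):
    # Drop the echoed request path and collapse whitespace, so two "not found"
    # pages for different file names hash identically (assumed normalisation).
    return re.sub(r"\s+", " ", body.replace(path, "")).strip()


def fingerprint(path, status, headers, body):
    """(status, content type, md5 of normalised body): the three signals the
    feature list names: headers, page content, content hashing."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    digest = hashlib.md5(normalize(body, path).encode()).hexdigest()
    return (status, ctype, digest)


def build_baseline(fetch, extensions):
    """One request per extension for a random name that cannot exist; record
    how the server answers it."""
    baseline = {}
    for ext in extensions:
        probe = "/" + secrets.token_hex(8) + (f".{ext}" if ext else "")
        status, headers, body = fetch(probe)
        baseline[ext] = fingerprint(probe, status, headers, body)
    return baseline


def check(fetch, path, baseline):
    """'found', 'absent' or 'untested' for one candidate file."""
    ext = extension_of(path)
    if ext not in baseline:
        return "untested"
    status, headers, body = fetch(path)
    if status == 404 or fingerprint(path, status, headers, body) == baseline[ext]:
        return "absent"          # real 404, or identical to the known "missing" answer
    return "found"               # same request shape, different answer: report it


def naive_check(fetch, path):
    """What a scanner without baselining does: trust the status code."""
    status, _headers, _body = fetch(path)
    return "found" if status == 200 else "absent"


def scan(fetch, candidates):
    baseline = build_baseline(fetch, {extension_of(p) for p in candidates})
    return {p: check(fetch, p, baseline) for p in candidates}


if __name__ == "__main__":
    for path, verdict in scan(fake_server, ["/admin.php", "/login.php",
                                            "/cgi-bin/test-cgi", "/cgi-bin/nope.cgi"]).items():
        print(f"{verdict:7} {path}   (naive: {naive_check(fake_server, path)})")
```

Against this stand-in, `/login.php` is reported as present by the naive status-code check but correctly dropped by the baselined one, which is exactly the class of report the comment thread below complains about. The caveat is that exact hashing fails on error pages that embed per-request data (timestamps, request IDs); such fields have to be normalised out as well, or the comparison degrades to headers and status alone.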



25 Responses to “Nikto 2 Released – Web Server Scanning Tool”

  1. Sir Henry 24 December 2007 at 2:12 pm Permalink

    I think it is time to request a scan or two on my web host to keep them honest. Wonder how they will respond to that. If they refuse, then what do they have to hide, right? And if they don’t and something gets pwnd, perhaps I shall have to find another home? We shall see.

  2. mumble 24 December 2007 at 4:39 pm Permalink

    @Sir Henry: I’m surprised, given your background, that you’re not running on a virtual server rather than shared hosting. The costs have dropped to the point where there’s no practical difference – and an order of magnitude more control.

    BTW — mumble (symbol) fruck (punctuation) org

  3. Sir Henry 24 December 2007 at 4:43 pm Permalink

    I know, I know…shame on me. ;P My host does not provide VPS at a price point comparable to that which I am spending upon a shared hosting environment. Indeed, though, I know the advantages of running on a VPS and would love to, but right now, just do not have the $$ to justify it.

  4. goodpeople 28 December 2007 at 8:02 am Permalink

    Nikto rocks! I love it. I also do lectures. Nikto is one of my favorites. Just ask someone in the audience if they have their own webserver and run Nikto against it.

  5. goodpeople 28 December 2007 at 8:06 am Permalink

    @sir henry,

    Check your contract and look for something that says that you are not allowed to scan.

    When unsure, send them an email (on friday evening) that you will be performing a scan and start the scan 5 minutes later.

  6. Sir Henry 28 December 2007 at 2:41 pm Permalink

    @goodpeople

    I contacted them to ask about scans and audits on shared servers and their response was, “The more attention to security by our customers, the better.” That included all the normal caveats of not pwning the server in any way and if there is something serious, to simply let them know.

  7. mumble 28 December 2007 at 4:01 pm Permalink

    The main problem with not pwning the box is that often, the only reliable way of knowing whether the box is vulnerable is to bang on it and find out. Of course, once you have a shell on a box, it’s pwned.

  8. Sir Henry 28 December 2007 at 4:15 pm Permalink

    So far, I have not seen much that really gives me worry. Although, if you have access to the box, you can cat any of the log files and gain username information based upon ssh auth and whatnot. I am not sure that is anything to worry about from my perspective, but I will bring it up, anyway. I do not know that they would want their customers to have that type of information about one another. I am taking an iterative approach, however, and seeing what I can leverage from each type of assessment I make.

  9. goodpeople 3 January 2008 at 11:08 am Permalink

    @Sir Henry,

    If I were you, I’d let Nikto and Nessus loose on their server and see where it leads to. Combined with the info you get when you actually do have an account on the box, it could get very interesting.

  10. Sir Henry 3 January 2008 at 12:48 pm Permalink

    @goodpeople:

    I have been using Nikto thus far and am considering other apps, as well. I once worked for Qualys, so I still have the availability of an account there to use for scanning the server. I might use Nessus to simply compare and contrast the two.

  11. James Cooper 4 January 2008 at 10:18 am Permalink

    Nikto’s design seems fundamentally flawed. I know companies like Qualys, Tenable (nessus) and Outpost24 who used to use nikto were putting out really long and misleading reports when they were using nikto against sites that didn’t return 404 error codes. My latest reports from Outpost24 have been much better, but it seems like they dropped nikto.

    I’m interested in playing with this new version to see if it has gotten any better about false positives.

  12. Sir Henry 4 January 2008 at 3:33 pm Permalink

    @James

    So far, I am pleased with the new version of Nikto, but, being of skeptical nature, I always use many tools and see where the differences lie to weed out the false positives. I am not familiar with Outpost24, however, and shall add that to my list of things to investigate. Thanks for the tip.

  13. goodpeople 6 January 2008 at 8:15 am Permalink

    @Sir Henry,

    Will you keep us posted?

  14. eM3rC 6 January 2008 at 9:41 pm Permalink

    @Sir Henry

    Ditto what goodpeople said

    Great program! Thanks darknet!

  15. Sir Henry 8 January 2008 at 11:05 pm Permalink

    @goodpeople and eM3rC

    I have sent off my Nikto results to my web host for consultation before I make any changes. In addition to that, I ran a QG map and scan against the server IP. I am thinking that they are still going through all the results. The good thing is that there were not any sev4 or sev5 vulns. As for the sev3’s, I await their response.

  16. goodpeople 9 January 2008 at 12:09 am Permalink

    You do realize that you have just become “that annoying guy who thinks he understands the wonderful Internet”. Right?

  17. Sir Henry 9 January 2008 at 12:51 am Permalink

    For my web host? lol…yeah, I believe I have become that guy. But, I think they appreciate it. I once submitted the following lines to show them that they needed to restart httpd:

    ps -ef | grep httpd
    userx 25159 25142 0 16:52 pts/2 00:00:00 grep httpd

    I believe they laughed, but thanked me for being attentive.

  18. goodpeople 9 January 2008 at 12:55 am Permalink

    hahaha,

    Well, I guess everybody here knows the frustration of knowing more than the people who are supposed to give support.

  19. eM3rC 9 January 2008 at 3:05 am Permalink

    @ Sir Henry

    It’s nice that you would be nice enough to contact your host about their vulnerabilities and let them know about what you were going to try to do. Many people I know seem to just do what they want and if someone doesn’t like it, down go the servers and/or website and/or computer.

  20. ivan 9 January 2008 at 2:07 pm Permalink

    hi….

    I am a total newbie on computer security, so please be patient :)

    So, Nikto 2 contains many enhancements over the first version. One of the major new features is fingerprinting web servers via favicon.ico files.

    Because I’m a newbie, I don’t know how Nikto finds a webserver bug through a *.ico file, so please tell me.

    Any answer would be appreciated!

  21. Sir Henry 9 January 2008 at 2:59 pm Permalink

    @Ivan

    This is simple enough. They are speaking specifically about the favicon .ico file for popular webservers. If you do a search for favicon.ico on a server, there is information there that can disclose the type of webserver, thus providing the fingerprint.

  22. ivan 9 January 2008 at 7:39 pm Permalink

    Sir Henry,

    Thanks a bunch for your explanation, but there’s something I don’t understand yet. So, can you give examples of what you’re talking about, like the favicon .ico of some webservers?

  23. Sir Henry 9 January 2008 at 7:43 pm Permalink

    Look at the following link to see how one would check a favicon to enumerate the fingerprint of a web server:

    http://list.nessus.org/pipermail/plugins-writers/2005-October/msg00033.html
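    To make the favicon technique discussed in this thread concrete, here is an added example written for this page; it is not the commenter’s code, not the Nessus plugin linked above and not Nikto’s own. The mechanism is the one described: fetch /favicon.ico, hash the bytes, and look the hash up in a table of icons shipped by known server and application packages. The example also parses the ICO container header first, because a server that answers every unknown path with a 200 “soft 404” page would otherwise hand the scanner an HTML document to hash. The “known icon” table here is constructed from icons built inside the example and labelled as such; it contains no real product hashes.

```python
"""Favicon fingerprinting with ICO structure validation (added example, not Nikto code)."""
import hashlib
import struct

ICONDIR = "<HHH"          # reserved (0), type (1 = icon), image count
ICONDIRENTRY = "<BBBBHHII"  # width, height, colours, reserved, planes, bpp, size, offset


def build_ico(width=16, height=16, payload=b"\x00" * 64):
    """Constructed minimal .ico file: one directory entry pointing at `payload`."""
    header = struct.pack(ICONDIR, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY, width, height, 0, 0, 1, 32, len(payload), 6 + 16)
    return header + entry + payload


def parse_ico(data):
    """Return [(width, height, size, offset), ...] if `data` is a structurally
    valid ICO container, else None. Width/height 0 in the header mean 256."""
    if len(data) < 6:
        return None
    reserved, kind, count = struct.unpack_from(ICONDIR, data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        return None
    entries = []
    for i in range(count):
        off = 6 + 16 * i
        if off + 16 > len(data):
            return None
        w, h, _colours, _res, _planes, _bpp, size, img_off = struct.unpack_from(ICONDIRENTRY, data, off)
        if size == 0 or img_off + size > len(data):
            return None          # entry points outside the file: not a usable icon
        entries.append((w or 256, h or 256, size, img_off))
    return entries


def favicon_fingerprint(status, body, known):
    """Classify a GET /favicon.ico response against a table of known icon hashes."""
    if status != 200:
        return "no favicon"
    if parse_ico(body) is None:
        return "not an icon (soft 404 or custom page?)"
    digest = hashlib.md5(body).hexdigest()
    return known.get(digest, f"unknown icon md5={digest}")


# Constructed table: hashes of icons built above, NOT real product fingerprints.
EXAMPLE_HTTPD_ICON = build_ico(payload=b"H" * 64)
EXAMPLE_CMS_ICON = build_ico(width=32, height=32, payload=b"C" * 128)
KNOWN = {
    hashlib.md5(EXAMPLE_HTTPD_ICON).hexdigest(): "example-httpd default icon (constructed)",
    hashlib.md5(EXAMPLE_CMS_ICON).hexdigest(): "example-cms default icon (constructed)",
}

if __name__ == "__main__":
    # Constructed responses a scanner might see for /favicon.ico.
    for status, body in [(200, EXAMPLE_HTTPD_ICON),
                         (200, b"<html><h1>Sorry, that page was not found</h1></html>"),
                         (200, build_ico(payload=b"custom-site-art")),
                         (404, b"")]:
        print(favicon_fingerprint(status, body, KNOWN))
```

A match only tells you which package shipped the icon, not that the server is vulnerable; an administrator who leaves the stock favicon in place on a patched install produces the same hash. That is why this belongs with the “info only” class of results mentioned in the post rather than with the vulnerability checks.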

  24. ivan 9 January 2008 at 7:57 pm Permalink

    Oh my god, again, thanks a bunch for your absolutely ultra fast reply, I have understood now :)

  25. Sir Henry 9 January 2008 at 7:58 pm Permalink

    Anything to spread the word on security.