Another one that has been a long time coming, but finally here it is! Nikto 2.
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).
Not every check is a security problem, though most are. Some items are “info only” checks: they look for things that may not be a security flaw but that the webmaster or security engineer may not know are present on the server. Such items are marked appropriately in the output. There are also checks for unknown items that have been observed being scanned for in web server log files.
Version 2 adds a ton of enhancements, including:
- Fingerprinting web servers via favicon.ico files
- 404 error checking for each file type
- Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
- Scan tuning to include or exclude entire classes of vulnerability checks
- Uses LibWhisker 2, which has its own long list of enhancements
- A “single” scan mode that allows you to craft an HTTP request manually
- Basic template engine so that HTML reports can be easily customized
- An experimental knowledge base for scans, which will allow regenerated reports and retests (future)
- Optimizations, bug fixes and more…
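The “404 error checking for each file type” and “content hashing” items above address the classic web-scanner false-positive problem: a server configured to answer every unknown path with HTTP 200 and a friendly “not found” page makes a status-code-only scanner report every probed file as present. The following Python is an added illustration of that technique, not code from the post or from Nikto itself; the server, its paths and its bodies are a constructed in-memory stand-in so that it runs offline. Per file extension it first requests a random name that cannot exist, records the status and a hash of the body, and then only reports a probed path as present when the response differs from that baseline.

```python
import hashlib
import os
import random
import string

# Constructed stand-in for a web server so the example runs offline.
# It maps path -> (status, body). Anything not listed gets a "soft 404":
# HTTP 200 with a generic not-found page. Servers configured this way
# defeat status-code-only scanners and produce long false-positive
# reports, because every probed file appears to exist.
SIMULATED_SERVER = {
    "/index.html": (200, "<html><body>Welcome</body></html>"),
    "/admin/config.php": (200, "<html><body>Configuration panel</body></html>"),
}
SOFT_404_BODY = "<html><body>Sorry, that page does not exist.</body></html>"


def fetch(path):
    """Return the (status, body) the simulated server gives for a path."""
    return SIMULATED_SERVER.get(path, (200, SOFT_404_BODY))


def body_hash(body):
    """Hash of the response body, so responses can be compared cheaply."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def baseline_for_extension(ext, rng):
    """Request a random file name with the given extension that cannot exist
    and record how the server answers (status + body hash). This is the
    per-file-type 404 check: servers often handle .php, .cgi and static
    files through different handlers, so one global baseline is not enough."""
    name = "".join(rng.choices(string.ascii_lowercase, k=12))
    status, body = fetch("/" + name + ext)
    return status, body_hash(body)


def check_paths(paths, seed=1):
    """Probe each path and return (path, naive, refined) tuples:
    naive   - 'present' if the status is 200
    refined - 'present' only if the response also differs from this
              server's baseline for a nonexistent file of the same type"""
    rng = random.Random(seed)
    baselines = {}
    results = []
    for path in paths:
        ext = os.path.splitext(path)[1]
        if ext not in baselines:
            baselines[ext] = baseline_for_extension(ext, rng)
        status, body = fetch(path)
        base_status, base_hash = baselines[ext]
        naive = status == 200
        looks_like_404 = status == base_status and body_hash(body) == base_hash
        refined = naive and not looks_like_404
        results.append((path, naive, refined))
    return results


if __name__ == "__main__":
    probes = ["/index.html", "/admin/config.php", "/backup.zip", "/phpinfo.php"]
    for path, naive, refined in check_paths(probes):
        print(f"{path:20} naive={naive!s:5} refined={refined}")
```

On the constructed server the naive rule flags all four paths, while the refined rule keeps only the two that really exist. Against a real server the same logic would also want to tolerate small per-response differences (timestamps, the requested name echoed into the page), which is why the post lists headers and page content alongside plain hashing.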
You can download Nikto 2 here:
Or read more here.
Sir Henry says
I think it is time to request a scan or two on my web host to keep them honest. Wonder how they will respond to that. If they refuse, then what do they have to hide, right? And if they don’t and something gets pwnd, perhaps I shall have to find another home? We shall see.
mumble says
@Sir Henry: I’m surprised, given your background, that you’re not running on a virtual server rather than shared hosting. The costs have dropped to the point where there’s no practical difference – and an order of magnitude more control.
BTW — mumble (symbol) fruck (punctuation) org
Sir Henry says
I know, I know…shame on me. ;P My host does not provide VPS at a price point comparable to that which I am spending upon a shared hosting environment. Indeed, though, I know the advantages of running on a VPS and would love to, but right now, just do not have the $$ to justify it.
goodpeople says
Nikto rocks! I love it. I also do lectures. Nikto is one of my favorites. Just ask someone in the audience if they have their own webserver and run Nikto against it.
goodpeople says
@sir henry,
Check your contract and look for something that says that you are not allowed to scan.
When unsure, send them an email (on friday evening) that you will be performing a scan and start the scan 5 minutes later.
Sir Henry says
@goodpeople
I contacted them to ask about scans and audits on shared servers and their response was, “The more attention to security by our customers, the better.” That included all the normal caveats of not pwning the server in any way and, if there is something serious, to simply let them know.
mumble says
The main problem with not pwning the box is that often, the only reliable way of knowing whether the box is vulnerable is to bang on it and find out. Of course, once you have a shell on a box, it’s pwned.
Sir Henry says
So far, I have not seen much that really gives me worry. Although, if you have access to the box, you can cat any of the log files and gain username information based upon ssh auth and whatnot. I am not sure that is anything to worry about from my perspective, but I will bring it up, anyway. I do not know that they would want their customers to have that type of information about one another. I am taking an iterative approach, however, and seeing what I can leverage from each type of assessment I make.
goodpeople says
@Sir Henry,
If I were you, I’d let Nikto and Nessus loose on their server and see where it leads to. Combined with the info you get when you actually do have an account on the box, it could get very interesting…
Sir Henry says
@goodpeople:
I have been using Nikto thus far and am considering other apps, as well. I once worked for Qualys, so I still have the availability of an account there to use for scanning the server. I might use Nessus to simply compare and contrast the two.
James Cooper says
Nikto’s design seems fundamentally flawed. I know companies like Qualys, Tenable (Nessus) and Outpost24 who used to use Nikto were putting out really long and misleading reports when they were using Nikto against sites that didn’t return 404 error codes. My latest reports from Outpost24 have been much better, but it seems like they dropped Nikto.
I’m interested in playing with this new version to see if it has gotten any better about false positives.
Sir Henry says
@James
So far, I am pleased with the new version of Nikto, but, being of a skeptical nature, I always use many tools and see where the differences lie to weed out the false positives. I am not familiar with Outpost24, however, and shall add that to my list of things to investigate. Thanks for the tip.
goodpeople says
@Sir Henry,
Will you keep us posted?
eM3rC says
@Sir Henry
Ditto what goodpeople said
Great program! Thanks darknet!
Sir Henry says
@goodpeople and eM3rC
I have sent off my Nikto results to my web host for consultation before I make any changes. In addition to that, I ran a QG map and scan against the server IP. I am thinking that they are still going through all the results. The good thing is that there were not any sev4 and sev5 vulns. As for the sev3’s, I await their response.
goodpeople says
You do realize that you have just become “that annoying guy who thinks he understands the wonderful Internet”. Right?
Sir Henry says
For my web host? lol…yeah, I believe I have become that guy. But, I think they appreciate it. I once submitted with the following lines to show them that they needed to restart httpd:
ps -ef | grep httpd
userx 25159 25142 0 16:52 pts/2 00:00:00 grep httpd
I believe they laughed, but thanked me for being attentive.
goodpeople says
hahaha,
Well, I guess everybody here knows the frustration of knowing more than the people who are supposed to give support.
eM3rC says
@ Sir Henry
It’s nice that you would be nice enough to contact your host about their vulnerabilities and let them know about what you were going to try to do. Many people I know seem to just do what they want and if someone doesn’t like it, down go the servers and/or website and/or computer.
ivan says
hi….
i am a total newbie on computer security, so please be patient :)
so, nikto 2 contains many enhancements over the first version. one of the major new features is fingerprinting web servers via favicon.ico files.
because i’m a newbie i don’t know how Nikto finds a webserver bug through a *.ico file, so please tell me.
any answer would be appreciated !
Sir Henry says
@Ivan
This is simple enough. They are speaking specifically about the favicon .ico file for popular webservers. If you do a search for favicon.ico on a server, there is information there that can disclose the type of webserver, thus providing the fingerprint.
ivan says
Sir Henry,
Thanks a bunch for your explanation, but there’s a thing that I don’t understand yet. So, can you give examples of the favicon .ico files of some webservers, like you’re talking about?
Sir Henry says
Look at the following link to see how one would check a favicon to enumerate the fingerprint of a web server:
http://list.nessus.org/pipermail/plugins-writers/2005-October/msg00033.html
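The mechanism behind the favicon check is simpler than it sounds, and the following Python is an added illustration of it (not code from the post, from Nikto, or from the Nessus plugin thread linked above). Many server and application packages ship with a default favicon.ico that administrators never replace; hashing the bytes a server returns for that file and looking the hash up in a table of hashes of known default icons identifies the software without reading a single banner. The icon names, byte strings and hashes below are constructed for the example, not real fingerprints; a real table such as Nikto’s is built the same way from the actual default icons. The defender-side function reports which of your own hosts still serve a recognisable default icon, which is the thing to fix: replace it with your own.

```python
import hashlib

# Constructed favicon byte strings standing in for the default icons that
# ship with common web server packages. Real icons are a few hundred bytes
# of ICO data; the names and bytes here are made up for the example, and
# the hashes are derived from these bytes, not taken from any real database.
DEFAULT_ICONS = {
    "ExampleServer 1.x default favicon": b"\x00\x00\x01\x00EXAMPLE-SERVER-1",
    "ExampleApp 2.x admin favicon": b"\x00\x00\x01\x00EXAMPLE-APP-2",
}


def favicon_hash(data):
    """Hash used purely as a lookup key for known icons. MD5 is fine for
    that purpose (nothing here relies on collision resistance)."""
    return hashlib.md5(data).hexdigest()


# Table a scanner would ship: hash -> software the icon belongs to.
KNOWN_HASHES = {favicon_hash(b): name for name, b in DEFAULT_ICONS.items()}


def fingerprint_favicon(data, known=KNOWN_HASHES):
    """Return the software a favicon identifies, or None if it is not a
    recognised default icon (e.g. a site-specific custom favicon)."""
    if not data:
        return None
    return known.get(favicon_hash(data))


def disclosure_report(served_favicons, known=KNOWN_HASHES):
    """Defender's view over your own hosts: each entry is (url, favicon bytes
    as served, or None if the server returned no favicon). Returns
    (url, identified_software, discloses) so the hosts that still serve a
    stock icon can be given a custom one."""
    report = []
    for url, data in served_favicons:
        hit = fingerprint_favicon(data, known)
        report.append((url, hit, hit is not None))
    return report


if __name__ == "__main__":
    # Constructed sample: two hosts with stock icons, one custom, one without.
    sample = [
        ("http://host-a.example/favicon.ico", DEFAULT_ICONS["ExampleServer 1.x default favicon"]),
        ("http://host-b.example/favicon.ico", DEFAULT_ICONS["ExampleApp 2.x admin favicon"]),
        ("http://host-c.example/favicon.ico", b"\x00\x00\x01\x00my-own-logo"),
        ("http://host-d.example/favicon.ico", None),
    ]
    for url, software, discloses in disclosure_report(sample):
        print(f"{url:40} {'discloses ' + software if discloses else 'no default icon found'}")
```

Note that the soft-404 problem from the post’s feature list applies here too: a server that answers every unknown path with a 200 “not found” page will return that page for /favicon.ico, so a careful check hashes only responses that differ from the server’s not-found baseline.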
ivan says
oh my god, again, thanks a bunch for your absolutely ultra fast reply, i have understood now :)
Sir Henry says
Anything to spread the word on security.