From greencm at gmail.com Tue Apr 1 21:41:12 2008
From: greencm at gmail.com (Chris Green)
Date: Tue, 1 Apr 2008 16:41:12 -0500
Subject: [Nikto-discuss] Multiple roots from a single scan?

Good day,

I'd love a method for giving multiple starting roots, perhaps from a file. Right now, I've just got a shell script that iterates the loop. Does anyone have a better approach than the following?

cat dirs.txt | while read line; do
    nikto -host server -root ${line}
done

Thanks,
Chris

--
Chris Green

From jericho at attrition.org Tue Apr 1 23:19:17 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 1 Apr 2008 23:19:17 +0000 (UTC)
Subject: [Nikto-discuss] Multiple roots from a single scan?

: I'd love a method for giving multiple starting roots, perhaps from a
: file. Right now, I've just got a shell script that iterates the loop.
: Does anyone have a better approach than the following?
:
: cat dirs.txt | while read line; do
: nikto -host server -root ${line}
: do

I don't have a better solution, but this seems like a great enhancement to the multiple host scanning functionality. As it stands, you can put in an IP and list of ports (e.g. 1.2.3.4,80,443). Having the ability to also specify a path in that would be nice.

From sullo at cirt.net Tue Apr 1 23:41:19 2008
From: sullo at cirt.net (Sullo)
Date: Tue, 01 Apr 2008 19:41:19 -0400
Subject: [Nikto-discuss] Multiple roots from a single scan?
Message-ID: <47F2C81F.2000302@cirt.net>

At the current time, that's the best solution. It would be fairly trivial to allow a file of hosts to have notation like:

http://example.com/root1/
http://example.com/root2/

and/or:

http://example.com/
/root1/
/root2/
/root3/

To specify multiple values to the -root option is do-able, but will require a bit of extra looping/host population in %TARGETS.
Reminder: all the code, tickets, etc., available via SVN/Trac:
https://trac2.assembla.com/Nikto_2

security curmudgeon wrote:
> : I'd love a method for giving multiple starting roots, perhaps from a
> : file. Right now, I've just got a shell script that iterates the loop.
> : Does anyone have a better approach than the following?
> :
> : cat dirs.txt | while read line; do
> : nikto -host server -root ${line}
> : do
>
> I don't have a better solution, but this seems like a great enhancement to
> the multiple host scanning functionality. As it stands, you can put in an
> IP and list of ports (e.g. 1.2.3.4,80,443). Having the ability to also
> specify a path in that would be nice.

From sullo at cirt.net Tue Apr 1 23:45:16 2008
From: sullo at cirt.net (Sullo)
Date: Tue, 01 Apr 2008 19:45:16 -0400
Subject: [Nikto-discuss] Nikto 2.02 SSL Scan won't work
References: <000901c8928e$23a77ed0$6af67c70$@com> <47EFDAEA.8010907@cirt.net> <000001c8929d$f54e2880$dfea7980$@com>
Message-ID: <47F2C90C.4090603@cirt.net>

Has this happened on multiple targets from the same scanning machine? Has it happened from the same scanning machine against multiple targets? Do IPs vs names make any difference? What if you force the vhost with -v?

Frank could be on to something here, but I would think the problem would be more widely seen if that line is the problem...

Frank Breedijk wrote:
> It would not be the first time that the reverse hostname does not resolve back to the right IP address?
>
> It seems to happen in line 117 of nikto.pl
>
> $request{'whisker'}->{'host'} = $TARGETS{$CURRENT_HOST_ID}{hostname} || $TARGETS{$CURRENT_HOST_ID}{ip};
>
>
> Kurt Keiser wrote:
>
>> I'm currently running Fedora Core 7 with the latest version of OpenSSL
>> and have the NET::SSLEAY perl module installed.
>> I cannot get Nikto 2.02 to scan https sites.
>>
>> I had the same issue with 1.36. Luckily the FC7 rpm for it worked.
>> For some reason the source files will not work. Does anyone have any
>> advice?
>>
>> I get the error on sites that have ssl. "No HTTP(s) ports found on
>> x.x.x.x" when running the following command. Nikto -h x.x.x.x -port
>> 443 -ssl
>>

From jhart at spoofed.org Wed Apr 2 08:02:43 2008
From: jhart at spoofed.org (Jon Hart)
Date: Wed, 2 Apr 2008 01:02:43 -0700
Subject: [Nikto-discuss] Nikto 2.02 SSL Scan won't work
In-Reply-To: <47F2C90C.4090603@cirt.net>
References: <000901c8928e$23a77ed0$6af67c70$@com> <47EFDAEA.8010907@cirt.net> <000001c8929d$f54e2880$dfea7980$@com> <47F2C90C.4090603@cirt.net>
Message-ID: <20080402080243.GG3238@spoofed.org>

On Tue, Apr 01, 2008 at 07:45:16PM -0400, Sullo wrote:
> Has this happened on multiple targets from the same scanning machine?
> Has it happened from the same scanning machine against multiple targets?
> Do IPs vs names make any difference? what if you force the vhost with -v?
>
> Frank could be on to something here, but I would think the problem would
> be more widely seen if that line is the problem...

When I've seen this happen, the vhost option and trying hostnames and IPs did not seem to have an effect. Similarly, SSL certs signed by a trusted, untrusted or self-signed don't seem to matter either.

Run in debug mode, I get this:

D: - $whisker->error Error sending request to server: Could not send entire data queue

If you track that down, it is coming from LW.pm. Slap some debug code into LW.pm, and you'll instead see this:

D: - $whisker->error Error sending request to server: Could not send entire data queue (err=SSL_write 1047: 1 - error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call

This seems to be a bug in LW, but not in LW2.
See: http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/2006-May/000760.html
And: http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/2006-May/000762.html

This workaround is in there.

-jon

From kingthorin at gmail.com Tue Apr 8 19:05:29 2008
From: kingthorin at gmail.com (Thorin Oakenshield)
Date: Tue, 8 Apr 2008 15:05:29 -0400
Subject: [Nikto-discuss] Port Range Scanning Broken?

Has anyone experienced the following issue? Any ideas/insight?

Dashed ranges appear to be broken, i.e.:

$ perl nikto.pl -findonly -h host.com -p 80-82
---------------------------------------------------------------------------
- Nikto 2.02/2.03 - cirt.net
+ No HTTP(s) server found on host.com / 80-82
+ 1 host(s) tested

Comma separated ranges seem to work:

$ perl nikto.pl -findonly -h host.com -p 80,81,82
---------------------------------------------------------------------------
- Nikto 2.02/2.03 - cirt.net
+ Server: http://host.com:80 Microsoft-IIS/6.0
+ No HTTP(s) server found on host.com / 81
+ No HTTP(s) server found on host.com / 82
+ 1 host(s) tested

Single ports seem to work:

$ perl nikto.pl -findonly -h host.com -p 80
---------------------------------------------------------------------------
- Nikto 2.02/2.03 - cirt.net
+ Server: http://host.com:80 Microsoft-IIS/6.0
+ 1 host(s) tested

From sullo at cirt.net Fri Apr 11 16:08:50 2008
From: sullo at cirt.net (Sullo)
Date: Fri, 11 Apr 2008 12:08:50 -0400
Subject: [Nikto-discuss] Port Range Scanning Broken?
Message-ID: <47FF8D12.70308@cirt.net>

Since most of you aren't members of Assembla, and the update is going to require a new packaging of Nikto (since it's in a place that the auto-updater can't currently handle), I wanted to let you know that a patch from deity is available if this functionality is critical and not working for you:

Trac bug info: https://trac2.assembla.com/Nikto_2/ticket/23
Patch info: https://trac2.assembla.com/Nikto_2/changeset/29

Much thanks to Thorin for reporting & deity for fixing.

-Sullo

Thorin Oakenshield wrote:
> Has anyone experienced the following issue? Any ideas/insight?
>
> Dashed ranges appear to be broken, i.e.:
>
> $ perl nikto.pl -findonly -h host.com -p 80-82
> ---------------------------------------------------------------------------
> - Nikto 2.02/2.03 - cirt.net
> + No HTTP(s) server found on host.com / 80-82
> + 1 host(s) tested
>
> Comma separated ranges seem to work:
>
> $ perl nikto.pl -findonly -h host.com -p 80,81,82
> ---------------------------------------------------------------------------
> - Nikto 2.02/2.03 - cirt.net
> + Server: http://host.com:80 Microsoft-IIS/6.0
> + No HTTP(s) server found on host.com / 81
> + No HTTP(s) server found on host.com / 82
> + 1 host(s) tested
>
> Single ports seem to work:
>
> $ perl nikto.pl -findonly -h host.com -p 80
> ---------------------------------------------------------------------------
> - Nikto 2.02/2.03 - cirt.net
> + Server: http://host.com:80 Microsoft-IIS/6.0
> + 1 host(s) tested

From dave at cirt.net Mon Apr 14 16:40:10 2008
From: dave at cirt.net (dave at cirt.net)
Date: Mon, 14 Apr 2008 12:40:10 -0400
Subject: [Nikto-discuss] Reporter plugin
Message-ID:
<20080414124010.2hzrpsc6qskw44gk@webmail.sullo.com>

I'm going to be giving this plugin a bit of much needed attention, but, I want to check opinion first.

The current plugin will output in csv, html, xml: what do people want?

I personally just use nikto to detect issues and then mangle results into my own format for reporting - to this end the normal text and csv functions work perfectly for me, but, I know some people who want a fancy report, which they can pass straight on.

So, do we want a fancy bit of HTML or PDF report, or are people happy with the low level text and csv?

dave

From falter+nikto at gmail.com Mon Apr 21 18:42:27 2008
From: falter+nikto at gmail.com (mike)
Date: Mon, 21 Apr 2008 13:42:27 -0500
Subject: [Nikto-discuss] Nikto2 + Net::SSLeay memory leak?
Message-ID: <595631610804211142p6ba2dac8ge96e7c000e6c10b5@mail.gmail.com>

Hi guys,

I know that libwhisker is the fella that bundles up all the SSL connectivity code, but Nikto2 is the only place where I use it, so it made sense to post here, first.

I've observed that when running a nikto2 scan on an https connection, the memory utilization of perl steadily increases over time, until the end of the scan. When I run a nikto scan against a non-ssl service, watching the process in top, perl never goes beyond 20 megabytes of memory usage throughout the scan. With an ssl service, we go through the scan and memory eventually climbs up to ~90 meg before the scan ends normally. I run multiple nikto scans in parallel, so every bit of memory counts :)

In my environment, I've got the following:

-nikto 2.02
-Net::SSLeay 1.30 (I've seen it also on 1.25 in other environments)
-Perl 5.8.5
-OpenSSL 0.9.7a (lots of backported fixes...
this is on an essentially RHEL4 base, which we've customized a bit)
-Net::SSL 2.84 / Crypt::SSLeay 0.57

I'm not doing anything special when launching nikto:

./nikto.pl -host IP -nolookup -port PORT -ssl -vhost HOSTNAME -Format xml -output out.xml

Libwhisker will first look for Net::SSLeay, and failing that goes to Net::SSL. What I've found is that when we use Net::SSLeay, the amount of memory used by perl keeps increasing. When I removed Net::SSLeay and dropped in Net::SSL, memory usage never went above 20 megabytes, much like that of the non-ssl scans we've done.

Like I said, this will probably have to get bounced over to the guys w/ libwhisker, but I'm wondering if anyone else running nikto2 has seen anything like this?

Thanks,
~Mike

From dave at cirt.net Wed Apr 23 12:12:05 2008
From: dave at cirt.net (David Lodge)
Date: Wed, 23 Apr 2008 08:12:05 -0400
Subject: [Nikto-discuss] Nikto2 + Net::SSLeay memory leak?
In-Reply-To: <595631610804211142p6ba2dac8ge96e7c000e6c10b5@mail.gmail.com>
References: <595631610804211142p6ba2dac8ge96e7c000e6c10b5@mail.gmail.com>
Message-ID: <20080423081205.tjazpoef400kc44g@webmail.sullo.com>

Quoting mike:
> Like I said, this will probably have to get bounced over to the guys w/
> libwhisker, but I'm wondering if anyone else running nikto2 has seen
> anything like this?

I can definitely confirm that I'm seeing the same effect as you: multiple hosts got nikto to rise to about 1/4G of memory, but I'm not certain where. Nikto only uses one chunk of memory for all requests (whether http or https) so I strongly suspect that nikto is innocent in this!

Having had a quick nosy through libwhisker, I'd suspect a leak in Net::SSLeay, as the libwhisker code doesn't seem to have anything leaping out at me to cause the problem.
Also your

Good find, but we may need to raise this with the SSLeay guys.

dave

From sullo at cirt.net Wed Apr 23 12:48:52 2008
From: sullo at cirt.net (Sullo)
Date: Wed, 23 Apr 2008 08:48:52 -0400
Subject: [Nikto-discuss] Nikto2 + Net::SSLeay memory leak?
In-Reply-To: <20080423081205.tjazpoef400kc44g@webmail.sullo.com>
References: <595631610804211142p6ba2dac8ge96e7c000e6c10b5@mail.gmail.com> <20080423081205.tjazpoef400kc44g@webmail.sullo.com>
Message-ID: <20080423084852.i14h43xao8ggo880@webmail.sullo.com>

Quoting David Lodge:
> Having had a quick nosy through libwhisker, I'd suspect a leak in
> Net::SSLeay, as the libwhisker code doesn't seem to have anything
> leaping out at me to cause the problem. Also your
>
> Good find, but we may need to raise this with the SSLeay guys.

I forwarded the initial report to rfp and we both suspect SSLeay as the culprit, but haven't had a chance to dig into it yet. The thing to do would be to write a test program which uses LWP+SSLeay and see if it suffers from a similar memory drain... at least then it would confirm the bug is not in Nikto/LW.

From daem0nb0y at yahoo.com Wed Apr 23 13:07:44 2008
From: daem0nb0y at yahoo.com (Michael Alipio)
Date: Wed, 23 Apr 2008 06:07:44 -0700 (PDT)
Subject: [Nikto-discuss] nikto 2 against https + ntlm
Message-ID: <426270.14931.qm@web58313.mail.re3.yahoo.com>

Hi,

I'm trying to run nikto against a webserver running https and ntlm authentication.

perl nikto.pl -h example.com -p 443 -i 'myuser:mypass:' -D V
+ ERROR: 'myuser:mypass:domain' (-i option) syntax is 'user:password' or 'user:password:domain' for host authentication.

After reading about how NTLM works, still it's not clear to me whether the server is sending that detail (domain) to the client. But as far as I can understand, the client has to know the domain in order to authenticate to the ntlm server. I suspect this is the reason why authentication is failing.
I'm not sure how to get the server's domain so I just left the domain empty after "mypass".

Also, I've read the manual of both 1.36 and 2 and only in 1.36 do they mention ntlm authentication. Could it be that ntlm authentication is no longer supported in v2?

Also we have given valid login accounts and with the use of burpsuite I can successfully authenticate ntlm without providing the domain.

So.. any idea where I should look into??

Thanks..

From falter+nikto at gmail.com Wed Apr 23 14:01:40 2008
From: falter+nikto at gmail.com (mike)
Date: Wed, 23 Apr 2008 09:01:40 -0500
Subject: [Nikto-discuss] Nikto2 + Net::SSLeay memory leak?
In-Reply-To: <595631610804230658w60fc9710rcbabc646abde2031@mail.gmail.com>
References: <595631610804211142p6ba2dac8ge96e7c000e6c10b5@mail.gmail.com> <20080423081205.tjazpoef400kc44g@webmail.sullo.com> <20080423084852.i14h43xao8ggo880@webmail.sullo.com> <595631610804230658w60fc9710rcbabc646abde2031@mail.gmail.com>
Message-ID: <595631610804230701k51d60fa6ie9e01a451534a4fc@mail.gmail.com>

> On Wed, Apr 23, 2008 at 7:48 AM, Sullo wrote:
> I forwarded the initial report to rfp and we both suspect SSLeay as
> the culprit, but haven't had a chance to dig into it yet. The thing to
> do would be to write a test program which uses LWP+SSLeay and see if
> it suffers from a similar memory drain... at least then it would
> confirm the bug is not in Nikto/LW.

My gut tells me that it has something to do with either libwhisker's cleanup of the Net::SSLeay objects, or cleanup internal to Net::SSLeay. Nikto is a bit unique in that he initiates thousands of connections over a short period of time. So, a small leak is a far greater deal to Nikto than it is to most devs using Net:SSLeay.
When I did a timing comparison between Net:SSLeay and Net:SSL, I couldn't see that significant of a difference. It'd be nice if libwhisker had the option to use one over the other. Given this leak, I get nervous having to rely on the lack of Net:SSLeay for libwhisker to move onto Net::SSL..

Perhaps if you guys have rfp's ear, you could drop that one in there :)

~Mike
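An added wrapper, not code from the Nikto project or from anyone on the list, that generalises the "cat dirs.txt | while read" loop from the multiple-roots thread: it reads a target list in the notation Sullo sketched there (absolute URLs, or a base URL followed by /relative/ roots), expands dashed port ranges into the comma-separated form that Nikto 2.02 accepted (the 80-82 bug from the port-range thread), and adds -ssl for https URLs. The stdin-based target format, the PORTSPEC argument and the NIKTO variable (path to nikto.pl) are assumptions; the script prints the nikto command lines rather than running them.

```shell
#!/bin/sh
# Added example: not Nikto project code, not from anyone on the list.
# Reads a target list on stdin (absolute URLs, or a base URL followed by
# /relative/ roots), expands dashed port ranges to the comma form that
# Nikto 2.02 accepted, adds -ssl for https, prints one nikto command per
# root. NIKTO (path to nikto.pl) is assumed; pipe the output to sh to scan.
NIKTO=${NIKTO:-nikto}

# expand_ports "80,443,8000-8002" -> "80,443,8000,8001,8002"
expand_ports() {
    out=""
    for part in $(printf '%s' "$1" | tr ',' ' '); do
        case "$part" in
            *[!0-9-]*|-*|*-|*-*-*) echo "bad port spec: $part" >&2; return 1 ;;
            *-*)
                lo=${part%-*}; hi=${part#*-}; p=$lo
                while [ "$p" -le "$hi" ]; do
                    out="$out,$p"; p=$((p + 1))
                done ;;
            *) out="$out,$part" ;;
        esac
    done
    [ -n "$out" ] || { echo "empty port spec" >&2; return 1; }
    printf '%s' "${out#,}"
}

# nikto_cmds PORTSPEC < targets
# A URL line sets the current host and scheme; a path on it is itself a
# root. A line starting with / is a root under the most recent host.
# Blank lines and # comments are skipped.
nikto_cmds() {
    ports=$(expand_ports "$1") || return 1
    host=""; ssl=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            ''|'#'*) continue ;;
            http://*|https://*)
                case "$line" in https://*) ssl=" -ssl" ;; *) ssl="" ;; esac
                rest=${line#*://}; host=${rest%%/*}; path=${rest#"$host"}
                [ -n "$path" ] && [ "$path" != "/" ] &&
                    echo "$NIKTO -host $host -port $ports$ssl -root $path" ;;
            /*) [ -n "$host" ] || { echo "root before host: $line" >&2; return 1; }
                echo "$NIKTO -host $host -port $ports$ssl -root $line" ;;
            *)  echo "unrecognised line: $line" >&2; return 1 ;;
        esac
    done
    return 0
}
```

Usage: `nikto_cmds 80-82 < targets.txt | sh`, where targets.txt holds the URL/root lines described above.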