From dave at cirt.net Fri Aug 1 02:16:08 2008 From: dave at cirt.net (David Lodge) Date: Fri, 01 Aug 2008 03:16:08 +0100 Subject: [Nikto-discuss] missing man page for Nikto-2.02 In-Reply-To: <20080523064058.GA22444@navi.v2s.org> References: <469201.96347.qm@web56809.mail.re3.yahoo.com> <20080523064058.GA22444@navi.v2s.org> Message-ID: On Fri, 23 May 2008 07:40:58 +0100, Jabra wrote: > Currently, there is no man page. Actually; there is now... I added a man page on the 4th July... It should be part of Nikto 2.03 when I release it (most likely tomorrow). >> I am trying to package Nikto-2.02 on HPUX . This source code does not >> contain the man page( nikto-2.02.man) for nikto-2.02. Can you please >> tell where can i get the man page for Nikto-2.02. That would be useful; to know - one of my goals for Nikto 2.04 is prepared packages for the most common OSs and I no longer have a HP-UX box since my better half made me throw it away :-( (and it's been about 7 years since I last built a HP-UX package). Could you do me a favour and register with assembla.com so that you can upload the spec file for the package once it's done. Thanks dave From dave at cirt.net Thu Aug 7 22:06:56 2008 From: dave at cirt.net (David Lodge) Date: Thu, 07 Aug 2008 23:06:56 +0100 Subject: [Nikto-discuss] Nikto databases Message-ID: I'm seeking for opinions here (and yes, I realise half of you are jollying at Defcon; please bear a though for those of us on the other side of the planet to it). As I want nikto to have a knowledgebase, reduce its memory consumption, allow scan histories and generally tweak it; what are people's opinion about using a SQLite database to store the contents of the db (rather than load it into memory) and output (rather than create fictitious tests to store them in). The big disadvantage is that it would require that SQLite is installed on the system. Thoughts? dave From ryandewhurst at gmail.com Mon Aug 11 17:23:26 2008 From: ryandewhurst at gmail.com (Ryan Dewhurst) Date: Mon, 11 Aug 2008 18:23:26 +0100 Subject: [Nikto-discuss] db_variables bug Message-ID: Hello, Been trying to add my own variables to nikto. Ive read in the manual that you should put these in the config.txt file if you do not want them to be over written when nikto is updated. When putthing the variable in config.txt, nikto does not pick up on them. I added my custom variables to db_variables, this does get picked up by nikto but it only uses the last variable in the list and does not try all of them. Maybe Ive got the syntax wrong or it may be a genuine bug, im not sure. Has any one else noticed this? This is the line of code that I am adding to the files: @COPPERMINE=/ /fotos/ /photos/ /gallery/ /galeria/ /galerie/ /album/ /coppermine/ /Coppermine/ Using nikto in verbose display, it shows that nikto only trys the last variable, in the case above this would be "/Coppermine/". It totally ignores the other variables. Any one have or know a fix? Maybe im using the wrong syntax? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/nikto-discuss/attachments/20080811/8aee5fa3/attachment.html From ryandewhurst at gmail.com Mon Aug 11 19:02:04 2008 From: ryandewhurst at gmail.com (Ryan Dewhurst) Date: Mon, 11 Aug 2008 20:02:04 +0100 Subject: [Nikto-discuss] Proxy doesn't work Message-ID: Hello, It seems that the proxy is not being used when nikto is scanning. This is what the "proxy" part looks like in config.txt PROXYHOST=202.75.144.60 #PROXYPORT=8080 #PROXYUSER=proxyuserid #PROXYPASS=proxypassword If I change PROXYHOST to an invalid IP address, nikto still scans with no errors. Does nikto recognise that its invalid and automatically scans with no proxy and with out prompting? Or is the PROXYHOST just not working at all? I will download apache to test this myself, that way I will be able to check the logs for the IP address. Any one else encounter this? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/nikto-discuss/attachments/20080811/c212f363/attachment.html From sullo at cirt.net Mon Aug 11 19:24:27 2008 From: sullo at cirt.net (Sullo) Date: Mon, 11 Aug 2008 15:24:27 -0400 Subject: [Nikto-discuss] Proxy doesn't work In-Reply-To: References: Message-ID: <48A091EB.6000608@cirt.net> Ryan Dewhurst wrote: > Hello, > It seems that the proxy is not being used when nikto is scanning. > This is what the "proxy" part looks like in config.txt > > PROXYHOST=202.75.144.60 > #PROXYPORT=8080 > #PROXYUSER=proxyuserid > #PROXYPASS=proxypassword You have to set the port--I don't believe there's a default. > If I change PROXYHOST to an invalid IP address, nikto still scans with no > errors. Does nikto recognise that its invalid and automatically scans with > no proxy and with out prompting? I think there's a bug filed for this... if not, please open one for Dave or someone to look at. http://cirt.net/Nikto2_Dev -Sullo From 0xc001d00d at gmail.com Mon Aug 11 19:48:13 2008 From: 0xc001d00d at gmail.com (Dan) Date: Mon, 11 Aug 2008 19:48:13 +0000 Subject: [Nikto-discuss] Proxy doesn't work In-Reply-To: <48A091EB.6000608@cirt.net> References: <48A091EB.6000608@cirt.net> Message-ID: 2008/8/11, Sullo : > Ryan Dewhurst wrote: >> Hello, >> It seems that the proxy is not being used when nikto is scanning. >> This is what the "proxy" part looks like in config.txt >> >> PROXYHOST=202.75.144.60 >> #PROXYPORT=8080 >> #PROXYUSER=proxyuserid >> #PROXYPASS=proxypassword > > You have to set the port--I don't believe there's a default. > >> If I change PROXYHOST to an invalid IP address, nikto still scans with no >> errors. Does nikto recognise that its invalid and automatically scans with >> no proxy and with out prompting? > > I think there's a bug filed for this... if not, please open one for Dave > or someone to look at. > > http://cirt.net/Nikto2_Dev > > -Sullo > _______________________________________________ > Nikto-discuss mailing list > Nikto-discuss at attrition.org > https://attrition.org/mailman/listinfo/nikto-discuss > Not a bug. Just the feature. You should specify PROXYHOST and PROXYPORT variables in config.txt and then run nikto with `-useproxy` option. For example: ./nikto -useproxy -host blablabla.com From sullo at cirt.net Mon Aug 11 19:54:29 2008 From: sullo at cirt.net (Sullo) Date: Mon, 11 Aug 2008 15:54:29 -0400 Subject: [Nikto-discuss] Proxy doesn't work In-Reply-To: References: <48A091EB.6000608@cirt.net> Message-ID: <48A098F5.7030806@cirt.net> Dan wrote: > Not a bug. Just the feature. > You should specify PROXYHOST and PROXYPORT variables in config.txt and > then run nikto with `-useproxy` option. For example: > ./nikto -useproxy -host blablabla.com Yes, that's true--you need the option. I forgot to mention that. However, it should generate an error and not scan if the proxy is un(reach|usable). -Sullo From ryandewhurst at gmail.com Mon Aug 11 19:58:12 2008 From: ryandewhurst at gmail.com (Ryan Dewhurst) Date: Mon, 11 Aug 2008 20:58:12 +0100 Subject: [Nikto-discuss] Proxy doesn't work In-Reply-To: <48A098F5.7030806@cirt.net> References: <48A091EB.6000608@cirt.net> <48A098F5.7030806@cirt.net> Message-ID: Thanks for pointing that out to me. I wasnt using the -useproxy argument. 2008/8/11 Sullo > Dan wrote: > > Not a bug. Just the feature. > > You should specify PROXYHOST and PROXYPORT variables in config.txt and > > then run nikto with `-useproxy` option. For example: > > ./nikto -useproxy -host blablabla.com > > Yes, that's true--you need the option. I forgot to mention that. > > However, it should generate an error and not scan if the proxy is > un(reach|usable). > > -Sullo > > _______________________________________________ > Nikto-discuss mailing list > Nikto-discuss at attrition.org > https://attrition.org/mailman/listinfo/nikto-discuss > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/nikto-discuss/attachments/20080811/bbe26d3c/attachment-0001.html From ryandewhurst at gmail.com Mon Aug 11 20:14:28 2008 From: ryandewhurst at gmail.com (Ryan Dewhurst) Date: Mon, 11 Aug 2008 21:14:28 +0100 Subject: [Nikto-discuss] Proxy doesn't work In-Reply-To: References: <48A091EB.6000608@cirt.net> <48A098F5.7030806@cirt.net> Message-ID: I got the proxy working by using the -useproxy argument and a working proxy. This is the output for a non working proxy: $ perl nikto.pl -useproxy -Display v -host website.com --------------------------------------------------------------------------- - Nikto 2.02/2.03 - cirt.net V:Mon Aug 11 21:10:07 2008 - Testing open ports for web servers V:Mon Aug 11 21:10:17 2008 - Checking for HTTP on port xx.xxx.xx.xx:80 V:Mon Aug 11 21:10:27 2008 - Checking for HTTPS on port xx.xxx.xx.xx:80 + No HTTP(s) ports found on iubra.com + 1 host(s) tested Would be better if the output was more specific. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/nikto-discuss/attachments/20080811/6b1c5f31/attachment.html From neilryan at bellatlantic.net Tue Aug 12 10:18:19 2008 From: neilryan at bellatlantic.net (Neil Ryan) Date: Tue, 12 Aug 2008 06:18:19 -0400 Subject: [Nikto-discuss] Typo in the update file name? Message-ID: Hi, Nice package - thank you for all the work! I just downloaded version 2.02, and tried the "-update" option. It hiccuped. The error message said it's true, there's no such file there. But "nikto_plugin_order.txt" does exist. Is this a typo in the update section? Should that last "underscore" possibly be a "dot"? Thanks! - Neil Ryan From dave at cirt.net Tue Aug 12 08:27:30 2008 From: dave at cirt.net (David Lodge) Date: Tue, 12 Aug 2008 09:27:30 +0100 Subject: [Nikto-discuss] db_variables bug In-Reply-To: References: Message-ID: On Mon, 11 Aug 2008 18:23:26 +0100, Ryan Dewhurst wrote: > Hello, > Been trying to add my own variables to nikto. Ive read in the manual that > you should put these in the config.txt file if you do not want them to be > over written when nikto is updated. When putthing the variable in > config.txt, nikto does not pick up on them. I added my custom variables > to > db_variables, this does get picked up by nikto but it only uses the last > variable in the list and does not try all of them. Okay; this looks like a bug in the documentation - config.txt is really a config file for nikto to find the databases and plugins; not for the actual tests. I'll fix this as part of the updates to documentation I'm planning... > This is the line of code that I am adding to the files: > @COPPERMINE=/ /fotos/ /photos/ /gallery/ /galeria/ /galerie/ /album/ > /coppermine/ /Coppermine/ > > Using nikto in verbose display, it shows that nikto only trys the last > variable, in the case above this would be "/Coppermine/". It totally > ignores > the other variables. Which version of nikto did you do this one? There was a bug in nikto 2.02 related to variables where it would only use the last element of a variable and ignore the rest; this is fixed in svn (and 2.03, when I can actually get www.cirt.net to update to the new version). So it may be that this bug is already fixed! dave From dave at cirt.net Tue Aug 12 11:17:45 2008 From: dave at cirt.net (David Lodge) Date: Tue, 12 Aug 2008 12:17:45 +0100 Subject: [Nikto-discuss] Typo in the update file name? In-Reply-To: References: Message-ID: On Tue, 12 Aug 2008 11:18:19 +0100, Neil Ryan wrote: > I just downloaded version 2.02, and tried the "-update" option. It > hiccuped. > > The error message said www.cirt.net/nikto/UPDATES/2.02/nikto_plugin_order_txt > > > > it's true, there's no such file there. But "nikto_plugin_order.txt" > does exist. > > Is this a typo in the update section? Should that last "underscore" > possibly be a "dot"? Good catch! It looks like there's a typo in the version.txt file on cirt.net; I personally blame Mr Sullo for this one. I've amended it on cirt.net so it should work now... dave From mathijssch at gmail.com Tue Aug 12 11:33:15 2008 From: mathijssch at gmail.com (Mathijs) Date: Tue, 12 Aug 2008 13:33:15 +0200 Subject: [Nikto-discuss] Bug in db_outdated Message-ID: Hi all, Not sure if this is a bug and if it should be sent to this list but here it goes: -- plugins/db_outdated:"600930","Jetty/(","6.1.0","@RUNNING_VER appears to be outdated (current is at least @CURRENT_VER)" ++ plugins/db_outdated:"600930","Jetty/","6.1.0","@RUNNING_VER appears to be outdated (current is at least @CURRENT_VER)" This '(' causes an error: Unmatched ( in regex; marked by <-- HERE in m/^Jetty/( <-- HERE / at /home/mathijs/nikto-2.02/plugins/nikto_outdated.plugin line 81. This char should either be escaped correctly to \( or removed. -- Gr, Mathijs -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/nikto-discuss/attachments/20080812/e5c69a60/attachment.html From sullo at cirt.net Tue Aug 12 13:33:03 2008 From: sullo at cirt.net (Sullo) Date: Tue, 12 Aug 2008 09:33:03 -0400 Subject: [Nikto-discuss] Bug in db_outdated In-Reply-To: References: Message-ID: <48A1910F.8070900@cirt.net> Mathijs wrote: > Hi all, > > Not sure if this is a bug and if it should be sent to this list but here it > goes: > > -- plugins/db_outdated:"600930","Jetty/(","6.1.0","@RUNNING_VER appears to > be outdated (current is at least @CURRENT_VER)" > ++ plugins/db_outdated:"600930","Jetty/","6.1.0","@RUNNING_VER appears to be > outdated (current is at least @CURRENT_VER)" > > This '(' causes an error: > Unmatched ( in regex; marked by <-- HERE in m/^Jetty/( <-- HERE / at > /home/mathijs/nikto-2.02/plugins/nikto_outdated.plugin line 81. > > This char should either be escaped correctly to \( or removed. Whoops! These were user-submitted updates but you are correct... it should have been escaped. From sullo at cirt.net Tue Aug 12 13:40:12 2008 From: sullo at cirt.net (Sullo) Date: Tue, 12 Aug 2008 09:40:12 -0400 Subject: [Nikto-discuss] db_variables bug In-Reply-To: References: Message-ID: <48A192BC.5060104@cirt.net> David Lodge wrote: > On Mon, 11 Aug 2008 18:23:26 +0100, Ryan Dewhurst > wrote: >> Hello, >> Been trying to add my own variables to nikto. Ive read in the manual that >> you should put these in the config.txt file if you do not want them to be >> over written when nikto is updated. When putthing the variable in >> config.txt, nikto does not pick up on them. I added my custom variables >> to >> db_variables, this does get picked up by nikto but it only uses the last >> variable in the list and does not try all of them. > > Okay; this looks like a bug in the documentation - config.txt is really a > config file for nikto to find the databases and plugins; not for the > actual tests. I'll fix this as part of the updates to documentation I'm > planning... For version 1.x these would go in config.txt, but 2.x they should be in a file called "udb_variables" so they get picked up at run-time (similar to any other user-defined database). Damn documentation! :-) -Sullo From dave at cirt.net Tue Aug 12 14:24:00 2008 From: dave at cirt.net (David Lodge) Date: Tue, 12 Aug 2008 15:24:00 +0100 Subject: [Nikto-discuss] Bug in db_outdated In-Reply-To: <48A1910F.8070900@cirt.net> References: <48A1910F.8070900@cirt.net> Message-ID: On Tue, 12 Aug 2008 14:33:03 +0100, Sullo wrote: >> Not sure if this is a bug and if it should be sent to this list but >> here it >> goes: >> >> -- plugins/db_outdated:"600930","Jetty/(","6.1.0","@RUNNING_VER appears >> to >> be outdated (current is at least @CURRENT_VER)" >> ++ plugins/db_outdated:"600930","Jetty/","6.1.0","@RUNNING_VER appears >> to be >> outdated (current is at least @CURRENT_VER)" >> >> This '(' causes an error: >> Unmatched ( in regex; marked by <-- HERE in m/^Jetty/( <-- HERE / at >> /home/mathijs/nikto-2.02/plugins/nikto_outdated.plugin line 81. >> >> This char should either be escaped correctly to \( or removed. > > Whoops! These were user-submitted updates but you are correct... it > should have been escaped. 'tis fixed in trunk - there was a bit of a delay as I'd actually had to install Jetty to see how it produced the server banner; and it's horrible and very very slow (now I remember why I don't use java ;-) dave From randy at procyonlabs.com Sun Aug 24 06:00:24 2008 From: randy at procyonlabs.com (Randal T. Rioux) Date: Sun, 24 Aug 2008 02:00:24 -0400 (EDT) Subject: [Nikto-discuss] Nikto databases In-Reply-To: References: Message-ID: <77a4945937c621be416735ef2ddbd660.squirrel@192.168.3.3> On Thu, August 7, 2008 6:06 pm, David Lodge wrote: > I'm seeking for opinions here (and yes, I realise half of you are > jollying at Defcon; please bear a though for those of us on the other > side of the planet to it). As I want nikto to have a knowledgebase, > reduce its memory consumption, allow scan histories and generally tweak > it; what are people's opinion about using a SQLite database to store the > contents of the db (rather than load it into memory) and output (rather > than create fictitious tests to store them in). > > The big disadvantage is that it would require that SQLite is installed on > the system. I like the idea. Especially if there were an option to use your own database too. For example, SQLite as default, PostgreSQL or MySQL as options. I could help with that, though I'm overextended on projects right now - though it does sound fun. Randy From dave at cirt.net Sun Aug 31 20:21:45 2008 From: dave at cirt.net (David Lodge) Date: Sun, 31 Aug 2008 21:21:45 +0100 Subject: [Nikto-discuss] Release of Nikto 2.03 Message-ID: Now, I've mangled my way through releasing Nikto, it has been release on www.cirt.net. No real bug fixes from a month back; but it is now officially there, please go to http://www.cirt.net/nikto2 to download it. Here's the bumf from cirt.net: Only a month late (personal life et al) and nikto 2.03 is now here. This is an important release as it is the first release of Nikto not under the benevolent gaze of Sullo. This is a point release to update the databases and fix a few bugs, many of which may be found under the CHANGES document (or you can check on Assembla). In essence, what has changed: * Nikto can now take greppable nmap input directly on the command line. * Nikto can take a range of ports (e.g. 80-82). * Ports that are not open are now reported. * Nikto can now read hosts from stdin, by specifying "-host -". * HTML and XML reports don't produce duplicates. * Allow multiple HTTP methods to work out whether the server is HTTP or not. * Fix for a nasty bug where defined variables (e.g. cgi-bin directories) are not read properly. * Updates to allow HTML output to validate properly as XHTML. The current roadmap can be seen on Assembla. Please, try out, break and report bugs and suggestions... Thanks dave