From gau.29486 at gmail.com Wed Jul 1 14:09:32 2009
From: gau.29486 at gmail.com (Gaurang Shukla)
Date: Wed, 1 Jul 2009 09:09:32 -0500
Subject: [Nikto-discuss] User Defined DB

I did all the steps mentioned in chapter 7.
I saved a copy of db_tests, made changes to the copy to include my tests in the following format:

"429402","0","b","mygallery/myfunctions/mygallerybrowser.php?myPath=","GET","Wordpress Vulnerability","","","","","Exloitable file mygallerybrowser.php file in mygallery.","",""

I saved the file as udb_tests in plugins directory. But I cannot get any results from Nikto. How do I make sure that all the tests are loading properly? Is there anything that I might have forgotten?

--
-Gaurang Shukla

From ryandewhurst at gmail.com Wed Jul 1 14:21:01 2009
From: ryandewhurst at gmail.com (Ryan Dewhurst)
Date: Wed, 1 Jul 2009 15:21:01 +0100
Subject: [Nikto-discuss] User Defined DB

From first glance everything looks fine. You could try this:

"These files will also be checked for syntax when -dbcheck is used."

If I remember correctly there may be an option in the config file that needs enabling?!

2009/7/1 Gaurang Shukla :
> I did all the steps mentioned in chapter 7.
> I saved a copy of db_tests, made changes to the copy to include my tests in
> the following format:
>
> "429402","0","b","mygallery/myfunctions/mygallerybrowser.php?myPath=","GET","Wordpress Vulnerability","","","","","Exloitable file mygallerybrowser.php file in mygallery.","",""
>
> I saved the file as udb_tests in plugins directory. But I cannot get any
> results from Nikto. How do I make sure that all the tests are loading
> properly? Is there anything that I might have forgotten?
> --
> -Gaurang Shukla

From resident.deity at gmail.com Thu Jul 2 11:36:23 2009
From: resident.deity at gmail.com (david lodge)
Date: Thu, 2 Jul 2009 12:36:23 +0100
Subject: [Nikto-discuss] User Defined DB

> I did all the steps mentioned in chapter 7.
> I saved a copy of db_tests, made changes to the copy to include my tests in
> the following format:

Don't use a copy of db_tests - this'll duplicate all tests in db_tests! The way the user defined database loader works is to do the following:

* load db_tests
* load udb_tests

They both load into the same ID, and there isn't much intelligence to prevent duplication!

> "429402","0","b","mygallery/myfunctions/mygallerybrowser.php?myPath=","GET","Wordpress Vulnerability","","","","","Exloitable file mygallerybrowser.php file in mygallery.","",""

It looks okay initially, but some points that may stop it working:

* The URI field (4th field) should start with a /; making this /mygallery/myfunctions/mygallerybrowser.php?myPath=
* The match 1 field (6th field) is either a HTTP code, or something that'll match in the resulting data; are you expecting the words "Wordpress Vulnerability" in the output?
* Do you really want tuning "b" (software identification); if this is exploitable I'd suggest something like 5 (Remote File retrievable)

I'd normally advise putting the HTTP code in the match 1 field (e.g. 200) and the contents in the match 1 and field (7th field), so I'd put this as:

"429402","0","b","/mygallery/myfunctions/mygallerybrowser.php?myPath=","GET","200","Wordpress Vulnerability","","","","Exloitable file mygallerybrowser.php file in mygallery.","",""

This would expect for a uri of /mygallery/myfunctions/mygallerybrowser.php?myPath= a HTTP response of 200, with the data containing "Wordpress Vulnerability".
The way I normally test this is by using wget to get the url and then build it round there.

Also, what version of nikto are you using; I've just (looking at this) discovered an error in db_tests on version 2.1.0, which shouldn't cause a problem but may. I've also just noticed that -dbcheck barfs on a lot of the standard databases; so we can't depend on that!

> I saved the file as udb_tests in plugins directory. But I cannot get any
> results from Nikto. How do I make sure that all the tests are loading
> properly? Is there anything that I might have forgotten?

Probably the best test is to use the verbose flag (-D v) and pipe the output to a file, you should see something like:

V:Thu Jul 2 12:32:31 2009 - 403 for GET: /cgi/download.cgi

(Apologies in advance for the American date format, I'll fix this into something international one of these days)

For your entry in the database, here you can see the response from the server and the URI it's going to. For further debugging you can use the debug switch (-D d); this will dump the whole libwhisker request and response hashes and tell exactly what's happening.

Give me a shout if you're still having problems.

Thanks
dave

From sammy.sossa20 at gmail.com Mon Jul 13 21:41:30 2009
From: sammy.sossa20 at gmail.com (Sammy Sossa)
Date: Mon, 13 Jul 2009 16:41:30 -0500
Subject: [Nikto-discuss] Nikto tests
Message-ID: <34eb63f10907131441s3fda9160tcf4835f68c50ce04@mail.gmail.com>

How do I go about making Nikto run my User-defined tests only? Do I just delete the db files from plugin directory, and keep my udb files?

Also, about changing nikto agent, can I put in anything I want in there? Like "this is a research project"?
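The two checks Dave describes in his reply to Gaurang (the field rules for a udb_tests entry, and reading the -D v output to confirm a test was actually requested) as an added worked example. This is not Nikto's code and not Dave's; the field positions follow Dave's numbering, but the 13-field layout, the accepted tuning classes, the comment-line handling, the db_tests/udb_tests lines and the second -D v line are assumptions or constructed for the example. It also flags test IDs present in both files, which is the duplication Dave warns about when udb_tests starts life as a copy of db_tests.

```python
import csv
import io
import re

# Tuning classes named in this thread: 0-9, a, b, c and d. "x" is the -T
# exclusion marker rather than a class, so it is not accepted here (assumption).
TUNING_CLASSES = set("0123456789abcd")

# Field positions follow Dave's numbering (4th = URI, 5th = method,
# 6th = match 1, 7th = match 1 "and", 11th = description). The first field
# is the test ID; the other positions are not named in the thread and are
# kept as opaque strings (assumption: 13 quoted, comma-separated fields).
FIELD_COUNT = 13
IDX_ID, IDX_TUNING, IDX_URI, IDX_METHOD, IDX_MATCH1, IDX_MATCH1_AND, IDX_DESC = (
    0, 2, 3, 4, 5, 6, 10)

# Shape of a "-D v" line as shown by Dave: V:<timestamp> - <code> for <METHOD>: <uri>
VERBOSE_RE = re.compile(
    r"^V:(?P<ts>.+?) - (?P<code>\d{3}) for (?P<method>[A-Z]+): (?P<uri>\S+)")

# Constructed sample files. db_tests holds one entry; udb_tests holds a copy
# of that entry (the mistake Dave warns about), the entry as first posted
# (no leading slash, prose in the HTTP-code position) under a constructed ID,
# and Dave's corrected form.
SAMPLE_DB = """\
"000001","0","b","/cgi/download.cgi","GET","200","","","","","constructed db_tests entry","",""
"""
SAMPLE_UDB = """\
"000001","0","b","/cgi/download.cgi","GET","200","","","","","constructed db_tests entry","",""
"429401","0","b","mygallery/myfunctions/mygallerybrowser.php?myPath=","GET","Wordpress Vulnerability","","","","","Exploitable file mygallerybrowser.php file in mygallery.","",""
"429402","0","5","/mygallery/myfunctions/mygallerybrowser.php?myPath=","GET","200","Wordpress Vulnerability","","","","Exploitable file mygallerybrowser.php file in mygallery.","",""
"""
# Constructed -D v output: Dave's sample line plus one for the corrected URI.
SAMPLE_VERBOSE = """\
V:Thu Jul 2 12:32:31 2009 - 403 for GET: /cgi/download.cgi
V:Thu Jul 2 12:32:32 2009 - 200 for GET: /mygallery/myfunctions/mygallerybrowser.php?myPath=
"""


def parse_db(text):
    """Parse db_tests/udb_tests content into a list of field lists.
    Blank lines and lines starting with '#' are skipped (assumption)."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        rows.append(row)
    return rows


def check_entry(fields):
    """Return a list of problems for one entry; an empty list means it looks fine."""
    problems = []
    if len(fields) != FIELD_COUNT:
        problems.append(f"expected {FIELD_COUNT} fields, got {len(fields)}")
        return problems
    if not fields[IDX_URI].startswith("/"):
        problems.append("URI field should start with /")
    tuning = fields[IDX_TUNING]
    if not tuning or not set(tuning) <= TUNING_CLASSES:
        problems.append(f"unknown tuning class {tuning!r}")
    match1 = fields[IDX_MATCH1]
    if not match1:
        problems.append("match 1 field is empty; nothing will ever match")
    elif not match1.isdigit():
        # Dave's point: a non-numeric match 1 must literally appear in the response data.
        problems.append(f"match 1 is content {match1!r}, not an HTTP code: the body must contain it")
    return problems


def duplicate_ids(db_rows, udb_rows):
    """IDs present in both files: both files load into the same ID space."""
    seen = {r[IDX_ID] for r in db_rows}
    return sorted({r[IDX_ID] for r in udb_rows if r[IDX_ID] in seen})


def parse_verbose(log_text):
    """Map (method, uri) -> HTTP status code seen in nikto -D v output."""
    seen = {}
    for line in log_text.splitlines():
        m = VERBOSE_RE.match(line.strip())
        if m:
            seen[(m["method"], m["uri"])] = int(m["code"])
    return seen


def confirm_tests_ran(udb_rows, log_text):
    """For each user test, say whether nikto requested its URI and, when match 1
    is a numeric code, whether the observed status agrees with it."""
    seen = parse_verbose(log_text)
    report = {}
    for r in udb_rows:
        key = (r[IDX_METHOD], r[IDX_URI])
        if key not in seen:
            report[r[IDX_ID]] = "not requested"
        elif r[IDX_MATCH1].isdigit() and seen[key] != int(r[IDX_MATCH1]):
            report[r[IDX_ID]] = f"requested, got {seen[key]} (expected {r[IDX_MATCH1]})"
        else:
            report[r[IDX_ID]] = f"requested, got {seen[key]}"
    return report


if __name__ == "__main__":
    db, udb = parse_db(SAMPLE_DB), parse_db(SAMPLE_UDB)
    for row in udb:
        for problem in check_entry(row):
            print(f"{row[IDX_ID]}: {problem}")
    print("IDs duplicated between db_tests and udb_tests:", duplicate_ids(db, udb))
    for test_id, status in confirm_tests_ran(udb, SAMPLE_VERBOSE).items():
        print(f"{test_id}: {status}")
```

Run against real files by replacing the constructed strings with the contents of plugins/db_tests, plugins/udb_tests and a saved "-D v" run; an entry reported as "not requested" was never sent, which is the first thing to rule out before looking at match fields.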
From dave at cirt.net Mon Jul 13 22:02:11 2009
From: dave at cirt.net (David Lodge)
Date: Mon, 13 Jul 2009 23:02:11 +0100
Subject: [Nikto-discuss] Nikto tests

On Mon, 13 Jul 2009 22:41:30 +0100, Sammy Sossa wrote:
> How do I go about making Nikto run my User-defined tests only? Do I just
> delete the db files from plugin directory, and keep my udb files?

There's no current support for doing this, I could add it as a tuning option for Nikto 2.1.0 if required (as it would be quite easy). Possibly the easiest way would be to edit the db_ files and replace them with your tests. Deleting them will cause nikto to bring up errors.

The plugins will always run if present, this depends on which version of nikto you run. In nikto 2.03 you can edit nikto_plugin_order.txt and delete those you don't want run. On nikto 2.1.0 you will need to remove plugins you don't want to run. I do plan eventually to allow this through the command line.

> Also, about changing nikto agent, can I put in anything I want in there?
> Like "this is a research project"?

There's no default option to change this - though one should probably be added and would be trivial. But, you can hack this by editing plugins/nikto_core.plugin and search for Mozilla and you should get a line like this:

$NIKTO{useragent}="Mozilla/4.75 ($NIKTO{name}/$NIKTO{version})";

Edit this to have whatever you want, e.g.:

$NIKTO{useragent}="Mozilla/4.75 (Research Project)";

It's advised to keep the Mozilla string in as some web servers may do filtering on the user agent string to remove bots.
Ta
dave

From snow at cyber-dolphin.net Wed Jul 15 15:04:43 2009
From: snow at cyber-dolphin.net (snow)
Date: Thu, 16 Jul 2009 00:04:43 +0900
Subject: [Nikto-discuss] A suggestion for Nikto [shows vhost in report]
Message-ID: <200907151504.AA02768@DEFAULTMACHINE.cyber-dolphin.net>

Hello.

I have a suggestion for Nikto 2.03. Please test it.

=========================================================
Show links using "vhost" on html report
=========================================================

I want the links for scanned items which use "vhost" as a hostname in Nikto's html reports. So I tried it. I think I haven't tested it completely, but I could get some of the results that I wanted.

For example, here are samples using Nikto:

$ ./nikto.pl -h 172.20.60.200 -F htm -o logs/nikto-with-ip.html
$ ./nikto.pl -h www.localdomain -F htm -o logs/nikto-with-hostname.html
$ ./nikto.pl -h 172.20.60.200 -vhost virtual.localdomain -F htm \
    -o logs/nikto-with-hostname.html

Then, the attached htmls are generated by Nikto.

1) nikto-with-ip.html
2) nikto-with-hostname.html
3) nikto-with-hostname.html

Please see the source code's diff below.
1) plugin/nikto_reports.plugin
2) templates/htm_host_head.tmpl
3) templates/htm_host_item.tmpl

-------------------------------------------------------------
1) plugin/nikto_reports.plugin
-------------------------------------------------------------
$ diff beta/nikto_reports.plugin original/nikto_reports.plugin
119d118
< $variables{"#TEMPL_VHOST"} = simple_enc($CLI{vhost});
142,149d140
< if ($CLI{vhost} ne "")
< {
< $variables{"#TEMPL_LINK_VHOST"} = "$protocol://$variables{\"#TEMPL_VHOST\"}:$CURRENT_PORT/";
< } else
< {
< $variables{"#TEMPL_LINK_VHOST"} = "N/A";
< }
<
199,207d189
< if ($variables{"#TEMPL_VHOST"} ne "")
< {
< $variables{"#TEMPL_ITEM_VHOST_LINK"} = "$protocol://$variables{\"#TEMPL_VHOST\"}:$CURRENT_PORT$variables{\"#TEMPL_URI\"}";
< }
< else
< {
< $variables{"#TEMPL_ITEM_VHOST_LINK"} = "";
< }
<
-------------------------------------------------------------
2) templates/htm_host_head.tmpl
-------------------------------------------------------------
$ diff beta/htm_host_head.tmpl original/htm_host_head.tmpl
12,15d11
<
< Target vhost
< #TEMPL_VHOST
<
49,54d44
< Site Link (VHOST)
<
< #TEMPL_LINK_VHOST
<
<
<
-------------------------------------------------------------
3) templates/htm_host_item.tmpl
-------------------------------------------------------------
$ diff beta/htm_host_item.tmpl original/htm_host_item.tmpl
18,19c18
< #TEMPL_ITEM_IP_LINK
< #TEMPL_ITEM_VHOST_LINK
---
> #TEMPL_ITEM_IP_LINK

Now, we can access the web server with "vhost" as a servername, just by clicking the link in Nikto's report.

Thank you.

Attachments (scrubbed by the list archive):
nikto-with-ip.html (5519 bytes): http://attrition.org/pipermail/nikto-discuss/attachments/20090715/387f9270/attachment-0003.obj
nikto-with-ip-and-vhost.html (5773 bytes): http://attrition.org/pipermail/nikto-discuss/attachments/20090715/387f9270/attachment-0004.obj
nikto-with-hostname.html (5527 bytes): http://attrition.org/pipermail/nikto-discuss/attachments/20090715/387f9270/attachment-0005.obj

From csullo at gmail.com Wed Jul 15 15:25:35 2009
From: csullo at gmail.com (Sullo)
Date: Wed, 15 Jul 2009 11:25:35 -0400
Subject: [Nikto-discuss] Nikto tests

On Mon, Jul 13, 2009 at 6:02 PM, David Lodge wrote:
> On Mon, 13 Jul 2009 22:41:30 +0100, Sammy Sossa wrote:
> > How do I go about making Nikto run my User-defined tests only? Do I just
> > delete the db files from plugin directory, and keep my udb files?
>
> There's no current support for doing this, I could add it as a tuning
> option for Nikto 2.1.0 if required (as it would be quite easy). Possibly
> the easiest way would be to edit the db_ files and replace them with your
> tests. Deleting them will cause nikto to bring up errors.

I was going to suggest options "-T 0123456789abcx" which should exclude ("x") every test class.
You would then put your tests in the user database with a type of "d" or something, and they should be the only ones run... however, it doesn't work. Many tests still seem to run.

I filed ticket #84 for this..
http://trac2.assembla.com/Nikto_2/ticket/84

Then I tried creating the user tests with a type of "d" and ran "-T d" which should only run class "d" tests, but that didn't work either. So the whole tuning include/exclude thing needs to be vetted to see what I screwed up there :-)

-Sullo

--
http://www.cirt.net | http://www.osvdb.org/

From resident.deity at gmail.com Mon Jul 20 12:54:32 2009
From: resident.deity at gmail.com (david lodge)
Date: Mon, 20 Jul 2009 13:54:32 +0100
Subject: [Nikto-discuss] Nikto tests

> I was going to suggest options "-T 0123456789abcx" which should exclude
> ("x") every test class. You would then put your tests in the user database
> with a type of "d" or something, and they should be the only ones run...
> however, it doesn't work. Many tests still seem to run.

Actually type d tests already exist, these mostly seem to be coldfusion tests, e.g.:

/cfide/administrator/index.cfm

This looks like an error in the database to me.

> I filed ticket #84 for this..
> http://trac2.assembla.com/Nikto_2/ticket/84

I have a patch for this which I'll submit when I get a chance, there's a minor logic flaw in the current code. What may be an idea is to define a letter for user defined testing only (e.g. "u").

Thanks
dave

From tseyatnam at hotmail.com Mon Jul 27 03:24:36 2009
From: tseyatnam at hotmail.com (=?ks_c_5601-1987?B?VHNlIN+j+bvu3Pmm?=)
Date: Mon, 27 Jul 2009 11:24:36 +0800
Subject: [Nikto-discuss] Questions on Nikto Scanning on Injection

Hello everyone!
I am a newbie to Nikto. Please offer me some help. : )

I used Nikto to perform a scanning on Injection with command "perl nikto.pl -h 127.0.0.1 -T 4".

Let's talk about my web application first. I created a textbox where user can input anything to submit to the server and filtering will NOT be done on both the client and server. When I input ' ', an alert appears. That means XSS can be performed, right?

However, Nikto cannot find out the XSS in my web application. So, I would like to ask:

Is Nikto capable of scanning XSS on user created web application? If yes, is there anything wrong with my Nikto scanning options so that Nikto cannot find out this (I also performed a default scanning, but nothing about XSS was shown)? If not, what exactly is the meaning of "Injection (XSS/Script/HTML). Any manner of injection, including cross site scripting (XSS) or content (HTML)" from the manual?

Thank you.

From resident.deity at gmail.com Mon Jul 27 12:18:48 2009
From: resident.deity at gmail.com (david lodge)
Date: Mon, 27 Jul 2009 13:18:48 +0100
Subject: [Nikto-discuss] Questions on Nikto Scanning on Injection

> Is Nikto capable of scanning XSS on user created web application?

No, Nikto was not designed to do user application scanning - it scans the webserver and known bugs in common applications (e.g. XSS, SQL injection, information disclosure). It is feasible that Nikto could be extended to do this, but it's a lot of work, and there are several good products out there that will do this testing already (e.g. Paros Proxy or sqlmap).
> If yes, is there anything wrong with my Nikto scanning options so that Nikto
> cannot find out this (I also performed a default scanning, but nothing about
> XSS was shown)?

The tuning (-T) option is used to filter down what nikto tests - so if you run the default tests you'll always run the XSS tests, but, these are for common applications only.

> If not, what exactly is the meaning of "Injection (XSS/Script/HTML). Any manner
> of injection, including cross site scripting (XSS) or content (HTML)" from
> the manual?

As above this tests for known XSS vulnerabilities in common applications, for example, in Oracle application server.

Hope that helps
dave

From tseyatnam at hotmail.com Tue Jul 28 16:12:34 2009
From: tseyatnam at hotmail.com (tseyatnam at hotmail.com)
Date: Wed, 29 Jul 2009 00:12:34 +0800
Subject: [Nikto-discuss] Questions on Nikto Scanning on Injection

Thanks both of you a lot!!! I really learnt a lot. : )

From davidkl at ivision.com.au Fri Jul 31 00:41:24 2009
From: davidkl at ivision.com.au (David Klein)
Date: Fri, 31 Jul 2009 10:41:24 +1000
Subject: [Nikto-discuss] NewLister
Message-ID: <9156AD947C46864F88EAE1858D3DE90302024ED5@ivx2.ivision.com.au>

Hello Nikto,

I am new on this list, I would just like to convey my gratitude for a wonderful tool!

How can we get involved in contributing to it?

Regards,
David Klein
www.ivision.com.au

Any opinions expressed herein are the opinion of the writer unless there is an express indication to the contrary.
From dave at cirt.net Fri Jul 31 08:56:27 2009
From: dave at cirt.net (David Lodge)
Date: Fri, 31 Jul 2009 09:56:27 +0100
Subject: [Nikto-discuss] NewLister

On Fri, 31 Jul 2009 01:41:24 +0100, David Klein wrote:
> How can we get involved in contributing to it?

Ah; music to a maintainer's ears!

Nikto is open source, so we're happy to have any corrections submitted, the development home is at:
http://www.assembla.com/wiki/show/Nikto_2

For direct contributions, if you can code perl, then I have a list of things that need doing (including bug fixes). If you can't code in perl then there are still things that could be done:

1. Keep a look out for new things to add to the databases
2. Raise bugs
3. Raise enhancement requests
4. Put forward your opinions on what it could/should do

Thanks
dave