From ryandewhurst at gmail.com Mon May 4 16:54:19 2009
From: ryandewhurst at gmail.com (Ryan Dewhurst)
Date: Mon, 4 May 2009 17:54:19 +0100
Subject: [Nikto-discuss] Subdomain scanner
Message-ID:

Hello,

I have been trying to develop a subdomain scanner for nikto, however I've never coded in Perl and have now come to a dead end. Here is the code, which is in the Plugins directory in a file called "nikto_subdomain.plugin":

sub nikto_subdomain {
    my @subdomains = (
        "ftp", "mail", "email", "webmail", "mailboxes", "ns", "ns1", "ns2", "ns3",
        "forum", "forums", "admin", "login", "secret", "dev", "demo", "apps", "iphone",
        "test", "testing", "testing123", "backup", "adm", "intranet", "extranet", "net",
        "cust", "customer", "wap", "www", "blog", "images", "news", "desktop", "local",
        "directory", "print", "printer", "services", "code", "finance", "mobile",
        "download", "downloads", "upload", "uploads", "dir", "support", "vpn", "stats",
        "shop", "web", "db",
    );

    # Base name is whatever LibWhisker is connecting to; this assumes the scan was
    # started with -host <name> rather than an IP. Each candidate is sent as
    # "$sub.$base" in the Host header to that same address, so what this finds is
    # virtual hosts served from the scanned IP, not names that resolve elsewhere.
    my $base_host  = $request{'whisker'}->{'host'};
    my $saved_host = $request{'Host'};    # explicit Host header, if one was set

    # Baseline with a Host that cannot exist: a catch-all default vhost answers
    # 200 to any name, and without this every candidate would look "found".
    my $baseline = subdomain_probe("nikto-nosuchhost-$$.$base_host");

    foreach my $subdomain (@subdomains) {
        my $code = subdomain_probe("$subdomain.$base_host");
        next unless defined $code;                           # no HTTP reply at all
        next if (defined $baseline && $code == $baseline);   # same as the catch-all
        if ($code == 200 || $code == 302) {
            $TESTS{999999}{message} = "Subdomain $subdomain found";
            $TESTS{999999}{osvdb}   = 0;
            nprint("+ OSVDB-$TESTS{999999}{osvdb}: $TESTS{999999}{message}");
        }
    }

    # Leave the request as nikto had it for the plugins that run after this one.
    if (defined $saved_host) { $request{'Host'} = $saved_host; }
    else                     { delete $request{'Host'}; }
}

# One HEAD / with the given Host header; returns the status code, or undef if
# nothing came back. Relies on LibWhisker honouring an explicit Host header.
sub subdomain_probe {
    my ($host_header) = @_;
    LW2::http_close(\%request);    # force-close any old connections
    LW2::http_reset();
    $request{'Host'}                 = $host_header;
    $request{'whisker'}->{'uri'}     = "/";
    $request{'whisker'}->{'method'}  = "HEAD";    # quoted: a bareword breaks under strict
    $request{'whisker'}->{'version'} = "1.0";
    LW2::http_do_request(\%request, \%result);
    return $result{'whisker'}->{'code'};
}

Thanks in advance.
From titansteamadmin at gmail.com Mon May 4 18:48:52 2009
From: titansteamadmin at gmail.com (titans team)
Date: Mon, 4 May 2009 20:48:52 +0200
Subject: [Nikto-discuss] The basics of Nikto
Message-ID: <5b3ba23c0905041148n33c2484do60f010ea91b71427@mail.gmail.com>

Hi there,

I am just starting to try and use Nikto and I am facing a big issue right away.

When I run:

./nikto.pl -h 10.0.0.1 -p 80

I get this feedback from the script:

- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ No web server found on 10.0.0.1:80
---------------------------------------------------------------------------
+ 1 host(s) tested

Test Options: -h 10.0.0.1 -p 80
---------------------------------------------------------------------------

Needless to say, I have a web server running at this address. I've been trying with 2 other addresses as well and get the same script output.

Any hint would be welcome.

Thanks guys.

From titansteamadmin at gmail.com Mon May 4 19:57:56 2009
From: titansteamadmin at gmail.com (titans team)
Date: Mon, 4 May 2009 21:57:56 +0200
Subject: [Nikto-discuss] The basics of Nikto
In-Reply-To: <5b3ba23c0905041249v5aec42bdoe7c7497f112af7fc@mail.gmail.com>
References: <5b3ba23c0905041148n33c2484do60f010ea91b71427@mail.gmail.com>
	<5b3ba23c0905041220kae8f183x2c15ec6989bbe24b@mail.gmail.com>
	<5b3ba23c0905041249v5aec42bdoe7c7497f112af7fc@mail.gmail.com>
Message-ID: <5b3ba23c0905041257s27b2081r3b67bc0b57eb41f2@mail.gmail.com>

Sorry... yes the ping works, here is the trace for www.example.com

> PING www.example.com (208.77.188.166) 56(84) bytes of data.
> 64 bytes from www.example.com (208.77.188.166): icmp_seq=1 ttl=56 time=155 ms
> 64 bytes from www.example.com (208.77.188.166): icmp_seq=2 ttl=56 time=156 ms
> 64 bytes from www.example.com (208.77.188.166): icmp_seq=3 ttl=56 time=156 ms
> 64 bytes from www.example.com (208.77.188.166): icmp_seq=4 ttl=56 time=155 ms
> 64 bytes from www.example.com (208.77.188.166): icmp_seq=5 ttl=56 time=155 ms
> 64 bytes from www.example.com (208.77.188.166): icmp_seq=6 ttl=56 time=156 ms
> 64 bytes from www.example.com (208.77.188.166): icmp_seq=7 ttl=56 time=156 ms
> 64 bytes from www.example.com (208.77.188.166): icmp_seq=8 ttl=56 time=155 ms
> 64 bytes from www.example.com (208.77.188.166): icmp_seq=9 ttl=56 time=156 ms

2009/5/4 titans team

>> Guess what ?
>>
>> - Nikto v2.03/2.04
>> ---------------------------------------------------------------------------
>> + No web server found on 208.77.188.166:80
>> ---------------------------------------------------------------------------
>> + 1 host(s) tested
>>
>> Test Options: -host www.example.com
>> ---------------------------------------------------------------------------
>>
>> 2009/5/4 Ryan Dewhurst
>>
>>> You could try testing www.example.com:
>>> ./nikto.pl -host www.example.com
>>>
>>> If the above works there may be something wrong with your web server
>>> setup or network connection?
>>>
>>> Are you able to ping 10.0.0.1?

From csullo at gmail.com Mon May 4 20:08:15 2009
From: csullo at gmail.com (Sullo)
Date: Mon, 4 May 2009 16:08:15 -0400
Subject: [Nikto-discuss] The basics of Nikto
In-Reply-To: <5b3ba23c0905041257s27b2081r3b67bc0b57eb41f2@mail.gmail.com>
References: <5b3ba23c0905041148n33c2484do60f010ea91b71427@mail.gmail.com>
	<5b3ba23c0905041220kae8f183x2c15ec6989bbe24b@mail.gmail.com>
	<5b3ba23c0905041249v5aec42bdoe7c7497f112af7fc@mail.gmail.com>
	<5b3ba23c0905041257s27b2081r3b67bc0b57eb41f2@mail.gmail.com>
Message-ID:

try..

./nikto.pl -D DV -h 10.0.0.1

and see what it reports. Hopefully it will show an error or give some other clue.

From titansteamadmin at gmail.com Mon May 4 20:40:09 2009
From: titansteamadmin at gmail.com (titans team)
Date: Mon, 4 May 2009 22:40:09 +0200
Subject: [Nikto-discuss] The basics of Nikto
In-Reply-To:
References: <5b3ba23c0905041148n33c2484do60f010ea91b71427@mail.gmail.com>
	<5b3ba23c0905041220kae8f183x2c15ec6989bbe24b@mail.gmail.com>
	<5b3ba23c0905041249v5aec42bdoe7c7497f112af7fc@mail.gmail.com>
	<5b3ba23c0905041257s27b2081r3b67bc0b57eb41f2@mail.gmail.com>
Message-ID: <5b3ba23c0905041340o388d5c39j18070563b1651a57@mail.gmail.com>

Oki Sullo, I'll try it out and keep you posted.

Cheers,

From titansteamadmin at gmail.com Tue May 5 19:10:16 2009
From: titansteamadmin at gmail.com (titans team)
Date: Tue, 5 May 2009 21:10:16 +0200
Subject: [Nikto-discuss] Fwd: The basics of Nikto
In-Reply-To:
References:
Message-ID: <5b3ba23c0905051210i1bfddfealfab9ed0d3d32f669@mail.gmail.com>

FYI, in case others face the same issue. Here is the cure. Actually I have been using a config file from a previous Nikto release, this is why I had the problem.
Rgds,

---------- Forwarded message ----------
From: david lodge
Date: 2009/5/5
Subject: Re: [Nikto-discuss] The basics of Nikto
To: titansteamadmin at gmail.com
Cc: dave at cirt.net

[From my gmail account as I can't access my cirt account from work]

There is a known bug in 2.03 of nikto, where it fails to recognise a web server if a pre-2.03 configuration file is being used. You should be able to see this by running a scan with -D V and seeing what it's doing:

D:\tools\nikto>nikto.pl -host 127.0.0.1:8081 -D V
- Nikto v2.03/2.04
---------------------------------------------------------------------------
V:Tue May 5 13:41:59 2009 - Testing open ports for web servers
V:Tue May 5 13:41:59 2009 - Checking for HTTP on port 127.0.0.1:8081, using HEAD
+ Target IP:       127.0.0.1
+ Target Hostname: localhost
+ Target Port:     8081
+ Start Time:      2009-05-06 13:42:00
---------------------------------------------------------------------------

If you run it with a -D V and you can't see the "Checking for HTTP" line then you have this problem. In this case, check your config.txt for the below line:

CHECKMETHODS=HEAD GET

If this is missing, add it and it should (hopefully) work. This is a bug fixed in Nikto 2.10 (development version).

If your configuration file has this, send me a redacted version of the -D DV output and I'll have a look at it (please make sure that you include dave at cirt.net in the email list - I normally only use this email address for mailing lists).

Thanks

dave

From titansteamadmin at gmail.com Tue May 5 20:19:11 2009
From: titansteamadmin at gmail.com (titans team)
Date: Tue, 5 May 2009 22:19:11 +0200
Subject: [Nikto-discuss] All options section
Message-ID: <5b3ba23c0905051319m31a81715lf0331f3542a23a47@mail.gmail.com>

Hi guys,

in case you do not specify options in your command line, what are the default options assumed? For instance, if I do not specify any -Cgidirs option or any -evasion option, how will the scan behave?

Also, about the -mutate option, how does it work? Are there dictionaries for guessing values? Does it make sense to run a scan like -mutate 123? I am a bit lost on this one.

And finally, the -dbcheck option, what does it check?

Rgds,
Nick

From csullo at gmail.com Wed May 6 02:38:11 2009
From: csullo at gmail.com (Sullo)
Date: Tue, 5 May 2009 22:38:11 -0400
Subject: [Nikto-discuss] All options section
In-Reply-To: <5b3ba23c0905051319m31a81715lf0331f3542a23a47@mail.gmail.com>
References: <5b3ba23c0905051319m31a81715lf0331f3542a23a47@mail.gmail.com>
Message-ID:

I would recommend checking out the documentation to get some of your answers, specifically about defaults and the mutation techniques.

http://cirt.net/nikto2-docs/

The mutation techniques can generate a *lot* of tests, so you may want to try them out to see how they perform before trying them all and expecting it to finish any time soon.

--
http://www.cirt.net | http://www.osvdb.org/

From titansteamadmin at gmail.com Wed May 6 06:53:20 2009
From: titansteamadmin at gmail.com (titans team)
Date: Wed, 6 May 2009 08:53:20 +0200
Subject: [Nikto-discuss] All options section
In-Reply-To:
References: <5b3ba23c0905051319m31a81715lf0331f3542a23a47@mail.gmail.com>
Message-ID: <5b3ba23c0905052353v7f9b9344m929a37f90bf4f5bb@mail.gmail.com>

Hi Sullo and all,

thanks for the advice, but I've actually read the whole doc before posting my message, and the questions I am asking are related to points which are still not clear (enough) to me after the reading.

From dave at cirt.net Wed May 6 15:29:29 2009
From: dave at cirt.net (David Lodge)
Date: Wed, 06 May 2009 16:29:29 +0100
Subject: [Nikto-discuss] All options section
In-Reply-To: <5b3ba23c0905051319m31a81715lf0331f3542a23a47@mail.gmail.com>
References: <5b3ba23c0905051319m31a81715lf0331f3542a23a47@mail.gmail.com>
Message-ID:

On Tue, 05 May 2009 21:19:11 +0100, titans team wrote:
> in case you do not specify options in your command line, what are the
> default options assumed ?
> For instance, if I do not specify any -Cgidirs option or any -evasion
> option, how will the scan behave ?

Erm... You have to guess :-)

In reality it's not that difficult; the default is for a quick, nearly complete scan, so Cgidirs is set to "all" and evasion is "0", i.e. no evasion, no mutators, standard out output (text in nikto 2.03, no output file in nikto 2.10) and no tuning.

> Also, about the -mutate option how does it work ? Are there dictionaries
> for guessing values ? Does it make sense to run a scan like -mutate 123 ?
> I am a bit lost on this one.

If you do a nikto.pl -Help (note the capital letter) it will list more details on the mutate, evasion and tuning options:

[dave at yggdrasil nikto-2.03]$ ./nikto.pl --Help
[snip]
   -mutate+            Guess additional file names:
                         1     Test all files with all root directories
                         2     Guess for password file names
                         3     Enumerate user names via Apache (/~user type requests)
                         4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)

I'm planning to expand these a wee bit - adding a 5 to attempt to brute force domains, and to expand it so that 3 and 4 can use a dictionary file.

> And finally, the -dbcheck option what does it check ?

This performs a consistency check on the internal databases to make sure that all tids (the unique nikto code) are unique and the databases are malformed. It's more useful for the nikto developers than the users.

Thanks

dave

From titansteamadmin at gmail.com Mon May 11 13:41:30 2009
From: titansteamadmin at gmail.com (titans team)
Date: Mon, 11 May 2009 15:41:30 +0200
Subject: [Nikto-discuss] False positives ?
Message-ID: <5b3ba23c0905110641j7d0c7fbat1e65a04e3ed42a5c@mail.gmail.com>

Hi guys,

running a scan against my apache web server shows that:

+ OSVDB-0: GET /scripts/banner.cgi : This CGI may allow attackers to read any file on the system.
+ OSVDB-0: GET /scripts/bannereditor.cgi : This CGI may allow attackers to read any file on the system.
+ OSVDB-0: GET /sips/sipssys/users/a/admin/user : SIPS v0.2.2 allows user account info (including password) to be retrieved remotely.
+ OSVDB-0: GET /scripts/addbanner.cgi : This CGI may allow attackers to read any file on the system.
+ OSVDB-0: GET /scripts/ans.pl?p=../../../../../usr/bin/id|&blah : Avenger's News System allows commands to be issued remotely.
+ OSVDB-0: GET /scripts/ans/ans.pl?p=../../../../../usr/bin/id|&blah : Avenger's News System allows commands to be issued remotely.
+ OSVDB-0: GET /admentor/adminadmin.asp : Version 2.11 of AdMentor is vulnerable to SQL injection during login, in the style of: ' or =
+ OSVDB-0: GET /index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
+ OSVDB-0: GET /scripts/Count.cgi : This may allow attackers to execute arbitrary commands on the server
+ OSVDB-0: GET /isapi/count.pl? : AN HTTPd default script may allow writing over arbitrary files with a new content of '1', which could allow a trivial DoS. Append /../../../../../ctr.dll to replace this file's contents, for example.
+ OSVDB-376: GET /admin/contextAdmin/contextAdmin.html : Tomcat may be configured to let attackers read arbitrary files. Restrict access to /admin.
+ OSVDB-3092: GET /cgi-bin/textcounter.pl : This might be interesting...
+ OSVDB-13483: GET /adsamples/config/site.csc : Contains SQL username/password
+ OSVDB-3092: GET /advworks/equipment/catalog_type.asp : This might be interesting...
+ OSVDB-3092: GET /scripts/counter.exe : This might be interesting...
+ OSVDB-3233: GET /scripts/fpcount.exe : Default FrontPage CGI found.

The thing is that none of these files exist on the server. Any idea why this shows up?

Best Regards,
Nick.

From traef at ebasedsecurity.com Mon May 11 13:51:30 2009
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Mon, 11 May 2009 08:51:30 -0500
Subject: [Nikto-discuss] False positives ?
Message-ID:

I've noticed these false positives as well.

If you have a default 404 page, you'll see these false positives as the URL issued with the GET command does return a page - your default 404 page - so it assumes that since it issued a command and received a result, the command must have worked.

That's been my findings anyway. Anyone have more information?

Thomas J.
Raef
www.ebasedsecurity.com
"You're either hardened, or you're hacked!"
www.wewatchyourwebsite.com
"We Watch Your Website - so you don't have to!"

From dave at cirt.net Mon May 11 14:10:54 2009
From: dave at cirt.net (David Lodge)
Date: Mon, 11 May 2009 15:10:54 +0100
Subject: [Nikto-discuss] False positives ?
In-Reply-To:
References:
Message-ID:

Nick, I sent you an email about this this morning.

On Mon, 11 May 2009 14:51:30 +0100, Thomas Raef wrote:
> I've noticed these false positives as well.
> If you have a default 404 page, you'll see these false positives as the
> URL issued with the GET command does return a page - your default 404
> page so it assumes that since it issued a command and received a result
> the command must have worked.
> That's been my findings anyway. Anyone have more information?

In my experience it tends to happen when the web server returns a 200 and then returns a reader friendly page to say "file not found". Nikto does perform some checks to attempt to work out non-404 404 pages, but it can't always get them.

If you can send me any examples of pages (either the output from a nikto.pl -D d or the page itself) then I can use this to improve the matching algorithms.

Thanks

dave

From ryandewhurst at gmail.com Mon May 11 16:10:12 2009
From: ryandewhurst at gmail.com (Ryan Dewhurst)
Date: Mon, 11 May 2009 17:10:12 +0100
Subject: [Nikto-discuss] False positives ?
In-Reply-To:
References:
Message-ID:

Could you not just find a unique word/sentence on the custom 404 page that you're having trouble with and then add it to db_404_strings?

From titansteamadmin at gmail.com Tue May 12 15:05:45 2009
From: titansteamadmin at gmail.com (titans team)
Date: Tue, 12 May 2009 17:05:45 +0200
Subject: [Nikto-discuss] False positives ?
In-Reply-To:
References:
Message-ID: <5b3ba23c0905120805s6dd9ddbaybeea100b4388f537@mail.gmail.com>

Hi Dave and all,

Dave, I had not made the link between your morning's email and that cause. In my previous message to you, the directories were indeed present on the server (that was the Nikto message I did not understand). The difference is that here, none of the directories (or files) mentioned in my message are present on the server. Thus I thought this was a different "issue", but it seems to be the same, right?

BR,
Nick
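Two mechanisms from this thread written out as one added example: the CHECKMETHODS-driven web server detection behind Dave's pre-2.03 config.txt explanation (the "No web server found" symptom), and the soft-404 handling behind the false positives that Nick, Thomas, Dave and Ryan discuss. This is not Nikto's code and was not posted by anyone on the list; it is in Python rather than Nikto's Perl so that it runs stand-alone against a constructed target. fake_server, KNOWN_PATHS, FRIENDLY_404 and DB_404_STRINGS are stand-ins built here for a real server and for Nikto's db_404_strings file, and detect_web_server and Soft404Detector are names chosen for this example, not Nikto functions.

```python
import hashlib
import random
import re
import string

# Constructed stand-in for a target: nothing on the network is touched.
# HEAD gets no reply at all (some front ends drop it); any unknown GET path
# gets a 200 with a friendly "not found" page, the situation Dave describes.
FRIENDLY_404 = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Oops</h1><p>Sorry, the page you requested could not be found.</p></body></html>"
)
KNOWN_PATHS = {
    "/": b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>Welcome</html>",
    "/scripts/fpcount.exe": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\ncounter=1",
}


def fake_server(method, path):
    """Return the raw bytes a socket read would give for one request (constructed data)."""
    if method != "GET":
        return b""
    return KNOWN_PATHS.get(path, FRIENDLY_404)


STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3}) ")


def parse_http_response(raw):
    """Split a raw reply into (status_code, headers, body); None if it is not HTTP."""
    m = STATUS_LINE.match(raw)
    if not m:
        return None
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def detect_web_server(send, check_methods=("HEAD", "GET")):
    """Mirror of the CHECKMETHODS probe: the first method that yields a parseable
    HTTP reply wins. An empty list, as with a pre-2.03 config.txt, probes nothing,
    which is the 'No web server found' outcome from the thread."""
    for method in check_methods:
        parsed = parse_http_response(send(method, "/"))
        if parsed is not None:
            return method, parsed[0]
    return None


# Markers in the spirit of Nikto's db_404_strings (constructed list, not the real file).
DB_404_STRINGS = [b"could not be found", b"404 not found", b"page not found", b"no such file"]


class Soft404Detector:
    """Baseline the reply for a path that cannot exist, then treat any test reply
    that matches the baseline or carries a 404 marker as not found."""

    def __init__(self, send):
        self.send = send
        junk = "".join(random.choices(string.ascii_lowercase, k=12))
        self.baseline = self._fingerprint(send("GET", "/" + junk + ".html"))

    @staticmethod
    def _fingerprint(raw):
        parsed = parse_http_response(raw)
        if parsed is None:
            return None
        code, headers, body = parsed
        # Status, content type and a body digest. A page that echoes the requested
        # path into its body defeats the digest; that is what the string list is for.
        return code, headers.get(b"content-type"), hashlib.sha256(body).hexdigest()

    def is_not_found(self, raw):
        parsed = parse_http_response(raw)
        if parsed is None:
            return True
        code, _, body = parsed
        if code == 404 or self._fingerprint(raw) == self.baseline:
            return True
        return any(marker in body.lower() for marker in DB_404_STRINGS)


def run_checks(send, paths):
    """Return only the paths whose replies survive soft-404 filtering."""
    detector = Soft404Detector(send)
    return [p for p in paths if not detector.is_not_found(send("GET", p))]


if __name__ == "__main__":
    print(detect_web_server(fake_server))
    print(run_checks(fake_server, ["/scripts/fpcount.exe", "/scripts/banner.cgi", "/admentor/adminadmin.asp"]))
```

With ("HEAD", "GET") the probe falls back to GET when the HEAD attempt gets nothing back; with an empty method list it reports nothing, which is the mechanism behind the "No web server found" output. On the false-positive side, the baseline request alone catches a catch-all 200 page that is byte-identical for every missing path, as the constructed target is; a page that echoes the requested URL into its body changes on every request, and that is why Ryan's suggestion of adding a distinctive phrase from the page to db_404_strings is still needed.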