From csullo at gmail.com Mon Sep 6 09:18:22 2010
From: csullo at gmail.com (Sullo)
Date: Mon, 6 Sep 2010 10:18:22 -0400
Subject: [Nikto-discuss] Nikto 2.1.3 released

We're happy to announce the immediate availability of Nikto 2.1.3!

Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version specific problems on over 270 servers.

In addition to the usual list of minor bug fixes, 2.1.3 contains some new functionality and improvements, including:

* Interactive scan pause feature
* Metasploit logging (courtesy Ryan Linn)
* Updated manual
* Command line proxy specification
* Scan status reports guesstimate of time remaining
* Many updated software versions

For a full list of updates, see
http://trac2.assembla.com/Nikto_2/query?status=closed&milestone=Nikto+2.1.3

MD5 Checksums:
* nikto-2.1.3.tar.bz2 2d4badc2dc649e4d7c9510e58b1fb6ad
* nikto-2.1.3.tar.gz 69384f38da8c71ca316fe727296e53e9

Download:
* http://cirt.net/nikto/nikto-2.1.3.tar.bz2
* http://cirt.net/nikto/nikto-2.1.3.tar.gz

--
http://www.cirt.net | http://www.osvdb.org/

From jonnie_wu at hotmail.com Tue Sep 7 06:34:48 2010
From: jonnie_wu at hotmail.com (WuJonnie)
Date: Tue, 7 Sep 2010 11:34:48 +0000
Subject: [Nikto-discuss] Error messages when running the nikto

Hi,

I just installed the Nikto by referring to an article, and no matter which version nikto I tried, always returns me the same error message.

c:\Program Files\nikto-2.1.3>perl nikto.pl -h www.abc.com
Can't locate nikto.pl/plugins/nikto_core.plugin in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .) at nikto.pl line 89.

But when I directly input like below:

c:\Program Files\nikto-2.1.3> nikto.pl -h www.abc.com

It will scan the site's vulnerabilities, but anyway will have some error messages at the beginning.
c:\Program Files\nikto-2.1.3>nikto.pl -h www.abc.com
Can't locate auto/Net/SSLeay/autosplit.ix in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .) at C:/Perl/lib/AutoLoader.pm line 173.
 at C:/Perl/lib/Net/SSLeay.pm line 61
- Nikto v2.1.2
---------------------------------------------------------------------------
+ Target IP: 199.181.132.250
+ Target Hostname: www.abc.com
+ Target Port: 80
+ Start Time: 2010-09-08 19:30:33
---------------------------------------------------------------------------
+ Server: Apache...
...

Any ideas you think here so that I can run it correctly?

From csullo at gmail.com Tue Sep 7 07:52:44 2010
From: csullo at gmail.com (Sullo)
Date: Tue, 7 Sep 2010 08:52:44 -0400
Subject: [Nikto-discuss] Error messages when running the nikto

2010/9/7 WuJonnie:
> I just installed the Nikto by referring to an article, and no matter which
> version nikto I tried, always returns me the same error message.
>
> c:\Program Files\nikto-2.1.3>perl nikto.pl -h www.abc.com
>
> Can't locate nikto.pl/plugins/nikto_core.plugin in @INC (@INC contains:
> C:/Perl/site/lib C:/Perl/lib .) at nikto.pl line 89.

Try editing nikto.pl and changing this line to point to your nikto.conf file:

    $NIKTO{'configfile'} = "/etc/nikto.conf"; ### Change this line if it's having trouble finding it

I think the path would be c:\Program Files\nikto-2.1.3\nikto.conf based on what you have in your email.

> But When I directly input like below:
>
> c:\Program Files\nikto-2.1.3> nikto.pl -h www.abc.com
>
> It will scan the site's vulnerabilities, but anyway will have some error
> messages at the beginning.
>
> c:\Program Files\nikto-2.1.3>nikto.pl -h www.abc.com
>
> Can't locate auto/Net/SSLeay/autosplit.ix in @INC (@INC contains:
> C:/Perl/site/lib C:/Perl/lib .) at C:/Perl/lib/AutoLoader.pm line 173. at
> C:/Perl/lib/Net/SSLeay.pm line 61

Is this a new perl installation--did it work before? This looks like an internal perl/net::ssleay module error. If this is a new install, I'd recommend reinstalling that module and trying again. You may also try Net::SSL to see if that works better. Without SSL it seems to be working correctly--you just won't be able to test encrypted resources.

--
http://www.cirt.net | http://www.osvdb.org/

From FBreedijk at schubergphilis.com Tue Sep 7 09:24:55 2010
From: FBreedijk at schubergphilis.com (Frank Breedijk)
Date: Tue, 7 Sep 2010 16:24:55 +0200
Subject: [Nikto-discuss] Disabling interactive question

When there is a mismatch between the server signature and the signature on file, Nikto asks you to submit it. Is there a way to disable this prompt? Since I run nikto from Seccubus I need to make sure it finishes and not spends forever waiting for user input.

    *********************************************************************
    Portions of the server's ident string (Apache/2.2.9) are not in
    the Nikto database or is newer than the known string. Would you like
    to submit this information (*no server specific data*) to CIRT.net
    for a Nikto update (or you may email to sullo at cirt.net) (y/n)?

Kind regards,
Frank Breedijk

Schuberg Philis
Boeing Avenue 271
1119 PD Schiphol-Rijk
schubergphilis.com

+31 20 750 65 38
+31 6 4382 2637

From jabra at spl0it.org Tue Sep 7 09:28:30 2010
From: jabra at spl0it.org (Jabra)
Date: Tue, 7 Sep 2010 10:28:30 -0400
Subject: [Nikto-discuss] Disabling interactive question
Message-ID: <20100907142830.GA9609@navi.v2s.org>

There is an option in the nikto.conf to not ask the user if they want to send updates to cirt.net

Regards,
Josh

On 07.Sep.2010 04:24PM +0200, Frank Breedijk wrote:
> When there is a mismatch between the server signature and the signature on file, Nikto asks you to submit it. Is there a way to disable this prompt ?
> Since I run nikto from Seccubus I need to make sure it finishes and not spends forever waiting for user input.

--
Jabra < jabra at spl0it.org >
http://www.spl0it.org

From FBreedijk at schubergphilis.com Tue Sep 7 09:30:26 2010
From: FBreedijk at schubergphilis.com (Frank Breedijk)
Date: Tue, 7 Sep 2010 16:30:26 +0200
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To: <20100907142830.GA9609@navi.v2s.org>
References: <20100907142830.GA9609@navi.v2s.org>

I know, however, it is a bit impractical to have to check if this is present, especially as I don't know where the configuration file will be in the system. Is there a command line option to disable it?

The following will do the trick, but feels like cheating:
echo y | nikto .....

Frank Breedijk
..-. .-. .- -. -.-
T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W: www.schubergphilis.com

-----Original Message-----
From: Jabra [mailto:jabra at spl0it.org]
Sent: 07 September 2010 16:29
To: Frank Breedijk
Cc: nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] Disabling interactive question

There is an option in the nikto.conf to not ask the user if they want to send updates to cirt.net

Regards,
Josh

From jabra at spl0it.org Tue Sep 7 09:38:17 2010
From: jabra at spl0it.org (Jabra)
Date: Tue, 7 Sep 2010 10:38:17 -0400
Subject: [Nikto-discuss] Disabling interactive question
References: <20100907142830.GA9609@navi.v2s.org>
Message-ID: <20100907143817.GB9609@navi.v2s.org>

I'm not seeing such an option...

Not to be too picky shouldn't it be 'yes yes |nikto' ?

Regards,
Jabra

On 07.Sep.2010 04:30PM +0200, Frank Breedijk wrote:
> I know, however, it is a bit impractical to have to check if this is present, especially as I don't know where the configuration file will be in the system. Is there a command line option to disable it?
>
> The following will do the trick, but feels like cheating:
> echo y | nikto .....

--
Jabra < jabra at spl0it.org >
http://www.spl0it.org

From FBreedijk at schubergphilis.com Tue Sep 7 09:40:27 2010
From: FBreedijk at schubergphilis.com (Frank Breedijk)
Date: Tue, 7 Sep 2010 16:40:27 +0200
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To: <20100907143817.GB9609@navi.v2s.org>
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org>

I can see it is still morning there and end of workday here ;)
Yes|nikto ... will work. Nikto does take y for an answer.

Frank Breedijk
..-. .-. .- -. -.-
T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W: www.schubergphilis.com

-----Original Message-----
From: Jabra [mailto:jabra at spl0it.org]
Sent: 07 September 2010 16:38
To: Frank Breedijk
Cc: Jabra; nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] Disabling interactive question

I'm not seeing such an option...

Not to be too picky shouldn't it be 'yes yes |nikto' ?

Regards,
Jabra

From jabra at spl0it.org Tue Sep 7 09:44:38 2010
From: jabra at spl0it.org (Jabra)
Date: Tue, 7 Sep 2010 10:44:38 -0400
Subject: [Nikto-discuss] Disabling interactive question
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org>
Message-ID: <20100907144438.GC9609@navi.v2s.org>

Using: echo "yes" will only pass one instance of "yes" to nikto if it asks for user input.

Using: yes | nikto would pass as many "yes" inputs until nikto completes.

Regards,
Jabra

On 07.Sep.2010 04:40PM +0200, Frank Breedijk wrote:
> I can see it is still morning there and end of workday here ;)
> Yes|nikto ... will work. Nikto does take y for an answer.

--
Jabra < jabra at spl0it.org >
http://www.spl0it.org

From FBreedijk at schubergphilis.com Tue Sep 7 09:53:13 2010
From: FBreedijk at schubergphilis.com (Frank Breedijk)
Date: Tue, 7 Sep 2010 16:53:13 +0200
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To: <20100907144438.GC9609@navi.v2s.org>
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org>

Indeed, I'm just a little afraid of the performance impact since the latest nikto is listening to keystrokes during scanning.

Frank Breedijk
..-. .-. .- -. -.-
T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W: www.schubergphilis.com

-----Original Message-----
From: Jabra [mailto:jabra at spl0it.org]
Sent: 07 September 2010 16:45
To: Frank Breedijk
Cc: Jabra; nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] Disabling interactive question

Using: echo "yes" will only pass one instance of "yes" to nikto if it asks for user input.

Using: yes | nikto would pass as many "yes" inputs until nikto completes.

Regards,
Jabra

From csullo at gmail.com Tue Sep 7 09:51:32 2010
From: csullo at gmail.com (Sullo)
Date: Tue, 7 Sep 2010 10:51:32 -0400
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To: <20100907144438.GC9609@navi.v2s.org>
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org>

Or you could just use '-ask no' (or yes/auto)... :-)

On Tue, Sep 7, 2010 at 10:44 AM, Jabra wrote:
> Using: echo "yes" will only pass one instance of "yes" to nikto if it asks for
> user input.
>
> Using: yes | nikto would pass as many "yes" inputs until nikto
> completes.
>
> Regards,
> Jabra

--
http://www.cirt.net | http://www.osvdb.org/

From FBreedijk at schubergphilis.com Tue Sep 7 10:06:38 2010
From: FBreedijk at schubergphilis.com (Frank Breedijk)
Date: Tue, 7 Sep 2010 17:06:38 +0200
Subject: [Nikto-discuss] Disabling interactive question
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org>

Shoot, first line of nikto -Help output (I typed -help again).

I should have looked at the code... Will make it part of the code.

Thanks Jabra!

Frank Breedijk
..-. .-. .- -. -.-
T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W: www.schubergphilis.com

-----Original Message-----
From: Sullo [mailto:csullo at gmail.com]
Sent: 07 September 2010 16:52
To: Jabra
Cc: Frank Breedijk; nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] Disabling interactive question

Or you could just use '-ask no' (or yes/auto)... :-)

From csullo at gmail.com Tue Sep 7 10:09:18 2010
From: csullo at gmail.com (Sullo)
Date: Tue, 7 Sep 2010 11:09:18 -0400
Subject: [Nikto-discuss] Disabling interactive question
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org>

I added a line to the short help output to say it's short and use -H...

On Tue, Sep 7, 2010 at 11:06 AM, Frank Breedijk wrote:
> Shoot, first line of nikto -Help output (I typed -help again).
>
> I should have looked at the code... Will make it part of the code.
>
> Thanks Jabra!
>>> > >
>>> > > Kind regards,
>>> > > Frank Breedijk
>>> > >
>>> > >
>>> > > Schuberg Philis
>>> > > Boeing Avenue 271
>>> > > 1119 PD Schiphol-Rijk
>>> > > schubergphilis.com
>>> > >
>>> > > +31 20 750 65 38
>>> > > +31 6 4382 2637
>>> > > _______________________________________________
>>> > > Nikto-discuss mailing list
>>> > > Nikto-discuss at attrition.org
>>> > > https://attrition.org/mailman/listinfo/nikto-discuss
>>> >
>>> > --
>>> > Jabra < jabra at spl0it.org >
>>> > http://www.spl0it.org
>>>
>>> --
>>> Jabra < jabra at spl0it.org >
>>> http://www.spl0it.org
>>
>> --
>> Jabra < jabra at spl0it.org >
>> http://www.spl0it.org
>> _______________________________________________
>> Nikto-discuss mailing list
>> Nikto-discuss at attrition.org
>> https://attrition.org/mailman/listinfo/nikto-discuss
>>
>
>
>
> --
>
> http://www.cirt.net | http://www.osvdb.org/
>
--
http://www.cirt.net | http://www.osvdb.org/

From csullo at gmail.com Tue Sep 7 09:57:09 2010
From: csullo at gmail.com (Sullo)
Date: Tue, 7 Sep 2010 10:57:09 -0400
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To:
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org>
Message-ID:

There is no direct relationship between the prompting (which is the 'send updates' bit) and the interactivity. To try and keep any slowdown due to listening for keystrokes, it will only poll for input every 10 requests. I suppose a CLI/config to disable it entirely would be worthwhile for anyone running fully automated or in the background...

If you want to do any speed tests, just hack nikto_core.plugin line ~1965 to not check for input...
    if (($NIKTO{'totalrequests'} % 10) == 0) {
        check_input();
    }

I'll open a ticket to create a way to manually disable it.

On Tue, Sep 7, 2010 at 10:53 AM, Frank Breedijk wrote:
> Indeed, I'm just a little afraid of the performance impact since the latest nikto is listening to keystrokes during scanning.
>
> Frank Breedijk
> ..-. .-. .- -. -.-
> T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W: www.schubergphilis.com
>
--
http://www.cirt.net | http://www.osvdb.org/

From kost at linux.hr Tue Sep 7 10:42:49 2010
From: kost at linux.hr (Vlatko Kosturjak)
Date: Tue, 07 Sep 2010 17:42:49 +0200
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To:
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org>
Message-ID: <4C865D79.60306@linux.hr>

I think "-ask no" should be default option for nikto. It breaks any other utility which calls nikto as well (for example, OpenVAS) or any automatic script which somebody made to automatize his/their scans.

Problem is also to put "-ask no" in code which calls nikto as someone might have older nikto (as part of Linux distribution).

My $0.02,

On 09/07/2010 05:06 PM, Frank Breedijk wrote:
> Shoot, first line of nikto -Help output (I typed -help again).
>
> I should have looked at the code... Will make it part of the code.
>
> Thanks Jabra!
>
> Frank Breedijk
> ..-. .-. .- -. -.-
> T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W: www.schubergphilis.com

From csullo at gmail.com Tue Sep 7 10:54:21 2010
From: csullo at gmail.com (Sullo)
Date: Tue, 7 Sep 2010 11:54:21 -0400
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To: <4C865D79.60306@linux.hr>
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org> <4C865D79.60306@linux.hr>
Message-ID:

On Tue, Sep 7, 2010 at 11:42 AM, Vlatko Kosturjak wrote:
> I think "-ask no" should be default option for nikto. It breaks any
> other utility which calls nikto as well (for example, OpenVAS) or any
> automatic script which somebody made to automatize his/their scans.

My concern with that is because we get a lot of updated versions for db_outdated this way. I'm not sure what setting it to 'no' would do to that, but in the end all the users would suffer (I think) from less data being submitted. I'd be curious to see what others think about this.

> Problem is also to put "-ask no" in code which calls nikto as someone
> might have older nikto (as part of Linux distribution).

nikto-2.1.2 is the first to include the -ask option (previously it was just PROMPTS in the config file).
I tested 2.00 (2.0.0) and if you supply -ask it just prints an error about it being unknown but continues execution, so I don't think this should be a problem.

>
> My $0.02,

Much appreciated.

I wonder if when it prompts it should include a quick note as to how to disable prompting? Would that be a help, at least?

----
http://www.cirt.net | http://www.osvdb.org/

From FBreedijk at schubergphilis.com Tue Sep 7 12:15:53 2010
From: FBreedijk at schubergphilis.com (Frank Breedijk)
Date: Tue, 7 Sep 2010 19:15:53 +0200
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To:
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org> <4C865D79.60306@linux.hr>
Message-ID:

For me -ask auto as a default wouldn't hurt if you are very clear in what is submitted.

---
Sent from my iPhone

On 7 sep. 2010, at 18:16, Sullo wrote:

> On Tue, Sep 7, 2010 at 11:42 AM, Vlatko Kosturjak wrote:
>> I think "-ask no" should be default option for nikto. It breaks any
>> other utility which calls nikto as well (for example, OpenVAS) or any
>> automatic script which somebody made to automatize his/their scans.
>
> My concern with that is because we get a lot of updated versions for
> db_outdated this way. I'm not sure what setting it to 'no' would do to
> that, but in the end all the users would suffer (I think) from less
> data being submitted. I'd be curious to see what others think about
> this.
>
>> Problem is also to put "-ask no" in code which calls nikto as someone
>> might have older nikto (as part of Linux distribution).
>
> nikto-2.1.2 is the first to include the -ask option (previously it was
> just PROMPTS in the config file). I tested 2.00 (2.0.0) and if you
> supply -ask it just prints an error about it being unknown but
> continues execution, so I don't think this should be a problem.
>
>>
>> My $0.02,
>
> Much appreciated.
>
> I wonder if when it prompts it should include a quick note as to how
> to disable prompting? Would that be a help, at least?
>
>
> ----
> http://www.cirt.net | http://www.osvdb.org/

From resident.deity at gmail.com Tue Sep 7 17:38:05 2010
From: resident.deity at gmail.com (david lodge)
Date: Tue, 7 Sep 2010 23:38:05 +0100
Subject: [Nikto-discuss] Error messages when running the nikto
In-Reply-To:
References:
Message-ID:

> c:\Program Files\nikto-2.1.3>perl nikto.pl -h www.abc.com
>
> Can't locate nikto.pl/plugins/nikto_core.plugin in @INC (@INC contains:
> C:/Perl/site/lib C:/Perl/lib .) at nikto.pl line 89.

It looks like you're using strawberry perl. This sort of messes around with the path, fortunately there's an easy way around this: prefix nikto.pl with a ./, e.g.:
perl ./nikto.pl -h www.abc.com

As Sullo mentioned earlier - this is because nikto can't find the plugins directory, which it'll try and look in the directories configured in the conf file, or try the local directory. For some reason on Strawberry perl, the directory specification messes up a bit, unless you use perl ./nikto.pl

> c:\Program Files\nikto-2.1.3>nikto.pl -h www.abc.com
>
> Can't locate auto/Net/SSLeay/autosplit.ix in @INC (@INC contains:
> C:/Perl/site/lib C:/Perl/lib .) at C:/Perl/lib/AutoLoader.pm line 173. at
> C:/Perl/lib/Net/SSLeay.pm line 61

You need to install the SSLeay perl module (through CPAN or through another package). Though you only need this if you're checking HTTPS connections, if you're just checking normal HTTP then you can safely ignore the message.

From kost at linux.hr Tue Sep 7 19:11:54 2010
From: kost at linux.hr (Vlatko Kosturjak)
Date: Wed, 08 Sep 2010 02:11:54 +0200
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To:
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org> <4C865D79.60306@linux.hr>
Message-ID: <4C86D4CA.40900@linux.hr>

On 09/07/2010 05:54 PM, Sullo wrote:
> My concern with that is because we get a lot of updated versions for
> db_outdated this way. I'm not sure what setting it to 'no' would do to
> that, but in the end all the users would suffer (I think) from less
> data being submitted. I'd be curious to see what others think about
> this.

I understand. But such options (which breaks something), I would expect in major rewrite/releases (i.e. in 3.x).

>> Problem is also to put "-ask no" in code which calls nikto as someone
>> might have older nikto (as part of Linux distribution).
> nikto-2.1.2 is the first to include the -ask option (previously it was
> just PROMPTS in the config file). I tested 2.00 (2.0.0) and if you
> supply -ask it just prints an error about it being unknown but
> continues execution, so I don't think this should be a problem.

I did not have time to test it myself, but thought to raise it up ASAP because of major breakage :) if previous nikto versions do not exit on unknown parameter - it's not big problem as I thought it will be. It's great you tested it already!

> I wonder if when it prompts it should include a quick note as to how
> to disable prompting? Would that be a help, at least?

I guess that would help! Especially would help someone who upgraded nikto and now his automatic tools/scripts does not work any more. I guess having notice somewhere on the web would help as well.

Kost

From FBreedijk at schubergphilis.com Wed Sep 8 01:27:13 2010
From: FBreedijk at schubergphilis.com (Frank Breedijk)
Date: Wed, 8 Sep 2010 08:27:13 +0200
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To:
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org>
Message-ID:

Chris,

The relation is indirect in the sense that I am worried what would happen to nikto if I piped the output of 'yes yes' to it.

Some testing with version 2.1.3

date;./nikto.pl -host seccubus.com;date
Tue Sep 7 17:27:38 CEST 2010
Tue Sep 7 17:35:47 CEST 2010
8.09 minutes

date;yes yes|./nikto.pl -host seccubus.com;date
Tue Sep 7 19:18:49 CEST 2010
Tue Sep 7 19:25:59 CEST 2010
7.10 minutes

date;yes yes|./nikto.pl -host seccubus.com;date # Check_input disabled
Tue Sep 7 19:27:30 CEST 2010
Tue Sep 7 19:34:26 CEST 2010
6.54 minutes

Piping yes yes to nikto does not really seem to hurt, but still feels like a nasty hack. Since Seccubus only supports version 2.1.2 and up anyway I'm going to append -ask=auto to the options.

Frank Breedijk
..-. .-. .- -. -.-
T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W: www.schubergphilis.com

-----Original Message-----
From: Sullo [mailto:csullo at gmail.com]
Sent: 07 September 2010 16:57
To: Frank Breedijk
Cc: Jabra; nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] Disabling interactive question

There is no direct relationship between the prompting (which is the 'send updates' bit) and the interactivity. To try and keep any slowdown due to listening for keystrokes, it will only poll for input every 10 requests. I suppose a CLI/config to disable it entirely would be worthwhile for anyone running fully automated or in the background...

If you want to do any speed tests, just hack nikto_core.plugin line ~1965 to not check for input...
    if (($NIKTO{'totalrequests'} % 10) == 0) {
        check_input();
    }

I'll open a ticket to create a way to manually disable it.

--
http://www.cirt.net | http://www.osvdb.org/

From csullo at gmail.com Wed Sep 8 08:07:48 2010
From: csullo at gmail.com (Sullo)
Date: Wed, 8 Sep 2010 09:07:48 -0400
Subject: [Nikto-discuss] Disabling interactive question
In-Reply-To:
References: <20100907142830.GA9609@navi.v2s.org> <20100907143817.GB9609@navi.v2s.org> <20100907144438.GC9609@navi.v2s.org>
Message-ID:

gotcha. i think it makes sense to have a way to disable the input poll manually.

On Wed, Sep 8, 2010 at 2:27 AM, Frank Breedijk wrote:
> Chris,
>
> The relation is indirect in the sense that I am worried what would happen to nikto if I piped the output of 'yes yes' to it.
>
> Some testing with version 2.1.3
>
> date;./nikto.pl -host seccubus.com;date
> Tue Sep 7 17:27:38 CEST 2010
> Tue Sep 7 17:35:47 CEST 2010
> 8.09 minutes
>
> date;yes yes|./nikto.pl -host seccubus.com;date
> Tue Sep 7 19:18:49 CEST 2010
> Tue Sep 7 19:25:59 CEST 2010
> 7.10 minutes
>
> date;yes yes|./nikto.pl -host seccubus.com;date # Check_input disabled
> Tue Sep 7 19:27:30 CEST 2010
> Tue Sep 7 19:34:26 CEST 2010
> 6.54 minutes
>
> Piping yes yes to nikto does not really seem to hurt, but still feels like a nasty hack. Since Seccubus only supports version 2.1.2 and up anyway I'm going to append -ask=auto to the options.
>
> Frank Breedijk
> ..-. .-. .- -. -.-
> T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W: www.schubergphilis.com
>
--
http://www.cirt.net | http://www.osvdb.org/
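
Added example (not part of the thread and not Nikto code): against a constructed stub that asks two (y/n) questions, the sketch below shows what `echo y |`, `yes |` and a closed stdin each deliver to a prompting tool, and wraps a command in a watchdog so an unattended run of the kind Frank describes cannot wait forever. The stub, the function names and the time limits are assumptions made for illustration; the commented nikto line uses only the -ask and -host options quoted in the messages above.

```shell
#!/bin/sh
# Added example, not Nikto code. It contrasts the stdin strategies from the
# thread and adds a watchdog so an unattended run cannot wait forever.

# Constructed stand-in for a tool that asks two (y/n) questions on stdin.
# Called with "hang" it mimics a tool that blocks waiting for a keypress.
make_stub() {
    path=$(mktemp "${TMPDIR:-/tmp}/prompt_stub.XXXXXX") || return 1
    cat > "$path" <<'EOF'
[ "$1" = "hang" ] && exec sleep 30
for q in 1 2; do
    if read -r answer; then echo "q$q=$answer"; else echo "q$q=EOF"; fi
done
EOF
    printf '%s\n' "$path"
}

# answers STRATEGY STUB: what the tool receives for each question.
#   once    = echo y | tool   (one answer, then end of input)
#   forever = yes y  | tool   (an answer for every question)
#   none    = tool < /dev/null (every read sees end of input at once)
answers() {
    case $1 in
        once)    echo y | sh "$2" ;;
        forever) yes y 2> /dev/null | sh "$2" ;;
        none)    sh "$2" < /dev/null ;;
    esac | tr '\n' ' ' | sed 's/ $//'
}

# run_unattended SECONDS CMD...: run CMD with stdin closed and stop it with
# SIGTERM after SECONDS. Returns 124 on timeout, otherwise CMD's own status.
run_unattended() {
    limit=$1; shift
    "$@" < /dev/null &
    pid=$!
    (
        # If the command finishes first, the parent signals us: stop the timer.
        trap 'kill "$sleeper" 2>/dev/null; exit 0' TERM
        sleep "$limit" & sleeper=$!
        wait "$sleeper" && kill -TERM "$pid"
    ) > /dev/null 2>&1 &
    watchdog=$!
    status=0
    wait "$pid" || status=$?
    kill -TERM "$watchdog" 2> /dev/null || true
    wait "$watchdog" 2> /dev/null || true
    if [ "$status" -eq 143 ]; then return 124; fi   # 128 + SIGTERM
    return "$status"
}

# Real use would look like this (the 3600 s limit is an assumed value):
#   run_unattended 3600 ./nikto.pl -ask no -host "$target"

stub=$(make_stub)
for how in once forever none; do
    printf '%-8s -> %s\n' "$how" "$(answers "$how" "$stub")"
done
rc=0; run_unattended 1 sh "$stub" hang || rc=$?
echo "blocked tool stopped by watchdog, status $rc"
rm -f "$stub"
```

Closing stdin makes a prompt fail fast instead of blocking, and the watchdog covers a tool that waits on something other than stdin.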