[Nikto-discuss] Disabling interactive question
Sullo
csullo at gmail.com
Wed Sep 8 08:07:48 CDT 2010
gotcha. i think it makes sense to have a way to disable the input poll
manually.
On Wed, Sep 8, 2010 at 2:27 AM, Frank Breedijk
<FBreedijk at schubergphilis.com> wrote:
> Chris,
>
> The relation is indirect in the sense that I am worried what would happen to nikto if I piped the output of 'yes yes' to it.
>
> Some testing with version 2.1.3
>
> date;./nikto.pl -host seccubus.com;date
> Tue Sep 7 17:27:38 CEST 2010
> Tue Sep 7 17:35:47 CEST 2010
> 8.09 minutes
>
> date;yes yes|./nikto.pl -host seccubus.com;date
> Tue Sep 7 19:18:49 CEST 2010
> Tue Sep 7 19:25:59 CEST 2010
> 7.10 minutes
>
> date;yes yes|./nikto.pl -host seccubus.com;date # Check_input disabled
> Tue Sep 7 19:27:30 CEST 2010
> Tue Sep 7 19:34:26 CEST 2010
> 6.54 minutes
>
> Piping yes yes to nikto does not really seem to hurt, but still feels like a nasty hack. Since Seccubus only supports version 2.1.2 and up anyway I'm going to append -ask=auto to the options.
>
> Frank Breedijk
> ..-. .-. .- -. -.-
> T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W: www.schubergphilis.com
>
>
> -----Original Message-----
> From: Sullo [mailto:csullo at gmail.com]
> Sent: 07 September 2010 16:57
> To: Frank Breedijk
> Cc: Jabra; nikto-discuss at attrition.org
> Subject: Re: [Nikto-discuss] Disabling interactive question
>
> There is no direct relationship between the prompting (which is the 'send updates' bit) and the interactivity. To try and keep any slowdown due to listening for keystrokes, it will only poll for input every 10 requests. I suppose a CLI/config to disable it entirely would be worthwhile for anyone running fully automated or in the background...
>
> If you want to do any speed tests, just hack nikto_core.plugin line
> ~1965 to not check for input...
> if (($NIKTO{'totalrequests'} % 10) == 0) {
> check_input();
> }
>
> I'll open a ticket to create a way to manually disable it.
>
> On Tue, Sep 7, 2010 at 10:53 AM, Frank Breedijk <FBreedijk at schubergphilis.com> wrote:
>> Indeed, I'm just a little afraid of the performance impact since the latest nikto is listening to keystrokes during scanning.
>>
>> Frank Breedijk
>> ..-. .-. .- -. -.-
>> T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W:
>> www.schubergphilis.com
>>
>>
>> -----Original Message-----
>> From: Jabra [mailto:jabra at spl0it.org]
>> Sent: 07 September 2010 16:45
>> To: Frank Breedijk
>> Cc: Jabra; nikto-discuss at attrition.org
>> Subject: Re: [Nikto-discuss] Disabling interactive question
>>
>> Using: echo "yes" will only pass one instance of "yes" to nikto if it asks for user input.
>>
>> Using: yes | nikto would pass as many "yes" inputs until nikto completes.
>>
>> Regards,
>> Jabra
>>
>> On 07.Sep.2010 04:40PM +0200, Frank Breedijk wrote:
>>> I can see it is still morning there and end of workday here ;)
>>> Yes|nikto ... will work. Nikto does take y for an answer.
>>>
>>> Frank Breedijk
>>> ..-. .-. .- -. -.-
>>> T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W:
>>> www.schubergphilis.com
>>>
>>>
>>> -----Original Message-----
>>> From: Jabra [mailto:jabra at spl0it.org]
>>> Sent: 07 September 2010 16:38
>>> To: Frank Breedijk
>>> Cc: Jabra; nikto-discuss at attrition.org
>>> Subject: Re: [Nikto-discuss] Disabling interactive question
>>>
>>> I'm not seeing such an option...
>>>
>>>
>>> Not to be too picky shouldn't it be 'yes yes |nikto' ?
>>>
>>>
>>> Regards,
>>> Jabra
>>>
>>>
>>>
>>> On 07.Sep.2010 04:30PM +0200, Frank Breedijk wrote:
>>> > I know, however, it is a bit impractical to have to check if this is present, especially as I don't know where the configuration file will be in the system. Is there a command line option to disable it?
>>> >
>>> > The following will do the trick, but feels like cheating:
>>> > echo y | nikto .....
>>> >
>>> > Frank Breedijk
>>> > ..-. .-. .- -. -.-
>>> > T: +31 (0)20-7506500 E: fbreedijk at schubergphilis.com W:
>>> > www.schubergphilis.com
>>> >
>>> > -----Original Message-----
>>> > From: Jabra [mailto:jabra at spl0it.org]
>>> > Sent: 07 September 2010 16:29
>>> > To: Frank Breedijk
>>> > Cc: nikto-discuss at attrition.org
>>> > Subject: Re: [Nikto-discuss] Disabling interactive question
>>> >
>>> > There is an option in the nikto.conf to not ask the user if they
>>> > want to send updates to cirt.net
>>> >
>>> > Regards,
>>> > Josh
>>> >
>>> > On 07.Sep.2010 04:24PM +0200, Frank Breedijk wrote:
>>> > > When there is a mismatch between the server signature and the signature on file, Nikto asks you to submit it. Is there a way to disable this prompt ? Since I run nikto from Seccubus I need to make sure it finishes and not spends forever waiting for user input.
>>> > >
>>> > >
>>> > > *****************************************************************
>>> > > *
>>> > > **
>>> > > *
>>> > > Portions of the server's ident string (Apache/2.2.9) are
>>> > > not in
>>> > > the Nikto database or is newer than the known string. Would
>>> > > you like
>>> > > to submit this information (*no server specific data*) to
>>> > > CIRT.net
>>> > > for a Nikto update (or you may email to sullo at cirt.net) (y/n)?
>>> > >
>>> > > Kind regards,
>>> > > Frank Breedijk
>>> > >
>>> > >
>>> > > Schuberg Philis
>>> > > Boeing Avenue 271
>>> > > 1119 PD Schiphol-Rijk
>>> > > schubergphilis.com
>>> > >
>>> > > +31 20 750 65 38
>>> > > +31 6 4382 2637
>>> > > _______________________________________________
>>> > > Nikto-discuss mailing list
>>> > > Nikto-discuss at attrition.org
>>> > > https://attrition.org/mailman/listinfo/nikto-discuss
>>> >
>>> > --
>>> > Jabra < jabra at spl0it.org >
>>> > http://www.spl0it.org
>>>
>>> --
>>> Jabra < jabra at spl0it.org >
>>> http://www.spl0it.org
>>
>> --
>> Jabra < jabra at spl0it.org >
>> http://www.spl0it.org
>> _______________________________________________
>> Nikto-discuss mailing list
>> Nikto-discuss at attrition.org
>> https://attrition.org/mailman/listinfo/nikto-discuss
>>
>
>
>
> --
>
> http://www.cirt.net | http://www.osvdb.org/
>
--
http://www.cirt.net | http://www.osvdb.org/
More information about the Nikto-discuss
mailing list