From csullo at gmail.com Sun Sep 1 08:28:35 2013 From: csullo at gmail.com (csullo at gmail.com) Date: Sun, 1 Sep 2013 09:28:35 -0400 Subject: [Nikto-discuss] (no subject) In-Reply-To: References: Message-ID: I am not near a computer, sorry, but you want to use the -no404 option combined with -Plugins. It should be like: -Plugins "@@none;nikto_outdated;nikto_versions" Those are from memory so check output of -list-plugins to be sure those are correct. Also see: http://cirt.net/nikto2-docs/options.html#id2741238 I'm not sure it will be one request but probably 2-3 if you set the options right, since it tests ssl and possibly more than one method. You can use -ssl and -nossl to save a request if you know ahead of time or don't mind guessing based on port. Let us know how it turns out! -Sullo On Aug 30, 2013, at 9:30 AM, Thi?baut Devergranne wrote: > Hi guys, > > I'm very new to Nikto and I'm trying to find out how to conduct a server version tests (like php, asp) sending the minimal number of requests, ideally one. > > I understand it's possible to do that using the -Plugin parameter but i'm kind of lost after that. > > Anyone could help to put me on the right track ? > Thanks > > > > > > _______________________________________________ > Nikto-discuss mailing list > Nikto-discuss at attrition.org > https://attrition.org/mailman/listinfo/nikto-discuss -------------- next part -------------- An HTML attachment was scrubbed... URL: From t.devergranne at gmail.com Mon Sep 2 03:02:33 2013 From: t.devergranne at gmail.com (=?iso-8859-1?Q?Thi=E9baut_Devergranne?=) Date: Mon, 2 Sep 2013 10:02:33 +0200 Subject: [Nikto-discuss] (no subject) In-Reply-To: References: Message-ID: Thanks for the feedback. If I uses theses options Nikto doesn't tell me about any problems any more ; here's a test : hstd# nikto -Plugins "@@none;nikto_outdated;nikto_versions" -no404 -h http://www.domain.com - Nikto v2.1.5 --------------------------------------------------------------------------- + Target IP: bla.bla. + Target Hostname: www.domain.com + Target Port: 80 + Start Time: 2013-09-02 09:58:56 (GMT2) --------------------------------------------------------------------------- + Server: Apache/2.2.6 (Unix) PHP/5.2.5 mod_ssl/2.2.6 OpenSSL/0.9.8g + 6545 items checked: 0 error(s) and 0 item(s) reported on remote host + End Time: 2013-09-02 09:58:56 (GMT2) (0 seconds) --------------------------------------------------------------------------- So the server runs a vulnerable version of php but Nikto doesn't give me any information about it. Is there something i'm missing ? Thanks ! TD Le 1 sept. 2013 ? 15:28, csullo at gmail.com a ?crit : > I am not near a computer, sorry, but you want to use the -no404 option combined with -Plugins. > > It should be like: -Plugins "@@none;nikto_outdated;nikto_versions" > > Those are from memory so check output of -list-plugins to be sure those are correct. > > Also see: > http://cirt.net/nikto2-docs/options.html#id2741238 > > I'm not sure it will be one request but probably 2-3 if you set the options right, since it tests ssl and possibly more than one method. You can use -ssl and -nossl to save a request if you know ahead of time or don't mind guessing based on port. > > Let us know how it turns out! > > -Sullo > > On Aug 30, 2013, at 9:30 AM, Thi?baut Devergranne wrote: > >> Hi guys, >> >> I'm very new to Nikto and I'm trying to find out how to conduct a server version tests (like php, asp) sending the minimal number of requests, ideally one. >> >> I understand it's possible to do that using the -Plugin parameter but i'm kind of lost after that. >> >> Anyone could help to put me on the right track ? >> Thanks >> >> >> >> >> >> _______________________________________________ >> Nikto-discuss mailing list >> Nikto-discuss at attrition.org >> https://attrition.org/mailman/listinfo/nikto-discuss -------------- next part -------------- An HTML attachment was scrubbed... URL: From resident.deity at gmail.com Wed Sep 11 18:41:39 2013 From: resident.deity at gmail.com (a) Date: Thu, 12 Sep 2013 00:41:39 +0100 Subject: [Nikto-discuss] (no subject) In-Reply-To: References: Message-ID: I see the problem: the plugin names are wrong, it should usually be without the nikto_. You can see the full list of plugins and their names by doing a: nikto -list-plugins Although the plugin name is usually nikto_plugin it doesn't have to be. In case of doubt always use the name shown when doing a -list-plugins. The command line you're looking for is: nikto -Plugins 'outdated' -no404 -host http://www.domain.com Be warned: reporting is done by a plugin as well, so if you want to save the result to a file, you'll need to include the reporting plugin as well: nikto -Plugins 'outdated,report_xml' -no404 -host http://www.domain.com-output domain.xml On 2 September 2013 09:02, Thi?baut Devergranne wrote: > Thanks for the feedback. If I uses theses options Nikto doesn't tell me > about any problems any more ; here's a test : > > hstd# nikto -Plugins "@@none;nikto_outdated;nikto_versions" -no404 -h > http://www.domain.com > - Nikto v2.1.5 > --------------------------------------------------------------------------- > + Target IP: bla.bla. > + Target Hostname: www.domain.com > + Target Port: 80 > + Start Time: 2013-09-02 09:58:56 (GMT2) > --------------------------------------------------------------------------- > + Server: Apache/2.2.6 (Unix) PHP/5.2.5 mod_ssl/2.2.6 OpenSSL/0.9.8g > + 6545 items checked: 0 error(s) and 0 item(s) reported on remote host > + End Time: 2013-09-02 09:58:56 (GMT2) (0 seconds) > --------------------------------------------------------------------------- > > So the server runs a vulnerable version of php but Nikto doesn't give me > any information about it. Is there something i'm missing ? > > Thanks ! > TD > > > Le 1 sept. 2013 ? 15:28, csullo at gmail.com a ?crit : > > I am not near a computer, sorry, but you want to use the -no404 option > combined with -Plugins. > > It should be like: -Plugins "@@none;nikto_outdated;nikto_versions" > > Those are from memory so check output of -list-plugins to be sure those > are correct. > > Also see: > http://cirt.net/nikto2-docs/options.html#id2741238 > > I'm not sure it will be one request but probably 2-3 if you set the > options right, since it tests ssl and possibly more than one method. You > can use -ssl and -nossl to save a request if you know ahead of time or > don't mind guessing based on port. > > Let us know how it turns out! > > -Sullo > > On Aug 30, 2013, at 9:30 AM, Thi?baut Devergranne > wrote: > > Hi guys, > > I'm very new to Nikto and I'm trying to find out how to conduct a server > version tests (like php, asp) sending the minimal number of requests, > ideally one. > > I understand it's possible to do that using the -Plugin parameter but i'm > kind of lost after that. > > Anyone could help to put me on the right track ? > Thanks > > > > > > _______________________________________________ > Nikto-discuss mailing list > Nikto-discuss at attrition.org > https://attrition.org/mailman/listinfo/nikto-discuss > > > > _______________________________________________ > Nikto-discuss mailing list > Nikto-discuss at attrition.org > https://attrition.org/mailman/listinfo/nikto-discuss > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From robin at digininja.org Thu Sep 12 02:00:41 2013 From: robin at digininja.org (Robin Wood) Date: Thu, 12 Sep 2013 08:00:41 +0100 Subject: [Nikto-discuss] (no subject) In-Reply-To: References: Message-ID: On 12 Sep 2013 00:41, "a" wrote: > > I see the problem: the plugin names are wrong, it should usually be without the nikto_. You can see the full list of plugins and their names by doing a: > nikto -list-plugins > > Although the plugin name is usually nikto_plugin it doesn't have to be. In case of doubt always use the name shown when doing a -list-plugins. > > The command line you're looking for is: > nikto -Plugins 'outdated' -no404 -host http://www.domain.com > > Be warned: reporting is done by a plugin as well, so if you want to save the result to a file, you'll need to include the reporting plugin as well: > nikto -Plugins 'outdated,report_xml' -no404 -host http://www.domain.com-output domain.xml > Couldn't you automatically bring the appropriate report plugin in as required? It sounds like the kind of thing that someone could waste a lot of time on trying to work out reporting is failing. Robin > > On 2 September 2013 09:02, Thi?baut Devergranne wrote: >> >> Thanks for the feedback. If I uses theses options Nikto doesn't tell me about any problems any more ; here's a test : >> >> hstd# nikto -Plugins "@@none;nikto_outdated;nikto_versions" -no404 -h http://www.domain.com >> - Nikto v2.1.5 >> --------------------------------------------------------------------------- >> + Target IP: bla.bla. >> + Target Hostname: www.domain.com >> + Target Port: 80 >> + Start Time: 2013-09-02 09:58:56 (GMT2) >> --------------------------------------------------------------------------- >> + Server: Apache/2.2.6 (Unix) PHP/5.2.5 mod_ssl/2.2.6 OpenSSL/0.9.8g >> + 6545 items checked: 0 error(s) and 0 item(s) reported on remote host >> + End Time: 2013-09-02 09:58:56 (GMT2) (0 seconds) >> --------------------------------------------------------------------------- >> >> So the server runs a vulnerable version of php but Nikto doesn't give me any information about it. Is there something i'm missing ? >> >> Thanks ! >> TD >> >> >> Le 1 sept. 2013 ? 15:28, csullo at gmail.com a ?crit : >> >>> I am not near a computer, sorry, but you want to use the -no404 option combined with -Plugins. >>> >>> It should be like: -Plugins "@@none;nikto_outdated;nikto_versions" >>> >>> Those are from memory so check output of -list-plugins to be sure those are correct. >>> >>> Also see: >>> http://cirt.net/nikto2-docs/options.html#id2741238 >>> >>> I'm not sure it will be one request but probably 2-3 if you set the options right, since it tests ssl and possibly more than one method. You can use -ssl and -nossl to save a request if you know ahead of time or don't mind guessing based on port. >>> >>> Let us know how it turns out! >>> >>> -Sullo >>> >>> On Aug 30, 2013, at 9:30 AM, Thi?baut Devergranne < t.devergranne at gmail.com> wrote: >>> >>>> Hi guys, >>>> >>>> I'm very new to Nikto and I'm trying to find out how to conduct a server version tests (like php, asp) sending the minimal number of requests, ideally one. >>>> >>>> I understand it's possible to do that using the -Plugin parameter but i'm kind of lost after that. >>>> >>>> Anyone could help to put me on the right track ? >>>> Thanks >>>> >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Nikto-discuss mailing list >>>> Nikto-discuss at attrition.org >>>> https://attrition.org/mailman/listinfo/nikto-discuss >> >> >> >> _______________________________________________ >> Nikto-discuss mailing list >> Nikto-discuss at attrition.org >> https://attrition.org/mailman/listinfo/nikto-discuss >> > > > _______________________________________________ > Nikto-discuss mailing list > Nikto-discuss at attrition.org > https://attrition.org/mailman/listinfo/nikto-discuss > -------------- next part -------------- An HTML attachment was scrubbed... URL: From t.devergranne at gmail.com Thu Sep 12 07:21:48 2013 From: t.devergranne at gmail.com (=?iso-8859-1?Q?Thi=E9baut_Devergranne?=) Date: Thu, 12 Sep 2013 14:21:48 +0200 Subject: [Nikto-discuss] (no subject) In-Reply-To: References: Message-ID: Sorry I tried with the configuration you suggested but had no results whatsoever. Regards Le 12 sept. 2013 ? 01:41, a a ?crit : > I see the problem: the plugin names are wrong, it should usually be without the nikto_. You can see the full list of plugins and their names by doing a: > nikto -list-plugins > > Although the plugin name is usually nikto_plugin it doesn't have to be. In case of doubt always use the name shown when doing a -list-plugins. > > The command line you're looking for is: > nikto -Plugins 'outdated' -no404 -host http://www.domain.com > > Be warned: reporting is done by a plugin as well, so if you want to save the result to a file, you'll need to include the reporting plugin as well: > nikto -Plugins 'outdated,report_xml' -no404 -host http://www.domain.com -output domain.xml > > > > On 2 September 2013 09:02, Thi?baut Devergranne wrote: > Thanks for the feedback. If I uses theses options Nikto doesn't tell me about any problems any more ; here's a test : > > hstd# nikto -Plugins "@@none;nikto_outdated;nikto_versions" -no404 -h http://www.domain.com > - Nikto v2.1.5 > --------------------------------------------------------------------------- > + Target IP: bla.bla. > + Target Hostname: www.domain.com > + Target Port: 80 > + Start Time: 2013-09-02 09:58:56 (GMT2) > --------------------------------------------------------------------------- > + Server: Apache/2.2.6 (Unix) PHP/5.2.5 mod_ssl/2.2.6 OpenSSL/0.9.8g > + 6545 items checked: 0 error(s) and 0 item(s) reported on remote host > + End Time: 2013-09-02 09:58:56 (GMT2) (0 seconds) > --------------------------------------------------------------------------- > > So the server runs a vulnerable version of php but Nikto doesn't give me any information about it. Is there something i'm missing ? > > Thanks ! > TD > > > Le 1 sept. 2013 ? 15:28, csullo at gmail.com a ?crit : > >> I am not near a computer, sorry, but you want to use the -no404 option combined with -Plugins. >> >> It should be like: -Plugins "@@none;nikto_outdated;nikto_versions" >> >> Those are from memory so check output of -list-plugins to be sure those are correct. >> >> Also see: >> http://cirt.net/nikto2-docs/options.html#id2741238 >> >> I'm not sure it will be one request but probably 2-3 if you set the options right, since it tests ssl and possibly more than one method. You can use -ssl and -nossl to save a request if you know ahead of time or don't mind guessing based on port. >> >> Let us know how it turns out! >> >> -Sullo >> >> On Aug 30, 2013, at 9:30 AM, Thi?baut Devergranne wrote: >> >>> Hi guys, >>> >>> I'm very new to Nikto and I'm trying to find out how to conduct a server version tests (like php, asp) sending the minimal number of requests, ideally one. >>> >>> I understand it's possible to do that using the -Plugin parameter but i'm kind of lost after that. >>> >>> Anyone could help to put me on the right track ? >>> Thanks >>> >>> >>> >>> >>> >>> _______________________________________________ >>> Nikto-discuss mailing list >>> Nikto-discuss at attrition.org >>> https://attrition.org/mailman/listinfo/nikto-discuss > > > _______________________________________________ > Nikto-discuss mailing list > Nikto-discuss at attrition.org > https://attrition.org/mailman/listinfo/nikto-discuss > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From csullo at gmail.com Thu Sep 12 07:42:06 2013 From: csullo at gmail.com (Sullo) Date: Thu, 12 Sep 2013 08:42:06 -0400 Subject: [Nikto-discuss] (no subject) In-Reply-To: References: Message-ID: David's method seems to work for me: ./nikto.pl -h localhost -Plugins "@@none;outdated" -no404 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 127.0.0.1 + Target Hostname: localhost + Target Port: 80 + Start Time: 2013-09-12 08:40:49 (GMT-4) --------------------------------------------------------------------------- + Server: Apache/2.2.22 (Unix) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8r + mod_ssl/2.2.22 appears to be outdated (current is at least 2.8.31) (may depend on server version) + OpenSSL/0.9.8r appears to be outdated (current is at least 1.0.1c). OpenSSL 0.9.8r is also current. + 6607 items checked: 0 error(s) and 2 item(s) reported on remote host + End Time: 2013-09-12 08:40:49 (GMT-4) (0 seconds) --------------------------------------------------------------------------- + 1 host(s) tested On Thu, Sep 12, 2013 at 8:21 AM, Thi?baut Devergranne < t.devergranne at gmail.com> wrote: > Sorry I tried with the configuration you suggested but had no results > whatsoever. > Regards > > > Le 12 sept. 2013 ? 01:41, a a ?crit : > > I see the problem: the plugin names are wrong, it should usually be > without the nikto_. You can see the full list of plugins and their names by > doing a: > nikto -list-plugins > > Although the plugin name is usually nikto_plugin it doesn't have to be. In > case of doubt always use the name shown when doing a -list-plugins. > > The command line you're looking for is: > nikto -Plugins 'outdated' -no404 -host http://www.domain.com > > Be warned: reporting is done by a plugin as well, so if you want to save > the result to a file, you'll need to include the reporting plugin as well: > nikto -Plugins 'outdated,report_xml' -no404 -host http://www.domain.com-output domain.xml > > > > On 2 September 2013 09:02, Thi?baut Devergranne wrote: > >> Thanks for the feedback. If I uses theses options Nikto doesn't tell me >> about any problems any more ; here's a test : >> >> hstd# nikto -Plugins "@@none;nikto_outdated;nikto_versions" -no404 -h >> http://www.domain.com >> - Nikto v2.1.5 >> >> --------------------------------------------------------------------------- >> + Target IP: bla.bla. >> + Target Hostname: www.domain.com >> + Target Port: 80 >> + Start Time: 2013-09-02 09:58:56 (GMT2) >> >> --------------------------------------------------------------------------- >> + Server: Apache/2.2.6 (Unix) PHP/5.2.5 mod_ssl/2.2.6 OpenSSL/0.9.8g >> + 6545 items checked: 0 error(s) and 0 item(s) reported on remote host >> + End Time: 2013-09-02 09:58:56 (GMT2) (0 seconds) >> >> --------------------------------------------------------------------------- >> >> So the server runs a vulnerable version of php but Nikto doesn't give me >> any information about it. Is there something i'm missing ? >> >> Thanks ! >> TD >> >> >> Le 1 sept. 2013 ? 15:28, csullo at gmail.com a ?crit : >> >> I am not near a computer, sorry, but you want to use the -no404 option >> combined with -Plugins. >> >> It should be like: -Plugins "@@none;nikto_outdated;nikto_versions" >> >> Those are from memory so check output of -list-plugins to be sure those >> are correct. >> >> Also see: >> http://cirt.net/nikto2-docs/options.html#id2741238 >> >> I'm not sure it will be one request but probably 2-3 if you set the >> options right, since it tests ssl and possibly more than one method. You >> can use -ssl and -nossl to save a request if you know ahead of time or >> don't mind guessing based on port. >> >> Let us know how it turns out! >> >> -Sullo >> >> On Aug 30, 2013, at 9:30 AM, Thi?baut Devergranne < >> t.devergranne at gmail.com> wrote: >> >> Hi guys, >> >> I'm very new to Nikto and I'm trying to find out how to conduct a server >> version tests (like php, asp) sending the minimal number of requests, >> ideally one. >> >> I understand it's possible to do that using the -Plugin parameter but i'm >> kind of lost after that. >> >> Anyone could help to put me on the right track ? >> Thanks >> >> >> >> >> >> _______________________________________________ >> Nikto-discuss mailing list >> Nikto-discuss at attrition.org >> https://attrition.org/mailman/listinfo/nikto-discuss >> >> >> >> _______________________________________________ >> Nikto-discuss mailing list >> Nikto-discuss at attrition.org >> https://attrition.org/mailman/listinfo/nikto-discuss >> >> > > > _______________________________________________ > Nikto-discuss mailing list > Nikto-discuss at attrition.org > https://attrition.org/mailman/listinfo/nikto-discuss > > -- http://www.cirt.net | http://richsec.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From csullo at gmail.com Thu Sep 12 08:18:03 2013 From: csullo at gmail.com (Sullo) Date: Thu, 12 Sep 2013 09:18:03 -0400 Subject: [Nikto-discuss] (no subject) In-Reply-To: References: Message-ID: I've opened a ticket for this one--good call. -Sullo On Thu, Sep 12, 2013 at 3:00 AM, Robin Wood wrote: > > On 12 Sep 2013 00:41, "a" wrote: > > > > I see the problem: the plugin names are wrong, it should usually be > without the nikto_. You can see the full list of plugins and their names by > doing a: > > nikto -list-plugins > > > > Although the plugin name is usually nikto_plugin it doesn't have to be. > In case of doubt always use the name shown when doing a -list-plugins. > > > > The command line you're looking for is: > > nikto -Plugins 'outdated' -no404 -host http://www.domain.com > > > > Be warned: reporting is done by a plugin as well, so if you want to save > the result to a file, you'll need to include the reporting plugin as well: > > nikto -Plugins 'outdated,report_xml' -no404 -host > http://www.domain.com -output domain.xml > > > > Couldn't you automatically bring the appropriate report plugin in as > required? It sounds like the kind of thing that someone could waste a lot > of time on trying to work out reporting is failing. > > Robin > > > > > On 2 September 2013 09:02, Thi?baut Devergranne > wrote: > >> > >> Thanks for the feedback. If I uses theses options Nikto doesn't tell me > about any problems any more ; here's a test : > >> > >> hstd# nikto -Plugins "@@none;nikto_outdated;nikto_versions" -no404 -h > http://www.domain.com > >> - Nikto v2.1.5 > >> > --------------------------------------------------------------------------- > >> + Target IP: bla.bla. > >> + Target Hostname: www.domain.com > >> + Target Port: 80 > >> + Start Time: 2013-09-02 09:58:56 (GMT2) > >> > --------------------------------------------------------------------------- > >> + Server: Apache/2.2.6 (Unix) PHP/5.2.5 mod_ssl/2.2.6 OpenSSL/0.9.8g > >> + 6545 items checked: 0 error(s) and 0 item(s) reported on remote host > >> + End Time: 2013-09-02 09:58:56 (GMT2) (0 seconds) > >> > --------------------------------------------------------------------------- > >> > >> So the server runs a vulnerable version of php but Nikto doesn't give > me any information about it. Is there something i'm missing ? > >> > >> Thanks ! > >> TD > >> > >> > >> Le 1 sept. 2013 ? 15:28, csullo at gmail.com a ?crit : > >> > >>> I am not near a computer, sorry, but you want to use the -no404 option > combined with -Plugins. > >>> > >>> It should be like: -Plugins "@@none;nikto_outdated;nikto_versions" > >>> > >>> Those are from memory so check output of -list-plugins to be sure > those are correct. > >>> > >>> Also see: > >>> http://cirt.net/nikto2-docs/options.html#id2741238 > >>> > >>> I'm not sure it will be one request but probably 2-3 if you set the > options right, since it tests ssl and possibly more than one method. You > can use -ssl and -nossl to save a request if you know ahead of time or > don't mind guessing based on port. > >>> > >>> Let us know how it turns out! > >>> > >>> -Sullo > >>> > >>> On Aug 30, 2013, at 9:30 AM, Thi?baut Devergranne < > t.devergranne at gmail.com> wrote: > >>> > >>>> Hi guys, > >>>> > >>>> I'm very new to Nikto and I'm trying to find out how to conduct a > server version tests (like php, asp) sending the minimal number of > requests, ideally one. > >>>> > >>>> I understand it's possible to do that using the -Plugin parameter but > i'm kind of lost after that. > >>>> > >>>> Anyone could help to put me on the right track ? > >>>> Thanks > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> _______________________________________________ > >>>> Nikto-discuss mailing list > >>>> Nikto-discuss at attrition.org > >>>> https://attrition.org/mailman/listinfo/nikto-discuss > >> > >> > >> > >> _______________________________________________ > >> Nikto-discuss mailing list > >> Nikto-discuss at attrition.org > >> https://attrition.org/mailman/listinfo/nikto-discuss > >> > > > > > > _______________________________________________ > > Nikto-discuss mailing list > > Nikto-discuss at attrition.org > > https://attrition.org/mailman/listinfo/nikto-discuss > > > > _______________________________________________ > Nikto-discuss mailing list > Nikto-discuss at attrition.org > https://attrition.org/mailman/listinfo/nikto-discuss > > -- http://www.cirt.net | http://richsec.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: