From raymond_pluto at hotmail.com Sat Jan 4 11:00:15 2014
From: raymond_pluto at hotmail.com (raymond lukanta)
Date: Sun, 5 Jan 2014 00:00:15 +0700
Subject: [Nikto-discuss] Nikto Capabilities

I have a question about Nikto capabilities.

In the Nikto description, it is said that Nikto is a web server scanner. But in the -Tuning option (http://cirt.net/nikto2-docs/options.html#id2741238), there is a test for SQL injection and XSS. Actually, it makes me confused.

I need an explanation of why Nikto does the tests for SQL injection and XSS. Because I think injection and XSS are web application related (CMIIW).

Thanks.
--
Raymond

From resident.deity at gmail.com Sun Jan 5 03:34:59 2014
From: resident.deity at gmail.com (a)
Date: Sun, 5 Jan 2014 09:34:59 +0000
Subject: [Nikto-discuss] Nikto Capabilities

Nikto performs a set of tests for pages on the web server and the configuration of its responses. The tuning option allows the number of tests to be cut down, e.g. to known pages that have SQL injection.

Where this differs from a web application scanner is that Nikto will only check for what it knows.

To be honest, "web server scanner" is a pointless label anyway. It's a tool that should be run as part of a set of tools (e.g. nmap, sslscan, sqlmap, burp) used during a test. It's not mutually exclusive with other tools.

On 4 Jan 2014 17:00, "raymond lukanta" wrote:
> I have a question about Nikto capabilities.
> In the Nikto description, it is said that Nikto is a web server scanner.
> But in the -Tuning option (http://cirt.net/nikto2-docs/options.html#id2741238), there is a test for
> SQL injection and XSS. Actually, it makes me confused.
>
> I need an explanation of why Nikto does the tests for SQL injection and XSS.
> Because I think injection and XSS are web application related (CMIIW).
>
> Thanks.
> --
> Raymond
>
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss

From raymond_pluto at hotmail.com Sun Jan 5 05:06:55 2014
From: raymond_pluto at hotmail.com (raymond lukanta)
Date: Sun, 5 Jan 2014 18:06:55 +0700
Subject: [Nikto-discuss] Nikto Capabilities

Hmm..

Would you please give me a further explanation of "Nikto will only check for what it knows"?
As far as I understand, a web application scanner also checks what it knows (by using plugins or databases).

Thanks,
--
Raymond

> Date: Sun, 5 Jan 2014 09:34:59 +0000
> Subject: Re: [Nikto-discuss] Nikto Capabilities
> From: resident.deity at gmail.com
> To: raymond_pluto at hotmail.com
> CC: nikto-discuss at attrition.org
>
> Nikto performs a set of tests for pages on the web server and the
> configuration of its responses. The tuning option allows the number of
> tests to be cut down, e.g. to known pages that have SQL injection.
>
> Where this differs from a web application scanner is that Nikto will only
> check for what it knows.
>
> To be honest, "web server scanner" is a pointless label anyway. It's a tool
> that should be run as part of a set of tools (e.g. nmap, sslscan, sqlmap,
> burp) used during a test. It's not mutually exclusive with other tools.
From robin at digininja.org Sun Jan 5 05:26:14 2014
From: robin at digininja.org (Robin Wood)
Date: Sun, 5 Jan 2014 11:26:14 +0000
Subject: [Nikto-discuss] Nikto Capabilities

On 5 January 2014 11:06, raymond lukanta wrote:
> Hmm..
>
> Would you please give me a further explanation of "Nikto will only check
> for what it knows"?
> As far as I understand, a web application scanner also checks what it
> knows (by using plugins or databases).

Nikto uses hardcoded rules to check for things. For example, it will look for the string "ABC" in the file findme.php and, if it finds it, it will report that vulnerability XYZ exists. This is different to a lot of scanners which do this but also do fuzzing, where they will take test.php?id=1 and then try different values for the id to try to detect vulnerabilities.

Therefore it can only detect things it knows about.

Robin

> Thanks,
> --
> Raymond
From raymond_pluto at hotmail.com Sun Jan 5 05:33:24 2014
From: raymond_pluto at hotmail.com (raymond lukanta)
Date: Sun, 5 Jan 2014 18:33:24 +0700
Subject: [Nikto-discuss] Nikto Capabilities

So, Nikto checks the content of every file on the web server? Like code scanning?

--
Raymond

> From: robin at digininja.org
> Date: Sun, 5 Jan 2014 11:26:14 +0000
> Subject: Re: [Nikto-discuss] Nikto Capabilities
> To: raymond_pluto at hotmail.com
> CC: resident.deity at gmail.com; nikto-discuss at attrition.org
>
> On 5 January 2014 11:06, raymond lukanta wrote:
> > Hmm..
> >
> > Would you please give me a further explanation of "Nikto will only check
> > for what it knows"?
> > As far as I understand, a web application scanner also checks what it
> > knows (by using plugins or databases).
>
> Nikto uses hardcoded rules to check for things. For example, it will
> look for the string "ABC" in the file findme.php and, if it finds it, then
> it will report that vulnerability XYZ exists. This is different to a
> lot of scanners which do this but also do fuzzing, where they will take
> test.php?id=1 and then try different values for the id to try to
> detect vulnerabilities.
>
> Therefore it can only detect things it knows about.
>
> Robin
From robin at digininja.org Sun Jan 5 05:44:48 2014
From: robin at digininja.org (Robin Wood)
Date: Sun, 5 Jan 2014 11:44:48 +0000
Subject: [Nikto-discuss] Nikto Capabilities

On 5 January 2014 11:33, raymond lukanta wrote:
> So, Nikto checks the content of every file on the web server? Like code
> scanning?

No, it checks for files it knows about for content it knows about. So if it doesn't know about a file called ignoreme.txt, then it won't look at it.

I suggest you have a look at the source and the plugins and you'll soon see what it is doing. You can also set up a web server and monitor the logs, then run it against it and you'll see all the files being requested.

Robin

> --
> Raymond
From raymond_pluto at hotmail.com Fri Jan 24 23:12:35 2014
From: raymond_pluto at hotmail.com (raymond lukanta)
Date: Sat, 25 Jan 2014 12:12:35 +0700
Subject: [Nikto-discuss] Nikto Dictionary Plugin

Hi,

I want to know how to use the dictionary plugin. I've been googling for a tutorial, but I couldn't find out how to use it.

Thanks.
--
Raymond

From sullo at cirt.net Mon Jan 27 14:55:59 2014
From: sullo at cirt.net (Sullo)
Date: Mon, 27 Jan 2014 15:55:59 -0500
Subject: [Nikto-discuss] RVAsec 2014 CFP Open

What: RVAsec 3
When: June 5-6th, 2014
Where: Richmond, VA, on the Virginia Commonwealth University campus
CFP Deadline: 2/14

RVAsec is a Richmond, VA based security convention that brings top industry speakers to the mid-Atlantic region. For 2014, the conference is a two-day, dual-track format, with a mixed focus on technical and management/business presentations.

All talks must be 55 minutes in length and can be on any security/privacy related topic. Note that we will not accept submissions which are sales/marketing.

RVAsec has many speaker perks, including con admission (and half-off for a friend), speaker party, shirt/swag, awesome badges, and the opportunity to be the recipient of the RVAsec "STFU" sign!

RVAsec has a limited travel budget, but speakers who request travel assistance may be eligible for:
- Travel allotment up to $300
- 3 nights hotel at the Crowne Plaza Richmond Downtown

For more information or to submit, please see: http://rvasec.com/2014-cfp/

--
http://rvasec.com/
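A worked illustration of Robin Wood's two points in the Nikto Capabilities thread above: a signature-based scanner requests only the paths it knows about and reports a finding when a known string appears in a known file (so a file like ignoreme.txt that is not in its list is never touched), and running such a scan against a server you control shows exactly those requests in the access log, which is also what a defender can look for. This is added example code, not Nikto's code, its test-database format or anything posted on the list. The check list, the simulated server contents, the client addresses, the "ExampleScanner/0.1" user-agent and the browsing log lines are all constructed for the example; the only claim about the real tool is that Nikto's default User-Agent names the tool, which is why a user-agent marker list is the cheapest first signal.

```python
"""Added example (not Nikto's code): a toy signature-based check loop in the
style Robin describes, plus detection logic over the access-log trail it
leaves. All paths, strings, addresses and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Toy signature database, constructed for the example:
# (path to request, string that must appear in the body, finding to report).
CHECKS = [
    ("/findme.php", "ABC", "XYZ: marker string found in findme.php"),
    ("/readme.txt", "version", "version disclosure in readme.txt"),
    ("/old/setup.php", "Setup wizard", "leftover installer exposed"),
    ("/phpinfo.php", "phpinfo()", "phpinfo page exposed"),
    ("/cgi-bin/test-cgi", "SERVER_SOFTWARE", "test-cgi script exposed"),
    ("/admin/", "Login", "admin interface reachable"),
]

# Constructed stand-in for the target: path -> (status, body). Anything not
# listed answers 404. /ignoreme.txt exists but is absent from CHECKS.
FAKE_SERVER = {
    "/findme.php": (200, "<html>ABC</html>"),
    "/readme.txt": (200, "Welcome"),          # exists, lacks the marker string
    "/ignoreme.txt": (200, "secret config"),  # never requested by the scan
}

def run_signature_scan(checks, server, client="198.51.100.7",
                       ua="ExampleScanner/0.1"):
    """Request exactly the paths in `checks`, report a finding only when the
    expected string is in a 200 body, and return (findings, access_log_lines)
    in Combined Log Format as the server would record them."""
    findings, log = [], []
    t = datetime(2014, 1, 5, 11, 26, 14, tzinfo=timezone.utc)
    for path, needle, label in checks:
        status, body = server.get(path, (404, "Not Found"))
        t += timedelta(seconds=1)
        log.append(f'{client} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" '
                   f'{status} {len(body)} "-" "{ua}"')
        if status == 200 and needle in body:
            findings.append(label)
    return findings, log

# Constructed ordinary browsing from another client (one harmless 404).
NORMAL_LOG = [
    '203.0.113.9 - - [05/Jan/2014:11:20:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/26.0"',
    '203.0.113.9 - - [05/Jan/2014:11:20:02 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/26.0"',
    '203.0.113.9 - - [05/Jan/2014:11:20:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/26.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_log_line(line):
    """Parse one Combined Log Format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_scanners(lines, window=timedelta(seconds=60), min_paths=5,
                  min_404_ratio=0.5, ua_markers=("Nikto", "ExampleScanner")):
    """Return {client_ip: [reasons]} for clients that look like a fixed-list
    scanner: a self-identifying User-Agent, or a burst of many distinct paths
    answered mostly with 404 inside `window` (known files probed blindly,
    most of which are not on this server)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_log_line, lines)):
        by_ip[rec["ip"]].append(rec)
    suspects = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if any(marker in r["ua"] for r in recs for marker in ua_markers):
            reasons.append("scanner user-agent")
        for i, first in enumerate(recs):
            burst = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            paths = {r["path"] for r in burst}
            ratio = sum(r["status"] == 404 for r in burst) / len(burst)
            if len(paths) >= min_paths and ratio >= min_404_ratio:
                reasons.append(f"{len(paths)} distinct paths, {ratio:.0%} 404s "
                               f"within {int(window.total_seconds())}s")
                break
        if reasons:
            suspects[ip] = reasons
    return suspects

if __name__ == "__main__":
    findings, scan_log = run_signature_scan(CHECKS, FAKE_SERVER)
    print("findings:", findings)
    print("requested:", [parse_log_line(l)["path"] for l in scan_log])
    for ip, why in find_scanners(NORMAL_LOG + scan_log).items():
        print(f"{ip}: {'; '.join(why)}")
```

The scan produces one finding (findme.php, where the marker string is present), requests readme.txt without flagging it because the expected string is missing, and never requests ignoreme.txt at all. Fed the resulting lines together with the browsing traffic, the detector flags only the scanning client, on both signals; the browsing client stays clear because three distinct paths with one missing favicon is normal traffic. The thresholds are illustrative and would be tuned against the baseline of the server being monitored.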