From chookroon_1986 at hotmail.com Fri Dec 5 08:52:30 2008
From: chookroon_1986 at hotmail.com (=?windows-874?B?udKnytLHyMPRs8LSILTT4LnUucXNwg==?=)
Date: Fri, 5 Dec 2008 15:52:30 +0700
Subject: [Nikto-discuss] update nikto
Message-ID:

My name is sojy. I am student. Now, I study with vulnerability server and
use Nikto.
I use putty in config server and I want update nikto in server. But I can't
make update nikto. I key command [---- nikto-2.02]#"perl nikto.pl-update"
but it show "Can't open perl script "nikto.pl-update":No such file or
directory". Why? Please tell me.

Thank you
Sojy

From csullo at gmail.com Fri Dec 5 15:07:21 2008
From: csullo at gmail.com (Sullo)
Date: Fri, 5 Dec 2008 10:07:21 -0500
Subject: [Nikto-discuss] update nikto
In-Reply-To:
References:
Message-ID:

You need a space after the "nikto.pl", so it should be:
perl nikto.pl -update

-Sullo

2008/12/5 ???????????? ????????? :
> My name is sojy. I am student. Now, I study with vulnerability server and use
> Nikto.
> I use putty in config server and I want update nikto in server. But I can't
> make update nikto. I key command [---- nikto-2.02]#"perl nikto.pl-update" but
> it show "Can't open perl script "nikto.pl-update":No such file or
> directory". Why? Please tell me.
> Thank you
> Sojy
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss

From dave at cirt.net Fri Dec 5 16:18:14 2008
From: dave at cirt.net (David Lodge)
Date: Fri, 05 Dec 2008 16:18:14 -0000
Subject: [Nikto-discuss] update nikto
In-Reply-To:
References:
Message-ID:

On Fri, 05 Dec 2008 15:07:21 -0000, Sullo wrote:
> You need a space after the "nikto.pl", so it should be:
> perl nikto.pl -update

Just another note; all nikto.pl does at the moment is update the
databases and plugins for that version (in your case nikto 2.02). It
won't upgrade nikto through a version.

To get the latest version of nikto (2.03) then you'll have to manually
download it from http://www.cirt.net/nikto/nikto-current.tar.gz

Thanks

dave

From lehmann at arcor-so.net Wed Dec 10 20:41:36 2008
From: lehmann at arcor-so.net (Alexander Lehmann)
Date: Wed, 10 Dec 2008 21:41:36 +0100
Subject: [Nikto-discuss] Classification of Apache version number
Message-ID: <49402980.7080601@arcor-so.net>

Hello,

I hope it is ok to report bugs or suggestions to the list, but I
didn't find any other contact email on the page.

When checking Apache version, "Apache/2" is considered outdated, since
it is below 2.2.9, however this is due to a config option that only
reports the major version of Apache, so it would probably be better to
report that checking the minor version is not possible.
bye, Alexander

From Samir_Gulhane at satyam.com Thu Dec 11 08:16:14 2008
From: Samir_Gulhane at satyam.com (Samir_Gulhane)
Date: Thu, 11 Dec 2008 13:46:14 +0530
Subject: [Nikto-discuss] Nitko Compatibility with Java Web based applications
Message-ID: <6BBC5818E13C5647A13F883DB3CA6043041118832F@hstmbx001.corp.satyam.ad>

Hi All,

Can anyone tell me whether Nikto Security tool can be used with Java Web
Based applications. Also if it is compatible what are the prerequisites
(Software Requirements) to run this tool?

Thanks,
Samir

From wkwang at cisco.com Thu Dec 11 19:39:29 2008
From: wkwang at cisco.com (Peter Wang (wkwang))
Date: Thu, 11 Dec 2008 14:39:29 -0500
Subject: [Nikto-discuss] False positive on Boa Web Server?
Message-ID: <8E296595B6471A4689555D5D725EBB2109E43B4A@xmb-rtp-20a.amer.cisco.com>

Hi,

Nikto 2.03 reported three vulnerabilities about Boa Web Server.

Boa/0.94.14rc21 appears to be outdated (current is at least 1.1.5)
Boa - http://www.boa.org/
Boa/0.94.14rc21 appears to be outdated (current is at least 1.2.2c)

But in boa web site and it listed 0.94.14rc21 is the Latest Development
Version. Also did a Google search and couldn't find any current version
such 1.1.5 or 1.2.2c as Nikto claimed.

Are you aware if newer version than 0.94.14rc21 out there? Or it's just
a false positive.
Thanks,
Peter

From sullo at cirt.net Fri Dec 12 13:20:25 2008
From: sullo at cirt.net (Sullo)
Date: Fri, 12 Dec 2008 08:20:25 -0500
Subject: [Nikto-discuss] Nitko Compatibility with Java Web based applications
In-Reply-To: <6BBC5818E13C5647A13F883DB3CA6043041118832F@hstmbx001.corp.satyam.ad>
References: <6BBC5818E13C5647A13F883DB3CA6043041118832F@hstmbx001.corp.satyam.ad>
Message-ID: <49426519.4050604@cirt.net>

Samir_Gulhane wrote:
> Hi All,
> Can anyone tell me whether Nikto Security tool can be used with
> Java Web Based applications. Also if it is compatible what are the
> prerequisites (Software Requirements) to run this tool?

Nikto can run against all types of web servers, as it is looking for
specific files and responses and not specific languages for web
applications. The basic requirement is perl, but more information can
be found in the documentation: http://cirt.net/nikto2-docs/

-Sullo

From sullo at cirt.net Fri Dec 12 13:54:26 2008
From: sullo at cirt.net (Sullo)
Date: Fri, 12 Dec 2008 08:54:26 -0500
Subject: [Nikto-discuss] False positive on Boa Web Server?
In-Reply-To: <8E296595B6471A4689555D5D725EBB2109E43B4A@xmb-rtp-20a.amer.cisco.com>
References: <8E296595B6471A4689555D5D725EBB2109E43B4A@xmb-rtp-20a.amer.cisco.com>
Message-ID: <49426D12.8060905@cirt.net>

Peter Wang (wkwang) wrote:
> Are you aware if newer version than 0.94.14rc21 out there? Or it's just
> a false positive.

This is likely because at some point a Nikto user reported a version
greater than that, and it was updated in the database. I've reverted it
back to the correct version and put a new db_outdated on the web site.
Run 'nikto.pl -update' to grab the latest copy.
Regards,
Sullo

From lehmann at arcor-so.net Sun Dec 14 02:39:46 2008
From: lehmann at arcor-so.net (Alexander Lehmann)
Date: Sun, 14 Dec 2008 03:39:46 +0100
Subject: [Nikto-discuss] Classification of lighttpd and a false positive
Message-ID: <494471F2.7030201@arcor-so.net>

Hello,

I ran nikto against a server running lighttpd, this way I noticed two
things that may be changed in the detection:

first, though 1.5.0 is available, the current production branch is 1.4,
so the current version is 1.4.20 right now. I think 1.5.0 is a
pre-release.

second, you get a false positive for ghttpd, since it matches li(ghttpd)

bye, Alexander

From dave at subverted.org Mon Dec 15 22:17:07 2008
From: dave at subverted.org (dave-san)
Date: Mon, 15 Dec 2008 15:17:07 -0700
Subject: [Nikto-discuss] Nikto output issues from svn
Message-ID: <4946D763.1070803@subverted.org>

Hello all,

I just fetched a local copy of Nikto through svn. I am getting an error.
A quick search of the code turned up no such function "write_output()".

$ svn up
At revision 88.
$ ./nikto.pl -h ./portal.target
Undefined subroutine &main::write_output called at ./nikto.pl line 124.

Any thoughts?

Thanks,
Dave

From dave at cirt.net Mon Dec 15 22:50:13 2008
From: dave at cirt.net (David Lodge)
Date: Mon, 15 Dec 2008 22:50:13 -0000
Subject: [Nikto-discuss] Nikto output issues from svn
In-Reply-To: <4946D763.1070803@subverted.org>
References: <4946D763.1070803@subverted.org>
Message-ID:

On Mon, 15 Dec 2008 22:17:07 -0000, dave-san wrote:
> I just fetched a local copy of Nikto through svn. I am getting an error.
> A quick search of the code turned up no such function
> "write_output()".

Darnit...

It looks like I got out of sync with my commits with trying to move
report writing to plugins. I've uploaded the latest version; though text
output is still a work in process...

Sorry, this be my fault...
dave

From dave at cirt.net Mon Dec 15 22:58:28 2008
From: dave at cirt.net (David Lodge)
Date: Mon, 15 Dec 2008 22:58:28 -0000
Subject: [Nikto-discuss] Classification of lighttpd and a false positive
In-Reply-To: <494471F2.7030201@arcor-so.net>
References: <494471F2.7030201@arcor-so.net>
Message-ID:

On Sun, 14 Dec 2008 02:39:46 -0000, Alexander Lehmann wrote:
> I ran nikto against a server running lighttpd, this way I noticed two
> things that may be changed in the detection:

Both of the below look like bugs:
* It looks like lighttpd isn't properly matching the different branches
* The matching for lighttpd is too close.

Do you want to raise these as bugs at
http://trac2.assembla.com/Nikto_2/newticket (you can do this
anonymously). Then I can work on them when I have some free time.

Thanks

dave

From dave at cirt.net Mon Dec 15 23:00:24 2008
From: dave at cirt.net (David Lodge)
Date: Mon, 15 Dec 2008 23:00:24 -0000
Subject: [Nikto-discuss] Classification of Apache version number
In-Reply-To: <49402980.7080601@arcor-so.net>
References: <49402980.7080601@arcor-so.net>
Message-ID:

On Wed, 10 Dec 2008 20:41:36 -0000, Alexander Lehmann wrote:
> I hope it is ok to report bugs or suggestions to the list, but I
> didn't find any other contact email on the page.

I'd prefer a bug report at: http://trac2.assembla.com/Nikto_2/newticket
as this email gets a lot of spam. (In my past I posted to full
disclosure from this address - woe is me!) This means I can track it
better.

> When checking Apache version, "Apache/2" is considered outdated, since
> it is below 2.2.9, however this is due to a config option that only
> reports the major version of Apache, so it would probably be better to
> report that checking the minor version is not possible.

Yep; looks like a bug to fix - where it doesn't cope with "cut-down"
version of the version strings. If you could raise a bug I'll deal with
it...
Thanks

dave

From dave at subverted.org Tue Dec 16 18:02:29 2008
From: dave at subverted.org (dave-san)
Date: Tue, 16 Dec 2008 11:02:29 -0700
Subject: [Nikto-discuss] Nikto output issues from svn
In-Reply-To:
References: <4946D763.1070803@subverted.org>
Message-ID: <4947ED35.8030205@subverted.org>

David Lodge wrote:
> On Mon, 15 Dec 2008 22:17:07 -0000, dave-san wrote:
>> I just fetched a local copy of Nikto through svn. I am getting an
>> error. A quick search of the code turned up no such function
>> "write_output()".
>
> Darnit...
>
> It looks like I got out of sync with my commits with trying to move
> report writing to plugins. I've uploaded the latest version; though text
> output is still a work in process...
>
> Sorry, this be my fault...
>
> dave
>

Ah, no problem. Thanks for the update,

Dave

From traef at ebasedsecurity.com Fri Dec 19 21:09:43 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Fri, 19 Dec 2008 15:09:43 -0600
Subject: [Nikto-discuss] Using DirBuster lists
Message-ID:

I was looking at including the list of directory names to check by
including the lists from OWASP's DirBuster project.

I'd like to hear reasons for and against doing such a thing.

Everyone? Anyone?

Thank you in advance for your consideration.

Thomas J. Raef
www.ebasedsecurity.com
www.wewatchyourwebsite.com
"We Watch Your Website because - you don't"

From jericho at attrition.org Fri Dec 19 21:12:44 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 19 Dec 2008 21:12:44 +0000 (UTC)
Subject: [Nikto-discuss] Using DirBuster lists
In-Reply-To:
References:
Message-ID:

: I was looking at including the list of directory names to check by
: including the lists from OWASP's DirBuster project.
:
: I'd like to hear reasons for and against doing such a thing.
for: thorough lists, can find some good directories

against: even their short list is pretty hefty, and generates a ton of
requests. the long list? takes way too long to run against a single
host.

From traef at ebasedsecurity.com Fri Dec 19 22:15:26 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Fri, 19 Dec 2008 16:15:26 -0600
Subject: [Nikto-discuss] Using DirBuster lists
Message-ID:

Next question, where would I put this list. I would probably parse it
down to reduce the number of requests, but where would I put such a
list?

Would config.txt allow me to specify a file to check?

Thank you for your guidance.

> -----Original Message-----
> From: security curmudgeon [mailto:jericho at attrition.org]
> Sent: Friday, December 19, 2008 3:13 PM
> To: Thomas Raef
> Cc: nikto-discuss at attrition.org
> Subject: Re: [Nikto-discuss] Using DirBuster lists
>
>
> : I was looking at including the list of directory names to check by
> : including the lists from OWASP's DirBuster project.
> :
> : I'd like to hear reasons for and against doing such a thing.
>
> for: thorough lists, can find some good directories
>
> against: even their short list is pretty hefty, and generates a ton of
> requests. the long list? takes way too long to run against a single
> host.

From csullo at gmail.com Sat Dec 20 00:02:24 2008
From: csullo at gmail.com (Sullo)
Date: Fri, 19 Dec 2008 19:02:24 -0500
Subject: [Nikto-discuss] Using DirBuster lists
In-Reply-To:
References:
Message-ID:

Check out the documentation, as it will give you some information on
how to set up a user-defined test database, and Nikto will
automatically load and use it when it is scanning.

http://cirt.net/nikto2-docs/ch07.html
Specifically, section 2.

-Sullo

On Fri, Dec 19, 2008 at 5:15 PM, Thomas Raef wrote:
> Next question, where would I put this list. I would probably parse it
> down to reduce the number of requests, but where would I put such a
> list?
>
> Would config.txt allow me to specify a file to check?
>
> Thank you for your guidance.
>
>> -----Original Message-----
>> From: security curmudgeon [mailto:jericho at attrition.org]
>> Sent: Friday, December 19, 2008 3:13 PM
>> To: Thomas Raef
>> Cc: nikto-discuss at attrition.org
>> Subject: Re: [Nikto-discuss] Using DirBuster lists
>>
>>
>> : I was looking at including the list of directory names to check by
>> : including the lists from OWASP's DirBuster project.
>> :
>> : I'd like to hear reasons for and against doing such a thing.
>>
>> for: thorough lists, can find some good directories
>>
>> against: even their short list is pretty hefty, and generates a ton of
>> requests. the long list? takes way too long to run against a single
>> host.
>

--
http://www.cirt.net | http://www.osvdb.org/

From traef at ebasedsecurity.com Sat Dec 20 11:59:37 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Sat, 20 Dec 2008 05:59:37 -0600
Subject: [Nikto-discuss] Using DirBuster lists
Message-ID:

What did your udb_tests file look like? How was it formatted to allow
the tests? Was it successful? Did it slow down the scan too much? How
was it implemented?

Thank you.

From: Jason Leyrer [mailto:jleyrer at gmail.com]
Sent: Friday, December 19, 2008 4:32 PM
To: Thomas Raef
Cc: security curmudgeon; nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] Using DirBuster lists

Thomas-

I've done something similar to this in the past, in which I generated a
udb_tests file from a list of directories I wanted to look for. I did
this so I could run multiple checks per directory, i.e. does it exist?,
is it indexable?, etc.

On Fri, Dec 19, 2008 at 4:15 PM, Thomas Raef wrote:

Next question, where would I put this list. I would probably parse it
down to reduce the number of requests, but where would I put such a
list?
Would config.txt allow me to specify a file to check?

Thank you for your guidance.

> -----Original Message-----
> From: security curmudgeon [mailto:jericho at attrition.org]
> Sent: Friday, December 19, 2008 3:13 PM
> To: Thomas Raef
> Cc: nikto-discuss at attrition.org
> Subject: Re: [Nikto-discuss] Using DirBuster lists
>
>
> : I was looking at including the list of directory names to check by
> : including the lists from OWASP's DirBuster project.
> :
> : I'd like to hear reasons for and against doing such a thing.
>
> for: thorough lists, can find some good directories
>
> against: even their short list is pretty hefty, and generates a ton of
> requests. the long list? takes way too long to run against a single
> host.

From traef at ebasedsecurity.com Sat Dec 20 12:05:01 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Sat, 20 Dec 2008 06:05:01 -0600
Subject: [Nikto-discuss] Using DirBuster lists
Message-ID:

Ok. Thank you.

I did read that but wasn't sure if there was some other method that the
list might find better.

I'll give it a try.

Thanks again.

> -----Original Message-----
> From: Sullo [mailto:csullo at gmail.com]
> Sent: Friday, December 19, 2008 6:02 PM
> To: Thomas Raef
> Cc: security curmudgeon; nikto-discuss at attrition.org
> Subject: Re: [Nikto-discuss] Using DirBuster lists
>
> Check out the documentation, as it will give you some information on
> how to set up a user-defined test database, and Nikto will
> automatically load and use it when it is scanning.
>
> http://cirt.net/nikto2-docs/ch07.html
> Specifically, section 2.
>
> -Sullo
>
> On Fri, Dec 19, 2008 at 5:15 PM, Thomas Raef wrote:
> > Next question, where would I put this list. I would probably parse it
> > down to reduce the number of requests, but where would I put such a
> > list?
> >
> > Would config.txt allow me to specify a file to check?
> >
> > Thank you for your guidance.
> >
> >> -----Original Message-----
> >> From: security curmudgeon [mailto:jericho at attrition.org]
> >> Sent: Friday, December 19, 2008 3:13 PM
> >> To: Thomas Raef
> >> Cc: nikto-discuss at attrition.org
> >> Subject: Re: [Nikto-discuss] Using DirBuster lists
> >>
> >>
> >> : I was looking at including the list of directory names to check by
> >> : including the lists from OWASP's DirBuster project.
> >> :
> >> : I'd like to hear reasons for and against doing such a thing.
> >>
> >> for: thorough lists, can find some good directories
> >>
> >> against: even their short list is pretty hefty, and generates a ton of
> >> requests. the long list? takes way too long to run against a single
> >> host.
> >
>
> --
>
> http://www.cirt.net | http://www.osvdb.org/

From dave at cirt.net Sat Dec 20 12:28:28 2008
From: dave at cirt.net (David Lodge)
Date: Sat, 20 Dec 2008 12:28:28 -0000
Subject: [Nikto-discuss] Using DirBuster lists
In-Reply-To:
References:
Message-ID:

On Sat, 20 Dec 2008 12:05:01 -0000, Thomas Raef wrote:
> I did read that but wasn't sure if there was some other method that the
> list might find better.
>
> I'll give it a try.

That method is for the current version (2.03). The next version to come
out (2.10) has a reworked plugin interface and it may be easier to do
this via a plugin, activated by a mutation.
I need to do some research on dirbuster, but leave this with me - I've
got some scheduled time 'til the end of the year to look at Nikto, so
I'll see what I can whip up.

Thanks

dave

From traef at ebasedsecurity.com Sat Dec 20 15:02:31 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Sat, 20 Dec 2008 09:02:31 -0600
Subject: [Nikto-discuss] Using DirBuster lists
Message-ID:

Let me know if you need some testing, resources, etc. I'd like to know
how effective this might be.

Thank you.

> -----Original Message-----
> From: David Lodge [mailto:dave at cirt.net]
> Sent: Saturday, December 20, 2008 6:28 AM
> To: Thomas Raef; Sullo
> Cc: nikto-discuss at attrition.org
> Subject: Re: [Nikto-discuss] Using DirBuster lists
>
> On Sat, 20 Dec 2008 12:05:01 -0000, Thomas Raef wrote:
> > I did read that but wasn't sure if there was some other method that the
> > list might find better.
> >
> > I'll give it a try.
>
> That method is for the current version (2.03). The next version to come
> out (2.10) has a reworked plugin interface and it may be easier to do
> this via a plugin, activated by a mutation.
>
> I need to do some research on dirbuster, but leave this with me - I've
> got some scheduled time 'til the end of the year to look at Nikto, so
> I'll see what I can whip up.
>
> Thanks
>
> dave

From jabra at spl0it.org Sat Dec 20 15:46:12 2008
From: jabra at spl0it.org (Jabra)
Date: Sat, 20 Dec 2008 10:46:12 -0500
Subject: [Nikto-discuss] Using DirBuster lists
In-Reply-To:
References:
Message-ID: <20081220154612.GA19222@navi.v2s.org>

Perhaps this may help with integration.

http://spl0it.org/files/pdirbuster.pl

--
Jabra < jabra at spl0it.org >
http://www.spl0it.org

From traef at ebasedsecurity.com Sat Dec 20 16:22:33 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Sat, 20 Dec 2008 10:22:33 -0600
Subject: [Nikto-discuss] Using DirBuster lists
Message-ID:

Nice as a stand alone tool. Very nice.
> -----Original Message-----
> From: Jabra [mailto:jabra at spl0it.org]
> Sent: Saturday, December 20, 2008 9:46 AM
> To: David Lodge
> Cc: Thomas Raef; Sullo; nikto-discuss at attrition.org
> Subject: Re: [Nikto-discuss] Using DirBuster lists
>
> Perhaps this may help with integration.
>
> http://spl0it.org/files/pdirbuster.pl
>
> --
> Jabra < jabra at spl0it.org >
> http://www.spl0it.org

From jabra at spl0it.org Sat Dec 20 16:42:03 2008
From: jabra at spl0it.org (Jabra)
Date: Sat, 20 Dec 2008 11:42:03 -0500
Subject: [Nikto-discuss] Using DirBuster lists
In-Reply-To:
References:
Message-ID: <20081220164203.GE19222@navi.v2s.org>

Yea, I think it is helpful to have it as both a separate tool as
well as integrated into Nikto.

Feel free to send me comments and/or suggestions. *Patches accepted*

Regards,
Jabra

--
Jabra < jabra at spl0it.org >
http://www.spl0it.org

From dave at cirt.net Sat Dec 20 17:27:10 2008
From: dave at cirt.net (David Lodge)
Date: Sat, 20 Dec 2008 17:27:10 -0000
Subject: [Nikto-discuss] Using DirBuster lists
In-Reply-To: <20081220164203.GE19222@navi.v2s.org>
References: <20081220164203.GE19222@navi.v2s.org>
Message-ID:

On Sat, 20 Dec 2008 16:42:03 -0000, Jabra wrote:
> Yea, I think it is helpful to have it as both a separate tool as
> well as integrated into Nikto.

Useful for occurrences when you want to run stand alone and then when
you want to throw the book at it!

My plan is to allow a dictionary to be provided to apache_user_enum and
a new plugin to pre-populate the mutate dirs list.

dave

From jleyrer at gmail.com Fri Dec 19 22:32:24 2008
From: jleyrer at gmail.com (Jason Leyrer)
Date: Fri, 19 Dec 2008 16:32:24 -0600
Subject: [Nikto-discuss] Using DirBuster lists
In-Reply-To:
References:
Message-ID:

Thomas-

I've done something similar to this in the past, in which I generated a
udb_tests file from a list of directories I wanted to look for. I did
this so I could run multiple checks per directory, i.e. does it exist?,
is it indexable?, etc.
On Fri, Dec 19, 2008 at 4:15 PM, Thomas Raef wrote:
> Next question, where would I put this list. I would probably parse it
> down to reduce the number of requests, but where would I put such a
> list?
>
> Would config.txt allow me to specify a file to check?
>
> Thank you for your guidance.
>
> > -----Original Message-----
> > From: security curmudgeon [mailto:jericho at attrition.org]
> > Sent: Friday, December 19, 2008 3:13 PM
> > To: Thomas Raef
> > Cc: nikto-discuss at attrition.org
> > Subject: Re: [Nikto-discuss] Using DirBuster lists
> >
> >
> > : I was looking at including the list of directory names to check by
> > : including the lists from OWASP's DirBuster project.
> > :
> > : I'd like to hear reasons for and against doing such a thing.
> >
> > for: thorough lists, can find some good directories
> >
> > against: even their short list is pretty hefty, and generates a ton of
> > requests. the long list? takes way too long to run against a single
> > host.
>

From traef at ebasedsecurity.com Sat Dec 20 21:40:37 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Sat, 20 Dec 2008 15:40:37 -0600
Subject: [Nikto-discuss] Using DirBuster lists
Message-ID:

That would be great. Any specific strategy you'd use to implement that?
We could offer some programming assistance to further the cause, if
you'd like.
> -----Original Message-----
> From: David Lodge [mailto:dave at cirt.net]
> Sent: Saturday, December 20, 2008 11:27 AM
> To: Jabra; Thomas Raef
> Cc: Sullo; nikto-discuss at attrition.org
> Subject: Re: [Nikto-discuss] Using DirBuster lists
>
> On Sat, 20 Dec 2008 16:42:03 -0000, Jabra wrote:
> > Yea, I think it is helpful to have it as both a separate tool as
> > well as integrated into Nikto.
>
> Useful for occurrences when you want to run stand alone and then when
> you want to throw the book at it!
>
> My plan is to allow a dictionary to be provided to apache_user_enum and
> a new plugin to pre-populate the mutate dirs list.
>
> dave

From andres.riancho at gmail.com Sat Dec 20 23:24:16 2008
From: andres.riancho at gmail.com (Andres Riancho)
Date: Sat, 20 Dec 2008 21:24:16 -0200
Subject: [Nikto-discuss] Using DirBuster lists
In-Reply-To:
References:
Message-ID:

Thomas,

On Fri, Dec 19, 2008 at 7:09 PM, Thomas Raef wrote:
> I was looking at including the list of directory names to check by including
> the lists from OWASP's DirBuster project.
>
> I'd like to hear reasons for and against doing such a thing.
>
> Everyone? Anyone?
>
> Thank you in advance for your consideration.
>

Implementing this is technically easy, but you guys have to think
about licensing also. The DirBuster lists have a Creative Commons
Attribution-Share Alike 3.0 License [0] which may or may not be
compatible with the GPLv2 license of nikto.

[0] http://creativecommons.org/licenses/by-sa/3.0/

>
> Thomas J. Raef
>
> www.ebasedsecurity.com
>
> www.wewatchyourwebsite.com
>
> "We Watch Your Website because - you don't"
>

--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework

From traef at ebasedsecurity.com Sun Dec 21 02:25:20 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Sat, 20 Dec 2008 20:25:20 -0600
Subject: [Nikto-discuss] Using DirBuster lists
Message-ID:

Good point. Thank you.

> -----Original Message-----
> From: Andres Riancho [mailto:andres.riancho at gmail.com]
> Sent: Saturday, December 20, 2008 5:24 PM
> To: Thomas Raef
> Cc: nikto-discuss at attrition.org
> Subject: Re: [Nikto-discuss] Using DirBuster lists
>
> Thomas,
>
> On Fri, Dec 19, 2008 at 7:09 PM, Thomas Raef wrote:
> > I was looking at including the list of directory names to check by including
> > the lists from OWASP's DirBuster project.
> >
> > I'd like to hear reasons for and against doing such a thing.
> >
> > Everyone? Anyone?
> >
> > Thank you in advance for your consideration.
> >
>
> Implementing this is technically easy, but you guys have to think
> about licensing also. The DirBuster lists have a Creative Commons
> Attribution-Share Alike 3.0 License [0] which may or may not be
> compatible with the GPLv2 license of nikto.
>
> [0] http://creativecommons.org/licenses/by-sa/3.0/
>
> >
> > Thomas J. Raef
> >
> > www.ebasedsecurity.com
> >
> > www.wewatchyourwebsite.com
> >
> > "We Watch Your Website because - you don't"
> >
>
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework

From dave at cirt.net Sun Dec 21 16:02:30 2008
From: dave at cirt.net (David Lodge)
Date: Sun, 21 Dec 2008 16:02:30 -0000
Subject: [Nikto-discuss] Using DirBuster lists
In-Reply-To:
References:
Message-ID:

On Sat, 20 Dec 2008 23:24:16 -0000, Andres Riancho wrote:
> Implementing this is technically easy, but you guys have to think
> about licensing also. The DirBuster lists have a Creative Commons
> Attribution-Share Alike 3.0 License [0] which may or may not be
> compatible with the GPLv2 license of nikto.

Which is why I'm planning to just add support for dictionary list in the
DirBuster format to nikto. I'm not going to distribute a 25Mb file with
nikto :-)

dave
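
Added example, not part of any message in this archive and not Nikto's code: the two banner-classification reports above ("Apache/2" flagged as outdated, and "ghttpd" matching inside "lighttpd") reproduced with a constructed naive checker, next to a version that anchors the product name and reports a truncated version string as indeterminate. The function names and the `LATEST` table are assumptions made for this sketch; the ghttpd entry is a placeholder value.

```python
import re

# "Latest known" table for the demo. The Apache, lighttpd and Boa values are the
# ones quoted in the thread; the ghttpd value is a placeholder, not a real release.
LATEST = {
    "apache": "2.2.9",
    "lighttpd": "1.4.20",
    "boa": "0.94.14rc21",
    "ghttpd": "99.0",  # placeholder
}

# Product name anchored at the start of the banner, optional "/version" token.
BANNER = re.compile(r"^([A-Za-z][\w-]*)(?:/(\S+))?")


def numeric_parts(version):
    """Leading integer of each dotted component: '0.94.14rc21' -> (0, 94, 14)."""
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def naive_check(banner):
    """Constructed stand-in for unanchored matching with zero-padded comparison."""
    findings = []
    lowered = banner.lower()
    for product, latest in LATEST.items():
        if product in lowered:  # substring test: 'ghttpd' is inside 'lighttpd'
            m = re.search(r"/(\S+)", banner)
            have = numeric_parts(m.group(1)) if m else ()
            want = numeric_parts(latest)
            padded = have + (0,) * (len(want) - len(have))  # 'Apache/2' -> 2.0.0
            verdict = "outdated" if padded < want else "current"
            findings.append((product, verdict))
    return findings


def classify(banner):
    """Return (product, verdict); verdict is one of
    'current', 'outdated', 'indeterminate', 'unknown'."""
    m = BANNER.match(banner.strip())
    if not m:
        return (None, "unknown")
    product, version = m.group(1).lower(), m.group(2)
    if product not in LATEST:
        return (product, "unknown")
    if version is None:
        return (product, "indeterminate")
    have, want = numeric_parts(version), numeric_parts(LATEST[product])
    if len(have) < len(want):
        # Truncated banner: decide only when the reported prefix already differs.
        prefix = want[:len(have)]
        if have < prefix:
            return (product, "outdated")
        if have > prefix:
            return (product, "current")
        return (product, "indeterminate")
    # Pre-release suffixes such as 'rc21' are ignored in this comparison.
    return (product, "current" if have >= want else "outdated")


if __name__ == "__main__":
    for sample in ("Apache/2", "lighttpd/1.4.20", "Boa/0.94.14rc21"):
        print(sample, naive_check(sample), classify(sample))
```
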