From michael.wiegand at intevation.de Wed Jun 18 09:21:58 2008
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Wed, 18 Jun 2008 11:21:58 +0200
Subject: [Nikto-discuss] Nikto Integration in OpenVAS
Message-ID: <200806181121.58872.michael.wiegand@intevation.de>

Hello,

I'm working on improving the Nikto integration with OpenVAS (http://www.openvas.org/), the still-GPL fork of Nessus.

I've made some improvements to nikto.nasl, the plugin for Nikto integration we inherited from Nessus. It is now compatible with Nikto 2 (but will still work with older versions) and has improved error handling in case nikto.pl can't be found or the target does not return 404 on requests for non-existent pages.

I've removed support for the -allcgi and -gener options as they seem to be no longer present in Nikto 2. I haven't used Nikto in great detail (yet!), so I'm not sure for which options it would make sense to integrate them into nikto.nasl; they would then show up and be controllable in the plugin options section in OpenVAS-Client. I'd really appreciate your feedback on this topic.

If you have any other ideas or comments on how support for Nikto in OpenVAS could be improved, please let me know. Nikto is a great tool and I'd really love to enhance support for it in OpenVAS.

If you are interested in helping with plugin development or developing OpenVAS in general, please feel free to subscribe to our mailing lists; openvas-plugins, openvas-devel and openvas-discuss are probably the ones you would be most interested in.

If you want to take a look at the current SVN version of nikto.nasl, you can do so at http://www.openvas.org/?oid=1.3.6.1.4.1.25623.1.0.14260 .

Regards,

Michael

--
Michael Wiegand
OpenPGP key: D7D049EC
Intevation GmbH, Osnabrück
http://www.intevation.de/
Amtsgericht Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner

From dave at cirt.net Thu Jun 19 18:19:27 2008
From: dave at cirt.net (David Lodge)
Date: Thu, 19 Jun 2008 14:19:27 -0400
Subject: [Nikto-discuss] Nikto 2.03 goals
Message-ID: <20080619141927.pzu8y1imo8skc4g0@webmail.cirt.net>

Just a quick email to mention that I've categorised all outstanding work on Assembla into milestones for the next version.

My aim for 2.03 is to concentrate on bug fixes, updates to plugins and reworks on reporting and how nikto decides what to scan. I'd like to make a release of nikto 2.03 quite early (as it'll be the first release without Sullo), so I'm aiming for end of July. (This is partially selfish as I'm now a full time pen tester, so will need nikto up to speed.)

If there are bugs/enhancements missed out, could you submit a ticket to Assembla? If you feel you can fix one of the current bugs, please take ownership and assign it to yourself.

Thanks

dave

From csullo at gmail.com Thu Jun 19 18:53:58 2008
From: csullo at gmail.com (Sullo)
Date: Thu, 19 Jun 2008 14:53:58 -0400
Subject: [Nikto-discuss] Officially Introducing: Dave
Message-ID:

Dave's email kicked me into gear... as I just posted on the web site:

"I'm happy to announce that Nikto has a new lead developer! He goes by the name "Dave" but I think his parents actually named him "deity." Whatever you decide to call him, please welcome him to the club and make sure he knows the secret handshake.

He's been hard at work over at Assembla fixing my broken code and adding new features, and is steadily progressing towards a 2.03 release (targeted for end of July). If you can't wait for the release, you can always check out the source from here."

Additionally, Jabra (who wrote all the cool XML output) has been fixing other bugs in the reports code, and has something secret up his sleeve...

It's been quiet on the list, but Nikto is still alive--if you have the time to help these guys out, please head over to the dev arena and make something happen!
-Sullo

From jabra at spl0it.org Fri Jun 20 04:11:41 2008
From: jabra at spl0it.org (Jabra)
Date: Fri, 20 Jun 2008 00:11:41 -0400
Subject: [Nikto-discuss] Nikto 2.03 goals
In-Reply-To: <20080619141927.pzu8y1imo8skc4g0@webmail.cirt.net>
References: <20080619141927.pzu8y1imo8skc4g0@webmail.cirt.net>
Message-ID: <20080620041141.GA19130@navi.v2s.org>

On 19.Jun.2008 02:19PM -0400, David Lodge wrote:
> Just a quick email to mention that I've categorised all outstanding
> work on Assembla into milestones for the next version.
>
> My aim for 2.03 is to concentrate on bug fixes, updates to plugins and
> reworks on reporting and how nikto decides what to scan. I'd like to
> make a release of nikto 2.03 quite early (as it'll be the first
> release without Sullo), so I'm aiming for end of July. (This is
> partially selfish as I'm now a full time pen tester, so will need
> nikto up to speed.)
>
> If there are bugs/enhancements missed out, could you submit a ticket
> to Assembla? If you feel you can fix one of the current bugs, please
> take ownership and assign it to yourself.

Dave, great work with all the updates to the tickets!

As for the 2.03 release, I'm excited to see how things progress in the future.

Also, I wanted to mention that tonight Backtrack 3 has been released. I'm a member of the development team and I made sure Nikto 2 was included.
http://www.remote-exploit.org/backtrack_download.html

Regards,
Jabra

--
Jabra <jabra at spl0it.org>
http://www.spl0it.org

From curtislamasters at gmail.com Sat Jun 21 02:39:33 2008
From: curtislamasters at gmail.com (Curtis LaMasters)
Date: Fri, 20 Jun 2008 21:39:33 -0500
Subject: [Nikto-discuss] SQL Injection with Nikto
Message-ID: <6b13ab0f0806201939w51906f11g74b4802fa315fc8@mail.gmail.com>

I've been trying to figure out how to scan a website for the ability to SQL inject (it's a website that I run yes...). Unfortunately I have not been able to get a desirable result. I was hoping you all could point me in the right direction.

Thanks

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

From sullo at cirt.net Sat Jun 21 03:59:35 2008
From: sullo at cirt.net (Sullo)
Date: Fri, 20 Jun 2008 23:59:35 -0400
Subject: [Nikto-discuss] SQL Injection with Nikto
In-Reply-To: <6b13ab0f0806201939w51906f11g74b4802fa315fc8@mail.gmail.com>
References: <6b13ab0f0806201939w51906f11g74b4802fa315fc8@mail.gmail.com>
Message-ID: <485C7CA7.2030104@cirt.net>

Curtis LaMasters wrote:
> I've been trying to figure out how to scan a website for the ability
> to SQL inject (it's a website that I run yes...). Unfortunately I have
> not been able to get a desirable result. I was hoping you all could
> point me in the right direction.

Check out Paros and WebScarab--you may have luck with them. Nikto isn't built to crawl a site and look for something like unknown/undisclosed SQLi in applications, but both of them are (and are also free).
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
http://www.parosproxy.org/index.shtml

Regards
Sullo

From jabra at spl0it.org Sat Jun 21 05:14:35 2008
From: jabra at spl0it.org (Jabra)
Date: Sat, 21 Jun 2008 01:14:35 -0400
Subject: [Nikto-discuss] SQL Injection with Nikto
In-Reply-To: <485C7CA7.2030104@cirt.net>
References: <6b13ab0f0806201939w51906f11g74b4802fa315fc8@mail.gmail.com> <485C7CA7.2030104@cirt.net>
Message-ID: <20080621051435.GA22688@navi.v2s.org>

On 20.Jun.2008 11:59PM -0400, Sullo wrote:
> Curtis LaMasters wrote:
> > I've been trying to figure out how to scan a website for the ability
> > to SQL inject (it's a website that I run yes...). Unfortunately I have
> > not been able to get a desirable result. I was hoping you all could
> > point me in the right direction.
>
> Check out Paros and WebScarab--you may have luck with them. Nikto isn't
> built to crawl a site and look for something like unknown/undisclosed
> SQLi in applications, but both of them are (and are also free).
>
> http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
> http://www.parosproxy.org/index.shtml

Curtis,

There are two additional tools that I can recommend.

One is burpsuite.
http://portswigger.net/suite/

Another web based proxy that does really awesome stuff. Check the web app security book for more details.
http://www.amazon.com/gp/product/0470170778?ie=UTF8&tag=portswinet-20&link_code=as3&camp=211189&creative=373489&creativeASIN=0470170778

The second is sqlninja.
http://sqlninja.sourceforge.net/

All of these tools are included in Backtrack 3 which is a security LiveCd that allows you to boot a cdrom containing a Linux system along with all the security tools you need.
http://remote-exploit.org/backtrack.html

Regards,
Jabra

>
> Regards
> Sullo

--
Jabra <jabra at spl0it.org>
http://www.spl0it.org

From jabra at spl0it.org Wed Jun 25 04:15:29 2008
From: jabra at spl0it.org (Jabra)
Date: Wed, 25 Jun 2008 00:15:29 -0400
Subject: [Nikto-discuss] XML Review
Message-ID: <20080625041529.GA23116@navi.v2s.org>

Since Nikto has XML support, I would like to have a bunch of people review it to see if there is anything that can be improved. Ideally, the XML would contain all the data that Nikto can provide and perhaps even more. XML is only useful if it contains all the data we want it to have.

Let's get the party started. (The ball is in your court)

Please send in your comments, questions and suggestions.

Regards,
Jabra

--
Jabra <jabra at spl0it.org>
http://www.spl0it.org