[Nikto-discuss] Recent changes in trunk

David Lodge dave at cirt.net
Sat Aug 1 11:37:59 UTC 2009


To fix the reporting bug I created earlier that was found by Jabra, I've
made some massive changes to the way Nikto handles targets and reporting;
a quick synopsis is below:
* Nikto will now work out and assign "marks" (the variable target had  
already been used :-) before it starts scanning
* Nikto will call reporter plugins for each item found
* Nikto will no longer use nmap to portscan ports

How you will see this when running nikto is that the inputs to -host and
-port have been changed. You used to be able to supply:
nikto.pl -host <file>
nikto.pl -host <url>
nikto.pl -host "hostname1 hostname2" -port 80-81

This now looks like:
nikto.pl -host hostname1,file,url -port port1,port2

Where the host list can be any number of hosts, urls or files containing  
hosts or urls. If ports are supplied they are applied to all hosts/urls  
which don't already have ports.

For example if we have the files host1.txt containing:
http://fred/
jim:8081

And host2.txt containing:
http://shelia:89/

Then we can do:
nikto.pl -host host1.txt,host2.txt,arabella -port 80,443

This will set the marks as:
http://fred:80
https://fred:443
http://jim:8081
http://shelia:89
http://arabella:80
https://arabella:443

I ended up removing nmap from the code, as this was only used in certain
cases to do a prelude to a test that Nikto would do anyway. This removes
some functionality that would allow Nikto to do a portscan. In my opinion,  
Nikto shouldn't be doing portscans, nmap (or your favourite portscanner)  
can do a much better job than Nikto can do and I'd rather take a feed from  
nmap, rather than have Nikto spawn nmap, so instead of doing:
nikto.pl -host 192.168.0.0/24 -port 80,443,8000-9000

We should do:
nmap -p80,443,8000-9000 192.168.0.0/24 -oG - | nikto.pl -host -

Nikto can already do the second. Should Nikto do the first? I certainly  
don't use it like this, but is this how other people use it?

Finally, reporting is now done on the fly, so items are written to the
report as they're found. This means that you can now CTRL+C in the middle  
of a scan and not lose your results (this is a big positive for me).  
Though, it will not write host and file closing statements on HTML or XML  
types.

Comments/opinions?

dave
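As an added example, not Nikto's own code: a small Python reimplementation of the mark expansion described in the post above, using an in-memory stand-in for host1.txt and host2.txt (constructed) and assuming, where the post does not say, that port 443 selects https and that a host given with no port at all falls back to 80.

```python
from urllib.parse import urlsplit

# Constructed stand-in for files on disk, mirroring the post's host1.txt / host2.txt.
HOST_FILES = {
    "host1.txt": "http://fred/\njim:8081\n",
    "host2.txt": "http://shelia:89/\n",
}

def parse_ports(port_args, default=(80,)):
    """'80,443,8000-8002' -> [80, 443, 8000, 8001, 8002]; empty -> default (assumed 80)."""
    if not port_args:
        return list(default)
    ports = []
    for item in port_args.split(","):
        lo, _, hi = item.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_entry(entry):
    """Return (scheme or None, host, port or None) for a host, host:port or URL."""
    if "://" in entry:
        u = urlsplit(entry)
        return u.scheme, u.hostname, u.port
    host, _, port = entry.partition(":")
    return None, host, int(port) if port else None

def expand_marks(host_args, port_args="", files=HOST_FILES):
    """Turn '-host a,b,c' plus '-port p1,p2' into the list of marks Nikto would scan."""
    entries = []
    for item in host_args.split(","):
        if item in files:  # a file: one host or URL per line
            entries.extend(l.strip() for l in files[item].splitlines() if l.strip())
        else:
            entries.append(item)
    ports = parse_ports(port_args)
    marks = []
    for entry in entries:
        scheme, host, port = parse_entry(entry)
        if port is not None:  # entry already carries a port: keep it, ignore -port
            marks.append(f"{scheme or 'http'}://{host}:{port}")
            continue
        for p in ports:  # otherwise apply every supplied port to this host
            # Assumption: 443 implies https; any other port keeps the entry's scheme or http.
            marks.append(f"{'https' if p == 443 else (scheme or 'http')}://{host}:{p}")
    return marks

if __name__ == "__main__":
    for mark in expand_marks("host1.txt,host2.txt,arabella", "80,443"):
        print(mark)
```

Run as-is it reproduces the six marks listed in the post for the host1.txt,host2.txt,arabella example.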

