From magnuspublic at mac.com Sat Dec 5 23:18:41 2009
From: magnuspublic at mac.com (Magnus)
Date: Sun, 06 Dec 2009 00:18:41 +0100
Subject: [Nikto-discuss] Problem updating 2.10 of 2.1.0
Message-ID: <07DCB1D9-5A8C-48B4-932B-2285F27AC472@mac.com>

Using BackTrack4 I have trouble updating:

/pentest/scanners/nikto/nikto.pl -update
+ ERROR (404): Unable to get www.cirt.net/nikto/UPDATES/2.10/versions.txt

(I do have a web connection.)

When I look at the URL www.cirt.net/nikto/UPDATES/2.10/versions.txt I notice that it is misspelled. It should be www.cirt.net/nikto/UPDATES/2.1.0/versions.txt, so just 2.1.0 instead of 2.10. I cannot find a way to edit the update URL.

I tried disabling DNS to force nikto to use the IP for updates (I corrected the IP in /pentest/scanners/nikto/nikto.conf). I get the same error:

+ ERROR (404): Unable to get 174.142.17.165/nikto/UPDATES/2.10/versions.txt

Also the misspelled URL: 2.10/versions.txt

Then I tried updating manually by downloading from www.cirt.net/nikto/UPDATES/2.1.0/ and placing it in the /pentest/scanners/nikto/plugins folder. Now nikto won't start a scan anymore.

PLEASE HELP

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/nikto-discuss/attachments/20091205/a6be19e7/attachment.html

From csullo at gmail.com Sun Dec 6 04:24:09 2009
From: csullo at gmail.com (Sullo)
Date: Sat, 5 Dec 2009 23:24:09 -0500
Subject: [Nikto-discuss] Problem updating 2.10 of 2.1.0
In-Reply-To: <07DCB1D9-5A8C-48B4-932B-2285F27AC472@mac.com>
References: <07DCB1D9-5A8C-48B4-932B-2285F27AC472@mac.com>

I can't duplicate this with the 2.1.0 version that is on cirt.net. I'd recommend downloading a new version--all the update URLs/paths/versions seem to be accurate.
-Sullo

On Sat, Dec 5, 2009 at 6:18 PM, Magnus wrote:
> Using BackTrack4 I have trouble updating:
> /pentest/scanners/nikto/nikto.pl -update
> + ERROR (404): Unable to get www.cirt.net/nikto/UPDATES/2.10/versions.txt
> (i do have a web connection)
> When I look at the URL: www.cirt.net/nikto/UPDATES/2.10/versions.txt I
> notice that it is misspelled.
> It should be www.cirt.net/nikto/UPDATES/2.1.0/versions.txt
> So just 2.1.0 instead of the 2.10. I cannot find a way to edit the update
> URL.
> I tried disabling DNS to force nikto to use the IP for updates (I corrected the
> IP in /pentest/scanners/nikto/nikto.conf)
> I get the same error:
> + ERROR (404): Unable to get 174.142.17.165/nikto/UPDATES/2.10/versions.txt
> Also the misspelled URL: 2.10/versions.txt
>> Then I tried updating manually by downloading
>> from www.cirt.net/nikto/UPDATES/2.1.0/ and placing it in
>> the /pentest/scanners/nikto/plugins folder.
> Now nikto won't start a scan anymore.
> PLEASE HELP
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss
>

--
http://www.cirt.net | http://www.osvdb.org/

From resident.deity at gmail.com Wed Dec 9 12:43:42 2009
From: resident.deity at gmail.com (david lodge)
Date: Wed, 9 Dec 2009 12:43:42 +0000
Subject: [Nikto-discuss] Problem updating 2.10 of 2.1.0
In-Reply-To: <07DCB1D9-5A8C-48B4-932B-2285F27AC472@mac.com>
References: <07DCB1D9-5A8C-48B4-932B-2285F27AC472@mac.com>

2009/12/5 Magnus :
> Using BackTrack4 I have trouble updating:
> /pentest/scanners/nikto/nikto.pl -update
> + ERROR (404): Unable to get www.cirt.net/nikto/UPDATES/2.10/versions.txt
> (i do have a web connection)
> When I look at the URL: www.cirt.net/nikto/UPDATES/2.10/versions.txt I
> notice that it is misspelled.
> It should be www.cirt.net/nikto/UPDATES/2.1.0/versions.txt
> So just 2.1.0 instead of the 2.10. I cannot find a way to edit the update
> URL.
It does look like BT4 used the pre-release (2.10) version of Nikto. As the naming scheme changed during development (from 2.10 to 2.1.0), the BT version will try and collect from the wrong path.

Two ways of working around this:
1. Get 2.1.0 from http://www.cirt.net/Nikto and use that - there will be bug fixes etc.: 2.10 was a bit of a mess before I cleaned it up prior to release.
2. Edit line 51 in nikto.pl:
   $NIKTO{version} = "2.10";

As Sullo said earlier, I'd really strongly advise that you grab 2.1.0 instead of hacking the version you currently have installed.

From magnusoron at me.com Thu Dec 10 07:31:48 2009
From: magnusoron at me.com (Magnus Trouw)
Date: Thu, 10 Dec 2009 08:31:48 +0100
Subject: [Nikto-discuss] Problem updating 2.10 of 2.1.0
References: <07DCB1D9-5A8C-48B4-932B-2285F27AC472@mac.com>
Message-ID: <76F751D2-5440-4E72-AE1F-23F5E965E869@me.com>

Thanks! That explains a lot. Gonna try and replace the bt4 nikto.

Magnus

On 9 Dec 2009 at 13:43, david lodge wrote:

> 2009/12/5 Magnus :
>> Using BackTrack4 I have trouble updating:
>> /pentest/scanners/nikto/nikto.pl -update
>> + ERROR (404): Unable to get www.cirt.net/nikto/UPDATES/2.10/versions.txt
>> (i do have a web connection)
>> When I look at the URL: www.cirt.net/nikto/UPDATES/2.10/
>> versions.txt I
>> notice that it is misspelled.
>> It should be www.cirt.net/nikto/UPDATES/2.1.0/versions.txt
>> So just 2.1.0 instead of the 2.10. I cannot find a way to edit the
>> update
>> URL.
>
> It does look like BT4 used the pre-release (2.10) version of Nikto. As
> the naming scheme changed during development (from 2.10 to 2.1.0) then
> the BT version will try and collect from the wrong path.
>
> Two ways of working around this:
> 1. Get 2.1.0 from http://www.cirt.net/Nikto and use that - there will
> be bug fixes etc.: 2.10 was a bit of a mess before I cleaned it up
> prior to release.
> 2. Edit line 51 in nikto.pl:
> $NIKTO{version} = "2.10";
>
> As Sullo said earlier, I'd really strongly advise that you grab 2.1.0
> instead of hacking the version you currently have installed.

From zakiakhmad at gmail.com Fri Dec 11 10:47:39 2009
From: zakiakhmad at gmail.com (Zaki Akhmad)
Date: Fri, 11 Dec 2009 17:47:39 +0700
Subject: [Nikto-discuss] Help on Nikto Result

Hello,

I have this nikto result and I need help with what it means:

+ Default account found for 'Members Only' at /webadmin/ (ID 'operator', PW '$schwarzepumpe'). Intershop
+ ERROR: Unable to authenticate to "Members Only"
+ ERROR: Unable to authenticate to "Members Only"

What is $schwarzepumpe? Is it an encrypted password?
Then what is Intershop?

--
Zaki Akhmad

From csullo at gmail.com Fri Dec 11 14:39:22 2009
From: csullo at gmail.com (Sullo)
Date: Fri, 11 Dec 2009 09:39:22 -0500
Subject: [Nikto-discuss] Help on Nikto Result

That is actually the password it is (or thinks it is) authenticating with, so:
ID: operator
Pass: $schwarzepumpe

On Fri, Dec 11, 2009 at 5:47 AM, Zaki Akhmad wrote:
> Hello,
>
> I have this nikto result and I need help with what it means:
>
> + Default account found for 'Members Only' at /webadmin/ (ID
> 'operator', PW '$schwarzepumpe'). Intershop
> + ERROR: Unable to authenticate to "Members Only"
> + ERROR: Unable to authenticate to "Members Only"
>
> What is $schwarzepumpe? Is it an encrypted password?
> Then what is Intershop?
>
> --
> Zaki Akhmad

--
http://www.cirt.net | http://www.osvdb.org/

From zakiakhmad at gmail.com Fri Dec 11 15:25:15 2009
From: zakiakhmad at gmail.com (Zaki Akhmad)
Date: Fri, 11 Dec 2009 15:25:15 +0000
Subject: [Nikto-discuss] Help on Nikto Result

On Fri, Dec 11, 2009 at 2:39 PM, Sullo wrote:
> That is actually the password it is (or thinks it is) authenticating with, so:
> ID: operator
> Pass: $schwarzepumpe

So it's not an encrypted or encoded password? But when I try it with that userid and password, I can't get through the authentication.

BTW, what's the intershop?

--
Zaki Akhmad

From csullo at gmail.com Sat Dec 12 14:27:10 2009
From: csullo at gmail.com (Sullo)
Date: Sat, 12 Dec 2009 09:27:10 -0500
Subject: [Nikto-discuss] Help on Nikto Result

On Fri, Dec 11, 2009 at 10:25 AM, Zaki Akhmad wrote:
> So it's not an encrypted or encoded password? But when I try it with that
> userid and password, I can't get through the authentication.

It may be a false positive, then, though I couldn't say why without looking at the HTTP response.

> BTW, what's the intershop?

Not sure, but I think it's a shopping cart program. I'm sure Google knows ;)

-Sullo

--
http://www.cirt.net | http://www.osvdb.org/

From zakiakhmad at gmail.com Tue Dec 15 10:05:02 2009
From: zakiakhmad at gmail.com (Zaki Akhmad)
Date: Tue, 15 Dec 2009 17:05:02 +0700
Subject: [Nikto-discuss] Help on Nikto Result

On Sat, Dec 12, 2009 at 9:27 PM, Sullo wrote:
> It may be a false positive, then, though I couldn't say why without
> looking at the HTTP response.

Is this what you mean by the HTTP response?
$ echo "GET /webadmin/*" | nc tralalaxxx.com 80

--
Zaki Akhmad

PS: I decoded the URL for privacy reasons.

From resident.deity at gmail.com Tue Dec 15 11:04:01 2009
From: resident.deity at gmail.com (david lodge)
Date: Tue, 15 Dec 2009 11:04:01 +0000
Subject: [Nikto-discuss] Help on Nikto Result

>> It may be a false positive, then, though I couldn't say why without
>> looking at the HTTP response.
>
> Is this what you mean by the HTTP response?
>
> $ echo "GET /webadmin/*" | nc tralalaxxx.com 80
>

Yep; definitely a false positive; this is a problem with web servers that do redirection: you'll always end up with shed loads of false positives on many tools.

The way nikto does authentication testing is: if it gets a response with a www-authenticate header, it then tries all passwords and userids it knows of for the realm until it gets a response without a www-authenticate header. So in this case *any* response will not return a www-authenticate header.

What I don't get about this case is that the authentication string that comes back is the 90th one checked.

I'll really need to see the output of a "-d D" flag to debug this properly. Unfortunately "-d D" produces a lot of output, so I normally advise writing it to a file and then redacting down to the important bits. You could also try requesting the page through "nikto -Single" and sending me the (redacted) output of that.
Note that your above HTTP request isn't quite well formed; it should be something like:

echo "GET http://www.tralalaxxx.com/webadmin/ HTTP/1.1" | nc 80

dave

From zakiakhmad at gmail.com Tue Dec 15 11:45:55 2009
From: zakiakhmad at gmail.com (Zaki Akhmad)
Date: Tue, 15 Dec 2009 18:45:55 +0700
Subject: [Nikto-discuss] Help on Nikto Result

On Tue, Dec 15, 2009 at 6:04 PM, david lodge wrote:
>
> Note that your above HTTP request isn't quite well formed; it should
> be something like:
> echo "GET http://www.tralalaxxx.com/webadmin/ HTTP/1.1" | nc 80

I get this message after I execute that command:

no port[s] to connect to

BTW, thanks a lot for the explanation.

--
Zaki Akhmad

From resident.deity at gmail.com Tue Dec 15 12:28:03 2009
From: resident.deity at gmail.com (david lodge)
Date: Tue, 15 Dec 2009 12:28:03 +0000
Subject: [Nikto-discuss] Help on Nikto Result

2009/12/15 Zaki Akhmad :
> On Tue, Dec 15, 2009 at 6:04 PM, david lodge wrote:
>>
>> Note that your above HTTP request isn't quite well formed; it should
>> be something like:
>> echo "GET http://www.tralalaxxx.com/webadmin/ HTTP/1.1" | nc 80
>
> I get this message after I execute that command:
> no port[s] to connect to

I missed out the hostname on the nc command; it should be:

echo "GET http://www.tralalaxxx.com/webadmin/ HTTP/1.1" | nc www.tralalaxxx.com 80

I've just found a bug in nikto, and maybe one in libwhisker, in a totally unrelated situation, that may also account for this false positive. At the moment the authentication code just looks to see whether it gets a response without the authenticate header. But if there's an error reading from the server (usually caused by buggy servers, embedded devices or over-zealous IPSs) then nikto will see this as being a successful authentication. In my case this was due to a buggy web server getting the content-length wrong for 404 messages.
Also, the password you get is the 3rd in the list, maybe being caused by the web server causing delays for excessive authentication requests.

I'll open a bug for this, but it would still help if I could get a trace of the connection.

dave

From tim.waters at lbvd.nl Tue Dec 15 14:59:00 2009
From: tim.waters at lbvd.nl (Tim Waters)
Date: Tue, 15 Dec 2009 15:59:00 +0100
Subject: [Nikto-discuss] nikto using 1.5Gb memory
Message-ID: <4B27A434.4050401@lbvd.nl>

Hi list,

Today my Nikto hung up on me by using 1.5 GB of memory. I had a tweet about it and Chris asked me to put it on the list.
So here it is :)

This is what I did.

1. I had not used nikto in a while, so decided to update it first with nikto --update like this:

./nikto.pl -update
+ Retrieving 'db_outdated'
+ www.cirt.net message: Please submit your bugs!!

2. I ran a scan with a few options like this:

./nikto.pl -Cgidirs all -host -mutate ../../../../Desktop/scan/03.nikto-.txt
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Using Mutation:     Test all files with all root directories
+ Using Mutation:     Guess for password file names
+ Using Mutation:     Enumerate user names via Apache (/~user type requests)
+ Using Mutation:     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
+ Start Time:         2009-12-16 10:03:17
---------------------------------------------------------------------------
+ Server: Apache
^Cbash: [8182: 1] tcsetattr: Interrupted system call

In the last line you can see I had to interrupt it because it slowed my system down too much.

Other scans with fewer options (setting -Cgidirs to none, setting -mutate to 2 or 3, or losing -mutate altogether) did not end up with nikto using as much memory.
More info:

Nikto Versions
---------------------------------------------------------------------------
File                               Version      Last Mod
-----------------------------      --------     ----------
Nikto main                         2.03
LibWhisker                         2.4
db_404_strings                     2.000
db_favicon                         2.003
db_outdated                        2.008
db_realms                          2.000
db_server_msgs                     2.002
db_tests                           2.004        #LASTMOD:Mon Jan 26 11:34:05 2009
db_variables                       2.000
nikto_apache_expect_xss.plugin     2.00
nikto_apacheusers.plugin           2.02
nikto_cgi.plugin                   2.02
nikto_core.plugin                  2.04
nikto_favicon.plugin               2.04
nikto_headers.plugin               2.03
nikto_httpoptions.plugin           2.03
nikto_msgs.plugin                  2.02
nikto_mutate.plugin                2.03
nikto_outdated.plugin              2.04
nikto_passfiles.plugin             2.00
nikto_plugin_order.txt             2.00
nikto_put_del_test.plugin          2.01
nikto_reports.plugin               2.02
nikto_robots.plugin                2.01
nikto_single.plugin                2.00
nikto_user_enum_apache.plugin      2.01
nikto_user_enum_cgiwrap.plugin     2.02

Regards,

Tim

From csullo at gmail.com Tue Dec 15 15:19:25 2009
From: csullo at gmail.com (Sullo)
Date: Tue, 15 Dec 2009 10:19:25 -0500
Subject: [Nikto-discuss] nikto using 1.5Gb memory
In-Reply-To: <4B27A434.4050401@lbvd.nl>
References: <4B27A434.4050401@lbvd.nl>

Thanks for posting Tim, appreciate it.

It's the hated/loved -mutate options. Ok, so this is both bug and not bug. Tests are indeed queued in memory when the scan is set up, since we don't have a real database to use for temporary storage. During a "normal" scan, this isn't much of a problem because the memory utilization is fairly low.

However, when you start using the mutation techniques, the number of queued requests gets seriously large--hence the memory problems.

I can think of a few ways to once and for all solve this mutate memory issue:
- get rid of mutate
- use temporary storage
- use a 'real' database (I know Dave talked about this a while back)
- make multiple iterations through the scan database (store smaller portions in memory)

That's all I can think of, from least to most "interesting" ways to solve it.
The multiple iterations thing probably would require some hacks to the core which doesn't sound too good, though...

Anyone?

-Sullo

On Tue, Dec 15, 2009 at 9:59 AM, Tim Waters wrote:
> Hi list,
>
> Today my Nikto hung up on me by using 1.5 GB of memory. I had a tweet about
> it and Chris asked me to put it on the list.
> So here it is :)
> [...]

--
http://www.cirt.net | http://www.osvdb.org/

From ryandewhurst at gmail.com Tue Dec 15 15:35:39 2009
From: ryandewhurst at gmail.com (Ryan Dewhurst)
Date: Tue, 15 Dec 2009 15:35:39 +0000
Subject: [Nikto-discuss] nikto using 1.5Gb memory
References: <4B27A434.4050401@lbvd.nl>

I think sqlite might be a good option here:
http://search.cpan.org/~msergeant/DBD-SQLite-0.31/lib/DBD/SQLite.pm

Would mean the user having to install a dependency though.

2009/12/15 Sullo :
> Thanks for posting Tim, appreciate it.
>
> It's the hated/loved -mutate options. Ok, so this is both bug and not
> bug. Tests are indeed queued in memory when the scan is set up, since
> we don't have a real database to use for temporary storage. During a
> "normal" scan, this isn't much of a problem because the memory
> utilization is fairly low.
>
> However, when you start using the mutation techniques, the number of
> queued requests gets seriously large--hence the memory problems.
>
> I can think of a few ways to once and for all solve this mutate memory issue:
> - get rid of mutate
> - use temporary storage
> - use a 'real' database (I know Dave talked about this a while back)
> - make multiple iterations through the scan database (store smaller
> portions in memory)
>
> That's all I can think of, from least to most "interesting" ways to
> solve it. The multiple iterations thing probably would require some
> hacks to the core which doesn't sound too good, though...
>
> Anyone?
>
> -Sullo
>
> On Tue, Dec 15, 2009 at 9:59 AM, Tim Waters wrote:
>> Hi list,
>>
>> Today my Nikto hung up on me by using 1.5 GB of memory. I had a tweet about
>> it and Chris asked me to put it on the list.
>> So here it is :)
>> [...]
>
> --
> http://www.cirt.net | http://www.osvdb.org/

--
Ryan Dewhurst
http://www.ethicalhack3r.co.uk
http://www.dvwa.co.uk
http://www.twitter.com/ethicalhack3r

From csullo at gmail.com Tue Dec 15 16:11:07 2009
From: csullo at gmail.com (Sullo)
Date: Tue, 15 Dec 2009 11:11:07 -0500
Subject: [Nikto-discuss] nikto using 1.5Gb memory
References: <4B27A434.4050401@lbvd.nl>

On Tue, Dec 15, 2009 at 10:35 AM, Ryan Dewhurst wrote:
> I think sqlite might be a good option here:
> http://search.cpan.org/~msergeant/DBD-SQLite-0.31/lib/DBD/SQLite.pm
>
> Would mean the user having to install a dependency though.

That's the only reason I've really avoided using sqlite or something like that--not wanting the dependency. But maybe as the number of tests and complexity grows it's something that can't be avoided?

I wonder if there's a pure perl database/format that we could use to avoid a dependency--anyone know?

From csullo at gmail.com Tue Dec 15 20:26:18 2009
From: csullo at gmail.com (Sullo)
Date: Tue, 15 Dec 2009 15:26:18 -0500
Subject: [Nikto-discuss] nikto using 1.5Gb memory
References: <4B27A434.4050401@lbvd.nl>

On Tue, Dec 15, 2009 at 12:31 PM, david lodge wrote:
> This has been complained about a few times - mutate option 1 is the
> evil one. Without significantly changing the way this works, the only
> real mitigation I could do was to put a note in the docs about it
> (http://cirt.net/nikto2-docs/usage.html#id2788815).

I'm sure we can do better! :-)

> In terms of databases, we have the current Nikto format, which is
> basically CSV files that are read into memory when used. This has
> coped well for many years, but is creaking a bit at the sides
> (especially around double quotes and reg exp characters). I did raise
> the question about dblite a year or so ago and it was decided against
> it as it would require DBD and sqlite.

I have a lot of heartburn about this, but maybe it's unavoidable?

Just poking around I found these two things I didn't know about, neither of which helps this problem but are interesting nonetheless:

http://dev.mysql.com/tech-resources/articles/csv-storage-engine.html
http://www.flat-file.net/

The first is just odd/interesting--I had no idea. The latter may help solve some of the error checking issues we have if we stick with flat files, but I didn't find a magic bullet that would let us use CSV as relational databases in a pure perl solution. Oh well. I'd consider XML but the filesize gets huge rather quickly.

> We may be able to rewrite the mutate 1 option so that it dynamically
> makes new tests as it goes, but this will require some thinking.

That's what I was thinking as well...would solve this problem w/o resorting to relying on installed software.

> It's
> definitely something to think about for the next version. Though with
> the plugin interface it looks like we may deprecate the mutations
> in favour of known plugins (once I work out a sensible way to do it).
>

Interesting idea!

--
http://www.cirt.net | http://www.osvdb.org/

From andres.riancho at gmail.com Wed Dec 16 12:39:03 2009
From: andres.riancho at gmail.com (Andres Riancho)
Date: Wed, 16 Dec 2009 09:39:03 -0300
Subject: [Nikto-discuss] nikto using 1.5Gb memory
References: <4B27A434.4050401@lbvd.nl>

Sullo,

Please read inline,

On Tue, Dec 15, 2009 at 12:19 PM, Sullo wrote:
> Thanks for posting Tim, appreciate it.
>
> It's the hated/loved -mutate options.
> Ok, so this is both bug and not
> bug. Tests are indeed queued in memory when the scan is set up, since
> we don't have a real database to use for temporary storage. During a
> "normal" scan, this isn't much of a problem because the memory
> utilization is fairly low.
>
> However, when you start using the mutation techniques, the number of
> queued requests gets seriously large--hence the memory problems.
>
> I can think of a few ways to once and for all solve this mutate memory issue:
> - get rid of mutate

That's not an option, people use it =)

> - use temporary storage
> - use a 'real' database (I know Dave talked about this a while back)

As you say in another email, this means adding a dependency, not always an option.

> - make multiple iterations through the scan database (store smaller
> portions in memory)

I think that this is one of the best.

> That's all I can think of, from least to most "interesting" ways to
> solve it. The multiple iterations thing probably would require some
> hacks to the core which doesn't sound too good, though...
>
> Anyone?

I think that another way to solve it is the following:

- Create a Queue object with a size limit. The queue should block when somebody tries to add a new item and the size limit is hit. The Queue object should have ~1000 in size.
- Create a thread that iterates through the mutate tests, and adds the tests to the Queue. At any given time, you'll have at most 1000 tests in memory, solving the memory usage issue.
- Create another thread, that will read from the Queue and send the requests to the web server. If this thread reads from the Queue and there are no objects, then the scan is over. The only problem that could be found is that there are still tests to perform, but for some reason they were not added to the Queue before the test thread reads from it, but this can be easily solved by doing some double-check.

This is one of the best ways of solving this issue (no extra dependencies, no disk usage, no ad-hoc database), which I found some time ago while developing w3af.

Regards,

> -Sullo
>
> On Tue, Dec 15, 2009 at 9:59 AM, Tim Waters wrote:
>> Hi list,
>>
>> Today my Nikto hung up on me by using 1.5 GB of memory. I had a tweet about
>> it and Chris asked me to put it on the list.
>> So here it is :)
>> [...]
>
> --
> http://www.cirt.net | http://www.osvdb.org/

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

From csullo at gmail.com Thu Dec 17 02:50:09 2009
From: csullo at gmail.com (Sullo)
Date: Wed, 16 Dec 2009 21:50:09 -0500
Subject: [Nikto-discuss] nikto using 1.5Gb memory
References: <4B27A434.4050401@lbvd.nl>

On Wed, Dec 16, 2009 at 7:39 AM, Andres Riancho wrote:
>> I can think of a few ways to once and for all solve this mutate memory issue:
>> - get rid of mutate
>
> That's not an option, people use it =)

good to know--I *never* do :-)

> - Create a Queue object with a size limit. [snip]
> - Create a thread that iterates through the mutate tests, and adds the
> tests to the Queue. [snip]
> - Create another thread, that will read from the Queue and send the
> requests to the web server. [snip]

Someone pointed out to me that DBM::Deep may solve some problems. Like File::Tie it can write to/from a flat file database, but unlike the File::Tie module it accesses the data in hash structures. The data would be saved to disk and could be accessed in an each() loop without loading it into memory, and because it's already hashed up it wouldn't take any (much) post-load processing.

My thought is, though, if we head down this road it might make sense to make a lot of under-the-hood changes to have multiple threads spooling tests out, and a configurable number of threads taking them out and running them.

Anyone previously jumped far enough into the dozens of thread modules to make a recommendation?
-Sullo

From michel.arboi at gmail.com Wed Dec 23 18:57:12 2009
From: michel.arboi at gmail.com (Michel Arboi)
Date: Wed, 23 Dec 2009 19:57:12 +0100
Subject: [Nikto-discuss] nikto using 1.5Gb memory
References: <4B27A434.4050401@lbvd.nl>

On Tue, Dec 15, 2009 at 5:11 PM, Sullo wrote:
> I wonder if there's a pure perl database/format that we could use to
> avoid a dependency--anyone know?

DB_File is the standard interface to BerkeleyDB. I think it comes with 99.99% of Perl installations.

DBM::Deep is pure Perl.
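Added example for the "Help on Nikto Result" thread above (david lodge's messages of Dec 15, 11:04 and 12:28). This is not Nikto's code and not written by anyone on the list: it reproduces, in Python, the realm check as he describes it (probe, then call the first reply that lacks WWW-Authenticate a success) next to a stricter version, and runs both against constructed in-memory servers that behave like the two false-positive modes he names, a redirecting front end and an unreadable reply. The function names, the Response type, the server factories and the credential list are assumptions for illustration; only the 'Members Only' realm and the 'operator' / '$schwarzepumpe' pair come from the thread.

```python
# Added example (not Nikto's code): the default-credential check as described in
# the thread, next to a stricter version, run against constructed in-memory
# servers that reproduce the two false-positive modes named there.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Creds = Tuple[str, str]


@dataclass
class Response:
    # status None models "an error reading from the server" (truncated body,
    # reset connection, IPS drop): no parsable status line or headers at all.
    status: Optional[int]
    headers: Dict[str, str] = field(default_factory=dict)

    def has_challenge(self) -> bool:
        return any(k.lower() == "www-authenticate" for k in self.headers)


Sender = Callable[[Optional[Creds]], Response]

# Constructed credential list; the Intershop pair is the one from the thread.
DEFAULT_CREDS: List[Creds] = [
    ("admin", "admin"),
    ("operator", "$schwarzepumpe"),
    ("guest", "guest"),
]
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Members Only"'}


def naive_check(send: Sender, creds: List[Creds]) -> Optional[Creds]:
    """The logic as described: if the bare probe carries WWW-Authenticate, try
    each pair and call the first reply *without* that header a success.
    A 302 or an unreadable reply has no such header either, so both count."""
    if not send(None).has_challenge():
        return None
    for pair in creds:
        if not send(pair).has_challenge():
            return pair
    return None


def strict_check(send: Sender, creds: List[Creds]) -> Optional[Creds]:
    """Only a 2xx without a challenge is a login. 401 is a rejection; a 3xx
    means the realm is not what guards this path; a read error is
    inconclusive. The last two end the test with no finding."""
    probe = send(None)
    if probe.status != 401 or not probe.has_challenge():
        return None
    for pair in creds:
        reply = send(pair)
        if reply.status is None or 300 <= reply.status < 400:
            return None
        if 200 <= reply.status < 300 and not reply.has_challenge():
            return pair
    return None


# --- constructed servers ----------------------------------------------------

def basic_auth_server(valid: Creds) -> Sender:
    """Honest Basic auth: 401 + challenge until the right pair arrives."""
    return lambda creds: Response(200) if creds == valid else Response(401, dict(CHALLENGE))


def redirecting_server() -> Sender:
    """Challenges the bare probe but bounces any request that carries
    Authorization to a login page (the redirector case from the thread)."""
    return lambda creds: (Response(401, dict(CHALLENGE)) if creds is None
                          else Response(302, {"Location": "/login"}))


def flaky_server(fail_on_request: int) -> Sender:
    """Rejects every pair, but the Nth request of the session comes back
    unreadable (e.g. a wrong Content-Length on the error page)."""
    seen = {"n": 0}

    def send(creds: Optional[Creds]) -> Response:
        seen["n"] += 1
        if seen["n"] == fail_on_request:
            return Response(None)
        return Response(401, dict(CHALLENGE))
    return send


def compare(make_server: Callable[[], Sender]) -> Tuple[Optional[Creds], Optional[Creds]]:
    """Run both checks against fresh instances of the same server."""
    return (naive_check(make_server(), DEFAULT_CREDS),
            strict_check(make_server(), DEFAULT_CREDS))


if __name__ == "__main__":
    cases = {
        "real basic auth": lambda: basic_auth_server(("operator", "$schwarzepumpe")),
        "redirector": redirecting_server,
        "unreadable 4th reply": lambda: flaky_server(4),
    }
    for name, factory in cases.items():
        naive, strict = compare(factory)
        print(f"{name:22s} naive={naive}  strict={strict}")
```

Against the honest server both checks agree on the Intershop pair. Against the redirector the naive check reports the very first pair tried, and against the server whose fourth reply is unreadable it reports the third pair in the list (probe plus two rejections come first), which is the pattern david lodge remarks on; the strict check reports nothing in either case, and that is the behaviour a "-d D" trace lets you confirm on a real target.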
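Added example for the "nikto using 1.5Gb memory" thread above: the bounded producer/consumer queue Andres Riancho proposes (Dec 16), with the configurable worker count Sullo raises (Dec 17), written in Python. This is not code from Nikto or w3af and not by anyone on the list. FILES, ROOTS, EXISTING, fake_send and the function names are constructed for illustration; the one-sentinel-per-worker shutdown is a standard alternative to the "double-check" Andres mentions, not something the thread specifies.

```python
# Added example (not Nikto's or w3af's code): the bounded producer/consumer
# queue proposed in the thread for mutate-1 style tests, with a sentinel per
# worker in place of the "queue empty means done" double-check.
import queue
import threading
from typing import Callable, Iterable, Iterator, List

# Constructed stand-ins for db_tests paths and the root directories mutate 1
# combines them with: 40 x 50 = 2000 requests, never all in memory at once.
FILES = [f"/file{i}.cgi" for i in range(40)]
ROOTS = [f"/dir{i}" for i in range(50)]
# Constructed: the two paths the fake server "has".
EXISTING = {"/dir3/file7.cgi", "/dir49/file0.cgi"}

_DONE = object()  # sentinel: one per worker tells it the producer is finished


def mutate_all_roots(files: Iterable[str], roots: Iterable[str]) -> Iterator[str]:
    """Every test file under every root, generated lazily; materialising this
    as one list up front is what eats the memory."""
    for root in roots:
        for f in files:
            yield root + f


def fake_send(path: str) -> int:
    """Stand-in for the HTTP request: 200 for known paths, 404 otherwise."""
    return 200 if path in EXISTING else 404


def run_bounded(tests: Iterable[str], maxsize: int = 1000, workers: int = 1,
                send: Callable[[str], int] = fake_send) -> dict:
    """Producer fills a size-limited queue (put() blocks when full); workers
    drain it; each worker exits on its own sentinel, so an empty queue while
    the producer is still generating is never mistaken for the end of the scan."""
    q: "queue.Queue[object]" = queue.Queue(maxsize=maxsize)
    lock = threading.Lock()
    found: List[str] = []
    stats = {"processed": 0, "peak_queued": 0}

    def producer() -> None:
        for t in tests:
            q.put(t)  # blocks here once maxsize tests are waiting
            stats["peak_queued"] = max(stats["peak_queued"], q.qsize())
        for _ in range(workers):
            q.put(_DONE)

    def consumer() -> None:
        while True:
            item = q.get()
            if item is _DONE:
                return
            status = send(item)
            with lock:
                stats["processed"] += 1
                if status == 200:
                    found.append(item)

    threads = [threading.Thread(target=producer)]
    threads += [threading.Thread(target=consumer) for _ in range(workers)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return {"found": sorted(found), **stats}


if __name__ == "__main__":
    result = run_bounded(mutate_all_roots(FILES, ROOTS), maxsize=100, workers=4)
    print(result)
```

The queue never holds more than maxsize mutated paths, so memory is bounded by that number rather than by the product of test files and root directories; in a scanner, send would be the HTTP request (LibWhisker in Nikto's case) and the generator would read the test database row by row.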