[Nikto-discuss] Help on Nikto Result

david lodge resident.deity at gmail.com
Tue Dec 15 11:04:01 UTC 2009


>> It may be a false positive, then, though I couldn't say why without
>> looking at the HTTP response.
>
> Is this what you mean by the HTTP response?
>
> $ echo "GET /webadmin/*" | nc tralalaxxx.com 80
> <meta http-equiv="refresh" content="0;url=http://www.tralalaxxx.com/" />

Yep; definitely a false positive; this is a problem with web servers
that use <meta http-equiv> to do redirection: you'll always end up
with shed loads of false positives on many tools.

The way nikto does authentication testing is, if it gets a response
with a www-authenticate header, it then tries all passwords and
userids it knows of for the realm until it gets a response without a
www-authenticate header.

So in this case *any* response will not return a www-authenticate
header. What I don't get about this case is that the authentication
string that comes back is the 90th one checked.

I'll really need to see the output of a "-d D" flag to debug this
properly. Unfortunately "-d D" produces a lot of output, so I normally
advise writing it to a file and then redacting down to the important
bits. You could also try requesting the page through "nikto -Single"
and sending me the (redacted) output of that.

Note that your above HTTP request isn't quite well formed; it should
be something like:
echo "GET http://www.tralalaxxx.com/webadmin/ HTTP/1.1" | nc www.tralalaxxx.com 80

dave
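
Added example, not part of the original message and not Nikto's code: the success test described above (no www-authenticate header in the response) next to a stricter triage check for reviewing a reported credential hit. The sample responses, the realm name and all function names are constructed for illustration.

```python
import re
from email.parser import Parser

META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I)

# Constructed sample responses (not captured traffic).
CHALLENGE = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="webadmin"\r\n\r\n'
META = ('HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
        '<meta http-equiv="refresh" content="0;url=http://www.tralalaxxx.com/" />')
ADMIN = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Admin console</h1>'


def parse_response(raw):
    """Split a raw HTTP response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    # email.parser gives case-insensitive header lookup.
    headers = Parser().parsestr(header_block, headersonly=True)
    return status, headers, body


def naive_success(raw):
    """Check as described in the post: no WWW-Authenticate means success."""
    _, headers, _ = parse_response(raw)
    return "WWW-Authenticate" not in headers


def triage(raw):
    """Stricter reading of the same response when reviewing a finding."""
    status, headers, body = parse_response(raw)
    if status == 401 or "WWW-Authenticate" in headers:
        return "still challenged"
    if 300 <= status < 400 or META_REFRESH.search(body):
        return "redirect, not evidence of a valid login"
    if 200 <= status < 300:
        return "plausible, confirm by hand"
    return "inconclusive (status %d)" % status


if __name__ == "__main__":
    for name, raw in (("challenge", CHALLENGE), ("meta", META), ("admin", ADMIN)):
        print(name, naive_success(raw), triage(raw))
```

The meta-refresh page passes the naive test but is classified as a redirect by the stricter one, which is the false positive discussed in this thread.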

