From applekid at dirtysouf.net Thu Dec 6 10:25:33 2012
From: applekid at dirtysouf.net (applekid)
Date: Thu, 6 Dec 2012 11:25:33 -0500
Subject: [Nikto-discuss] Undefined subroutine &main::get_ips

Hello, I got an additional problem after doing the svn update. Perhaps I did it from the wrong directory?

    root at deckard:/pentest/web/nikto# svn up
    C plugins/db_headers
    C plugins/db_parked_strings
    D plugins/db_multiple_index
    C plugins/db_favicon
    D plugins/db_embedded
    D plugins/db_content_search
    D plugins/db_server_msgs
    C plugins/db_tests
    D plugins/db_variables
    C plugins/db_outdated
    D plugins/nikto_single.plugin
    D plugins/db_404_strings
    D plugins/db_realms
    D plugins/db_httpoptions
    C plugins/db_subdomains
    U plugins/nikto_report_text.plugin
    U plugins/nikto_paths.plugin
    G plugins/nikto_multiple_index.plugin
    G plugins/nikto_favicon.plugin
    U plugins/nikto_report_xml.plugin
    U plugins/nikto_report_nbe.plugin
    U plugins/nikto_report_html.plugin
    A plugins/JSON-PP.pm
    G plugins/nikto_auth.plugin
    U plugins/nikto_siebel.plugin
    U plugins/LW2.pm
    U plugins/nikto_report_msf.plugin
    svn: Failed to add file 'plugins/nikto_clientaccesspolicy.plugin': an unversioned file of the same name already exists

When I attempt to run nikto:

    root at deckard:/pentest/web/nikto# ./nikto.pl -h host.com -output host-nikto.txt
    Can't locate /pentest/web/nikto/plugins/nikto_single.plugin in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at ./nikto.pl line 87.

Can't seem to get a stat on this one even after looking at the affected bit of code. Any suggestions on what I may want to try?

Cheers,
jw
_______________________________________________
Nikto-discuss mailing list
Nikto-discuss at attrition.org
https://attrition.org/mailman/listinfo/nikto-discuss

From csullo at gmail.com Thu Dec 6 10:54:49 2012
From: csullo at gmail.com (Sullo)
Date: Thu, 6 Dec 2012 11:54:49 -0500
Subject: [Nikto-discuss] Undefined subroutine &main::get_ips

Your entire install is borked! I'd say start from scratch if you can: move all the files out to a temp location (just in case) and do an svn up, and it should recreate everything you need. Right now it looks like some files are still out of whack.

--
http://www.cirt.net | http://richsec.com/

From zoltan1.balazs at gmail.com Sun Dec 9 05:30:39 2012
From: zoltan1.balazs at gmail.com (Balázs Zoltán)
Date: Sun, 9 Dec 2012 12:30:39 +0100
Subject: [Nikto-discuss] Nikto 2.1.5 bug

Hi all,

I have found a bug in nikto while scanning SSL sites. For the test I set up a burp proxy locally so I can see all the traffic. The bug is in the GET resource, where the vhost is included in the request, so every request to an SSL site is a bad request.

Nikto command:

    perl nikto.pl -config nikto.conf -host cirt.net -vhost cirt.net --useproxy

Request generated (valid request):

    GET / HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.00
    Host: cirt.net

Nikto command:

    perl nikto.pl -config nikto.conf -host cirt.net -port 443 -ssl -vhost cirt.net --useproxy

Invalid request generated:

    GET https://cirt.net:443/ HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.00
    Host: cirt.net:443

Regards
Zoltan

From csullo at gmail.com Sun Dec 9 22:02:50 2012
From: csullo at gmail.com (Sullo)
Date: Sun, 9 Dec 2012 23:02:50 -0500
Subject: [Nikto-discuss] Nikto 2.1.5 bug

I don't see anything in the http book suggesting that this is an invalid request. In testing, I see expected responses from requests which have the host in both the host header and the URL.

Am I missing something?
If you're seeing responses from the server indicating an invalid request, have you tried more than one server and confirmed nothing in the burp proxy is changing the request?

Thanks
Sullo

--
http://www.cirt.net | http://richsec.com/

From zoltan1.balazs at gmail.com Tue Dec 11 03:21:14 2012
From: zoltan1.balazs at gmail.com (Balázs Zoltán)
Date: Tue, 11 Dec 2012 10:21:14 +0100
Subject: [Nikto-discuss] Nikto 2.1.5 bug

Hi,

Thank you for the fast response. You are right, HTTP 1.1 servers must accept absolute URLs. The problem was that the server was not following this directive from the protocol. Unfortunately, I can't tell more details about the server.

Excuse me for the false alarm :)

Zoltan

From zakiakhmad at gmail.com Tue Dec 11 21:53:30 2012
From: zakiakhmad at gmail.com (Zaki Akhmad)
Date: Wed, 12 Dec 2012 10:53:30 +0700
Subject: [Nikto-discuss] Nikto 2.1.5 Idle

Hello,

I am using nikto 2.1.5 to do web application scanning. Nikto detected a WAF, then it became idle.
Nothing happened. Where can I find more detailed information about this?

Here's the nikto result:

    + Server: Microsoft-IIS/7.5
    + Retrieved x-powered-by header: ASP.NET
    + Server leaks inodes via ETags, header found with file /, fields: 0xf649529557d4cd1:0
    + The anti-clickjacking X-Frame-Options header is not present.
    + Cookie lkLQMSULhV created without the httponly flag
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Retrieved x-aspnet-version header: 2.0.50727
    + Uncommon header 'x-snapsis-pageblaster' found, with contents: v:3.4.5;c:-;x:+;r:+
    + OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://172.16.1.100/images/".
    + Server banner has changed from 'Microsoft-IIS/7.5' to 'Microsoft-HTTPAPI/2.0' which may suggest a WAF, load balancer or proxy is in place
    + Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
    + Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
    + /examples/servlet/AUX: Apache Tomcat versions below 4.1 may be vulnerable to DoS by repeatedly requesting this file.

--
Zaki Akhmad

From csullo at gmail.com Tue Dec 11 22:06:50 2012
From: csullo at gmail.com (Sullo)
Date: Tue, 11 Dec 2012 23:06:50 -0500
Subject: [Nikto-discuss] Nikto 2.1.5 Idle

It is likely not idle, but just moving fairly slowly for whatever reason. If you press the space bar while running it will print out a current status after 10 requests. There are some other interactive features as well.

http://cirt.net/nikto2-docs/usage.html#id2741122

--
http://www.cirt.net | http://richsec.com/

From zakiakhmad at gmail.com Wed Dec 12 00:02:55 2012
From: zakiakhmad at gmail.com (Zaki Akhmad)
Date: Wed, 12 Dec 2012 13:02:55 +0700
Subject: [Nikto-discuss] Nikto 2.1.5 Idle

Is nikto running very slowly because of the WAF's presence? How does nikto handle a WAF? Is it possible for nikto to bypass a WAF?
--
Zaki Akhmad

From csullo at gmail.com Wed Dec 12 08:23:50 2012
From: csullo at gmail.com (Sullo)
Date: Wed, 12 Dec 2012 09:23:50 -0500
Subject: [Nikto-discuss] Nikto 2.1.5 Idle

Nikto does not change anything if a WAF is detected (and even then, it may not really be a WAF; up to you to try and validate that!). There are some evasion techniques included; see the docs for more information. However, these methods have been well documented and used for a while, so it's likely they won't work too well against a decent WAF.

--
http://www.cirt.net | http://richsec.com/
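The point Sullo and Zoltán settle in the "Nikto 2.1.5 bug" thread above (an HTTP/1.1 server must accept an absolute-form request-target, so "GET https://cirt.net:443/" with "Host: cirt.net:443" is a valid request and a server that rejects it is the one at fault), worked through in Python as an added example that is not part of the thread and not Nikto's code. It reproduces the two requests Zoltán posted as constants, rebuilds them, and resolves them the way a conforming server would (RFC 7230 section 5.5: for an absolute-form target the URI's authority is used and the Host header is ignored). The probe_absolute_form function is the check Sullo suggests, sending both forms straight to a server with no proxy in between so that a 400 on the second form can be pinned on the server rather than on Nikto or Burp; it needs network access. All function and constant names are this example's own.

```python
"""Origin-form vs absolute-form request targets in HTTP/1.1 (RFC 7230 section 5.3).
Added example, not Nikto code; the two sample requests are the ones posted in the thread."""
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# The two requests from the thread, reproduced byte for byte.
ORIGIN_FORM = (b"GET / HTTP/1.1\r\nConnection: Keep-Alive\r\n"
               b"User-Agent: Mozilla/5.00\r\nHost: cirt.net\r\n\r\n")
ABSOLUTE_FORM = (b"GET https://cirt.net:443/ HTTP/1.1\r\nConnection: Keep-Alive\r\n"
                 b"User-Agent: Mozilla/5.00\r\nHost: cirt.net:443\r\n\r\n")


def build_request(host, port, path="/", use_ssl=False, absolute=False):
    """Build a GET the way the thread shows Nikto building it. absolute=True
    produces the absolute-form target a client sends to a forward proxy;
    otherwise the origin-form target. Both are legal HTTP/1.1 at a server."""
    scheme = "https" if use_ssl else "http"
    if absolute:
        target, host_header = f"{scheme}://{host}:{port}{path}", f"{host}:{port}"
    else:
        target = path
        host_header = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    lines = [f"GET {target} HTTP/1.1", "Connection: Keep-Alive",
             "User-Agent: Mozilla/5.00", f"Host: {host_header}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def effective_target(raw, tls=False):
    """Server-side resolution of which (scheme, host, port, path) a request names.
    RFC 7230 section 5.5: with an absolute-form target the URI's authority is
    authoritative and Host is ignored; with origin-form the Host header supplies
    the authority. `tls` tells origin-form parsing which scheme the connection
    is on, because the request line itself does not say."""
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    if version != "HTTP/1.1":
        raise ValueError(f"unsupported version {version!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header; a server answers 400")
    if target.startswith("/"):
        form, scheme, authority, path = "origin", "https" if tls else "http", headers["host"], target
    elif "://" in target:
        parts = urlsplit(target)
        form, scheme, authority = "absolute", parts.scheme, parts.netloc
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    else:
        raise ValueError(f"unsupported request-target {target!r}")
    host, _, port = authority.partition(":")
    return {"form": form, "method": method, "scheme": scheme, "host": host,
            "port": int(port) if port else DEFAULT_PORTS[scheme], "path": path}


def probe_absolute_form(host, port=443, use_ssl=True, timeout=10):
    """Send origin-form and absolute-form GETs straight to a server (no proxy) and
    return both status lines. A server that answers the second with 400 is the kind
    Zoltán hit. Needs network access; not exercised by the offline test."""
    results = {}
    for absolute in (False, True):
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_ssl:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        try:
            sock.sendall(build_request(host, port, "/", use_ssl, absolute))
            results["absolute" if absolute else "origin"] = (
                sock.recv(4096).split(b"\r\n", 1)[0].decode("iso-8859-1"))
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    for raw in (ORIGIN_FORM, ABSOLUTE_FORM):
        print(effective_target(raw))
```

Running the module prints the same host, port 443 (once tls=True is passed for the origin-form request on an SSL connection) and path for both requests, which is the whole of Sullo's point; to reproduce Zoltán's result on a particular server, call probe_absolute_form(host) and compare the two status lines.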
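For the "Server banner has changed ... which may suggest a WAF" line in Zaki's output and Sullo's advice that it is up to the tester to validate the guess, an added example (not Nikto's code and not from the thread) that compares a benign baseline response with the response to an attack-looking probe of the same URL and weighs the evidence. One caveat it encodes: "Microsoft-HTTPAPI/2.0" is the banner of http.sys itself, which answers on its own for requests it rejects before they reach IIS, so on an IIS host that particular banner change is weak evidence by itself. The three sample responses are constructed for the demonstration, and the weights and thresholds are this example's own heuristic.

```python
"""Validate a scanner's 'WAF detected' heuristic from a baseline/probe response pair.
Added example; sample responses below are constructed, not captured from a real host."""

HTTP_SYS_BANNER = "Microsoft-HTTPAPI/2.0"   # banner http.sys uses when it answers itself
BLOCK_STATUSES = {403, 406, 429, 503}       # typical filter / rate-limit responses
BLOCK_WORDS = (b"blocked", b"forbidden", b"not acceptable")

# Constructed samples: a normal page, a filtered probe, and an http.sys rejection.
BASELINE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nX-Powered-By: ASP.NET\r\n"
            b"Content-Type: text/html\r\nContent-Length: 14\r\n\r\n<html>ok</html>")
PROBE_FILTERED = (b"HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/7.5\r\n"
                  b"Content-Type: text/html\r\n\r\nRequest blocked by security policy")
PROBE_HTTPSYS = (b"HTTP/1.1 400 Bad Request\r\nServer: Microsoft-HTTPAPI/2.0\r\n"
                 b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def compare(baseline_raw, probe_raw):
    """Weighted (weight, reason) findings from the differences between a benign
    baseline response and the response to an attack-looking probe of the same URL."""
    b_status, b_hdr, _ = parse_response(baseline_raw)
    p_status, p_hdr, p_body = parse_response(probe_raw)
    findings = []
    if b_status < 400 and p_status in BLOCK_STATUSES:
        findings.append((2, f"probe answered {p_status}, baseline answered {b_status}"))
    elif b_status < 400 and p_status == 400:
        findings.append((1, "probe answered 400: could be a filter, or just a malformed probe"))
    b_server, p_server = b_hdr.get("server"), p_hdr.get("server")
    if b_server != p_server:
        if p_server == HTTP_SYS_BANNER:
            findings.append((0, f"banner changed to {p_server!r}: http.sys answers rejected "
                                "requests itself on any IIS host, so this alone is not a WAF"))
        else:
            findings.append((2, f"Server banner changed from {b_server!r} to {p_server!r}"))
    # Headers that only the blocked response carries (ignoring ones that vary anyway).
    for name in sorted(set(p_hdr) - set(b_hdr) - {"content-length", "date"}):
        findings.append((1, f"header {name!r} present only on the probe response"))
    if any(word in p_body.lower() for word in BLOCK_WORDS):
        findings.append((1, "probe body contains block wording"))
    return findings


def verdict(findings):
    """Collapse findings into a verdict; thresholds are this example's heuristic."""
    score = sum(weight for weight, _ in findings)
    if score >= 3:
        return "likely WAF"
    if score >= 1:
        return "inconclusive"
    return "no evidence"


def triage(baseline_raw, probes):
    """Verdict per named probe response, all measured against one baseline."""
    return {name: verdict(compare(baseline_raw, raw)) for name, raw in probes.items()}


if __name__ == "__main__":
    for name, raw in {"filtered": PROBE_FILTERED, "httpsys": PROBE_HTTPSYS}.items():
        print(name, verdict(compare(BASELINE, raw)))
        for weight, reason in compare(BASELINE, raw):
            print("  ", weight, reason)
```

To use it on a real target, capture one normal request and one carrying an obviously hostile payload (through Burp, as in the other thread) and hand the raw responses to compare; whatever the verdict, a scan that has slowed down rather than stopped is better diagnosed with the space-bar status Sullo mentions than with a WAF guess.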