[Nikto-discuss] Nikto Capabilities

Robin Wood robin at digininja.org
Sun Jan 5 05:44:48 CST 2014


On 5 January 2014 11:33, raymond lukanta <raymond_pluto at hotmail.com> wrote:
> So, Nikto checks the content of every files on the web server? Like code
> scanning?

No, it checks for files it knows about for content it knows about. So
if it doesn't know about a file called ignoreme.txt then it won't look
at it.

I suggest you have a look at the source and the plugins and you'll
soon see what it is doing. You can also set up a web server and
monitor the logs then run it against it and you'll see all the files
being requested.

Robin

> --
> Raymond
>
>> From: robin at digininja.org
>> Date: Sun, 5 Jan 2014 11:26:14 +0000
>
>> Subject: Re: [Nikto-discuss] Nikto Capabilities
>> To: raymond_pluto at hotmail.com
>> CC: resident.deity at gmail.com; nikto-discuss at attrition.org
>
>>
>> On 5 January 2014 11:06, raymond lukanta <raymond_pluto at hotmail.com>
>> wrote:
>> > Hmm..
>> >
>> > Would you please give me further explanation about "Nikto will only
>> > check
>> > for what it knows"?
>> > As long as I understand, a web application scanner is also checking what
>> > it
>> > knows (by using plugins or databases).
>>
>> Nikto uses hardcoded rules to check for things, for example it will
>> look for the string "ABC" in file findme.php and if it finds it then
>> it will report that vulnerability XYZ exists. This is different to a
>> lot of scanners which do this but also do fuzzing where they will take
>> test.php?id=1 and then try different values for the id to try to
>> detect vulnerabilities.
>>
>> Therefore it can only detect things it knows about.
>>
>> Robin
>>
>> > Thanks,
>> > --
>> > Raymond
>> >
>> > ________________________________
>> > Date: Sun, 5 Jan 2014 09:34:59 +0000
>> > Subject: Re: [Nikto-discuss] Nikto Capabilities
>> > From: resident.deity at gmail.com
>> > To: raymond_pluto at hotmail.com
>> > CC: nikto-discuss at attrition.org
>> >
>> >
>> > Nikto performs a set of tests for pages on the web server and the
>> > configuration of its responses. The tuning option allows these the
>> > number of
>> > tests to be cut down, e.g. to known pages that have SQL injection.
>> >
>> > Where this differs from a web application scanner is that Nikto will
>> > only
>> > check for what it knows.
>> >
>> > To be honest web server scanner is a pointless label anyway. It's a tool
>> > that should be run as part of a set of tools (e.g. nmap, sslscan,
>> > sqlmap,
>> > burp) used during a test. It's not mutually exclusive with other tools.
>> >
>> > On 4 Jan 2014 17:00, "raymond lukanta" <raymond_pluto at hotmail.com>
>> > wrote:
>> >
>> > I have a question about Nikto capabilities.
>> > In the Nikto description, it is said that Nikto is a web server scanner.
>> > But, in the -Tuning option
>> > (http://cirt.net/nikto2-docs/options.html#id2741238), there're a test
>> > for
>> > SQL injection and XSS. Actually, it makes me confused.
>> >
>> > I need explanation why Nikto do the test for SQL injection and XSS.
>> > Because
>> > I think, injection and XSS is web application related (CMIIW).
>> >
>> >
>> > Thanks.
>> >
>> > --
>> > Raymond
>> >
>> > _______________________________________________
>> > Nikto-discuss mailing list
>> > Nikto-discuss at attrition.org
>> > https://attrition.org/mailman/listinfo/nikto-discuss
>> >
>> >
>> > _______________________________________________
>> > Nikto-discuss mailing list
>> > Nikto-discuss at attrition.org
>> > https://attrition.org/mailman/listinfo/nikto-discuss
>> >


More information about the Nikto-discuss mailing list