Nikto - Web Application Vulnerability and CGI Scanner for Web Servers


Nikto Web Scanner is another good tool for any Linux administrator's arsenal. It is an open-source web scanner released under the GPL licence, used to perform comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs.

Recommended reading: WPSeku – a vulnerability scanner for finding security problems in WordPress

It was written by Chris Solo and David Lodge for vulnerability assessment; it checks for outdated versions of over 1250 web servers and for over 270 version-specific problems. It also scans for and reports outdated web server software and plugins.

Features of the Nikto Web Scanner

  1. Supports SSL
  2. Supports full HTTP proxy
  3. Supports text, HTML, XML and CSV for saving reports.
  4. Scan multiple ports
  5. Can scan multiple servers by taking input from files such as nmap output
  6. Support for LibWhisker IDS
  7. Capable enough to identify installed software via headers, files and favicons
  8. Logs for Metasploit
  9. Reports on “unusual” headers.
  10. Apache and cgiwrap user enumeration
  11. Authenticates hosts with Basic and NTLM
  12. Scans can be auto-paused at a specified time.

Nikto Requirements

A system with a basic installation of Perl, Perl modules and OpenSSL should be able to run Nikto. It has been tested thoroughly on Windows, Mac OSX and various Unix/Linux distributions such as Red Hat, Debian, Ubuntu, BackTrack, etc.

Installing Nikto Web Scanner on Linux

Most of today's Linux systems come with Perl, Perl modules and the OpenSSL packages pre-installed. If they are not included, you can install them using the default system package management utility, yum or apt-get.

On Red Hat/CentOS/Fedora
[root@tecmint ]# yum install perl perl-Net-SSLeay openssl
On Debian/Ubuntu/Linux Mint
[root@tecmint ]# apt-get install perl openssl libnet-ssleay-perl

Then clone the latest stable Nikto source files from the GitHub repository, change into the nikto/programs/ directory and run it using perl:

git clone https://github.com/sullo/nikto.git
cd nikto/programs
perl nikto.pl -h 
Sample Output
Option host requires an argument

       -config+            Use this config file
       -Display+           Turn on/off display outputs
       -dbcheck            check database and other key files for syntax errors
       -Format+            save file (-o) format
       -Help               Extended help information
       -host+              target host
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -output+            Write output to this file
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -root+              Prepend root value to all requests, format is /directory
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning
       -timeout+           Timeout for requests (default 10 seconds)
       -update             Update databases and plugins from CIRT.net
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
   		+ requires a value

	Note: This is the short help output. Use -H for full help text.

“Option host requires an argument” clearly says that we did not include the required parameters while running the test. So we need to add the basic required parameter for a test run.

Basic Testing

A basic scan requires the host you want to target; by default it scans port 80 if nothing else is specified. The host can be either a hostname or the IP address of a system. You can specify the host using the “-h” option.

For example, I want to perform a scan on IP 172.16.27.56 on TCP port 80.

[root@tecmint nikto-2.1.5]# perl nikto.pl -h 172.16.27.56
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 00:48:12 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 5956160, size: 24, mtime: 0x4d4865a054e32
+ File/dir '/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Multiple index files found: index.php, index.htm, index.html
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /test.html: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /connect.php?path=http://cirt.net/rfiinc.txt?: Potential PHP MySQL database connection string found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2014-01-10 00:48:23 (GMT5.5) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
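As an added example (not part of the original article or of the Nikto project), a small Python parser that turns the plain-text report above into structured findings and attaches a remediation hint to the finding types seen in it. SAMPLE_REPORT is a trimmed copy of the sample scan output, and the HINTS table is this example's own mapping, not something Nikto emits.

```python
import re
from typing import NamedTuple, Optional

# Trimmed copy of the report from the sample scan above (constructed test input, not a live scan).
SAMPLE_REPORT = """\
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3268: /icons/: Directory indexing found.
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
"""

HEADER_RE = re.compile(r"^\+ (Target IP|Target Hostname|Target Port|Server|Start Time|End Time):\s+(.*)$")
SUMMARY_RE = re.compile(r"^\+ (\d+) items checked: (\d+) error\(s\) and (\d+) item\(s\) reported")
# Finding lines look like "+ [OSVDB-id: ][/path: ]message"; the id and the path are optional.
FINDING_RE = re.compile(r"^\+ (?:(OSVDB-\d+): )?(?:(/\S*): )?(.*)$")

# Remediation hints for finding types seen in the report above (this example's own table).
HINTS = {
    "HTTP TRACE method is active": "disable TRACE (Apache: TraceEnable off)",
    "X-Frame-Options header is not present": "send X-Frame-Options: DENY or SAMEORIGIN",
    "Directory indexing found": "disable autoindex (Apache: Options -Indexes)",
    "Contains PHP configuration information": "remove phpinfo.php from the web root",
}

class Finding(NamedTuple):
    osvdb: Optional[str]
    path: Optional[str]
    message: str
    hint: Optional[str]   # None when no rule in HINTS matches

def parse_report(text: str) -> dict:
    """Parse one host's section of a Nikto text report into target metadata, findings and totals."""
    rep = {"target": {}, "findings": [], "checked": 0, "errors": 0, "reported": 0}
    for line in text.splitlines():
        if m := HEADER_RE.match(line):           # scan metadata, not a finding
            rep["target"][m.group(1)] = m.group(2).strip()
        elif m := SUMMARY_RE.match(line):        # "N items checked: ..." totals
            rep["checked"], rep["errors"], rep["reported"] = map(int, m.groups())
        elif m := FINDING_RE.match(line):        # every other line starting with "+ "
            osvdb, path, msg = m.groups()
            hint = next((h for key, h in HINTS.items() if key in msg), None)
            rep["findings"].append(Finding(osvdb, path, msg, hint))
    return rep
```

To use it on a real run, save the scan with the -output option listed in the help text above and pass the file contents to parse_report.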

If you want to scan a different port number, add the “-p” [-port] option. For example, I want to perform a scan on IP 172.16.27.56 on TCP port 443.

[root@tecmint nikto-2.1.5]# perl nikto.pl -h 172.16.27.56 -p 443
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
                   Ciphers: DHE-RSA-AES256-GCM-SHA384
                   Issuer:  /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time:         2014-01-10 01:08:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Server leaks inodes via ETags, header found with file /, inode: 2817021, size: 5, mtime: 0x4d5123482b2e9
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Server is using a wildcard certificate: '*.mid-day.com'
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2014-01-10 01:11:20 (GMT5.5) (174 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

You can also specify hosts, ports and protocols using the full URL syntax, and that target will be scanned.

[root@tecmint nikto-2.1.5]# perl nikto.pl -h http://172.16.27.56:80

You can also scan any website. For example, here I scanned google.com.

[root@tecmint nikto-2.1.5]# perl nikto.pl -h http://www.google.com
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          173.194.38.177
+ Target Hostname:    www.google.com
+ Target Port:        80
+ Start Time:         2014-01-10 01:13:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: gws
+ Cookie PREF created without the httponly flag
+ Cookie NID created without the httponly flag
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Uncommon header 'alternate-protocol' found, with contents: 80:quic
+ Root page / redirects to: http://www.google.co.in/?gws_rd=cr&ei=xIrOUomsCoXBrAee34DwCQ
+ Server banner has changed from 'gws' to 'sffe' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-content-type-options' found, with contents: nosniff
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ File/dir '/groups/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
….

The above command will perform a large number of HTTP requests (i.e. more than 2000 tests) against the web server.

Testing Multiple Ports

You can also scan multiple ports in the same session. To scan multiple ports on the same host, add the “-p” [-port] option and specify the list of ports. Ports can be defined as a range (i.e. 80-443) or as comma-separated values (i.e. 80,443). For example, I want to scan ports 80 and 443 on host 172.16.27.56.

[root@tecmint nikto-2.1.5]# perl nikto.pl -h 172.16.27.56 -p 80,443
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on cmsstage.mid-day.com:88
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 20:38:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.

---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
                   Ciphers: DHE-RSA-AES256-GCM-SHA384
                   Issuer:  /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time:         2014-01-10 20:38:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ All CGI directories 'found', use '-C none' to test none
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
.....

Using a Proxy

Suppose the system running Nikto can only reach the target host through an HTTP proxy; the test can still be performed in two different ways. One is to use the nikto.conf file, and the other is to run it directly from the command line.

Using the Nikto.conf File

Open the nikto.conf file using any command-line editor.

[root@localhost nikto-2.1.5]# vi nikto.conf

Look for the “PROXY” variables and uncomment them by removing the ‘#’ from the beginning of the lines, as shown. Then add the proxy host, port, proxy user and password. Save and close the file.

Proxy settings -- still must be enabled by -useproxy
PROXYHOST=172.16.16.37
PROXYPORT=8080
PROXYUSER=pg
PROXYPASS=pg

Now run Nikto using the “-useproxy” option. Note that all connections will be relayed through the HTTP proxy.

[root@localhost nikto-2.1.5]# perl nikto.pl -h localhost -p 80 -useproxy
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2014-01-10 21:28:29 (GMT5.5)
---------------------------------------------------------------------------
+ Server: squid/2.6.STABLE6
+ Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0
+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080

Using the Command Line

To run Nikto directly from the command line, use the “-useproxy” option and pass the proxy as its argument.

[root@localhost nikto-2.1.5]# perl nikto.pl -h localhost -useproxy http://172.16.16.37:8080/
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2014-01-10 21:34:51 (GMT5.5)
---------------------------------------------------------------------------
+ Server: squid/2.6.STABLE6
+ Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0
+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080

Updating Nikto

You can automatically update Nikto to the latest plugins and databases; simply run the “-update” command.

[root@localhost nikto-2.1.5]# perl nikto.pl -update

If new updates are available, you will see a list of the newly downloaded updates.

+ Retrieving 'nikto_report_csv.plugin'
+ Retrieving 'nikto_headers.plugin'
+ Retrieving 'nikto_cookies.plugin'
+ Retrieving 'db_tests'
+ Retrieving 'db_parked_strings'
+ Retrieving 'CHANGES.txt'
+ CIRT.net message: Please submit Nikto bugs to http://trac2.assembla.com/Nikto_2/report/2

You can also manually download and update the Nikto plugins and databases from http://cirt.net/nikto/UPDATES/.

Reference Links

Nikto Homepage