
How to scan for vulnerabilities on any website using Nikto « Null Byte :: WonderHowTo



Before attacking any website, a hacker or penetration tester will first compile a list of target surfaces. After doing some good reconnaissance and finding the right places to aim at, they'll use a web server scanning tool such as Nikto to hunt for vulnerabilities that may be potential attack vectors.

Nikto is a simple, open-source web server scanner that examines a website and reports back vulnerabilities found on the site that could be used to exploit or hack it. It is also one of the most widely used website vulnerability tools in the industry, and in many circles is considered the industry standard.

Although this tool is extremely effective, it is not stealthy at all. Any site with an intrusion detection system or other security measures in place will detect that it is being scanned.

The right way to use Nikto

If you just run Nikto on its own against a target website, you may not know what to do with the information from the scan. Nikto is more like a laser pointer used to call in a much larger strike, and you will get to see how that plays out a little later.

Let's first talk about the attack surface. This is pretty much anywhere a hacker could attempt an attack, and it can include things like network-exposed printers and a web server. When we use Nikto later, we need to provide it with one of three types of information: an IP address for a local service, a web domain to attack, or an SSL/HTTPS website.

Before diving directly into a scan with Nikto, it's better to do some additional reconnaissance using an open-source intelligence tool like Maltego. Tools like this can help build a profile and a more focused list of targets to concentrate on. When that's ready, Nikto can be used to pinpoint potential vulnerabilities for the targets on the list.

With luck, there will be a vulnerability with a weaponized exploit, meaning there is already a tool out there to take advantage of the weakness. With the appropriate tool, which automatically exploits the vulnerability, a hacker can gain access to the target to perform a number of behind-the-scenes attacks, such as adding code to carry out malicious activity.

Step 1: Install Nikto

If you're running Kali Linux, Nikto comes pre-installed, so you don't need to download or install anything. It will be located in the "Vulnerability Analysis" category. If you don't have it for some reason, you can get Nikto from its GitHub or just use the apt install command.

  apt install nikto 

If you're on a Mac, you can use Homebrew to install Nikto.

  brew install nikto

Step 2: Get to know Nikto

Before you start scanning web servers with Nikto, you can use the help option to see everything that can be done within Nikto.

  nikto -Help
  Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck            Check database and other key files for syntax errors
       -evasion+           Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
       -Format+            Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML format
                               nbe   Nessus NBE format
                               sql   Generic SQL (see docs for schema)
                               txt   Plain text
                               xml   XML format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help               Extended help information
       -host+              Target host
       -404code            Ignore these HTTP codes as negative responses (always). Format is "302,301".
       -404string          Ignore this string in response body content as negative response (always). Can be a regular expression.
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -key+               Client certificate key file
       -list-plugins       List all available plugins, perform no testing
       -maxtime+           Maximum testing time per host (e.g., 1h, 60m, 3600s)
       -mutate+            Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options     Provide information for mutates
       -nointeractive      Disables interactive features
       -nolookup           Disables DNS lookups
       -nossl              Disables the use of SSL
       -no404              Disables nikto attempting to guess a 404 page
       -Option             Over-ride an option in nikto.conf, can be issued multiple times
       -output+            Write output to this file ('.' for auto-name)
       -Pause+             Pause between tests (seconds, integer or float)
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -RSAcert+           Client certificate file
       -root+              Prepend root value to all requests, format is /directory
       -Save               Save positive responses to this directory ('.' for auto-name)
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               d     WebService
                               e     Administrative Console
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+           Timeout for requests (default 10 seconds)
       -Userdbs            Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -useragent          Over-rides the default useragent
       -until              Run until the specified time or duration
       -update             Update databases and plugins from CIRT.net
       -useproxy           Use the proxy defined in nikto.conf, or argument http://server:port
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
  + requires a value

Step 3: Use the basic syntax

As you can see from the previous step, Nikto has a lot of options, but for our purposes we'll stick to the basic syntax below. Replace the angle brackets with the actual IP address or hostname.

  nikto -h <IP or hostname>

Nikto can also scan targets that use SSL on port 443, the port HTTPS websites use (HTTP uses port 80 by default). So we're not limited to scanning old-style sites; we can also run vulnerability assessments against websites that use SSL, which these days is practically a requirement for being indexed in search results.

If we know the target is an SSL site, we can tell Nikto that up front to save time on the scan by adding -ssl to the end of the command.

  nikto -h <IP or hostname> -ssl

Step 4: Scan an SSL-enabled website

Let's start by scanning pbs.org to see some of the types of information a Nikto scan will show. After it connects to port 443, we see some useful information about the cipher and a list of other details, such as that the server is Nginx, but there isn't much of interest to us here.

  nikto -h pbs.org -ssl
  - Nikto v2.1.6
---------------------------------------------------------------------------
- STATUS: Starting up!
+ Target IP:          54.225.198.196
+ Target Hostname:    pbs.org
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=www.pbs.org
                   Altnames: account.pbs.org, admin.pgs.org, dipsy-tc.pbs.org, docs.pbs.org, ga.video.cdn.pbs.org, git.pbs.org, heart.ops.pbs.org, hub-dev.pbs.org, image.pbs.org,
                             jaws.pbs.org, kids.pbs.org, koth-qa.svp.pbs.org, login.pbs.org, ops.pbs.org, pbs.org, player.pbs.org, projects.pbs.org, sentry.pbs.org, teacherline.pbs.org,
                             urs.pbs.org, video.pbs.org, weta-qa.svp.pbs.org, whut-qa.svp.pbs.org, wnet.video-qa.pbs.org, wnet.video-staging.pbs.org, www-cache.pbs.org, www.pbs.org
                   Ciphers:  ECDHE-RSA-AES128-GCM-SHA256
                   Issuer:   /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+ Start Time:         2018-12-05 23:34:06 (GMT-8)
---------------------------------------------------------------------------
+ Server: nginx
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-pbs-fwsrvname' found, with contents: fwcacheproxy1
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: https://www.pbs.org/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ RFC-1918 IP address found in the 'x-pbs-appsvrip' header: The IP is "10.137.181.52".
+ Uncommon header 'x-cache-fs-status' found, with contents: EXPIRED
+ Uncommon header 'x-pbs-appsvrname' found, with contents: fwcacheproxy1
+ Uncommon header 'x-pbs-appsvrip' found, with contents: 10.137.181.52
+ Server leaks inodes via ETags, header found with file /pbs.org.zip, fields: 0x5b96537e 0x1678
+ 7446 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2018-12-06 00:30:29 (GMT-8) (3383 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Step 5: Scan an IP address

Now that we've done a quick scan of a website, let's try using Nikto on a local network to find embedded servers such as a login page for a router or an HTTP service on another machine that is just a server with no website. To get started, let's find our IP address with ifconfig.

  ifconfig
  en0: flags=8863 mtu 1500
	inet 192.168.0.48 netmask 0xffffff00 broadcast 192.168.0.255
	inet6 XXXX::XXX:XXXX:XXXX:XXXX%en0 prefixlen 64 secured scopeid 0x8
	ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet)
	inet6 XXXX::XXX:XXXX:XXXX:XXXX%en0 prefixlen 64 autoconf secured
	inet6 XXXX::XXX:XXXX:XXXX:XXXX%en0 prefixlen 64 autoconf temporary
	nd6 options=201
	media: autoselect
	status: active

  a2: flags=8863 mtu 1500
	options=60
	ether XX:XX:XX:XX:XX:XX
	media: autoselect
	status: inactive

The IP address we want is the "inet" one. Then we can run ipcalc on it to get our network range. If you don't have ipcalc, you can install it with apt install ipcalc and try again. The range will be next to "Network"; in my case, it's 192.168.0.0/24.

  ipcalc 192.168.0.48
  Address:   192.168.0.48         11000000.10101000.00000000. 00110000
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   192.168.0.0/24       11000000.10101000.00000000. 00000000
HostMin:   192.168.0.1          11000000.10101000.00000000. 00000001
HostMax:   192.168.0.254        11000000.10101000.00000000. 11111110
Broadcast: 192.168.0.255        11000000.10101000.00000000. 11111111
Hosts/Net: 254                   Class C, Private Internet

Now we'll run Nmap to find services running on the network range. Let's scan port 80 with our range and tack on -oG (grepable output) so we can extract only the hosts that are up, i.e., responding, indicating that port 80 is open. Then we'll save everything to a file, which I'm naming nullbyte.txt, but it can be named anything.

  nmap -p 80 192.168.0.0/24 -oG nullbyte.txt
  Starting Nmap 7.60 ( https://nmap.org ) at 2018-12-06 00:43 PST
Nmap scan report for 192.168.0.1
Host is up (0.021s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 192.168.0.2
Host is up (0.088s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 192.168.0.4
Host is up (0.032s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 192.168.0.5
Host is up (0.020s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 192.168.0.11
Host is up (0.068s latency).

PORT   STATE  SERVICE
80/tcp closed http

Nmap scan report for 192.168.0.24
Host is up (0.023s latency).

PORT   STATE  SERVICE
80/tcp closed http

Nmap scan report for 192.168.0.31
Host is up (0.059s latency).

PORT   STATE  SERVICE
80/tcp closed http

Nmap scan report for 192.168.0.48
Host is up (0.030s latency).

PORT   STATE  SERVICE
80/tcp closed http

Nmap scan report for 192.168.0.60
Host is up (0.092s latency).

PORT   STATE  SERVICE
80/tcp closed http

Nmap done: 256 IP addresses (9 hosts up) scanned in 8.92 seconds

There's a nice little trick that can send all the hosts directly to Nikto for scanning. We use cat to read the output stored in our nullbyte.txt document (or whatever you named it). Then we pipe it through awk, a Linux tool that searches for the given pattern, where Up means the host is up and print $2 means to print the second word on that line, i.e., just the IP address. Then we send that data to a new file called targetIP.txt (or whatever you want to name it).

  cat nullbyte.txt | awk '/Up$/ {print $2}' | cat >> targetIP.txt

We can now see the contents of our new file with cat to see all IP addresses that have port 80 open.

  cat targetIP.txt 
  192.168.0.1
192.168.0.2
192.168.0.4
192.168.0.5
192.168.0.11
192.168.0.24
192.168.0.31
192.168.0.48
192.168.0.60 

This is perfect for Nikto, since it can easily interpret files like this. So we can feed this file to Nikto with the following command.

  nikto -h targetIP.txt 

The results will be similar to those we got when performing the SSL scan.
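The awk filter above keeps every host whose line ends in "Up", which is why the list also contained hosts whose port 80 was closed. As an added example (not part of the original article), the following Python parses nmap's grepable output directly and keeps only the hosts that reported 80/open, which is the list Nikto can actually do something with; the sample output is constructed and modelled on the scan above.

```python
import re

# Constructed sample in nmap's grepable (-oG) format, modelled on the scan above
# (not real scan data). nmap writes one "Status:" line and one "Ports:" line per host.
SAMPLE_GNMAP = """\
# Nmap 7.60 scan initiated Thu Dec  6 00:43:00 2018 as: nmap -p 80 -oG nullbyte.txt 192.168.0.0/24
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 80/open/tcp//http///
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.2 ()\tPorts: 80/open/tcp//http///
Host: 192.168.0.11 ()\tStatus: Up
Host: 192.168.0.11 ()\tPorts: 80/closed/tcp//http///
Host: 192.168.0.48 ()\tStatus: Up
Host: 192.168.0.48 ()\tPorts: 80/filtered/tcp//http///
# Nmap done at Thu Dec  6 00:43:09 2018 -- 256 IP addresses (4 hosts up) scanned in 8.92 seconds
"""

# Grepable lines look like: "Host: <ip> (<hostname>)<TAB><field>: <value>..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def hosts_up(gnmap):
    """Every host that answered at all: the same set the awk '/Up$/' filter keeps."""
    return [m.group(1) for m in map(HOST_RE.match, gnmap.splitlines())
            if m and m.group(3) == "Status: Up"]


def hosts_with_open_port(gnmap, port, proto="tcp"):
    """Only hosts whose 'Ports:' field lists <port>/open/<proto>, i.e. the ones
    that really have a listening service for Nikto to talk to."""
    found = []
    for line in gnmap.splitlines():
        m = HOST_RE.match(line)
        if not m or not m.group(3).startswith("Ports:"):
            continue
        ip = m.group(1)
        # Each comma-separated entry is portnum/state/proto/owner/service/rpcinfo/version/
        for entry in m.group(3)[len("Ports:"):].split(","):
            f = entry.strip().split("/")
            if len(f) >= 3 and f[0] == str(port) and f[1] == "open" and f[2] == proto:
                found.append(ip)
                break
    return found


def write_target_list(gnmap, port, path):
    """Write one IP per line (the layout Nikto's -h accepts) and return the count."""
    hosts = hosts_with_open_port(gnmap, port)
    with open(path, "w") as fh:
        fh.write("".join(ip + "\n" for ip in hosts))
    return len(hosts)


if __name__ == "__main__":
    print("up:", hosts_up(SAMPLE_GNMAP))
    print("port 80 open:", hosts_with_open_port(SAMPLE_GNMAP, 80))
```

Running it against a real nullbyte.txt only requires reading the file into a string and calling write_target_list(text, 80, "targetIP.txt").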

Step 6: Scan an HTTP website

We've scanned a secure website and an IP address on a local network, and now it's time to go after an insecure web domain on port 80. For this example, I used "afl.com.au", which wasn't using SSL when I performed this scan.

  nikto -h www.afl.com.au 
  - Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          159.180.84.10
+ Target Hostname:    www.afl.com.au
+ Target Port:        80
+ Start Time:         2018-12-05 21:48:32 (GMT-8)
---------------------------------------------------------------------------
+ Server: Start/nginx
+ Retrieved via header: 1.1 varnish (Varnish/6.1), 1.1 e9ba0a9a729ff2960a04323bf1833df8.cloudfront.net (CloudFront)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache' found, with contents: Miss from cloudfront
+ Uncommon header 'x-instart-cache-id' found, with contents: 17:12768802731504004780::1544075250
+ Uncommon header 'v-cache-hit' found, with contents: Hit
+ Uncommon header 'x-amz-cf-id' found, with contents: Dr-r6OwO5kk9ABt4ejzpc7R7AIF6SuH6kfJHQgP0v6xZoHwMLE55rQ==
+ Uncommon header 'x-instart-request-id' found, with contents: 12814413144077601501:BEQ01-CPVNPPRY18:1552504721:0
+ Uncommon header 'x-oneagent-js-injection' found, with contents: true
+ Uncommon header 'grace' found, with contents: cache
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-ruxit-js-agent' found, with contents: true
+ Cookie dtCookie created without the httponly flag
+ Server banner has changed from 'Start/nginx' to 'nginx' which may suggest a WAF, load balancer or proxy is in place
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/sites/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/search/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '*.mobileapp' in robots.txt returned a non-forbidden or redirect HTTP code (400)
+ Entry '*.liveradio' in robots.txt returned a non-forbidden or redirect HTTP code (400)
+ Entry '*.smartmobile' in robots.txt returned a non-forbidden or redirect HTTP code (400)
+ Entry '*.responsive' in robots.txt returned a non-forbidden or redirect HTTP code (400)
+ Entry '/stats?*/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 8 entries which should be manually viewed.
+ OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
+ OSVDB-3092: /psql_history: This might be interesting...
+ OSVDB-3092: /global/: This might be interesting...
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3092: /news: This might be interesting...
+ OSVDB-3092: /search.vts: This might be interesting...
+ OSVDB-3092: /stats.htm: This might be interesting...
+ OSVDB-3092: /stats.txt: This might be interesting...
+ OSVDB-3092: /stats/: This might be interesting...
+ OSVDB-3092: /Stats/: This might be interesting...
+ OSVDB-3093: /.wwwacl: Contains authorization information
+ OSVDB-3093: /.www_acl: Contains authorization information
+ OSVDB-3093: /.htpasswd: Contains authorization information
+ OSVDB-3093: /.access: Contains authorization information
+ OSVDB-3093: /.addressbook: PINE addressbook, can store sensitive e-mail address contact information and notes
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.bash_history: A user's home directory may be set to the web root, the shell history was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.forward: User home dir was found with a mail forward file. May reveal where the user's mail is being forwarded to.
+ OSVDB-3093: /.history: A user's home directory may be set to the web root, the shell history was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.htaccess: Contains configuration and/or authorization information
+ OSVDB-3093: /.lynx_cookies: User home dir found with LYNX cookie file. May reveal cookies received from arbitrary web sites.
+ OSVDB-3093: /.mysql_history: Database SQL?
+ OSVDB-3093: /.passwd: Contains authorization information
+ OSVDB-3093: /.pinerc: User home dir found with a PINE rc file. May reveal system information, directories and more.
+ OSVDB-3093: /.plan: User home dir with a .plan, a now mostly outdated file for delivering information via the finger protocol
+ OSVDB-3093: /.proclog: User home dir with a Procmail rc file. May reveal mail traffic, directories and more.
+ OSVDB-3093: /.procmailrc: User home dir with a Procmail rc file. May reveal subdirectories, mail contacts and more.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ OSVDB-3093: /.rhosts: A user's home directory may be set to the web root, a .rhosts file was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.sh_history: A user's home directory may be set to the web root, the shell history was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.ssh: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-5709: /.nsconfig: Contains authorization information
+ /portal/changelog: Vignette richtext HTML editor changelog found.
+ 7587 requests: 4 error(s) and 55 item(s) reported on remote host
+ End Time:           2018-12-05 22:42:41 (GMT-8) (3249 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Above, we can see there's a Varnish server and some headers that help specify how the website is configured. The juicier stuff is the directories found, which could point to configuration files that may contain credentials or other items that have been misconfigured and are inadvertently accessible.

The items with the OSVDB prefix are vulnerabilities reported in the Open Source Vulnerability Database (a site that shut down in 2016). It's similar to other vulnerability databases such as SecurityFocus, Microsoft's Technet, and Common Vulnerabilities and Exposures. I prefer to check the National Vulnerability Database.

Although there's nothing significant that could be exploited from this scan, if there were, you could use the CVE reference tool to translate the OSVDB identifier into a CVE entry, so you could use one of the other sites above to read more about the vulnerability.
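A Nikto report like the two above is only useful once its "+" lines are sorted into things someone has to fix. The following added Python example (not part of the original article or of Nikto itself) parses that text format and buckets the findings into missing security headers, private-address leaks, cookies missing httponly, and OSVDB path hits; the report it works on is constructed, modelled on the output above, with placeholder host names.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the Nikto findings shown above (not a real scan).
SAMPLE_REPORT = """\
- Nikto v2.1.6
+ Target IP:          192.0.2.10
+ Target Hostname:    www.example.test
+ Target Port:        443
+ Server: nginx
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ RFC-1918 IP address found in the 'x-app-svrip' header: The IP is "10.137.181.52".
+ Cookie session created without the httponly flag
+ Server leaks inodes via ETags, header found with file /example.zip, fields: 0x5b96537e 0x1678
+ OSVDB-3093: /.htpasswd: Contains authorization information
+ OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
+ 7446 requests: 0 error(s) and 10 item(s) reported on remote host
+ 1 host(s) tested
"""

HEADER_RE = re.compile(r"\b(X-Frame-Options|X-XSS-Protection|Strict-Transport-Security|X-Content-Type-Options)\b")
OSVDB_RE = re.compile(r"OSVDB-(\d+):\s*(\S+):")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
METADATA_PREFIXES = ("Target ", "Server:", "Start Time", "End Time")


def findings(report):
    """Keep only the '+' lines that describe a finding, dropping scan metadata."""
    out = []
    for line in report.splitlines():
        if not line.startswith("+ "):
            continue
        body = line[2:].strip()
        if body.startswith(METADATA_PREFIXES) or " requests:" in body or "host(s) tested" in body:
            continue
        out.append(body)
    return out


def private_ips(text):
    """Private (RFC 1918 and similar) IPv4 addresses quoted inside a finding."""
    result = []
    for ip in IPV4_RE.findall(text):
        try:
            if ip_address(ip).is_private:
                result.append(ip)
        except ValueError:  # the loose regex also matches e.g. 999.1.1.1
            pass
    return result


def triage(report):
    """Bucket findings into remediation categories for the server's operators."""
    buckets = {"missing_headers": [], "private_ip_leaks": [], "cookies_without_httponly": [],
               "osvdb_paths": [], "other": []}
    for f in findings(report):
        hdr = HEADER_RE.search(f)
        osvdb = OSVDB_RE.search(f)
        if hdr and any(s in f for s in ("not present", "not defined", "not set")):
            buckets["missing_headers"].append(hdr.group(1))
        elif private_ips(f):
            buckets["private_ip_leaks"].extend(private_ips(f))
        elif f.startswith("Cookie ") and "without the httponly flag" in f:
            buckets["cookies_without_httponly"].append(f.split()[1])
        elif osvdb:
            buckets["osvdb_paths"].append((int(osvdb.group(1)), osvdb.group(2)))
        else:
            buckets["other"].append(f)
    return buckets
```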

Let's say we found something worth exploring, such as CVE-2018-10933, a libssh vulnerability that we covered in detail earlier. The CVE entry contains information about what can be exploited, what the severity rating is (e.g., critical), and other details that can help determine an attack vector. If it's worth exploiting, you can search Metasploit, since someone has likely already developed a weaponized module to make it easier to use.

Step 7: Couple scans with Metasploit

One of the best things about Nikto is that you can export the information into a format Metasploit can read when you perform a scan. To do so, just use the commands above to perform the scan, but append -Format msf+ to the end. The format can help us quickly pair the retrieved data with a weaponized exploit.

  nikto -h <IP or hostname> -Format msf+

So in this guide, we went from determining the attack surface to finding a vulnerability, and then pairing it with a weaponized exploit so we don't have to do all the work. Because Nikto is not a stealthy tool, it's wise to perform these types of scans from a VPN, through Tor, or another type of service so your real IP address isn't flagged for suspicious behavior.

Cover photo by Null Byte
