Usando o Nikto webserver scanner
Colaboração: Alexandro Silva
Data de Publicação: 29 de fevereiro de 2008
O Nikto é web server scanner escrito em perl usado para detectar vulnerabilidades em servidores web. Ele é muito simples de ser usado e atualizado gerando relatórios em txt,html e csv.
Baixando o Nikto
wget -c http://www.cirt.net/nikto/nikto-current.tar.gz
Não é necessário fazer a instalação do mesmo pois ele é um script perl.
Help do Nikto
| -Cgidirs+ | scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/" |
| -dbcheck | check database and other key files for syntax errors (cannot be abbreviated) |
| -evasion+ | ids evasion technique |
| -Format+ | save file (-o) format |
| -host+ | target host |
| -Help | Extended help information |
| -id+ | host authentication to use, format is userid:password |
| -mutate+ | Guess additional file names |
| -output+ | write output to this file |
| -port+ | port to use (default 80) |
| -Display+ | turn on/off display outputs |
| -ssl | force ssl mode on port |
| -Single | Single request mode |
| -timeout+ | timeout (default 2 seconds) |
| -Tuning+ | scan tuning |
| -update | update databases and plugins from cirt.net (cannot be abbreviated) |
| -Version | print plugin and database versions |
| -vhost+ | virtual host (for Host header) |
| + requires a value |
Atualizando os plugins
./nikto.pl -update
Usando o Nikto
./nikto.pl -C all -host 200.128.X.X -o vitima.txt
- C all - Força a checagem de todos os diretórios em busca de cgi
- host - Ip da vitima
-o - Gera um arquivo de relatório
==Relatório gerado==
- Nikto 2.02/2.03 - cirt.net + Target IP: 200.128.X.X + Target Hostname: Vitima + Target Port: 80 + Start Time: 2008-02-23 23:39:34 + Server: Apache/2.0.54 (Win32) PHP/5.1.4 - Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE + OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST. + Apache/2.0.54 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current. + PHP/5.1.4 appears to be outdated (current is at least 5.2.5) + OSVDB-0: GET /................../config.sys : PWS allows files to be read by prepending multiple '.' characters. At worst, IIS, not PWS, should be used. + OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details + OSVDB-3092: GET /manual/ : Web server manual found. + OSVDB-3233: GET /index.html.var : Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. + OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons + OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images + OSVDB-6659: GET /h2vP3F1siX65X0gGCoedXf11K8PpZSTPQP599a3I4u0TTqw1nGlL616opBSyM7IxVsF3TVoyZtpH59PqXNhFuRiEw4wGseD97ZeeLbLfvLoQcijFLIvNLslTZt3nd687RcPNpahPUA2FAPgiuADL5939Ic4es2fwarKmkKfW2XJrkRrQtPaOMYZnPCGDzZ7pw8xJ8b56GiWdh2nxFw5GE8z6TOgSWfJ< font>DEFACED<!--//-- : MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version. + 17457 items checked: 11 item(s) reported on remote host + End Time: 2008-02-24 0:32:00 (3192 seconds) + 1 host(s) tested <!--more-->