Nikto - Ranjivost web aplikacija i CGI skener za web poslužitelje
Nikto Web Scanner je još jedan dobar alat koji postoji za bilo koji arsenal Linux administratora. Riječ je o web-skeneru otvorenog koda objavljenom pod GPL licencom, koji se koristi za provođenje sveobuhvatnih testova na web-poslužiteljima za više stavki, uključujući preko 6500 potencijalno opasnih datoteka/CGI-a.
Napisali su ga Chris Solo i David Lodge za procjenu ranjivosti, provjerava zastarjele verzije preko 1250 web poslužitelja i preko 270 problema specifičnih za verziju. Također skenira i izvještava o zastarjelom softveru i dodacima web poslužitelja.
Značajke Nikto web skenera
- Podržava SSL
- Podržava puni HTTP proxy
- Podržava tekst, HTML, XML i CSV za spremanje izvješća.
- Potražite više priključaka
- Može skenirati na više poslužitelja uzimajući ulaze iz datoteka poput nmap izlaza
- Podržite LibWhisker IDS
- Dovoljno sposoban za prepoznavanje instaliranog softvera sa zaglavljima, datotekama i ikonama
- Dnevnici za metasploite
- Izvješća za "neobična" zaglavlja.
- Apache i cgiwrap nabrajanje korisnika
- Autentificirajte hostove pomoću Basic i NTLM
- Skeniranje se može automatski pauzirati u određeno vrijeme.
Nikto zahtjevi
Sustav s osnovnim Perl, Perl modulima, OpenSSL instalacijom trebao bi omogućiti Niktou da radi. Temeljito je testiran na Windowsima, Mac OSX-ima i raznim Unix/Linux distribucijama kao što su Red Hat, Debian, Ubuntu, BackTrack itd.
Instalacija Nikto Web Scannera na Linux
Većina današnjih Linux sustava dolazi s unaprijed instaliranim Perl, Perl modulima i OpenSSL paketima. Ako nisu uključeni, možete ih instalirati pomoću zadanog uslužnog programa upravitelja sistemskog paketa nazvanog yum ili apt-get.
yum install perl perl-Net-SSLeay openssl
apt-get install perl openssl libnet-ssleay-perl
Zatim klonirajte najnovije stabilne Nikto izvorne datoteke iz svog Github spremišta, premjestite se u direktorij Nikto/programs/i pokrenite ga pomoću perl:
$ git clone https://github.com/sullo/nikto.git $ cd nikto/programs $ perl nikto.pl -h
Option host requires an argument
-config+ Use this config file
-Display+ Turn on/off display outputs
-dbcheck check database and other key files for syntax errors
-Format+ save file (-o) format
-Help Extended help information
-host+ target host
-id+ Host authentication to use, format is id:pass or id:pass:realm
-list-plugins List all available plugins
-output+ Write output to this file
-nossl Disables using SSL
-no404 Disables 404 checks
-Plugins+ List of plugins to run (default: ALL)
-port+ Port to use (default 80)
-root+ Prepend root value to all requests, format is /directory
-ssl Force ssl mode on port
-Tuning+ Scan tuning
-timeout+ Timeout for requests (default 10 seconds)
-update Update databases and plugins from CIRT.net
-Version Print plugin and database versions
-vhost+ Virtual host (for Host header)
+ requires a value
Note: This is the short help output. Use -H for full help text.
"Domaćin opcije zahtijeva argument" jasno govori da nismo uključili potrebne parametre tijekom provođenja testa. Dakle, trebamo dodati osnovni parametar potreban za probno pokretanje.
Za osnovno skeniranje potreban je domaćin kojeg želite ciljati, a prema zadanim postavkama skenira port 80 ako ništa nije navedeno. Domaćin može biti ime hosta ili IP adresa sustava. Domaćina možete odrediti pomoću opcije -h.
Na primjer, želim izvršiti skeniranje na IP 172.16.27.56 na TCP portu 80.
perl nikto.pl -h 172.16.27.56
- Nikto v2.1.5 --------------------------------------------------------------------------- + Target IP: 172.16.27.56 + Target Hostname: example.com + Target Port: 80 + Start Time: 2014-01-10 00:48:12 (GMT5.5) --------------------------------------------------------------------------- + Server: Apache/2.2.15 (CentOS) + Retrieved x-powered-by header: PHP/5.3.3 + The anti-clickjacking X-Frame-Options header is not present. + Server leaks inodes via ETags, header found with file /robots.txt, inode: 5956160, size: 24, mtime: 0x4d4865a054e32 + File/dir '/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + "robots.txt" contains 1 entry which should be manually viewed. + Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current. + Multiple index files found: index.php, index.htm, index.html + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details. + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST + OSVDB-3233: /phpinfo.php: Contains PHP configuration information + OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-3092: /test.html: This might be interesting... + OSVDB-3268: /icons/: Directory indexing found. + OSVDB-3233: /icons/README: Apache default file found. + /connect.php?path=http://cirt.net/rfiinc.txt?: Potential PHP MySQL database connection string found. + OSVDB-3092: /test.php: This might be interesting... + 6544 items checked: 0 error(s) and 16 item(s) reported on remote host + End Time: 2014-01-10 00:48:23 (GMT5.5) (11 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
Ako želite skenirati na drugi broj porta, dodajte opciju “-p” [-port]. Na primjer, želim izvršiti skeniranje na IP 172.16.27.56 na TCP portu 443.
perl nikto.pl -h 172.16.27.56 -p 443
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 172.16.27.56
+ Target Hostname: example.com
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
Ciphers: DHE-RSA-AES256-GCM-SHA384
Issuer: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time: 2014-01-10 01:08:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Server leaks inodes via ETags, header found with file /, inode: 2817021, size: 5, mtime: 0x4d5123482b2e9
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Server is using a wildcard certificate: '*.mid-day.com'
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2014-01-10 01:11:20 (GMT5.5) (174 seconds)
---------------------------------------------------------------------------
+ 1 host(s) testedTakođer možete odrediti hostove, portove i protokole koristeći cjelovitu sintaksu URL-a, a ona će biti skenirana.
perl nikto.pl -h http://172.16.27.56:80
Također možete skenirati bilo koju web stranicu. Na primjer, ovdje sam napravio skeniranje na google.com.
perl nikto.pl -h http://www.google.com
- Nikto v2.1.5 --------------------------------------------------------------------------- + Target IP: 173.194.38.177 + Target Hostname: www.google.com + Target Port: 80 + Start Time: 2014-01-10 01:13:36 (GMT5.5) --------------------------------------------------------------------------- + Server: gws + Cookie PREF created without the httponly flag + Cookie NID created without the httponly flag + Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN + Uncommon header 'x-xss-protection' found, with contents: 1; mode=block + Uncommon header 'alternate-protocol' found, with contents: 80:quic + Root page / redirects to: http://www.google.co.in/?gws_rd=cr&ei=xIrOUomsCoXBrAee34DwCQ + Server banner has changed from 'gws' to 'sffe' which may suggest a WAF, load balancer or proxy is in place + Uncommon header 'x-content-type-options' found, with contents: nosniff + No CGI Directories found (use '-C all' to force check all possible dirs) + File/dir '/groups/' in robots.txt returned a non-forbidden or redirect HTTP code (302) ….
Gornja naredba izvest će hrpu http zahtjeva (tj. Više od 2000 testova) na web poslužitelju.
Također možete izvršiti skeniranje više portova u istoj sesiji. Da biste skenirali više portova na istom hostu, dodajte opciju “-p” [-port] i navedite popis portova. Priključci se mogu definirati kao raspon (tj. 80-443) ili kao zarez odvojen (tj. 80.443). Na primjer, želim skenirati priključke 80 i 443 na hostu 172.16.27.56.
perl nikto.pl -h 172.16.27.56 -p 80,443
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on cmsstage.mid-day.com:88
---------------------------------------------------------------------------
+ Target IP: 172.16.27.56
+ Target Hostname: example.com
+ Target Port: 80
+ Start Time: 2014-01-10 20:38:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.
---------------------------------------------------------------------------
+ Target IP: 172.16.27.56
+ Target Hostname: example.com
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
Ciphers: DHE-RSA-AES256-GCM-SHA384
Issuer: /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time: 2014-01-10 20:38:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ All CGI directories 'found', use '-C none' to test none
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
.....Recimo da sustav u kojem je Nikto pokrenut ima pristup ciljanom hostu samo putem HTTP proxyja, test se i dalje može provesti na dva različita načina. Jedan koristi datoteku nikto.conf, a drugi način je izvođenje iz naredbenog retka.
Otvorite datoteku nikto.conf pomoću bilo kojeg uređivača naredbenog retka.
vi nikto.conf
Potražite varijablu "PROXY" i uklonite komentar s "#" s početka redaka kao što je prikazano. Zatim dodajte proxy host, port, proxy korisnika i lozinku. Spremite i zatvorite datoteku.
# Proxy settings -- still must be enabled by -useproxy PROXYHOST=172.16.16.37 PROXYPORT=8080 PROXYUSER=pg PROXYPASS=pg
Sada izvršite Nikto pomoću opcije -useproxy. Imajte na umu da će se sve veze prenositi putem HTTP proxyja.
[email nikto-2.1.5]# perl nikto.pl -h localhost -p 80 -useproxy
- Nikto v2.1.5 --------------------------------------------------------------------------- + Target IP: 127.0.0.1 + Target Hostname: localhost + Target Port: 80 + Start Time: 2014-01-10 21:28:29 (GMT5.5) --------------------------------------------------------------------------- + Server: squid/2.6.STABLE6 + Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6) + The anti-clickjacking X-Frame-Options header is not present. + Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0 + Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080
Da biste Nikto pokrenuli izravno iz naredbenog retka pomoću opcije "-useproxy" postavljanjem proxyja kao argumenta.
[email nikto-2.1.5]# perl nikto.pl -h localhost -useproxy http://172.16.16.37:8080/
- Nikto v2.1.5 --------------------------------------------------------------------------- + Target IP: 127.0.0.1 + Target Hostname: localhost + Target Port: 80 + Start Time: 2014-01-10 21:34:51 (GMT5.5) --------------------------------------------------------------------------- + Server: squid/2.6.STABLE6 + Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6) + The anti-clickjacking X-Frame-Options header is not present. + Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0 + Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080
Možete automatski ažurirati Nikto na najnovije dodatke i baze podataka, jednostavno pokrenite naredbu "-update".
perl nikto.pl -update
Ako su dostupna nova ažuriranja, vidjet ćete popis preuzetih novih ažuriranja.
+ Retrieving 'nikto_report_csv.plugin' + Retrieving 'nikto_headers.plugin' + Retrieving 'nikto_cookies.plugin' + Retrieving 'db_tests' + Retrieving 'db_parked_strings' + Retrieving 'CHANGES.txt' + CIRT.net message: Please submit Nikto bugs to http://trac2.assembla.com/Nikto_2/report/2
Također možete ručno preuzeti i ažurirati Nikto dodatke i baze podataka s http://cirt.net/nikto/UPDATES/.
Referentni linkovi
Početna stranica Nikto