nikto's People

Contributors

328, boghicieusebiu, datadiode, dnet, drwetter, ethicalhack3r, felipenazario, firefart, h3xx, huntclauss, iasdeoupxe, james-otten, khorben, mattburch, mostafahussein, moxli, mubix, natlibfi-arlehiko, nicolascarpi, opt9, oxr463, paulsec, petermosmans, pvdl, rbsec, sempf, sjord, sullo, tautology0, wireghoul


nikto's Issues

Allow better support for external dictionaries

There are several web projects which have dictionaries of common files/directories. These are partially supported by the nikto_dictionary_attack plugin, although this was built around the dirbuster dictionaries.

Allow support for other common types of dictionaries, such as fuzzdb.

Also allow support for variables defined in nikto.conf/db_variables to be used to define the path, e.g. @fuzzdb or @dirbuster.

302 directory checks

find a way to test a 302 on a dir without giving false positives, like... /admin/ -> 302 -> /admin/login.aspx

this was missed!

Don't save password in report

If you save a report and use the -id option, the username/pass will be saved to the report. This should be masked.

Provide abstracted method for printing

At the moment messages to the calling console are done through nprint or add_vulnerability.

Nprint is quite hacky and has lots of

if (fred) { jim }
elsif (shelia) { arrabella}
type constructs.

The proposal to replace both log and add_vulnerability with a new function log with a format: log($message, $type, $mark, [$nikto_id, $osvdb, $method, $uri])

Where message is the raw message, type is the type of message (verbose, vulnerability, debug, error, fatal error ad nauseam) $mark etc are the standard parameters.

This will also include a hook to allow plugins to intercept messages (e.g. for writing to report files).

Database loading is not performed optimally for multitarget scans

For some plugins the recon/scan phase loads the database which works fine for single target scans, but if we scan multiple targets this may cause the database to be loaded for each target which isn't efficient. It may also mess us up when we thread Nikto.

We could load during plugin initialisation, but this would cause the database to be loaded even if we're not running the plugin.

It may be best to create a new "load" hook which is run between Nikto initialisation and before we do individual targets. This could then allow the plugin to do any database mangling and not take up extra memory, CPU and IO for multiple targets.

Memory cleanup: configuration hashes

Nikto currently uses 3 global hashes to keep configuration data: %NIKTOCONFIG - for stuff read from the config file
%NIKTO - for general stuff
%CLI - for stuff read from the command line
As well as wasting memory and confusing plugin developers, it breaks the keep data only once rule. It also makes life more difficult for alternative UIs.

We should mangulate these 3 hashes into one (%NIKTO), this gives us the side benefit of following the standard over-rule process e.g. CLI over-rules config over-rules defaults.

We also keep information in %NIKTO (such as the help text) throughout its life which isn't needed once we've finished checking the CLI, wasting more memory.

Pre-Compiled Windows distribution

Changed 4 years ago by deity

This is interesting - pp and libwhisker don't work well together - it seems to be due to the out of date version of openssl with the only Net::SSLeay that you can get for activestate perl.

May need to investigate other perls...

comment:3 Changed 4 years ago by deity

Milestone changed from Nikto 2.04 to Future

comment:4 Changed 3 years ago by deity

Owner set to deity
Fixed the issue with Net::SSLeay - with ActiveState Perl, Net::SSL is used instead. But this leads to a few questions about pre-compiled Windows distributions:

Need to test on a machine that has never seen perl
Do we release as an MSI or just as a directory
A patch is needed to read the home environment correctly under Windows.

comment:5 Changed 3 years ago by sullo
What's the plan for compiling? PerlApp, PAR, perl2exe...?

comment:6 Changed 3 years ago by deity
I've managed a successful compile and archive with PAR - though this does give a large executable (over 2M in size) and there is a wee delay before Nikto spawns.

This tells me its technically feasible, but needs some more time tuning to get to a release candidate.

Create an XSL transform for XML reports

Other security tools have XSL transforms for reformatting their security reports, so that one can easily view the XML results in a browser.

As NiktoXML is a simple DTD it should be able to knock up a quick XSL to format the results nicely (and maybe replace the -output html option).

Add all tested itemids as template variable

reported by steve01:
This patch adds a template variable that contains the itemids of all things tested and also adds this to the standard XML report. This is against the nikto-current distributed at http://www.cirt.net/nikto/nikto-current.tar.gz

diff -Naur ../orig/plugins/nikto_reports.plugin ./plugins/nikto_reports.plugin
--- ../orig/plugins/nikto_reports.plugin 2008-09-04 13:00:41.000000000 -0400
+++ ./plugins/nikto_reports.plugin 2008-09-15 18:31:18.169663592 -0400
@@ -129,6 +129,7 @@
$variables{"#TEMPL_LINK_NAME"} = "$protocol://$TARGETS{$CURRENT_HOST_ID}{hostname}:$CURRENT_PORT";
$variables{"#TEMPL_LINK_IP"} = "$protocol://$TARGETS{$CURRENT_HOST_ID}{ip}:$CURRENT_PORT/";
$variables{"#TEMPL_ITEMS_FOUND"} = $TARGETS{$CURRENT_HOST_ID}{total_vulns};

  • $variables{"#TEMPL_ITEMS_ITEMIDS"} = join(',', keys %TESTS);

if ($TARGETS{$CURRENT_HOST_ID}{hostname} ne "")
{
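Review bot: `join(',', keys %TESTS)` on the added line emits the ids in Perl's internal hash order, which is not stable from one run to the next, so two reports of the same scan can list identical ids in different orders and a textual diff between them (the stated purpose of the variable) will show spurious changes; `join(',', sort keys %TESTS)` makes the list reproducible.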
diff -Naur ../orig/templates/xml_close.tmpl ./templates/xml_close.tmpl
--- ../orig/templates/xml_close.tmpl 2008-09-04 13:00:41.000000000 -0400
+++ ./templates/xml_close.tmpl 2008-09-15 18:32:37.282099523 -0400
@@ -1 +1,2 @@
+<tested_itemids>#TEMPL_ITEMS_ITEMIDS</tested_itemids>
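Review bot: the header `@@ -1 +1,2 @@` says the new file has two lines (the added one plus one unchanged line), but only the `+` line is shown here, so the hunk lacks its context line and will not apply as posted. Separately, packing every id into one comma-separated text node pushes the splitting onto each consumer of the XML; one `<tested_itemid>` element per id is easier to query with any XML parser.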

Changed 4 years ago by deity
It's a good idea; and I like what you're doing here (as it aids the repeatability of a test and shows differences 'twixt two tests).

Unfortunately, as it's currently written it won't work, either on 2.03, or on the trunk version, as several items aren't written to the TESTS hash unless they're successfully tested.

What's worse is that, in trying to make nikto thread safe, I'm cutting out a lot of global variables and the TESTS variable is one of those destined for the chop (globals being the bane of threading).

I'm going to leave this call open, and when I rework the plugin architecture I'll ensure that a method to accurately record all tests to be performed in the plugin is part of it.

Milestone changed from Nikto 2.1.0 to Future
Moving this to future: I want to add a way of registering tids for each plugin (to minimise duplication). This'll be added then.

Consolidate db_tests pass/fail fields

Regular expressions invalidate the need for multiple pass/fail match fields in db_tests. We should consolidate them to a single match field and a single fail field. A single field for each will let us do easy alternation for pass or fail matching, but keep us from having to use fairly expensive lookarounds for negative matching and both pass/fail conditions.

apache_enum_users fails for cgiwrap

The code for apache_enum_users always returns if it doesn't succeed with a ~user test.

As we could do with adding entropysearch; it'll probably be quicker to rewrite the logic of this plugin.


Basically, the logic for the apache_enum_users plugin goes:

Test to see whether ~user works
If not leave
Test to see whether cgiwrap is going be used then enum with cgiwrap
Otherwise enum with ~user
So basically it won't enum with cgiwrap unless you can enum with ~user.

ETag mtime, correct date-time display, fix.

--- plugins/nikto_headers.plugin.old    2013-01-11 13:42:06.843697611 +0100
+++ plugins/nikto_headers.plugin        2013-01-11 13:43:55.399702866 +0100
@@ -105,11 +105,12 @@
              my $inode = "0x$fields[0]";
              my $size  = "0x$fields[1]";
              my $mtime = "0x$fields[2]";
+            my $ltime=substr( sprintf("%s",hex($mtime)) , 0,10);

-            # for some reason $mtime is mangled
+            # Thanks to Anna at qcic.nl $mtime is no longer mangled
              $message .=
                ($ishex == 1)
-              ? sprintf(", inode: %d, size: %d, mtime: %s", hex($inode), hex($size), $mtime)
+              ? sprintf(", inode: %d, size: %d, mtime: %s", hex($inode), hex($size), scalar(localtime($ltime)) )
                : sprintf(", inode: %s, size: %s, mtime: %s", $inode,      $size,      $mtime);
          }
          else {
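Review bot: `substr(sprintf("%s", hex($mtime)), 0, 10)` on the added `$ltime` line relies on the decimal form of `hex($mtime)` having exactly 16 digits, i.e. a microsecond timestamp from September 2001 onwards; for an older mtime (15 digits) the first ten digits are the seconds multiplied by ten, and `localtime` then prints a date centuries in the future instead of a wrong-looking value. Dividing instead, `my $ltime = int(hex($mtime) / 1_000_000);`, yields the seconds for any magnitude and makes the intent explicit.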

Revamp 404 Checking

When we check 404 strings, we check + to figure out if we should use the HTTP response code, content match or content hash. This fails miserably when a "subdirectory" has completely different response codes than the root level.

One way to fix would be to expand the testing map and make it more accurate/dynamic, so that we would only check /+ if we have a test for that at the root level. If we do this on the fly (for each check), when we see a request for /servlet/some.servlet, if we don't have a mapped 404 method for /servlet/+ we would just check it on the fly. This would get scans rolling faster, though in the end it makes little difference overall compared to up-front processing.
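An added example of the on-the-fly per-directory map the issue proposes, written in Python rather than Nikto's Perl and not part of Nikto itself. The `fake_fetch` server, its three directories and the probe names are constructed for the example; the only thing taken from the issue is the idea that each directory gets its own 404 method (status code, content hash, or content match), learned the first time a path under it is tested.

```python
import hashlib
import os
import posixpath
import secrets
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


# Constructed stand-in for the target web server (an assumption of this example):
# each "directory" answers a missing file differently, which is the case the
# issue describes.
def fake_fetch(path: str) -> Response:
    known = {
        "/": Response(200, "welcome"),
        "/servlet/some.servlet": Response(200, "servlet ok"),
        "/static/app.js": Response(200, "console.log('app')"),
    }
    if path in known:
        return known[path]
    if path.startswith("/servlet/"):
        # servlet container: 200 plus an error page that embeds the requested name
        return Response(200, "Servlet not found: " + posixpath.basename(path))
    if path.startswith("/static/"):
        # CDN-style soft 404: a fixed page served with a 200 status
        return Response(200, "<html>soft 404 page</html>")
    return Response(404, "Not Found")


def _directory_of(path: str) -> str:
    parent = posixpath.dirname(path)
    return parent if parent.endswith("/") else parent + "/"


def _learn_404(directory: str, fetch) -> dict:
    """Probe a directory with two random names and pick the cheapest reliable method."""
    # The probe names start with different letters so that any shared prefix in the
    # bodies comes from the server's error page, never from the names themselves.
    names = [letter + secrets.token_hex(6) for letter in ("a", "b")]
    probes = [fetch(directory + name) for name in names]
    if all(p.status == 404 for p in probes):
        return {"method": "code", "value": 404}
    digests = [hashlib.sha256(p.body.encode()).hexdigest() for p in probes]
    if digests[0] == digests[1]:
        return {"method": "hash", "value": digests[0]}
    prefix = os.path.commonprefix([p.body for p in probes])
    if not prefix:
        # nothing stable to match on: fall back to the status code alone
        return {"method": "code", "value": 404}
    return {"method": "match", "value": prefix}


def is_404(path: str, fof_map: dict, fetch=fake_fetch) -> bool:
    """Decide whether `path` is a miss, learning its directory's 404 behaviour on first use."""
    directory = _directory_of(path)
    if directory not in fof_map:
        fof_map[directory] = _learn_404(directory, fetch)
    rule = fof_map[directory]
    resp = fetch(path)
    if rule["method"] == "code":
        return resp.status == rule["value"]
    if rule["method"] == "hash":
        return hashlib.sha256(resp.body.encode()).hexdigest() == rule["value"]
    return resp.body.startswith(rule["value"])


if __name__ == "__main__":
    fof = {}
    for candidate in ("/admin.php", "/servlet/some.servlet", "/servlet/x.servlet", "/static/secret.js"):
        print(candidate, "missing" if is_404(candidate, fof) else "present")
    print(fof)
```

The map costs two extra requests per directory the first time it is seen, which is the trade-off the issue mentions: cheaper than probing every directory up front, and a directory that is never tested is never probed.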

Allow Tuning to do a keyword search

Allow the -Tuning option to accept a keyword search parameter, such as:

-Tuning search:admin

to only run tests which contain 'admin' in the db_tests entry.

Add location to db_favicon

We should be able to provide a location for a favicon.ico file in the database, as they don't always live at /favicon.ico

Enhanced cookie options

Add an option to snarf up any cookies seen from base request(s) and then send them back on subsequent requests. Have seen a server which allowed some resource to be returned but only if a cookie was present.

Fatal errors should be in report

If you test a server which doesn't resolve, nikto errors, but does create an empty report file. We should write the host header and reason for error to the report file, so if it's run in a script/batch you'll have a record as to why it failed.

Double directory names in report

When using the -root option, some report items will have the directory name listed twice, e.g.:

  • /dir1/dir/item.txt

instead of

  • /dir1/item.txt

Add -Format all

Add '-Format all' to allow saving of all (file based) report types, so a user can have them all.

Would also like to support something like '-Format xml,csv' so user can specify exactly what they want.

Invalid XML when appending to the report

Sorry to reopen this again, the XML looked OK but I've just started parsing it for the Dradis importer and realised that it still isn't valid.

The problem is that the current format is:

<niktoscan>

<scandetails>...</scandetails>

</niktoscan> <niktoscan>

<scandetails>...</scandetails>

</niktoscan>

without an overall wrapper tag. Parsers consider this invalid, it should look something like this:

<nikto>

<niktoscan>

<scandetails>...</scandetails>

</niktoscan> <niktoscan>

<scandetails>...</scandetails>

</niktoscan>

</nikto>

to be valid. For now I'm going to force in the open and close tags so that I can parse it. Adding this shouldn't be too hard I don't think but it will change the format and so probably break the file for anyone else parsing it. Not sure what to suggest.

cc @digininja
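An added example (Python, not part of Nikto or the Dradis importer) of the workaround the comment describes: detect that an appended report is not a single XML document, wrap the concatenated `<niktoscan>` elements in one root element, and parse the result. The sample report text, its attribute names and the `nikto` root tag name are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a report file that two scans were appended to. The shape
# (one bare <niktoscan> per scan, no overall wrapper) is what the issue describes;
# the attribute names and values are made up for this example.
APPENDED_REPORT = """<?xml version="1.0" ?>
<niktoscan>
<scandetails targetip="192.0.2.10" targethostname="host-a.example">
<item id="1" method="GET"><uri>/admin/</uri></item>
</scandetails>
</niktoscan>
<?xml version="1.0" ?>
<niktoscan>
<scandetails targetip="192.0.2.11" targethostname="host-b.example">
<item id="2" method="GET"><uri>/backup/</uri></item>
</scandetails>
</niktoscan>
"""

_XML_DECL = re.compile(r"<\?xml[^>]*\?>")


def is_well_formed(text: str) -> bool:
    """True if the text is one XML document with a single root element."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def wrap_appended_report(text: str, root_tag: str = "nikto") -> str:
    """Turn a file of concatenated <niktoscan> documents into one document with a
    single root element, dropping any repeated XML declarations on the way."""
    body = _XML_DECL.sub("", text).strip()
    return f'<?xml version="1.0" ?>\n<{root_tag}>\n{body}\n</{root_tag}>\n'


def parse_appended_report(text: str):
    """Parse the report, wrapping it first only if it is not already well formed."""
    if not is_well_formed(text):
        text = wrap_appended_report(text)
    return ET.fromstring(text)


def scanned_hosts(text: str) -> list:
    """Target IPs in report order, one per <scandetails> element."""
    root = parse_appended_report(text)
    return [s.get("targetip") for s in root.iter("scandetails")]
```

Because the wrapper is only applied when parsing fails, the same importer keeps working if the report format later gains its own root element. Report files produced from scans of untrusted hosts should be parsed with a hardened parser such as defusedxml rather than the stdlib one shown here, since scan output can carry attacker-influenced strings.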

Multi-Processing

I've done a quick proof of concept on a local copy of the code (not going to be changed on the svn repository, until I make a decision). It is relatively trivial to set up plugins to run in separate threads. Though perl's pretty brain dead method of threading makes this quite hard and kludgy. (You have to share non-complex variables to pass data 'twixt the parent and the thread. If you want anything more complicated than a hash then you're out of luck).

This also makes it trivial to add key presses to return status indicators, alter verbosity etc.

This leaves some questions that need answers to:

Number of threads needed
Way of passing %age complete for each plugin
Do we want sub-threading of plugins (e.g. nikto_tests.plugin takes so much longer than any other plugin)
mark counters don't work due to aforementioned perl brain deadness in use of complex variables

Undefined subroutine &main::get_ips

got this error:
Undefined subroutine &main::get_ips called at /root/pentest/web/nikto/plugins/nikto_headers.plugin line 72.

here is the command that i used:
./nikto.pl -no404 -nossl -useproxy -config nikto.burp.conf -host 192.168.150.101

Split nikto_core.plugin

Currently the plugins/nikto_core.plugin library contains both Nikto internal methods to do Nikto internal magic and methods for plugins to use for their own flavour of magic. This could cause confusion with plugin developers.

We should split up nikto_core into "internal" functions and functions for plugins. Potentially creating the plugin functions as a perl module.

Set Arbitrary Headers

Create a method to allow arbitrary headers to be set with every request.

Technically this is easy enough, as most stuff routes through nfetch and setup_hash. The only difficult bit is the UI variant, a couple of suggestions:

In nikto.conf:
HEADERS=X-Debug:true X-RevealSource:true

and on the CLI:
-headers X-Debug:true,X-RevealSource:true
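An added example (Python, not Nikto's own Perl code) that serves two of the issues above: it parses both header spellings proposed here (space-separated in nikto.conf, comma-separated on the CLI) and resolves them through the single override chain the "Memory cleanup: configuration hashes" issue asks for, CLI over config file over defaults. The default values, the conf text and the `-headers`/`-timeout` CLI keys are constructed for the example; header names are checked against the RFC 7230 token syntax so that nothing with CR or LF can reach the wire.

```python
import re

# RFC 7230 "token" characters: a header name may contain only these, which also
# keeps CR/LF (header injection) out of anything we later put on the wire.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_header_spec(spec: str) -> dict:
    """Parse 'X-Debug:true X-RevealSource:true' (nikto.conf style) or
    'X-Debug:true,X-RevealSource:true' (CLI style) into a name -> value dict."""
    headers = {}
    for item in re.split(r"[,\s]+", spec.strip()):
        if not item:
            continue
        name, colon, value = item.partition(":")
        if not colon or not _TOKEN.match(name):
            raise ValueError(f"malformed header entry: {item!r}")
        headers[name] = value
    return headers


def parse_conf(text: str) -> dict:
    """Minimal KEY=VALUE reader for nikto.conf-style files; keys are lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def resolve_config(defaults: dict, conf: dict, cli: dict) -> dict:
    """Build one settings dict where CLI beats config file beats defaults."""
    merged = dict(defaults)
    for layer in (conf, cli):
        for key, value in layer.items():
            if value is not None:
                merged[key] = value
    if isinstance(merged.get("headers"), str):
        merged["headers"] = parse_header_spec(merged["headers"])
    return merged


# Constructed inputs (assumptions of this example, not Nikto's real defaults).
DEFAULTS = {"headers": {}, "timeout": "10", "useragent": "example-scanner"}
CONF_TEXT = """# nikto.conf (constructed)
HEADERS=X-Debug:true X-RevealSource:true
TIMEOUT=30
"""


def demo(cli: dict) -> dict:
    """Resolve the constructed defaults and conf file against the given CLI values."""
    return resolve_config(DEFAULTS, parse_conf(CONF_TEXT), cli)
```

One consequence of the space-separated conf syntax is that header values cannot contain whitespace; a value that needs it has to come in via the comma-separated CLI form or a quoted syntax the issue does not propose.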

nfetch doesn't need to return headers distinctly

Since nfetch can return the full response object (%response), the received headers don't really need to be returned on their own, as the recipient of the nfetch() return values can pull them out of %response. That should cut down the amount of data (and confusion) flying around.

Duplicate messages with wildcarded certificates

Having a wildcard certificate produces two messages (as shown below); in reality the root issue is the wildcard certificate, which can never match the hostname correctly (as *'s aren't allowed in hostnames).

  • Server is using a wildcard certificate: '*.vulnerable.com/emailAddress=[email protected]'
  • Hostname 'wibble.vulnerable.com' does not match certificate's
    CN '*.vulnerable.com/emailAddress=[email protected]'
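An added example (Python, not Nikto's plugin code) of how a wildcard-aware comparison collapses the two messages into one: the CN is taken from the subject string in the form Nikto prints it, a leading `*` label is allowed to stand for exactly one label, and the mismatch message is only emitted when the certificate really does not cover the host. The subject string, the email address and the message wording are constructed for the example.

```python
def extract_cn(subject: str) -> str:
    """Nikto prints the certificate subject as the CN followed by slash-separated
    RDNs (e.g. '*.vulnerable.com/emailAddress=...'); keep only the CN part."""
    return subject.split("/", 1)[0].strip()


def hostname_matches(hostname: str, cn: str) -> bool:
    """Wildcard-aware comparison: a leading '*' label matches exactly one label and
    is only honoured when at least two labels follow it (so '*.com' never matches)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    cn_labels = cn.lower().rstrip(".").split(".")
    if len(host_labels) != len(cn_labels):
        return False
    for index, (h, c) in enumerate(zip(host_labels, cn_labels)):
        if c == "*" and index == 0 and len(cn_labels) >= 3:
            continue  # the wildcard covers this whole label only
        if h != c:
            return False  # a '*' anywhere else is compared literally and never matches
    return True


def certificate_findings(hostname: str, subject: str) -> list:
    """Report lines for a TLS subject, without the duplicate the issue describes."""
    cn = extract_cn(subject)
    findings = []
    if cn.startswith("*."):
        findings.append(f"Server is using a wildcard certificate: '{subject}'")
    if not hostname_matches(hostname, cn):
        findings.append(f"Hostname '{hostname}' does not match certificate's CN '{subject}'")
    return findings


# Constructed subject in the format shown in the issue (email address made up).
EXAMPLE_SUBJECT = "*.vulnerable.com/emailAddress=hostmaster@vulnerable.example"
```

With this logic `wibble.vulnerable.com` against `*.vulnerable.com` yields only the wildcard finding, while `a.b.vulnerable.com` still gets both, because a single wildcard label does not span two labels; that second case is a genuine mismatch, not a duplicate.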

Interactive seems to chomp stdin chars

[Originally reported by Serge van den Boom]

When running Nikto with a source script the interactive features chomp characters off stdin.

Obviously this isn't a desirable feature for batch runs, so Nikto should either check for the host being a tty, allow the user to disable interactivity or buffer up all of stdin at initiation.

Fix for "Server leaks inodes via ETags" mtime. To show the "Date Time".

--- plugins/nikto_headers.plugin.old    2013-01-11 13:42:06.843697611 +0100
+++ plugins/nikto_headers.plugin    2013-01-11 13:43:55.399702866 +0100
@@ -105,11 +105,12 @@
             my $inode = "0x$fields[0]";
             my $size  = "0x$fields[1]";
             my $mtime = "0x$fields[2]";
+            my $ltime=substr( sprintf("%s",hex($mtime)) , 0,10);
 
-            # for some reason $mtime is mangled
+            # Thanks to Anna at qcic.nl  $mtime is no longer mangled
             $message .=
               ($ishex == 1)
-              ? sprintf(", inode: %d, size: %d, mtime: %s", hex($inode), hex($size), $mtime)
+              ? sprintf(", inode: %d, size: %d, mtime: %s", hex($inode), hex($size), scalar(localtime($ltime)) )
               : sprintf(", inode: %s, size: %s, mtime: %s", $inode,      $size,      $mtime);
         }
         else {
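Review bot: the new `$ltime` line runs before the `$ishex == 1` test, so in the non-hex branch `hex()` is applied to a string already known not to be hex and, under `use warnings`, emits an "Illegal hexadecimal digit" warning for every such header; compute `$ltime` inside the hex arm of the ternary (or guard it with `$ishex == 1`) so the `: sprintf(...)` branch is untouched. A 16-digit microsecond value also needs a 64-bit integer perl: a 32-bit build warns about integer overflow and hands a rounded float to `localtime`.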

Revamp update system

Design a new update system to make life easier and updates work better.

  • Use IO::Uncompress::Bunzip2 or similar to ease downloading dbs
  • Wrap Bunzip2 load in an eval{}
  • Use traditional or new bz2 updater, depending on availability
  • Use a date based "version" for files
  • Check hashes (stored elsewhere) of downloadable files
  • Consider update of nikto.pl
  • Consider adding/removing of plugins/* files
  • Pull directly from source repo
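An added example (Python, not Nikto's updater) covering four of the points in the list: a date-based version, a digest stored separately from the file, the digest checked before anything is decompressed, and the bunzip2 step wrapped so a bad stream is reported rather than aborting the run (the `eval{}` of the Perl original). The database content, the manifest layout and the version strings are constructed for the example.

```python
import bz2
import hashlib
import hmac

# Constructed database content and update manifest. In a real updater the manifest
# (name, date-based version, digest) is fetched from a location separate from the
# file itself, which is what "stored elsewhere" in the issue asks for.
DB_TESTS_PLAIN = (
    b'"000001","0","/example/","GET","200","","","","","Constructed entry","",""\n'
    b'"000002","0","/example2/","GET","200","","","","","Another constructed entry","",""\n'
)
DB_TESTS_BZ2 = bz2.compress(DB_TESTS_PLAIN)
MANIFEST = {
    "db_tests": {
        "version": "20130115",  # YYYYMMDD, the date-based version
        "sha256": hashlib.sha256(DB_TESTS_BZ2).hexdigest(),
    }
}


def install_update(name: str, blob: bytes, manifest: dict, installed_version: str):
    """Return (outcome, plaintext). The digest is checked before any decompression,
    so a tampered or truncated download is rejected without ever being parsed."""
    entry = manifest.get(name)
    if entry is None:
        return "unknown-file", b""
    if int(entry["version"]) <= int(installed_version):
        return "up-to-date", b""
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, entry["sha256"]):
        return "hash-mismatch", b""
    try:
        # the eval{} of the issue's list: a bad stream must not abort the whole run
        plain = bz2.decompress(blob)
    except (OSError, ValueError, EOFError):
        return "decompress-failed", b""
    return "installed", plain


if __name__ == "__main__":
    print(install_update("db_tests", DB_TESTS_BZ2, MANIFEST, "20130101")[0])
```

A digest only protects integrity against the transport; if the manifest and the file can be replaced by the same party, a signature over the manifest (checked with a key shipped with the scanner) is what turns this into a supply-chain control.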

Enhance headers checks

headers and db_headers should be updated. There shouldn't be a list of 'interesting' headers inside nikto_headers.plugin. The database should be upgraded to denote headers as interesting or not, and custom report messages if necessary.

Default location of nikto.conf on Windows

Under Unix/Linux/BSD/Mac OS X, Nikto looks in /etc for nikto.conf (then checks $HOME, then checks .). As Windows has no equivalent of /etc (other than %SystemRoot%) we need to decide on a sensible location for the system-wide home of nikto.conf.

We may need to roll this into an "official" nikto location on Windows, maybe %programfiles%\nikto.

This can be worked around by placing nikto.conf into %userprofile%

Optimizations related to -Plugin

When we restrict which plugins run via -Plugins, it is not necessary to perform some expensive operations.

Don't need to run map_codes() unless nikto_tests.plugin or nikto_robots.plugin is run. This will save us some 200 requests. Need to make sure any time is_404 is called or %FoF is needed this has been run.
I think set_scan_items() is another place we can save some execution time and memory if the things it sets up aren't needed.

Non-normal HTTP codes should be handled by nikto_core

Currently fetch/nfetch is very simple in its behaviour and just performs the request rather than actually trying to do something sensible with the response. In most cases where we usually expect a 200/404/500 this is okay and the plugin can manage it by itself.

Where it gets complicated is when we have status like 3xx or 401, at the moment each plugin handles them differently (with only nikto_tests handling 401s).

There should be standard methods/functions that plugins can use to forward non-200/404/500 requests to, if the plugin is not interested in the HTTP code.

This could be implemented like:

$cleanresponse = processresponse(%request, %response);
Where cleanupresponse will perform any non-trivial HTTP actions (e.g. follow redirects, attempt authorisation, pull 201 temporary content etc.)
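An added example (Python, not Nikto's nfetch code) of the processresponse() idea: the raw response is normalised before the plugin sees it by following redirects with a loop and depth limit and by tagging a 401 with its authentication scheme. It also covers the "/admin/ -> 302 -> /admin/login.aspx" case from the "302 directory checks" issue above: the returned redirect chain tells the caller the directory exists even though the final status is a 200 for a different resource. The target site, its URLs and the note strings are constructed for the example.

```python
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed target (an assumption of this example): url -> (status, headers, body).
FAKE_SITE = {
    "http://target.example/admin/": (302, {"Location": "login.aspx"}, ""),
    "http://target.example/admin/login.aspx": (200, {}, "<form>login</form>"),
    "http://target.example/loop": (302, {"Location": "/loop"}, ""),
    "http://target.example/secure": (401, {"WWW-Authenticate": 'Basic realm="ops"'}, ""),
    "http://target.example/ok": (200, {}, "fine"),
}


def fake_fetch(method: str, url: str) -> dict:
    """Stand-in for nfetch: one raw request, no interpretation of the result."""
    status, headers, body = FAKE_SITE.get(url, (404, {}, "Not Found"))
    return {"status": status, "headers": headers, "body": body, "url": url, "method": method}


def process_response(request: dict, response: dict, fetch=fake_fetch, max_redirects: int = 5) -> dict:
    """Follow redirects (bounded, loop-safe) and tag 401s, so a plugin only has to
    reason about the final status plus the chain that led to it."""
    method = request["method"]
    chain = [response["url"]]
    note = "ok"
    while response["status"] in REDIRECT_CODES:
        location = response["headers"].get("Location")
        if not location:
            note = "redirect-without-location"
            break
        target = urljoin(response["url"], location)
        if target in chain:
            note = "redirect-loop"
            break
        if len(chain) > max_redirects:
            note = "too-many-redirects"
            break
        if response["status"] in (301, 302, 303) and method != "GET":
            method = "GET"  # 307/308 preserve the method; the others are retried as GET
        chain.append(target)
        response = fetch(method, target)
    if response["status"] == 401:
        scheme = response["headers"].get("WWW-Authenticate", "").split(" ", 1)[0].lower()
        note = "auth-required:" + (scheme or "unknown")
    return {
        "status": response["status"],
        "url": response["url"],
        "body": response["body"],
        "chain": chain,
        "note": note,
    }


def clean_fetch(method: str, url: str, fetch=fake_fetch) -> dict:
    """Convenience wrapper: raw fetch followed by the clean-up pass."""
    return process_response({"method": method}, fetch(method, url), fetch)
```

A plugin that only wants to know whether /admin/ exists can treat "final status 200 with a chain longer than one" as "present but redirected", which is what the 302 directory check needs without producing a false positive for the login page itself.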

Timing info in reports is incorrect

Time related data in reports can often be incorrect.

  • elapsedtime in xml report is blank
  • any report generated after a control-c has missing or incomplete data
  • There is a scope issue (it seems from a quick look) with the availability of some of this info from %mark to the reporting functions.
  • In the case of canceled scans, a method should be called before writing reports to populate the otherwise missing end timestamps.
