++ NIKTO ++

v1.32

Sullo, sullo@cirt.net

http://www.cirt.net/code/nikto.shtml




OVERVIEW

Nikto is an Open Source (GPL) web server scanner

which performs comprehensive tests against web servers for multiple items,

including over 2600 potentially dangerous files/CGIs,

versions on over 625 servers, and version specific problems on over 230 servers.


Nikto is not designed as an overly stealthy tool.

It will test a web server in the shortest timespan possible.


There is support for LibWhisker's anti-IDS methods.




INSTALL

The unpacked tarball consists of a Perl script, nikto.pl, a plugins directory
(scripts) and a config file.

No installation step is required (having SSL and nmap available is still
preferable).

For SSL, the Perl module Net::SSLeay is needed.





DESCRIPTION

Nikto scans ports to find a web server, looks for the CGI directory, checks
software versions and then, depending on the plugins, runs a series of tests
against that server.

After searching, there do not seem to be any plugin files other than those
shipped in the tarball.

Description of the tests:

- Try to obtain the list of Apache users through ~username requests: a request
  for a non-existent user gives the baseline response, and any name that answers
  differently is a real account
- Check the contents of the headers
- Retrieve and check the HTTP options (allowed methods)
- Check whether the server version matches an entry in the server_msgs.db file,
  which selects version-specific tests
- Check that the versions are up to date
- Look for a password file
- Try to log in with default usernames and passwords
- List Apache users (by brute force); these can later be used to brute-force
  system accounts (over SSH, for instance)
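Added example, not Nikto's code: the heart of the header, OPTIONS, version and
~username checks from the list above, run over constructed OPTIONS responses so
that it executes offline. The banners and Allow lines are copied from the two
scans shown later on this page, and the two version rules repeat the findings
Nikto printed there; the rule format is my own and is not the layout of
server_msgs.db.

```python
import re

# Constructed sample OPTIONS responses, modelled on the two scans shown later on
# this page (banner and Allow line copied from the Nikto output there).
OPTIONS_OLD_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.1.2\r\n"
    "Allow: GET, HEAD, OPTIONS, TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)
OPTIONS_DAV_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, "
    "PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Version rules, own format (not server_msgs.db): product, branch the rule
# applies to, first fixed version, message.  Wording follows the Nikto findings
# reproduced on this page.
VERSION_DB = [
    ("Apache", (1, 3), "1.3.27",
     "Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which "
     "allows attackers to kill any process on the system. CAN-2002-0839."),
    ("PHP", (4,), "4.3.3",
     "PHP below 4.3.3 may allow local attackers to bypass safe mode and gain "
     "access to unauthorized files. BID-8203."),
]

# Methods worth a finding when the server advertises them in Allow:.
RISKY_METHODS = {
    "TRACE": "is typically only used for debugging. It should be disabled.",
    "PUT": "may allow clients to save files on the web server.",
    "DELETE": "may allow clients to remove files on the web server.",
    "CONNECT": "may allow server to proxy client requests.",
    "PROPFIND": "may indicate DAV/WebDAV is installed.",
    "PROPPATCH": "may indicate DAV/WebDAV is installed.",
}


def parse_response(raw):
    """Split a raw HTTP response into (status code, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers


def version_tuple(s):
    """'1.3.26' -> (1, 3, 26).  A suffix such as 'RC2' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", s)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def check_methods(headers):
    allowed = [m.strip().upper() for m in headers.get("allow", "").split(",")]
    return ["HTTP method '%s' %s" % (m, RISKY_METHODS[m])
            for m in allowed if m in RISKY_METHODS]


def check_versions(headers):
    """Match every product/version token in the Server banner against VERSION_DB.
    A bare 'Server: Apache' yields no token and therefore no version finding."""
    findings = []
    banner = headers.get("server", "")
    for product, version in re.findall(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", banner):
        v = version_tuple(version)
        for db_product, branch, fixed, msg in VERSION_DB:
            if (product.lower() == db_product.lower()
                    and v[:len(branch)] == branch
                    and v < version_tuple(fixed)):
                findings.append("%s/%s - %s" % (product, version, msg))
    return findings


def scan(raw):
    """Header + OPTIONS + version checks over one OPTIONS response."""
    _status, headers = parse_response(raw)
    return check_methods(headers) + check_versions(headers)


def userdir_hits(bogus_status, probes):
    """mod_userdir enumeration from the first test in the list: any /~<name>
    that answers differently from /~<bogus user> (bogus_status) names a real
    account.  PROBES maps candidate name -> status code returned for /~name."""
    return [name for name, status in probes.items() if status != bogus_status]
```

The version check is deliberately branch-aware: the Apache rule only fires on
1.3.x, so a 2.0 banner is not reported against a 1.3 advisory, and a banner
without a version number (the second scan's bare "Server: Apache") produces no
version finding at all, which is exactly why that scan reports fewer items.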


Evasion methods make the scan less conspicuous to an IDS (they do nothing to
hide it from the target's own logs).

The available evasion methods are:

  Random URI encoding (non-UTF8)
  Directory self-reference /./
  Premature URL ending
  Prepending a long random string to the request
  Fake parameter in the file name
  TAB instead of space as the request spacer
  Random character case
  Windows directory separator \ instead of /
  Session splicing

Some of them only work against servers that tolerate the mangling: random case
and the \ separator are resolved by Windows/IIS-style servers, not by a
case-sensitive Unix Apache.

The evasion methods increase the duration of the tests _considerably_.
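Added example, not LibWhisker's or Nikto's code: my own re-implementation of the
nine evasion modes listed above, numbered as nikto -e numbers them, paired with
a model of how the target server resolves the mangled request. The exact byte
patterns (the random-directory length, the %3F fake parameter, the
"/%20HTTP/1.0%0D%0AHeader:%20/../../" prefix for premature URL ending) are
assumptions that follow the descriptions of these tactics, not the strings
LibWhisker emits. The sample path /cgi-bin/test.cgi and host target.example are
constructed.

```python
import random
import re
import string
from urllib.parse import unquote

TARGET = "/cgi-bin/test.cgi"   # constructed sample path, not one from the page


def _rand(rng, n):
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(n))


def mangle(path, modes, rng):
    """Apply evasion modes (digits as in nikto -e) to PATH.  Mode 6 (TAB spacer)
    is applied in build_request() and mode 9 (session splicing) in splice()."""
    p = path
    if 1 in modes:   # random URI encoding: percent-encode about half the bytes
        p = "".join(c if c == "/" or rng.random() < 0.5 else "%%%02X" % ord(c)
                    for c in p)
    if 7 in modes:   # random case; only a case-insensitive (Windows) server resolves it
        p = "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in p)
    if 2 in modes:   # directory self-reference: /a/b -> /./a/./b
        p = p.replace("/", "/./")
    if 4 in modes:   # long random directory, then climb back out with /../
        p = "/" + _rand(rng, 40) + "/../" + p.lstrip("/")
    if 5 in modes:   # fake parameter: %3F is a literal '?' in the path, not a query
        p = "/index.htm%3F" + _rand(rng, 6) + "=" + _rand(rng, 6) + "/../" + p.lstrip("/")
    if 3 in modes:   # premature URL ending: a sniffer that stops at the first
                     # 'HTTP/1.0\r\n' records 'GET / HTTP/1.0'; the server decodes
                     # the whole URI and /../../ drops the two junk segments again
        p = "/%20HTTP/1.0%0D%0AHeader:%20/../../" + p.lstrip("/")
    if 8 in modes:   # Windows separator; only IIS-style servers accept this
        p = p.replace("/", "\\")
    return p


def build_request(path, modes, rng, host="target.example"):
    sp = "\t" if 6 in modes else " "      # mode 6: TAB instead of space
    line = "GET" + sp + mangle(path, modes, rng) + sp + "HTTP/1.0"
    return line + "\r\nHost: " + host + "\r\n\r\n"


def splice(request, seed=7):
    """Mode 9, session splicing: hand the request to the socket in 1-3 byte
    pieces so no single packet contains a recognisable signature."""
    rng, out, i = random.Random(seed), [], 0
    while i < len(request):
        n = rng.randint(1, 3)
        out.append(request[i:i + n])
        i += n
    return out


def server_view(request):
    """Model of what the target resolves: URI from the request line (space or
    TAB separated), backslash folded to '/', percent-decoded, /./ and /../
    collapsed."""
    line = request.split("\r\n", 1)[0]
    uri = re.split(r"[ \t]+", line)[1]
    segs = []
    for seg in unquote(uri.replace("\\", "/")).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
        else:
            segs.append(seg)
    return "/" + "/".join(segs)


def request_for(modes, seed=7):
    return build_request(TARGET, modes, random.Random(seed))


def resolved(modes, seed=7):
    """Mangle TARGET with MODES and return the path the server ends up with."""
    return server_view(request_for(modes, seed))
```

The check a practitioner wants before trusting an evasion mode is the one
server_view() performs: every mode except 7 and 8 must leave the resolved path
untouched, otherwise the scanner is quietly testing the wrong URL and reporting
nothing. Mode 7 only round-trips once the result is lower-cased, which is the
IIS-only caveat above made visible.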




UTILISATION

An update option refreshes the vulnerability checks and the known software
version numbers used by nikto.

A config file lets certain options be enabled automatically.

Example usage:

./nikto.pl -h x.x.x.x -e 123456789 -p 1-65535

runs nikto against the server x.x.x.x, using evasion methods 1 through 9 (this
parameter can be varied) and looking for a web server on ports 1 to 65535
(restrict this range if the web server's port is already known: the full sweep
is slow).




EXEMPLES - RESULTATS

$ ./nikto.pl -h 192.168.0.3

-***** SSL support not available (see docs for SSL install instructions) *****

---------------------------------------------------------------------------

- Nikto 1.32/1.19     -     www.cirt.net

+ Target IP:       192.168.0.3

+ Target Hostname: 192.168.0.3

+ Target Port:     80

+ Start Time:      Fri Apr  2 18:19:08 2004

---------------------------------------------------------------------------

+ Server: Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.1.2

- Server did not understand HTTP , switching to HTTP 1.1

+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE

+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.

+ Apache/1.3.26 appears to be outdated (current is at least Apache/2.0.47). Apache 1.3.28 is still maintained and considered secure.

+ PHP/4.1.2 appears to be outdated (current is at least 4.3.4RC2)

+ Apache/1.3.26 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.

+ PHP/4.1.2 - PHP below 4.3.3 may allow local attackers to safe mode and gain access to unauthorized files. BID-8203.

+ /icons/ - Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used all, the /icons directory should be removed. (GET)

+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)

+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACK)


+ /\"><img%20src=\"javascript:alert(document.domain)\"> - The IBM Web Traffic Express Caching Proxy is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)

+ /./ - Appending '/./' to a directory allows indexing (GET)

+ /?Open - This displays a list of all databases on the server. Disable this capability via server options. (GET)

+ /xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx<font%20size=50>DEFACED<!--//-- - MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version. (GET)

+ /?PageServices - The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. CVE-1999-0269. (GET)

+ /?wp-cs-dump - The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. CVE-1999-0269. (GET)

+ 14547 items checked - 9 item(s) found on remote host(s)

+ End Time:        Fri Apr  2 18:21:13 2004 (125 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested









$ ./nikto.pl -h 192.168.0.2

---------------------------------------------------------------------------

- Nikto 1.32/1.19     -     www.cirt.net

+ Target IP:       192.168.0.2

+ Target Hostname: 192.168.0.2

+ Target Port:     80

+ Start Time:      Sat Apr  3 17:10:11 2004

---------------------------------------------------------------------------

+ Server: Apache

- Server did not understand HTTP , switching to HTTP 1.1

+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

+ HTTP method 'PUT' method may allow clients to save files on the web server.

+ HTTP method 'CONNECT' may allow server to proxy client requests.

+ HTTP method 'DELETE' may allow clients to remove files on the web server.

+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists.

+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed.

+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.

+ /icons/ - Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used all, the /icons directory should be removed. (GET)

+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)

+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACK)

+ /\"><img%20src=\"javascript:alert(document.domain)\"> - The IBM Web Traffic Express Caching Proxy is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)

+ /?Open - This displays a list of all databases on the server. Disable this capability via server options. (GET)

+ /xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx<font%20size=50>DEFACED<!--//-- - MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version. (GET)

+ 14547 items checked - 6 item(s) found on remote host(s)

+ End Time:        Sat Apr  3 17:11:46 2004 (95 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested










$ ./nikto.pl -h 192.168.0.3 -e 123456789

---------------------------------------------------------------------------

- Nikto 1.32/1.19     -     www.cirt.net

+ Target IP:       192.168.0.3

+ Target Hostname: 192.168.0.3

+ Target Port:     80

+ Using IDS Evasion:    Random URI encoding (non-UTF8)

+ Using IDS Evasion:    Directory self-reference (/./)

+ Using IDS Evasion:    Premature URL ending

+ Using IDS Evasion:    Prepend long random string

+ Using IDS Evasion:    Fake parameter

+ Using IDS Evasion:    TAB as request spacer

+ Using IDS Evasion:    Random case sensitivity

+ Using IDS Evasion:    Use Windows directory separator (\)

+ Using IDS Evasion:    Session splicing

+ Start Time:      Fri Apr  2 18:58:15 2004

---------------------------------------------------------------------------

+ Server: Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.1.2

- Server did not understand HTTP , switching to HTTP 1.1

+ Apache/1.3.26 appears to be outdated (current is at least Apache/2.0.47). Apache 1.3.28 is still maintained and considered secure.

+ PHP/4.1.2 appears to be outdated (current is at least 4.3.4RC2)

+ Apache/1.3.26 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.

+ PHP/4.1.2 - PHP below 4.3.3 may allow local attackers to safe mode and gain access to unauthorized files.


Interrupted (20:30).




INTERPRETATION

As noted above, stacking this many evasion methods slows the tests down
considerably: the plain scan of 192.168.0.3 finished in 125 seconds, while the
scan with all nine methods had still not completed when it was interrupted an
hour and a half after it started.

Several kinds of information, and their implications, are reported:


- informational

  + Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE

  + HTTP method 'TRACE' is typically only used for debugging. It should be disabled.


TRACE serves no purpose in normal operation, so it is sensible to disable it.

  + / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)

TRACE echoes the request it received back in the response body, headers
included. Cross-site scripting means getting a script of the attacker's choosing
to run in the victim's browser in the context of the target site, for example
through a crafted link whose payload is hex-encoded to be less obvious.
Combined with TRACE, such a script can issue a TRACE request to the server and
read the echoed Cookie or Authorization headers, so the attacker obtains the
victim's session cookie or credentials (the "cross-site tracing" of the paper
linked above). Newer Apache releases provide TraceEnable off; on older ones a
mod_rewrite rule (RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) followed by
RewriteRule .* - [F]) refuses the method.


- version problems:

  + Apache/1.3.26 appears to be outdated (current is at least Apache/2.0.47). Apache 1.3.28 is still maintained and considered secure.

  + Apache/1.3.26 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.

New program versions often fix bugs that attackers can exploit easily. When an
obsolete version is detected, the door is open to anyone able to exploit a
known bug in that version. Here the Apache bug is a buffer overflow; it is a
local one (CAN-2002-0839 needs an account on the machine and lets that user
kill any process), but leaving this Apache version unpatched is still
dangerous.

One caveat: these findings come from the version banner alone. Distributions
such as Debian (this host reports "Debian GNU/Linux") backport security fixes
without changing the version number, so a banner match is a lead to verify
against the installed package's changelog, not proof that the flaw is present.


- file detection

+ /icons/ - Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used all, the /icons directory should be removed. (GET)

Anything that is of no use to the user but may be useful to an attacker should
be removed: here, turn indexing off (Options -Indexes in the Apache
configuration for that directory) and remove or deny access to /icons/ if it is
unused.
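The TRACE finding discussed under "informational" above, as an added example
that is not part of the original notes nor Nikto's code: a minimal server that
leaves TRACE (and its TRACK alias) enabled, the same server with both refused,
and the Nikto-style probe that tells them apart by sending a secret-looking
Cookie and checking whether it comes back in the body. The cookie value, the
loopback setup and the 405 status of the hardened variant are my assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "session=secret-xst-marker"   # constructed cookie value to look for


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Models a server with TRACE left on: the response body is the request as
    received, so every header the client sent (Cookie, Authorization) comes back."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_TRACK = do_TRACE   # the TRACK alias Nikto also probes

    def log_message(self, *args):   # keep the example quiet
        pass


class TraceDisabledHandler(TraceEnabledHandler):
    """Same server after TRACE/TRACK are refused (what 'TraceEnable off' or a
    mod_rewrite [F] rule produces, modulo the exact status code)."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACK = do_TRACE


def serve(handler):
    """Start HANDLER on an ephemeral loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_trace(host, port, method="TRACE"):
    """Nikto-style check: send METHOD with a secret-looking Cookie and report
    (status, whether that cookie value was echoed in the body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.putrequest(method, "/")
        conn.putheader("Cookie", MARKER)
        conn.endheaders()
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        return resp.status, MARKER in body
    finally:
        conn.close()


def demo(handler, method="TRACE"):
    """Spin up HANDLER, probe it once, tear it down; returns (status, reflected)."""
    srv = serve(handler)
    try:
        return probe_trace("127.0.0.1", srv.server_address[1], method)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for handler in (TraceEnabledHandler, TraceDisabledHandler):
        for method in ("TRACE", "TRACK"):
            status, reflected = demo(handler, method)
            print("%-20s %-5s -> %d, cookie echoed: %s"
                  % (handler.__name__, method, status, reflected))
```

The probe checks the body for the marker rather than trusting the status code:
a server can answer 200 to TRACE with an empty or generic body, and it is the
echo of the client's own headers, not the status, that makes the method usable
for credential theft.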




++ Libwhisker (used by nikto)++

http://www.wiretrip.net/rfp/lw.asp


Libwhisker is under the GPL.

Libwhisker is a Perl module geared specifically for HTTP testing.


Used by nikto to issue its requests; it also provides the evasion methods.