72. Task 72 - Scanning Tool Nikto (using Httrack)



1. Introduction to Nikto
① An open-source web server scanner written in Perl.
② Looks for files and programs on the server that are a security risk.
③ Checks the server configuration for weaknesses.
④ Checks for security issues at the web application level.
⑤ Avoids false positives from custom 404 pages: many servers do not follow the RFC and return a 200 response even for objects that do not exist. Nikto therefore requests non-existent files with several different extensions (the "not found" page can differ per extension), removes the time-dependent parts of each response body and stores the MD5 of what is left; a later response that hashes to the same value is treated as "not found" regardless of its status code.
⑥ -no404: skips that check. The scan is faster, but on such servers every probed path looks like a hit, so expect false positives.

2. The nikto command
man nikto               // view the manual
nikto -list-plugins     // list the available plugins
nikto                   // print usage, version and other information
nikto -host <target>    // the target can be a URL, an IP address or a domain name, optionally with a port number
nikto -evasion <n>      // use the IDS evasion techniques from LibWhisker (several can be combined, e.g. 167):
   1  Random URI encoding (non-UTF-8)
   2  Directory self-reference (/./)
   3  Premature URL ending
   4  Prepend a long random string
   5  Fake parameter
   6  TAB as request spacer
   7  Change the case of the URL
   8  Use the Windows directory separator (\)

3. nikto in practice
Example 1: scanning a site with nikto
Target: Metasploitable (192.168.97.140:80) or (http://192.168.97.140/dvwa)

1) Scan by URL
# nikto -host http://192.168.97.140/dvwa
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.97.140
+ Target Hostname:    192.168.97.140
+ Target Port:        80
+ Start Time:         2020-02-18 20:42:42 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Cookie PHPSESSID created without the httponly flag
+ Cookie security created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /dvwa/robots.txt, inode: 93164, size: 26, mtime: Tue Mar 16 13:56:22 2010
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /dvwa/config/: Directory indexing found.
+ /dvwa/config/: Configuration information may be available remotely.
+ OSVDB-12184: /dvwa/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /dvwa/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /dvwa/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /dvwa/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /dvwa/login/: This might be interesting...
+ OSVDB-3268: /dvwa/docs/: Directory indexing found.
+ OSVDB-3092: /dvwa/CHANGELOG.txt: A changelog was found.
+ /dvwa/login.php: Admin login page/section found.
+ /dvwa/?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ /dvwa/login.php?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ /dvwa/CHANGELOG.txt: Version number implies that there is a SQL Injection in Drupal 7, can be used for authentication bypass (Drupageddon: see https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html).
+ 7914 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time:           2020-02-18 20:43:09 (GMT8) (27 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

2) Scan by IP address and port
# nikto -host 192.168.97.140:80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.97.140
+ Target Hostname:    192.168.97.140
+ Target Port:        80
+ Start Time:         2020-02-18 20:43:53 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Wed Dec 10 01:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8726 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2020-02-18 20:44:21 (GMT8) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

3) Same scan, giving the port with -p
# nikto -host 192.168.97.140 -p 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.97.140
+ Target Hostname:    192.168.97.140
+ Target Port:        80
+ Start Time:         2020-02-18 20:47:19 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Wed Dec 10 01:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8726 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2020-02-18 20:47:56 (GMT8) (37 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4) Scan several targets listed in a file (one target per line)
# vim host.txt
192.168.97.140:80
http://192.168.97.140/dvwa
:wq
# nikto -host host.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.97.140
+ Target Hostname:    192.168.97.140
+ Target Port:        80
+ Start Time:         2020-02-18 20:51:13 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Cookie PHPSESSID created without the httponly flag
+ Cookie security created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /dvwa/robots.txt, inode: 93164, size: 26, mtime: Tue Mar 16 13:56:22 2010
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /dvwa/config/: Directory indexing found.
+ /dvwa/config/: Configuration information may be available remotely.
+ OSVDB-12184: /dvwa/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /dvwa/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /dvwa/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /dvwa/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /dvwa/login/: This might be interesting...
+ OSVDB-3268: /dvwa/docs/: Directory indexing found.
+ OSVDB-3092: /dvwa/CHANGELOG.txt: A changelog was found.
+ /dvwa/login.php: Admin login page/section found.
+ /dvwa/?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ /dvwa/login.php?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ /dvwa/CHANGELOG.txt: Version number implies that there is a SQL Injection in Drupal 7, can be used for authentication bypass (Drupageddon: see https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html).
+ 7914 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time:           2020-02-18 20:51:39 (GMT8) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

5) Scanning an HTTPS site (only do this against hosts you are authorized to test)
# nikto -host www.baidu.com -port 443 --ssl
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          183.232.231.174
+ Target Hostname:    www.baidu.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=CN/ST=beijing/L=beijing/OU=service operation department/O=Beijing Baidu Netcom Science Technology Co., Ltd/CN=baidu.com
                   Ciphers:  ECDHE-RSA-AES128-GCM-SHA256
                   Issuer:   /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
+ Message: Multiple IP addresses found: 183.232.231.174, 183.232.231.172
+ Start Time:         2020-02-18 20:53:08 (GMT8)
---------------------------------------------------------------------------
+ Server: BWS/1.1
+ Cookie BAIDUID created without the secure flag
+ Cookie BAIDUID created without the httponly flag
+ Cookie BIDUPSID created without the secure flag
+ Cookie BIDUPSID created without the httponly flag
+ Cookie PSTM created without the secure flag
+ Cookie PSTM created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'traceid' found, with contents: 158203038802045693549898740171579656555
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server banner has changed from 'BWS/1.1' to 'Apache' which may suggest a WAF, load balancer or proxy is in place
^C^Z
[1]+  Stopped                 nikto -host www.baidu.com -port 443 --ssl
(The scan was interrupted here with Ctrl-C / Ctrl-Z. Note the last line: when the Server banner changes between requests, the responses are probably coming from a WAF or load balancer rather than the origin, so findings about headers and cookies describe that device as much as the site.)

6) nmap + nikto
# nmap -p 80 192.168.97.0/24 -oG - | nikto -host -
// -oG -      : nmap writes its "grepable" output to stdout
// nikto -host - : nikto reads the target list from stdin, i.e. from nmap's output
// nmap first finds which hosts in the subnet have port 80 open, then nikto scans each of those web servers
# nmap -p80 192.168.97.0/24 -oG - | nikto -host -
- Nikto v2.1.6
---------------------------------------------------------------------------
+ nmap Input Queued: 192.168.97.140:80
+ Target IP:          192.168.97.140
+ Target Hostname:    192.168.97.140
+ Target Port:        80
+ Start Time:         2020-02-18 20:54:54 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Wed Dec 10 01:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8726 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2020-02-18 20:55:19 (GMT8) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

7. In short: the scans found the following paths, which can be opened in the browser one by one
/doc            (browsable; probably the server's /usr/doc directory exposed over HTTP)
/test
/icons
/icons/README
/phpMyAdmin
/phpMyAdmin/Documentation.html
/phpMyAdmin/README
Two of the findings deserve a second look before they go into a report. The "Drupageddon" line on /dvwa/CHANGELOG.txt is a false positive: the check matches on the file name, and DVWA is not Drupal. The /dvwa/?-s lines refer to the php-cgi query-string flaw (CERT VU#520827, CVE-2012-1823); Nikto only reports that the request was answered, so confirm it by hand before treating it as exploitable.

8. Keys that can be pressed during a scan (each key toggles its option on and off):
SPACE  report the current scan status
v      verbose: show each request as it is sent, not just the findings
d      debug: the most detailed view of the scan
e      show errors
p      show scan progress
r      show redirects
c      show cookies
a      show authentication
q      quit
N      skip to the next host
P      pause the scan

9. Nikto's configuration file: /etc/nikto.conf
① USERAGENT=Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
   // change this to the user agent of an ordinary browser so the scanner is not obvious in the server logs
② RFIURL=http://cirt.net/rfiinc.txt?
   // the URL that the remote file inclusion tests try to include
③ Cookies. The format is:
   STATIC-COOKIE="cookie1"="cookie value";"cookie2"="cookie val"
   For an authenticated DVWA scan change it to:
   STATIC-COOKIE="PHPSESSID"="f78ecdb9ddabf004730e34d1c51dd450";"security"="high"
   // the cookie values come from the browser:
   Step 1: open http://192.168.97.140/dvwa in the browser and log in
   Step 2: press F12 (refresh the page if the cookies do not appear)
   Step 3: click Storage, copy the cookie values, and paste them into /etc/nikto.conf

10. nikto -evasion
# nikto -host http://192.168.97.140/dvwa -evasion 167
// evasion techniques 1, 6 and 7 combined
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.97.140
+ Target Hostname:    192.168.97.140
+ Target Port:        80
+ Using Encoding: Random URI encoding (non-UTF8)
+ Using Encoding: TAB as request spacer
+ Using Encoding: Change the case of the URL
+ Start Time:         2020-02-18 21:04:39 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ /dvwa/fx29id1.txt: Payload for Fx29ID RFI exploit. The server may have been compromised to act as a repository for this file.
+ Cookie PHPSESSID created without the httponly flag
+ Cookie security created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ 7914 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-02-18 21:05:00 (GMT8) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Compare this with the plain scan of the same URL in example 1: 9 items instead of 25, and a new one (/dvwa/fx29id1.txt) that did not appear before. The evasion options mangle every request, and the target does not always resolve the mangled URL the way the plain one would, so evasion can both hide real findings and create new false positives. Use it to get past an IDS, then verify the differences by hand.
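The following shell script is an added example (not from the page or the Nikto project) of the idea behind the 404 fingerprint described in section 1 ⑤: strip the time-dependent text from a response body, hash the rest, and treat two bodies with the same hash as the same "not found" page. The three response bodies are constructed for the example, and the sed patterns are an assumption about what "time information" looks like (ISO dates, clock times, RFC 1123 dates); Nikto's own patterns are different.

```shell
#!/bin/sh
# Added example: normalize and fingerprint a response body the way a
# custom-404 check does. Not Nikto's code; see the lead-in for assumptions.

# normalize_body: read a body on stdin and drop tokens that look like a
# date or a time, so two copies of the same page served at different
# moments become byte-identical.
normalize_body() {
    sed -E \
        -e 's/[0-9]{4}-[0-9]{2}-[0-9]{2}//g' \
        -e 's/[0-9]{1,2}:[0-9]{2}(:[0-9]{2})?//g' \
        -e 's/(Mon|Tue|Wed|Thu|Fri|Sat|Sun), [0-9]{2} [A-Z][a-z]{2} [0-9]{4}//g'
}

# fp404: print the MD5 of the normalized body read from stdin.
fp404() {
    normalize_body | md5sum | cut -d' ' -f1
}

# same_fingerprint BODY_A BODY_B: exit 0 when both bodies hash to the same value.
same_fingerprint() {
    [ "$(printf '%s' "$1" | fp404)" = "$(printf '%s' "$2" | fp404)" ]
}

# Constructed sample responses (not captured from a real server): two custom
# "not found" pages that differ only in their timestamp, and a real page.
NOTFOUND_A='<html><body><h1>Not Found</h1><p>Generated 2020-02-18 20:42:42</p></body></html>'
NOTFOUND_B='<html><body><h1>Not Found</h1><p>Generated 2020-02-18 20:43:09</p></body></html>'
REAL_PAGE='<html><body><h1>Login</h1><form action="login.php"></form></body></html>'

# Stand-alone demonstration.
if same_fingerprint "$NOTFOUND_A" "$NOTFOUND_B"; then
    echo "A and B: same fingerprint, treat a 200 with this body as 'not found'"
fi
if ! same_fingerprint "$NOTFOUND_A" "$REAL_PAGE"; then
    echo "A and the real page: different fingerprint, this is a genuine hit"
fi
```

In a scanner the two "not found" hashes are recorded once per extension at the start of the scan; each later 200 response is normalized and hashed the same way and discarded when it matches. -no404 skips this stage, which is why it speeds the scan up at the cost of false positives on servers that answer 200 for everything.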
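The nmap + nikto pipeline in section 6 feeds nmap's grepable output straight into nikto. The shell script below is an added example (not from the page or either project) that does the intermediate step explicitly: it parses `-oG` lines into one `host:port` per open TCP port, so the target list can be reviewed and saved before handing it to `nikto -host targets.txt`. The nmap output it parses is constructed for the example; the hosts and ports are assumptions, not results from a real scan.

```shell
#!/bin/sh
# Added example: turn `nmap -oG -` output into a nikto target list.
# Not Nikto's or nmap's code; see the lead-in for assumptions.

# Constructed sample of `nmap -p 80,443,8080 -oG - 192.168.97.0/24` output
# (real nmap separates the fields with tabs; spaces parse the same way here).
SAMPLE_OG='# Nmap 7.80 scan initiated Tue Feb 18 20:54:00 2020 as: nmap -p 80,443,8080 -oG - 192.168.97.0/24
Host: 192.168.97.1 ()   Status: Up
Host: 192.168.97.1 ()   Ports: 80/closed/tcp//http///, 443/closed/tcp//https///, 8080/closed/tcp//http-proxy///
Host: 192.168.97.140 () Status: Up
Host: 192.168.97.140 () Ports: 80/open/tcp//http///, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///   Ignored State: closed (0)
Host: 192.168.97.150 () Status: Up
Host: 192.168.97.150 () Ports: 80/closed/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
# Nmap done at Tue Feb 18 20:54:10 2020 -- 256 IP addresses (3 hosts up) scanned in 10.00 seconds'

# og_open_targets: read -oG lines on stdin, print "host:port" for every
# port whose state is "open" and protocol is "tcp". Each port field has the
# form port/state/protocol/owner/service/rpcinfo/version.
og_open_targets() {
    awk '
        /^Host: / && /Ports: / {
            host = $2
            sub(/.*Ports: /, "")
            sub(/[ \t]*Ignored State:.*/, "")
            n = split($0, ports, /, */)
            for (i = 1; i <= n; i++) {
                split(ports[i], f, "/")
                if (f[2] == "open" && f[3] == "tcp") print host ":" f[1]
            }
        }'
}

# Stand-alone demonstration: build the list, then scan it.
printf '%s\n' "$SAMPLE_OG" | og_open_targets > targets.txt
cat targets.txt
# On a live network the pipeline is:
#   nmap -p 80,443,8080 192.168.97.0/24 -oG - | og_open_targets > targets.txt
#   nikto -host targets.txt -output nikto-results.txt
```

Keeping the list in a file also lets you drop hosts that are out of scope before nikto starts, and nikto's -output option then writes one report for the whole run.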
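Section 9 edits /etc/nikto.conf in place, which changes every future scan on the machine. The shell script below is an added example (not from the page or the Nikto project) that instead builds a copy of the config for one scan, with the STATIC-COOKIE line assembled in the `"name"="value";"name"="value"` syntax the file expects, and passes it with nikto's -config option. The small base config it starts from is constructed for the example; on a real system use /etc/nikto.conf as the base. The cookie value is the one the page copied from the browser and the browser user agent string is an assumption.

```shell
#!/bin/sh
# Added example: write a per-scan nikto config with the cookies and user
# agent from section 9. Not Nikto's code; see the lead-in for assumptions.

# cookie_line NAME=VALUE [NAME=VALUE ...]: print a STATIC-COOKIE directive,
# with each pair quoted and the pairs joined by ';'.
cookie_line() {
    line=""
    for pair in "$@"; do
        name="${pair%%=*}"
        value="${pair#*=}"
        entry="\"$name\"=\"$value\""
        if [ -z "$line" ]; then line="$entry"; else line="$line;$entry"; fi
    done
    printf 'STATIC-COOKIE=%s\n' "$line"
}

# make_scan_conf BASE OUT UA NAME=VALUE...: copy BASE to OUT, dropping any
# USERAGENT or STATIC-COOKIE lines it already has, then append ours, so the
# rest of the settings (plugin directory, RFIURL, ...) are kept unchanged.
make_scan_conf() {
    base="$1"; out="$2"; ua="$3"; shift 3
    grep -v -E '^(USERAGENT|STATIC-COOKIE)=' "$base" > "$out"
    printf 'USERAGENT=%s\n' "$ua" >> "$out"
    cookie_line "$@" >> "$out"
}

WORK="${TMPDIR:-/tmp}"
BASE_CONF="$WORK/nikto-base.conf"
SCAN_CONF="$WORK/dvwa-nikto.conf"

# Constructed stand-in for /etc/nikto.conf with the lines section 9 talks about.
cat > "$BASE_CONF" <<'EOF'
# nikto config (constructed example base)
USERAGENT=Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
RFIURL=http://cirt.net/rfiinc.txt?
#STATIC-COOKIE="cookie1"="cookie value";"cookie2"="cookie val"
EOF

# Values for the DVWA scan: session cookie copied from the browser (section 9),
# security level "high", and an ordinary Firefox user agent (assumption).
BROWSER_UA="Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
make_scan_conf "$BASE_CONF" "$SCAN_CONF" "$BROWSER_UA" \
    "PHPSESSID=f78ecdb9ddabf004730e34d1c51dd450" "security=high"

cat "$SCAN_CONF"
# Then run the authenticated scan without touching /etc/nikto.conf:
#   nikto -config "$SCAN_CONF" -host http://192.168.97.140/dvwa
```

Because the session id is a credential, delete the generated file after the scan, and regenerate it whenever you log in again: DVWA issues a new PHPSESSID per session, and a stale cookie silently turns the authenticated scan back into an unauthenticated one.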