Below are all of the Nikto command line options and explanations. A brief version of this text is available by running Nikto with the -h (-help) option.
Nikto Scanner für Webserver mit Metasploit-Logging. Die aktuelle Version des Webserverscanners Nikto bietet Logging für Metasploit und kann während eines Scans. Wikto – how does it work and how do I use it? and Wikto is not just Nikto for. As a simple extra a manual query text box was added. 文件名称: nikto-2.1.1 下载 收藏√ [ 5 4 3 2 1 ] 所属分类: Internet-Socket-Network 开发工具..\nikto.1.\nikto.dtd.\nikto_manual.html plugins\db_404_strings. Nikto v2.1.5 - The Manual. Table of Contents. 1. Introduction Overview Description Advanced Error Detection Logic History 2. Installation Requirements Install 3. Usage. Hacking WmapNikto。按照国际惯例: install # cp wmap_nikto.rb./modules/auxiliary/scanner/http/ edit nikto.conf. +-----manual +-----index.php +-----categories.php.
Using the Nikto Web Application Vulnerability Scanner. October 2. 01. 2About Nikto. Nikto is an extremely popular web application vulnerability scanner. Web application vulnerability scanners are designed to examine a web server to find security issues.
Identifying security problems proactively, and fixing them, is an important step towards ensuring the security of your web servers. Nikto checks for a number of dangerous conditions and vulnerable software.
Running Nikto on a regular basis will ensure that you identify common problems in your web server or web applications. Because most web servers host a number of web applications, with new software deployed over time, it is a good idea to run a scanner like Nikto against your servers on a routine basis. Nikto is completely open source and is written in Perl. Nikto is a quite venerable (it was first released in 2. In addition to being written in Perl, which makes it highly portable, Nikto is a non- invasive scanner.
Running a Nikto scan won't exploit any vulnerabilities that are identified and therefor is safe to run against production servers. Because Nikto is written in Perl it can run anywhere that Perl with run, from Windows to Mac OS X to Linux.
Nikto runs at the command line, without any graphical user interface (GUI). While this might be considered a disadvantage, Nikto's use of the command line interface (CLI) to it is ideal for running the tool remotely over SSH connections. Nikto's architecture also means that you don't need GUI access to a system in order to install and run Nikto.
The CLI also allows Nikto to easily interface with shell scripts and other tools. Nikto makes liberal use of files for configuration and direction as well, which also eases integration with other tools. For instance, you could schedule a scan via a shell script, gather a list of targets by querying a database and writing the results to a file, then have Nikto scan the targets specified in the file on a routine basis and report the results via e- mail. How Nikto Works. Nikto operates by doing signature matching to known vulnerable web services, including dynamic web applications, CGI scripts, and web server configurations. Nikto does this by making requests to the web server and evaluating responses.
Nikto includes a number of options that allow requests to include data such as form posts or header variables and does pattern matching on the returned responses. Nikto uses a database of URL's for its scan requests. Nikto queries this database and makes calls to resources that indicate the presence of web application or server configurations. This detection technique is quite reliable, but is far from stealthy. Notably, this discovery technique results in an extremely large number of 4. HTTP response code for "requested resource not found").
Additionally, all though this can be modified, the User Agent string sent in each request clearly identifies Nikto as the source of the requests. In addition to URL discovery Nikto will probe web servers for configuration problems. Things like directory listings, debugging options that are enabled, and other issues are quickly identified by Nikto.
Nikto will even probe HTTP and HTTPS versions of sites and can be configured to scan non- standard ports (such as port 8. Java web servers listen by default). Nikto is also capable of sending data along with requests to servers (such as URL data, known as GET variables, or form data, known as POST data). Nikto examines the full response from servers as well. This allows Nikto to perform testing for vulnerabilities such as cross site scripting (XSS) or even SQL injection. Nikto will also search for insecure files as well as default files.
This can reveal problems with web applications such as forgotten backups, left over installation files, and other artifacts that could jeopardize the security of a server. Like the detection of known vulnerable, or outdated, web applications this process is passive and won't cause any harm to servers.
Installing Nikto - Perl. The first step to installing Nikto is to ensure that you have a working version of Perl. Perl is a scripting language, which means programs are stored as plain text and then run through an interpreter at execution time. The Perl interpreter consumes plain text Perl programs and compiles a machine readable binary which is then run by the operating system. There are a number of advantages and disadvantages to this approach. Portability is one big advantage. Perl source code can run on any machine with a Perl interpreter (sort of like how Java can run on any machine with Java installed).
Because Perl is compiled every time it is run it is also very easy to change programs. Perl's plain text format makes it ideal for open source projects because it is so easy to open and read the source code. The one major disadvantage to this approach is that it is somewhat slower than pre- compiled software.
Installing Nikto - Windows. On Windows machines this can be little more troublesome than other operating systems. Perl. org, the official site for Perl recommends two distributions of Perl for Windows: Strawberry Perl and Active.
State Perl. Active. State has a longer history of supporting Perl on Windows, and offers commercial support, but both should be sufficient.
Fig 1: Perl. org Download Site. For the purposes of this article I will demonstrate Nikto on Windows XP using Active. State, however the process is nearly identical for all versions of Windows. To begin Be sure to select the version of Perl that fits your architecture (3.
Fig 2: Active. State. Perl Download Site. The download from Active. State consists of a Microsoft installer (. Fig 3: Active. State's MSI download of Perl. Running the MSI will prompt you to answer a few questions about the installation.
Using the defaults for answers is fine. You may wish to consider omitting the installation of Examples if you have limited space, however. Fig 4: Active. State Installer.
Once installed you can check to make sure Perl is working properly by invoking the Perl interpreter at the command line. To do this open a command prompt (Start - > All Programs - > Accessories - > Command Prompt) and typing. The '- v' flag causes the interpreter to display version information. Assuming the interpreter prints out version information then Perl is installed and you can proceed to install Nikto's dependencies.
Fig 5: Perl version information in Windows command prompt. Installing Nikto - Windows Dependencies. In order for Nikto to function properly you first need to install Secure Socket Layer (SSL) extensions to Perl.
This is required in order to run Nikto over HTTPS, which uses SSL. Active. State includes a graphical package manager that can be used to install the necessary libraries. You can find the Perl Package Manager under Start - > All Programs - > Active. Perl - > Perl Package Manager. Once you open this program you'll notice the search box in the top center. Type 'ssl' into this search box and hit enter.
You should see the Net- SSLeay package. Check the 'Installed' column of the display to ensure the package is installed. Fig 6: Active. State Perl Package Manager showing the Net- SSLeay package. The Nikto distribution can be downloaded in two compressed formats. Bzip. 2 and Gz are the available options. Neither is standard on Windows so you will need to install a third party unzipping program, like 7- zip (http: //www. Download and Install - Windows.
Download the Nikto source code from http: //www. The download link is the first line of text under the tabs and is easy to miss. Click on the 'gz' link to download the gzip format source code. Fig 7: Cirt. net Nikto download site. Save the source code file on your machine. The best place to do this is under C: Program Files so you will be able to find it easily.
Next, open up a file browser (click on My Computer or the like) and navigate to the C: Program Files directory. You'll see the downloaded Nikto source, but more than likely Windows doesn't have the '. Right click on the source and select '7- zip' from the options menu, then 'Extract Here' to extract the program.
Fig 8: Extracting the Nikto source. This will unzip the file, but it is still in a . Tape ARchive format.
Repeat the process of right clicking, selecting '7- zip' and choosing 'Extract Here' to expose the source directory. Now that the source code is uncompressed you can begin using Nikto. Test to ensure that Nikto is running completely by navigating to the source code directory in a command prompt and typing the command 'nikto. Version' and ensuring that the version output displays.
Fig 9: Nikto on Windows displaying version information. Installing Nikto - Linux. Installing Nikto on Linux is an extremely straightforward process. Ensure that Perl and Open. SSL are installed using the package management system on your distribution. On a Cent. OS, Red Hat, or Fedora system simply use. Net- SSLeay. once installed you can download the Nikto source using.
Then you should test to ensure Nikto is installed properly using. Version. Nikto is fairly straightforward tool to use. Extensive documentation is available at http: //cirt. The first thing to do after installing Nikto is to update the database of definitions. This can be done using the command. The simplest way to start up Nikto is to point it at a specific IP address.
For instance, to test the sites at 1. This will produce fairly verbose output that may be somewhat confusing at first. Take the time to read through the output to understand what each advisory means. Many of the alerts in Nikto will refer to OSVDB numbers. These are Open Source Vulnerability Database (http: //osvdb. You can search on OSVDB for further information about any vulnerabilities identified. Fig 1. 0: Nikto running on Windows.
The default output becomes unwieldy, however, as soon as you begin testing more than a single site. In order to make output more manageable it is worthwhile to explore Nikto's various reporting formats.