Nikto - Web Application Vulnerability and CGI Scanner for Web Servers

Nikto is an open-source web scanner released under the GPL license, used to perform comprehensive tests against web servers for multiple dangerous items.

Nikto Web Scanner is another good tool to have in any Linux administrator's arsenal. It is an open-source web scanner released under the GPL license, used to perform comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs.

Install Nikto Web Scanner


It was written by Chris Sullo and David Lodge for vulnerability assessment; it checks for outdated versions of more than 1250 web servers and for version-specific problems on more than 250 of them. It also scans for and reports outdated web server software and plugins.

Features of Nikto Web Scanner

  1. SSL support
  2. Full HTTP proxy support
  3. Reports can be saved as text, HTML, XML and CSV
  4. Scans multiple ports
  5. Can scan multiple servers by taking input from a file, such as nmap output
  6. Supports LibWhisker IDS evasion techniques
  7. Easily identifies installed software via headers, files and favicons
  8. Logs to Metasploit
  9. Reports "unusual" headers
  10. Apache and cgiwrap username enumeration
  11. Authenticates to hosts with Basic and NTLM
  12. Scans can be auto-paused at a specified time

Nikto Requirements

A basic installation of Perl, the Perl modules and OpenSSL should be enough to run Nikto. It has been fully tested on Windows, Mac OS X and various Unix/Linux distributions such as Red Hat, Debian, Ubuntu, BackTrack and others.

Installing Nikto Web Scanner on Linux

Most of today's Linux systems ship with Perl, the Perl modules and the OpenSSL packages preinstalled. If they are not included, you can install them using the system's default package manager, Yum or apt-get.

On Red Hat / CentOS / Fedora
[root@howtoing ]# yum install perl perl-Net-SSLeay openssl
On Debian / Ubuntu / Linux Mint
[root@howtoing ]# apt-get install perl openssl libnet-ssleay-perl

Next, download the latest stable Nikto source package from the official project page, or fetch it directly with the wget command below. Note that this URL is plain HTTP: prefer an HTTPS download where the project offers one, and compare the archive against a hash published by the project before running anything from it.

# wget http://www.cirt.net/nikto/nikto-2.1.5.tar.gz

Extract it with an archive manager utility or with the following tar command.

[root@howtoing ]# tar -xvf nikto-2.1.5.tar.gz

Now run the Nikto script with the perl command, as shown below.

[root@howtoing ]# cd nikto-2.1.5
[root@howtoing nikto-2.1.5]# perl nikto.pl
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ ERROR: No host specified
-config+            Use this config file
-Display+           Turn on/off display outputs
-dbcheck            check database and other key files for syntax errors
-Format+            save file (-o) format
-Help               Extended help information
-host+              target host
-id+                Host authentication to use, format is id:pass or id:pass:realm
-list-plugins       List all available plugins
-output+            Write output to this file
-nossl              Disables using SSL
-no404              Disables 404 checks
-Plugins+           List of plugins to run (default: ALL)
-port+              Port to use (default 80)
-root+              Prepend root value to all requests, format is /directory
-ssl                Force ssl mode on port
-Tuning+            Scan tuning
-timeout+           Timeout for requests (default 10 seconds)
-update             Update databases and plugins from CIRT.net
-Version            Print plugin and database versions
-vhost+             Virtual host (for Host header)
+ requires a value
Note: This is the short help output. Use -H for full help text.

The "ERROR: No host specified" line is telling us that we did not supply the parameter required to run a test. So we need to add the one basic required parameter, the target host, to perform a test run.

Basic Testing

A basic scan needs only the target host you want to test; if nothing else is specified it scans port 80. The host can be a hostname or the IP address of a system and is given with the '-h' option. For example, I want to scan the IP 172.16.27.56 on TCP port 80.

[root@howtoing nikto-2.1.5]# perl nikto.pl -h 172.16.27.56
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 00:48:12 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 5956160, size: 24, mtime: 0x4d4865a054e32
+ File/dir '/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Multiple index files found: index.php, index.htm, index.html
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /test.html: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /connect.php?path=http://cirt.net/rfiinc.txt?: Potential PHP MySQL database connection string found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2014-01-10 00:48:23 (GMT5.5) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

If you want to scan a different port number, add the '-p' [-port] option. For example, I want to scan the IP 172.16.27.56 on TCP port 443.

[root@howtoing nikto-2.1.5]# perl nikto.pl -h 172.16.27.56 -p 443
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
Ciphers: DHE-RSA-AES256-GCM-SHA384
Issuer:  /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time:         2014-01-10 01:08:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Server leaks inodes via ETags, header found with file /, inode: 2817021, size: 5, mtime: 0x4d5123482b2e9
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Server is using a wildcard certificate: '*.mid-day.com'
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2014-01-10 01:11:20 (GMT5.5) (174 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

You can also specify the host, port and protocol with full URL syntax, and it will be scanned.

[root@howtoing nikto-2.1.5]# perl nikto.pl -h http://172.16.27.56:80

You can also scan any website. For example, here I ran a scan against google.com.

[root@howtoing nikto-2.1.5]# perl nikto.pl -h http://www.google.com
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          173.194.38.177
+ Target Hostname:    www.google.com
+ Target Port:        80
+ Start Time:         2014-01-10 01:13:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: gws
+ Cookie PREF created without the httponly flag
+ Cookie NID created without the httponly flag
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Uncommon header 'alternate-protocol' found, with contents: 80:quic
+ Root page / redirects to: http://www.google.co.in/?gws_rd=cr&ei=xIrOUomsCoXBrAee34DwCQ
+ Server banner has changed from 'gws' to 'sffe' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-content-type-options' found, with contents: nosniff
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ File/dir '/groups/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
….

The above command fires a large number of HTTP requests at the web server (well over 2000 tests; 6544 checks in the runs shown on this page), so a Nikto scan is noisy, easily logged and frequently flagged by a WAF or IDS, as the changing server banner in the google.com output already hints. Only scan hosts you are authorized to test.

Multiple Port Testing

You can also scan multiple ports in the same session. To scan several ports on the same host, add the '-p' [-port] option and give it the list of ports. Ports can be given as a range (i.e. 80-443) or as a comma-separated list (i.e. 80,443). For example, I want to scan ports 80 and 443 on host 172.16.27.56.

[root@howtoing nikto-2.1.5]# perl nikto.pl -h 172.16.27.56 -p 80,443
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on cmsstage.mid-day.com:88
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 20:38:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
Ciphers: DHE-RSA-AES256-GCM-SHA384
Issuer:  /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time:         2014-01-10 20:38:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ All CGI directories 'found', use '-C none' to test none
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
.....
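As an added example that is not part of the original article or of Nikto itself, the POSIX shell script below reads a Nikto text report on standard input and summarizes it: one row per OSVDB finding with the port it was seen on, the set of distinct OSVDB ids (so a finding repeated on :80 and :443, as in the multi-port output above, is counted once), the sum of the per-target "item(s) reported" counters, and the lines Nikto itself flags as "This might be interesting". The SAMPLE_REPORT text is constructed inline in the shape of the page's output and is not a real scan result; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or from Nikto): triage a Nikto text report.
# SAMPLE_REPORT is constructed inline in the shape of Nikto 2.1.5 output; the
# IP and findings mirror the page's examples but this is not a real scan.
SAMPLE_REPORT='- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3092: /test.html: This might be interesting...
+ 6544 items checked: 0 error(s) and 3 item(s) reported on remote host
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 2 item(s) reported on remote host'

# One tab-separated row per OSVDB finding: port, OSVDB id, message.
# The port is taken from the most recent "+ Target Port:" line, so a report
# covering several ports keeps each finding attributed to the right one.
nikto_osvdb_findings() {
  awk '
    /^\+ Target Port:/ { port = $0; sub(/^.*Port:[ \t]*/, "", port) }
    /^\+ OSVDB-[0-9]+: / {
      id = $0;  sub(/^\+ /, "", id); sub(/:.*$/, "", id)
      msg = $0; sub(/^\+ OSVDB-[0-9]+: /, "", msg)
      print port "\t" id "\t" msg
    }'
}

# Distinct OSVDB ids across all ports: the same check firing on :80 and :443
# is one issue to fix, not two.
nikto_unique_ids() {
  nikto_osvdb_findings | cut -f2 | LC_ALL=C sort -u
}

# Sum of the "N item(s) reported" counters of every target block.
nikto_total_items() {
  awk '/item\(s\) reported on remote host/ { total += $8 } END { print total + 0 }'
}

# Findings Nikto marks as needing a human look rather than a confirmed issue.
nikto_needs_review() {
  nikto_osvdb_findings | grep 'This might be interesting' || true
}

# Demo on the embedded sample: sh nikto_triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_REPORT" | nikto_osvdb_findings
  printf 'distinct OSVDB ids: %s\n' \
    "$(printf '%s\n' "$SAMPLE_REPORT" | nikto_unique_ids | wc -l | tr -d ' ')"
  printf 'items reported (all ports): %s\n' \
    "$(printf '%s\n' "$SAMPLE_REPORT" | nikto_total_items)"
fi
```

After sourcing the file, a saved report can be fed in with `nikto_osvdb_findings < report.txt`. For machine-readable results from Nikto itself, `-Format csv` together with `-o` is the better starting point; this script is only for triaging the plain-text output shown throughout this page.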

Using a Proxy

Say the system running Nikto can reach the target host only through an HTTP proxy. The test can still be performed in two different ways: one uses the nikto.conf file, the other passes the proxy directly on the command line.

Using the nikto.conf File

Open the nikto.conf file with any command line editor.

[root@localhost nikto-2.1.5]# vi nikto.conf

Search for the "PROXY" variables and remove the '#' comment from the beginning of those lines, as shown. Then fill in the proxy host, port, proxy username and password, and save and close the file. These values, PROXYPASS included, sit in clear text in nikto.conf, so restrict the file's permissions to the user running the scan.

# Proxy settings -- still must be enabled by -useproxy
PROXYHOST=172.16.16.37
PROXYPORT=8080
PROXYUSER=pg
PROXYPASS=pg

Now run Nikto with the '-useproxy' option. Note that every connection will be relayed through the HTTP proxy.

[root@localhost nikto-2.1.5]# perl nikto.pl -h localhost -p 80 -useproxy
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2014-01-10 21:28:29 (GMT5.5)
---------------------------------------------------------------------------
+ Server: squid/2.6.STABLE6
+ Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0
+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080

Look at what the output above actually reports: the Server header is squid, and the x-squid-error header reads ERR_CACHE_ACCESS_DENIED. Those come from the proxy, not from the target: the proxy refused to forward the request (typically because it demands authentication the scan did not present), so the findings describe Squid's error page rather than the target host. Confirm that a proxied scan really reached the target before reading its results.

Using the Command Line

To run Nikto with the '-useproxy' option directly from the command line, pass the proxy URL as its argument.

[root@localhost nikto-2.1.5]# perl nikto.pl -h localhost -useproxy http://172.16.16.37:8080/
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2014-01-10 21:34:51 (GMT5.5)
---------------------------------------------------------------------------
+ Server: squid/2.6.STABLE6
+ Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0
+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080
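Because nikto.conf holds the proxy password in clear text, here is an added example (not from the article or from Nikto) of a small POSIX shell helper that reads the PROXYHOST and PROXYPORT keys from a nikto.conf, builds the URL form that -useproxy accepts on the command line, and warns when a file that contains PROXYPASS is readable by other users. The configuration it writes is constructed from the values shown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Nikto: map nikto.conf PROXY* keys to the
# -useproxy URL form and flag a group/world-readable config that stores
# PROXYPASS in clear text. Function names are this example's own.

# Write a constructed nikto.conf fragment (values mirror the page's example).
write_sample_conf() {
  cat > "$1" <<'EOF'
# Proxy settings -- still must be enabled by -useproxy
PROXYHOST=172.16.16.37
PROXYPORT=8080
PROXYUSER=pg
PROXYPASS=pg
EOF
}

# Value of key $2 in conf file $1; commented-out lines ("#PROXYHOST=...")
# are skipped and the last uncommented assignment wins.
conf_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Build the URL that the -useproxy option takes on the command line.
proxy_url_from_conf() {
  host=$(conf_value "$1" PROXYHOST)
  port=$(conf_value "$1" PROXYPORT)
  [ -n "$host" ] && [ -n "$port" ] || return 1
  printf 'http://%s:%s/\n' "$host" "$port"
}

# True when the conf carries a proxy password in clear text.
conf_has_plaintext_password() {
  [ -n "$(conf_value "$1" PROXYPASS)" ]
}

# True when neither group nor others have the read bit (e.g. mode 0600).
conf_is_private() {
  mode=$(ls -l "$1" | cut -c5-10)
  case "$mode" in *r*) return 1 ;; esac
  return 0
}

# Fail (with a warning on stderr) for a clear-text password other users can read.
check_conf() {
  if conf_has_plaintext_password "$1" && ! conf_is_private "$1"; then
    echo "WARN: $1 stores PROXYPASS in clear text and is readable by others; chmod 600 it" >&2
    return 1
  fi
  return 0
}
```

Typical use after sourcing the file is `check_conf nikto.conf && perl nikto.pl -h target -useproxy`, which refuses to run the scan until the config is locked down, while `proxy_url_from_conf nikto.conf` yields the argument for the command-line variant shown above.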

Updating Nikto

You can update Nikto to the latest plugins and databases automatically by simply running it with the '-update' option.

[root@localhost nikto-2.1.5]# perl nikto.pl -update

If new updates are available, you will see a list of the updates being downloaded.

+ Retrieving 'nikto_report_csv.plugin'
+ Retrieving 'nikto_headers.plugin'
+ Retrieving 'nikto_cookies.plugin'
+ Retrieving 'db_tests'
+ Retrieving 'db_parked_strings'
+ Retrieving 'CHANGES.txt'
+ CIRT.net message: Please submit Nikto bugs to http://trac2.assembla.com/Nikto_2/report/2

You can also download and update the Nikto plugins and databases manually from http://cirt.net/nikto/UPDATES/

Reference Links

Nikto Homepage