Hacking with nikto – A tutorial for beginners

By | May 3, 2013

Nikto

Nikto is a vulnerability scanner that scans webservers for thousands of vulnerabilities and other known issues. It is very easy to use and does everything itself, without much instructions. It is included by default in pen testing distros like Kali linux. On other oses/platforms you need to install it manually. Can be downloaded from http://cirt.net/Nikto2.

The website describes nikto as follows

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Install nikto on ubuntu

On Ubuntu nikto can be installed directly from synaptic manager.

$ sudo apt-get install nikto

Nikto is written in perl, so you need to have perl installed to be able to run it.

Install nikto on windows

On windows first install the perl interpreter. It can be downloaded from http://www.activestate.com/activeperl. Its free. Download the installer and install perl.

Next download nikto and extract the contents of the archive into a directory. Now run from the command prompt like this.

C:\pentest\nikto-2.1.5>perl nikto.pl -h example.com

The above command actually runs the perl interpreter which loads the nikto.pl source file and runs it with whatever options are provided next to it.

Using Nikto

Lets now use nikto on some webserver and see what kind of things it can do. Lets try a test against a certain php+mysql website that is hosted on apache. The actual urls shall not be shown in the output

$ nikto -h somesite.org
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          208.90.215.95
+ Target Hostname:    somesite.org
+ Target Port:        80
+ Start Time:         2012-08-11 14:27:31
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (FreeBSD) mod_ssl/2.2.22 OpenSSL/1.0.1c DAV/2
+ robots.txt contains 4 entries which should be manually viewed.
+ mod_ssl/2.2.22 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ ETag header found on server, inode: 5918348, size: 121, mtime: 0x48fc943691040
+ mod_ssl/2.2.22 OpenSSL/1.0.1c DAV/2 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /lists/admin/: PHPList pre 2.6.4 contains a number of vulnerabilities including remote administrative access, harvesting user info and more. Default login to admin interface is admin/phplist
+ OSVDB-2322: /gallery/search.php?searchstring=<script>alert(document.cookie)</script>: Gallery 1.3.4 and below is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. http://www.securityfocus.com/bid/8288.
+ OSVDB-7022: /calendar.php?year=<script>alert(document.cookie);</script>&month=03&day=05: DCP-Portal v5.3.1 is vulnerable to  Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3092: /template/: This may be interesting as the directory may hold sensitive files or reveal system information.
+ OSVDB-3092: /updates/: This might be interesting...
+ OSVDB-3092: /README: README file found.
+ 6448 items checked: 1 error(s) and 14 item(s) reported on remote host
+ End Time:           2012-08-11 15:52:57 (5126 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
$

The output has lots of useful information. Nikto has detected the following :

1. Webserver
2. XSS vulnerabilitites.
3. Vulnerable web applications like phplist and gallery.
4. Information leaking pages.

Nikto also provides the osvdb numbers of the issues for further analysis. So overall nikto is a very informative tool. The next task for a hacker should be to find out how to exploit one of the so many vulnerabilities found out.

Most of the tests done by nikto are based on set rules or a dictionary. For example nikto has a list of default directories to look for, list of files to look for. So the entire scanning process just enumerates the presence of predefined urls on the http server. Apart from this nikto also looks into the http headers for additional information and also tests get parameters for xss vulnerabilities.

Check the additional options supported by nikto using the help switch as follows

root@kali:~# nikto -Help

Analysing nikto

To understand how nikto works and discovers vulnerabilities we can analyse it further. Nikto has an option to use an http proxy. So by using a tool that can intercept the http requests and show them in proper format, we can analyse the queries made by nikto. One such tool is burp suite. It has an integrated http proxy. It has a free edition that we are going to use.

Download free edition of burp suite from
http://www.portswigger.net/burp/

Burp suite is written in java, so the JRE is needed to run it. On ubuntu it can be installed from synaptic package manager. Start the burp suite and go to proxy tab. The proxy tab has 3 sub tabs namely : intercept, options and history. In the intercept tab turn intercept off. Otherwise burp suite will ask for a confirmation before allowing each request. Then go to the history tab. The history tab will show us all requests that nikto shall be making.

Next we need to tell nikto to use the proxy server. The command to use proxy would be

$ nikto -host www.binarytides.com -useproxy http://localhost:8080/

Here is a screenshot of how the burp suite would show the requests.

Burp suite provides a bunch of information, like the request, response, headers etc.

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].

4 Comments

Hacking with nikto – A tutorial for beginners
  1. kamal

    what to do, if instead of installed perl, perl nikto .pl typed on command prompt, is giving error and not running correctly.

    1. Silver Moon

      the output is pretty self explanatory. it mentions the server details with details on what services are running on it, what is the version of those services and what vulnerabilities exist in them.

      It also scans for some php applications and provides the OSVDB number of any known vulnerabilities in those applications.

Leave a Reply

Your email address will not be published. Required fields are marked *