Nikto - A Web Application Vulnerability and CGI Scanner for Web Servers


The Nikto web scanner is another good tool for any Linux administrator's arsenal. It is an open-source web scanner released under the GPL license, used to perform comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs.

It was written by Chris Sullo and David Lodge for vulnerability assessment. It checks for outdated versions of over 1250 web servers and for over 270 version-specific problems. It also checks for outdated web server software and plugins and reports them.

Features of the Nikto web scanner

  1. SSL support
  2. Full HTTP proxy support
  3. Supports text, HTML, XML and CSV for saving reports
  4. Scanning of multiple ports
  5. Can scan multiple servers, taking input from files such as nmap output
  6. LibWhisker IDS support
  7. Capable of identifying installed software from headers, files and favicons
  8. Logging to Metasploit
  9. Reports unusual headers
  10. Apache and cgiwrap user enumeration
  11. Host authentication with Basic and NTLM
  12. Scans can be paused automatically at a specified time

Nikto requirements

A system with a basic installation of Perl, the Perl modules and OpenSSL should be able to run Nikto. It has been tested thoroughly on Windows, Mac OSX and various Unix/Linux distributions such as Red Hat, Debian, Ubuntu, BackTrack, etc.

Installing the Nikto web scanner on Linux

Most modern Linux systems come with the Perl, Perl modules and OpenSSL packages pre-installed. If they are not included, you can install them with the system's default package manager utility, yum or apt-get.

 yum install perl perl-Net-SSLeay openssl
 apt-get install perl openssl libnet-ssleay-perl

Then clone the latest stable Nikto source files from its GitHub repository, change into the nikto/programs/ directory and run it with perl:

$ git clone https://github.com/sullo/nikto.git
$ cd nikto/programs
$ perl nikto.pl -h 
Option host requires an argument

       -config+            Use this config file
       -Display+           Turn on/off display outputs
       -dbcheck            check database and other key files for syntax errors
       -Format+            save file (-o) format
       -Help               Extended help information
       -host+              target host
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -output+            Write output to this file
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -root+              Prepend root value to all requests, format is /directory
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning
       -timeout+           Timeout for requests (default 10 seconds)
       -update             Update databases and plugins from CIRT.net
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
   		+ requires a value

	Note: This is the short help output. Use -H for full help text.

"Option host requires an argument" says clearly that we did not supply the parameters needed to perform a test. So, to do a test run, we need to add the required basic parameter.

A basic scan requires the host you want to target; by default it scans port 80 if nothing else is specified. The host can be either a system hostname or an IP address. You specify the host with the "-h" option.

For example, I want to run a scan against IP 172.16.27.56 on TCP port 80.

 perl nikto.pl -h 172.16.27.56
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 00:48:12 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 5956160, size: 24, mtime: 0x4d4865a054e32
+ File/dir '/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Multiple index files found: index.php, index.htm, index.html
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /test.html: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /connect.php?path=http://cirt.net/rfiinc.txt?: Potential PHP MySQL database connection string found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2014-01-10 00:48:23 (GMT5.5) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
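To triage a report like the one above programmatically, here is an added Python example (not part of the original article or of the Nikto project) that parses Nikto's text output into target info, findings with their OSVDB ids and paths, and the summary counts, and then checks that the number of parsed findings matches Nikto's own "item(s) reported" figure. The sample report is constructed from lines shown on this page; the parser is written generally enough to skip Nikto's banner, separator and timing lines.

```python
import re
# Constructed sample in the layout of the Nikto text reports shown on this page.
SAMPLE_REPORT = """\
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 00:48:12 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3268: /icons/: Directory indexing found.
+ 6544 items checked: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2014-01-10 00:48:23 (GMT5.5) (11 seconds)
"""

TARGET_RE = re.compile(r"^\+ (Target (?:IP|Hostname|Port)|Server):\s+(.+)$")
SUMMARY_RE = re.compile(r"^\+ (\d+) items checked: (\d+) error\(s\) and (\d+) item\(s\) reported")
# Optional OSVDB tag, optional leading path, then the finding text.
FINDING_RE = re.compile(r"^\+ (?:(OSVDB-\d+): )?(?:(/\S*): )?(.+)$")
SKIP_RE = re.compile(r"^\+ (Start Time|End Time|\d+ host\(s\) tested)")

def parse_nikto_report(text):
    """Parse Nikto's text output into target info, findings and the summary counts."""
    report = {"target": {}, "findings": [], "summary": None}
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:  # "Target IP" -> key "target ip", "Server" -> key "server"
            report["target"][m.group(1).lower()] = m.group(2).strip()
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"] = {"checked": int(m.group(1)), "errors": int(m.group(2)), "reported": int(m.group(3))}
            continue
        if not line.startswith("+ ") or SKIP_RE.match(line):
            continue  # banner, separators and bookkeeping lines carry no finding
        m = FINDING_RE.match(line)
        report["findings"].append({"osvdb": m.group(1), "path": m.group(2), "text": m.group(3)})
    return report

def check_summary(report):
    """True when the parsed finding count matches Nikto's own 'item(s) reported' figure."""
    s = report["summary"]
    return s is not None and s["reported"] == len(report["findings"])

def osvdb_ids(report):
    """Sorted, de-duplicated OSVDB identifiers for cross-referencing the findings."""
    return sorted({f["osvdb"] for f in report["findings"] if f["osvdb"]})
```

Note that Nikto does not count the "+ Server:" banner line as a reported item, which is why the parser files it under target info rather than findings.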

If you want to scan a different port number, add the "-p" [-port] option. For example, I want to run a scan against IP 172.16.27.56 on TCP port 443.

 perl nikto.pl -h 172.16.27.56 -p 443
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
                   Ciphers: DHE-RSA-AES256-GCM-SHA384
                   Issuer:  /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time:         2014-01-10 01:08:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Server leaks inodes via ETags, header found with file /, inode: 2817021, size: 5, mtime: 0x4d5123482b2e9
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Server is using a wildcard certificate: '*.mid-day.com'
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2014-01-10 01:11:20 (GMT5.5) (174 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

You can also specify the host, port and protocol using the full URL syntax, and it will be scanned.

 perl nikto.pl -h http://172.16.27.56:80

You can also scan any website. For example, here I scanned google.com.

 perl nikto.pl -h http://www.google.com
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          173.194.38.177
+ Target Hostname:    www.google.com
+ Target Port:        80
+ Start Time:         2014-01-10 01:13:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: gws
+ Cookie PREF created without the httponly flag
+ Cookie NID created without the httponly flag
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Uncommon header 'alternate-protocol' found, with contents: 80:quic
+ Root page / redirects to: http://www.google.co.in/?gws_rd=cr&ei=xIrOUomsCoXBrAee34DwCQ
+ Server banner has changed from 'gws' to 'sffe' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-content-type-options' found, with contents: nosniff
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ File/dir '/groups/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
….

The above command performs a large number of HTTP requests against the web server (i.e. more than 2000 tests).

You can also scan multiple ports in the same session. To scan multiple ports on the same host, add the "-p" [-port] option and specify the list of ports. Ports can be defined as a range (i.e. 80-443) or comma-separated (i.e. 80,443). For example, I want to scan ports 80 and 443 on host 172.16.27.56.

 perl nikto.pl -h 172.16.27.56 -p 80,443
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on cmsstage.mid-day.com:88
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 20:38:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.

---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
                   Ciphers: DHE-RSA-AES256-GCM-SHA384
                   Issuer:  /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time:         2014-01-10 20:38:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ All CGI directories 'found', use '-C none' to test none
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
.....

Suppose the system running Nikto can reach the target machine only through an HTTP proxy; the test can still be performed in two different ways. One uses the nikto.conf file, the other is to run it directly from the command line.

Open the nikto.conf file with any command line editor.

 vi nikto.conf

Search for the "PROXY" variables and uncomment the lines by removing the "#" at the beginning, as shown. Then add the proxy host, port, proxy user and password. Save and close the file.

# Proxy settings -- still must be enabled by -useproxy
PROXYHOST=172.16.16.37
PROXYPORT=8080
PROXYUSER=pg
PROXYPASS=pg

Now run Nikto with the "-useproxy" option. Note that all connections will be relayed through the HTTP proxy.

 perl nikto.pl -h localhost -p 80 -useproxy
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2014-01-10 21:28:29 (GMT5.5)
---------------------------------------------------------------------------
+ Server: squid/2.6.STABLE6
+ Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0
+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080

To run Nikto directly from the command line, use the "-useproxy" option with the proxy as its argument.

 perl nikto.pl -h localhost -useproxy http://172.16.16.37:8080/
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2014-01-10 21:34:51 (GMT5.5)
---------------------------------------------------------------------------
+ Server: squid/2.6.STABLE6
+ Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0
+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080

You can update Nikto automatically to the latest plugins and databases simply by running it with the "-update" option.

 perl nikto.pl -update

If new updates are available, you will see the list of new updates being downloaded.

+ Retrieving 'nikto_report_csv.plugin'
+ Retrieving 'nikto_headers.plugin'
+ Retrieving 'nikto_cookies.plugin'
+ Retrieving 'db_tests'
+ Retrieving 'db_parked_strings'
+ Retrieving 'CHANGES.txt'
+ CIRT.net message: Please submit Nikto bugs to http://trac2.assembla.com/Nikto_2/report/2

You can also download and update the Nikto plugins and databases manually from http://cirt.net/nikto/UPDATES/.

References

Nikto homepage