Nikto: Scan Apache for Security Holes

by Mike on May 3, 2009

in Web Server

Nikto is a tool that can be used to assess your web server security.  The purpose of nikto is to test specific security aspects that are typically security risks.  It is a Perl program designed to locate mis-configurations, files and programs that are insecure and to located outdated applications.  Warning : This tool may have legal consequences if you use it on sites which you do not have permission…use with discretion and at your own risk.

From the web site:

“Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).”

Nikto does require the LibWhisker Perl module, but this is built into the program so it does not need to be installed.  You will want to install the Net::SSLeay Perl module if you want to test SSL.

Install Net::SSLeay
You can do this several ways.  You can install it using MCPAN. After the initial set up you will be able to install with these commands.

perl -MCPAN -e shell;
Cpan> install Net::SSLeay

You can install using apt-get (Debina/Ubuntu).
apt-get install libcrypt-ssleay-perl libnet-ssleay-perl

Install using dag.wieers.com RPMs.

http://dag.wieers.com/rpm/packages/perl-Net-SSLeay/

Download nikto
You can find a download of the current version from cirt.net.  Create a directory, move the download into it and move into it:

mkdir /usr/src
mv  nikto-current.tar.gz /usr/src
cd /usr/src

Untar the program.

tar zxvf nikto-current.tar.gz

Now you should have completed the installation and be ready to begin.

1. Basic Scan

perl nikto.pl -h

perl nikto.pl -h 192.168.5.103
—————————————————————————
- Nikto 2.02/2.03     -     cirt.net
+ Target IP:       192.168.5.103
+ Target Hostname: localhost.local
+ Target Port:     80
+ Start Time:      2009-04-28 10:56:23
—————————————————————————
+ Server: Apache/2.2.3 (CentOS) DAV/2
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method (‘Allow’ Header): ‘TRACE’ is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 4347 items checked: 6 item(s) reported on remote host
End Time:        2009-04-28 10:56:30 (7 seconds)

LibWhisker uses 8 evasion techniques which are represented by numbers.   You can use these by using the -evasion option and the number.

1 – Random URI encoding (non-UTF8)
2 – Directory self-reference (/./)
3 – Premature URL ending
4 – Prepend long random string
5 – Fake parameter
6 – TAB as request spacer
7 – Change the case of the URL
8 – Use Windows directory separator (\)

perl nikto.pl -h 192.168.5.103 -evasion 1
—————————————————————————
- Nikto 2.02/2.03     -     cirt.net
+ Target IP:       192.168.5.103
+ Target Hostname: localhost.local
+ Target Port:     80
+ Using IDS Evasion:    Random URI encoding (non-UTF8)
+ Start Time:      2009-04-28 10:59:35
—————————————————————————
+ Server: Apache/2.2.3 (CentOS) DAV/2
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method (‘Allow’ Header): ‘TRACE’ is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 4347 items checked: 6 item(s) reported on remote host
End Time:        2009-04-28 10:59:43 (8 seconds)

perl nikto.pl -h 192.168.5.103 -evasion 1
—————————————————————————
- Nikto 2.02/2.03     -     cirt.net
+ Target IP:       192.168.5.103
+ Target Hostname: localhost.local
+ Target Port:     80
+ Using IDS Evasion:    Random URI encoding (non-UTF8)
+ Start Time:      2009-04-28 12:31:25
—————————————————————————
+ Server: Microsoft-IIS/6.0
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method (‘Allow’ Header): ‘TRACE’ is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 4347 items checked: 5 item(s) reported on remote host

Previous post:

Next post: