Vulnerability assessment
Last updated
Last updated
Windows version. Scanning with a policy
Windows tool
Nikto help
start the scan
-h specifies the targer
-Tuning scan perimenters, x specifies run all scans against the target
Finding cgi directories
saving the scan
-o filename where result will be saved
-F file type
Scanning on other ports
Plugins further extend the capabilities of Nikto. Using information gathered from our basic scans, we can pick and choose plugins that are appropriate to our target. You can use the --list-plugins flag with Nikto to list the plugins or view the whole list in an easier to read format online.
Some interesting plugins include:
We can specify the plugin we wish to use by using the-Plugin argument and the name of the plugin we wish to use...For example, to use the "apacheuser" plugin, our Nikto scan would look like so:
Nikto has several categories of vulnerabilities that we can specify our scan to enumerate and test for. The following list is not extensive and only include the ones that you may commonly use. We can use the -Tuningflag and provide a value in our Nikto scan:
Rather than working with the output on the terminal, we can instead, just dump it directly into a file for further analysis - making our lives much easier!
Nikto is capable of putting to a few file formats including:
Text File
HTML report
We can use the -o argument (short for -Output) and provide both a filename and compatible extension. We can specify the format (-f) specifically, but Nikto is smart enough to use the extension we provide in the-o argument to adjust the output accordingly.
For example, let's scan a web server and output this to "report.html": nikto -h http://ip_address -o report.html
We can increase the verbosity of our Nikto scan by providing the following arguments with the-Display flag. Unless specified, the output given by Nikto is not the entire output, as it can sometimes be irrelevant (but that isn't always the case!)
| Plugin Name | Description |
|---|---|
| Category Name | Description | Tuning Option |
|---|---|---|
| Argument | Description | Reasons for Use |
|---|---|---|
apacheusers
Attempt to enumerate Apache HTTP Authentication Users
cgi
Look for CGI scripts that we may be able to exploit
robots
Analyse the robots.txt file which dictates what files/folders we are able to navigate to
dir_traversal
Attempt to use a directory traversal attack (i.e. LFI) to look for system files such as /etc/passwd on Linux (http://ip_address/application.php?view=../../../../../../../etc/passwd)
File Upload
Search for anything on the web server that may permit us to upload a file. This could be used to upload a reverse shell for an application to execute.
0
Misconfigurations / Default Files
Search for common files that are sensitive (and shouldn't be accessible such as configuration files) on the web server.
2
Information Disclosure
Gather information about the web server or application (i.e. verison numbers, HTTP headers, or any information that may be useful to leverage in our attack later)
3
Injection
Search for possible locations in which we can perform some kind of injection attack such as XSS or HTML
4
Command Execution
Search for anything that permits us to execute OS commands (such as to spawn a shell)
8
SQL Injection
Look for applications that have URL parameters that are vulnerable to SQL Injection
9
1
Show any redirects that are given by the web server.
Web servers may want to relocate us to a specific file or directory, so we will need to adjust our scan accordingly for this.
2
Show any cookies received
Applications often use cookies as a means of storing data. For example, web servers use sessions, where e-commerce sites may store products in your basket as these cookies. Credentials can also be stored in cookies.
E
Output any errors
This will be useful for debugging if your scan is not returning the results that you expect!