Vulnerability assessment

1. Vulnerability assessment using openVAS

2. Vulnerability assessment using Nessus

Windows version. Scanning with a policy

https://localhost:8834localhost

3. Vulnerability assessment using GFI LanGuard

Windows tool

GFI LanGuard

4. Nikto scanner

Nikto help

nikto -H

start the scan

nikto -h islamabadtrafficpolice.gov.pk -Tuning x

-h specifies the targer

-Tuning scan perimenters, x specifies run all scans against the target

Finding cgi directories

nikto -h certifiedhacker.com -Cgidirs all

saving the scan

nikto -h certifiedhacker.com -o result -F txt

-o filename where result will be saved

-F file type

Scanning on other ports

nikto -h 10.10.10.1 -p 80,8000,8080

Nikto Plugins

Plugins further extend the capabilities of Nikto. Using information gathered from our basic scans, we can pick and choose plugins that are appropriate to our target. You can use the --list-plugins flag with Nikto to list the plugins or view the whole list in an easier to read format online.

Some interesting plugins include:

Plugin Name	Description
apacheusers	Attempt to enumerate Apache HTTP Authentication Users
cgi	Look for CGI scripts that we may be able to exploit
robots	Analyse the robots.txt file which dictates what files/folders we are able to navigate to
dir_traversal	Attempt to use a directory traversal attack (i.e. LFI) to look for system files such as /etc/passwd on Linux (http://ip_address/application.php?view=../../../../../../../etc/passwd)

Plugin Name

Description

apacheusers

Attempt to enumerate Apache HTTP Authentication Users

cgi

Look for CGI scripts that we may be able to exploit

robots

Analyse the robots.txt file which dictates what files/folders we are able to navigate to

dir_traversal

Attempt to use a directory traversal attack (i.e. LFI) to look for system files such as /etc/passwd on Linux (http://ip_address/application.php?view=../../../../../../../etc/passwd)

We can specify the plugin we wish to use by using the-Plugin argument and the name of the plugin we wish to use...For example, to use the "apacheuser" plugin, our Nikto scan would look like so:

nikto -h 10.10.10.1 -Plugin apacheuser

Tuning Your Scan for Vulnerability Searching

Nikto has several categories of vulnerabilities that we can specify our scan to enumerate and test for. The following list is not extensive and only include the ones that you may commonly use. We can use the -Tuningflag and provide a value in our Nikto scan:

Category Name	Description	Tuning Option
File Upload	Search for anything on the web server that may permit us to upload a file. This could be used to upload a reverse shell for an application to execute.	0
Misconfigurations / Default Files	Search for common files that are sensitive (and shouldn't be accessible such as configuration files) on the web server.	2
Information Disclosure	Gather information about the web server or application (i.e. verison numbers, HTTP headers, or any information that may be useful to leverage in our attack later)	3
Injection	Search for possible locations in which we can perform some kind of injection attack such as XSS or HTML	4
Command Execution	Search for anything that permits us to execute OS commands (such as to spawn a shell)	8
SQL Injection	Look for applications that have URL parameters that are vulnerable to SQL Injection	9

Category Name

Description

Tuning Option

File Upload

Search for anything on the web server that may permit us to upload a file. This could be used to upload a reverse shell for an application to execute.

Misconfigurations / Default Files

Search for common files that are sensitive (and shouldn't be accessible such as configuration files) on the web server.

Information Disclosure

Gather information about the web server or application (i.e. verison numbers, HTTP headers, or any information that may be useful to leverage in our attack later)

Injection

Search for possible locations in which we can perform some kind of injection attack such as XSS or HTML

Command Execution

Search for anything that permits us to execute OS commands (such as to spawn a shell)

SQL Injection

Look for applications that have URL parameters that are vulnerable to SQL Injection

Saving Your Findings

Rather than working with the output on the terminal, we can instead, just dump it directly into a file for further analysis - making our lives much easier!

Nikto is capable of putting to a few file formats including:

Text File
HTML report

We can use the -o argument (short for -Output) and provide both a filename and compatible extension. We can specify the format (-f) specifically, but Nikto is smart enough to use the extension we provide in the-o argument to adjust the output accordingly.

For example, let's scan a web server and output this to "report.html": nikto -h http://ip_address -o report.html

Verbosing our Scan

We can increase the verbosity of our Nikto scan by providing the following arguments with the-Display flag. Unless specified, the output given by Nikto is not the entire output, as it can sometimes be irrelevant (but that isn't always the case!)

Argument	Description	Reasons for Use
1	Show any redirects that are given by the web server.	Web servers may want to relocate us to a specific file or directory, so we will need to adjust our scan accordingly for this.
2	Show any cookies received	Applications often use cookies as a means of storing data. For example, web servers use sessions, where e-commerce sites may store products in your basket as these cookies. Credentials can also be stored in cookies.
E	Output any errors	This will be useful for debugging if your scan is not returning the results that you expect!

Argument

Description

Reasons for Use

Show any redirects that are given by the web server.

Web servers may want to relocate us to a specific file or directory, so we will need to adjust our scan accordingly for this.

Show any cookies received

Applications often use cookies as a means of storing data. For example, web servers use sessions, where e-commerce sites may store products in your basket as these cookies. Credentials can also be stored in cookies.

Output any errors

This will be useful for debugging if your scan is not returning the results that you expect!

PreviousScanning NextMetasploit and Meterpreter

Last updated 1 year ago