Nikto Web Server Scan: View from the Access Log

I have been playing with the Nikto web server scanning package. I scanned my own site, just for fun. It takes some time, but it did finish. I wondered how the scan would look from the viewpoint of my site’s raw access log. In summary, Nikto is not stealthy at all. It is also easy to detect and to ban mid-scan, since a full scan takes a long time to complete.

Essentially you start a Terminal and type “nikto -h “. There are lots of options, such as writing the output to a log file. Nikto’s output lists likely web site vulnerabilities and cross-references them with its database of known problems. Using this tool you can find your site’s weaknesses and then harden the site against attackers.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

(source: the Nikto project description)

Nikto sends a well-known User-Agent string, which also carries the name or number of the test it is currently running:

Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000001)

In this run it executed 6,608 different tests, making 7,790 server requests in all. That is a lot. A sample of the named tests, as seen in the User-Agent field:

Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:apache_expect_xss)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:apacheusers: invalid user)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:apacheusers: known user)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:cgi dir check)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:clientaccesspolicy)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:crossdomain)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:embedded detection)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:favicon)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:getinfo)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:headers: Translate-f #1)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:httpoptions: DEBUG)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:httpoptions: OPTIONS *)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:httpoptions: OPTIONS /)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:map_codes)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:parked detection)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:put_del_test: PUT)
Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:robots)

Interestingly, it also sends a batch of POST requests to the site; all but two of them got a 403 response, and the remaining two got a 404.

POST /_vti_bin/_vti_aut/author.dll?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=fals HTTP/1.1
POST /_vti_bin/_vti_aut/author.exe?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=fals HTTP/1.1
POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1
POST /_vti_bin/shtml.dll/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611 HTTP/1.1
POST /_vti_bin/shtml.exe/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611 HTTP/1.1
POST /admin/db.php HTTP/1.1
POST /cgi-bin/lastlines.cgi?process HTTP/1.1
POST /cgi-bin/post-query HTTP/1.1
POST /cgi-sys/lastlines.cgi?process HTTP/1.1
POST /cgi-sys/post-query HTTP/1.1
POST /Mem/dynaform/Login.htm?WINDWEB_URL=%2FMem%2Fdynaform%2FLogin.htm&ListIndexUser=0&sWebParam1=admin000 HTTP/1.1
POST /private.php HTTP/1.1
POST /search.php HTTP/1.1
POST /servlet/CookieExample?cookiename= HTTP/1.1
POST /servlet/custMsg?guestName= HTTP/1.1

These requests use less common HTTP methods, but they were tried as well:

INDEX / HTTP/1.1
OPTIONS * HTTP/1.1
OPTIONS / HTTP/1.1
OPTIONS // HTTP/1.1
PUT /nikto-test-i0pkcsI0.html HTTP/1.1
SEARCH / HTTP/1.1
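The detection side of the observations above, as an added example that is not part of the original post: a small Python script that reads a combined-format access log, recognises the Nikto User-Agent and the test name inside it, flags the unusual methods and the PUT marker file, and, because a scanner can change its User-Agent, also counts 4xx/5xx responses per client. The log lines, IP addresses (documentation ranges) and numeric test IDs are constructed.

```python
import re
from collections import defaultdict
# Apache/nginx "combined" log format: request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Nikto's default User-Agent: Mozilla/5.00 (Nikto/<ver>) (Evasions:<x>) (Test:<name>)
NIKTO_UA_RE = re.compile(r'\(Nikto/[\d.]+\) \(Evasions:[^)]*\) \(Test:(?P<test>[^)]*)\)')
UNUSUAL_METHODS = {"INDEX", "SEARCH", "PUT", "DELETE", "TRACE", "DEBUG"}
# Constructed sample log (documentation-range IPs; the numeric test IDs are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000001)"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:robots)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /admin/db.php HTTP/1.1" 403 199 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000742)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "PUT /nikto-test-i0pkcsI0.html HTTP/1.1" 405 230 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:put_del_test: PUT)"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "OPTIONS * HTTP/1.1" 200 0 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:httpoptions: OPTIONS *)"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
"""

def classify(entry):
    """Return the reasons one parsed request looks like a Nikto probe ([] if none)."""
    reasons = []
    ua = NIKTO_UA_RE.search(entry["ua"])
    if ua:
        reasons.append("nikto-ua:" + ua["test"])
    if entry["method"] in UNUSUAL_METHODS:
        reasons.append("method:" + entry["method"])
    if entry["path"].startswith("/nikto-test-"):  # marker file Nikto tries to PUT
        reasons.append("nikto-put-marker")
    return reasons

def scan_log(text):
    """Per-client summary: requests, Nikto-flagged requests, 4xx/5xx responses, reasons."""
    report = defaultdict(lambda: {"requests": 0, "flagged": 0, "errors": 0, "reasons": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        r = report[m["ip"]]
        r["requests"] += 1
        r["errors"] += m["status"][0] in "45"  # count 4xx/5xx responses
        reasons = classify(m)
        if reasons:
            r["flagged"] += 1
            r["reasons"].update(reasons)
    return dict(report)

def suspicious_ips(report, error_threshold=3):
    """IPs to rate-limit or block: any Nikto signature, or too many errors (the UA can be changed)."""
    return sorted(ip for ip, r in report.items() if r["flagged"] or r["errors"] >= error_threshold)
```

On a real log, the same thresholds also catch the burst of 403s and 404s the POST probes above produce, even if the User-Agent has been altered.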

Overall, Nikto seems thorough, but it is really not stealthy. I suppose that if it were really stealthy, issuing only three server requests at a time, it would take forever to complete. Some other hosts stopped my probing. They must look at the number of probes and temporarily freeze the incoming IP. It is easy to see why.
