Nikto - Web Application Vulnerability and CGI Scanner for Web Servers


Nikto Web Scanner is another good tool for any Linux administrator's arsenal. It is an open-source web scanner released under the GPL licence, used to perform comprehensive tests against web servers for multiple items, including more than 6500 potentially dangerous files/CGIs.

Written by Chris Solo and David Lodge for vulnerability assessment, it checks for outdated versions of more than 1250 web servers and more than 270 version-specific problems. It also scans for and reports outdated web server software and plugins.

Nikto Web Scanner Features

  1. Supports SSL
  2. Supports full HTTP proxy
  3. Supports text, HTML, XML and CSV for saving reports.
  4. Scans multiple ports
  5. Can scan multiple servers by taking input from files such as nmap output
  6. Supports LibWhisker IDS evasion
  7. Capable of identifying installed software via headers, files and favicons
  8. Logs for Metasploit
  9. Reports "unusual" headers.
  10. Apache and cgiwrap user enumeration
  11. Host authentication with Basic and NTLM
  12. Scans can be automatically paused at a specified time.

Nikto Requirements

A system with a basic Perl installation, the required Perl modules and OpenSSL should be able to run Nikto. It has been thoroughly tested on Windows, Mac OS X and various Unix/Linux distributions such as Red Hat, Debian, Ubuntu, BackTrack, etc.

Installing Nikto Web Scanner on Linux

Most of today's Linux systems come with the Perl, Perl modules and OpenSSL packages preinstalled. If they are not included, you can install them with the default system package manager, yum or apt-get.

 yum install perl perl-Net-SSLeay openssl
 apt-get install perl openssl libnet-ssleay-perl

Next, clone the latest stable Nikto source files from its GitHub repository, move into the nikto/programs/ directory and run it with perl:

$ git clone https://github.com/sullo/nikto.git
$ cd nikto/programs
$ perl nikto.pl -h 
Option host requires an argument

       -config+            Use this config file
       -Display+           Turn on/off display outputs
       -dbcheck            check database and other key files for syntax errors
       -Format+            save file (-o) format
       -Help               Extended help information
       -host+              target host
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -output+            Write output to this file
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -root+              Prepend root value to all requests, format is /directory
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning
       -timeout+           Timeout for requests (default 10 seconds)
       -update             Update databases and plugins from CIRT.net
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
   		+ requires a value

	Note: This is the short help output. Use -H for full help text.

The message "Option host requires an argument" clearly says that we did not include the required parameters when running the test. So we need to add the basic required parameter to run the test.

For a basic scan, the host you want to target is required; by default it scans port 80 if nothing else is specified. The host can be the hostname or the IP address of the system. You specify the host with the "-h" option.

For example, I want to run a scan against the IP 172.16.27.56 on TCP port 80.

 perl nikto.pl -h 172.16.27.56
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 00:48:12 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 5956160, size: 24, mtime: 0x4d4865a054e32
+ File/dir '/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Multiple index files found: index.php, index.htm, index.html
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /test.html: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /connect.php?path=http://cirt.net/rfiinc.txt?: Potential PHP MySQL database connection string found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2014-01-10 00:48:23 (GMT5.5) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
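
Nikto prints its findings as "+ " lines like the report above, which quickly become hard to act on for a whole host. The following added Python example (not part of the original article or of the Nikto project) parses that plain-text format into target metadata and a finding list, then groups the findings into the buckets an administrator fixes first: files exposed on the server and missing security headers. The sample report inside the block is constructed to mirror the output shown above, not captured from a live host.

```python
import re

# Constructed sample in the format of Nikto's plain-text report, modelled on
# the scan output shown above; it was not captured from a real host.
SAMPLE_REPORT = """\
- Nikto v2.1.5
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Server: Apache/2.2.15 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3092: /test.html: This might be interesting...
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ 1 host(s) tested
"""

# Metadata lines Nikto prints before the findings (IP, hostname, port, banner)
TARGET_RE = re.compile(r"^\+ (Target IP|Target Hostname|Target Port|Server):\s+(.+)$")
# Findings with an OSVDB id, optionally followed by the path that triggered them
OSVDB_RE = re.compile(r"^\+ OSVDB-(\d+): (?:(/\S*): )?(.+)$")
# Footer/timing lines that are not findings
SUMMARY_MARKERS = (" items checked:", "host(s) tested", "Start Time:", "End Time:")

def parse_nikto_report(text):
    """Split Nikto's '+ ' lines into target metadata and a list of findings."""
    target, findings = {}, []
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target[m.group(1).lower().replace("target ", "")] = m.group(2).strip()
            continue
        if not line.startswith("+ ") or any(k in line for k in SUMMARY_MARKERS):
            continue  # banner, separators and the summary footer
        m = OSVDB_RE.match(line)
        if m:
            findings.append({"osvdb": m.group(1), "path": m.group(2), "desc": m.group(3)})
        else:
            findings.append({"osvdb": None, "path": None, "desc": line[2:]})
    return target, findings

def triage(findings):
    """Group findings into exposed paths, missing headers and the OSVDB ids to look up."""
    exposed = sorted({f["path"] for f in findings if f["path"]})
    missing_headers = [f["desc"] for f in findings if "header is not present" in f["desc"]]
    osvdb_ids = sorted({f["osvdb"] for f in findings if f["osvdb"]}, key=int)
    return {"exposed_paths": exposed, "missing_headers": missing_headers, "osvdb_ids": osvdb_ids}

if __name__ == "__main__":
    target, findings = parse_nikto_report(SAMPLE_REPORT)
    print(target, triage(findings), sep="\n")
```

Feed it a saved report (for example the file written with -o) instead of SAMPLE_REPORT to triage a real scan.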

To scan a different port number, add the "-p" [-port] option. For example, I want to run a scan against IP 172.16.27.56 on TCP port 443.

 perl nikto.pl -h 172.16.27.56 -p 443
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
                   Ciphers: DHE-RSA-AES256-GCM-SHA384
                   Issuer:  /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time:         2014-01-10 01:08:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Server leaks inodes via ETags, header found with file /, inode: 2817021, size: 5, mtime: 0x4d5123482b2e9
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Server is using a wildcard certificate: '*.mid-day.com'
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2014-01-10 01:11:20 (GMT5.5) (174 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

You can also specify the host, port and protocol using full URL syntax, and it will be scanned.

 perl nikto.pl -h http://172.16.27.56:80

You can also scan any website. For example, here I ran a scan against google.com.

 perl nikto.pl -h http://www.google.com
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          173.194.38.177
+ Target Hostname:    www.google.com
+ Target Port:        80
+ Start Time:         2014-01-10 01:13:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: gws
+ Cookie PREF created without the httponly flag
+ Cookie NID created without the httponly flag
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Uncommon header 'alternate-protocol' found, with contents: 80:quic
+ Root page / redirects to: http://www.google.co.in/?gws_rd=cr&ei=xIrOUomsCoXBrAee34DwCQ
+ Server banner has changed from 'gws' to 'sffe' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-content-type-options' found, with contents: nosniff
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ File/dir '/groups/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
….

The above command performs a large number of HTTP requests (i.e. more than 2000 tests) against the web server.

You can also scan multiple ports in the same session. To scan multiple ports on the same host, add the "-p" [-port] option and specify the list of ports. Ports can be given as a range (i.e. 80-443) or as a comma-separated list (i.e. 80,443). For example, I want to scan ports 80 and 443 on host 172.16.27.56.

 perl nikto.pl -h 172.16.27.56 -p 80,443
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on cmsstage.mid-day.com:88
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 20:38:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.

---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
                   Ciphers: DHE-RSA-AES256-GCM-SHA384
                   Issuer:  /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time:         2014-01-10 20:38:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ All CGI directories 'found', use '-C none' to test none
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
.....

Suppose the system on which Nikto runs can reach the target host only through an HTTP proxy. The scan can still be carried out in two different ways: one uses the nikto.conf file, the other passes the proxy directly on the command line.

Open the nikto.conf file with any command-line editor.

 vi nikto.conf

Find the "PROXY" variables and uncomment them by removing the "#" from the beginning of the lines, as shown. Then add the proxy host, port, proxy user and password. Save and close the file.

# Proxy settings -- still must be enabled by -useproxy
PROXYHOST=172.16.16.37
PROXYPORT=8080
PROXYUSER=pg
PROXYPASS=pg

Now run Nikto with the -useproxy option. All connections will be relayed through the HTTP proxy.

 perl nikto.pl -h localhost -p 80 -useproxy
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2014-01-10 21:28:29 (GMT5.5)
---------------------------------------------------------------------------
+ Server: squid/2.6.STABLE6
+ Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0
+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080

To run Nikto with the proxy set directly from the command line, pass the proxy URL as the argument of the -useproxy option.

 perl nikto.pl -h localhost -useproxy http://172.16.16.37:8080/
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2014-01-10 21:34:51 (GMT5.5)
---------------------------------------------------------------------------
+ Server: squid/2.6.STABLE6
+ Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0
+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080

Nikto can be updated automatically to the latest plugins and databases; simply run it with the "-update" option.

 perl nikto.pl -update

If new updates are available, the list of newly downloaded updates will be displayed.

+ Retrieving 'nikto_report_csv.plugin'
+ Retrieving 'nikto_headers.plugin'
+ Retrieving 'nikto_cookies.plugin'
+ Retrieving 'db_tests'
+ Retrieving 'db_parked_strings'
+ Retrieving 'CHANGES.txt'
+ CIRT.net message: Please submit Nikto bugs to http://trac2.assembla.com/Nikto_2/report/2

You can also download and update the Nikto plugins and databases manually from http://cirt.net/nikto/UPDATES/.

Reference Links

Nikto Homepage