Skip to main content

How to scan for web server vulnerabilities with Nikto2 in Kali Linux

Nikto is an open source web server vulnerabilities scanner, it is written in Perl, publically available since 2011. Nikto provides the hability to search in webservers for wide known vulnerabilites. It does by itself more than 6.400 verifications about potentially dangerous web server flaws. Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files. For more information about Nikto, please visit the official repository of the project at Github here or visit the official documentation here.

In this article, we will explain you briefly how to use Nikto properly and easily in Kali Linux.

How to use it?

Nikto is included by default on any Kali Linux distribution, so if you type in the console:

nikto --help
 COPY SNIPPET

You should be able to see all the options that the CLI tool has on the output. Now, in order to scan for vulnerabilities on a website/server is so simple as running the following command:

nikto -h <server-ip> -p <port>
 COPY SNIPPET

Where:

  • -h: the ip address or hostname of the server that you want to scan.
  • -p: as not every website runs on the 80 port, you may specify the port with this option.

Note that some servers may run multiple websites on the same server, so they will share the same IP, so if you want a specific scan for the correct website, provide the domain (hostname) instead of the IP e.g google.com. However if you want to scan a website that uses a SSL certificated (secured connection), the port should obviously change as well, for example to scan our own website we could just simply run:

nikto -h ourcodeworld.com -p 443
 COPY SNIPPET

And the scan should start as well. With a secured website, you will see as well the information of the SSL certificate and Nikto will run additional test for checking vulnerabilities on the SSL certificate. The output of nikto in the command line looks like this:

Nikto CLI Kali Linux Example

The scannning will took a while. In our case it took around 15 minutes and Nikto made 8348 requests checking for vulnerabilities:

Nikto CLI completed scan

As a server administrator should i fix everything on the generated list?

After detecting all the vulnerabilities of the server, is up to you to fixing them on the server that you've just tested. Note that not all the + are vulnerabilities, but information as well, so you will need to interpret correctly the information provided by Nikto and proceed according to the warning. Nikto uses the OSVDB (Open Source Vulnerability Database) codes, to provide information about the discovered vulnerabilities.

For example, when we scan the output of our website through the HTTPS protocol, we will have additional warnings:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          69.64.34.144
+ Target Hostname:    ourcodeworld.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.ourcodeworld.com
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
+ Start Time:         2019-05-18 14:53:34 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PleskLin
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server leaks inodes via ETags, header found with file /cgi-bin/, fields: 0x31b 0x56c06c7df334a 
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Server is using a wildcard certificate: *.ourcodeworld.com
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
 COPY SNIPPET

The message "Server is using a wildcard certificate: *.ourcodeworld.com" is generated by the tool, but, what does this means, i mean, we are using a SSL certificate to protect the website, that's better than nothing right? Well, in theory Nikto displays this warning because Wildcard Certificates are less secure than regular certificates, interesting right?. Other important example that you need to interpret right is the following: "The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack", you can find a detailed but easy to understand explanation about the BREACH attack here. As mentioned on the article, the solution for this issue may be turning off the HTTP compression, but how in the world would you send uncompressed resources to your users ! That would increase the download times etc, recommended solutions for this issue would be instead on our code, not in the server by itself:

  1. Protecting the vulnerable pages with a CSRF token.
  2. Adding random bytes to the response to hide the actual compressed length.
  3. Separating the sensitive data from the pages where input text is displayed.

The other epic message is the "OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.". Sure in some cases, the exposal of this information on a website would be harmful, but this kind of file is necessary for Google Web Masters to positionate the website in google ! With such messages, as a pentester you don't need to be paranoic and read carefully the warnings and intervene properly so you won't mess up things that are already working properly.

Happy pentesting !

Comments

Post a Comment

Popular posts from this blog

How to use Ngx-Charts in Angular ?

Charts helps us to visualize large amount of data in an easy to understand and interactive way. This helps businesses to grow more by taking important decisions from the data. For example, e-commerce can have charts or reports for product sales, with various categories like product type, year, etc. In angular, we have various charting libraries to create charts.  Ngx-charts  is one of them. Check out the list of  best angular chart libraries .  In this article, we will see data visualization with ngx-charts and how to use ngx-charts in angular application ? We will see, How to install ngx-charts in angular ? Create a vertical bar chart Create a pie chart, advanced pie chart and pie chart grid Introduction ngx-charts  is an open-source and declarative charting framework for angular2+. It is maintained by  Swimlane . It is using Angular to render and animate the SVG elements with all of its binding and speed goodness and uses d3 for the excellent math functions, scales, axis and shape ge
Post a Comment
Read more

JavaScript new features in ES2019(ES10)

The 2019 edition of the ECMAScript specification has many new features. Among them, I will summarize the ones that seem most useful to me. First, you can run these examples in  node.js ≥12 . To Install Node.js 12 on Ubuntu-Debian-Mint you can do the following: $sudo apt update $sudo apt -y upgrade $sudo apt update $sudo apt -y install curl dirmngr apt-transport-https lsb-release ca-certificates $curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash - $sudo apt -y install nodejs Or, in  Chrome Version ≥72,  you can try those features in the developer console(Alt +j). Array.prototype.flat && Array.prototype. flatMap The  flat()  method creates a new array with all sub-array elements concatenated into it recursively up to the specified depth. let array1 = ['a','b', [1, 2, 3]]; let array2 = array1.flat(); //['a', 'b', 1, 2, 3] We should also note that the method excludes gaps or empty elements in the array: let array1
Post a Comment
Read more

Understand Angular’s forRoot and forChild

  forRoot   /   forChild   is a pattern for singleton services that most of us know from routing. Routing is actually the main use case for it and as it is not commonly used outside of it, I wouldn’t be surprised if most Angular developers haven’t given it a second thought. However, as the official Angular documentation puts it: “Understanding how  forRoot()  works to make sure a service is a singleton will inform your development at a deeper level.” So let’s go. Providers & Injectors Angular comes with a dependency injection (DI) mechanism. When a component depends on a service, you don’t manually create an instance of the service. You  inject  the service and the dependency injection system takes care of providing an instance. import { Component, OnInit } from '@angular/core'; import { TestService } from 'src/app/services/test.service'; @Component({ selector: 'app-test', templateUrl: './test.component.html', styleUrls: ['./test.component
Post a Comment
Read more