
Nikto CGI Scanner

Description
Nikto is a CGI vulnerability scanner. It searches a web server for faulty CGI scripts and also for misconfigurations of the web server itself. CGI scanners do not belong to the category of unobtrusive scanners, which is why they are not a hacker's first choice. Since nikto does not only look for CGI scripts, you should definitely run it against your own web server, because this scanner always finds something that could be improved.

Installation
Since nikto is a simple Perl script, you can start right away after downloading and unpacking it. The latest version can be found at http://www.cirt.net/nikto/nikto-current.tar.gz .


Command-line options

---------------------------------------------------------------------------
- Nikto 1.31/1.16   -   www.cirt.net

  Options:
    -allcgi         force scan of all possible CGI directories
    -cookies         print cookies found
    -evasion+        ids evasion technique (1-9, see below)
    -findonly        find http(s) ports only, don't perform a full scan
    -Format         save file (-o) Format: htm, csv or txt (assumed)
    -generic         force full (generic) scan
    -host+          target host
    -id+           host authentication to use, format is userid:password
    -mutate+         mutate checks (see below)
    -nolookup        skip name lookup
    -output+         write output to this file
    -port+          port to use (default 80)
    -root+          prepend root value to all requests, format is /directory
    -ssl           force ssl mode on port
    -timeout         timeout (default 10 seconds)
    -useproxy        use the proxy defined in config.txt
    -vhost+         virtual host (for Host header)
    -Version         print plugin and database versions
  + requires a value

  These options cannot be abbreviated:
    -debug          debug mode
    -dbcheck         syntax check scan_database.db and user_scan_database.db
    -update         update databases and plugins from cirt.net
    -verbose         verbose mode

  IDS Evasion Techniques:
    1    Random URI encoding (non-UTF8)
    2    Directory self-reference (/./)
    3    Premature URL ending
    4    Prepend long random string
    5    Fake parameter
    6    TAB as request spacer
    7    Random case sensitivity
    8    Use Windows directory separator (\)
    9    Session splicing

  Mutation Techniques:
    1    Test all files with all root directories
    2    Guess for password file names
    3    Enumerate user names via Apache (/~user type requests)
    4    Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)

In my opinion most of the options are self-explanatory, but I will still describe the most important ones.
-host www.test.de  The option -host is followed by the host name or IP address of the web server we intend to scan.
-port 80  The port number. Usually not required, since the default is 80 and almost all web servers run on port 80.
-Format txt  The format in which the output file should be written.
-vhost  If several domains run on the target system, this parameter selects the domain name you intend to scan.
-update  Updates the CGI database from the Internet.

Running it against a target system
A web server is scanned with the following command.
perl nikto.pl -host www.mainedomain.de


Evaluating the log file
A log file from a scanned IIS 5.0 web server.

---------------------------------------------------------------------------
- Nikto 1.31/1.16   -   www.cirt.net
+ Target IP:    192.168.0.1
+ Target Hostname:
+ Target Port:   80
+ Start Time:   Fri Mar 5 16:08:37 2004
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Microsoft-IIS/5.0
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists.
+ HTTP method 'SEARCH' may be used to get directory listings if Index Server is running.
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ Microsoft-IIS/5.0 is outdated if server is Win2000 (4.0 is current for NT 4)
+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACK)
+ /<script>alert('Vulnerable') </script>.shtml - Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /blahb.ida - Reveals physical path. To fix: Preferences -> Home directory -> Application & check 'Check if file exists' for the ISAPI mappings. MS01-033. (GET)
+ /blahb.idq - Reveals physical path. To fix: Preferences -> Home directory -> Application & check 'Check if file exists' for the ISAPI mappings. MS01-033. (GET)
+ /xxxxx.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval. Ensure Q252463i, Q252463a or Q251170 is installed. MS00-006. (GET)
+ /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir - IIS is vulnerable to a double-decode bug, which allows commands to be executed on the system. CAN-2001-0333. BID-2708. (GET)
+ /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir - IIS Unicode command exec problem, see http://www.wiretrip.net/rfp/p/doc.asp?id=57&face=2 and http://www.securitybugware.org/NT/1422.html. CVE-2000-0884 (GET)
+ /scripts/samples/search/qfullhit.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval. MS00-006. (GET)
+ /scripts/samples/search/qsumrhit.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval. MS00-006. (GET)
+ /_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir - IIS is vulnerable to a double-decode bug, which allows commands to be executed on the system. CAN-2001-0333. BID-2708. (GET)
+ /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir - IIS Unicode command exec problem, see http://www.wiretrip.net/rfp/p/doc.asp?id=57&face=2 and http://www.securitybugware.org/NT/1422.html. CVE-2000-0884 (GET)
+ /_vti_bin/fpcount.exe - Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. CAN-1999-1376. BID-2252. (GET)
+ /_vti_bin/shtml.dll/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611 - Gives info about server settings. CAN-2000-0413, CAN-2000-0709, CAN-2000-0710, BID-1608, BID-1174. (POST)
+ /_vti_bin/shtml.exe - Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted. CAN-2000-0413, CAN-2000-0709, CAN-2000-0710, BID-1608, BID-1174. (GET)
+ /_vti_bin/shtml.exe/_vti_rpc - FrontPage may be installed. (GET)
+ /_vti_bin/shtml.exe/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611 - Gives info about server settings. CAN-2000-0413, CAN-2000-0709, CAN-2000-0710, BID-1608, BID-1174. (POST)
+ /_vti_bin/_vti_aut/author.dll?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=false - Needs Auth: (realm NTLM)
+ /_vti_bin/_vti_aut/author.exe?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=false - Needs Auth: (realm NTLM)
+ /_vti_inf.html - FrontPage may be installed. (GET)
+ 1973 items checked - 18 item(s) found on remote host(s)
+ End Time:    Fri Mar 5 16:09:00 2004 (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


And here is the output from a scanned Apache web server.

---------------------------------------------------------------------------
- Nikto 1.31/1.16   -   www.cirt.net
+ Target IP:    192.168.0.8
+ Target Hostname: linux.online.de
+ Target Port:   80
+ Start Time:   Fri Mar 5 16:20:03 2004
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache/1.3.23 (Unix) PHP/4.1.0 mod_perl/1.26
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
+ HTTP method 'PUT' method may allow clients to save files on the web server.
+ HTTP method 'CONNECT' may allow server to proxy client requests.
+ HTTP method 'DELETE' may allow clients to remove files on the web server.
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists.
+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed.
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ Apache/1.3.23 appears to be outdated (current is at least Apache/2.0.47). Apache 1.3.28 is still maintained and considered secure.
+ PHP/4.1.0 appears to be outdated (current is at least 4.3.3)
+ mod_perl/1.26 appears to be outdated (current is at least v5.8.0)
+ mod_perl/1.26 appears to be outdated (current is at least 1.99_09)
+ Apache/1.3.23 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ PHP/4.1.0 mod_perl/1.26 - PHP below 4.3.3 may allow local attackers to safe mode and gain access to unauthorized files. BID-8203.
+ Apache/1.3.23 - Apache 1.x up 1.2.35 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ /~root - Enumeration of users is possible by requesting ~username (responds with Forbidden for real users, not found for non-existent users) (GET).
+ /icons/ - Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used all, the /icons directory should be removed. (GET)
+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACK)
+ /config.php - PHP Config file may contain database IDs and passwords. (GET)
+ /config/ - Configuration information may be available remotely. (GET)
+ /webalizer/ - Webalizer may be installed. Versions lower than 2.10-09 vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /cgi-bin/cgiwrap - Some versions of cgiwrap allow anyone to execute commands remotely. (GET)
+ /cgi-bin/cgiwrap/~xxxxx - Based on error message, cgiwrap can likely be used to find valid user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~xxxxx - Based on error message, cgiwrap can likely be used to find valid user accounts. (GET)
+ /cgi-bin/htsearch?-c/nonexistant - The ht::/Dig install may let an attacker force ht://Dig to read arbitrary config files for itself. (GET)
+ /config/checks.txt - This might be interesting... (GET)
+ /cgi-bin/search.pl - This might be interesting... (GET)
+ 2347 items checked - 13 item(s) found on remote host(s)
+ End Time:    Fri Mar 5 16:20:14 2004 (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
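To evaluate reports like the two above programmatically, here is an added Python parser (not part of the original page or of Nikto itself) for the 1.3x text output: it reads the '+' lines into header fields, counters and findings, extracts the CVE/CAN, BID, MS and CA references each finding cites, and lists the allowed HTTP methods that the scan output itself flags. The embedded sample is a constructed excerpt modelled on the IIS and Apache logs above, not a real scan result.

```python
import re

# Constructed excerpt in the Nikto 1.3x text format shown above (not a real scan result).
SAMPLE = """\
- Nikto 1.31/1.16   -   www.cirt.net
+ Target Hostname: linux.online.de
+ Server: Apache/1.3.23 (Unix) PHP/4.1.0 mod_perl/1.26
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ Apache/1.3.23 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow. CAN-2002-0839.
+ /config.php - PHP Config file may contain database IDs and passwords. (GET)
+ /blahb.ida - Reveals physical path. To fix: check 'Check if file exists' for the ISAPI mappings. MS01-033. (GET)
+ /cgi-bin/search.pl - This might be interesting... (GET)
+ 2347 items checked - 5 item(s) found on remote host(s)
+ End Time:    Fri Mar 5 16:20:14 2004 (11 seconds)
+ 1 host(s) tested
"""

HEADER_KEYS = ("Target IP", "Target Hostname", "Target Port", "Server", "Allowed HTTP Methods", "Start Time", "End Time")
REF_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d+\b|\bBID-\d+\b|\bMS\d{2}-\d{3}\b|\bCA-\d{4}-\d{2}\b")
METHOD_RE = re.compile(r"\s\((GET|POST|HEAD|TRACE|TRACK)\)$")   # trailing "(GET)" marker on a finding
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}           # the methods Nikto's own output warns about

def parse_nikto_txt(text):
    report = {"findings": []}
    for line in text.splitlines():
        if not line.startswith("+ "):
            continue                                  # '-' lines are banner/notes, not results
        body = line[2:].strip()
        key, sep, value = body.partition(":")
        if sep and key in HEADER_KEYS:
            report[key] = value.strip()               # scan metadata, e.g. "Server: Apache/1.3.23 ..."
        elif " items checked - " in body:
            report["items_found"] = int(body.split(" - ", 1)[1].split()[0])
        elif body.endswith("host(s) tested"):
            report["hosts_tested"] = int(body.split()[0])
        else:
            m = METHOD_RE.search(body)
            method, body = (m.group(1), body[:m.start()]) if m else (None, body)
            subject, sep, desc = body.partition(" - ")   # "<path or server component> - <text>"
            report["findings"].append({"subject": subject if sep else None,
                                       "description": desc if sep else body,
                                       "method": method, "refs": REF_RE.findall(body)})
    return report

def risky_methods(report):
    """Allowed HTTP methods that the scan output itself flags for review (disable or restrict them)."""
    allowed = {m.strip() for m in report.get("Allowed HTTP Methods", "").split(",")}
    return sorted(allowed & RISKY_METHODS)
```

Findings with a non-empty "refs" list point at a documented advisory and should be verified and patched first; the "This might be interesting..." entries need a manual look.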