./Nikto.pl
November 28th, 2009
Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.
Description
Examine a web server to find potential problems and security vulnerabilities, including:
* Server and software misconfigurations
* Default files and programs
* Insecure files and programs
* Outdated servers and programs
Nikto is built on LibWhisker (by RFP) and can run on any platform which has a Perl environment. It supports SSL, proxies, host authentication, IDS evasion and more. It can be updated automatically from the command-line, and supports the optional submission of updated version data back to the maintainers.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Options:
    -config+          Use this config file
    -Cgidirs+         Scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
    -Display+         Turn on/off display outputs:
                          1   Show redirects
                          2   Show cookies received
                          3   Show all 200/OK responses
                          4   Show URLs which require authentication
                          D   Debug Output
                          V   Verbose Output
    -dbcheck          Check database and other key files for syntax errors (cannot be abbreviated)
    -evasion+         IDS evasion technique:
                          1   Random URI encoding (non-UTF8)
                          2   Directory self-reference (/./)
                          3   Premature URL ending
                          4   Prepend long random string
                          5   Fake parameter
                          6   TAB as request spacer
                          7   Change the case of the URL
                          8   Use Windows directory separator (\)
    -findonly         Find http(s) ports only, don't perform a full scan
    -Format+          Save file (-o) format:
                          htm   HTML Format
                          csv   Comma-separated-value
                          txt   Plain text (default if not specified)
                          xml   XML Format
    -host+            Target host
    -Help             Extended help information
    -id+              Host authentication to use, format is userid:password
    -mutate+          Guess additional file names:
                          1   Test all files with all root directories
                          2   Guess for password file names
                          3   Enumerate user names via Apache (/~user type requests)
                          4   Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                          5   Attempt to brute force sub-domain names, assume that the host name is the parent domain
                          6   Attempt to guess directory names from the supplied dictionary file
    -mutate-options   Provide information for mutates
    -nocache          Disables the URI cache
    -nossl            Disables using SSL
    -no404            Disables nikto attempting to guess a 404 page
    -output+          Write output to this file
    -port+            Port to use (default 80)
    -Pause+           Pause between tests (seconds)
    -root+            Prepend root value to all requests, format is /directory
    -ssl              Force ssl mode on port
    -Single           Single request mode
    -timeout+         Timeout (default 2 seconds)
    -Tuning+          Scan tuning:
                          0   File Upload
                          1   Interesting File / Seen in logs
                          2   Misconfiguration / Default File
                          3   Information Disclosure
                          4   Injection (XSS/Script/HTML)
                          5   Remote File Retrieval - Inside Web Root
                          6   Denial of Service
                          7   Remote File Retrieval - Server Wide
                          8   Command Execution / Remote Shell
                          9   SQL Injection
                          a   Authentication Bypass
                          b   Software Identification
                          c   Remote Source Inclusion
                          x   Reverse Tuning Options (i.e., include all except specified)
    -useproxy         Use the proxy defined in config.txt
    -update           Update databases and plugins from cirt.net (cannot be abbreviated)
    -Version          Print plugin and database versions
    -vhost+           Virtual host (for Host header)
+ requires a value
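The -Tuning selection rule, including the 'x' reverse form, as an added worked example. This POSIX sh script is not part of Nikto or of the original post; it expands a -Tuning value into the exact set of test categories it enables, using only the codes and names from the help text above. Treating an empty value as "all categories" is this script's own convention, since the help text does not state Nikto's default. Someone reviewing a scheduled scan of their own hosts can use it to confirm that, for example, 'x6' really excludes the Denial of Service tests before the job runs.

```shell
#!/bin/sh
# Added example (not Nikto code): expand a Nikto -Tuning value into the
# concrete categories it selects. Codes, names and the 'x' reverse rule
# come from the -Tuning help text; everything else is this script's own.

ALL_TUNING="0123456789abc"

# describe_tuning <code>: print the category name for one tuning code.
describe_tuning() {
    case "$1" in
        0) printf '%s\n' "File Upload" ;;
        1) printf '%s\n' "Interesting File / Seen in logs" ;;
        2) printf '%s\n' "Misconfiguration / Default File" ;;
        3) printf '%s\n' "Information Disclosure" ;;
        4) printf '%s\n' "Injection (XSS/Script/HTML)" ;;
        5) printf '%s\n' "Remote File Retrieval - Inside Web Root" ;;
        6) printf '%s\n' "Denial of Service" ;;
        7) printf '%s\n' "Remote File Retrieval - Server Wide" ;;
        8) printf '%s\n' "Command Execution / Remote Shell" ;;
        9) printf '%s\n' "SQL Injection" ;;
        a) printf '%s\n' "Authentication Bypass" ;;
        b) printf '%s\n' "Software Identification" ;;
        c) printf '%s\n' "Remote Source Inclusion" ;;
        *) printf 'unknown tuning code: %s\n' "$1" >&2; return 1 ;;
    esac
}

# effective_tuning <spec>: print, in canonical order, the codes a -Tuning
# value enables. An 'x' anywhere in the value reverses the selection
# (all categories except the listed ones). Unknown codes are rejected.
effective_tuning() {
    spec="$1"
    reverse=0
    selected=""
    rest="$spec"
    while [ -n "$rest" ]; do
        c="${rest%"${rest#?}"}"      # first character of the remainder
        rest="${rest#?}"
        case "$c" in
            x)        reverse=1 ;;
            [0-9abc]) selected="$selected$c" ;;
            *)        printf 'unknown tuning code: %s\n' "$c" >&2; return 1 ;;
        esac
    done
    # No codes and no 'x': run every category (this script's convention;
    # the help text gives no default).
    if [ -z "$selected" ] && [ "$reverse" -eq 0 ]; then
        reverse=1
    fi
    # Walk the full code list so output is ordered and de-duplicated;
    # a code is included when "listed" XOR "reverse" holds.
    out=""
    rest="$ALL_TUNING"
    while [ -n "$rest" ]; do
        c="${rest%"${rest#?}"}"
        rest="${rest#?}"
        case "$selected" in
            *"$c"*) listed=1 ;;
            *)      listed=0 ;;
        esac
        if [ "$listed" -ne "$reverse" ]; then
            out="$out$c"
        fi
    done
    printf '%s\n' "$out"
}

# tuning_report <spec>: one line per enabled category, "<code>  <name>".
tuning_report() {
    codes="$(effective_tuning "$1")" || return 1
    rest="$codes"
    while [ -n "$rest" ]; do
        c="${rest%"${rest#?}"}"
        rest="${rest#?}"
        printf '%s  %s\n' "$c" "$(describe_tuning "$c")"
    done
}

# Stand-alone usage: ./tuning.sh x6   (defaults to "x6" when no argument given)
tuning_report "${1:-x6}"
```

Because the loop always walks ALL_TUNING, repeated or unordered codes such as "b31" collapse to "13b", and a bare "x" or an empty value both yield every category, which makes the output easy to compare against a change ticket or a scan policy. POSIX sh has no local variables, so the helper variables are global by design.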