nikto(1)

NAME

Nikto - Web Server and CGI Scanner Version - 1.3x

SYNOPSIS

nikto [-h target] [options]

WARNING

Nikto is a tool for finding default web files and examing

web server and CGI security. It makes a lot of reqeusts to the

remote server, which in some cases may cause the server to crash.

It may also be illegal to use this software against servers you

do not have permission to do test.

DESCRIPTION

Nikto is designed to examine web servers and look for

items in multiple categories:

· misconfigurations

· default files and scripts

· insecure files and scripts

· outdated software

It uses Rain Forest Puppy's LibWhisker (wiretrip.net) for HTTP

functionality, and can perform checks in

HTTP or HTTPS.

It also supports basic port scanning and will de

termine if a web server is running on any open ports.

Nikto checks and code can be automatically udpated from the

main distribution server by

using the 'update' option (see below) to ensure Nikto is

checking the most recent vulnerabilities.

Nikto will also load user defined checks at startup if they

are placed in a file named "user_scan_database.db" in

the plugins directory. Unlike scan_database.db, this file

will not be over-written if the -update option is used. This

should always be used if you add your own checks (and you should

send those checks to sullo@cirt.net).

Nikto leaves a footprint on a server it scans--both in an

invalid 404 check and in the User-Agent header. This can

be changed by forcing the $NIKTO{fingerprint} and $NIK

TO{useragent} to new values in the source code, OR, if any

IDS evasion (-e) option is used.

Note that it's pretty obvious when Nikto is scan

ning a server anyway--the large number of invalid requests sticks

out a lot in the server logs, although with an IDS evasion tech

nique it might not be extremely obvious that it was Nikto.

Why the name Nikto? See the movies The Day the Earth Stood

Still" and, of course "Army of Darkness" for the answer. For a

full list of pop-culture references to this, see

http://www.blather.net/archives2/issue2no21.html which has a lot

of good information.

OPTIONS

The options listed below are all optional except the -h

target specification.

They can all be abbreviated to the first letter

(i.e., -m for -mutate), with the exception of -verbose and -de

bug.

-allcgi

Force scan of all possible CGI directories defined

in the config.txt value CGIDIRS, regardless of whether they might

exist or not.

-cookies

Print out the cookie names and values that were re

ceived during the scan.

-evasion <evasion method>

IDS evasion techniques.

This enables the intrusion detection evasion

in LibWhisker. Multiple options can be used by stringing the

numbers together, i.e. to enable methods 1 and 5, use "-e 15".

The valid options are (use the number preceeding each descrip

tion):

1 Random URI encoding (non-UTF8)

2 Add directory self-reference /./

3 Premature URL ending

4 Prepend long random string to re

quest

5 Fake parameters to files

6 TAB as request spacer instead of

spaces

7 Random case sensitivity

8 Use Windows directory separator in

stead of /

9 Session splicing See the LibWhisker

source for more information, or http://www.wiretrip.net/

-findonly Use port scan to find valid HTTP and HTTPS ports

only, but do not perform checks against them.

-Format Output format for the file specified with the

-output option. Valid formats are: HTM - HTML output format. TXT

- Text output format. This is the default if -F is not specified.

CSV - Comma Seperated Value format.

-generic Force full scan rather than trusting the "Serv

er:" identification string, as many servers allow this to be

changed.

-host <ip, hostname or file>

Target host(s) to check against. This can be an IP

address or hostname, or a file of IPs or hostnames.

If this argument is a file, it should for

matted as described below. This is the only required option.

-id <user:password:realm> HTTP Authentication use, format

is userid:password for authorizing Nikto a web server realm. For

NTLM realms, format is id:password:realm.

-mutate Mutate checks. This causes Nikto put all files

with all directories from the .db files and can the host. You

might find some oddities this way. Note that it generates a lot

of checks.

-nolookup Don't perform a host name lookup.

-output <filename>

Write output to this file when complete.

Format is text unless specified via -Format.

-port <port number>

Port number to scan, defaults to port 80 if

missing.

This can also be a range or list of ports,

which

Nikto will check for web servers.

If a web server is found, it will perform a

full scan unless the -f option is used.

-root Always prepend this to requests, i.e., changes a re

quest of "/password.txt" to "/directory/password.txt" (assuming

the value passed on the CLI was "/directory")

-ssl

Force SSL mode on port(s) listed.

Note that Nikto attempts to determine if a

port is HTTP or HTTPS automatically, but this can be slow if the

server fails to respond or is slow to respond to the incorrect

one. This sets SSL usage for *all* hosts and ports.

-timeout Timeout for each request, default is 10 seconds

-useproxy

Use the proxy defined in config.txt for all requests

-vhost <ip or hostname> Virtual host to use for the

"Host:" header, in case it is different from the target.

-Version Print version numbers of Nikto, all plugins and

all databases.

These options cannot be abbreviated to the first letter:

-dbcheck This option will check the syntax of the checks in the

scan_database.db and user_scan_database.db files. This is really

only useful if you are adding checks or are having problems.

-debug Print a huge amount of detail out. In most

cases this is going to be more information than you need, so try

-verbose first.

-update

This will connect to cirt.net and download updated

scan_database.db and plugin files. Use this with caution as you

are downloading files--perhaps including code--from an "untrust

ed" source. This option cannot be combined with any other, but

required variables (like the PROXY settings) will be loaded from

the config.txt file.

-verbose

Print out a lot of extra data during a run. This can be

useful if a scan or server is failing, or to see exactly how a

server responds to each request.

HOSTNAME FILE

If a file is specified with -h instead of a hostname or

IP, Nikto will open the file to use it as a list of targets. The

file should be formatted with one host per line. If no port is

specified, port 80 is assumed. Multiple ports may be specified

per host. If a host file is used, any ports specified via -p are

added to every host. Valid lines would be: 10.100.100.100

10.100.100.100:443 10.100.100.100,443 10.100.100.100:443:8443

10.100.100.100,443,8443 evilash.example.com,80 (etc)

CONFIG FILE

The 'config.txt' file provides a means to set variables at

run-time without modifying the Nikto source itself. The options

below can be set in the file. Options that accept multiple values

(CGIDIRS, SKIPPORTS, etc.) should just use

a space to distinguish multiple values.

None of these are required unless you need them.

CLIOPTS - Add any option here to be added to every Nikto

execution, whether specified at the command line or not.

NMAP - Path to nmap. If defined, Nikto will use nmap to

port scan a host rather than PERL code, and so should be faster.

SKIPPORTS - Port number never to scan (so you don't crash ser

vices, perhaps?). PROXYHOST - Server to use as a proxy, either

IP or hostname, no 'http://' needed. PROXYPORT - Port number

that PROXYHOST uses as a proxy. PROXYUSER - If the PROXYHOST re

quires authentication, use this ID. Nikto will prompt for it if

this is not set & it is needed.

PROXYPASS - If the PROXYHOST requires a password for

PROXYUSER, use this password.

Nikto will prompt for it if this is not set & it is

needed. DEFAULTHTTPVER - First try this HTTP method. If this

fails, Nikto will attempt to find a valid one. Useful if you want

try something non-standard. PLUGINDIR - If Nikto can't find it's

plugin directory for some reason, enter the full path and the

problem is solved. STATIC-COOKIE - The name/value of this cook

ie, if set, will be sent for every request (useful for auth cook

ies).

Variables that start with the 'at' sign (@) will be used when

scan rules are loaded. For each value (seperated by space), the

rule

will be duplicated. See the TEST DATABASES section for

more information.

Predefined variables are:

@CGIDIRS

- CGI directories to look for, valid ones (or all)

will be used for CGI checks against the remote host.

@MUTATEDIRS

- Additional directories to use when operating un

der the Mutate mode besides ones already defined the .db files.

@MUTATEFILES - Additional files to use when operating under the

Mutate mode besides ones already defined the .db files.

@ADMINDIRS

- Typical administration directories.

TEST DATABASES

Rules in the scan databases can use dynamic variables from

config.txt. Any variable that starts with the 'at' sign (@) will

be substited in rules. For example:

A rule of "generic","@CGIDIRStest.html","200","GET","Test"

with "@CGIDIRS=/cgi-bin/ /cgi-sys/" will test for:

/cgi-bin/test.html /cgi-sys/test.html

Any number of these variables can be set, and any number

can be used in a rule (i.e., "@CGIDIRS@ADMINDIRStest.html"). Ad

ditionally, the generic @HOSTNAME and @IP are available, which

use the current target's hostname or IP.

Rules can be specified which also have conditionals for test

success. This can allow a test to look for a 200 HTTP response

but not contain the word "home". This would look like

"200!home" in the scan_database.db file.

EXAMPLES

A basic scan of a web server on port 80. The -h option is

the only option that is required for a basic scan of a web server

on the standard HTTP port.

nikto.pl -h 10.100.100.10

A basic scan of a web server on port 443, forcing SSL

encryption and ignoring the Server header.

Note that Nikto does not assume port 443 to be SSL,

but if HTTP fails it will try HTTPS.

nikto.pl -h 10.100.100.10 -p 443 -s -g Scanning multiple ports on the server, letting Nikto determine

if they are HTTP and SSL encrypted. nikto.pl -h 10.100.100.10 -p 80-90 Scanning specific ports on the system.

nikto.pl -h 10.100.100.10 -p 80,443,8000,8080

You may combine IDS evasion techniques as desired.

nikto.pl -h 10.100.100.10 -p 80 -e 167 IMPORTANT FILES

config.txt - run-time configuration options, see the CON

FIG FILE section nikto_core.plugin - main Nikto code, absolutely

required nikto_plugin_order.txt - determines the order in which

plugins are executed LW.pm - The stand-alone LibWhisker file. It

is probably better to install the LibWhisker module directly than

to use this. user_scan_database.db - If it exists in the plugins

directory, it will load these checks as well. Same syntax as

scan_database.db

ADDITIONAL SOFTWARE

LibWhisker is required for proper execution of Nikto. The

LW.pm library is included with Nikto, but it is recommended that

you download and install the full LibWhisker module from

http://www.wiretrip.net/. If you are not using an installed Lib

whisker, you will need to change Nikto.pl so that it includes the

proper LW.pm file. Edit Nikto.pl and comment the line: use LW;

and uncomment the line below it: require "./plugins/LW.pm";

nmap can be used to speed up port scans. This should be much

faster than relying on PERL code to perform port scans. Nmap can

be obtained from http://www.nmap.org/, it is not included

with Nikto. Versions 3.0 and below should be fine.

SSL software is required to test using HTTPS.

For Windows systems, the SSL software and libraries

can be obtained from http://www.activestate.com/. For unix sys

tems, OpenSSL from http://www.openssl.org/ and the Net::SSLeay

module from http://www.cpan.org/ are required.

CHECKS

Checks, both information and actual security problems, are

derived from a number of sources. These include the mailing lists

BugTraq, NTBugTraq, WebAppSec (WWW-Mobile-Code), and others. The

web sites www.securitytracker.com, www.securiteam.com, www.pack

etstormsecurity.com and www.securityfocus.com. Additionally, up

dates to Nessus are watched and many thanks to all the plugin

writers (and to Renaud for Nessus itself) (http://www.nes

sus.org/).

WARNINGS

Nikto can cause harm to your local system, the remote

system and/or the network.

Some options can generate over 70,000 HTTP requests

to a target. Do not run Nikto againsts hosts you are not autho

rized to perform testing against. Cirt.net takes no responsibili

ty for anything done with this software, any problems it may

cause or problems it may find.

Plugins are standard PERL.

They are included and executed when Nikto is run.

If you run the -update option, new and updated plugins will be

downloaded from cirt.net. This means you are downloading code,

and potentially running it, without viewing it yourself. Please

consider the implications. Do not assume code distributed from

Cirt.net is not harmful, as accidents happen and a malicious

third party may have inserted a dangerous plugin. Cirt.net as

sumes no responsibility if any malicious code is delivered via

the -update option.

DISTRIBUTION

Nikto and updated databases and plugins is distributed

from http://www.cirt.net/

SEE ALSO

LibWhisker - http://www.wiretrip.net/ Nmap

http://www.nmap.org/ OpenSSL - http://www.openssl.org/ CPAN

http://www.cpan.org/ ActiveState - http://www.activestate.com/

Nessus - http://www.nessus.org/

LICENSE

This copyright applies to all code included in this dis

tribution, but does not include the LibWhisker software, which is

distributed under its own license.

Copyright (C) 2001-2003 Sullo/CIRT.net

This program is free software; you can redistribute it

and/or modify it under the terms of the GNU General Public Li

cense

as published by the Free Software Foundation; either

version 2

of the License, or (at your option) any later ver

sion.

This program is distributed in the hope that it will be

useful, but WITHOUT ANY WARRANTY; without even the implied war

ranty of

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

See the GNU General Public License for more de

tails.

You should have received a copy of the GNU General

Public License along with this program; if not, write to the

Free Software Foundation, Inc., 59 Temple Place

Suite 330, Boston, MA

02111-1307, USA.

Contact Information: See the AUTHOR section. AUTHOR

Sullo, sullo@cirt.net http://www.cirt.net/

Suggestions/fixes/support from: Jericho/attrition.org,

rfp/wiretrip.net, Zel/firewallmonkeys.com, Zeno/cgisecurity.com,

Darby/cirt.net, Valdez/cirt.net, S Saady, P Ero

nen/nixu.com, M Arboi, T Seyrat, J DePriest, P Woroshow,

fr0stman, E Udassin, H Heimann

Tests and contributed/suggested by: M Richardson,

Jericho/attrition.org, Prickley Paw, M Arboi, H Heimann

And Xiola.net for succeeding where everyone else has failed.

June 04, 2003

Nikto(1)