Thursday, July 24, 2008

Penetration testing tools - Nikto

Armando Romeo

Nikto is a web server security assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server. Definitely one of the most popular free web app scanners available.

After a short vacation I'm back on the series of the best tools for web application penetration testers. Last time we looked at DirBuster in the category of information gathering. It was hard to pick one among all the nice tools around for fuzzing and discovering hidden parts of a web site.

Another similar tool I like is wfuzz, which works both with a dictionary and by brute force.

But this time I'm going to talk about Nikto, as it is one of the best-known and most widely used web application security scanners.

Quoting from the author's website:

Nikto checks for 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers.

A good thing is that Nikto's database of vulnerabilities can be updated easily from the command line (it's a command line tool written in Perl, by the way).

Nikto is especially good once we have discovered what's running on the target web server and we want to know what's vulnerable.

Nikto is not meant as an attacking tool. It is more a vulnerability assessment tool that tries known exploits against the target to trigger known behaviours. When this happens it is reported to the user.
Nikto is not only useful when the target has some off-the-shelf code known to be vulnerable to a publicly available exploit; it also helps in discovering known web server misconfigurations.

The first useful thing Nikto does when launched against a web site is to fingerprint the web server version.
Then it tries the whole signature database against the website according to the enabled tests (all by default).
This causes a lot of "noise" in the website log, as it doesn't seem to narrow down the type of attacks according to the type of software found on the web server, but this shouldn't be a problem for an authorized penetration testing job.
Joomla is a nice example: Nikto tries all the known exploits against Joomla components even if these components are not installed on the Joomla distro it is assessing.
So 90% of the trials are nonsense, while a more intelligent way to do it would have been to recognize what is installed and then try the exploits accordingly. But yeah, Nikto is open source and anyone can adjust how it works.

Nikto provides a good degree of flexibility by allowing the pen tester to tune the scan, enabling only certain kinds of vulnerabilities to be tested, such as Misconfiguration/default files, Information disclosure, Interesting file/seen in logs, etc.

These can be enabled/disabled easily using the -Tuning switch followed by the reference numbers you can find in the Nikto manual in the package.

This is an example that will trigger the tests of Remote File Retrieval and Command execution only:

perl nikto.pl -h 192.168.0.1 -T 58

With the "x" we exclude those two and enable all the rest:

perl nikto.pl -h 192.168.0.1 -T 58x

My favourite test is number 1, "Interesting File / Seen in logs": it sometimes shows interesting stuff that can be very helpful for the whole penetration testing endeavour.

As a last note, false positives are probably the only problem affecting Nikto. It sometimes reports completely meaningless threats, so manual verification is needed to validate the scan results.
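A common source of those false positives is a server that answers every path with the same "200 OK" page, so Nikto sees each file it probes as present. As an added example (not Nikto's own code or output), the script below re-requests a handful of reported paths, compares each response against a request for a random path that cannot exist, and flags the ones that look like the catch-all page; the base URL and the listed paths are constructed placeholders, not results from any real scan.

```python
import hashlib
import urllib.error
import urllib.request
import uuid

# Constructed sample findings of the kind Nikto's "Interesting File / Seen in logs"
# test reports; these are placeholders, not output from a real scan.
SAMPLE_FINDINGS = ["/admin/", "/backup.zip", "/phpinfo.php"]


def fingerprint(status, body):
    """Reduce an HTTP response to (status, body length, body hash) for comparison."""
    return status, len(body), hashlib.sha256(body).hexdigest()


def fetch(base_url, path, timeout=10):
    """GET base_url + path and return its fingerprint; 4xx/5xx answers are fingerprinted too."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return fingerprint(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return fingerprint(err.code, err.read())


def classify(finding_fp, baseline_fp, size_tolerance=0.05):
    """Compare a reported path's response with the response for a surely-nonexistent path.

    Returns 'false-positive', 'likely-false-positive' or 'verify-manually'.
    """
    status, size, digest = finding_fp
    b_status, b_size, b_digest = baseline_fp
    if status == 404:
        return "false-positive"  # the server itself says the file is not there
    if status == b_status and digest == b_digest:
        return "false-positive"  # byte-identical to the catch-all page
    if status == b_status and abs(size - b_size) <= size_tolerance * max(b_size, 1):
        return "likely-false-positive"  # same status and nearly the same size as the catch-all
    return "verify-manually"  # genuinely different answer: worth a human look


def triage(base_url, findings):
    """Fingerprint a random path once, then classify every reported path against it."""
    baseline = fetch(base_url, "/" + uuid.uuid4().hex)
    return {path: classify(fetch(base_url, path), baseline) for path in findings}
```

Paths classified as "verify-manually" are the ones to open by hand; the rest are most likely artefacts of the server's catch-all behaviour.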
