
Nikto - A Web Application Vulnerability and CGI Scanner for Web Servers


Nikto Web Scanner is another essential tool for Linux administrators. It is an open-source web scanner released under the GPL license, used to perform comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs.


It was written by Chris Sullo and David Lodge for vulnerability assessment; it checks for outdated versions of over 1250 web servers and more than 270 version-specific problems. It also scans for and reports outdated web server software and plugins.

Features of Nikto Web Scanner

  1. SSL support
  2. Full HTTP proxy support
  3. Supports saving reports in text, HTML, XML and CSV.
  4. Scans multiple ports
  5. Can scan multiple servers by taking input from a file, such as nmap output
  6. Supports LibWhisker IDS
  7. Can identify installed software via headers, files and favicons
  8. Logs to Metasploit
  9. Reports "unusual" headers.
  10. Apache and cgiwrap user enumeration
  11. Host authentication with Basic and NTLM
  12. Scans can be automatically paused at a specified time.

Nikto Requirements

A system with a basic Perl, Perl modules and OpenSSL installation should be able to run Nikto. It has been fully tested on Windows, Mac OSX and various Unix/Linux distributions such as Red Hat, Debian, Ubuntu, BackTrack, etc.

Installing Nikto Web Scanner on Linux

Most of today's Linux systems come with the Perl, Perl modules and OpenSSL packages pre-installed. If they are not included, you can install them with the default system package manager utility, yum or apt-get.

On Red Hat/CentOS/Fedora
[root@tecmint ]# yum install perl perl-Net-SSLeay openssl
On Debian/Ubuntu/Linux Mint
[root@tecmint ]# apt-get install perl openssl libnet-ssleay-perl

Next, clone the latest stable Nikto source files from its GitHub repository, move into the nikto/programs/ directory and run it with perl:

git clone https://github.com/sullo/nikto.git
cd nikto/programs
perl nikto.pl -h 
Sample Output
Option host requires an argument

       -config+            Use this config file
       -Display+           Turn on/off display outputs
       -dbcheck            check database and other key files for syntax errors
       -Format+            save file (-o) format
       -Help               Extended help information
       -host+              target host
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -output+            Write output to this file
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -root+              Prepend root value to all requests, format is /directory
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning
       -timeout+           Timeout for requests (default 10 seconds)
       -update             Update databases and plugins from CIRT.net
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
   		+ requires a value

	Note: This is the short help output. Use -H for full help text.

The message "Option host requires an argument" clearly shows that we did not include the required parameter when running the test. So we need to add the one basic required parameter to do a test run.

Basic Testing

A basic scan requires the host you want to target; if nothing else is specified, it scans port 80 by default. The host can be either the hostname or the IP address of a system. You specify the host with the "-h" option.

For example, I want to run a scan against IP 172.16.27.56 on TCP port 80.

[root@tecmint nikto-2.1.5]# perl nikto.pl -h 172.16.27.56
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 00:48:12 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 5956160, size: 24, mtime: 0x4d4865a054e32
+ File/dir '/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Multiple index files found: index.php, index.htm, index.html
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /test.html: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /connect.php?path=http://cirt.net/rfiinc.txt?: Potential PHP MySQL database connection string found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2014-01-10 00:48:23 (GMT5.5) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
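To show how a defender turns a Nikto text report like the one above into a remediation list, here is an added bash example; it is not code from this article or from the Nikto project. It parses a constructed copy of the sample output embedded in the script, so it runs offline. The priority buckets in prioritize() are my own triage heuristic, not a Nikto feature; the -o and -Format options mentioned in the usage comment are Nikto's own report options.

```shell
#!/usr/bin/env bash
# Constructed sample: a subset of the Nikto 2.1.5 text output shown above,
# embedded here so the script runs without a live scan.
NIKTO_SAMPLE=$(cat <<'EOF'
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 00:48:12 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3092: /test.html: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2014-01-10 00:48:23 (GMT5.5) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
EOF
)

# Number of findings that carry an OSVDB reference (the lines worth tracking in a ticket).
count_osvdb() {
  printf '%s\n' "$1" | grep -c '^+ OSVDB-'
}

# Distinct OSVDB ids, one per line, sorted.
osvdb_ids() {
  printf '%s\n' "$1" | sed -n 's/^+ \(OSVDB-[0-9]*\):.*/\1/p' | sort -u
}

# Assign a coarse priority to each OSVDB finding so the remediation order is clear.
# This bucketing is the example's own heuristic, not something Nikto emits:
#   high:   active TRACE (XST) or an exposed configuration page such as phpinfo
#   medium: directory indexing, default files, outdated server version
#   low:    everything else ("might be interesting")
prioritize() {
  printf '%s\n' "$1" | awk '
    /^\+ OSVDB-/ {
      pri = "low"
      if ($0 ~ /TRACE method is active|Contains PHP configuration/) pri = "high"
      else if ($0 ~ /Directory indexing|default file found|outdated/) pri = "medium"
      sub(/^\+ /, "")
      print pri "\t" $0
    }'
}

# One-line summary: server banner, whether X-Frame-Options is missing, items reported.
summary() {
  local out="$1"
  local server missing_xfo reported
  server=$(printf '%s\n' "$out" | sed -n 's/^+ Server: //p' | head -n1)
  if printf '%s\n' "$out" | grep -q 'X-Frame-Options header is not present'; then
    missing_xfo=yes
  else
    missing_xfo=no
  fi
  reported=$(printf '%s\n' "$out" | sed -n 's/^+ [0-9]* items checked: .* and \([0-9]*\) item(s) reported.*/\1/p')
  printf 'server=%s missing_xfo=%s reported=%s\n' "$server" "$missing_xfo" "$reported"
}

# Usage: run the demo over the embedded sample, or over a saved report, e.g.
#   perl nikto.pl -h <host> -o scan.txt -Format txt ; summary "$(cat scan.txt)"
if [ "${1:-}" = "--demo" ]; then
  summary "$NIKTO_SAMPLE"
  prioritize "$NIKTO_SAMPLE"
fi
```

Run it with --demo to see the summary and the prioritized list for the embedded sample; for a real report, save the scan with -o and -Format txt and pass the file contents to summary and prioritize. Duplicate OSVDB ids (3233 appears twice above) are normal, since one id can map to several paths, which is why osvdb_ids deduplicates while count_osvdb does not.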

If you want to scan a different port number, add the "-p" [-port] option. For example, I want to run a scan against IP 172.16.27.56 on TCP port 443.

[root@tecmint nikto-2.1.5]# perl nikto.pl -h 172.16.27.56 -p 443
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
                   Ciphers: DHE-RSA-AES256-GCM-SHA384
                   Issuer:  /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time:         2014-01-10 01:08:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Server leaks inodes via ETags, header found with file /, inode: 2817021, size: 5, mtime: 0x4d5123482b2e9
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Server is using a wildcard certificate: '*.mid-day.com'
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2014-01-10 01:11:20 (GMT5.5) (174 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

You can also specify the host, port and protocol using full URL syntax, and it will be scanned.

[root@tecmint nikto-2.1.5]# perl nikto.pl -h http://172.16.27.56:80

You can also scan any website. For example, I ran a scan against google.com.

[root@tecmint nikto-2.1.5]# perl nikto.pl -h http://www.google.com
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          173.194.38.177
+ Target Hostname:    www.google.com
+ Target Port:        80
+ Start Time:         2014-01-10 01:13:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: gws
+ Cookie PREF created without the httponly flag
+ Cookie NID created without the httponly flag
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Uncommon header 'alternate-protocol' found, with contents: 80:quic
+ Root page / redirects to: http://www.google.co.in/?gws_rd=cr&ei=xIrOUomsCoXBrAee34DwCQ
+ Server banner has changed from 'gws' to 'sffe' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-content-type-options' found, with contents: nosniff
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ File/dir '/groups/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
….

The above command performs a large number of HTTP requests (i.e. more than 2000 tests) against the web server.

Multiple Port Testing

You can also run scans of multiple ports in the same session. To scan multiple ports on the same host, add the "-p" [-port] option and specify the list of ports. Ports can be defined as a range (i.e. 80-443) or comma-separated (i.e. 80,443). For example, I want to scan ports 80 and 443 on host 172.16.27.56.

[root@tecmint nikto-2.1.5]# perl nikto.pl -h 172.16.27.56 -p 80,443
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on cmsstage.mid-day.com:88
---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2014-01-10 20:38:26 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.

---------------------------------------------------------------------------
+ Target IP:          172.16.27.56
+ Target Hostname:    example.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /O=*.mid-day.com/OU=Domain Control Validated/CN=*.mid-day.com
                   Ciphers: DHE-RSA-AES256-GCM-SHA384
                   Issuer:  /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
+ Start Time:         2014-01-10 20:38:36 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ All CGI directories 'found', use '-C none' to test none
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
.....
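The feature list above says Nikto can take its targets from a file such as nmap output. As an added example (not from this article or the Nikto project), the bash script below builds that target list itself: it reads a constructed nmap greppable (-oG) scan and keeps only open TCP ports whose service name contains "http", so that the Nikto scan covers every web port found (80, 443, 8080 and so on) rather than just the default 80. The sample scan data is made up, and the script assumes the documented behaviour that -h also accepts a text file of targets, one per line; confirm that against perl nikto.pl -H for your version.

```shell
#!/usr/bin/env bash
# Constructed sample of nmap greppable output (nmap -oG); not real scan data.
# Fields in a Ports entry are port/state/protocol/owner/service/rpc/version/.
NMAP_GREPPABLE=$(cat <<'EOF'
# Nmap 6.40 scan initiated as: nmap -p 80,443,8080 -oG - 172.16.27.0/24
Host: 172.16.27.56 ()  Status: Up
Host: 172.16.27.56 ()  Ports: 80/open/tcp//http///, 443/open/tcp//ssl|https///, 8080/closed/tcp//http-proxy///
Host: 172.16.27.57 ()  Status: Up
Host: 172.16.27.57 ()  Ports: 80/filtered/tcp//http///, 443/open/tcp//ssl|https///  Ignored State: closed (1)
Host: 172.16.27.58 ()  Status: Up
Host: 172.16.27.58 ()  Ports: 22/open/tcp//ssh///
# Nmap done: 256 IP addresses (3 hosts up) scanned
EOF
)

# Emit one "host:port" per line for every open TCP port whose nmap service
# name contains "http" (http, https, http-proxy, http-alt, ...).
web_targets() {
  printf '%s\n' "$1" | awk -F'Ports: ' '
    /^Host: / && NF > 1 {
      split($1, h, " "); host = h[2]
      ports = $2
      sub(/[ \t]+Ignored State:.*/, "", ports)   # trailing field nmap appends
      n = split(ports, p, ", ")
      for (i = 1; i <= n; i++) {
        split(p[i], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
        if (f[2] == "open" && f[3] == "tcp" && f[5] ~ /http/) print host ":" f[1]
      }
    }'
}

# Number of targets, useful for sizing the scan window before launching.
target_count() {
  web_targets "$1" | wc -l | tr -d ' '
}

# Write the list to a file for nikto's -h option and return the line count.
write_targets() {
  web_targets "$1" > "$2"
  wc -l < "$2" | tr -d ' '
}

# Usage with a real scan (hypothetical file names):
#   nmap -p 80,443,8080 -oG scan.gnmap 172.16.27.0/24
#   write_targets "$(cat scan.gnmap)" targets.txt
#   perl nikto.pl -h targets.txt -o results.csv -Format csv
if [ "${1:-}" = "--demo" ]; then
  web_targets "$NMAP_GREPPABLE"
fi
```

For the sample above the list is 172.16.27.56:80, 172.16.27.56:443 and 172.16.27.57:443; the filtered port 80 on .57, the closed 8080 on .56 and the SSH-only host are dropped, which keeps a large scan from wasting its time budget on ports that will never answer HTTP.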

Using a Proxy

Suppose the system running Nikto can reach the target host only through an HTTP proxy; the test can still be run in two different ways. One is to use the nikto.conf file, the other is to run it directly from the command line.

Using the Nikto.conf File

Open the nikto.conf file with any command-line editor.

[root@localhost nikto-2.1.5]# vi nikto.conf

Search for the variable "PROXY" and uncomment the lines by removing the "#" at the beginning, as shown. Then add the proxy host, port, proxy user and password. Save and close the file.

Proxy settings -- still must be enabled by -useproxy
PROXYHOST=172.16.16.37
PROXYPORT=8080
PROXYUSER=pg
PROXYPASS=pg
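The same edit can be scripted, which is useful when the proxy settings are rolled out to several scanning hosts. The bash example below is added here and is not part of the article or of Nikto; it works on a constructed stand-in for the proxy block of nikto.conf (the real file has many other settings around it), keeps a .bak copy, and tightens the file permissions when a password is written, since PROXYPASS is stored in clear text.

```shell
#!/usr/bin/env bash
# Constructed stand-in for the proxy block of nikto.conf; the real file is larger.
SAMPLE_CONF='# Proxy settings -- still must be enabled by -useproxy
#PROXYHOST=127.0.0.1
#PROXYPORT=8080
#PROXYUSER=
#PROXYPASS='

# Uncomment and set the PROXY* lines in the given config file.
# Arguments: conf_path host port [user pass]. A .bak copy of the original is kept.
enable_proxy() {
  local conf="$1" host="$2" port="$3" user="${4:-}" pass="${5:-}"
  sed -i.bak \
    -e "s|^#*PROXYHOST=.*|PROXYHOST=$host|" \
    -e "s|^#*PROXYPORT=.*|PROXYPORT=$port|" \
    "$conf"
  if [ -n "$user" ]; then
    sed -i.bak \
      -e "s|^#*PROXYUSER=.*|PROXYUSER=$user|" \
      -e "s|^#*PROXYPASS=.*|PROXYPASS=$pass|" \
      "$conf"
    # The proxy password now sits in clear text in the file: owner-only access.
    chmod 600 "$conf"
  fi
}

# Read back one active (uncommented) setting, e.g. proxy_setting nikto.conf PROXYHOST
proxy_setting() {
  sed -n "s/^$2=//p" "$1"
}

# Sanity check before running with -useproxy: host set and port numeric.
proxy_config_ok() {
  local host port
  host=$(proxy_setting "$1" PROXYHOST)
  port=$(proxy_setting "$1" PROXYPORT)
  [ -n "$host" ] && printf '%s' "$port" | grep -Eq '^[0-9]+$'
}

# Usage on a real install (edit a working copy, then point nikto at it with -config):
#   cp nikto.conf nikto.conf.work
#   enable_proxy nikto.conf.work 172.16.16.37 8080 pg pg
#   perl nikto.pl -config nikto.conf.work -h localhost -p 80 -useproxy
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_CONF" > "$tmp"
  enable_proxy "$tmp" 172.16.16.37 8080 pg pg
  cat "$tmp"
  rm -f "$tmp" "$tmp.bak"
fi
```

The -config option used in the usage comment is the one listed in the short help output earlier in this article. Keeping the proxy credentials in the config file rather than on the command line also keeps them out of shell history and the process list, which is the practical reason to prefer this method over the command-line form when a username and password are involved.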

Now run Nikto with the "-useproxy" option. Note that all connections will be relayed through the HTTP proxy.

[root@localhost nikto-2.1.5]# perl nikto.pl -h localhost -p 80 -useproxy
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2014-01-10 21:28:29 (GMT5.5)
---------------------------------------------------------------------------
+ Server: squid/2.6.STABLE6
+ Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0
+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080

Using the Command Line

Run Nikto directly from the command line with the "-useproxy" option, passing the proxy as its argument.

[root@localhost nikto-2.1.5]# perl nikto.pl -h localhost -useproxy http://172.16.16.37:8080/
Sample Output
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2014-01-10 21:34:51 (GMT5.5)
---------------------------------------------------------------------------
+ Server: squid/2.6.STABLE6
+ Retrieved via header: 1.0 netserv:8080 (squid/2.6.STABLE6)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'x-squid-error' found, with contents: ERR_CACHE_ACCESS_DENIED 0
+ Uncommon header 'x-cache-lookup' found, with contents: NONE from netserv:8080

Updating Nikto

You can automatically update Nikto to the latest plugin database by simply running it with the "-update" option.

[root@localhost nikto-2.1.5]# perl nikto.pl -update

If a new update is available, you will see the list of new updates that were downloaded.

+ Retrieving 'nikto_report_csv.plugin'
+ Retrieving 'nikto_headers.plugin'
+ Retrieving 'nikto_cookies.plugin'
+ Retrieving 'db_tests'
+ Retrieving 'db_parked_strings'
+ Retrieving 'CHANGES.txt'
+ CIRT.net message: Please submit Nikto bugs to http://trac2.assembla.com/Nikto_2/report/2

You can also manually download and update Nikto plugins and databases from http://cirt.net/nikto/UPDATES/.

Reference Links

Nikto Homepage