【安全牛学习笔记】扫描工具-Nikto

╋━━━━━━━╋

┃实验环境 ┃

┃Metasploitable┃

┃ Dvwa ┃

╋━━━━━━━╋

Username admin

password password

╋━━━━━━━━━━━╋

┃侦查 ┃

┃Httrack ┃

┃ 减少与目标系统互 ┃

╋━━━━━━━━━━━╋

root@kali:~# mkdir dvwa

root@kali:~# httrack

welcom to HTTrack Website Coier (Offline Brower) 3.48-20

To see the option list, enter a blank line or try httrack --help

Enter project name :dvwa

Base path (return=/root/websites/) :/root/dvwa

Enter URLs (separated by commas or blank spaces) :http://192.168.1.109/dvwa/

Action:

(enter) 1 Mirror Web Site(s)

2 Mirror Web Site(s) with Wizard

3 Just Get Files Indicated

4 Mirror ALL links in URLs (Multiple Mirror)

5 Test Links In URLs (Bookmark Test)

0 Quit

Proxy (return=none) :

You can define wildcards, like: -*.gif +www.*.com/*.zip -*img_*.zip

Wildcards (return=none) :*

You can define additional options, such as recurse leve (-r<number>),separedy blank space

To see the option list, type help

Additional options (return=none) :

---> Wizard command line: httrack http://192.168.1.109/dvwa/ -W -O "/root/dvwa/dvwa" -%v *

Ready to lauch the mirror? (Y/n) :

WARNING! You are runing this program as root!

It might be a good idea to run as a differrnt user

Mirror launched to Thu, 03 Dec 2015 19:47:12 by HTTrack Website Copier/3.48-20 [XR&CO'2014]

Mirroring http:192.168.1.109/dvwa/ * with the wizard help..

╋━━━━━━━╋

┃扫描工具 ┃

┃Nikto ┃

┃Vega ┃

┃Skipfish ┃

┃W3af ┃

┃Arachni ┃

┃Owasp-zap ┃

╋━━━━━━━╋

推荐《web Pentration Testing with Kali Linux》

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

┃NIKTO ┃

┃Perl语言开发的开源web安全扫描器 ┃

┃软件版本 ┃

┃搜索存在安全隐患的文件 ┃

┃服务器配置漏洞 ┃

┃WEB Application层面的安全隐患 ┃

┃避免404误判 ┃

┃ 很多服务器不遵守RFC标准，对于不存在的对象返回200响应码┃

┃ 依据响应文件内容判断，不同扩展名的文件404响应内容不同 ┃

┃ 去除时间信息后的内容取MD5值 ┃

┃ -no404 ┃

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

root@kali:~# nikto

- Nikto v2.1.6

---------------------------------------------------------------------------

+ ERROR: No host specified

-config+ Use this config file

-Display+ Turn on/off display outputs

-dbcheck check database and other key files for syntax errors

-Format+ save file (-o) format

-Help Extended help information

-host+ target host

-id+ Host authentication to use, format is id:pass or id:pass:realm

-list-plugins List all available plugins

-output+ Write output to this file

-nossl Disables using SSL

-no404 Disables 404 checks

-Plugins+ List of plugins to run (default: ALL)

-port+ Port to use (default 80)

-root+ Prepend root value to all requests, format is /directory

-ssl Force ssl mode on port

-Tuning+ Scan tuning

-timeout+ Timeout for requests (default 10 seconds)

-update Update databases and plugins from CIRT.net

-Version Print plugin and database versions

-vhost+ Virtual host (for Host header)

+ requires a value

Note: This is the short help output. Use -H for full help text.

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

┃nikto -list-plugins ┃

┃nikto -update ┃

┃ cirt.net ┃

┃ http://cirt.net/nikto/UPDATES ┃ 192.168.60.90:80

┃nikto -host http://1.1.1.1 ┃ https://192.168.60.90:443

┃nikto -host 192.168.1.1 -ssl -port 443,8443,995 ┃ 192.168.60.90

┃nikto -host host.txt ┃

┃nmap -p80 192.168.1.0/24 -oG - | nikto -host - ┃

┃nikto -host 192.168.1.1 -useproxy http://localhost:8087 ┃

┃-vhost ┃

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

root@kali:~# nikto -update

+ ERROR (302): Unable to get cirt.net/nikto/UPDATES/2.1.6/versions.txt

root@kali:~# nikto -list-plugins

Plugin: auth

Guess authentication - Attempt to guess authentication realms

Plugin: put_del_test

Put/Delete test - Attempts to upload and delete files through the PUT and DELETE HTTP methods.

Plugin: clientaccesspolicy

clientaccesspolicy.xml - Checks whether a client access file exists, and if it contains a wildcard entry.

Plugin: apache_expect_xss

Apache Expect XSS - Checks whether the web servers has a cross-site scripting vulnerability through the Expect: HTTP header

Plugin: fileops

File Operations - Saves results to a text file.

Plugin: msgs

Server Messages - Checks the server version against known issues.

Plugin: report_nbe

NBE reports - Produces a NBE report.

Plugin: embedded

Embedded Detection - Checks to see whether the host is an embedded server.

Plugin: report_csv

CSV reports - Produces a CSV report.

Plugin: drupal

Drupal Specific Tests - Performs a selection of drupal specific tests

Options:

0: Flag to tell plugin to enumerate modules

path: Basic path for modules (can usually be found in page source).

Plugin: ssl

SSL and cert checks - Perform checks on SSL/Certificates

Plugin: subdomain

Sub-domain forcer - Attempts to bruteforce commonly known sub-domains

Plugin: mutiple_index

Multiple Index - Checks for multiple index files

Plugin: cgi

CGI - Enumerates possible CGI directories.

Plugin: report_xml

Report as XML - Produces an XML report.

Plugin: apacheusers

Apache Users - Checks whether we can enumerate usernames directly from the web server

Options:

dictionary: Filename for a dictionary file of users

home: Look for ~user to enumerate

size: Maximum size of username if bruteforcing

enumerate: Flag to indicate whether to attempt to enumerate users

cgiwrap: User cgi-bin/cgiwrap to enumerate

Plugin: report_text

Text reports - Produces a text report.

Plugin: shellshock

shellshock - Look for the bash 'shellshock' vulnerability.

Options:

uri: uri to assess

Plugin: outdated

Outdated - Checks to see whether the web server is the latest version.

Plugin: report_sqlg

Generic SQL reports - Produces SQL inserts into a generic database.

Plugin: robots

Robots - Checks whether there's anything within the robots.txt file and analyses it for other paths to pass to other scripts.

Options:

nocheck: Flag to disable checking entries in robots file.

Plugin: report_html

Report as HTML - Produces an HTML report.

Plugin: sitefiles

Site Files - Look for interesting files based on the site's IP/name

Plugin: httpoptions

HTTP Options - Performs a variety of checks against the HTTP options returned from the server.

Plugin: parked

Parked Detection - Checks to see whether the host is parked at a registrar or ad location.

Plugin: negotiate

Negotiate - Checks the mod_negotiation MultiViews.

Plugin: dictionary

Dictionary attack - Attempts to dictionary attack commonly known directories/files

Options:

method: Method to use to enumerate.

dictionary: Dictionary of paths to look for.

Plugin: favicon

Favicon - Checks the web server's favicon against known favicons.

Plugin: siebel

Siebel Checks - Performs a set of checks against an installed Siebel application

Options:

languages: List of Languages

enumerate: Flag to indicate whether we shall attempt to enumerate known apps

applications: List of applications

application: Application to attack

Plugin: cookies

HTTP Cookie Internal IP - Looks for internal IP addresses in cookies returned from an HTTP request.

Plugin: paths

Path Search - Look at link paths to help populate variables

Plugin: ms10_070

http://www.microsoft.com/technet/security/bulletin/ms10-070.asp Check - Determine if a site is vulnerable to http://www.microsoft.com/technet/security/bulletin/ms10-070.asp

Plugin: content_search

Content Search - Search resultant content for interesting strings

Plugin: tests

Nikto Tests - Test host with the standard Nikto tests

Options:

tids: A range of testids that will only be run

passfiles: Flag to indicate whether to check for common password files

report: Report a status after the passed number of tests

all: Flag to indicate whether to check all files with all directories

Plugin: headers

HTTP Headers - Performs various checks against the headers returned from an HTTP request.

Defined plugin macros:

@@MUTATE = "dictionary;subdomain"

@@DEFAULT = "@@ALL;-@@MUTATE;tests(report:500)"

(expanded) = "apacheusers;mutiple_index;put_del_test;tests(report:500);report_nbe;parked;report_html;apache_expect_xss;content_search;cookies;shellshock;fileops;negotiate;msgs;siebel;outdated;drupal;report_sqlg;sitefiles;auth;headers;favicon;ms10_070;clientaccesspolicy;report_csv;embedded;paths;report_text;report_xml;httpoptions;cgi;ssl;robots"

@@NONE = ""

@@ALL = "auth;put_del_test;clientaccesspolicy;apache_expect_xss;fileops;msgs;report_nbe;embedded;report_csv;drupal;ssl;subdomain;mutiple_index;cgi;report_xml;apacheusers;report_text;shellshock;outdated;report_sqlg;robots;report_html;sitefiles;httpoptions;parked;negotiate;dictionary;favicon;siebel;cookies;paths;ms10_070;content_search;tests;headers"

root@kali:~# nikto -host http://192.168.1.109/dvwa/

root@kali:~# nikto -host 192.168.1.109 -port 80

root@kali:~# nikto -host www.baidu.com -port 443 -ssl

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP: 180.97.33.107

+ Target Hostname: www.baidu.com

+ Target Port: 443

---------------------------------------------------------------------------

+ SSL Info: Subject: /C=CN/ST=Beijing/L=Beijing/O=Beijing Baidu Netcom Science Technology Co., Ltd./OU=service operation department/CN=baidu.com

Ciphers: ECDHE-RSA-AES128-GCM-SHA256

Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3

+ Start Time: 2016-03-03 14:42:02 (GMT8)

---------------------------------------------------------------------------

+ Server: bfe/1.0.8.14

+ Cookie BAIDUID created without the secure flag

+ Cookie BAIDUID created without the httponly flag

+ Cookie BIDUPSID created without the secure flag

+ Cookie BIDUPSID created without the httponly flag

+ Cookie PSTM created without the secure flag

+ Cookie PSTM created without the httponly flag

+ Cookie BDSVRTM created without the secure flag

+ Cookie BDSVRTM created without the httponly flag

+ Cookie __bsi created without the secure flag

+ Cookie __bsi created without the httponly flag

+ IP address found in the 'server' header. The IP is "1.0.8.14".

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ Uncommon header 'bdqid' found, with contents: 0xd83f739e00019f43

+ Uncommon header 'bdpagetype' found, with contents: 1

+ Uncommon header 'bduserid' found, with contents: 0

+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ No CGI Directories found (use '-C all' to force check all possible dirs)

+ Server leaks inodes via ETags, header found with file /crossdomain.xml, fields: 0x54532a74 0x131

+ /crossdomain.xml contains 2 lines which include the following domains: *.baidu.com *.bdstatic.com

+ Cookie BD_NOT_HTTPS created without the secure flag

+ Cookie BD_NOT_HTTPS created without the httponly flag

......

root@kali:~# nmap -p80 192.168.1.0/24 -oG - | nikto -host -

- Nikto v2.1.6

---------------------------------------------------------------------------

+ nmap Input Queued: 192.168.1.1:80

+ nmap Input Queued: 192.168.1.103:80

+ Target IP: 192.168.1.1

+ Target Hostname: 192.168.1.1

+ Target Port: 80

+ Start Time: 2016-03-03 16:45:55 (GMT8)

---------------------------------------------------------------------------

+ Server: No banner retrieved

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ No CGI Directiories found (use '-C all' to force check all possible dirs)

+ Web Server returns a valid response with junk HTTP methonds, this may cause false positives.

......

root@kali:~# nikto -host http://www.baidu.com -useproxy http://localhost:8087

root@kali:~# -vhost

╋━━━━━━━━━━━━━━━━╋

┃Nikto-interactive ┃

┃Space-report current scan status┃

┃v - verbose mode on/off ┃

┃d - debug mode on/off ┃

┃e - error reporting on/off ┃

┃p - progress reporting on/off ┃

┃r - redirect display on/off ┃

┃c - cookie display on/off ┃

┃a - auth display on/off ┃

┃q - quit ┃

┃N - next host ┃

┃p - Pause ┃

╋━━━━━━━━━━━━━━━━╋

root@kali:~# vi /etc/nikto.conf

#########################################################################################################

# CONFIG STUFF

# $Id: config.txt 94 2009-01-21 22:47:25Z deity $

#########################################################################################################

# default command line options, can't be an option that requires a value. used for ALL runs.

# CLIOPTS=-g -a

# ports never to scan

SKIPPORTS=21 111

# User-Agent variables:

# @VERSION - Nikto version

# @TESTID - Test identifier

# @EVASIONS - List of active evasions

USERAGENT=Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)

# RFI URL. This remote file should return a phpinfo call, for example: <?php phpinfo(); ?>

# You may use the one below, if you like.

RFIURL=http://cirt.net/rfiinc.txt?

# IDs never to alert on (Note: this only works for IDs loaded from db_tests)

#SKIPIDS=

# The DTD

NIKTODTD=/var/lib/nikto/docs/nikto.dtd

# the default HTTP version to try... can/will be changed as necessary

DEFAULTHTTPVER=1.0

# Nikto can submit updated version strings to CIRT.net. It won't do this w/o permission. You should

# send updates because it makes the data better for everyone ;) *NO* server specific information

# such as IP or name is sent, just the relevant version information.

# UPDATES=yes - ask before each submission if it should send

# UPDATES=no - don't ask, don't send

# UPDATES=auto - automatically attempt submission *without prompting*

UPDATES=yes

# Warning if MAX_WARN OK or MOVED responses are retrieved

MAX_WARN=20

# Prompt... if set to 'no' you'll never be asked for anything. Good for automation.

#PROMPTS=no

# cirt.net : set the IP so that updates can work without name resolution -- just in case

# Proxy settings -- still must be enabled by -useproxy

#PROXYHOST=127.0.0.1

#PROXYPORT=8080

#PROXYUSER=proxyuserid

#PROXYPASS=proxypassword

# Cookies: send cookies with all requests

# Multiple can be set by separating with a semi-colon, e.g.:

# "cookie1"="cookie value";"cookie2"="cookie val"

#STATIC-COOKIE=

# The below allows you to vary which HTTP methods are used to check whether an HTTP(s) server

# is running. Some web servers, such as the autopsy web server do not implement the HEAD method

CHECKMETHODS=HEAD GET

# If you want to specify the location of any of the files, specify them here

EXECDIR=/var/lib/nikto # Location of Nikto

PLUGINDIR=/var/lib/nikto/plugins # Location of plugin dir

DBDIR=/var/lib//nikto/databases # Location of database dir

TEMPLATEDIR=/var/lib/nikto/templates # Location of template dir

DOCDIR=/var/lib/nikto/docs # Location of docs dir

# Default plugin macros

@@MUTATE=dictionary;subdomain

@@DEFAULT=@@ALL;-@@MUTATE;tests(report:500)

# Choose SSL libs:

# SSLeay - use Net::SSLeay

# SSL - use Net::SSL

# auto - automatically choose whats available

# (SSLeay wins if both are available)

LW_SSL_ENGINE=auto

# Number of failures before giving up

FAILURES=20

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

┃nikto ┃

┃配置文件 ┃

┃ /etc/nikto.conf ┃

┃ STATIC-COOKIE="cookie1"="cookie value";"cookie2"="cookie valu"┃

┃-evasion : 使用LibWhisker中对IDS的躲避技术，可使用以下几种类型: ┃

┃ 1 随机URL编码（非UTF-8方式） ┃

┃ 2 自选择路径（/./） ┃

┃ 3 过早结束的URL ┃

┃ 4 优先考虑长随机字符串 ┃

┃ 5 参数欺骗 ┃

┃ 6 使用TAB作为命令的分隔符 ┃

┃ 7 使用变化的URL ┃

┃ 8 使用Windows路径分隔符"\" ┃

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

该笔记为安全牛课堂学员笔记，想看此课程或者信息安全类干货可以移步到安全牛课堂

Security+认证为什么是互联网+时代最火爆的认证？

牛妹先给大家介绍一下Security+

Security+ 认证是一种中立第三方认证，其发证机构为美国计算机行业协会CompTIA ；是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一，和CISSP偏重信息安全管理相比，Security+ 认证更偏重信息安全技术和操作。

通过该认证证明了您具备网络安全，合规性和操作安全，威胁和漏洞，应用程序、数据和主机安全，访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易，含金量较高，目前已被全球企业和安全专业人士所普遍采纳。

Security+认证如此火爆的原因？

原因一：在所有信息安全认证当中，偏重信息安全技术的认证是空白的， Security+认证正好可以弥补信息安全技术领域的空白。

目前行业内受认可的信息安全认证主要有CISP和CISSP，但是无论CISP还是CISSP都是偏重信息安全管理的，技术知识讲的宽泛且浅显，考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上，CISP也要求大专学历4年以上工作经验，这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中，无论是找工作还是升职加薪，或是投标时候报人员，认证都是必不可少的，这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍，由于Security+偏重信息安全技术，所以对工作经验没有特别的要求。只要你有IT相关背景，追求进步就可以学习和考试。

原因二： IT运维人员工作与翻身的利器。

在银行、证券、保险、信息通讯等行业，IT运维人员非常多，IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍，死亦写代码”的悲壮，但也有着“锄禾日当午，不如运维苦“的感慨。天天对着电脑和机器，时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识，掌握网络安全实践。职业发展朝着网络安全的方向发展，解决国内信息安全人才的匮乏问题。另外，即使不转型，要做好运维工作，学习安全知识取得安全认证也是必不可少的。

原因三：接地气、国际范儿、考试方便、费用适中！

CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。

在目前的信息安全大潮之下，人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的，相信Security+认证一定会成为最火爆的信息安全认证。

【安全牛学习笔记】扫描工具-Nikto

猜你喜欢