eric.ness.net

So after what is a very long hiatus I have decided to pick back up and start writing again. To get my toes back in the proverbial water I have decided to write briefly about an open source web server scanner called Nikto.

If you have any experience with Kali Linux, you will have more than likely come across Nikto. Nikto is a great way to quickly scan a web server for low hanging vulnerability fruit. Some of the highlights are that it cover over 6700 dangerous files and programs and over a 1000 different checks on a variety of servers (outdated/vulnerable checks). To be clear this is not a tool one would use in a stealthy situation. In fact it is about as loud as it gets and needless to say one should only use an application like this for projects you have permission to do so on.

With this in mind I want to do a live check on a project that I recently did for an organization that I am part of. One member of the group thought it would be great to do a variety of vulnerability checks and this is the result. For brevity I have removed all “line:” results as they only listed directories it found.

root@stock:~/nikto/nikto/program# ./nikto.pl -h https://-----------.--------------.org/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          xxx.xxx.xxx.xxx
+ Target Hostname:    -----------.--------------.org
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=-----------.--------------.org
                   Altnames: -----------.--------------.org
                   Ciphers:  ECDHE-RSA-CHACHA20-POLY1305
                   Issuer:   /C=US/O=Let's Encrypt/CN=R3
+ Start Time:         2021-07-17 12:08:05 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx
+ Retrieved x-powered-by header: PHP/7.4.21, PleskLin
+ The anti-clickjacking X-Frame-Options header is not present.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ Entry '/translations/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/js/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/tools/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/pdf/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/webservice/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Uncommon header 'content-disposition' found, with contents: Attachment
+ Entry '/upload/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 136 entries which should be manually viewed.
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017 for details.
+ OSVDB-3092: /INSTALL.txt: Default file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 9959 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time:           2021-07-17 12:20:08 (GMT0) (723 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

As you can see the results on this server are not very interesting at all.