Nikto(1)                                                              Nikto(1)

NAME
       Nikto - Web Server and CGI Scanner, Version 1.36

SYNOPSIS
       nikto.pl [-h target] [options]

DESCRIPTION
       Nikto is a tool for finding default web files and examining web server
       and CGI security. It makes a lot of requests to the remote server,
       which in some cases may cause the server to crash. It may also be
       illegal to use this software against servers you do not have permission
       to test.

       Nikto is designed to examine web servers and look for items in multiple
       categories:

       · misconfigurations

       · default files and scripts

       · insecure files and scripts

       · outdated software

       It uses Rain Forest Puppy's LibWhisker (wiretrip.net) for HTTP
       functionality, and can perform checks in HTTP or HTTPS. It also
       supports basic port scanning and will determine if a web server is
       running on any open ports.

       Nikto checks and code can be automatically updated from the main
       distribution server by using the -update option (see below) to ensure
       Nikto is checking for the most recent vulnerabilities.

       Nikto will also load user-defined checks at startup if they are placed
       in a file named user_scan_database.db in the plugins directory. Unlike
       scan_database.db, this file will not be overwritten if the -update
       option is used. This file should always be used if you add your own
       checks (and you should send those checks to sullo@cirt.net).

       Nikto leaves a footprint on a server it scans--both in an invalid 404
       check and in the User-Agent header. This can be changed by forcing
       $NIKTO{fingerprint} and $NIKTO{useragent} to new values in the source
       code, or by using any IDS evasion (-e) option. Note that it is pretty
       obvious when Nikto is scanning a server anyway--the large number of
       invalid requests sticks out in the server logs, although with an IDS
       evasion technique it might not be obvious that the scanner was Nikto.
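       As an added defender-side illustration (not part of this man page or
       of Nikto itself), the following Python script shows how the two
       footprints just described look in an ordinary Apache combined-format
       access log and how to flag them: a User-Agent that names the scanner,
       and a burst of invalid (404) requests from one source. The log lines
       and the User-Agent value are constructed for the example, and the
       thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; one regex, one line at a time.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, min_404=10, min_ratio=0.5):
    """Flag source IPs that look like a Nikto run.

    Two signals, both described in the man page: the default User-Agent names
    the scanner, and a scan produces a burst of invalid (404) requests. The
    second signal still fires when the User-Agent has been changed (-e or
    $NIKTO{useragent}), which is why both are checked. Thresholds are
    assumptions to tune per site.
    """
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines that are not in combined format
        s = stats[rec["ip"]]
        s["total"] += 1
        s["paths"].add(rec["path"])
        s["agents"].add(rec["ua"])
        if rec["status"] == 404:
            s["not_found"] += 1

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if any("nikto" in ua.lower() for ua in s["agents"]):
            reasons.append("user-agent")
        if s["not_found"] >= min_404 and s["not_found"] / s["total"] >= min_ratio:
            reasons.append("404-burst")
        if reasons:
            findings[ip] = {
                "total": s["total"],
                "not_found": s["not_found"],
                "distinct_paths": len(s["paths"]),
                "reasons": reasons,
            }
    return findings


def _line(ip, path, status, ua):
    """Build a constructed combined-format log line (sample data, not a real capture)."""
    return (f'{ip} - - [12/Feb/2007:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 210 "-" "{ua}"')


# Constructed sample: a normal visitor, a scanner with a tell-tale User-Agent
# (the exact value is made up here), and a scanner whose User-Agent was changed
# and is only recognisable by its stream of 404s.
SAMPLE_LOG = [
    _line("198.51.100.7", "/", 200, "Mozilla/5.0"),
    _line("198.51.100.7", "/about.html", 200, "Mozilla/5.0"),
    _line("198.51.100.7", "/favicon.ico", 404, "Mozilla/5.0"),
    _line("203.0.113.5", "/", 200, "Mozilla/4.75 (Nikto/1.36)"),
    _line("203.0.113.5", "/cgi-bin/test.html", 404, "Mozilla/4.75 (Nikto/1.36)"),
] + [
    _line("192.0.2.9", f"/probe{i}.cgi", 404, "Mozilla/5.0") for i in range(15)
]

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

       The User-Agent match is cheap but disappears as soon as the string is
       changed; the 404 ratio is the signal that survives, which is why the
       man page says the scan "sticks out" in the logs regardless.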

       Why the name Nikto? See the movies "The Day the Earth Stood Still" and,
       of course, "Army of Darkness" for the answer. For a full list of pop-
       culture references to this, see
       http://www.blather.net/archives2/issue2no21.html which has a lot of
       good information.

OPTIONS
       The options listed below are all optional except the -h target
       specification. They can all be abbreviated to the first letter (i.e.,
       -m for -mutate), with the exception of -verbose and -debug.

       -config <config file>
              Read the specified configuration file instead of the default
              one.

       -Cgidirs <dirs>
              Optionally force the CGI directories to scan. Valid values are
              'none' to not check any, 'all' to force a scan of all CGI
              directories (like the deprecated -allcgi), or a value to use as
              the CGI directory, i.e. '/cgi/'.

       -cookies
              Print out the cookie names and values that were received during
              the scan.

       -evasion <evasion method>
              IDS evasion techniques. This enables the intrusion detection
              evasion in LibWhisker. Multiple options can be used by stringing
              the numbers together, i.e. to enable methods 1 and 5, use
              "-e 15". The valid options are (use the number preceding each
              description):

              1 Random URI encoding (non-UTF8)

              2 Add directory self-reference /./

              3 Premature URL ending

              4 Prepend long random string to request

              5 Fake parameters to files

              6 TAB as request spacer instead of spaces

              7 Random case sensitivity

              8 Use Windows directory separator \ instead of /

              9 Session splicing

              See the LibWhisker source for more information, or
              http://www.wiretrip.net/

       -findonly
              Use port scan to find valid HTTP and HTTPS ports only, but do
              not perform checks against them.

       -Format
              Output format for the file specified with the -output option.
              Valid formats are:

              HTM    HTML output format.

              TXT    Text output format. This is the default if -F is not
                     specified.

              CSV    Comma Separated Value format.

       -generic
              Force a full scan rather than trusting the "Server:"
              identification string, as many servers allow this to be changed.

       -host <ip, hostname or file>
              Target host(s) to check against. This can be an IP address or
              hostname, or a file of IPs or hostnames. If this argument is a
              file, it should be formatted as described below. This is the
              only required option.

       -id <user:password:realm>
              HTTP authentication; the format is userid:password for
              authorizing Nikto to a web server realm. For NTLM realms, the
              format is id:password:realm.

       -mutate
              Mutate checks. This causes Nikto to combine all files with all
              directories from the .db files and scan the host. You might find
              some oddities this way. Note that it generates a lot of checks.

       -nolookup
              Don't perform a host name lookup.

       -output <filename>
              Write output to this file when complete. Format is text unless
              specified via -Format.

       -port <port number>
              Port number to scan, defaults to port 80 if missing. This can
              also be a range or list of ports, which Nikto will check for web
              servers. If a web server is found, it will perform a full scan
              unless the -f option is used.

       -root <root>
              Always prepend this to requests, i.e., changes a request of
              "/password.txt" to "/directory/password.txt" (assuming the value
              passed on the CLI was "/directory").

       -ssl   Force SSL mode on the port(s) listed. Note that Nikto attempts
              to determine if a port is HTTP or HTTPS automatically, but this
              can be slow if the server fails to respond or is slow to respond
              to the incorrect one. This sets SSL usage for all hosts and
              ports.

       -timeout <timeout>
              Set the timeout for each request; the default is 10 seconds.

       -useproxy
              Use the proxy defined in config.txt for all requests.

       -vhost <ip or hostname>
              Virtual host to use for the "Host:" header, in case it is
              different from the target.

       -Version
              Print version numbers of Nikto, all plugins and all databases.

       -404   Pass a string to be matched against content. If a page matches
              this string, it cannot be treated as a positive (it will be
              skipped, like a 404 response).

       These options cannot be abbreviated to the first letter:

       -dbcheck
              This option will check the syntax of the checks in the
              scan_database.db and user_scan_database.db files. This is really
              only useful if you are adding checks or are having problems.

       -debug Print a huge amount of detail. In most cases this is going to be
              more information than you need, so try -verbose first.

       -update
              This will connect to cirt.net and download updated
              scan_database.db and plugin files. Use this with caution as you
              are downloading files--perhaps including code--from an
              "untrusted" source. This option cannot be combined with any
              other, but required variables (like the PROXY settings) will be
              loaded from the config.txt file.

       -verbose
              Print out a lot of extra data during a run. This can be useful
              if a scan or server is failing, or to see exactly how a server
              responds to each request.

       If a file is specified with -h instead of a hostname or IP, Nikto will
       open the file and use it as a list of targets. The file should be
       formatted with one host per line. If no port is specified, port 80 is
       assumed. Multiple ports may be specified per host. If a host file is
       used, any ports specified via -p are added to every host. Valid lines
       would be:

              10.100.100.100
              10.100.100.100:443
              10.100.100.100,443
              10.100.100.100:443:8443
              10.100.100.100,443,8443
              evilash.example.com,80
              (etc)
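       The host-file syntax above, together with the -p list/range syntax from
       the -port option, as an added Python parser that is not part of Nikto.
       It assumes that -p ports are appended to whatever ports a line already
       names (port 80 if it names none), which is one reading of "added to
       every host"; the host file below is constructed from the valid lines
       listed above.

```python
DEFAULT_PORT = 80


def parse_port_spec(spec):
    """Expand a -p value ('80', '80,443,8080', '80-90', or a mix) into a port list."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = item.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(item))
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return ports


def parse_target_line(line, extra_ports=()):
    """Turn one host-file line into (host, port) tuples.

    Accepts host, host:port, host,port, host:p1:p2 and host,p1,p2. Port 80 is
    assumed when the line names none; ports from -p are then appended
    (assumption: "added to every host" means appended, not substituted).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    if ":" in line and "," in line:
        raise ValueError(f"mixed separators in host line: {line!r}")
    sep = ":" if ":" in line else ","
    parts = [p.strip() for p in line.split(sep) if p.strip()]
    host, ports = parts[0], [int(p) for p in parts[1:]]
    if not ports:
        ports = [DEFAULT_PORT]
    for p in extra_ports:
        if p not in ports:
            ports.append(p)
    return [(host, p) for p in ports]


def parse_target_file(text, port_spec=None):
    """Parse a whole host file; duplicates are dropped, first occurrence wins."""
    extra = parse_port_spec(port_spec) if port_spec else []
    seen, targets = set(), []
    for line in text.splitlines():
        for target in parse_target_line(line, extra):
            if target not in seen:
                seen.add(target)
                targets.append(target)
    return targets


# Constructed host file using the line shapes the man page lists as valid.
SAMPLE_HOST_FILE = """\
10.100.100.100
10.100.100.100:443
10.100.100.100,443
10.100.100.100:443:8443
10.100.100.100,443,8443
evilash.example.com,80
"""

if __name__ == "__main__":
    for host, port in parse_target_file(SAMPLE_HOST_FILE, "8000"):
        print(f"{host}:{port}")
```

       Deduplicating (host, port) pairs matters in practice: the sample file
       names 10.100.100.100:443 four different ways, and each would otherwise
       be scanned again.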

CONFIG FILE
       The config.txt file provides a means to set variables at run-time
       without modifying the Nikto source itself. The options below can be set
       in the file. Options that accept multiple values (CGIDIRS, SKIPPORTS,
       etc.) should use a space to separate the values. None of these are
       required unless you need them.

       CLIOPTS
              Add any option here to be added to every Nikto execution,
              whether specified at the command line or not.

       NMAP   Path to nmap. If defined, Nikto will use nmap to port scan a
              host rather than Perl code, and so should be faster.

       SKIPPORTS
              Port numbers never to scan (so you don't crash services,
              perhaps?).

       PROXYHOST
              Server to use as a proxy, either IP or hostname; no 'http://'
              needed.

       PROXYPORT
              Port number that PROXYHOST uses as a proxy.

       PROXYUSER
              If the PROXYHOST requires authentication, use this ID. Nikto
              will prompt for it if this is not set and it is needed.

       PROXYPASS
              If the PROXYHOST requires a password for PROXYUSER, use this
              password. Nikto will prompt for it if this is not set and it is
              needed.

       PLUGINDIR
              If Nikto can't find its plugin directory for some reason, enter
              the full path here and the problem is solved.

       UPDATES
              Turns data push to cirt.net on. Please see the CIRT.NET UPDATES
              section for details.

       MAX_WARN
              If the number of OK or MOVED messages reaches this number, a
              warning will be printed.

       PROMPTS
              If set to "no", Nikto will never prompt for anything--proxy
              auth, updates, nothing...

       DEFAULTHTTPVER
              First try this HTTP version. If this fails, Nikto will attempt
              to find a valid one. Useful if you want to try something
              non-standard.

       STATIC-COOKIE
              The name/value of this cookie, if set, will be sent with every
              request (useful for auth cookies).

       Variables that start with the 'at' sign (@) will be used when scan
       rules are loaded. For each value (separated by a space), the rule will
       be duplicated. See the TEST DATABASES section for more information.

       Predefined variables are:

       @CGIDIRS
              CGI directories to look for; valid ones (or all) will be used
              for CGI checks against the remote host.

       @MUTATEDIRS
              Additional directories to use when operating in Mutate mode,
              besides the ones already defined in the .db files.

       @MUTATEFILES
              Additional files to use when operating in Mutate mode, besides
              the ones already defined in the .db files.

       @ADMINDIRS
              Typical administration directories.

       @USERS Typical user names for the user guessing plugins.

CIRT.NET UPDATES
       In order to help keep the Nikto databases up-to-date, you have the
       ability to easily submit some updates back to cirt.net for inclusion in
       new copies of the databases. Currently, this only includes software
       versions (such as "Apache/7.0.3"). If Nikto scans a host and sees a
       newer version on the host than it has in the database, or one that is
       missing entirely (and your databases are fairly recent), this
       information can be automatically (or manually) sent back to cirt.net.

       Behaviour of this option is controlled in config.txt through the
       UPDATES variable. If UPDATES is set to "no", Nikto will not send or ask
       about sending values to cirt.net. If set to "auto", it will
       automatically send the data through an HTTP request. If set to "yes"
       (which is the default), when there are updates it will ask if you would
       like to submit and show you the data (unless PROMPTS=no).

       There is only one thing submitted to cirt.net when you do this: the
       "updated" version string. No information specific to the host tested
       is sent. No information from the scanning source is sent (it does log
       your IP address as seen by cirt.net's web server, but... nothing else).

       If you're not comfortable with this, you may also email it to me at
       sullo@cirt.net or just set UPDATES=no. Please don't complain and say
       I'm stealing your data... just trying to save me some work ;)

       Again: the default configuration of Nikto does not send any data to
       cirt.net.

TEST DATABASES
       Rules in the scan databases can use dynamic variables from config.txt.
       Any variable that starts with the 'at' sign (@) will be substituted in
       rules. For example, a rule of

              "generic","@CGIDIRStest.html","200","GET","Test"

       with "@CGIDIRS=/cgi-bin/ /cgi-sys/" will test for:

       · /cgi-bin/test.html

       · /cgi-sys/test.html

       Any number of these variables can be set, and any number can be used in
       a rule (i.e., "@CGIDIRS@ADMINDIRStest.html"). Additionally, the
       generic @HOSTNAME and @IP are available, which use the current target's
       hostname or IP.

       Rules can also be specified with conditionals for test success. This
       allows a test to look for a 200 HTTP response that does not contain
       the word "home". This would look like "200!home" in the
       scan_database.db file.
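       An added example, not Nikto's own code, that ties the CONFIG FILE
       @-variables to the rule expansion and the "200!home" conditional just
       described: it parses a constructed config.txt fragment, expands a
       scan_database.db rule into the concrete URIs it would request, and
       evaluates the expected-result field against a response. The config
       values, rule line and response bodies are constructed, and Nikto's real
       parsing of these files may differ in details.

```python
import itertools
import re


def parse_config(text):
    """Parse config.txt-style KEY=value lines.

    Plain keys become scalars; keys starting with '@' are rule variables whose
    value is a space-separated list (the format the man page describes).
    """
    scalars, rule_vars = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("@"):
            rule_vars[key] = value.split()
        else:
            scalars[key] = value
    return scalars, rule_vars


FIELD_RE = re.compile(r'"([^"]*)"')


def parse_rule(line):
    """Split a scan_database.db line of five double-quoted fields into a dict."""
    fields = FIELD_RE.findall(line)
    if len(fields) != 5:
        raise ValueError(f"expected 5 quoted fields, got {len(fields)}: {line!r}")
    server, uri, expect, method, message = fields
    return {"server": server, "uri": uri, "expect": expect,
            "method": method, "message": message}


def expand_uri(uri, rule_vars, hostname="", ip=""):
    """Substitute @-variables in a rule URI.

    @HOSTNAME and @IP take the current target's values; every list-valued
    variable duplicates the rule once per value, so a URI naming two list
    variables expands to the cartesian product of their values.
    """
    uri = uri.replace("@HOSTNAME", hostname).replace("@IP", ip)
    if not rule_vars:
        return [uri]
    # Longest names first so that a variable is not eaten by a shorter prefix.
    names = sorted(rule_vars, key=len, reverse=True)
    splitter = re.compile("(" + "|".join(re.escape(n) for n in names) + ")")
    segments = splitter.split(uri)           # variable names land as their own segments
    choices = [rule_vars[s] if s in rule_vars else [s] for s in segments]
    return ["".join(combo) for combo in itertools.product(*choices)]


def check_matches(expect, status, body):
    """Evaluate an expected-result field such as "200" or "200!home".

    The part before '!' is the required HTTP status; the part after it, if
    present, is a string the response body must NOT contain.
    """
    code, _, forbidden = expect.partition("!")
    if str(status) != code:
        return False
    return not (forbidden and forbidden in body)


# Constructed config.txt fragment and rule line (sample data, not Nikto's files).
SAMPLE_CONFIG = """\
CLIOPTS=-nolookup
MAX_WARN=20
@CGIDIRS=/cgi-bin/ /cgi-sys/
@ADMINDIRS=/admin/ /manager/
"""
SAMPLE_RULE = '"generic","@CGIDIRStest.html","200","GET","Test"'

if __name__ == "__main__":
    _, rule_vars = parse_config(SAMPLE_CONFIG)
    rule = parse_rule(SAMPLE_RULE)
    for path in expand_uri(rule["uri"], rule_vars, hostname="www.example.com", ip="192.0.2.1"):
        print(rule["method"], path, "expect", rule["expect"])
```

       The cartesian product is what makes "@CGIDIRS@ADMINDIRStest.html"
       costly: with two values for each variable it already yields four
       requests per rule, which is the same multiplication that makes -mutate
       generate so many checks.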

EXAMPLES
       A basic scan of a web server on port 80. The -h option is the only
       option that is required for a basic scan of a web server on the
       standard HTTP port.

              nikto.pl -h 10.100.100.10

       A basic scan of a web server on port 443, forcing SSL encryption and
       ignoring the Server header. Note that Nikto does not assume port 443
       to be SSL, but if HTTP fails it will try HTTPS.

              nikto.pl -h 10.100.100.10 -p 443 -s -g

       Scanning multiple ports on the server, letting Nikto determine if they
       are HTTP and SSL encrypted.

              nikto.pl -h 10.100.100.10 -p 80-90

       Scanning specific ports on the system.

              nikto.pl -h 10.100.100.10 -p 80,443,8000,8080

       You may combine IDS evasion techniques as desired.

              nikto.pl -h 10.100.100.10 -p 80 -e 167

FILES
       config.txt
              run-time configuration options, see the CONFIG FILE section

       nikto_core.plugin
              main Nikto code, absolutely required

       nikto_plugin_order.txt
              determines the order in which plugins are executed

       LW.pm  The stand-alone LibWhisker file.

       user_scan_database.db
              If it exists in the plugins directory, these checks will be
              loaded as well. Same syntax as scan_database.db.

       LibWhisker is required for proper execution of Nikto. The LW.pm library
       is included with Nikto, but it is recommended that you download and
       install the full LibWhisker module from http://www.wiretrip.net/. If
       you are not using an installed LibWhisker, you will need to change
       Nikto.pl so that it includes the proper LW.pm file. Edit Nikto.pl and
       comment out the line:

              require "$NIKTO{plugindir}/LW.pm";

       and uncomment the line below it:

              use LW;

       nmap can be used to speed up port scans. This should be much faster
       than relying on Perl code to perform port scans. Nmap can be obtained
       from http://www.nmap.org/; it is not included with Nikto.

       SSL software is required to test using HTTPS. For Windows systems, the
       SSL software and libraries can be obtained from
       http://www.activestate.com/. For Unix systems, OpenSSL from
       http://www.openssl.org/ and the Net::SSLeay module from
       http://www.cpan.org/ are required.

       Checks, both informational and actual security problems, are derived
       from a number of sources. These include the mailing lists BugTraq,
       NTBugTraq, WebAppSec (WWW-Mobile-Code), and others, and the web sites
       www.securitytracker.com, www.securiteam.com,
       www.packetstormsecurity.com and www.securityfocus.com. Additionally,
       updates to Nessus are watched, and many thanks to all the plugin
       writers (and to Renaud for Nessus itself) (http://www.nessus.org/).

       Nikto can cause harm to your local system, the remote system and/or the
       network. Some options can generate over 70,000 HTTP requests to a
       target. Do not run Nikto against hosts you are not authorized to
       perform testing against. Cirt.net takes no responsibility for anything
       done with this software, any problems it may cause or problems it may
       find.

       Plugins are standard Perl. They are included and executed when Nikto
       is run. If you run the -update option, new and updated plugins will be
       downloaded from cirt.net. This means you are downloading code, and
       potentially running it, without viewing it yourself. Please consider
       the implications. Do not assume code distributed from Cirt.net is not
       harmful, as accidents happen and a malicious third party may have
       inserted a dangerous plugin. Cirt.net assumes no responsibility if any
       malicious code is delivered via the -update option.

       Nikto and updated databases and plugins are distributed from
       http://www.cirt.net/

       LibWhisker
              http://www.wiretrip.net/

       Nmap   http://www.nmap.org/

       OpenSSL
              http://www.openssl.org/

       CPAN   http://www.cpan.org/

       ActiveState
              http://www.activestate.com/

       Nessus http://www.nessus.org/

COPYRIGHT
       This copyright applies to all code included in this distribution, but
       does not include the LibWhisker software, which is distributed under
       its own license.

       Copyright (C) 2001-2005 Sullo/CIRT.net

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

       Contact Information: See the AUTHOR section.

AUTHOR
       Sullo, sullo@cirt.net
       http://www.cirt.net/

       Suggestions/fixes/support from: Jericho/attrition.org,
       rfp/wiretrip.net, Zel/firewallmonkeys.com, Zeno/cgisecurity.com,
       Darby/cirt.net, Valdez/cirt.net, S Saady, P Eronen/nixu.com, M Arboi,
       T Seyrat, J DePriest, P Woroshow, fr0stman, E Udassin, H Heimann and
       more

       Many tests contributed/suggested by: M Richardson,
       Jericho/attrition.org, Prickley Paw, M Arboi, H Heimann and more

       And Xiola.net for kicking ass.

Nikto 1.36                      February 12, 2007                      Nikto(1)