Nikto
https://cirt.net/Nikto2
Nikto はイギリスの Netspark 社がスポンサーをしている無料 Web アプリケーションセキュリティスキャナー。 Perl で開発されている。
安定版は 2015-07-09 にリリースされた Nikto 2.1.6 になる。
GitHub では継続的なメンテナンスが行われている様子。
インストール
EPEL
yum install epel-release
yum install nikto perl-Net-SSLeay
EPEL リポジトリでは 2018-06-08 にビルドされた 2.1.6-1 がインストールされる。
perl-Net-SSLeay
パッケージは SSL のサイトの診断に必要。インストールされていないと ***** SSL support not available (see docs for SSL install) *****
というエラーが出力される。
Atomic
yum install wget
curl -s http://www.atomicorp.com/installers/atomic | sh
yum install nikto
Atomic リポジトリでは 2017-03-10 にビルドされた 2.1.6-1147 がインストールできる。
アップデート
nikto -update
出力例
+ Retrieving 'nikto_report_csv.plugin'
+ Retrieving 'nikto_headers.plugin'
+ Retrieving 'nikto_cookies.plugin'
+ Retrieving 'db_tests'
+ Retrieving 'db_parked_strings'
+ Retrieving 'CHANGES.txt'
スキャン
nikto -h localhost
出力例
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: 2016-01-16 10:00:00 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS) PHP/5.4.16
+ Server leaks inodes via ETags, header found with file /, fields: 0x220 0x529841bdd9a78
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ PHP/5.4.16 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.16). Apache 2.2.31 is also current for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Retrieved x-powered-by header: PHP/5.4.16
+ OSVDB-3092: /test.php: This might be interesting...
+ 8225 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2016-01-16 10:00:11 (GMT9) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
設定ファイル
/etc/nikto/config
#########################################################################################################
# CONFIG STUFF
# $Id: config.txt 94 2009-01-21 22:47:25Z deity $
#########################################################################################################
# default command line options, can't be an option that requires a value. used for ALL runs.
# CLIOPTS=-g -a
# ports never to scan
SKIPPORTS=21 111
# User-Agent variables:
# @VERSION - Nikto version
# @TESTID - Test identifier
# @EVASIONS - List of active evasions
USERAGENT=Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
# RFI URL. This remote file should return a phpinfo call, for example: <?php phpinfo(); ?>
# You may use the one below, if you like.
#RFIURL=http://cirt.net/rfiinc.txt?
# IDs never to alert on (Note: this only works for IDs loaded from db_tests)
#SKIPIDS=
# The DTD
NIKTODTD=docs/nikto.dtd
# the default HTTP version to try... can/will be changed as necessary
DEFAULTHTTPVER=1.0
# Nikto can submit updated version strings to CIRT.net. It won't do this w/o permission. You should
# send updates because it makes the data better for everyone ;) *NO* server specific information
# such as IP or name is sent, just the relevant version information.
# UPDATES=yes - ask before each submission if it should send
# UPDATES=no - don't ask, don't send
# UPDATES=auto - automatically attempt submission *without prompting*
UPDATES=yes
# Warning if MAX_WARN OK or MOVED responses are retrieved
MAX_WARN=20
# Prompt... if set to 'no' you'll never be asked for anything. Good for automation.
#PROMPTS=no
# cirt.net : set the IP so that updates can work without name resolution -- just in case
CIRT=174.142.17.165
# Proxy settings -- still must be enabled by -useproxy
#PROXYHOST=127.0.0.1
#PROXYPORT=8080
#PROXYUSER=proxyuserid
#PROXYPASS=proxypassword
# Cookies: send cookies with all requests
# Multiple can be set by separating with a semi-colon, e.g.:
# "cookie1"="cookie value";"cookie2"="cookie val"
#STATIC-COOKIE=
# The below allows you to vary which HTTP methods are used to check whether an HTTP(s) server
# is running. Some web servers, such as the autopsy web server do not implement the HEAD method
CHECKMETHODS=HEAD GET
# If you want to specify the location of any of the files, specify them here
EXECDIR=/usr/share/nikto # Location of Nikto
PLUGINDIR=/usr/share/nikto/plugins # Location of plugin dir
# DBDIR=/opt/nikto/databases # Location of plugin dir
TEMPLATEDIR=/usr/share/nikto/templates # Location of tempmlate dir
DOCDIR=/usr/share/nikto/docs # Location of docs dir
# Default plugin macros
@@MUTATE=dictionary;subdomain
@@DEFAULT=@@ALL;-@@MUTATE;tests(report:500)
#Choose SSL libs
# Options:
# SSLeay - use Net::SSLeay
# SSL - use Net::SSL
# auto - automatically choose whats available
# (SSLeay wins if both are available)
LW_SSL_ENGINE=auto