Vulnerability scanning with Nikto

Nikto is a very popular and easy-to-use webserver assessment tool that finds potential problems and vulnerabilities very quickly. This tutorial shows you how to scan webservers for vulnerabilities using Nikto in Kali Linux. Nikto comes standard as a tool with Kali Linux and should be your first choice when pen testing webservers and web applications. According to the official Nikto website, Nikto scans for 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and checks for version-specific problems on over 270 servers. You should know that Nikto is not designed as a stealthy tool: it scans the target in the fastest way possible, which makes the scanning process very obvious in the log files of an intrusion detection system (IDS).

Features

These are some of the major features in the current version of Nikto:

  • SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
  • Full HTTP proxy support
  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Template engine to easily customize reports
  • Scan multiple ports on a server, or multiple servers via input file (including nmap output)
  • LibWhisker’s IDS encoding techniques
  • Easily updated via command line
  • Identifies installed software via headers, favicons and files
  • Host authentication with Basic and NTLM
  • Subdomain guessing
  • Apache and cgiwrap username enumeration
  • Mutation techniques to “fish” for content on web servers
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Guess credentials for authorization realms (including many default id/pw combos)
  • Authorization guessing handles any directory, not just the root directory
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Reports “unusual” headers seen
  • Interactive status, pause and changes to verbosity settings
  • Save full request/response for positive tests
  • Replay saved positive requests
  • Maximum execution time per target
  • Auto-pause at a specified time
  • Checks for common “parking” sites
  • Logging to Metasploit
  • Thorough documentation

Another nice feature in Nikto is the possibility to select which tests to run using the -Tuning parameter. This lets you run only the tests you need, which can save you a lot of time:

0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection

a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)

Nikto has its own updating mechanism. We encourage you to check for updates before using Nikto. Nikto can be updated using the following command:

nikto -update

Scanning webservers with Nikto

Let’s start Nikto to scan for interesting files with tuning option 1 using the following command:

nikto -host [hostname or IP] -Tuning 1


Nikto will now display the Apache, OpenSSL and PHP versions of the targeted webserver. It will also give you an overview of possible vulnerabilities, including the Open Source Vulnerabilities Database (OSVDB) reference. When you search the OSVDB website for the reference code, it will explain the possible vulnerability in more detail. The OSVDB project currently covers more than 120,980 vulnerabilities, spanning 198,973 products from 4,735 researchers, over 113 years.

Running all Nikto scans against a host

To run all scans against a particular host you can use the following command:

nikto -host [hostname or IP]

Running all scans will take a lot of time to complete.

Running Nikto against multiple hosts

Nikto offers several options to test multiple hosts:

  • By using a valid hosts file containing one host per line
  • Piping Nmap output to Nikto.

A valid hosts file is a text file containing the hosts, one per line; that is what makes it valid for Nikto. Instead of a hostname, pass the path to this hosts file as the argument of the -h option.

Another solution is to pipe the Nmap output to Nikto. Nmap outputs the live hosts to Nikto, and Nikto runs the selected scans against these hosts. The following command runs an Nmap scan of port 80 on the 192.168.0.0/24 network, writing grepable output to standard output (the -oG - flags):

nmap -p80 192.168.0.0/24 -oG - | nikto -h -

Please note that you should use a dash (-) as Nikto’s host argument so that it reads the hosts supplied by Nmap from standard input.
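What travels through that pipe is Nmap's grepable format, one "Host:" line per address with a "Ports:" field listing port/state/protocol entries. The function below is an added example (not part of the original post or of Nikto) that turns such output into a hosts file for the -h option, keeping only hosts where a chosen web port is actually open; the sample output is constructed, and it assumes Nikto accepts host:port entries in a hosts file.

```shell
#!/bin/sh
# Constructed nmap -oG output (not captured from a real scan). Real output separates the
# Host/Ports/Ignored fields with tabs; the parser below accepts tabs or spaces.
SAMPLE_NMAP_GREP='# Nmap scan initiated as: nmap -p80,443 -oG - 192.168.0.0/24
Host: 192.168.0.1 ()    Status: Up
Host: 192.168.0.1 ()    Ports: 80/open/tcp//http///, 443/closed/tcp//https///    Ignored State: closed (0)
Host: 192.168.0.10 ()   Ports: 80/closed/tcp//http///, 443/open/tcp//https///
Host: 192.168.0.20 ()   Ports: 80/filtered/tcp//http///, 443/filtered/tcp//https///
# Nmap done: 256 IP addresses (3 hosts up) scanned'

# web_hosts [port ...]: read grepable output on stdin and print host:port for every
# listed port that Nmap reports as open (default: 80). Closed/filtered ports and
# "Status: Up" lines without a Ports field are skipped, so Nikto only gets live web ports.
web_hosts() {
  awk -v want="${*:-80}" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
    /^Host: / {
      host = $2
      i = index($0, "Ports: "); if (i == 0) next
      ports = substr($0, i + 7)
      sub(/[ \t]+Ignored State:.*/, "", ports)     # trailing field, not a port entry
      m = split(ports, p, ", ")
      for (j = 1; j <= m; j++) {
        split(p[j], f, "/")                        # port/state/proto/owner/service/...
        key = host ":" f[1]
        if (f[2] == "open" && (f[1] in wanted) && !seen[key]++) print key
      }
    }'
}

# Prints 192.168.0.1:80 and 192.168.0.10:443; redirect to a file and pass it to nikto -h.
printf '%s\n' "$SAMPLE_NMAP_GREP" | web_hosts 80 443
```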

In your Nikto scan options, use -F htm (dash, capital F) to set the output format to HTML.

Below is an example command:

nikto -h example.com -Display V -F htm -output niktoscan.html

(H/T to http://www.hackingtutorials.org)

Windows: adding routes

To view the existing routes,

C:\> route print

To add a static route,

Syntax:

C:\> route add <target> mask <netmask> <gateway IP> metric <metric cost> if <interface>

Example:

C:\> route add 10.10.10.0 mask 255.255.255.0 192.168.1.1 metric 1

Note: If there is more than one Network Interface and if the interface is not mentioned, the interface is selected based on the gateway IP.

This static route is erased when the system reboots. To avoid this, add the -p (persistent) switch to the command above:

C:\> route -p add 10.10.10.0 mask 255.255.255.0 192.168.1.1 metric 1

This writes the persistent route to the following Windows Registry key as a string value (REG_SZ):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

Also, you can write a small batch file with the route commands and add it to the startup folder to add the routes at startup (similar to the startup scripts in Solaris).


yum/pacman/apt-get/zypper/emerge Rosetta Stone

Action Arch Red Hat/Fedora Debian/Ubuntu SUSE/openSUSE Gentoo
Install a package(s) by name pacman -S yum install apt-get install zypper install
zypper in
emerge [-a]
Remove a package(s) by name pacman -Rs yum remove/erase apt-get autoremove zypper remove
zypper rm
emerge -C
Search for package(s) by searching the expression in name, description, short description. What exact fields are being searched by default varies in each tool. Mostly options bring tools on par. pacman -Ss yum search apt-cache search zypper search
zypper se [-s]
emerge -S
Upgrade Packages – Install packages which have an older version already installed pacman -Syu yum update apt-get update; apt-get upgrade zypper update zypper up emerge -u world
Upgrade Packages – Another form of the update command, which can perform more complex updates — like distribution upgrades. When the usual update command will omit package updates, which include changes in dependencies, this command can perform those updates. pacman -Syu yum distro-sync apt-get dist-upgrade zypper dup emerge -uDN world
Reinstall given Package – Will reinstall the given package without dependency hassle. pacman -S yum reinstall apt-get install --reinstall zypper install --force emerge [-a]
Installs local package file, e.g. app.rpm and uses the installation sources to resolve dependencies pacman -U yum localinstall dpkg -i && apt-get install -f zypper in /path/to/local.rpm emerge
Updates package(s) with local packages and uses the installation sources to resolve dependencies pacman -U yum localupdate debi emerge
Use some magic to fix broken dependencies in a system pacman dep level – testdb, shared lib level – findbrokenpkgs or lddd package-cleanup --problems apt-get --fix-broken
aptitude install
zypper verify revdep-rebuild
Only downloads the given package(s) without unpacking or installing them pacman -Sw yumdownloader (found in yum-utils package) apt-get install --download-only (into the package cache)
apt-get download (bypass the package cache)
zypper --download-only emerge --fetchonly
Remove dependencies that are no longer needed, because e.g. the package which needed the dependencies was removed. pacman -Qdtq | pacman -Rs - yum autoremove apt-get autoremove zypper rm -u emerge --depclean
Downloads the corresponding source package(s) to the given package name(s) Use ABS && makepkg -o yumdownloader --source apt-get source / debcheckout zypper source-install emerge --fetchonly
Remove packages no longer included in any repositories. package-cleanup --orphans aptitude purge '~o'
Install/Remove packages to satisfy build-dependencies. Uses information in the source package. automatic yum-builddep apt-get build-dep zypper si -d emerge -o
Add a package lock rule to keep its current state from being changed ${EDITOR} /etc/pacman.conf
modify IgnorePkg array
yum.conf <- "exclude" option (add/amend) apt-mark hold pkg Put package name in /etc/zypp/locks, or zypper al /etc/portage/package.mask
Delete a package lock rule remove package from IgnorePkg line in /etc/pacman.conf yum.conf <- "exclude" option (remove/amend) apt-mark unhold pkg Remove package name from /etc/zypp/locks /etc/portage/package.mask (or package.unmask)
Show a listing of all lock rules cat /etc/pacman.conf yum.conf (research needed) /etc/apt/preferences View /etc/zypp/locks cat /etc/portage/package.mask
Add a checkpoint to the package system for later rollback (unnecessary, done on every transaction) n/a
Remove a checkpoint from the system N/A N/A n/a
Provide a list of all system checkpoints N/A yum history list n/a
Rolls entire packages back to a certain date or checkpoint. N/A yum history rollback n/a
Undo a single specified transaction. N/A yum history undo n/a
Mark a package previously installed as a dependency as explicitly required. pacman -D --asexplicit apt-mark manual emerge --select
Install package(s) as dependency / without marking as explicitly required. pacman -S --asdeps aptitude install 'pkg&M' emerge -1
Package information management
Get a dump of the whole system information – Prints, Saves or similar the current state of the package management system. Preferred output is text or XML. (Note: Why either-or here? No tool offers the option to choose the output format.) (see /var/lib/pacman/local) (see /var/lib/rpm/Packages) apt-cache stats n/a emerge --info
Show all or most information about a package. The tools’ verbosity for the default command vary. But with options, the tools are on par with each other. pacman -[S|Q]i yum list or info apt-cache show / apt-cache policy zypper info zypper if emerge -S; emerge -pv; eix
Search for package(s) by searching the expression in name, description, short description. What exact fields are being searched by default varies in each tool. Mostly options bring tools on par. pacman -Ss yum search apt-cache search zypper search zypper se [-s] emerge -S
Display changelogs yum changelog (found in yum-plugin-changelog package) apt-get changelog
e-mail delivery of package changes apt-get install apt-listchanges
Lists packages which have an update available. Note: Some provide special commands to limit the output to certain installation sources, others use options. pacman -Qu yum list updates yum check-update apt-get upgrade -> n zypper list-updates zypper patch-check (just for patches) emerge -uDNp world
Display a list of all packages in all installation sources that are handled by the packages management. Some tools provide options or additional commands to limit the output to a specific installation source. pacman -Sl yum list available apt-cache dumpavail apt-cache dump (Cache only) apt-cache pkgnames zypper packages emerge -ep world
Displays packages which provide the given exp. aka reverse provides. Mainly a shortcut to search a specific field. Other tools might offer this functionality through the search command. pkgfile <filename> yum provides / yum whatprovides apt-file search <filename> zypper what-provides zypper wp equery belongs (only installed packages); pfl
Display packages which require X to be installed, aka show reverse/ dependencies. pacman -Sii yum resolvedep apt-cache rdepends / aptitude search ~Dpattern IN PROGRESS equery depends
Display packages which conflict with given expression (often package). Search can be used as well to mimic this function. (none) repoquery --whatconflicts aptitude search '~Cpattern' IN PROGRESS
List all packages which are required for the given package, aka show dependencies. pacman -[S|Q]i yum deplist apt-cache depends / apt-cache show zypper info --requires emerge -ep
List what the current package provides yum provides dpkg -s / aptitude show IN PROGRESS equery files
List the files that the package holds. Again, this functionality can be mimicked by other more complex commands. pacman -Ql $pkgname
pkgfile -l
repoquery -l $pkgname dpkg-query -L $pkgname IN PROGRESS equery files
List all packages that require a particular package repoquery --whatrequires [--recursive] aptitude search \~D{depends,recommends,suggests}:pattern / aptitude why pkg equery depends -a
Search all packages to find the one which holds the specified file. auto-apt is using this functionality. pkgfile -s yum provides / yum whatprovides apt-file search IN PROGRESS equery belongs
Display all packages that the specified packages obsoletes. yum list obsoletes apt-cache show IN PROGRESS
Verify dependencies of the complete system. Used if installation process was forcefully killed. testdb yum deplist apt-get check n/a emerge -uDN world
Generates a list of installed packages pacman -Q yum list installed dpkg --list | grep ^i zypper emerge -ep world
List packages that are installed but are not available in any installation source (anymore). pacman -Qm yum list extras deborphan zypper se -si | grep 'System Packages' eix-test-obsolete
List packages that were recently added to one of the installation sources, i.e. which are new to it. (none) yum list recent aptitude search '~N' / aptitude forget-new n/a eix-diff
Show a log of actions taken by the software management. cat /var/log/pacman.log yum history cat /var/log/yum.log cat /var/log/dpkg.log cat /var/log/zypp/history located in /var/log/portage
Clean up all local caches. Options might limit what is actually cleaned. Autoclean removes only unneeded, obsolete information. pacman -Sc
pacman -Scc
yum clean all apt-get clean / apt-get autoclean / aptitude clean zypper clean eclean distfiles
Add a local package to the local package cache mostly for debugging purposes. cp $pkgname /var/cache/pacman/pkg/ apt-cache add n/a cp $srcfile /usr/portage/distfiles
Display the source package to the given package name(s) repoquery -s apt-cache showsrc n/a
Generates an output suitable for processing with dotty for the given package(s). apt-cache dotty n/a
Set the priority of the given package to avoid upgrade, force downgrade or to overwrite any default behavior. Can also be used to prefer a package version from a certain installation source. ${EDITOR} /etc/pacman.conf
Modify HoldPkg and/or IgnorePkg arrays
yum-plugin-priorities and yum-plugin-protect-packages /etc/apt/preferences, apt-cache policy zypper mr -p ${EDITOR} /etc/portage/package.keywords
Add a line with =category/package-version
Remove a previously set priority /etc/apt/preferences zypper mr -p ${EDITOR} /etc/portage/package.keywords
remove offending line
Show a list of set priorities. apt-cache policy /etc/apt/preferences n/a cat /etc/portage/package.keywords
Ignores problems that priorities may trigger. n/a
Installation sources management ${EDITOR} /etc/pacman.conf ${EDITOR} /etc/yum.repos.d/${REPO}.repo ${EDITOR} /etc/apt/sources.list layman
Add an installation source to the system. Some tools provide additional commands for certain sources, others allow all types of source URI for the add command. Again others, like apt and yum force editing a sources list. apt-cdrom is a special command, which offers special options design for CDs/DVDs as source. ${EDITOR} /etc/pacman.conf ${EDITOR} /etc/yum.repos.d/${REPO}.repo apt-cdrom add zypper service-add layman, overlays
Refresh the information about the specified installation source(s) or all installation sources. pacman -Sy (always upgrade the whole system afterwards) yum clean expire-cache && yum check-update apt-get update zypper refresh zypper ref layman -f
Prints a list of all installation sources including important information like URI, alias etc. cat /etc/pacman.d/mirrorlist cat /etc/yum.repos.d/* apt-cache policy zypper service-list layman -l
Disable an installation source for an operation yum --disablerepo=${REPO} emerge package::repo-to-use
Download packages from a different version of the distribution than the one installed. yum --releasever=${VERSION} apt-get install -t release package/ apt-get install package/release (deps not covered) echo "category/package ~amd64" >> /etc/portage/package.keywords && emerge package
Other commands
Start a shell to enter multiple commands in one session yum shell apt-config shell zypper shell
Package Verification
Single package pacman -Qk[k] <package> rpm -V <package> debsums rpm -V <package> equery check
All packages pacman -Qk[k] rpm -Va debsums rpm -Va equery check
Package Querying
List installed local packages along with version pacman -Q rpm -qa dpkg -l emerge -e world
Display local package information: Name, version, description, etc. pacman -Qi rpm -qi dpkg -s / aptitude show emerge -pv and emerge -S
Display remote package information: Name, version, description, etc. pacman -Si yum info apt-cache show / aptitude show emerge -pv and emerge -S
Display files provided by local package pacman -Ql rpm -ql dpkg -L equery files
Display files provided by a remote package pkgfile -l repoquery -l apt-file list pattern pfl
Query the package which provides FILE pacman -Qo rpm -qf (installed only) or yum whatprovides (everything) dpkg -S / dlocate equery belongs
Query a package supplied on the command line rather than an entry in the package management database pacman -Qp rpm -qp dpkg -I
Show the changelog of a package pacman -Qc rpm -q --changelog apt-get changelog equery changes -f
Search locally installed package for names or descriptions pacman -Qs rpm -qa '*<str>*' aptitude search '~i(~n name|~d description)' eix -S -I
List packages not required by any other package pacman -Qt package-cleanup --all --leaves deborphan -anp1
Building Packages
Build a package makepkg -s rpmbuild -ba (normal)
mock (in chroot)
debuild rpmbuild -ba ebuild; quickpkg
Check for possible packaging issues namcap rpmlint lintian repoman
List the contents of a package file pacman -Qpl <file> rpmls rpm -qpl dpkg -c rpm -qpl
Extract a package tar -Jxvf rpm2cpio | cpio -vid dpkg-deb -x rpm2cpio | cpio -vid tar -jxvf
Query a package supplied on the command line rather than an entry in the package management database pacman -Qp rpm -qp dpkg -I

Check TCP connections and their remote origins

Useful if you feel you’re getting DDOS, flood, or other attacks:

netstat -an | grep tcp | awk '{print $5}'|sed 's/::ffff://'|cut -f1 -d':'| sort | uniq -c | sort -n -r
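The one-liner above strips the port with cut -d':', which works for IPv4 and for IPv4-mapped peers but truncates a native IPv6 peer to its first hextet. The function below is an added example (not from the original post) that counts per remote address while keeping IPv6 intact; the netstat output it runs over is constructed.

```shell
#!/bin/sh
# Constructed `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:203.0.113.7:5555 ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::1:60000       ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::1:60001       TIME_WAIT
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# count_remote: read netstat -an lines on stdin and print "count address" per remote
# peer, busiest first. Only the trailing :port is removed, so IPv6 colons survive,
# and IPv4-mapped addresses (::ffff:a.b.c.d) are folded into their plain IPv4 form.
count_remote() {
  awk '$1 ~ /^tcp/ && $5 !~ /\*$/ {      # TCP only; skip LISTEN rows (peer is "*")
         addr = $5
         sub(/^::ffff:/, "", addr)        # IPv4-mapped IPv6 -> plain IPv4
         sub(/:[0-9]+$/, "", addr)        # strip the port, keep IPv6 colons
         count[addr]++
       }
       END { for (a in count) printf "%d %s\n", count[a], a }' | sort -k1,1nr -k2
}

# top_remote: the single busiest peer, e.g. as input for an alert or a block decision
top_remote() { count_remote | head -n 1; }

# Prints "3 203.0.113.7", "2 2001:db8::1", "1 198.51.100.9"
printf '%s\n' "$SAMPLE_NETSTAT" | count_remote
```

On a live host replace the printf with `netstat -an | count_remote` (or `ss -tan`, whose peer column is also $5 once the header is skipped).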


Eliminating too many TIME_WAIT sockets

At some point you’ll run across an Apache server that always has tons of TIME_WAIT connections just seeming to hang out. While these don’t take up as many resources as an ESTABLISHED connection, why keep them around so long? This short article will show you how to identify how many you have, and how to tell your server to reduce, reuse and recycle them (see, recycling IS a good thing).

First, SSH into your server and become root.

Next, let’s see how many TIME_WAITs you have hanging out:

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

You should see something like this:

      1 established)
      1 Foreign
      3 FIN_WAIT2
      5 LAST_ACK
      6 CLOSING
      9 SYN_RECV
     10 ESTABLISHED
     22 FIN_WAIT1
     26 LISTEN
    466 TIME_WAIT

So – let’s get that number smaller.

See what your current values are in these files by catting them to the screen:

cat /proc/sys/net/ipv4/tcp_fin_timeout
cat /proc/sys/net/ipv4/tcp_tw_recycle
cat /proc/sys/net/ipv4/tcp_tw_reuse

If you have default settings, you’ll probably see values of 60, 0 and 0. Let’s change those values to 30, 1, 1.

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse

Now, let’s make the change persistent by adding them to the sysctl.conf file. First however, let’s make sure there aren’t any entries in there yet for these settings. cat the file and grep for the changes we’re about to make:

cat /etc/sysctl.conf | grep "net.ipv4.tcp_fin_timeout"
cat /etc/sysctl.conf | grep "net.ipv4.tcp_tw_recycle"
cat /etc/sysctl.conf | grep "net.ipv4.tcp_tw_reuse"

Make notes of what your settings are if you had any results.

Now, edit the /etc/sysctl.conf with your favorite editor and add these lines to the end of it (or edit the values you have in yours if they exist already):

# Decrease TIME_WAIT seconds
net.ipv4.tcp_fin_timeout = 30

# Recycle and Reuse TIME_WAIT sockets faster
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

Now, let’s rerun that command from before and see where your TIME_WAITs are at:

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

(You may need to wait at least a minute or so, depending on what your old values were, to see a change here.)


Redirect all shell output

BASH Shell Redirect Output and Errors To /dev/null

How do I redirect output and errors to /dev/null under bash / sh shell scripting? How do I redirect the output of stderr to stdout, and then redirect this combined output to /dev/null?

You can send output to /dev/null by using the command >/dev/null syntax. However, this redirects only standard output (FD 1); anything the command writes to standard error (FD 2) still gets through. So you need to modify >/dev/null as follows to redirect both output and errors to /dev/null:

$ command > /dev/null 2>&1
$ ./script.sh > /dev/null 2>&1
$ ./example.pl > /dev/null 2>&1

You can also use the same syntax for all your cronjobs to avoid emails and output / error messages:

@hourly /scripts/backup/nas.backup >/dev/null 2>&1
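Redirections are applied left to right, so `> /dev/null 2>&1` and `2>&1 > /dev/null` behave differently. The script below is an added example (not from the original post) that makes the difference visible with a constructed helper that writes to both streams, and also shows the form that keeps errors for the cron mail while discarding routine output.

```shell
#!/bin/sh
# emit: a constructed stand-in for any command that writes to both stdout and stderr.
emit() {
  echo "to stdout"
  echo "to stderr" >&2
}

# 1) stdout -> /dev/null, then stderr -> wherever stdout points now (/dev/null): silent.
#    This is the form to use in crontab entries.
silence_both() { emit > /dev/null 2>&1; }

# 2) stderr -> wherever stdout points now (the caller/terminal), then stdout -> /dev/null:
#    only stdout is discarded and the error line still comes through. A common mistake.
silence_stdout_only() { emit 2>&1 > /dev/null; }

# 3) Drop routine output but leave stderr alone, so cron still mails you on errors.
keep_errors() { emit > /dev/null; }

silence_both           # prints nothing
silence_stdout_only    # prints "to stderr"
keep_errors            # prints "to stderr"
```

bash also accepts `&> /dev/null` for form 1, but that is not POSIX sh, so in scripts with `#!/bin/sh` and in crontab (which runs commands with /bin/sh by default) use `> /dev/null 2>&1`.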
