Nikto: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
Zeile 10: Zeile 10:
  
 
=Anwendung=
 
=Anwendung=
 +
==Ohne SSL==
 
*nikto -h opfer -p 80
 
*nikto -h opfer -p 80
<pre>
+
==SSL==
- Nikto v2.1.6
+
*nikto --ssl -h opfer -p 443
---------------------------------------------------------------------------
 
+ Target IP:          10.0.10.104
 
+ Target Hostname:    opfer.secure.local
 
+ Target Port:        80
 
+ Start Time:        2021-08-04 15:35:03 (GMT2)
 
---------------------------------------------------------------------------
 
+ Server: Apache/2.4.7 (Ubuntu)
 
+ The anti-clickjacking X-Frame-Options header is not present.
 
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 
+ No CGI Directories found (use '-C all' to force check all possible dirs)
 
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
 
+ Server may leak inodes via ETags, header found with file /, inode: 1d4, size: 5c81e4a62d19e, mtime: gzip
 
+ Cookie PHPSESSID created without the httponly flag
 
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.29
 
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
 
+ /test.php: Output from the phpinfo() function was found.
 
+ /config.php: PHP Config file may contain database IDs and passwords.
 
+ OSVDB-3233: /test.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
 
+ OSVDB-3233: /icons/README: Apache default file found.
 
+ /login.php: Admin login page/section found.
 
+ OSVDB-3092: /test.php: This might be interesting...
 
+ 7863 requests: 0 error(s) and 14 item(s) reported on remote host
 
+ End Time:          2021-08-04 15:35:50 (GMT2) (47 seconds)
 
---------------------------------------------------------------------------
 
+ 1 host(s) tested
 
</pre>
 
  
 
=Weiteres=
 
=Weiteres=

Version vom 27. Oktober 2022, 09:08 Uhr

Erklärung

  • Nikto Web Scanner ist ein Webserver-Scanner,
  • Er testet Webserver auf gefährliche Dateien/CGIs
  • Sowie veraltete Serversoftware und andere Probleme testet.
  • Er führt auch generische und servertypspezifische Prüfungen durch.
  • Außerdem erfasst und gibt alle empfangenen Cookies aus.

Installation

  • apt install nikto

Anwendung

Ohne SSL

  • nikto -h opfer -p 80

SSL

  • nikto --ssl -h opfer -p 443

Weiteres

  • -h = target host
  • -p = port
  • -l = List all available plugins
  • -F = Format (z.B. HTML, TXT, XML)
  • -o = Write output to this file (z.B. webscan.html)
  • -s = Force ssl mode on port
  • nikto -h opfer.secure.local -p 80 -o opfer.html -F HTML

Bericht in HTML Format

Nikto-html.png

Bericht in XML Format

Abgerufen von „http://wiki.ixheim.de/index.php?title=Nikto&oldid=37634