Now let’s examine the plug-ins that come bundled with Nikto. This will help you understand how the existing plug-ins function, before you write your own.

nikto_core
The core plug-in, as the name suggests, contains the core functionality for the main vulnerability-checking routines. These routines are available for use within the rest of the plug-ins. This plug-in and its exported routines were discussed in detail in the previous section.

nikto_realms
This plug-in checks whether the web server protects content with HTTP Basic authentication (a 401 response carrying a WWW-Authenticate: Basic header). If it does, it loads a list of default usernames and passwords and attempts to guess valid credentials for that realm. Each guess is a separate request, so this check is noisy and may trigger account lockout or alerting on the target.

nikto_headers
This plug-in iterates through the HTTP headers in the server response and reports any that are interesting from a security perspective, such as X-Powered-By, Content-Location, Servlet-Engine, and DAAP-Server. Headers like these disclose the application stack, internal path layout, or software version, and so narrow down which later checks are worth running.

nikto_robots
This plug-in retrieves the robots.txt file, if one is available, and reports interesting entries such as Disallow directives. "Friendly" web site crawlers read robots.txt to learn which paths the site owner does not want indexed; a Disallow entry is therefore a hint about content the owner considers sensitive, and nothing stops a scanner from requesting those paths directly.

nikto_httpoptions
This plug-in reviews the HTTP methods the server reports as allowed, as returned in the Allow header of the response to an OPTIONS request. Dangerous methods include PUT, CONNECT, and DELETE, among others. Keep in mind that the Allow header is only what the server claims: a listed method may still be refused for a particular resource, and an unlisted one may still work, so confirm any finding with a direct request.

nikto_outdated
This plug-in focuses on the Server HTTP header. It uses a "best-guess" parser to extract the web server product and version from the banner, then checks that version against the list of current web server versions in the outdated.db file. Because it relies entirely on the banner, it reports nothing if the administrator has removed or obfuscated the Server header, and it reports whatever version the banner claims, which may not be the version actually running.

nikto_msgs
As with the nikto_outdated plug-in, this plug-in focuses on the Server HTTP header, but it uses the web server version to determine whether there are any version-specific security warnings to report.
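The four plug-ins above all work from the headers of a single response. To make that concrete, here is an added Python example (not Nikto's own Perl code) that reproduces offline what nikto_headers, nikto_httpoptions, nikto_outdated and nikto_msgs each do with one response. The sample response, the interesting-header set, the dangerous-method set, the LATEST table standing in for outdated.db, and the WARNINGS table standing in for nikto_msgs' data are all constructed for this example and are not Nikto's real data.

```python
"""Offline reconstruction of the Server-response checks made by nikto_headers,
nikto_httpoptions, nikto_outdated and nikto_msgs.  Added example, not Nikto's
own Perl code; every table and the sample response below are constructed."""
import re
from itertools import zip_longest

# Headers nikto_headers reports (lower-cased because header names are case-insensitive).
INTERESTING_HEADERS = {"x-powered-by", "content-location", "servlet-engine", "daap-server"}

# Methods nikto_httpoptions flags in the Allow header (constructed subset).
DANGEROUS_METHODS = {"PUT", "DELETE", "CONNECT"}

# Constructed stand-in for outdated.db: product -> current version string.
LATEST = {"apache": "1.3.29", "php": "4.3.4", "microsoft-iis": "6.0"}

# Constructed stand-in for nikto_msgs' data: (product, lowest, highest, message).
# The range and message are illustrative only, not a real advisory.
WARNINGS = [("apache", (1, 3, 0), (1, 3, 27), "constructed sample warning for Apache 1.3.0-1.3.27")]


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, headers, body).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return status, headers, body


def interesting_headers(headers):
    """nikto_headers: the subset of response headers worth reporting."""
    return {n: v for n, v in headers.items() if n in INTERESTING_HEADERS}


def dangerous_methods(headers):
    """nikto_httpoptions: dangerous methods advertised in the Allow header."""
    allow = headers.get("allow", "")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(advertised & DANGEROUS_METHODS)


def parse_server_banner(banner):
    """Best-guess parse of a banner such as 'Apache/1.3.26 (Unix) PHP/4.2.3'
    into [(product, version tuple)].  Tokens without 'name/x.y' shape, e.g.
    '(Unix)', are ignored, and an obfuscated banner yields nothing."""
    return [(m.group(1).lower(), tuple(int(x) for x in m.group(2).split(".")))
            for m in re.finditer(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)", banner)]


def version_lt(a, b):
    """True if version tuple a is older than b.  Missing components count as 0,
    so (6,) equals (6, 0) rather than sorting before it as plain tuples would."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return x < y
    return False


def outdated(headers):
    """nikto_outdated: products in Server older than the LATEST table."""
    findings = []
    for product, ver in parse_server_banner(headers.get("server", "")):
        latest = LATEST.get(product)
        if latest and version_lt(ver, tuple(int(x) for x in latest.split("."))):
            findings.append((product, ".".join(map(str, ver)), latest))
    return findings


def version_warnings(headers):
    """nikto_msgs: WARNINGS entries whose version range covers the banner version."""
    hits = []
    for product, ver in parse_server_banner(headers.get("server", "")):
        for p, lo, hi, msg in WARNINGS:
            if p == product and not version_lt(ver, lo) and not version_lt(hi, ver):
                hits.append((product, msg))
    return hits


# Constructed sample response, as an OPTIONS request might return it.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/1.3.26 (Unix) PHP/4.2.3 mod_ssl/2.8.10\r\n"
          "X-Powered-By: PHP/4.2.3\r\n"
          "Allow: GET, HEAD, POST, OPTIONS, TRACE, PUT, DELETE\r\n"
          "Content-Type: text/html\r\n"
          "\r\n"
          "<html></html>")


def analyse(raw=SAMPLE):
    """Run the four checks over one raw response and return the findings."""
    status, headers, _ = parse_response(raw)
    return {"status": status,
            "interesting": interesting_headers(headers),
            "dangerous": dangerous_methods(headers),
            "outdated": outdated(headers),
            "warnings": version_warnings(headers)}


if __name__ == "__main__":
    for name, result in analyse().items():
        print(f"{name}: {result}")
```

Two details matter in practice. Version strings must not be compared as plain tuples, since ("6",) would sort before ("6", "0"); version_lt pads the shorter one with zeros. And the banner parser ignores anything that is not of the form name/x.y, which is exactly why a server with an obfuscated or removed Server header produces no findings at all from nikto_outdated or nikto_msgs.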

nikto_apacheusers
This plug-in checks whether the UserDir option in Apache, or the equivalent in another web server, is enabled. If it is, you can enumerate valid system users by requesting URIs such as /~root: the server typically answers differently for an account that exists (for example, 403 Forbidden when the user has no public_html directory) than for one that does not (404 Not Found), and that difference is what the plug-in keys on.

nikto_mutate
This plug-in is enabled only if -m 1 is specified on the command line. If the MUTATEDIRS and MUTATEFILES variables are set in Nikto's configuration, each request is mutated three times. The first form is the standard request, the second has a MUTATEDIRS item prepended to the URI, and the third has a MUTATEFILES entry appended to the URI. You should not use this plug-in with its default settings: the mutation engine multiplies every check in the database by the size of those lists, which makes a scan extremely slow.

nikto_passfiles
This plug-in is enabled only if -m 2 is specified on the command line. It holds an array of common password filenames, such as passwd and .htpasswd, and combines those filenames with common file extensions and directory names to build requests that check for files containing interesting information (usually credentials). Be aware that with its default settings this plug-in yields more than 2,000 checks.

nikto_user_enum_apache
This plug-in is enabled only if -m 3 is specified on the command line. It guesses usernames using the same URI formatting technique as the nikto_apacheusers plug-in. It is not recommended for general use because the default generation engine produces every five-character alphabetic username, that is, 26^5 = 11,881,376 checks.

nikto_user_enum_cgiwrap
This plug-in is enabled only if -m 4 is specified on the command line. Its logic is very similar to that of the nikto_user_enum_apache plug-in. The key difference is that this plug-in uses an enumeration technique specific to the CGIWrap program. CGIWrap is a web server extension that improves security by running CGI scripts as the user who owns them instead of as the web server user. The plug-in generates URIs such as /cgi-bin/cgiwrap/userguess. Because the username generation routine is the same as in nikto_user_enum_apache, the same warnings apply.
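The -m plug-ins and nikto_apacheusers share one lesson: a few short lists multiply into an enormous request count. The following added Python example (not Nikto's own Perl code) reconstructs that expansion offline for nikto_mutate, nikto_passfiles, nikto_user_enum_apache and nikto_user_enum_cgiwrap, together with the UserDir status-code test that nikto_apacheusers depends on. Every list, the base_checks figure, the assumption that each MUTATEDIRS and MUTATEFILES entry is applied in turn, and the 403-versus-404 decision rule are assumptions made for this example, not values taken from Nikto's configuration or code.

```python
"""Offline reconstruction of how the -m plug-ins (nikto_mutate, nikto_passfiles,
nikto_user_enum_apache, nikto_user_enum_cgiwrap) expand a handful of settings
into a very large request list, and of the UserDir response test that
nikto_apacheusers relies on.  Added example, not Nikto's own Perl code; every
list below is constructed and much smaller than Nikto's defaults."""
from itertools import product
from string import ascii_lowercase

# Constructed stand-ins for the MUTATEDIRS / MUTATEFILES configuration values.
MUTATEDIRS = ["/admin", "/cgi-bin"]
MUTATEFILES = ["index.bak", "test.cgi"]

# Constructed stand-ins for nikto_passfiles' filename, extension and directory lists.
PASS_FILES = ["passwd", ".htpasswd", "password"]
EXTENSIONS = ["", ".bak", ".txt", ".old"]
DIRS = ["/", "/etc/", "/admin/", "/backup/"]


def mutate(uri):
    """nikto_mutate: the standard request, then one copy per MUTATEDIRS entry
    with the directory prepended, then one copy per MUTATEFILES entry with the
    filename appended.  (Assumed: every entry of each list is applied, so one
    check becomes 1 + len(MUTATEDIRS) + len(MUTATEFILES) requests.)"""
    yield uri
    for d in MUTATEDIRS:
        yield d + uri
    for f in MUTATEFILES:
        yield uri.rstrip("/") + "/" + f


def passfile_requests():
    """nikto_passfiles: directories x filenames x extensions."""
    for d, name, ext in product(DIRS, PASS_FILES, EXTENSIONS):
        yield d + name + ext


def usernames(length=5, alphabet=ascii_lowercase):
    """Lazy brute-force username generator, as nikto_user_enum_* does for
    every alphabetic string of the configured length."""
    for chars in product(alphabet, repeat=length):
        yield "".join(chars)


def brute_force_count(length=5, alphabet=ascii_lowercase):
    """Number of requests usernames() would drive: 26**5 == 11,881,376."""
    return len(alphabet) ** length


def userdir_uri(user):
    """URI shape used by nikto_apacheusers and nikto_user_enum_apache."""
    return "/~" + user


def cgiwrap_uri(user):
    """URI shape used by nikto_user_enum_cgiwrap."""
    return "/cgi-bin/cgiwrap/" + user


def enumeration_plan(users, make_uri=userdir_uri):
    """Request list for a wordlist of candidate users.  Passing usernames()
    instead of a short wordlist shows why the brute-force mode is impractical."""
    return [make_uri(u) for u in users]


def userdir_user_exists(status):
    """Assumed Apache UserDir behaviour that the enumeration relies on: /~user
    for an existing account (with no public_html) returns 403 Forbidden, while
    a nonexistent account returns 404 Not Found.  Verify this on the target
    with a known-good and a known-bad name first; other servers differ."""
    return status == 403


def scan_budget():
    """How many requests each mode costs with the constructed lists above."""
    base_checks = 10                       # constructed: size of the main check database
    return {
        "mutate": base_checks * (1 + len(MUTATEDIRS) + len(MUTATEFILES)),
        "passfiles": sum(1 for _ in passfile_requests()),
        "user_enum_wordlist": len(enumeration_plan(["root", "www", "apache"])),
        "user_enum_bruteforce": brute_force_count(),
    }


if __name__ == "__main__":
    print(list(mutate("/scripts/")))
    print(enumeration_plan(["root", "www"], cgiwrap_uri))
    print(scan_budget())
```

The generator form of usernames() is deliberate: materialising 11,881,376 strings up front is as wasteful as sending them, and enumeration_plan() takes any iterable, so a short wordlist of likely account names is a drop-in replacement for the brute-force mode. Whatever the source of candidates, calibrate userdir_user_exists() against the target before trusting it, since the 403/404 split is a property of the server's configuration rather than of the plug-in.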