2022年5月27日 星期五

[研究] Nikto2 v2.1.6 - Web Server Scanner 安裝與使用 (Fedora 36 x64_86)

[研究] Nikto2 v2.1.6 - Web Server Scanner 安裝與使用 (Fedora 36 x64_86)

2022-05-27

Nikto - 維基百科,自由的百科全書
https://zh.wikipedia.org/wiki/Nikto

Nikto2 是 Web Server Scanner。

Nikto是一款開源的(GPL)網頁伺服器掃描器,它可以對網頁伺服器進行全面的多種掃描,包含超過3300種有潛在危險的文件/CGIs;超過625種伺服器版本;超過230種特定伺服器問題。掃描項和插件可以自動更新(如果需要)。基於Whisker/libwhisker完成其底層功能。這是一款非常棒的工具,但其軟體本身並不經常更新,最新和最危險的可能檢測不到。

官方網站
http://www.cirt.net/nikto2

Nikto 最新為 v2.1.6 版,釋出時間 2015-07-09。

[user1@fedora ~]$ sudo yum info nikto
Last metadata expiration check: 0:32:14 ago on Fri 27 May 2022 09:15:54 AM CST.
Available Packages
Name         : nikto
Epoch        : 1
Version      : 2.1.6
Release      : 10.fc36
Architecture : noarch
Size         : 332 k
Source       : nikto-2.1.6-10.fc36.src.rpm
Repository   : fedora
Summary      : Web server scanner
URL          : https://www.cirt.net/Nikto2
License      : GPLv2+ and Redistributable, no modification permitted
Description  : Nikto is a web server scanner which performs comprehensive tests against web
             : servers for multiple items, including over 3300 potentially dangerous
             : files/CGIs, versions on over 625 servers, and version specific problems
             : on over 230 servers. Scan items and plugins are frequently updated and
             : can be automatically updated (if desired).

[user1@fedora ~]$

安裝

[user1@fedora ~]$ sudo yum install -y  nikto
Last metadata expiration check: 0:32:48 ago on Fri 27 May 2022 09:15:54 AM CST.
Dependencies resolved.
============================================================================================================
 Package                       Architecture       Version                         Repository           Size
============================================================================================================
Installing:
 nikto                         noarch             1:2.1.6-10.fc36                 fedora              332 k
Installing dependencies:
 nmap                          x86_64             3:7.92-1.fc36                   fedora              5.5 M
 perl-JSON-PP                  noarch             1:4.07-2.fc36                   fedora               66 k
 perl-Math-BigInt              noarch             1:1.9998.30-1.fc36              updates             199 k
 perl-Math-BigRat              noarch             0.2622-1.fc36                   updates              41 k
 perl-Math-Complex             noarch             1.59-486.fc36                   fedora               52 k
 perl-Time-HiRes               x86_64             4:1.9767-480.fc36               fedora               57 k
 perl-bignum                   noarch             0.65-1.fc36                     updates              50 k
 perl-libwhisker2              noarch             2.5-33.fc36                     fedora               88 k

Transaction Summary
============================================================================================================
Install  9 Packages

Total download size: 6.3 M
Installed size: 27 M
Downloading Packages:
(1/9): nikto-2.1.6-10.fc36.noarch.rpm                                       390 kB/s | 332 kB     00:00    
(2/9): perl-JSON-PP-4.07-2.fc36.noarch.rpm                                   67 kB/s |  66 kB     00:00    
(3/9): perl-Math-Complex-1.59-486.fc36.noarch.rpm                           315 kB/s |  52 kB     00:00    
(4/9): perl-Time-HiRes-1.9767-480.fc36.x86_64.rpm                           298 kB/s |  57 kB     00:00    
(5/9): perl-libwhisker2-2.5-33.fc36.noarch.rpm                              397 kB/s |  88 kB     00:00    
(6/9): perl-Math-BigRat-0.2622-1.fc36.noarch.rpm                            262 kB/s |  41 kB     00:00    
(7/9): perl-Math-BigInt-1.9998.30-1.fc36.noarch.rpm                         711 kB/s | 199 kB     00:00    
(8/9): perl-bignum-0.65-1.fc36.noarch.rpm                                   842 kB/s |  50 kB     00:00    
(9/9): nmap-7.92-1.fc36.x86_64.rpm                                          1.4 MB/s | 5.5 MB     00:03    
------------------------------------------------------------------------------------------------------------
Total                                                                       1.0 MB/s | 6.3 MB     00:06     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                    1/1 
  Installing       : perl-Math-Complex-1.59-486.fc36.noarch                                             1/9 
  Installing       : perl-Math-BigInt-1:1.9998.30-1.fc36.noarch                                         2/9 
  Installing       : perl-JSON-PP-1:4.07-2.fc36.noarch                                                  3/9 
  Installing       : perl-Math-BigRat-0.2622-1.fc36.noarch                                              4/9 
  Installing       : perl-bignum-0.65-1.fc36.noarch                                                     5/9 
  Installing       : perl-libwhisker2-2.5-33.fc36.noarch                                                6/9 
  Installing       : perl-Time-HiRes-4:1.9767-480.fc36.x86_64                                           7/9 
  Installing       : nmap-3:7.92-1.fc36.x86_64                                                          8/9 
  Installing       : nikto-1:2.1.6-10.fc36.noarch                                                       9/9 
  Running scriptlet: nikto-1:2.1.6-10.fc36.noarch                                                       9/9 
  Verifying        : nikto-1:2.1.6-10.fc36.noarch                                                       1/9 
  Verifying        : nmap-3:7.92-1.fc36.x86_64                                                          2/9 
  Verifying        : perl-JSON-PP-1:4.07-2.fc36.noarch                                                  3/9 
  Verifying        : perl-Math-Complex-1.59-486.fc36.noarch                                             4/9 
  Verifying        : perl-Time-HiRes-4:1.9767-480.fc36.x86_64                                           5/9 
  Verifying        : perl-libwhisker2-2.5-33.fc36.noarch                                                6/9 
  Verifying        : perl-Math-BigInt-1:1.9998.30-1.fc36.noarch                                         7/9 
  Verifying        : perl-Math-BigRat-0.2622-1.fc36.noarch                                              8/9 
  Verifying        : perl-bignum-0.65-1.fc36.noarch                                                     9/9 

Installed:
  nikto-1:2.1.6-10.fc36.noarch                        nmap-3:7.92-1.fc36.x86_64                            
  perl-JSON-PP-1:4.07-2.fc36.noarch                   perl-Math-BigInt-1:1.9998.30-1.fc36.noarch           
  perl-Math-BigRat-0.2622-1.fc36.noarch               perl-Math-Complex-1.59-486.fc36.noarch               
  perl-Time-HiRes-4:1.9767-480.fc36.x86_64            perl-bignum-0.65-1.fc36.noarch                       
  perl-libwhisker2-2.5-33.fc36.noarch                

Complete!
[user1@fedora ~]$

2.1.5版的nikto.pl,在2.1.6沒有看到了。

[user1@fedora bin]$ sudo find / -name nikto -print
find: ‘/run/user/1000/doc’: Permission denied
find: ‘/run/user/1000/gvfs’: Permission denied
/etc/nikto
/usr/bin/nikto
/usr/share/doc/nikto
/usr/share/licenses/nikto
/usr/share/nikto
[user1@fedora bin]$ 

參數說明

[user1@fedora ~]$ nikto -h 
Option host requires an argument

       -config+            Use this config file
       -Display+           Turn on/off display outputs
       -dbcheck            check database and other key files for syntax errors
       -Format+            save file (-o) format
       -Help               Extended help information
       -host+              target host
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -output+            Write output to this file
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -root+              Prepend root value to all requests, format is /directory 
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning
       -timeout+           Timeout for requests (default 10 seconds)
       -update             Update databases and plugins from CIRT.net
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
   		+ requires a value

	Note: This is the short help output. Use -H for full help text.

[user1@fedora ~]$

測試一下自己這台  (-h 參數表示目的主機;某些版本測自己會出現 Permission denied,測別台才行。)

[user1@fedora ~]$ nikto -h 192.168.128.130
- ***** RFIURL is not defined in nikto.conf--no RFI tests will run *****
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.128.130
+ Target Hostname:    192.168.128.130
+ Target Port:        80
+ Start Time:         2022-05-27 09:54:31 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.53 (Fedora Linux)
+ Server leaks inodes via ETags, header found with file /, fields: 0x211a 0x5db4c92a77a00 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 5896 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2022-05-27 09:54:42 (GMT8) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.53) are not in
      the Nikto database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n

[user1@fedora ~]$ 



(完)

參考

[研究] Nikto2 v2.1.6 - Web Server Scanner 安裝與使用 (Fedora 36 x64_86)
https://shaurong.blogspot.com/2022/05/nikto2-v216-web-server-scanner-fedora.html

[研究] Nikto2 v2.1.5 安裝與使用 (CentOS 7.0 x64_86)
http://shaurong.blogspot.tw/2014/08/nikto2-v215-centos-70-x6486.html

[研究] Nikto2 v2.1.5 安裝與使用 (CentOS 6.3 x86)
http://shaurong.blogspot.tw/2012/12/nikto2-v215-centos-63-x86.html

[研究] Nikto2 v2.1.4 安裝與使用 (Fedora 15 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=20385

[研究] Nikto2 v2.1.4 Web Scanner 安裝與使用 (CentOS 6.0 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?p=63655

沒有留言:

張貼留言