source: documentation/doc.xml @ 301

Revision 301, 85.8 KB checked in by sullo, 3 years ago

Some doc updates (more needed)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
<!ENTITY description SYSTEM "sections/description.xml">
<!ENTITY options SYSTEM "sections/options.xml">
]>
<book>
  <title>Nikto v2.1.1 - The Manual</title>

  <chapter id="introduction">
    <title>Introduction</title>

    <section>
      <title>Overview</title>

      <para>Nikto is a web server assessment tool. It is designed to find
      various default and insecure files, configurations and programs on any
      type of web server.</para>
    </section>

    <section>
      <title>Description</title>

      &description;

      <para>The name "Nikto" is taken from the movie "The Day the Earth Stood
      Still", and of course subsequent abuse by Bruce Campbell in "Army of
      Darkness". More information on the pop-culture popularity of Nikto can
      be found at <ulink
      url="http://www.blather.net/blather/2005/10/klaatu_barada_nikto_the_day_th.html">http://www.blather.net/blather/2005/10/klaatu_barada_nikto_the_day_th.html</ulink></para>
    </section>

    <section>
      <title>Advanced Error Detection Logic</title>

      <para>Most web security tools (including Nikto 1.32 and below) rely
      heavily on the HTTP response code to determine if a page or script
      exists on the target. Because many servers do not properly adhere to RFC
      standards and return a 200 "OK" response for requests which are not
      found or forbidden, this can lead to many false positives. In addition,
      error responses for various file extensions can differ: the "not found"
      response for a .html file is often different from that for a
      .cgi.</para>

      <para>Some testing tools, such as Nessus, also look at the content of
      the response to help eliminate these false positives. While often
      effective, this method relies on pre-defined strings to help eliminate
      false positives.</para>

      <para>As of version 2.0 Nikto no longer assumes the error pages for
      different file types will be the same. A list of unique file extensions
      is generated at run-time (from the test database), and each of those
      extensions is tested against the target. For every file type, the "best
      method" of determining errors is found: standard RFC response, content
      match or MD5 hash (in decreasing order of preference). This allows Nikto
      to use the fastest and most accurate method for each individual file
      type, and therefore helps eliminate the false positives seen for some
      servers in version 1.32 and below.</para>

      <para>For example, if a server responds with a 404 "not found" error for
      a non-existent .txt file, Nikto will match the HTTP response of "404" on
      tests. If the server responds with a 200 "OK" response, it will try to
      match on the content, and assuming it finds a match (for example, the
      words "could not be found"), it will use this method for determining
      missing .txt files. If the other methods fail, Nikto will attempt to
      remove date and time strings (which can constantly change) from the
      returned page's content, generate an MD5 hash of the content, and then
      match that hash value against future .txt tests. The latter is by far
      the slowest type of match, but in many cases will provide valid results
      for a particular file type.</para>
    </section>
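    <para>To make the three-tier selection concrete, here is an added Python
    illustration, written for this manual page rather than taken from Nikto's
    code, of choosing a per-extension error signature from a probe response
    and then applying it to later responses. The probe responses, the extra
    error phrases beyond "could not be found" and the date/time patterns are
    constructed assumptions.</para>

```python
"""Per-file-type error detection in the spirit of the Nikto 2.x logic
described above.  Added example for this manual page, not Nikto's own code;
all responses below are constructed samples, not captured traffic."""
import hashlib
import re

# Phrases the content match looks for.  "could not be found" is the one the
# manual cites; the other two are assumed additions for illustration.
ERROR_PHRASES = ("could not be found", "not found", "no such file")

# Date and time strings that legitimately differ between two responses and
# would otherwise make the hash useless (assumed patterns).
VOLATILE_PATTERNS = (
    re.compile(r"\b(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} GMT"),
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),         # 2009-08-18
    re.compile(r"\b\d{1,2}:\d{2}(?::\d{2})?\b"),  # 10:13:57
)


def normalize(body):
    """Strip volatile date/time strings so the hash is stable across requests."""
    for pattern in VOLATILE_PATTERNS:
        body = pattern.sub("", body)
    return body


def body_hash(body):
    """MD5 of the normalized body, used purely as a fingerprint."""
    return hashlib.md5(normalize(body).encode("utf-8")).hexdigest()


def choose_method(probe):
    """Pick the cheapest reliable error signature for one file type.

    `probe` is the response to a request for a file of that type which
    cannot exist on the server.  Preference order, as in the manual:
    RFC status code, then content match, then hash of the normalized body.
    """
    if probe["status"] != 200:
        return ("code", probe["status"])
    lowered = probe["body"].lower()
    for phrase in ERROR_PHRASES:
        if phrase in lowered:
            return ("content", phrase)
    return ("hash", body_hash(probe["body"]))


def build_methods(probes_by_extension):
    """Map each extension seen in the test database to its error signature."""
    return {ext: choose_method(resp) for ext, resp in probes_by_extension.items()}


def is_error_page(method, response):
    """True if `response` matches the error signature chosen for its type."""
    kind, value = method
    if kind == "code":
        return response["status"] == value
    if kind == "content":
        return value in response["body"].lower()
    return body_hash(response["body"]) == value


# Constructed probe responses for three file types on an imaginary server.
PROBES = {
    ".txt": {"status": 404, "body": "Not Found"},
    ".cgi": {"status": 200, "body": "The requested script could not be found."},
    ".html": {"status": 200,
              "body": "Custom error page generated at 10:13:57 on 2009-08-18"},
}

if __name__ == "__main__":
    for ext, method in sorted(build_methods(PROBES).items()):
        print(ext, method[0], method[1])
```

    <para>The date/time stripping is what makes the hash method usable at
    all: two .html error bodies that differ only in their timestamps hash
    identically once normalized, whereas a genuinely different page does
    not match.</para>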

    <section>
      <title>History</title>

      <para>The Nikto 1.00 Beta was released on December 27, 2001 (followed
      almost immediately by the 1.01 release). Over the course of two years
      Nikto's code evolved into the most popular freely available web
      vulnerability scanner. The 2.0 release, in November 2007, represents
      several years of improvements.</para>

      <para>In 2008, due to other commitments, Sullo, the original author,
      couldn't continue to support Nikto and the code was released under the
      GPL and passed to the community for support.</para>
    </section>
  </chapter>

  <chapter id="installation">
    <title>Installation</title>

    <section>
      <title>Requirements</title>

      <para>Any system which supports a basic Perl installation should allow
      Nikto to run. It has been extensively tested on:</para>

      <itemizedlist>
        <listitem>
          <para>Windows (using ActiveState Perl)</para>
        </listitem>

        <listitem>
          <para>Mac OS X</para>
        </listitem>

        <listitem>
          <para>Various Linux and Unix installations (including RedHat,
          Solaris, Debian, Knoppix, etc.)</para>
        </listitem>
      </itemizedlist>

      <para>The only required Perl module that does not come standard is
      LibWhisker. Nikto comes with and is configured to use a local LW.pm file
      (in the plugins directory), but users may wish to change Nikto to use a
      version installed on the system. See Section 2 for further
      information.</para>

      <para>For SSL support the Net::SSLeay Perl module must be installed
      (which in turn requires OpenSSL on the Unix platform). Windows support
      for SSL is dependent on the installation package, but is rumored to
      exist for ActiveState's Perl.</para>

      <itemizedlist>
        <listitem>
          <para>Perl: <ulink
          url="http://www.cpan.org/">http://www.cpan.org/</ulink></para>
        </listitem>

        <listitem>
          <para>LibWhisker: <ulink
          url="http://www.wiretrip.net/">http://www.wiretrip.net/</ulink></para>
        </listitem>

        <listitem>
          <para>ActiveState Perl: <ulink
          url="http://www.activestate.com/">http://www.activestate.com/</ulink></para>
        </listitem>

        <listitem>
          <para>OpenSSL: <ulink
          url="http://www.openssl.org/">http://www.openssl.org/</ulink></para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Install</title>

      <para>These instructions do not include information on installing Perl,
      Perl modules, OpenSSL, LibWhisker or any of the utilities that may be
      needed during installation (such as gzip, tar, etc.). Please see the
      distributor's documentation for information on how to install and
      configure those software packages.</para>

      <para>Unpack the download file (the -f flag must come last, directly
      before the file name):</para>

      <screen>tar -xvzf nikto-current.tar.gz</screen>

      <para>Assuming a standard OS/Perl installation, Nikto should now be
      usable. See Chapter 4 (Options) or Chapter 8 (Troubleshooting) for
      further configuration information.</para>
    </section>
  </chapter>

  <chapter id="usage">
    <title>Usage</title>

    <section>
      <title>Basic Testing</title>

      <para>The most basic Nikto scan requires simply a host to target, since
      port 80 is assumed if none is specified. The host can either be an IP or
      a hostname of a machine, and is specified using the -h (-host) option.
      This will scan the IP 192.168.0.1 on TCP port 80:</para>

      <screen>perl nikto.pl -h 192.168.0.1</screen>

      <para>To check on a different port, specify the port number with the -p
      (-port) option. This will scan the IP 192.168.0.1 on TCP port
      443:</para>

      <screen>perl nikto.pl -h 192.168.0.1 -p 443</screen>

      <para>Hosts, ports and protocols may also be specified by using a full
      URL syntax, and it will be scanned:</para>

      <screen>perl nikto.pl -h https://192.168.0.1:443/</screen>

      <para>There is no need to specify that port 443 may be SSL, as Nikto
      will first test regular HTTP and if that fails, HTTPS. If you are sure
      it is an SSL server, specifying -s (-ssl) will speed up the test.</para>

      <screen>perl nikto.pl -h 192.168.0.1 -p 443 -ssl</screen>

      <para>More complex tests can be performed using the
      <parameter>-mutate</parameter> parameter, as detailed later. This can
      produce extra tests, some of which may be provided with extra parameters
      through the <parameter>-mutate-options</parameter> parameter. For
      example, using <parameter>-mutate</parameter> 3, with or without a file,
      attempts to brute-force usernames if the web server allows
      ~<replaceable>user</replaceable> URIs:</para>

      <screen>perl nikto.pl -h 192.168.0.1 -mutate 3 -mutate-options user-list.txt</screen>

      <note>
        <para><parameter>-mutate</parameter> 1 increases the number of tests
        so that all filenames are tested against all databases, including
        <filename>db_tests</filename>. This will produce over 2,000,000 extra
        tests, which will use up a massive amount of resources.</para>
      </note>
    </section>

    <section>
      <title>Multiple Port Testing</title>

      <para>Nikto can scan multiple ports in the same scanning session. To
      test more than one port on the same host, specify the list of ports in
      the -p (-port) option. Ports can be specified as a range (e.g., 80-90),
      or as a comma-delimited list (e.g., 80,88,90). This will scan the host
      on ports 80, 88 and 443:</para>

      <screen>perl nikto.pl -h 192.168.0.1 -p 80,88,443</screen>
    </section>

    <section>
      <title>Multiple Host Testing</title>

      <para>Nikto supports scanning multiple hosts in the same session via a
      text file of host names or IPs. Instead of giving a host name or IP for
      the -h (-host) option, a file name can be given. A file of hosts must be
      formatted as one host per line, with the port number(s) at the end of
      each line. Ports can be separated from the host and other ports via a
      colon or a comma. If no port is specified, port 80 is assumed.</para>

      <para>This is an example of a valid hosts file:</para>

      <example>
        <title>Valid Hosts File</title>

        <programlisting>192.168.0.1:80
http://192.168.0.1:8080/
192.168.0.3</programlisting>
      </example>

      <para>A host file may also be nmap output in "greppable" format (i.e.
      the output from -oG).</para>

      <para>A file may be passed to Nikto via stdin by using "-" as the
      filename. For example:</para>

      <screen>nmap -p80 192.168.0.0/24 -oG - | nikto.pl -h -</screen>

      <note>
        <para>For win32 users: due to peculiarities in the way that cmd.exe
        works with pipes, the above example may not work for you. In this case
        a temporary file will have to be used to store the output from
        nmap.</para>
      </note>
    </section>
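    <para>As an added example written for this page (not Nikto's own parser),
    the following Python turns the hosts-file forms just described, plus nmap
    greppable lines, into (host, port, ssl) targets. The sample hosts file and
    nmap lines are constructed, and the -oG layout assumed is a tab-separated
    "Host: ... Ports: 80/open/tcp//http///" record. The optional skip set
    anticipates the SKIPPORTS configuration variable described later in this
    manual.</para>

```python
"""Parse a Nikto-style hosts file (one host per line, ports at the end,
full-URL lines) and nmap "greppable" (-oG) output into scan targets.
Added example for this manual page, not Nikto's own parser; the samples
below are constructed, not real scan output."""
import re
from urllib.parse import urlsplit

# nmap -oG port entries look like "80/open/tcp//http///" (assumed layout).
_OPEN_TCP = re.compile(r"(\d+)/open/tcp/")
_PORTS_FIELD = re.compile(r"Ports:\s*(.*?)(?:\t|$)")


def parse_nmap_greppable(line):
    """Return (host, port, ssl) for every open TCP port on an nmap -oG line."""
    host = line.split()[1]
    match = _PORTS_FIELD.search(line)
    if not match:
        return []  # "Host: ... Status: Up" lines carry no port list
    return [(host, int(m.group(1)), False) for m in _OPEN_TCP.finditer(match.group(1))]


def parse_host_line(line):
    """Return a list of (host, port, ssl) for one line of a hosts file."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    if line.startswith("Host:"):
        return parse_nmap_greppable(line)
    if "://" in line:
        url = urlsplit(line)
        ssl = url.scheme.lower() == "https"
        return [(url.hostname, url.port or (443 if ssl else 80), ssl)]
    # Plain form: host, then ports separated by ':' or ','; port 80 if none.
    parts = [p for p in re.split(r"[:,]", line) if p]
    host, ports = parts[0], parts[1:] or ["80"]
    return [(host, int(p), False) for p in ports]


def parse_targets(text, skip_ports=frozenset()):
    """Flatten a hosts file into targets, dropping any port in `skip_ports`."""
    targets = []
    for line in text.splitlines():
        targets.extend(t for t in parse_host_line(line) if t[1] not in skip_ports)
    return targets


SAMPLE_HOSTS = """# constructed hosts file
192.168.0.1:80
http://192.168.0.1:8080/
192.168.0.3
https://www.example.com/
192.168.0.4:80,443
"""

SAMPLE_NMAP = (
    "# Nmap scan (constructed sample, not real output)\n"
    "Host: 192.168.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/closed/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.168.0.6 ()\tStatus: Up\n"
)

if __name__ == "__main__":
    for host, port, ssl in parse_targets(SAMPLE_HOSTS) + parse_targets(SAMPLE_NMAP, {21, 111}):
        print(f"{host}:{port} ssl={ssl}")
```

    <para>Only the URL form carries protocol information; plain and nmap
    entries come out with ssl=False, which matches Nikto's behaviour of
    trying HTTP first and falling back to HTTPS.</para>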

    <section>
      <title>Using a Proxy</title>

      <para>If the machine running Nikto only has access to the target host
      (or update server) via an HTTP proxy, the test can still be performed.
      Set the <varname>PROXY*</varname> variables (as described in section 4),
      then execute Nikto with the -u (-useproxy) option. All connections will
      be relayed through the HTTP proxy specified in the configuration
      file.</para>

      <screen>perl nikto.pl -h 192.168.0.1 -p 80 -u</screen>
    </section>

    <section>
      <title>Updating</title>

      <para>Nikto can be automatically updated, assuming you have Internet
      connectivity from the host Nikto is installed on. To update to the
      latest plugins and databases, simply run Nikto with the -update
      option.</para>

      <note>
        <para>The -update option cannot be abbreviated.</para>
      </note>

      <screen>perl nikto.pl -update</screen>

      <para>If updates are required, you will see a list of the files
      downloaded:</para>

      <screen>
 perl nikto.pl -update
 + Retrieving 'nikto_core.plugin'
 + Retrieving 'CHANGES.txt'
      </screen>

      <para>Updates may also be manually downloaded from <ulink
      url="http://www.cirt.net/">http://www.cirt.net/</ulink></para>
    </section>

    <section>
      <title>Integration with Nessus</title>

      <para>Nessus (<ulink
      url="http://www.nessus.org/">http://www.nessus.org/nessus/</ulink>) can
      be configured to automatically launch Nikto when it finds a web server.
      Ensure Nikto works properly, then place the directory containing
      nikto.pl in root's PATH environment variable. When nessusd starts, it
      should see the nikto.pl program and enable usage through the GUI.</para>
    </section>
  </chapter>

  <chapter id="options">
    <title>Command Line Options</title>

    <section>
      <title>All Options</title>

      &options;
    </section>

    <section>
      <title>Mutation Techniques</title>

      <para>A mutation will cause Nikto to combine tests or attempt to guess
      values. These techniques may cause a tremendous number of tests to be
      launched against the target. Use the reference number to specify the
      type; multiple types may be combined.</para>

      <orderedlist>
        <listitem>
          <para>Test all files with all root directories. This takes each test
          and splits it into a list of files and directories. A scan list is
          then created by combining each file with each directory.</para>
        </listitem>

        <listitem>
          <para>Guess for password file names. Takes a list of common password
          file names (such as "passwd", "pass", "password") and file
          extensions ("txt", "pwd", "bak", etc.) and builds a list of files to
          check for.</para>
        </listitem>

        <listitem>
          <para>Enumerate user names via Apache (/~user type requests).
          Exploit a misconfiguration with Apache UserDir setups which allows
          valid user names to be discovered. This will attempt to brute-force
          guess user names. A file of known users can also be supplied by
          giving the file name in the
          <parameter>-mutate-options</parameter> parameter.</para>
        </listitem>

        <listitem>
          <para>Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type
          requests). Exploit a flaw in cgiwrap which allows valid user names
          to be discovered. This will attempt to brute-force guess user names.
          A file of known users can also be supplied by giving the file
          name in the <parameter>-mutate-options</parameter> parameter.</para>
        </listitem>

        <listitem>
          <para>Attempt to brute-force sub-domain names. This will attempt to
          brute-force known domain names; it will assume the given host
          (without a www) is the parent domain.</para>
        </listitem>

        <listitem>
          <para>Attempt to brute-force directory names. This is the only
          mutate option that requires a file to be passed in the
          <parameter>-mutate-options</parameter> parameter. It will use the
          given file to attempt to guess directory names. Lists of common
          directories may be found in the OWASP DirBuster project.</para>
        </listitem>
      </orderedlist>
    </section>

    <section>
      <title>Display</title>

      <para>By default only some basic information about the target and
      vulnerabilities is shown. Using the <parameter>-Display</parameter>
      parameter can produce more information for debugging issues.</para>

      <itemizedlist>
        <listitem>
          <para>1 - Show redirects. This will display all requests which
          elicit a "redirect" response from the server.</para>
        </listitem>

        <listitem>
          <para>2 - Show cookies received. This will display all cookies that
          were sent by the remote host.</para>
        </listitem>

        <listitem>
          <para>3 - Show all 200/OK responses. This will show all responses
          which elicit an "okay" (200) response from the server. This could be
          useful for debugging.</para>
        </listitem>

        <listitem>
          <para>4 - Show URLs which require authentication. This will show all
          responses which elicit an "authorization required" header.</para>
        </listitem>

        <listitem>
          <para>D - Debug Output. Show debug output, which shows the verbose
          output and extra information such as variable content.</para>
        </listitem>

        <listitem>
          <para>V - Verbose Output. Show verbose output, which typically shows
          where Nikto is during program execution.</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Scan Tuning</title>

      <para>Scan tuning can be used to decrease the number of tests performed
      against a target. By specifying the type of test to include or exclude,
      faster, focused testing can be completed. This is useful in situations
      where certain test types, such as XSS or simply "interesting" files,
      are not wanted.</para>

      <para>Test types can be controlled at an individual level by specifying
      their identifier to the <parameter>-T</parameter>
      (<parameter>-Tuning</parameter>) option. In the default mode, if
      <parameter>-T</parameter> is invoked only the test type(s) specified
      will be executed. For example, only the tests for "Remote file
      retrieval" and "Command execution" can be performed against the
      target:</para>

      <screen>perl nikto.pl -h 192.168.0.1 -T 58</screen>

      <para>If an "x" is passed to <parameter>-T</parameter> then this will
      negate all tests of the types following the x. This is useful where a
      test may check several different types of exploit. For example, this
      runs types 5 and 8 while excluding type b:</para>

      <screen>perl nikto.pl -h 192.168.0.1 -T 58xb</screen>

      <para>The valid tuning options are:</para>

      <itemizedlist>
        <listitem>
          <para>0 - File Upload. Exploits which allow a file to be uploaded to
          the target server.</para>
        </listitem>

        <listitem>
          <para>1 - Interesting File / Seen in logs. An unknown but suspicious
          file or attack that has been seen in web server logs (note: if you
          have information regarding any of these attacks, please contact
          CIRT, Inc.).</para>
        </listitem>

        <listitem>
          <para>2 - Misconfiguration / Default File. Default files or files
          which have been misconfigured in some manner. This could be
          documentation, or a resource which should be password
          protected.</para>
        </listitem>

        <listitem>
          <para>3 - Information Disclosure. A resource which reveals
          information about the target. This could be a file system path or
          account name.</para>
        </listitem>

        <listitem>
          <para>4 - Injection (XSS/Script/HTML). Any manner of injection,
          including cross site scripting (XSS) or content (HTML). This does
          not include command injection.</para>
        </listitem>

        <listitem>
          <para>5 - Remote File Retrieval - Inside Web Root. Resource allows
          remote users to retrieve unauthorized files from within the web
          server's root directory.</para>
        </listitem>

        <listitem>
          <para>6 - Denial of Service. Resource allows a denial of service
          against the target application, web server or host (note: no
          intentional DoS attacks are attempted).</para>
        </listitem>

        <listitem>
          <para>7 - Remote File Retrieval - Server Wide. Resource allows
          remote users to retrieve unauthorized files from anywhere on the
          target.</para>
        </listitem>

        <listitem>
          <para>8 - Command Execution / Remote Shell. Resource allows the user
          to execute a system command or spawn a remote shell.</para>
        </listitem>

        <listitem>
          <para>9 - SQL Injection. Any type of attack which allows SQL to be
          executed against a database.</para>
        </listitem>

        <listitem>
          <para>a - Authentication Bypass. Allows client to access a resource
          it should not be allowed to access.</para>
        </listitem>

        <listitem>
          <para>b - Software Identification. Installed software or program
          could be positively identified.</para>
        </listitem>

        <listitem>
          <para>c - Remote source inclusion. Software allows remote inclusion
          of source code.</para>
        </listitem>

        <listitem>
          <para>x - Reverse Tuning Options. Perform exclusion of the specified
          tuning type instead of inclusion of the specified tuning
          type.</para>
        </listitem>
      </itemizedlist>
    </section>
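    <para>The following added Python (not Nikto's option parser) shows the
    include/exclude interpretation of a -T string such as 58xb and applies it
    to a constructed extract of test ids and their type tags. Treating any
    excluded type as a veto for a test tagged with several types, and running
    everything except the listed types when nothing precedes the x, are
    assumptions made for the example.</para>

```python
"""Interpretation of the -T (-Tuning) string: types listed before an "x" are
included, types after it are excluded.  Added example for this manual page,
not Nikto's own option parser; the test ids below are constructed."""

TUNING_TYPES = {
    "0": "File Upload",
    "1": "Interesting File / Seen in logs",
    "2": "Misconfiguration / Default File",
    "3": "Information Disclosure",
    "4": "Injection (XSS/Script/HTML)",
    "5": "Remote File Retrieval - Inside Web Root",
    "6": "Denial of Service",
    "7": "Remote File Retrieval - Server Wide",
    "8": "Command Execution / Remote Shell",
    "9": "SQL Injection",
    "a": "Authentication Bypass",
    "b": "Software Identification",
    "c": "Remote source inclusion",
}


def parse_tuning(spec):
    """Return (include, exclude) sets of type identifiers for a -T value.

    No "x": only the listed types run.  With an "x": types before it are
    included (all types if none are listed, an assumption) and types after
    it are excluded.  Unknown identifiers raise instead of silently
    selecting nothing.
    """
    spec = (spec or "").strip()
    before, _, after = spec.partition("x")
    unknown = set(before + after) - set(TUNING_TYPES)
    if unknown:
        raise ValueError("unknown tuning type(s): " + "".join(sorted(unknown)))
    if not spec:
        return set(TUNING_TYPES), set()  # no -T given: run everything
    include = set(before) if before else set(TUNING_TYPES)
    exclude = set(after)
    return include - exclude, exclude


def is_selected(test_types, include, exclude):
    """Decide whether a test carrying `test_types` runs.  A db_tests entry may
    be tagged with several types; assumed rule: any excluded type vetoes the
    test, otherwise it runs if at least one of its types is included."""
    types = set(test_types)
    if not types.isdisjoint(exclude):
        return False
    return not types.isdisjoint(include)


def select_tests(spec, tests):
    """Filter {test_id: type tags} down to the ids that would run under spec."""
    include, exclude = parse_tuning(spec)
    return sorted(tid for tid, types in tests.items()
                  if is_selected(types, include, exclude))


# Constructed test database extract: id to tuning types (not real Nikto ids).
SAMPLE_TESTS = {
    "T1": "8",   # command execution only
    "T2": "8b",  # command execution that also identifies software
    "T3": "5",   # file retrieval inside the web root
    "T4": "3",   # information disclosure
    "T5": "6",   # denial of service
}

if __name__ == "__main__":
    for spec in ("58", "58xb", "x6"):
        print(f"-T {spec}: {select_tests(spec, SAMPLE_TESTS)}")
```

    <para>Rejecting unknown identifiers matters in practice: a typo in the
    -T string would otherwise select no tests at all and the scan would
    finish quickly with no findings, which is easy to misread as a clean
    result.</para>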

    <section>
      <title>Single Request Mode</title>

      <para>Single request mode is designed to perform a solitary request
      against the target. This is useful to confirm a test result using the
      same resources Nikto used during a scan. The single option allows manual
      setting of most variables used by Nikto and LibWhisker, and upon
      completion will display both the request and the result of the
      operation.</para>

      <para>Most options have a default value or can be left blank. The most
      common and required values are at the beginning of the "questions"
      section for slightly easier use. True and false are specified by numeric
      equivalents, 1 and 0 respectively. Please note that Single mode is not
      very user-friendly. Here is an example Nikto run with the
      <parameter>-Single</parameter> option.</para>

      <screen>

[dave@yggdrasil nikto-2.03]$ ./nikto.pl -Single
--------------------------------------------  Nikto 2.1.1
--------------------------------------------  Single Request Mode
                              Hostname or IP: localhost
                                   Port (80):
                                     URI (/): /test.html
                                     SSL (0):
                                  Proxy host:
                                  Proxy port:
                      Show HTML Response (1):
                          HTTP Version (1.1):
                           HTTP Method (GET):
      User-Agent (Mozilla/4.75 (Nikto/2.1.1):
                     Connection (Keep-Alive):
                                        Data:
                        force_bodysnatch (0):
                             force_close (1):
                             http_space1 ( ):
                             http_space2 ( ):
                     include_host_in_uri (0):
           invalid_protocol_return_value (1):
                                max_size (0):
                             protocol (HTTP):
           require_newline_after_headers (0):
                                   retry (0):
                           ssl_save_info (0):
                                timeout (10):
                             uri_password ():
                              uri_postfix ():
                               uri_prefix ():
                                 uri_user ():
                         Enable Anti-IDS (0):
--------------------------------------------  Done with questions
        Host Name: localhost
        Host IP: 127.0.0.1
        HTTP Response Code: 404
--------------------------------------------  Connection Details
        Connection: Keep-Alive
        Host: localhost
        User-Agent: Mozilla/4.75 (Nikto/2.1.1
        data:
        force_bodysnatch: 0
        force_close: 1
        force_open: 0
        host: localhost
        http_space1:
        http_space2:
        ignore_duplicate_headers: 1
        include_host_in_uri: 0
        invalid_protocol_return_value: 1
        max_size: 0
        method: GET
        port: 80
        protocol: HTTP
        require_newline_after_headers: 0
        retry: 0
        ssl: 0
        ssl_save_info: 0
        timeout: 10
        trailing_slurp: 0
        uri: /test.html
        uri_param_sep: ?
        uri_postfix:
        uri_prefix:
        version: 1.1
--------------------------------------------  Response Headers
        Connection: close
        Content-Length: 268
        Content-Type: text/html; charset=iso-8859-1
        Date: Tue, 18 Aug 2009 10:13:57 GMT
        Server: Apache/2
        code: 404
        http_data_sent: 1
        http_eol:

        http_space1:
        http_space2:
        message: Not Found
        protocol: HTTP
        uri: /test.html
        version: 1.1
--------------------------------------------  Response Content
&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;
&lt;html&gt;&lt;head&gt;
&lt;title&gt;404 Not Found&lt;/title&gt;
&lt;/head&gt;&lt;body&gt;
&lt;h1&gt;Not Found&lt;/h1&gt;
&lt;p&gt;The requested URL /test.html was not found on this server.&lt;/p&gt;
&lt;hr&gt;
&lt;address&gt;Apache/2 Server at localhost Port 80&lt;/address&gt;
&lt;/body&gt;&lt;/html&gt;

</screen>
    </section>
  </chapter>

  <chapter id="configuration">
    <title>Configuration Files</title>

    <section>
      <title>Location</title>

      <para>Nikto, like any non-trivial program, needs to know a few things
      about how to work with the current environment. For most situations the
      default configuration file will work. Sometimes, tuning may be required,
      or some things may need to be changed.</para>

      <para>Nikto will look for a configuration file in three places and
      applies every one it finds, in the strict order listed below. A later
      found configuration file will overwrite any variables set in an earlier
      configuration file. The locations are:</para>

      <orderedlist>
        <listitem>
          <para>/etc/nikto.conf (this may be altered depending on
          platform)</para>
        </listitem>

        <listitem>
          <para>$HOME/nikto.conf</para>
        </listitem>

        <listitem>
          <para>nikto.conf</para>
        </listitem>
      </orderedlist>
    </section>

    <section>
      <title>Format</title>

      <para>The configuration files are formatted like a standard Unix
      configuration file: blank lines are ignored, any line starting with a #
      is ignored, and variables are set with a VariableName=Value line.</para>
    </section>
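    <para>As an added illustration for both sections above (not Nikto's own
    loader; the file contents are constructed), the following Python reads
    the three candidate files in order, lets later files override earlier
    ones, and parses the VariableName=Value format with comment and blank
    line handling. The SKIPPORTS and SKIPIDS helpers anticipate the
    variables described in the next section.</para>

```python
"""Loading nikto.conf as the Location and Format sections describe: three
candidate files applied in order, later files overriding earlier ones,
"Name=Value" lines, blank lines and "#" comments ignored.  Added example
for this manual page, not Nikto's own loader; contents are constructed."""
import os


def config_search_paths(home=None):
    """The three locations in override order (the /etc path may differ by platform)."""
    home = home if home is not None else os.path.expanduser("~")
    return ["/etc/nikto.conf", os.path.join(home, "nikto.conf"), "nikto.conf"]


def parse_conf(text):
    """Parse one configuration file into a dict; a line without '=' raises."""
    values = {}
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"line {number}: expected VariableName=Value, got {raw!r}")
        values[name.strip()] = value.strip()
    return values


def merge_configs(texts):
    """Apply files in order; a later file overwrites variables set earlier."""
    merged = {}
    for text in texts:
        merged.update(parse_conf(text))
    return merged


def load_configs(paths=None):
    """Read whichever candidate files exist and merge them in search order."""
    texts = []
    for path in paths or config_search_paths():
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                texts.append(fh.read())
    return merge_configs(texts)


def skip_ports(config):
    """SKIPPORTS is a space-separated list of ports that are never scanned."""
    return {int(p) for p in config.get("SKIPPORTS", "").split()}


def skip_ids(config):
    """SKIPIDS is a space-separated list of db_tests ids that are not run."""
    return set(config.get("SKIPIDS", "").split())


# Constructed contents for the three locations, in search order.
SYSTEM_CONF = """# /etc/nikto.conf (constructed)
SKIPPORTS=21 111
UPDATES=yes
DEFAULTHTTPVER=1.0
"""
HOME_CONF = """# $HOME/nikto.conf (constructed)
UPDATES=no
RFIURL=http://cirt.net/rfiinc.txt?
"""
LOCAL_CONF = """# ./nikto.conf (constructed)

CLIOPTS=-output results.txt -Format text
SKIPIDS=000045 000345
"""

if __name__ == "__main__":
    config = merge_configs([SYSTEM_CONF, HOME_CONF, LOCAL_CONF])
    for name in sorted(config):
        print(f"{name}={config[name]}")
    print("skip ports:", sorted(skip_ports(config)))
```

    <para>Note that the override is per variable, not per file: UPDATES set
    to "no" in $HOME/nikto.conf replaces the system-wide "yes" while
    SKIPPORTS from /etc/nikto.conf survives untouched, which is exactly why a
    surprising setting should be traced through all three files.</para>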
681
682    <section>
683      <title>Variables</title>
684
685      <para>The following variables may be set within the configuration
686      file:</para>
687
688      <variablelist>
689        <varlistentry>
690          <term><varname>CLIOPTS</varname></term>
691
692          <listitem>
693            <para>Default options that should always be passed to the command
694            line. For example:</para>
695
696            <screen>CLIOPTS=-output results.txt -Format text</screen>
697
698            <para>Default Setting</para>
699
700            <screen>CLIOPTS=</screen>
701          </listitem>
702        </varlistentry>
703
704        <varlistentry>
705          <term><varname>NIKTODTD</varname></term>
706
707          <listitem>
708            <para>Path to the location of the DTD used for XML output. If the
709            path is not absolute then it will be relative to the directory
710            where Nikto is executed.</para>
711
712            <para>Default Setting</para>
713
714            <screen>NIKTODTD=docs/nikto.dtd</screen>
715          </listitem>
716        </varlistentry>
717
718        <varlistentry>
719          <term><varname>RFIURL</varname></term>
720
721          <listitem>
722            <para>Full URL to an file for remote file inclusion. This file
723            should contain a call to phpinfo(), as Nikto will look for the
724            output of that command to determine that the RFI succeeded. You
725            may use the default cirt.net file, but please keep in mind there
726            must be connectivity from the target server to cirt.net, it's
727            subject to cirt.net's availability, and successful requests will
728            be logged (by Apache). We recommend you use your own. </para>
729
730            <para>Default Setting</para>
731
732            <screen>RFIURL=http://cirt.net/rfiinc.txt?</screen>
733          </listitem>
734        </varlistentry>
735
736        <varlistentry>
737          <term><varname>SKIPPORTS</varname></term>
738
739          <listitem>
740            <para>This configuration item defines ports that would never be
741            scanned by Nikto. </para>
742
743            <para>Default Setting</para>
744
745            <screen>SKIPPORTS=21 111</screen>
746          </listitem>
747        </varlistentry>
748
749        <varlistentry>
750          <term><varname>SKIPIDS</varname></term>
751
752          <listitem>
753            <note>
754              <para>Note, this filter only applies to tests in the
755              <filename>db_tests</filename> database</para>
756            </note>
757
758            <para>Contains a space separated list of Test IDs (tids) that
759            Nikto will not run on the system, for example:</para>
760
761            <screen>SKIPIDS=000045 000345</screen>
762
763            <para>Default Setting</para>
764
765            <screen>SKIPIDS=</screen>
766          </listitem>
767        </varlistentry>
768
769        <varlistentry>
770          <term><varname>DEFAULTHTTPVER</varname></term>
771
772          <listitem>
773            <para>Defines the default version of HTTP that Nikto will use,
774            unless superceded by a specific test. Usually keeping this to the
775            default will suffice, though some web servers may only work with
776            later versions of the HTTP protocol.</para>
777
778            <para>Default Setting</para>
779
780            <screen>DEFAULTHTTPVER=1.0</screen>
781          </listitem>
782        </varlistentry>
783
784        <varlistentry>
785          <term><varname>UPDATES</varname></term>
786
787          <listitem>
788            <para>If the outdated Nikto plugin sees a web server it doesn't
789            know of, or a version that is later than that defined in
790            <filename>db_outdated</filename>, then it will send this
791            information back to cirt.net for inclusion in future versions of
792            Nikto. Server-specific information (e.g. IP addresses or
793            hostnames) is not sent.</para>
794
795            <para>This item can be set to one of the below values:</para>
796
797            <blockquote>
798              <variablelist>
799                <varlistentry>
800                  <term><varname>UPDATES=yes</varname></term>
801
802                  <listitem>
803                    <para>Display each submission and ask for permission
804                    before it is sent</para>
805                  </listitem>
806                </varlistentry>
807
808                <varlistentry>
809                  <term><varname>UPDATES=no</varname></term>
810
811                  <listitem>
812                    <para>Do not send any data back to cirt.net</para>
813                  </listitem>
814                </varlistentry>
815
816                <varlistentry>
817                  <term><varname>UPDATES=auto</varname></term>
818
819                  <listitem>
820                    <para>Send data back to cirt.net with no prompting</para>
821                  </listitem>
822                </varlistentry>
823              </variablelist>
824            </blockquote>
825
826            <para>Default Setting</para>
827
828            <screen>UPDATES=yes</screen>
829          </listitem>
830        </varlistentry>
831
832        <varlistentry>
833          <term><varname>MAX_WARN</varname></term>
834
835          <listitem>
836            <para><emphasis>Unused</emphasis></para>
837
838            <para>Produces a warning if a number of MOVED responses are
839            retrieved. This is currently unused.</para>
840
841            <para>Default Setting</para>
842
843            <screen>MAX_WARN=20</screen>
844          </listitem>
845        </varlistentry>
846
847        <varlistentry>
848          <term><varname>PROMPTS</varname></term>
849
850          <listitem>
851            <para><emphasis>Deprecated</emphasis></para>
852
853            <para>Disables Nikto prompts if set to "no". This is currently
854            unused and has been superseded by the UPDATES item.</para>
855
856            <para>Default Setting</para>
857
858            <screen>PROMPTS=</screen>
859          </listitem>
860        </varlistentry>
861
862        <varlistentry>
863          <term><varname>CIRT</varname></term>
864
865          <listitem>
866            <para>The IP address that Nikto will use to update the databases
867            and plugins, and to which it will send version information (as
868            described in the <varname>UPDATES</varname> item).</para>
869
870            <para>Default Setting</para>
871
872            <screen>CIRT=209.172.49.178</screen>
873          </listitem>
874        </varlistentry>
875
876        <varlistentry>
877          <term><varname>PROXYHOST</varname></term>
878
879          <term><varname>PROXYPORT</varname></term>
880
881          <term><varname>PROXYUSER</varname></term>
882
883          <term><varname>PROXYPASS</varname></term>
884
885          <listitem>
886            <para>Address, port, username and password of a proxy to relay
887            all requests through. Note that to use a proxy you must both set
888            these configuration items in the configuration file and supply
889            the <parameter>-useproxy</parameter> switch on the command
890            line.</para>
891
892            <para>Default Setting</para>
893
894            <screen>PROXYHOST=
895PROXYPORT=
896PROXYUSER=
897PROXYPASS=</screen>
898          </listitem>
899        </varlistentry>
900
901        <varlistentry>
902          <term><varname>STATIC-COOKIE</varname></term>
903
904          <listitem>
905            <para>Adds the supplied cookie to all requests made by Nikto.
906            This is generally useful if an authentication cookie is required
907            for a website. For example:</para>
908
909            <screen>STATIC-COOKIE=userid=0</screen>
910
911            <para>Default Setting</para>
912
913            <screen>STATIC-COOKIE=</screen>
914          </listitem>
915        </varlistentry>
916
917        <varlistentry>
918          <term><varname>CHECKMETHODS</varname></term>
919
920          <listitem>
921            <para>Nikto attempts to identify targets as web servers by
922            requesting the / URI with the listed HTTP methods. Some web
923            servers do not implement every HTTP method, so Nikto may fail to
924            identify a web server correctly if it doesn't support the method
925            being used.</para>
926
927            <para>If this setting is missing from the configuration file, then
928            Nikto will default back to the Nikto 2.02 default of HEAD.</para>
929
930            <para>Default Setting</para>
931
932            <screen>CHECKMETHODS=HEAD GET</screen>
933          </listitem>
934        </varlistentry>
935
936        <varlistentry>
937          <term><varname>EXECDIR</varname></term>
938
939          <term><varname>PLUGINDIR</varname></term>
940
941          <term><varname>TEMPLATEDIR</varname></term>
942
943          <term><varname>DOCDIR</varname></term>
944
945          <listitem>
946            <para>Defines the location of Nikto, its plugins, XML/HTML
947            templates and documents. These should normally only be changed
948            when repackaging Nikto to work with different file system
949            standards. Nikto will use the EXECDIR item to guess the other
950            directories.</para>
951
952            <para>Default Setting</para>
953
954            <screen>EXECDIR=.
955PLUGINDIR=EXECDIR/plugins
956TEMPLATEDIR=EXECDIR/templates
957DOCDIR=EXECDIR/docs</screen>
958          </listitem>
959        </varlistentry>
960      </variablelist>
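<para>The following is an added example, not part of the Nikto manual or of Nikto's own Perl configuration loader. It models in Python how the items above are read and applied: whitespace-separated list items (SKIPPORTS, SKIPIDS, CHECKMETHODS), the EXECDIR prefix substitution for the directory items, the HEAD fallback when CHECKMETHODS is absent, and the rule that a proxy is used only when both the PROXY* items and the -useproxy switch are present. The sample configuration, the numeric comparison of test IDs and the function names are constructed for the example.</para>

```python
"""Model of how nikto.conf items are parsed and applied.  Added illustration
in Python; Nikto's own config loader is Perl and may differ in details."""

from pathlib import PurePosixPath

# Constructed sample configuration fragment (not a real nikto.conf).
SAMPLE_CONF = """\
# comment lines and blank lines are ignored
SKIPPORTS=21 111
SKIPIDS=000045 000345
DEFAULTHTTPVER=1.0
CHECKMETHODS=HEAD GET
EXECDIR=/opt/nikto
PLUGINDIR=EXECDIR/plugins
TEMPLATEDIR=EXECDIR/templates
DOCDIR=EXECDIR/docs
STATIC-COOKIE=
"""

LIST_ITEMS = {"SKIPPORTS", "SKIPIDS", "CHECKMETHODS"}   # whitespace-separated lists
EXECDIR_ITEMS = {"PLUGINDIR", "TEMPLATEDIR", "DOCDIR"}  # may be given relative to EXECDIR


def parse_conf(text):
    """Parse KEY=value lines into a dict.

    List items become lists of strings.  A directory item written as
    EXECDIR/<sub> has the literal prefix replaced with the configured
    EXECDIR, which is how the manual says Nikto derives the other
    directories.  A missing CHECKMETHODS falls back to HEAD (the 2.02
    default named in the manual)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed configuration line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        conf[key] = value.split() if key in LIST_ITEMS else value
    execdir = conf.get("EXECDIR", ".")
    for key in EXECDIR_ITEMS:
        value = conf.get(key, "")
        if value.startswith("EXECDIR/"):
            conf[key] = str(PurePosixPath(execdir) / value[len("EXECDIR/"):])
    conf.setdefault("CHECKMETHODS", ["HEAD"])
    return conf


def port_allowed(conf, port):
    """SKIPPORTS lists ports Nikto must never scan."""
    return str(port) not in conf.get("SKIPPORTS", [])


def select_tests(conf, tests):
    """SKIPIDS drops db_tests entries by test id.  Ids are compared
    numerically here so '45' and '000045' name the same test (assumption:
    Nikto itself may compare the strings literally)."""
    skipped = {int(t) for t in conf.get("SKIPIDS", [])}
    return [t for t in tests if int(t["id"]) not in skipped]


def proxy_settings(conf, useproxy_flag):
    """A proxy is only used when -useproxy is given on the command line AND
    PROXYHOST/PROXYPORT are set; either one alone means no proxy."""
    host, port = conf.get("PROXYHOST", ""), conf.get("PROXYPORT", "")
    if not (useproxy_flag and host and port):
        return None
    return {"host": host, "port": int(port),
            "user": conf.get("PROXYUSER", ""), "password": conf.get("PROXYPASS", "")}
```

<para>Running <function>parse_conf</function> on the sample gives a PLUGINDIR of /opt/nikto/plugins and an empty STATIC-COOKIE, port 21 is rejected by <function>port_allowed</function>, and <function>select_tests</function> removes IDs 000045 and 000345 while leaving the others.</para>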
961    </section>
962  </chapter>
963
964  <chapter id="reports">
965    <title>Output and Reports</title>
966
967    <section>
968      <title>Export Formats</title>
969
970      <para>Nikto saved output comes in four flavours: text, CSV, XML or HTML.
971      When using <parameter>-output</parameter>, an output format may be
972      specified with <parameter>-Format</parameter>. Text format is assumed if
973      nothing is specified with <parameter>-Format</parameter>. The DTD for
974      the Nikto XML format can be found in the 'docs' directory
975      (nikto.dtd).</para>
976    </section>
977
978    <section>
979      <title>HTML and XML Customisation</title>
980
981      <para>HTML reports are generated from template files located in the
982      <filename>templates</filename> directory. Variables are defined as
983      <varname>#variable-name</varname>, and are replaced when the report is
984      generated. The files <filename>htm_start.tmpl</filename> and
985      <filename>htm_end.tmpl</filename> are included at the beginning and end
986      of the report (respectively). The <filename>htm_summary.tmpl</filename>
987      also appears at the beginning of the report. The
988      <filename>htm_host_head</filename> appears once for every host, and the
989      <filename>htm_host_item.tmpl</filename> and
990      <filename>htm_host_im.tmpl</filename> appear once for each item found on
991      a host and each "informational message" per host (respectively).</para>
992
993      <para>All valid variables are used in these templates. Future versions
994      of this documentation will include a list of variables and their
995      meaning.</para>
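<para>The following is an added example, not code from the Nikto manual or from Nikto's own (Perl) report generator. It models the template mechanism described above in Python: #variable-name tokens are replaced when the report is built, and the htm_* fragments are assembled in the order the text gives (start, summary, one host head per host, one host item per finding, one host im per informational message, end). The template fragments and the variable names (#hostname, #ip, #port, #banner, #item_uri, #item_msg, #date, #host_count) are constructed for the example; the manual does not yet list the real variables. The example HTML-escapes every value because banners, URIs and messages originate from the scanned server, and a report that embeds them unescaped would let a hostile target inject markup into the tester's browser.</para>

```python
"""Model of Nikto's #variable-name template substitution and report
assembly.  Added illustration, not the project's own template code."""

import html
import re

# Constructed fragments in the style of the htm_*.tmpl files (not the real
# shipped templates); the variable names are assumed for this example.
HOST_HEAD_TMPL = "<h2>#hostname (#ip) port #port</h2>\n<p>Server banner: #banner</p>"
HOST_ITEM_TMPL = ('<tr><td><a href="http://#hostname:#port#item_uri">#item_uri</a></td>'
                  "<td>#item_msg</td></tr>")
TEMPLATES = {
    "htm_start": "<html><body><h1>Scan report #date</h1>",
    "htm_summary": "<p>#host_count host(s) scanned</p>",
    "htm_host_head": HOST_HEAD_TMPL,
    "htm_host_item": HOST_ITEM_TMPL,
    "htm_host_im": "<p class='info'>#item_msg</p>",
    "htm_end": "<p>[copyright notices from htm_end.tmpl belong here]</p></body></html>",
}

# A token is '#' followed by a run of name characters; it ends at the first
# other character, so "#port#item_uri" yields two tokens.
TOKEN = re.compile(r"#([A-Za-z0-9_-]+)")


def render(template, variables, escape=True):
    """Replace every #name token with variables[name].

    Unknown tokens are left untouched so a typo in a template stays visible
    instead of being silently blanked; this also keeps numeric HTML
    entities such as &#39; intact.  Values are HTML-escaped by default
    because they come from the scanned server."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            return match.group(0)
        value = str(variables[name])
        return html.escape(value, quote=True) if escape else value
    return TOKEN.sub(substitute, template)


def render_report(templates, hosts, date="2009-01-01"):
    """Assemble a whole report in the order the manual describes.

    Each host is a dict of host variables plus optional 'items' (a list of
    dicts with item variables) and 'messages' (informational strings)."""
    parts = [render(templates["htm_start"], {"date": date}),
             render(templates["htm_summary"], {"host_count": len(hosts)})]
    for host in hosts:
        parts.append(render(templates["htm_host_head"], host))
        for item in host.get("items", []):
            parts.append(render(templates["htm_host_item"], {**host, **item}))
        for message in host.get("messages", []):
            parts.append(render(templates["htm_host_im"], {"item_msg": message}))
    parts.append(render(templates["htm_end"], {}))
    return "\n".join(parts)
```

<para>With a banner value containing a script tag, the rendered host head shows the escaped text rather than live markup; passing escape=False reproduces the unsafe behaviour for comparison.</para>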
996
997      <para>The copyright statements must not be removed from the
998      <filename>htm_end.tmpl</filename> without placing them in another of the
999      templates. It is a violation of the Nikto licence to remove these
1000      notices.</para>
1001    </section>
1002  </chapter>
1003
1004  <chapter id="expanding">
1005    <title>Test and Code Writing</title>
1006
1007    <section>
1008      <title>Scan Database Field Values</title>
1009
1010      <para>Though some checks can be found in other plugins, the
1011      <filename>scan_database.db</filename> contains the bulk of the web test
1012      information. Here is a description of the field values:</para>
1013
1014      <table>
1015        <title>Scan Database Fields</title>
1016
1017        <tgroup cols="2">
1018          <tbody>
1019            <row>
1020              <entry>Test ID</entry>
1021
1022              <entry>Nikto test ID</entry>
1023            </row>
1024
1025            <row>
1026              <entry>OSVDB-ID</entry>
1027
1028              <entry>Corresponding vulnerability entry number for
1029              osvdb.org</entry>
1030            </row>
1031
1032            <row>
1033              <entry>Server Type</entry>
1034
1035              <entry>Generic server matching type</entry>
1036            </row>
1037
1038            <row>
1039              <entry>URI</entry>
1040
1041              <entry>URI to retrieve</entry>
1042            </row>
1043
1044            <row>
1045              <entry>HTTP Method</entry>
1046
1047              <entry>HTTP method to use for URI</entry>
1048            </row>
1049
1050            <row>
1051              <entry>Match 1</entry>
1052
1053              <entry>String or code to match for successful test</entry>
1054            </row>
1055
1056            <row>
1057              <entry>Match 1 (Or)</entry>
1058
1059              <entry>String or code to alternatively match for successful
1060              test</entry>
1061            </row>
1062
1063            <row>
1064              <entry>Match1 (And)</entry>
1065
1066              <entry>String or code to also match for successful test</entry>
1067            </row>
1068
1069            <row>
1070              <entry>Fail 1</entry>
1071
1072              <entry>String or code to match for test failure</entry>
1073            </row>
1074
1075            <row>
1076              <entry>Fail 2</entry>
1077
1078              <entry>String or code to match for test failure
1079              (alternative)</entry>
1080            </row>
1081
1082            <row>
1083              <entry>Summary</entry>
1084
1085              <entry>Summary message to report for successful test</entry>
1086            </row>
1087
1088            <row>
1089              <entry>HTTP Data</entry>
1090
1091              <entry>HTTP data to be sent during POST tests</entry>
1092            </row>
1093
1094            <row>
1095              <entry>Headers</entry>
1096
1097              <entry>Additional headers to send during test</entry>
1098            </row>
1099          </tbody>
1100        </tgroup>
1101      </table>
1102    </section>
1103
1104    <section>
1105      <title>User-Defined Tests</title>
1106
1107      <para>Users can create their own, private tests for any of the
1108      databases. By placing a syntactically correct database file in the
1109      <filename>plugins</filename> directory, with a file name prefaced with a
1110      "u", the data will be loaded along with the built-in checks.</para>
1111
1112      <para>For example, create the file
1113      <filename>plugins/udb_tests</filename> and it will be loaded at the same
1114      time <filename>plugins/db_tests</filename> is loaded. These files will
1115      also be checked for syntax when <parameter>-dbcheck</parameter> is
1116      used.</para>
1117
1118      <para>For tests which require a "private" OSVDB ID, use the OSVDB ID 0
1119      (zero). This should be used for all vulnerabilities that do not (or
1120      should not) exist in OSVDB, as ID 0 is for testing only. You are
1121      encouraged to send missing information to OSVDB at
1122      moderators@osvdb.org.</para>
1123
1124      <para>For the "Test ID", it is recommended you use unique numbers
1125      between 400000 and 499999 to allow for growth of the Nikto database
1126      without interfering with your own tests (note: numbers above 500000 are
1127      reserved for other tests).</para>
1128
1129      <para>Please help Nikto's continued success by sending test updates to
1130      <email>sullo@cirt.net</email>.</para>
1131    </section>
1132
1133    <section>
1134      <title>Scan Database Syntax</title>
1135
1136      <para>The scan database is a CSV delimited file which contains most of
1137      the tests. Fields are enclosed by quotes and separated by commas. The
1138      field order is:</para>
1139
1140      <para>Test-ID, OSVDB-ID, Tuning Type, URI, HTTP Method, Match 1, Match 1
1141      Or, Match1 And, Fail 1, Fail 2, Summary, HTTP Data, Headers</para>
1142
1143      <para>Here is an example test:</para>
1144
1145      <screen>"120","3092","2","/manual/","GET","200","","","","","Web server manual","",""</screen>
1146    </section>
1147
1148    <section>
1149      <title>Plugins</title>
1150
1151      <para>To allow a bit more flexibility, Nikto allows plugins so that
1152      there is easy expansion of existing capabilities and some future
1153      proofing.</para>
1154
1155      <para>Plugins are run in four different phases:</para>
1156
1157      <blockquote>
1158        <variablelist>
1159          <varlistentry>
1160            <term>Initialisation (mandatory)</term>
1161
1162            <listitem>
1163              <para>Plugin initialisation is performed before targets are
1164              assigned. During this phase, the plugin should tell Nikto about
1165              its existence and capabilities. It may optionally set up any
1166              later required variables.</para>
1167            </listitem>
1168          </varlistentry>
1169
1170          <varlistentry>
1171            <term>Reconnaissance (optional)</term>
1172
1173            <listitem>
1174              <para>During the reconnaissance phase, the plugin should look
1175              for interesting information that may be of use during the scan
1176              phase. It may report vulnerabilities, though this is
1177              discouraged.</para>
1178            </listitem>
1179          </varlistentry>
1180
1181          <varlistentry>
1182            <term>Scan (optional)</term>
1183
1184            <listitem>
1185              <para>The scan phase should perform the meat of the plugin -
1186              this is where it should look at the web server and return any
1187              potential vulnerabilities.</para>
1188            </listitem>
1189          </varlistentry>
1190
1191          <varlistentry>
1192            <term>Reporting (optional)</term>
1193
1194            <listitem>
1195              <para>The reporting phase is used to export any found
1196              vulnerabilities into a format in which they can be used later,
1197              for example written as a file report, or imported into a
1198              database. No testing of the web server, or reporting of new
1199              vulnerabilities, should be performed in this phase.</para>
1200
1201              <para>This phase is slightly more complex than the others and
1202              may be called at several points during Nikto's execution, as
1203              detailed later.</para>
1204            </listitem>
1205          </varlistentry>
1206        </variablelist>
1207      </blockquote>
1208
1209      <para>Plugins are written in standard perl in the current context. They
1210      should be placed within the <varname>PLUGINDIR</varname> defined in the
1211      Nikto configuration file and must have a filename ending in
1212      <filename>.plugin</filename>.</para>
1213
1214      <para>An important concept to grasp about plugins and the order they
1215      are executed in is plugin weight: each phase will execute all defined
1216      plugins in the order defined by the weight. A plugin's weight is defined
1217      as a number between 1 and 100, where 1 is high priority and 100 is low
1218      priority. Plugins of equal weight will be executed in an undefined
1219      order.</para>
1220
1221      <section>
1222        <title>Initialisation Phase</title>
1223
1224        <para>As described above, all plugins must be able to execute in the
1225        initialisation phase or they will be ignored.</para>
1226
1227        <para>A perl sub must exist called
1228        <function><replaceable>filename</replaceable>_init</function>. The sub
1229        is passed no parameters and should return a hash reference to a hash
1230        that should contain the following entries:</para>
1231
1232        <variablelist>
1233          <varlistentry>
1234            <term><structfield>name</structfield> (mandatory)</term>
1235
1236            <listitem>
1237              <para>The short name of the plugin. This is used to identify the
1238              plugin during verbose logging and will, in future versions, be
1239              used to select plugin execution. The name should be one word
1240              and, ideally, lower case.</para>
1241            </listitem>
1242          </varlistentry>
1243
1244          <varlistentry>
1245            <term><structfield>full_name</structfield> (mandatory)</term>
1246
1247            <listitem>
1248              <para>The full name of the plugin. This is used to identify the
1249              plugin during verbose logging and may be used in reporting
1250              modules to identify tests run against the web server.</para>
1251            </listitem>
1252          </varlistentry>
1253
1254          <varlistentry>
1255            <term><structfield>author</structfield> (mandatory)</term>
1256
1257            <listitem>
1258              <para>The name or handle of the author of the plugin. This may
1259              be used during reporting to identify ownership of copyright of
1260              tests run against the web server.</para>
1261            </listitem>
1262          </varlistentry>
1263
1264          <varlistentry>
1265            <term><structfield>description</structfield> (mandatory)</term>
1266
1267            <listitem>
1268              <para>A short sentence to describe the purpose of the plugin.
1269              This may be used during reporting, or by a front end to describe
1270              the purpose of the plugin.</para>
1271            </listitem>
1272          </varlistentry>
1273
1274          <varlistentry>
1275            <term><structfield>copyright</structfield> (mandatory)</term>
1276
1277            <listitem>
1278              <para>The copyright string (or lack of it) of the plugin. This
1279              may be used during reporting to ensure that appropriate
1280              copyright is assigned to reports.</para>
1281            </listitem>
1282          </varlistentry>
1283
1284          <varlistentry>
1285            <term><structfield>recon_method</structfield> (optional)</term>
1286
1287            <listitem>
1288              <para>This should be a reference to a function used during the
1289              reconnaissance phase of the plugin's execution. If this is left
1290              undefined then the plugin will not execute during the
1291              reconnaissance phase.</para>
1292            </listitem>
1293          </varlistentry>
1294
1295          <varlistentry>
1296            <term><structfield>recon_cond</structfield> (optional)</term>
1297
1298            <listitem>
1299              <para>This is an expression to be evaluated before the plugin is
1300              executed; if true, the plugin is executed, if false, the plugin
1301              is skipped. This can be used to minimise plugin
1302              execution.</para>
1303            </listitem>
1304          </varlistentry>
1305
1306          <varlistentry>
1307            <term><structfield>recon_weight</structfield> (optional)</term>
1308
1309            <listitem>
1310              <para>This is the weight used to schedule the running of the
1311              plugin during the reconnaissance phase. If this is left
1312              undefined it will default to 50.</para>
1313            </listitem>
1314          </varlistentry>
1315
1316          <varlistentry>
1317            <term><structfield>scan_method</structfield> (optional)</term>
1318
1319            <listitem>
1320              <para>This should be a reference to a function used during the
1321              scan phase of the plugin's execution. If this is left undefined
1322              then the plugin will not execute during the scan phase.</para>
1323            </listitem>
1324          </varlistentry>
1325
1326          <varlistentry>
1327            <term><structfield>scan_cond</structfield> (optional)</term>
1328
1329            <listitem>
1330              <para>This is an expression to be evaluated before the plugin is
1331              executed; if true, the plugin is executed, if false, the plugin
1332              is skipped. This can be used to minimise plugin
1333              execution.</para>
1334            </listitem>
1335          </varlistentry>
1336
1337          <varlistentry>
1338            <term><structfield>scan_weight</structfield> (optional)</term>
1339
1340            <listitem>
1341              <para>This is the weight used to schedule the running of the
1342              plugin during the scan phase. If this is left undefined it will
1343              default to 50.</para>
1344            </listitem>
1345          </varlistentry>
1346
1347          <varlistentry>
1348            <term><structfield>report_head</structfield> (optional)</term>
1349
1350            <listitem>
1351              <para>This should be a reference to a function executed before
1352              any testing commences. If this is left undefined then the plugin
1353              will not be called to produce a report header.</para>
1354            </listitem>
1355          </varlistentry>
1356
1357          <varlistentry>
1358            <term><structfield>report_host_start</structfield>
1359            (optional)</term>
1360
1361            <listitem>
1362              <para>This should be a reference to a function executed before
1363              the reconnaissance phase of each host. If this is left
1364              undefined then the plugin will not be called to produce a host
1365              header.</para>
1366            </listitem>
1367          </varlistentry>
1368
1369          <varlistentry>
1370            <term><structfield>report_host_end</structfield> (optional)</term>
1371
1372            <listitem>
1373              <para>This should be a reference to a function executed after
1374              the scan phase of each host. If this is left undefined then the
1375              plugin will not be called to produce a host footer.</para>
1376            </listitem>
1377          </varlistentry>
1378
1379          <varlistentry>
1380            <term><structfield>report_item</structfield> (optional)</term>
1381
1382            <listitem>
1383              <para>This should be a reference to a function executed after
1384              each found vulnerability. If this is left undefined then the
1385              plugin will not be called to produce an item record.</para>
1386            </listitem>
1387          </varlistentry>
1388
1389          <varlistentry>
1390            <term><structfield>report_close</structfield> (optional)</term>
1391
1392            <listitem>
1393              <para>This should be a reference to a function executed after
1394              testing of all hosts has been finished. If this is left
1395              undefined then the plugin will not be called to close the
1396              report.</para>
1397            </listitem>
1398          </varlistentry>
1399
1400          <varlistentry>
1401            <term><structfield>report_format</structfield> (optional)</term>
1402
1403            <listitem>
1404              <para>This should describe the file format that the plugin
1405              handles. This is internally matched with the contents of the
1406              <parameter>-output</parameter> switch to reduce excessive calls
1407              to plugins.</para>
1408            </listitem>
1409          </varlistentry>
1410
1411          <varlistentry>
1412            <term><structfield>report_weight</structfield> (optional)</term>
1413
1414            <listitem>
1415              <para>This is the weight used to schedule the running of the
1416              plugin during the reporting phase. If this is left undefined it
1417              will default to 50.</para>
1418            </listitem>
1419          </varlistentry>
1420        </variablelist>
1421
1422        <example>
1423          <title>Example initialisation function</title>
1424
1425          <programlisting>sub nikto_dictionary_attack_init
1426{
1427   my $id =
1428   {
1429      name         =&gt; "dictionary",                   # short, one word, lower case
1430      full_name    =&gt; "Dictionary attack",
1431      author       =&gt; "Deity",
1432      description  =&gt; "Attempts to dictionary attack commonly known directories/files",
1433      recon_method =&gt; \&amp;nikto_dictionary_attack,   # code ref run in the reconnaissance phase
1434      recon_cond   =&gt; '$CLI{mutate} =~ /6/',          # only run when the mutate option contains 6
1435      recon_weight =&gt; 20,                             # 1 runs first, 100 last; default is 50
1436      copyright    =&gt; "2009 CIRT Inc"
1437   };
1438
1439   return $id;                                         # hash ref handed back to the plugin loader
1440}</programlisting>
1441        </example>
1442      </section>
1443
1444      <section>
1445        <title>Reconnaissance Phase</title>
1446
1447        <para>The reconnaissance phase is executed for each target at the
1448        start of each scan.</para>
1449
1450        <para>Each reconnaissance method should expect to take a
1451        <varname>mark</varname> hash ref. It should return nothing.</para>
1452
1453        <funcsynopsis>
1454          <funcprototype>
1455            <funcdef>void
1456            <function><replaceable>recon_method</replaceable></function></funcdef>
1457
1458            <paramdef>hashref <parameter>mark</parameter></paramdef>
1459          </funcprototype>
1460        </funcsynopsis>
1461
1462        <para>The reconnaissance phase is intended to be used to pull
1463        information about the web server for later use by the plugin, or by
1464        other plugins. Reporting vulnerabilities in this phase is
1465        discouraged.</para>
1466
1467        <para>Example uses of the reconnaissance phase are to spider a site,
1468        check for known applications, etc.</para>
1469      </section>
1470
1471      <section>
1472        <title>Scan Phase</title>
1473
1474        <para>The scan phase is the meat of the plugin's life. It is run,
1475        for each target, immediately after the reconnaissance phase.</para>
1476
1477        <para>Each scan should check for vulnerabilities it knows about and
1478        report on them as it finds one.</para>
1479
1480        <funcsynopsis>
1481          <funcprototype>
1482            <funcdef>void
1483            <function><replaceable>scan_method</replaceable></function></funcdef>
1484
1485            <paramdef>hashref <parameter>mark</parameter></paramdef>
1486          </funcprototype>
1487        </funcsynopsis>
1488      </section>
1489
1490      <section>
1491        <title>Reporting Phase</title>
1492
1493        <para>This is potentially the most convoluted phase as it has several
1494        hooks that may be used for each section in the scan's lifetime.</para>
1495
1496        <para>The hooks are:</para>
1497
1498        <section>
1499          <title>Report Head</title>
1500
1501          <para>This hook is called immediately after target acquisition and
1502          before the reconnaissance phase. It is designed to allow the
1503          reporting plugin to open the report and ensure that any headers are
1504          appropriately written.</para>
1505
1506          <funcsynopsis>
1507            <funcprototype>
1508              <funcdef>handle
1509              <function><replaceable>report_head</replaceable></function></funcdef>
1510
1511              <paramdef>string <parameter>filename</parameter></paramdef>
1512            </funcprototype>
1513          </funcsynopsis>
1514
1515          <para>The <parameter>filename</parameter> parameter is a bit of a
1516          misnomer; it will be a copy of the string passed to the
1517          <parameter>-output</parameter> switch and may indicate, for example,
1518          a database name.</para>
1519
1520          <para>The <parameter>handle</parameter> is a handle that will be
1521          passed to other reporting functions for this plugin so should be
1522          internally consistent.</para>
1523        </section>
1524
1525        <section>
1526          <title>Report Host Start</title>
1527
1528          <para>This hook is called immediately before the reconnaissance
1529          phase for each target. It is designed to allow the reporting plugin
1530          to write any host-specific information.</para>
1531
1532          <funcsynopsis>
1533            <funcprototype>
1534              <funcdef>void
1535              <function><replaceable>report_host_start</replaceable></function></funcdef>
1536
1537              <paramdef>handle <parameter>rhandle</parameter></paramdef>
1538
1539              <paramdef>hashref <parameter>mark</parameter></paramdef>
1540            </funcprototype>
1541          </funcsynopsis>
1542
1543          <para>The <parameter>rhandle</parameter> parameter is the output of
1544          the plugin's Report Head function.</para>
1545
1546          <para>The <parameter>mark</parameter> parameter is a hashref for the
1547          target information (described below).</para>
1548        </section>
1549
1550        <section>
1551          <title>Report Host End</title>
1552
1553          <para>This hook is called immediately after the scan phase for each
1554          target. It is designed to allow the reporting plugin to close any
1555          host-specific information.</para>
1556
1557          <funcsynopsis>
1558            <funcprototype>
1559              <funcdef>void
1560              <function><replaceable>report_host_end</replaceable></function></funcdef>
1561
1562              <paramdef>handle <parameter>rhandle</parameter></paramdef>
1563
1564              <paramdef>hashref <parameter>mark</parameter></paramdef>
1565            </funcprototype>
1566          </funcsynopsis>
1567
1568          <para>The <parameter>rhandle</parameter> parameter is the output of
1569          the plugin's Report Head function.</para>
1570
1571          <para>The <parameter>mark</parameter> parameter is a hashref for the
1572          target information (described below).</para>
1573        </section>
1574
1575        <section>
1576          <title>Report Item</title>
1577
1578          <para>This hook is called once for each vulnerability found on the
1579          target. It should report details about the vulnerability.</para>
1580
1581          <funcsynopsis>
1582            <funcprototype>
1583              <funcdef>void
1584              <function><replaceable>report_item</replaceable></function></funcdef>
1585
1586              <paramdef>handle <parameter>rhandle</parameter></paramdef>
1587
1588              <paramdef>hashref <parameter>mark</parameter></paramdef>
1589
1590              <paramdef>hashref <parameter>vulnerability</parameter></paramdef>
1591            </funcprototype>
1592          </funcsynopsis>
1593
1594          <para>The <parameter>rhandle</parameter> parameter is the output of
1595          the plugin's Report Head function.</para>
1596
1597          <para>The <parameter>mark</parameter> parameter is a hashref for the
1598          target information (described below).</para>
1599
1600          <para>The <parameter>vulnerability</parameter> parameter is a
1601          hashref for the vulnerability information (described below).</para>
1602        </section>
1603
1604        <section>
1605          <title>Report Close</title>
1606
1607          <para>This hook is called immediately after all targets have been
1608          scanned. It is designed to allow the reporting plugin to elegantly
1609          close the report.</para>
1610
1611          <funcsynopsis>
1612            <funcprototype>
1613              <funcdef>void
1614              <function><replaceable>report_close</replaceable></function></funcdef>
1615
1616              <paramdef>handle <parameter>rhandle</parameter></paramdef>
1617            </funcprototype>
1618          </funcsynopsis>
1619
1620          <para>The <parameter>rhandle</parameter> parameter is the output of
1621          the plugin's Report Head function.</para>
1622        </section>
1623      </section>
1624
1625      <section>
1626        <title>Data Structures</title>
1627
1628        <para>The data structures below are used to communicate between the
1629        various plugin methods. Unless otherwise mentioned, they are all
1630        standard Perl hash references with the members detailed below.</para>
1631
1632        <section>
1633          <title><structname>Mark</structname></title>
1634
1635          <para>The mark hash contains all information about a target. It
1636          contains the members below and should be treated as read-only.</para>
1637
1638          <blockquote>
1639            <table>
1640              <title>Members of the <structname>Mark</structname>
1641              structure</title>
1642
1643              <tgroup cols="2">
1644                <tbody>
1645                  <row>
1646                    <entry><structfield>ident</structfield></entry>
1647
1648                    <entry>Host identifier, usually equivalent to what was
1649                    passed on the command line.</entry>
1650                  </row>
1651
1652                  <row>
1653                    <entry><structfield>hostname</structfield></entry>
1654
1655                    <entry>Host name of the target.</entry>
1656                  </row>
1657
1658                  <row>
1659                    <entry><structfield>ip</structfield></entry>
1660
1661                    <entry>IP address of the target.</entry>
1662                  </row>
1663
1664                  <row>
1665                    <entry><structfield>port</structfield></entry>
1666
1667                    <entry>TCP port of the target.</entry>
1668                  </row>
1669
1670                  <row>
1671                    <entry><structfield>display_name</structfield></entry>
1672
1673                    <entry>Either the hostname, or the IP address of the
1674                    target, dependent on whether a hostname has been
1675                    discovered.</entry>
1676                  </row>
1677
1678                  <row>
1679                    <entry><structfield>ssl</structfield></entry>
1680
1681                    <entry>Flag to indicate whether the target runs over SSL.
1682                    If it is set to 0, then the plugin should not use SSL. Any
1683                    other value indicates SSL should be used.</entry>
1684                  </row>
1685
1686                  <row>
1687                    <entry><structfield>vhost</structfield></entry>
1688
1689                    <entry>Virtual hostname to use for the target.</entry>
1690                  </row>
1691
1692                  <row>
1693                    <entry><structfield>root</structfield></entry>
1694
1695                    <entry>Root URI to use for the target.</entry>
1696                  </row>
1697
1698                  <row>
1699                    <entry><structfield>banner</structfield></entry>
1700
1701                    <entry>Banner of the target's web server.</entry>
1702                  </row>
1703                </tbody>
1704              </tgroup>
1705            </table>
1706          </blockquote>
1707        </section>
1708
1709        <section>
1710          <title>Vulnerability</title>
1711
1712          <para>The vulnerability hash contains all information about a
1713          vulnerability. It contains the members below. It should be treated
1714          as read-only, and should only be written through the
1715          <function>add_vulnerability</function> method.</para>
1716
1717          <blockquote>
1718            <table>
1719              <title>Members of the <structname>Vulnerability</structname>
1720              structure</title>
1721
1722              <tgroup cols="2">
1723                <tbody>
1724                  <row>
1725                    <entry>mark</entry>
1726
1727                    <entry>Hash ref to a mark data structure.</entry>
1728                  </row>
1729
1730                  <row>
1731                    <entry>message</entry>
1732
1733                    <entry>Message for the vulnerability.</entry>
1734                  </row>
1735
1736                  <row>
1737                    <entry>nikto_id</entry>
1738
1739                    <entry>Test ID (tid) of the vulnerability; this should be
1740                    a unique number that identifies the
1741                    vulnerability.</entry>
1742                  </row>
1743
1744                  <row>
1745                    <entry>osvdb</entry>
1746
1747                    <entry>OSVDB reference to the vulnerability in the Open
1748                    Source Vulnerability Database. This may be 0 if an OSVDB
1749                    reference is not relevant or doesn't exist.</entry>
1750                  </row>
1751
1752                  <row>
1753                    <entry>method</entry>
1754
1755                    <entry>HTTP method used to find the vulnerability.</entry>
1756                  </row>
1757
1758                  <row>
1759                    <entry>uri</entry>
1760
1761                    <entry>URI for the result.</entry>
1762                  </row>
1763
1764                  <row>
1765                    <entry>result</entry>
1766
1767                    <entry>Any HTTP data, excluding headers.</entry>
1768                  </row>
1769                </tbody>
1770              </tgroup>
1771            </table>
1772          </blockquote>
1773        </section>
1774      </section>
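
      <section>
        <title>Example: a CSV Reporting Plugin</title>

        <para>The following is an added example, not code from the Nikto
        distribution, showing how the reporting hooks above and the
        <structname>Mark</structname> and
        <structname>Vulnerability</structname> structures fit together in a
        plugin that writes one CSV row per finding. The sub names, the
        assumption that the Report Head hook receives the output file name,
        and the sample mark and vulnerability values are all hypothetical.
        Every field written to the report (banner, URI, message, result)
        originates from the scanned server, so the plugin quotes each field
        rather than trusting it.</para>

        <programlisting><![CDATA[```perl
# Added example of a Nikto reporting plugin that writes one CSV row per
# finding. It is not part of Nikto; the sub names and the assumption that
# the Report Head hook is handed the output file name are hypothetical.
use strict;
use warnings;

# Report Head (assumed signature): open the output, write the column header
# and return the handle that Nikto passes back as $rhandle to every hook.
sub csv_report_head {
    my ($file) = @_;              # path, or a scalar ref for an in-memory file
    open(my $rhandle, '>', $file) or return undef;
    print {$rhandle} join(',', qw(host ip port nikto_id osvdb method uri message)), "\n";
    return $rhandle;
}

# Report Host Start / Host End: a flat CSV file has nothing to emit here.
sub csv_report_host_start { my ($rhandle, $mark) = @_; return; }
sub csv_report_host_end   { my ($rhandle, $mark) = @_; return; }

# Report Item: one row built only from the documented members of the mark
# and vulnerability hashrefs. Each value is quoted, since banner, uri and
# message all come from the target and may contain commas, quotes or
# newlines that would otherwise break the report's structure.
sub csv_report_item {
    my ($rhandle, $mark, $vuln) = @_;
    my @fields = (
        $mark->{display_name}, $mark->{ip},    $mark->{port},
        $vuln->{nikto_id},     $vuln->{osvdb}, $vuln->{method},
        $vuln->{uri},          $vuln->{message},
    );
    print {$rhandle} join(',', map { csv_quote($_) } @fields), "\n";
    return;
}

# Report Close: flush and close the handle opened by Report Head.
sub csv_report_close {
    my ($rhandle) = @_;
    close($rhandle) if defined $rhandle;
    return;
}

# Quote a CSV field: double any embedded quotes and fold newlines so that a
# server-supplied string cannot add rows or columns to the report.
sub csv_quote {
    my ($v) = @_;
    $v = '' unless defined $v;
    $v =~ s/"/""/g;
    $v =~ s/[\r\n]+/ /g;
    return qq{"$v"};
}

# --- Stand-alone driver with constructed sample data (values are made up) ---
my %mark = (
    ident        => 'www.example.com', hostname => 'www.example.com',
    ip           => '192.0.2.10',      port     => 80,
    display_name => 'www.example.com', ssl      => 0,
    vhost        => 'www.example.com', root     => '/', banner => 'Apache',
);
my %vuln = (
    mark     => \%mark,
    message  => qq{Sample finding with "quotes", a comma\nand a newline},
    nikto_id => 999999, osvdb => 0, method => 'GET',
    uri      => '/sample', result => '',
);

my $report  = '';
my $rhandle = csv_report_head(\$report);   # in-memory file for the demo
csv_report_host_start($rhandle, \%mark);
csv_report_item($rhandle, \%mark, \%vuln);
csv_report_host_end($rhandle, \%mark);
csv_report_close($rhandle);
print $report;
```]]></programlisting>

        <para>Run on its own, the driver at the bottom exercises the hooks in
        the order Nikto calls them (head, host start, item, host end, close)
        and prints the two-line report; in a real plugin Nikto supplies the
        mark and vulnerability hashrefs and the driver is not needed.</para>
      </section>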
1775
1776      <section>
1777        <title>Standard Methods</title>
1778
1779        <para>Several standard methods are defined in
1780        <filename>nikto_core.plugin</filename> that can be used by all
1781        plugins. It is strongly advised that these be used where
1782        possible instead of writing new methods.</para>
1783
1784        <para>Methods such as <function>add_vulnerability</function>
1785        that write to global variables <emphasis>must</emphasis> be
1786        the only interface to those global variables.</para>
1787
1788        <funcsynopsis>
1789          <funcprototype>
1790            <funcdef>array <function>change_variables</function></funcdef>
1791
1792            <paramdef>string <parameter>line</parameter></paramdef>
1793          </funcprototype>
1794        </funcsynopsis>
1795
1796        <para>Expands any variables in the line parameter. The expansions are
1797        variables defined in the global array <varname>@VARIABLES</varname>,
1798        which may be read from <filename>db_variables</filename>, or added by
1799        reconnaissance plugin methods.</para>
1800
1801        <funcsynopsis>
1802          <funcprototype>
1803            <funcdef>int <function>is_404</function></funcdef>
1804
1805            <paramdef>string <parameter>uri</parameter></paramdef>
1806
1807            <paramdef>string <parameter>content</parameter></paramdef>
1808
1809            <paramdef>string <parameter>HTTPcode</parameter></paramdef>
1810          </funcprototype>
1811        </funcsynopsis>
1812
1813        <para>Makes a guess whether the result is a real web page or an error
1814        page. As several web servers are badly configured and don't return
1815        HTTP 404 codes when a page isn't found, Nikto attempts to look for
1816        common error pages. Returns 1 if the page looks like an error.</para>
1817
1818        <funcsynopsis>
1819          <funcprototype>
1820            <funcdef>string <function>get_ext</function></funcdef>
1821
1822            <paramdef>string <parameter>uri</parameter></paramdef>
1823          </funcprototype>
1824        </funcsynopsis>
1825
1826        <para>Attempts to work out the extension of the uri. Will return the
1827        extension or the special cases: DIRECTORY, DOTFILE, NONE.</para>
1828
1829        <funcsynopsis>
1830          <funcprototype>
1831            <funcdef>string <function>date_disp</function></funcdef>
1832
1833            <paramdef>void</paramdef>
1834          </funcprototype>
1835        </funcsynopsis>
1836
1837        <para>Returns the current time in a human readable format (YYYY-mm-dd
1838        hh:mm:ss).</para>
1839
1840        <funcsynopsis>
1841          <funcprototype>
1842            <funcdef>string <function>rm_active</function></funcdef>
1843
1844            <paramdef>string <parameter>content</parameter></paramdef>
1845          </funcprototype>
1846        </funcsynopsis>
1847
1848        <para>Attempts to remove active content (e.g. dates, adverts etc.)
1849        from a page. Returns a filtered version of the content.</para>
1850
1851        <funcsynopsis>
1852          <funcprototype>
1853            <funcdef>string <function>get_banner</function></funcdef>
1854
1855            <paramdef>hashref <parameter>mark</parameter></paramdef>
1856          </funcprototype>
1857        </funcsynopsis>
1858
1859        <para>Pulls the web server's banner. This is automatically performed
1860        for all targets before a mark is passed to the plugin.</para>
1861
1862        <funcsynopsis>
1863          <funcprototype>
1864            <funcdef>boolean <function>content_present</function></funcdef>
1865
1866            <paramdef>string <parameter>HTTPcode</parameter></paramdef>
1867          </funcprototype>
1868        </funcsynopsis>
1869
1870        <para>Checks the HTTP response code against known "found" responses.
1871        TRUE indicates that the request was probably successful.</para>
1872
1873        <funcsynopsis>
1874          <funcprototype>
1875            <funcdef>string HTTPCode, string content
1876            <function>fetch</function></funcdef>
1877
1878            <paramdef>string <parameter>uri</parameter></paramdef>
1879
1880            <paramdef>string <parameter>method</parameter></paramdef>
1881
1882            <paramdef>string <parameter>content</parameter></paramdef>
1883
1884            <paramdef>hashref <parameter>headers</parameter></paramdef>
1885
1886            <paramdef>boolean <parameter>noclean</parameter></paramdef>
1887          </funcprototype>
1888        </funcsynopsis>
1889
1890        <para><emphasis>Deprecated</emphasis></para>
1891
1892        <para>Performs a simple HTTP request to URI using the HTTP method,
1893        <parameter>method</parameter>. <parameter>content</parameter> supplies
1894        any data to pass in the HTTP body. <parameter>headers</parameter>
1895        allows any custom headers to be placed in the request.
1896        <parameter>noclean</parameter> is a flag specifying that the request
1897        shouldn't be cleaned up before being sent (e.g. if the Host: header is
1898        blank).</para>
1899
1900        <funcsynopsis>
1901          <funcprototype>
1902            <funcdef>string HTTPCode, string content
1903            <function>nfetch</function></funcdef>
1904
1905            <paramdef>string <parameter>uri</parameter></paramdef>
1906
1907            <paramdef>string <parameter>method</parameter></paramdef>
1908
1909            <paramdef>string <parameter>content</parameter></paramdef>
1910
1911            <paramdef>hashref <parameter>headers</parameter></paramdef>
1912
1913            <paramdef>boolean <parameter>noclean</parameter></paramdef>
1914          </funcprototype>
1915        </funcsynopsis>
1916
1917        <para>An updated version of fetch that uses a local, rather than a
1918        global request/result structure. This should be used in preference to
1919        fetch.</para>
1920
1921        <funcsynopsis>
1922          <funcprototype>
1923            <funcdef>hashref <function>setup_hash</function></funcdef>
1924
1925            <paramdef>hashref <parameter>requesthash</parameter></paramdef>
1926
1927            <paramdef>hashref <parameter>mark</parameter></paramdef>
1928          </funcprototype>
1929        </funcsynopsis>
1930
1931        <para>Sets up a libwhisker hash with the normal Nikto variables.
1932        This should be used if any custom calls to libwhisker are made.</para>
1933
1934        <funcsynopsis>
1935          <funcprototype>
1936            <funcdef>string <function>char_escape</function></funcdef>
1937
1938            <paramdef>string <parameter>line</parameter></paramdef>
1939          </funcprototype>
1940        </funcsynopsis>
1941
1942        <para>Escapes any characters within line.</para>
1943
1944        <funcsynopsis>
1945          <funcprototype>
1946            <funcdef>array <function>parse_csv</function></funcdef>
1947
1948            <paramdef>string <parameter>text</parameter></paramdef>
1949          </funcprototype>
1950        </funcsynopsis>
1951
1952        <para>Breaks a line of CSV text into an array of items.</para>
1953
1954        <funcsynopsis>
1955          <funcprototype>
1956            <funcdef>arrayref <function>init_db</function></funcdef>
1957
1958            <paramdef>string <parameter>dbname</parameter></paramdef>
1959          </funcprototype>
1960        </funcsynopsis>
1961
1962        <para>Initialises a database that is in <varname>PLUGINDIR</varname>
1963        and returns an arrayref. The arrayref points to an array of hashrefs;
1964        the hash members are named by the first line in the database file, for
1965        example:</para>
1966
1967        <screen>"nikto_id","md5hash","description"</screen>
1968
1969        <para>This will result in an array of hashrefs with parameters:</para>
1970
1971        <screen>array[0]-&gt;{nikto_id}
1972array[0]-&gt;{md5hash}
1973array[0]-&gt;{description}</screen>
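
        <para>As an added illustration (not Nikto's own
        <function>init_db</function> or <function>parse_csv</function>), the
        following stand-alone Perl reads a database in the format just
        described: the first quoted-CSV line names the hash members and each
        following line becomes one hashref. The sample database text is
        constructed for the example, and the treatment of blank and
        <literal>#</literal>-prefixed lines as comments is an assumption.</para>

        <programlisting><![CDATA[```perl
# Added example: load a Nikto-style database (header line naming the hash
# members, then one quoted-CSV record per line) into an array of hashrefs.
# Stand-alone illustration only; this is not Nikto's init_db or parse_csv.
use strict;
use warnings;

# Split one line of quoted CSV into its fields. Quoted fields may contain
# commas and doubled quotes (""); unquoted fields are accepted as well.
sub split_csv_line {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;
    my @fields;
    while (length $line) {
        if ($line =~ s/^"((?:[^"]|"")*)"(?:,|\z)//) {
            (my $f = $1) =~ s/""/"/g;      # un-double embedded quotes
            push @fields, $f;
        }
        elsif ($line =~ s/^([^,]*)(?:,|\z)//) {
            push @fields, $1;              # bare (unquoted) field
        }
    }
    return @fields;
}

# Turn whole database text into the arrayref init_db is documented to
# return: the header names the members, every later line is a record.
sub load_db_text {
    my ($text) = @_;
    # Skip blank lines and '#' comment lines (assumption about the format).
    my @lines = grep { /\S/ and not /^\s*#/ } split /\n/, $text;
    return [] unless @lines;
    my @keys = split_csv_line(shift @lines);
    my @records;
    for my $line (@lines) {
        my @values = split_csv_line($line);
        my %record;
        @record{@keys} = @values;          # missing trailing fields stay undef
        push @records, \%record;
    }
    return \@records;
}

# Constructed sample database text (not a real Nikto db file). The header
# is the one shown in the documentation; the values are made up.
my $sample_db = join "\n",
    '"nikto_id","md5hash","description"',
    '# comment line, skipped (assumption)',
    '"500001","d41d8cd98f00b204e9800998ecf8427e","constructed entry one"',
    '"500002","0123456789abcdef0123456789abcdef","entry two, with a comma and ""quotes"""',
    '';

my $db = load_db_text($sample_db);
for my $rec (@$db) {
    printf "%s %s %s\n", $rec->{nikto_id}, $rec->{md5hash}, $rec->{description};
}
```]]></programlisting>

        <para>The records come back as
        <literal>$db->[0]{nikto_id}</literal>,
        <literal>$db->[0]{md5hash}</literal> and so on, matching the layout
        shown above; a record with fewer fields than the header leaves the
        remaining members undefined rather than shifting values into the
        wrong column.</para>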
1974
1975        <funcsynopsis>
1976          <funcprototype>
1977            <funcdef>void <function>add_vulnerability</function></funcdef>
1978
1979            <paramdef>hashref <parameter>mark</parameter></paramdef>
1980
1981            <paramdef>string <parameter>message</parameter></paramdef>
1982
1983            <paramdef>string <parameter>nikto_id</parameter></paramdef>
1984
1985            <paramdef>string <parameter>osvdb</parameter></paramdef>
1986
1987            <paramdef>string <parameter>method</parameter></paramdef>
1988
1989            <paramdef>string <parameter>uri</parameter></paramdef>
1990
1991            <paramdef>string <parameter>data</parameter></paramdef>
1992          </funcprototype>
1993        </funcsynopsis>
1994
1995        <para>Adds a vulnerability for the mark, displays it to standard out
1996        and sends it to any reporting plugins.</para>
1997
1998        <funcsynopsis>
1999          <funcprototype>
2000            <funcdef>void <function>nprint</function></funcdef>
2001
2002            <paramdef>string <parameter>message</parameter></paramdef>
2003
2004            <paramdef>string <parameter>display</parameter></paramdef>
2005          </funcprototype>
2006        </funcsynopsis>
2007
2008        <para>Prints <parameter>message</parameter> to standard out.
2009        <parameter>Display</parameter> specifies a filter for the message;
2010        currently this can be "v" for verbose and "d" for debug output.</para>
2011      </section>
2012
2013      <section>
2014        <title>Global Variables</title>
2015
2016        <para>The following global variables exist within Nikto. Most of them
2017        are defined for internal use, and their use by plugins is not advised.
2018        Several have been deprecated and should not be used by
2019        plugins.</para>
2020
2021        <variablelist>
2022          <varlistentry>
2023            <term><varname>%TEMPLATES</varname> (read/write)</term>
2024
2025            <listitem>
2026              <para>Hash to store the HTML and XML report templates.</para>
2027            </listitem>
2028          </varlistentry>
2029
2030          <varlistentry>
2031            <term><varname>%ERRSTRINGS</varname> (read)</term>
2032
2033            <listitem>
2034              <para>Hash containing all the entries in db_404, a list of
2035              strings that may indicate a 404 response.</para>
2036            </listitem>
2037          </varlistentry>
2038
2039          <varlistentry>
2040            <term><varname>%CLI</varname> (read)</term>
2041
2042            <listitem>
2043              <para>Hash of passed CLI parameters.</para>
2044            </listitem>
2045          </varlistentry>
2046
2047          <varlistentry>
2048            <term><varname>%VARIABLES</varname> (read) (write)</term>
2049
2050            <listitem>
2051              <para>Hash of the contents of the entries in db_variables. Plugins
2052              should only write to this hash in the reconnaissance
2053              phase.</para>
2054            </listitem>
2055          </varlistentry>
2056
2057          <varlistentry>
2058            <term><varname>%TESTS</varname> (read) (write)</term>
2059
2060            <listitem>
2061              <para>Hash of the db_tests database. This is only intended to be
2062              used by the tests plugin, though it could be used by a
2063              reconnaissance plugin to add tests on the fly.</para>
2064            </listitem>
2065          </varlistentry>
2066
2067          <varlistentry>
2068            <term><varname>$CONTENT</varname> (read) (write)
2069            (deprecated)</term>
2070
2071            <listitem>
2072              <para>Global variable to store data from a fetch or nfetch. A
2073              local variable should be used instead.</para>
2074            </listitem>
2075          </varlistentry>
2076
2077          <varlistentry>
2078            <term><varname>%NIKTO</varname> (read)</term>
2079
2080            <listitem>
2081              <para>Hash which contains internal Nikto data, such as help for
2082              the command line parameters.</para>
2083            </listitem>
2084          </varlistentry>
2085
2086          <varlistentry>
2087            <term><varname>%REALMS</varname> (read)</term>
2088
2089            <listitem>
2090              <para>Hash of data from db_realms.</para>
2091            </listitem>
2092          </varlistentry>
2093
2094          <varlistentry>
2095            <term><varname>%NIKTOCONFIG</varname> (read)</term>
2096
2097            <listitem>
2098              <para>Hash containing the data read from the configuration
2099              files.</para>
2100            </listitem>
2101          </varlistentry>
2102
2103          <varlistentry>
2104            <term><varname>%request</varname> (read) (write)
2105            (deprecated)</term>
2106
2107            <term><varname>%result</varname> (read) (write)
2108            (deprecated)</term>
2109
2110            <listitem>
2111              <para>Global libwhisker hash. This should not be used; nfetch or
2112              a local hash should be used.</para>
2113            </listitem>
2114          </varlistentry>
2115
2116          <varlistentry>
2117            <term><varname>%COUNTERS</varname> (read) (write)</term>
2118
2119            <listitem>
2120              <para>Hash containing various global counters (e.g. number of
2121              requests).</para>
2122            </listitem>
2123          </varlistentry>
2124
2125          <varlistentry>
2126            <term><varname>%db_extensions</varname> (read) (deprecated)</term>
2127
2128            <listitem>
2129              <para>Hash containing a list of common extensions.</para>
2130            </listitem>
2131          </varlistentry>
2132
2133          <varlistentry>
2134            <term><varname>%FoF</varname> (read) (write)</term>
2135
2136            <listitem>
2137              <para>Hash containing, for each extension, what the server
2138              returns when a non-existent file with that extension is
2139              requested.</para>
2140            </listitem>
2141          </varlistentry>
2142
2143          <varlistentry>
2144            <term><varname>%UPDATES</varname> (read) (write)</term>
2145
2146            <listitem>
2147              <para>Hash containing any updates that need to be sent back to
2148              cirt.net.</para>
2149            </listitem>
2150          </varlistentry>
2151
2152          <varlistentry>
2153            <term><varname>$DIV</varname> (read)</term>
2154
2155            <listitem>
2156              <para>Divider mark for the items sent to standard out.</para>
2157            </listitem>
2158          </varlistentry>
2159
2160          <varlistentry>
2161            <term><varname>@DBFILE</varname> (read)</term>
2162
2163            <listitem>
2164              <para>Placeholder used to hold the contents of
2165              <filename>db_tests</filename>.</para>
2166            </listitem>
2167          </varlistentry>
2168
2169          <varlistentry>
2170            <term><varname>@BUILDITEMS</varname> (read) (write)
2171            (deprecated)</term>
2172
2173            <listitem>
2174              <para>Array to hold information for tests to act on later. Its
2175              use should be avoided; a local variable should be used
2176              instead.</para>
2177            </listitem>
2178          </varlistentry>
2179
2180          <varlistentry>
2181            <term><varname>$PROXYCHECKED</varname> (read) (deprecated)</term>
2182
2183            <listitem>
2184              <para>Flag recording whether the connection through the proxy
2185              has been checked.</para>
2186            </listitem>
2187          </varlistentry>
2188
2189          <varlistentry>
2190            <term><varname>$http_eol</varname> (read) (deprecated)</term>
2191
2192            <listitem>
2193              <para>Contains the HTTP end-of-line pattern.</para>
2194            </listitem>
2195          </varlistentry>
2196
2197          <varlistentry>
2198            <term><varname>@RESULTS</varname> (read)</term>
2199
2200            <listitem>
2201              <para>Array of reported vulnerabilities; it should only be written
2202              to through <function>add_vulnerability</function>.</para>
2203            </listitem>
2204          </varlistentry>
2205
2206          <varlistentry>
2207            <term><varname>@PLUGINS</varname> (read)</term>
2208
2209            <listitem>
2210              <para>Array of hashrefs for each plugin. Used internally to run
2211              plugins.</para>
2212            </listitem>
2213          </varlistentry>
2214
2215          <varlistentry>
2216            <term><varname>@MARKS</varname> (read)</term>
2217
2218            <listitem>
2219              <para>Array of marks to indicate each target.</para>
2220            </listitem>
2221          </varlistentry>
2222
2223          <varlistentry>
2224            <term><varname>@REPORTS</varname> (read)</term>
2225
2226            <listitem>
2227              <para>Ordered array giving the order in which reporting plugins
2228              should be run. Used for efficiency when calling reporting plugins.</para>
2229            </listitem>
2230          </varlistentry>
2231
2232          <varlistentry>
2233            <term><varname>%CACHE</varname> (read) (write)</term>
2234
2235            <listitem>
2236              <para>Hash containing the URI cache; it should only be read or
2237              written through <function>nfetch</function>. Members:</para>
2238
2239              <blockquote>
2240                <table>
2241                  <title>Members of the <structname>cache</structname>
2242                  structure</title>
2243
2244                  <tgroup cols="2">
2245                    <tbody>
2246                      <row>
2247                        <entry><structfield>{uri}</structfield></entry>
2248
2249                        <entry>URI for the cache</entry>
2250                      </row>
2251
2252                      <row>
2253                        <entry><structfield>{uri}{method}</structfield></entry>
2254
2255                        <entry>HTTP method used</entry>
2256                      </row>
2257
2258                      <row>
2259                        <entry><structfield>{uri}{res}</structfield></entry>
2260
2261                        <entry>HTTP result for URI</entry>
2262                      </row>
2263
2264                      <row>
2265                        <entry><structfield>{uri}{content}</structfield></entry>
2266
2267                        <entry>data for URI</entry>
2268                      </row>
2269
2270                      <row>
2271                        <entry><structfield>{uri}{mark}</structfield></entry>
2272
2273                        <entry>mark hashref for URI</entry>
2274                      </row>
2275                    </tbody>
2276                  </tgroup>
2277                </table>
2278              </blockquote>
2279            </listitem>
2280          </varlistentry>
2281        </variablelist>
2282      </section>
2283    </section>
2284
2285    <section>
2286      <title>Test Identifiers</title>
2287
2288      <para>Each test, whether it comes from one of the databases or in code,
2289      must have a unique identifier. The numbering scheme for writing tests is
2290      as follows:</para>
2291
2292      <blockquote>
2293        <table>
2294          <title>TID Scheme</title>
2295
2296          <tgroup cols="2">
2297            <tbody>
2298              <row>
2299                <entry>000000</entry>
2300
2301                <entry>db_tests</entry>
2302              </row>
2303
2304              <row>
2305                <entry>400000</entry>
2306
2307                <entry>user defined tests (<filename>udb*</filename>
2308                files)</entry>
2309              </row>
2310
2311              <row>
2312                <entry>500000</entry>
2313
2314                <entry>db_favicon</entry>
2315              </row>
2316
2317              <row>
2318                <entry>600000</entry>
2319
2320                <entry>db_outdated</entry>
2321              </row>
2322
2323              <row>
2324                <entry>700000</entry>
2325
2326                <entry>db_realms</entry>
2327              </row>
2328
2329              <row>
2330                <entry>800000</entry>
2331
2332                <entry>db_server_msgs</entry>
2333              </row>
2334
2335              <row>
2336                <entry>900000</entry>
2337
2338                <entry>tests defined in code</entry>
2339              </row>
2340            </tbody>
2341          </tgroup>
2342        </table>
2343      </blockquote>
2344
2345      <para>As much data as possible in the <varname>%TESTS</varname> hash
2346      should be populated for each new test that is defined in code (plugins).
2347      These fields include the URI for the test, the message to print on
2348      success, the HTTP method and the OSVDB ID. Without a 'message' value in
2349      <varname>%TESTS</varname>, output will not be saved in HTML or XML
2350      reports. Not all tests are expected to have a uri, method or OSVDB ID.
2351      Here is an example of setting those fields:</para>
2352
2353      <screen>$TESTS{999999}{uri}="/~root";
2354$TESTS{999999}{message}="Enumeration of users is possible by requesting ~username";
2355$TESTS{999999}{method}="GET";
2356$TESTS{999999}{osvdb}=637;</screen>
2357    </section>
2358
2359    <section>
2360      <title>Code Copyrights</title>
2361
2362      <para>Any new or updated code, tests or information sent to the author
2363      is assumed to be free of copyrights. By sending new or updated code,
2364      tests or information to the author you relinquish all claims of
2365      copyright on the material, and agree that this code can be claimed
2366      under the same copyright as Nikto.</para>
2367    </section>
2368  </chapter>
2369
2370  <chapter id="troubleshooting">
2371    <title>Troubleshooting</title>
2372
2373    <section>
2374      <title>SOCKS Proxies</title>
2375
2376      <para>Nikto does not currently support SOCKS proxies.</para>
2377    </section>
2378
2379    <section>
2380      <title>Debugging</title>
2381
2382      <para>The major route to debugging Nikto requests is to use the
2383      <parameter>-Display</parameter> option with v (verbose) or d (debug).
2384      These output a vast amount of extra information to the screen, so it is
2385      advised to redirect output to a file when using them.</para>
2386    </section>
2387  </chapter>
2388
2389  <chapter id="licences">
2390    <title>Licences</title>
2391
2392    <section>
2393      <title>Nikto</title>
2394
2395      <para>Nikto is licensed under the GNU General Public License (GPL), and
2396      copyrighted by CIRT, Inc.</para>
2397    </section>
2398
2399    <section>
2400      <title>LibWhisker</title>
2401
2402      <para>LibWhisker is licensed under the GNU General Public License (GPL),
2403      and copyrighted by Rain Forrest Puppy.</para>
2404    </section>
2405
2406    <section>
2407      <title>Tests</title>
2408
2409      <para>The web tests are licensed for use with Nikto only, and may not be
2410      reused without written consent from CIRT, Inc.</para>
2411    </section>
2412  </chapter>
2413
2414  <chapter id="credits">
2415    <title>Credits</title>
2416
2417    <section>
2418      <title>Nikto</title>
2419
2420      <para>Nikto was originally written and maintained by Sullo, CIRT, Inc.
2421      It is currently maintained by David Lodge. LibWhisker was written by
2422      Rain Forrest Puppy.</para>
2423    </section>
2424
2425    <section>
2426      <title>Thanks</title>
2427
2428      <para>Many people have provided feedback, fixes, and suggestions. This
2429      list attempts to make note of those people, though not all contributors
2430      are listed. In no particular order:</para>
2431
2432      <itemizedlist>
2433        <listitem>
2434          <para>Nikto 2 Testing: Paul Woroshow, Mark G. Spencer, Michel Arboi,
2435          Jericho, rfp</para>
2436        </listitem>
2437
2438        <listitem>
2439          <para>Jericho (attrition.org/OSVDB/OSF).
2440          Support/ideas/tests/corrections/spam and help matching OSVDB IDs to
2441          tests.</para>
2442        </listitem>
2443
2444        <listitem>
2445          <para>rfp (wiretrip.net). LibWhisker and continuing support.</para>
2446        </listitem>
2447
2448        <listitem>
2449          <para>Erik Cabetas for many updates and fixes.</para>
2450        </listitem>
2451
2452        <listitem>
2453          <para>Jake Kouns (OSVDB/OSF).</para>
2454        </listitem>
2455
2456        <listitem>
2457          <para>Jabra (spl0it.org) for XML DTD, XML templates and supporting
2458          code.</para>
2459        </listitem>
2460
2461        <listitem>
2462          <para>Stephen Valdez. Extensive testing. We all miss you.</para>
2463        </listitem>
2464
2465        <listitem>
2466          <para>S Saady. Extensive testing.</para>
2467        </listitem>
2468
2469        <listitem>
2470          <para>Zeno (cgisecurity.com). Nikto mirroring.</para>
2471        </listitem>
2472
2473        <listitem>
2474          <para>P Eronen (nixu.com). Provided many code fixes.</para>
2475        </listitem>
2476
2477        <listitem>
2478          <para>M Arboi. Great support by writing the code to make Nikto work
2479          within Nessus, as well as bug reports.</para>
2480        </listitem>
2481
2482        <listitem>
2483          <para>T Seyrat. Maintains Nikto for the Debian releases.</para>
2484        </listitem>
2485
2486        <listitem>
2487          <para>J DePriest. Ideas/fixes.</para>
2488        </listitem>
2489
2490        <listitem>
2491          <para>P Woroshow. Ideas/fixes.</para>
2492        </listitem>
2493
2494        <listitem>
2495          <para>fr0stman. Tests.</para>
2496        </listitem>
2497
2498        <listitem>
2499          <para>H Heimann. Tests.</para>
2500        </listitem>
2501
2502        <listitem>
2503          <para>Xiola (xiola.net). Web design and more.</para>
2504        </listitem>
2505
2506        <listitem>
2507          <para>Ryan Dewhurst. Domain guessing code.</para>
2508        </listitem>
2509      </itemizedlist>
2510
2511      <para>This document is © 2009 CIRT, Inc. and may not be reused without
2512      permission.</para>
2513    </section>
2514  </chapter>
2515</book>