source: trunk/docs/nikto_manual.html @ 242

Revision 242, 104.0 KB checked in by sullo, 3 years ago (diff)

Update version to 2.1.1

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Nikto v2.1.1 - The Manual</title><link rel="stylesheet" href="doc.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="id2762457"></a>Nikto v2.1.1 - The Manual</h1></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="#introduction">1. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#id2841010">Overview</a></span></dt><dt><span class="section"><a href="#id2848880">Description</a></span></dt><dt><span class="section"><a href="#id2852958">Advanced Error Detection Logic</a></span></dt><dt><span class="section"><a href="#id2813639">History</a></span></dt></dl></dd><dt><span class="chapter"><a href="#installation">2. Installation</a></span></dt><dd><dl><dt><span class="section"><a href="#id2813669">Requirements</a></span></dt><dt><span class="section"><a href="#id2813788">Install</a></span></dt></dl></dd><dt><span class="chapter"><a href="#usage">3. Usage</a></span></dt><dd><dl><dt><span class="section"><a href="#id2813828">Basic Testing</a></span></dt><dt><span class="section"><a href="#id2818342">Multiple Port Testing</a></span></dt><dt><span class="section"><a href="#id2818363">Multiple Host Testing</a></span></dt><dt><span class="section"><a href="#id2818424">Using a Proxy</a></span></dt><dt><span class="section"><a href="#id2818450">Updating</a></span></dt><dt><span class="section"><a href="#id2818497">Integration with Nessus</a></span></dt></dl></dd><dt><span class="chapter"><a href="#options">4. 
Command Line Options</a></span></dt><dd><dl><dt><span class="section"><a href="#id2818527">All Options</a></span></dt><dt><span class="section"><a href="#id2863010">Mutation Techniques</a></span></dt><dt><span class="section"><a href="#id2863111">Display</a></span></dt><dt><span class="section"><a href="#id2863184">Scan Tuning</a></span></dt><dt><span class="section"><a href="#id2863380">Single Request Mode</a></span></dt></dl></dd><dt><span class="chapter"><a href="#configuration">5. Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#id2863426">Location</a></span></dt><dt><span class="section"><a href="#id2813104">Format</a></span></dt><dt><span class="section"><a href="#id2813117">Variables</a></span></dt></dl></dd><dt><span class="chapter"><a href="#reports">6. Output and Reports</a></span></dt><dd><dl><dt><span class="section"><a href="#id2864279">Export Formats</a></span></dt><dt><span class="section"><a href="#id2864309">HTML and XML Customisation</a></span></dt></dl></dd><dt><span class="chapter"><a href="#expanding">7. 
Test and Code Writing</a></span></dt><dd><dl><dt><span class="section"><a href="#id2864394">Scan Database Field Values</a></span></dt><dt><span class="section"><a href="#id2864561">User-Defined Tests</a></span></dt><dt><span class="section"><a href="#id2864625">Scan Database Syntax</a></span></dt><dt><span class="section"><a href="#id2864653">Plugins</a></span></dt><dd><dl><dt><span class="section"><a href="#id2864773">Initialisation Phase</a></span></dt><dt><span class="section"><a href="#id2865155">Reconnaissance Phase</a></span></dt><dt><span class="section"><a href="#id2865224">Scan Phase</a></span></dt><dt><span class="section"><a href="#id2865263">Reporting Phase</a></span></dt><dt><span class="section"><a href="#id2865588">Data Structures</a></span></dt><dt><span class="section"><a href="#id2865863">Standard Methods</a></span></dt><dt><span class="section"><a href="#id2866492">Global Variables</a></span></dt></dl></dd><dt><span class="section"><a href="#id2867005">Test Identifiers</a></span></dt><dt><span class="section"><a href="#id2867133">Code Copyrights</a></span></dt></dl></dd><dt><span class="chapter"><a href="#troubleshooting">8. Troubleshooting</a></span></dt><dd><dl><dt><span class="section"><a href="#id2867157">SOCKS Proxies</a></span></dt><dt><span class="section"><a href="#id2867167">Debugging</a></span></dt></dl></dd><dt><span class="chapter"><a href="#licences">9. Licences</a></span></dt><dd><dl><dt><span class="section"><a href="#id2867195">Nikto</a></span></dt><dt><span class="section"><a href="#id2867206">LibWhisker</a></span></dt><dt><span class="section"><a href="#id2867218">Tests</a></span></dt></dl></dd><dt><span class="chapter"><a href="#credits">10. Credits</a></span></dt><dd><dl><dt><span class="section"><a href="#id2867238">Nikto</a></span></dt><dt><span class="section"><a href="#id2867250">Thanks</a></span></dt></dl></dd></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>7.1. 
<a href="#id2864410">Scan Database Fields</a></dt><dt>7.2. <a href="#id2865614">Members of the Mark
structure</a></dt><dt>7.3. <a href="#id2865767">Members of the Vulnerability
structure</a></dt><dt>7.4. <a href="#id2866927">Members of the cache
structure</a></dt><dt>7.5. <a href="#id2867019">TID Scheme</a></dt></dl></div><div class="list-of-examples"><p><b>List of Examples</b></p><dl><dt>3.1. <a href="#id2818383">Valid Hosts File</a></dt><dt>7.1. <a href="#id2865142">Example initialisation function</a></dt></dl></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="introduction"></a>Chapter 1. Introduction</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2841010">Overview</a></span></dt><dt><span class="section"><a href="#id2848880">Description</a></span></dt><dt><span class="section"><a href="#id2852958">Advanced Error Detection Logic</a></span></dt><dt><span class="section"><a href="#id2813639">History</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2841010"></a>Overview</h2></div></div></div><p>Nikto is a web server assessment tool. It is designed to find
various default and insecure files, configurations and programs on any
type of web server.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2848880"></a>Description</h2></div></div></div><p>Examine a web server to find potential problems and security vulnerabilities, including:
</p><div class="itemizedlist"><ul type="disc"><li><p>Server and software misconfigurations</p></li><li><p>Default files and programs</p></li><li><p>Insecure files and programs</p></li><li><p>Outdated servers and programs</p></li></ul></div><p>
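As an added illustration (not Nikto's own code) of the per-file-type error detection described in the Advanced Error Detection Logic section below: for each file extension, the response to a request for a random non-existent file selects the detection method (a 404 status, then a "not found" string in the body, then an MD5 hash of the body with date and time strings removed), and later tests for that extension are judged by that method. The "not found" strings, the date/time patterns and the sample responses are constructed assumptions for this example.

```python
import hashlib
import re

# Preference order from the manual: RFC status code, then a "not found" string
# in the body, then an MD5 hash of the body. The strings and the date/time
# patterns below are assumptions for this example, not Nikto's own lists.
NOT_FOUND_STRINGS = ("could not be found", "does not exist", "no such file", "not found")

# Dates and times change between requests and would defeat a hash match, so they
# are removed before hashing. Deliberately coarse: weekday and month names and
# any digit run (2009, 11/30/2009, 14:05:33) are dropped.
VOLATILE_RE = re.compile(
    r"\b(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)[a-z]*\b,?"
    r"|\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\b"
    r"|\d[\d:/.\-]*"
)


def strip_volatile(body):
    """Remove date and time strings so two copies of an error page hash alike."""
    return VOLATILE_RE.sub("", body)


def content_hash(body):
    """MD5 of the body with volatile strings removed."""
    return hashlib.md5(strip_volatile(body).encode("utf-8")).hexdigest()


def choose_method(status, body):
    """Pick the error-detection method for one extension from the response to a
    request for a random, non-existent file of that type."""
    if status == 404:
        return ("status", 404)           # server follows the RFC for this type
    lowered = body.lower()
    for needle in NOT_FOUND_STRINGS:
        if needle in lowered:
            return ("content", needle)   # 200 OK, but the page says "not found"
    return ("hash", content_hash(body))  # fall back to the slowest method


def looks_missing(method, status, body):
    """Apply a chosen method to a later test response for the same extension."""
    kind, value = method
    if kind == "status":
        return status == value
    if kind == "content":
        return value in body.lower()
    return content_hash(body) == value


def extension_of(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def calibrate(probes):
    """probes: {extension: (status, body)} from requests for random non-existent
    files, one per extension found in the test database."""
    return {ext: choose_method(status, body) for ext, (status, body) in probes.items()}


def evaluate(methods, responses):
    """responses: [(path, status, body)]. Returns {path: True if the file appears
    to exist}. An extension with no calibrated method falls back to the status
    code (an assumption for this example)."""
    found = {}
    for path, status, body in responses:
        method = methods.get(extension_of(path), ("status", 404))
        found[path] = not looks_missing(method, status, body)
    return found


# Constructed sample responses (not captured from any real server).
PROBES = {
    "txt": (404, "<h1>Not Found</h1>"),
    "cgi": (200, "<html><body>The script you requested could not be found.</body></html>"),
    "php": (200, "<html><body>Oops! Generated Mon, 30 Nov 2009 14:05:33</body></html>"),
}
RESPONSES = [
    ("/robots.txt", 200, "User-agent: *\nDisallow: /admin/"),
    ("/missing.txt", 404, "<h1>Not Found</h1>"),
    ("/cgi-bin/test.cgi", 200, "The script you requested could not be found."),
    ("/cgi-bin/printenv.cgi", 200, "SERVER_SOFTWARE=Apache\nDOCUMENT_ROOT=/var/www"),
    ("/phpinfo.php", 200, "<title>phpinfo()</title>"),
    ("/nothere.php", 200, "<html><body>Oops! Generated Tue, 01 Dec 2009 09:17:02</body></html>"),
]

if __name__ == "__main__":
    methods = calibrate(PROBES)
    for ext, method in methods.items():
        print(f".{ext}: detect errors by {method[0]}")
    for path, exists in evaluate(methods, RESPONSES).items():
        print(f"{path}: {'found' if exists else 'missing'}")
```

The .php case shows why the date stripping matters: the two custom error pages differ only in their timestamps, and without stripping the hash method would report /nothere.php as found.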
</p><p>Nikto is built on LibWhisker (by RFP) and can run on any platform
which has a PERL environment. It supports SSL, proxies, host
authentication, IDS evasion and more. It can be updated automatically
from the command-line, and supports the optional submission of updated
version data back to the maintainers.</p><p>The name "Nikto" is taken from the movie "The Day the Earth Stood
Still", and of course subsequent abuse by Bruce Campbell in "Army of
Darkness". More information on the pop-culture popularity of Nikto can
be found at
<a class="ulink" href="http://www.blather.net/blather/2005/10/klaatu_barada_nikto_the_day_th.html" target="_top">http://www.blather.net/blather/2005/10/klaatu_barada_nikto_the_day_th.html</a></p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2852958"></a>Advanced Error Detection Logic</h2></div></div></div><p>Most web security tools (including Nikto 1.32 and below) rely
heavily on the HTTP response to determine if a page or script exists on
the target. Because many servers do not properly adhere to RFC standards
and return a 200 "OK" response for requests which are not found or
forbidden, this can lead to many false positives. In addition, error
responses for various file extensions can differ: the "not found"
response for a .html file is often different from that for a .cgi.</p><p>Some testing tools, such as Nessus, also look at the content of
the response to help eliminate these false positives. While often
effective, this method relies on pre-defined strings to help eliminate
false positives.</p><p>As of version 2.0 Nikto no longer assumes the error pages for
different file types will be the same. A list of unique file extensions
is generated at run-time (from the test database), and each of those
extensions is tested against the target. For every file type, the "best
method" of determining errors is found: standard RFC response, content
match or MD5 hash (in decreasing order of preference). This allows Nikto
to use the fastest and most accurate method for each individual file
type, and therefore helps eliminate the false positives seen for some
servers in version 1.32 and below.</p><p>For example, if a server responds with a 404 "not found" error for
a non-existent .txt file, Nikto will match the HTTP response of "404" on
tests. If the server responds with a 200 "OK" response, it will try to
match on the content, and assuming it finds a match (for example, the
words "could not be found"), it will use this method for determining
missing .txt files. If the other methods fail, Nikto will attempt to
remove date and time strings (which can constantly change) from the
returned page's content, generate an MD5 hash of the content, and then
match that hash value against future .txt tests. The latter is by far
the slowest type of match, but in many cases will provide valid results
for a particular file type.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2813639"></a>History</h2></div></div></div><p>The Nikto 1.00 Beta was released on December 27, 2001 (followed
almost immediately by the 1.01 release). Over the course of two years
Nikto's code evolved into the most popular freely available web
vulnerability scanner. The 2.0 release, in November 2007, represents
several years of improvements.</p><p>In 2008, due to other commitments, Sullo, the original author,
couldn't continue to support Nikto and the code was released under the
GPL and passed to the community for support.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="installation"></a>Chapter 2. Installation</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2813669">Requirements</a></span></dt><dt><span class="section"><a href="#id2813788">Install</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2813669"></a>Requirements</h2></div></div></div><p>Any system which supports a basic PERL installation should allow
Nikto to run. It has been extensively tested on:</p><div class="itemizedlist"><ul type="disc"><li><p>Windows (using ActiveState Perl)</p></li><li><p>Mac OSX</p></li><li><p>Various Linux and Unix installations (including RedHat,
Solaris, Debian, Knoppix, etc.)</p></li></ul></div><p>The only required PERL module that does not come standard is
LibWhisker. Nikto comes with and is configured to use a local LW.pm file
(in the plugins directory), but users may wish to change Nikto to use a
version installed on the system. See Section 2 for further
information.</p><p>For SSL support the Net::SSLeay PERL module must be installed
(which in turn requires OpenSSL on the Unix platform). Windows support
for SSL is dependent on the installation package, but is rumored to
exist for ActiveState's Perl.</p><p>The nmap scanner can also be used, if desired. In some cases using
nmap will slow down Nikto execution, as it must call an external
program. For scanning many ports across one or more servers, using nmap
will be faster than using Nikto's internal PERL scanning.</p><div class="itemizedlist"><ul type="disc"><li><p>PERL: <a class="ulink" href="http://www.cpan.org/" target="_top">http://www.cpan.org/</a></p></li><li><p>LibWhisker: <a class="ulink" href="http://www.wiretrip.net/" target="_top">http://www.wiretrip.net/</a></p></li><li><p>ActiveState Perl: <a class="ulink" href="http://www.activestate.com/" target="_top">http://www.activestate.com/</a></p></li><li><p>OpenSSL: <a class="ulink" href="http://www.openssl.org/" target="_top">http://www.openssl.org/</a></p></li><li><p>nmap: <a class="ulink" href="http://www.insecure.org/" target="_top">http://insecure.org/</a></p></li></ul></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2813788"></a>Install</h2></div></div></div><p>These instructions do not include information on installing PERL,
PERL Modules, OpenSSL, LibWhisker or any of the utilities that may be
needed during installation (such as gzip, tar, etc.). Please see the
distributor's documentation for information on how to install and
configure those software packages.</p><p>Unpack the download file:</p><pre class="screen">tar -xvzf nikto-current.tar.gz</pre><p>Assuming a standard OS/PERL installation, Nikto should now be
usable. See Chapter 4 (Options) or Chapter 8 (Troubleshooting) for
further configuration information.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="usage"></a>Chapter 3. Usage</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2813828">Basic Testing</a></span></dt><dt><span class="section"><a href="#id2818342">Multiple Port Testing</a></span></dt><dt><span class="section"><a href="#id2818363">Multiple Host Testing</a></span></dt><dt><span class="section"><a href="#id2818424">Using a Proxy</a></span></dt><dt><span class="section"><a href="#id2818450">Updating</a></span></dt><dt><span class="section"><a href="#id2818497">Integration with Nessus</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2813828"></a>Basic Testing</h2></div></div></div><p>The most basic Nikto scan requires simply a host to target, since
port 80 is assumed if none is specified. The host can either be an IP or
a hostname of a machine, and is specified using the -h (-host) option.
This will scan the IP 192.168.0.1 on TCP port 80:</p><pre class="screen">perl nikto.pl -h 192.168.0.1</pre><p>To check on a different port, specify the port number with the -p
(-port) option. This will scan the IP 192.168.0.1 on TCP port
443:</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -p 443</pre><p>Hosts, ports and protocols may also be specified by using a full
URL syntax, and it will be scanned:</p><pre class="screen">perl nikto.pl -h https://192.168.0.1:443/</pre><p>There is no need to specify that port 443 may be SSL, as Nikto
will first test regular HTTP and if that fails, HTTPS. If you are sure
it is an SSL server, specifying -s (-ssl) will speed up the test.</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -p 443 -ssl</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p><em class="parameter"><code>-mutate</code></em> 1 increases the number of tests so
that all filenames are tested against all databases, including
<code class="filename">db_tests</code>. This will produce over 2,000,000 extra
tests, which will use up a massive amount of resources.</p></td></tr></table></div><p>More complex tests can be performed using the
<em class="parameter"><code>-mutate</code></em> parameter, as detailed later. This can
produce extra tests, some of which may be provided with extra parameters
through the <em class="parameter"><code>-mutate-options</code></em> parameter. For example,
using <em class="parameter"><code>-mutate</code></em> 3, with or without a file, attempts
to brute force usernames if the web server allows
~<em class="replaceable"><code>user</code></em> URIs:</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -mutate 3 -mutate-options user-list.txt</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818342"></a>Multiple Port Testing</h2></div></div></div><p>Nikto can scan multiple ports in the same scanning session. To
test more than one port on the same host, specify the list of ports in
the -p (-port) option. Ports can be specified as a range (i.e., 80-90),
or as a comma-delimited list (i.e., 80,88,90). This will scan the host
on ports 80, 88 and 443.</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -p 80,88,443</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818363"></a>Multiple Host Testing</h2></div></div></div><p>Nikto supports scanning multiple hosts in the same session via a
text file of host names or IPs. Instead of giving a host name or IP for
the -h (-host) option, a file name can be given. A file of hosts must be
formatted as one host per line, with the port number(s) at the end of
each line. Ports can be separated from the host and other ports via a
colon or a comma. If no port is specified, port 80 is assumed.</p><p>This is an example of a valid hosts file:</p><div class="example"><a name="id2818383"></a><p class="title"><b>Example 3.1. Valid Hosts File</b></p><div class="example-contents"><pre class="programlisting">192.168.0.1:80
http://192.168.0.1:8080/
192.168.0.3</pre></div></div><br class="example-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>For win32 users: due to peculiarities in the way that cmd.exe
works with pipes, the above example may not work for you. In this case
a temporary file will have to be used to store the output from
nmap.</p></td></tr></table></div><p>A host file may also be an nmap output in "greppable" format (i.e.
from the -oG output).</p><p>A file may be passed to Nikto through stdin by using a "-" as
the filename. For example:</p><pre class="screen">nmap -p80 192.168.0.0/24 -oG - | nikto.pl -h -</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818424"></a>Using a Proxy</h2></div></div></div><p>If the machine running Nikto only has access to the target host
(or update server) via an HTTP proxy, the test can still be performed.
Set the <code class="varname">PROXY*</code> variables (as described in section
4), then execute Nikto with the -u (-useproxy) command. All connections
will be relayed through the HTTP proxy specified in the configuration
file.</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -p 80 -u</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818450"></a>Updating</h2></div></div></div><p>Nikto can be automatically updated, assuming you have Internet
connectivity from the host Nikto is installed on. To update to the
latest plugins and databases, simply run Nikto with the -update
command.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The -update option cannot be abbreviated.</p></td></tr></table></div><pre class="screen">perl nikto.pl -update</pre><p>If updates are required, you will see a list of the files
downloaded:</p><pre class="screen">
perl nikto.pl -update
+ Retrieving 'nikto_core.plugin'
+ Retrieving 'CHANGES.txt'
</pre><p>Updates may also be manually downloaded from <a class="ulink" href="http://www.cirt.net/" target="_top">http://www.cirt.net/</a></p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818497"></a>Integration with Nessus</h2></div></div></div><p>Nessus (<a class="ulink" href="http://www.nessus.org/" target="_top">http://www.nessus.org/nessus/</a>) can
be configured to automatically launch Nikto when it finds a web server.
Ensure Nikto works properly, then place the directory containing
nikto.pl in root's PATH environment variable. When nessusd starts, it
should see the nikto.pl program and enable usage through the
GUI.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="options"></a>Chapter 4. Command Line Options</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2818527">All Options</a></span></dt><dt><span class="section"><a href="#id2863010">Mutation Techniques</a></span></dt><dt><span class="section"><a href="#id2863111">Display</a></span></dt><dt><span class="section"><a href="#id2863184">Scan Tuning</a></span></dt><dt><span class="section"><a href="#id2863380">Single Request Mode</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2818527"></a>All Options</h2></div></div></div><p>Below are all of the Nikto command line options and explanations. A
brief version of this text is available by running Nikto with the -h
(-help) option.</p><div class="variablelist"><dl><dt><span class="term"><code class="option">-Cgidirs</code></span></dt><dd><p>Scan these CGI directories. Special words "none" or "all" may
be used to scan all CGI directories or none (respectively). A
literal value for a CGI directory such as "/cgi-test/" may be
specified (must include trailing slash). If this option is not
specified, all CGI directories listed in config.txt will be
tested.</p></dd><dt><span class="term"><code class="option">-config</code></span></dt><dd><p>Specify an alternative config file to use instead of the
config.txt located in the install directory.</p></dd><dt><span class="term"><code class="option">-dbcheck</code></span></dt><dd><p>Check the scan databases for syntax errors.</p></dd><dt><span class="term"><code class="option">-Display</code></span></dt><dd><p>Control the output that Nikto shows. See Chapter 5 for
detailed information on these options. Use the reference number or
letter to specify the type, multiple may be used:</p><p>1 - Show redirects</p><p>2 - Show cookies received</p><p>3 - Show all 200/OK responses</p><p>4 - Show URLs which require authentication</p><p>D - Debug Output</p><p>V - Verbose Output</p></dd><dt><span class="term"><code class="option">-evasion</code></span></dt><dd><p>Specify the LibWhisker IDS evasion technique to use (see the
LibWhisker docs for detailed information on these). Use the
reference number to specify the type, multiple may be used:</p><p>1 - Random URI encoding (non-UTF8)</p><p>2 - Directory self-reference (/./)</p><p>3 - Premature URL ending</p><p>4 - Prepend long random string</p><p>5 - Fake parameter</p><p>6 - TAB as request spacer</p><p>7 - Change the case of the URL</p><p>8 - Use Windows directory separator (\)</p></dd><dt><span class="term"><code class="option">-findonly</code></span></dt><dd><p>Only discover the HTTP(S) ports, do not perform a security scan.
This will attempt to connect with HTTP or HTTPS, and report the
Server header.</p></dd><dt><span class="term"><code class="option">-Format</code></span></dt><dd><p>Save the output file specified with the -o (-output) option in
this format. If not specified, the default is "txt". Valid formats
are:</p><p>csv - a comma-separated list</p><p>htm - an HTML report</p><p>txt - a text report</p><p>xml - an XML report</p></dd><dt><span class="term"><code class="option">-host</code></span></dt><dd><p>Host(s) to target. Can be an IP address, hostname or text file
of hosts. A single dash (-) may be used for stdin. Can also parse nmap -oG
style output.</p></dd><dt><span class="term"><code class="option">-Help</code></span></dt><dd><p>Display extended help information.</p></dd><dt><span class="term"><code class="option">-id</code></span></dt><dd><p>ID and password to use for Basic host authentication.
Format is "id:password".</p></dd><dt><span class="term"><code class="option">-mutate</code></span></dt><dd><p>Specify mutation technique. A mutation will cause Nikto to
combine tests or attempt to guess values. These techniques may cause
a tremendous amount of tests to be launched against the target. Use
the reference number to specify the type, multiple may be
used:</p><p>1 - Test all files with all root directories</p><p>2 - Guess for password file names</p><p>3 - Enumerate user names via Apache (/~user type
requests)</p><p>4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user
type requests)</p><p>5 - Attempt to brute force sub-domain names, assume that
the host name is the parent domain</p><p>6 - Attempt to guess directory names from the supplied
dictionary file</p></dd><dt><span class="term"><code class="option">-mutate-options</code></span></dt><dd><p>Provide extra information for mutates, e.g. a dictionary
file</p></dd><dt><span class="term"><code class="option">-nolookup</code></span></dt><dd><p>Do not perform name lookups on IP addresses.</p></dd><dt><span class="term"><code class="option">-nossl</code></span></dt><dd><p>Do not use SSL to connect to the server.</p></dd><dt><span class="term"><code class="option">-no404</code></span></dt><dd><p>Disable 404 (file not found) checking. This will reduce
the total number of requests made to the webserver and may be
preferable when checking a server over a slow link, or an embedded
device. This will generally lead to more false positives being
discovered.</p></dd><dt><span class="term"><code class="option">-output</code></span></dt><dd><p>Write output to the file specified. Format is defined in -F
(-Format), default is text. Existing files will have new information
appended.</p></dd><dt><span class="term"><code class="option">-port</code></span></dt><dd><p>TCP port(s) to target. To test more than one port on the same
host, specify the list of ports in the -p (-port) option. Ports can
be specified as a range (i.e., 80-90), or as a comma-delimited list
(i.e., 80,88,90). If not specified, port 80 is used.</p></dd><dt><span class="term"><code class="option">-Pause</code></span></dt><dd><p>Seconds to delay between each test.</p></dd><dt><span class="term"><code class="option">-root</code></span></dt><dd><p>Prepend the value specified to the beginning of every request.
This is useful to test applications or web servers which have all of
their files under a certain directory.</p></dd><dt><span class="term"><code class="option">-ssl</code></span></dt><dd><p>Only test SSL on the ports specified. Using this option will
dramatically speed up requests to HTTPS ports, since otherwise the
HTTP request will have to time out first.</p></dd><dt><span class="term"><code class="option">-Single</code></span></dt><dd><p>Perform a single request to a target server. Nikto will prompt
for all options which can be specified, and then report the detailed
output. See Chapter 5 for detailed information.</p></dd><dt><span class="term"><code class="option">-timeout</code></span></dt><dd><p>Seconds to wait before timing out a request. Default timeout
is 10 seconds.</p></dd><dt><span class="term"><code class="option">-Tuning</code></span></dt><dd><p>Tuning options control the tests that Nikto will use
against a target. By default, if any options are specified, only
those tests will be performed. If the "x" option is used, it will
reverse the logic and exclude only those tests. Use the reference
number or letter to specify the type, multiple may be used:</p><p>0 - File Upload</p><p>1 - Interesting File / Seen in logs</p><p>2 - Misconfiguration / Default File</p><p>3 - Information Disclosure</p><p>4 - Injection (XSS/Script/HTML)</p><p>5 - Remote File Retrieval - Inside Web Root</p><p>6 - Denial of Service</p><p>7 - Remote File Retrieval - Server Wide</p><p>8 - Command Execution / Remote Shell</p><p>9 - SQL Injection</p><p>a - Authentication Bypass</p><p>b - Software Identification</p><p>c - Remote Source Inclusion</p><p>x - Reverse Tuning Options (i.e., include all except
specified)</p><p>The given string will be parsed from left to right; any x
character will apply to all characters to the right of it.</p></dd><dt><span class="term"><code class="option">-useproxy</code></span></dt><dd><p>Use the HTTP proxy defined in the configuration file.</p></dd><dt><span class="term"><code class="option">-update</code></span></dt><dd><p>Update the plugins and databases directly from
cirt.net.</p></dd><dt><span class="term"><code class="option">-Version</code></span></dt><dd><p>Display the Nikto software, plugin and database
versions.</p></dd><dt><span class="term"><code class="option">-vhost</code></span></dt><dd><p>Specify the Host header to be sent to the target.</p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2863010"></a>Mutation Techniques</h2></div></div></div><p>A mutation will cause Nikto to combine tests or attempt to guess
values. These techniques may cause a tremendous amount of tests to be
launched against the target. Use the reference number to specify the
type, multiple may be combined.</p><div class="orderedlist"><ol type="1"><li><p>Test all files with all root directories. This takes each test
and splits it into a list of files and directories. A scan list is
then created by combining each file with each directory.</p></li><li><p>Guess for password file names. Takes a list of common password
file names (such as "passwd", "pass", "password") and file
extensions ("txt", "pwd", "bak", etc.) and builds a list of files
to check for.</p></li><li><p>Enumerate user names via Apache (/~user type requests).
Exploit a misconfiguration with Apache UserDir setups which allows
valid user names to be discovered. This will attempt to brute-force
guess user names. A file of known users can also be supplied by
giving the file name in the
<em class="parameter"><code>-mutate-options</code></em> parameter.</p></li><li><p>Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user
type requests). Exploit a flaw in cgiwrap which allows valid user
names to be discovered. This will attempt to brute-force guess user
names. A file of known users can also be supplied by giving the
file name in the <em class="parameter"><code>-mutate-options</code></em>
parameter.</p></li><li><p>Attempt to brute force sub-domain names. This will
attempt to brute force known sub-domain names; it will assume the given
host (without a www) is the parent domain.</p></li><li><p>Attempt to brute force directory names. This is the only mutate
option that requires a file to be passed in the
<em class="parameter"><code>-mutate-options</code></em> parameter. It will use the
given file to attempt to guess directory names. Lists of common
directories may be found in the OWASP DirBuster project.</p></li></ol></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2863111"></a>Display</h2></div></div></div><p>By default only some basic information about the target and
196      vulnerabilities is shown. Using the <em class="parameter"><code>-Display</code></em>
197      parameter can produce more information for debugging issues.</p><div class="itemizedlist"><ul type="disc"><li><p>1 - Show redirects. This will display all requests which
198            elicit a "redirect" response from the server.</p></li><li><p>2 - Show cookies received. This will display all cookies that
199            were sent by the remote host.</p></li><li><p>3 - Show all 200/OK responses. This will show all responses
200            which elicit an "okay" (200) response from the server. This could be
201            useful for debugging.</p></li><li><p>4 - Show URLs which require authentication. This will show all
202            responses which elicit an "authorization required" header.</p></li><li><p>D - Debug Output. Show debug output, which shows the verbose
203            output and extra information such as variable content.</p></li><li><p>V - Verbose Output. Show verbose output, which typically shows
204            where Nikto is during program execution.</p></li></ul></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2863184"></a>Scan Tuning</h2></div></div></div><p>Scan tuning can be used to decrease the number of tests performed
205      against a target. By including or excluding test types, a faster and
206      more focused scan can be run. This is useful where certain classes of
207      test are not wanted, such as the XSS checks or the checks for
208      "interesting" files.</p><p>Test types can be controlled individually by passing
209      their identifiers to the <em class="parameter"><code>-T</code></em>
210      (<em class="parameter"><code>-Tuning</code></em>) option. Without
211      <em class="parameter"><code>-T</code></em> every test type is run; when it is given, only the
212      specified type(s) are executed. For example, to run only the "Remote file
213      retrieval - Inside Web Root" (5) and "Command execution" (8) tests against the
214      target:</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -T 58</pre><p>If an "x" appears in the <em class="parameter"><code>-T</code></em> value, the
215      types listed after it are excluded rather than included. This is useful where a test
216      is tagged with several types. For example, the following runs the type 5 and 8 tests but excludes type b (software identification):</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -T 58xb</pre><p>The valid tuning options are:</p><div class="itemizedlist"><ul type="disc"><li><p>0 - File Upload. Exploits which allow a file to be
217            uploaded to the target server.</p></li><li><p>1 - Interesting File / Seen in logs. An unknown but suspicious
218            file or attack that has been seen in web server logs (note: if you
219            have information regarding any of these attacks, please contact
220            CIRT, Inc.).</p></li><li><p>2 - Misconfiguration / Default File. Default files or files
221            which have been misconfigured in some manner. This could be
222            documentation, or a resource which should be password
223            protected.</p></li><li><p>3 - Information Disclosure. A resource which reveals
224            information about the target. This could be a file system path or
225            account name.</p></li><li><p>4 - Injection (XSS/Script/HTML). Any manner of injection,
226            including cross site scripting (XSS) or content (HTML). This does
227            not include command injection.</p></li><li><p>5 - Remote File Retrieval - Inside Web Root. Resource allows
228            remote users to retrieve unauthorized files from within the web
229            server's root directory.</p></li><li><p>6 - Denial of Service. Resource allows a denial of service
230            against the target application, web server or host (note: no
231            intentional DoS attacks are attempted).</p></li><li><p>7 - Remote File Retrieval - Server Wide. Resource allows
232            remote users to retrieve unauthorized files from anywhere on the
233            target.</p></li><li><p>8 - Command Execution / Remote Shell. Resource allows the user
234            to execute a system command or spawn a remote shell.</p></li><li><p>9 - SQL Injection. Any type of attack which allows SQL to be
235            executed against a database.</p></li><li><p>a - Authentication Bypass. Allows client to access a
236            resource it should not be allowed to access.</p></li><li><p>b - Software Identification. Installed software or program
237            could be positively identified.</p></li><li><p>c - Remote source inclusion. Software allows remote inclusion
238            of source code.</p></li><li><p>x - Reverse Tuning Options. Perform exclusion of the specified
239            tuning type instead of inclusion of the specified tuning
240            type.</p></li></ul></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2863380"></a>Single Request Mode</h2></div></div></div><p>Single request mode is designed to perform a single request
241      against the target. This is useful to confirm a test result by hand using the
242      same request settings Nikto used during a scan. The single option allows manual
243      setting of most variables used by Nikto and LibWhisker, and upon
244      completion will display both the request settings and the result of the
245      operation.</p><p>Most options have a default value or can be left blank. The most
246      common and required values are at the beginning of the "questions"
247      section for slightly easier use. True and false are specified by numeric
248      equivalents, 1 and 0 respectively. Please note that Single mode is not
249      very user-friendly. Here is an example Nikto run with the
250      <em class="parameter"><code>-Single</code></em> option.</p><pre class="screen">
251
252[dave@yggdrasil nikto-2.03]$ ./nikto.pl -Single
253--------------------------------------------  Nikto 2.1.1
254--------------------------------------------  Single Request Mode
255                              Hostname or IP: localhost
256                                   Port (80):
257                                     URI (/): /test.html
258                                     SSL (0):
259                                  Proxy host:
260                                  Proxy port:
261                      Show HTML Response (1):
262                          HTTP Version (1.1):
263                           HTTP Method (GET):
264      User-Agent (Mozilla/4.75 (Nikto/2.1.1):
265                     Connection (Keep-Alive):
266                                        Data:
267                        force_bodysnatch (0):
268                             force_close (1):
269                             http_space1 ( ):
270                             http_space2 ( ):
271                     include_host_in_uri (0):
272           invalid_protocol_return_value (1):
273                                max_size (0):
274                             protocol (HTTP):
275           require_newline_after_headers (0):
276                                   retry (0):
277                           ssl_save_info (0):
278                                timeout (10):
279                             uri_password ():
280                              uri_postfix ():
281                               uri_prefix ():
282                                 uri_user ():
283                         Enable Anti-IDS (0):
284--------------------------------------------  Done with questions
285        Host Name: localhost
286        Host IP: 127.0.0.1
287        HTTP Response Code: 404
288--------------------------------------------  Connection Details
289        Connection: Keep-Alive
290        Host: localhost
291        User-Agent: Mozilla/4.75 (Nikto/2.1.1)
292        data:
293        force_bodysnatch: 0
294        force_close: 1
295        force_open: 0
296        host: localhost
297        http_space1:
298        http_space2:
299        ignore_duplicate_headers: 1
300        include_host_in_uri: 0
301        invalid_protocol_return_value: 1
302        max_size: 0
303        method: GET
304        port: 80
305        protocol: HTTP
306        require_newline_after_headers: 0
307        retry: 0
308        ssl: 0
309        ssl_save_info: 0
310        timeout: 10
311        trailing_slurp: 0
312        uri: /test.html
313        uri_param_sep: ?
314        uri_postfix:
315        uri_prefix:
316        version: 1.1
317--------------------------------------------  Response Headers
318        Connection: close
319        Content-Length: 268
320        Content-Type: text/html; charset=iso-8859-1
321        Date: Tue, 18 Aug 2009 10:13:57 GMT
322        Server: Apache/2
323        code: 404
324        http_data_sent: 1
325        http_eol:
326
327        http_space1:
328        http_space2:
329        message: Not Found
330        protocol: HTTP
331        uri: /test.html
332        version: 1.1
333--------------------------------------------  Response Content
334&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;
335&lt;html&gt;&lt;head&gt;
336&lt;title&gt;404 Not Found&lt;/title&gt;
337&lt;/head&gt;&lt;body&gt;
338&lt;h1&gt;Not Found&lt;/h1&gt;
339&lt;p&gt;The requested URL /test.html was not found on this server.&lt;/p&gt;
340&lt;hr&gt;
341&lt;address&gt;Apache/2 Server at localhost Port 80&lt;/address&gt;
342&lt;/body&gt;&lt;/html&gt;
343
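</pre><p>Closing this chapter, an added example for the tuning selection described under "Scan Tuning" above, applied to records written in the scan database syntax documented in Chapter 7. This is illustrative Python written for this page, not Nikto's own Perl code. The handling of "x" follows this manual's wording (types listed after the x are excluded). Of the sample database lines only test 120 is taken from the manual; the 4xxxxx records are constructed for the example and are not real Nikto tests.</p>

```python
import csv

# Field order of the scan database, as documented in "Scan Database Syntax".
FIELDS = ["test_id", "osvdb_id", "tuning", "uri", "method", "match1",
          "match1_or", "match1_and", "fail1", "fail2", "summary",
          "data", "headers"]

# Valid tuning type characters; "x" is the exclusion marker, not a type.
TUNING_TYPES = set("0123456789abc")

# Sample database. Test 120 is the manual's own example; the 4xxxxx entries
# are constructed for this example (400000-499999 is the range the manual
# recommends for user tests) and do not correspond to real Nikto checks.
SAMPLE_DB = '''\
# comment lines and blank lines are skipped
"120","3092","2","/manual/","GET","200","","","","","Web server manual","",""

"400001","0","58","/cgi-bin/example.cgi","GET","200","","","","","constructed: retrieval and exec","",""
"400002","0","b","/","GET","200","","","","","constructed: software identification","",""
"400003","0","5b","/example.txt","GET","200","","","","","constructed: retrieval that also identifies software","",""
"400004","0","4","/search?q=test","GET","200","","","","","constructed: injection","",""
'''


def parse_scan_db(text):
    """Parse scan-database lines into dicts keyed by FIELDS.

    Each line is one quoted, comma-separated record. A record with the wrong
    number of fields or an unknown tuning type is rejected outright rather than
    silently padded, which is what a -dbcheck style validation of a user
    supplied udb_ file should do as well.
    """
    tests = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        row = next(csv.reader([line]))
        if len(row) != len(FIELDS):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(FIELDS), len(row)))
        rec = dict(zip(FIELDS, row))
        if not rec["tuning"] or not set(rec["tuning"]) <= TUNING_TYPES:
            raise ValueError("line %d: bad tuning type %r" % (lineno, rec["tuning"]))
        tests.append(rec)
    return tests


def parse_tuning(spec):
    """Split a -T value into (include, exclude) sets.

    Following the manual's description, type characters before an "x" are
    included and those after it are excluded, so "58xb" gives ({5,8}, {b}).
    """
    include, exclude = set(), set()
    excluding = False
    for ch in spec:
        if ch == "x":
            excluding = True
        elif ch in TUNING_TYPES:
            (exclude if excluding else include).add(ch)
        else:
            raise ValueError("unknown tuning type %r" % ch)
    return include, exclude


def select_tests(tests, spec=""):
    """Return the tests that -T <spec> would run; an empty spec runs everything.

    A test carries one or more type characters in its tuning field. It runs if
    it shares a type with the include set (or the include set is empty) and
    shares no type with the exclude set.
    """
    include, exclude = parse_tuning(spec)
    chosen = []
    for t in tests:
        types = set(t["tuning"])
        if include and not (types & include):
            continue
        if types & exclude:
            continue
        chosen.append(t)
    return chosen


if __name__ == "__main__":
    db = parse_scan_db(SAMPLE_DB)
    for spec in ("", "58", "58xb", "xb"):
        ids = [t["test_id"] for t in select_tests(db, spec)]
        print("-T %-5s -> %s" % (spec or "(none)", ", ".join(ids)))
```

<p>Running the script prints which of the sample tests -T 58, -T 58xb and -T xb would select. The treatment of x follows this manual's wording; verify it against your Nikto version with a value such as -T x4 before relying on it in a scoped engagement.</p><pre class="screen">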
344</pre></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="configuration"></a>Chapter 5. Configuration Files</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2863426">Location</a></span></dt><dt><span class="section"><a href="#id2813104">Format</a></span></dt><dt><span class="section"><a href="#id2813117">Variables</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2863426"></a>Location</h2></div></div></div><p>Nikto, like any non-trivial program, needs to know a few things
345      about how to work with its environment. For most situations the
346      default configuration file will work; sometimes a few settings need
347      tuning or changing.</p><p>Nikto looks for a configuration file in three places and applies every
348      one it finds, in the strict order listed below. A variable set in a later
349      file overrides the same variable set in an earlier
350      configuration file. The locations are:</p><div class="orderedlist"><ol type="1"><li><p>/etc/nikto.conf (this may be altered depending on
351            platform)</p></li><li><p>$HOME/nikto.conf</p></li><li><p>nikto.conf</p></li></ol></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2813104"></a>Format</h2></div></div></div><p>The configuration files are formatted like a standard Unix
352      configuration file: blank lines are ignored, any line starting with a #
353      is treated as a comment and ignored, and a variable is set with a line of the form VariableName=Value.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2813117"></a>Variables</h2></div></div></div><p>The following variables may be set within the configuration
354      file:</p><div class="variablelist"><dl><dt><span class="term"><code class="varname">CLIOPTS</code></span></dt><dd><p>Default options that should always be passed to the
355               command line. For example:</p><pre class="screen">CLIOPTS=-output results.txt -Format text</pre><p>Default Setting</p><pre class="screen">CLIOPTS=</pre></dd><dt><span class="term"><code class="varname">NIKTODTD</code></span></dt><dd><p>Path to the location of the DTD used for XML output. If the
356               path is not absolute then it will be relative to the directory
357               where Nikto is executed.</p><p>Default Setting</p><pre class="screen">NIKTODTD=docs/nikto.dtd</pre></dd><dt><span class="term"><code class="varname">NMAP</code>, </span><span class="term"><code class="varname">NMAPOPTS</code></span></dt><dd><p><span class="emphasis"><em>Deprecated</em></span></p><p>Location of nmap and the default nmap options. Nikto used
358               to use nmap to aid in checking for valid HTTP ports on any
359               targets. From Nikto 2.1.0, nmap is no longer used from within
360               Nikto and these variables do nothing. They may be
361               removed in a later version.</p><p>Default Setting</p><pre class="screen">NMAP=/usr/local/bin/nmap
362NMAPOPTS=-P0</pre></dd><dt><span class="term"><code class="varname">SKIPPORTS</code></span></dt><dd><p><span class="emphasis"><em>Deprecated</em></span></p><p>This configuration item originally defined ports that
363               would never be scanned by Nikto. This is currently unused and
364               deprecated.</p><p>Default Setting</p><pre class="screen">SKIPPORTS=21 111</pre></dd><dt><span class="term"><code class="varname">SKIPIDS</code></span></dt><dd><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>Note, this filter only applies to tests in the
365               <code class="filename">db_tests</code> database</p></td></tr></table></div><p>Contains a space separated list of Test IDs (tids) that
366               Nikto will not run on the system, for example:</p><pre class="screen">SKIPIDS=000045 000345</pre><p>Default Setting</p><pre class="screen">SKIPIDS=</pre></dd><dt><span class="term"><code class="varname">DEFAULTHTTPVER</code></span></dt><dd><p>Defines the default version of HTTP that Nikto will use,
367               unless superseded by a specific test. Usually keeping this to
368               the default will suffice, though some web servers may only work
369               with later versions of the HTTP protocol.</p><p>Default Setting</p><pre class="screen">DEFAULTHTTPVER=1.0</pre></dd><dt><span class="term"><code class="varname">UPDATES</code></span></dt><dd><p>If the outdated Nikto plugin sees a web server it doesn't
370               know of, or a version that is later than that defined in
371               <code class="filename">db_outdated</code>, then it will send this
372               information back to cirt.net for inclusion in future versions of
373               Nikto. Server specific information (e.g. IP addresses or
374               hostnames) is not sent, but the submission itself is outbound traffic from the scanning host to cirt.net; set UPDATES=no when a scan must not contact any third party.</p><p>This item can be set to one of the below values:</p><div class="blockquote"><blockquote class="blockquote"><div class="variablelist"><dl><dt><span class="term"><code class="varname">UPDATES=yes</code></span></dt><dd><p>Display each submission and ask for permission
375                        before it is sent</p></dd><dt><span class="term"><code class="varname">UPDATES=no</code></span></dt><dd><p>Do not send any data back to cirt.net</p></dd><dt><span class="term"><code class="varname">UPDATES=auto</code></span></dt><dd><p>Send data back to cirt.net with no
376                        prompting</p></dd></dl></div></blockquote></div><p>Default Setting</p><pre class="screen">UPDATES=yes</pre></dd><dt><span class="term"><code class="varname">MAX_WARN</code></span></dt><dd><p><span class="emphasis"><em>Unused</em></span></p><p>Produces a warning if a number of MOVED (redirect) responses are
377               retrieved. This is currently unused.</p><p>Default Setting</p><pre class="screen">MAX_WARN=20</pre></dd><dt><span class="term"><code class="varname">PROMPTS</code></span></dt><dd><p><span class="emphasis"><em>Deprecated</em></span></p><p>Disables Nikto prompts if set to "no". This is currently
378               unused and has been deprecated by the UPDATES item.</p><p>Default Setting</p><pre class="screen">PROMPTS=</pre></dd><dt><span class="term"><code class="varname">CIRT</code></span></dt><dd><p>The IP address that Nikto will use to update the databases
379               and plugins, or will send version information back to (as
380               described in the <code class="varname">UPDATES</code> item).</p><p>Default Setting</p><pre class="screen">CIRT=209.172.49.178</pre></dd><dt><span class="term"><code class="varname">PROXYHOST</code>, </span><span class="term"><code class="varname">PROXYPORT</code>, </span><span class="term"><code class="varname">PROXYUSER</code>, </span><span class="term"><code class="varname">PROXYPASS</code></span></dt><dd><p>Address, port, username and password of a proxy to relay all
381               requests through. Note that to use a proxy you must both set these
382               items in the configuration file and supply the
383               <em class="parameter"><code>-useproxy</code></em> switch on the command
384               line. PROXYPASS is stored in clear text, so restrict read access to the configuration file.</p><p>Default Setting</p><pre class="screen">PROXYHOST=
385PROXYPORT=
386PROXYUSER=
387PROXYPASS=</pre></dd><dt><span class="term"><code class="varname">STATIC-COOKIE</code></span></dt><dd><p>Adds the supplied cookie to all requests made via Nikto,
388               this is useful when an authentication cookie is required
389               for a website. For example:</p><pre class="screen">STATIC-COOKIE=userid=0</pre><p>Default Setting</p><pre class="screen">STATIC-COOKIE=</pre></dd><dt><span class="term"><code class="varname">CHECKMETHODS</code></span></dt><dd><p>Nikto will attempt to identify targets as webservers by
390               sending a request to fetch the / URI via certain HTTP methods.
391               Some web servers do not implement all HTTP methods and may cause
392               Nikto to fail to identify the web server correctly if it doesn't
393               support the method being used.</p><p>If this setting is missing from the configuration file,
394               then Nikto will default back to the Nikto 2.02 default of
395               HEAD.</p><p>Default Setting</p><pre class="screen">CHECKMETHODS=HEAD GET</pre></dd><dt><span class="term"><code class="varname">EXECDIR</code>, </span><span class="term"><code class="varname">PLUGINDIR</code>, </span><span class="term"><code class="varname">TEMPLATEDIR</code>, </span><span class="term"><code class="varname">DOCDIR</code></span></dt><dd><p>Defines where to find the location of Nikto, its plugins,
396               XML/HTML templates and documents. This should only normally be
397               changed if repackaging Nikto to work with different file system
398               standards. Nikto will use the EXECDIR item to guess the other
399               directories.</p><p>Default Setting</p><pre class="screen">EXECDIR=.
400PLUGINDIR=EXECDIR/plugins
401TEMPLATEDIR=EXECDIR/templates
402DOCDIR=EXECDIR/docs</pre></dd></dl></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="reports"></a>Chapter 6. Output and Reports</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2864279">Export Formats</a></span></dt><dt><span class="section"><a href="#id2864309">HTML and XML Customisation</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2864279"></a>Export Formats</h2></div></div></div><p>Nikto saved output comes in four flavours: text, CSV, XML or HTML.
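</p><p>Reports are built from text templates, as described under "HTML and XML Customisation" below: each #variable-name token is replaced with a value from the scan. The following is an added example of that substitution, written for this page in Python rather than taken from Nikto's own report plugins; the template fragments, the variable names (hostname, ip, port, banner, uri, message) and the scan result in it are constructed assumptions. It adds one check a report generator needs: values copied from the target (the server banner, for instance) are HTML-escaped before they are placed in the report, so a hostile banner cannot inject markup into the browser of whoever opens it.</p>

```python
import html
import re

# Constructed template fragments in the #variable-name style the manual
# describes. The variable names and the markup are assumptions made for this
# example; they are not copied from Nikto's htm_*.tmpl files.
HOST_HEAD = '<h2>#hostname (#ip), port #port</h2>\n<p>Banner: #banner</p>\n<table>\n'
HOST_ITEM = '<tr><td><a href="http://#hostname:#port#uri">#uri</a></td><td>#message</td></tr>\n'
HOST_END = '</table>\n'

# A variable is a "#" followed by a run of word characters or hyphens.
VAR_RE = re.compile(r"#([A-Za-z0-9_-]+)")


def render(template, values, escape=True):
    """Replace every #name in template with values[name].

    Unknown names are left untouched so that a template typo stays visible in
    the report instead of silently vanishing. With escape=True every
    substituted value is HTML-escaped: scan results contain strings chosen by
    the target (Server banner, redirect locations, page content), so an
    unescaped report is a stored-XSS sink for the person reading it.
    """
    def sub(m):
        name = m.group(1)
        if name not in values:
            return m.group(0)
        value = str(values[name])
        return html.escape(value, quote=True) if escape else value
    return VAR_RE.sub(sub, template)


def render_host(host, items, escape=True):
    """Render one host block: head, one row per finding, closing markup."""
    out = [render(HOST_HEAD, host, escape)]
    for item in items:
        out.append(render(HOST_ITEM, dict(host, **item), escape))
    out.append(HOST_END)
    return "".join(out)


# Constructed scan result. The banner is deliberately hostile: a target can
# return any bytes in its Server header, and the banner is copied into the
# report. The second URI is constructed to break out of the href attribute.
SAMPLE_HOST = {
    "hostname": "localhost",
    "ip": "127.0.0.1",
    "port": 80,
    "banner": "Apache/2 <i>injected markup</i>",
}
SAMPLE_ITEMS = [
    {"uri": "/manual/", "message": "Web server manual"},
    {"uri": '/a"onmouseover="alert(1)', "message": "constructed finding"},
]


if __name__ == "__main__":
    print(render_host(SAMPLE_HOST, SAMPLE_ITEMS))
```

<p>Running it prints the rendered host block for the constructed result. Calling render_host with escape=False shows the injected markup and the broken href surviving into the report, which is the failure mode the escaping prevents; a template engine used for scanner output should default to escaping and require an explicit opt-out for values that are known to be trusted markup.</p><p>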
403      When using <em class="parameter"><code>-output</code></em>, an output format may be
404      specified with <em class="parameter"><code>-Format</code></em>. Text format is assumed if
405      nothing is specified with <em class="parameter"><code>-Format</code></em>. The DTD for the
406      Nikto XML format can be found in the 'docs' directory (nikto.dtd).</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2864309"></a>HTML and XML Customisation</h2></div></div></div><p>HTML reports are generated from template files located in the
407      <code class="filename">templates</code> directory. Variables are defined as
408      <code class="varname">#variable-name</code>, and are replaced when the report is
409      generated. The files <code class="filename">htm_start.tmpl</code> and
410      <code class="filename">htm_end.tmpl</code> are included at the beginning and end
411      of the report (respectively). The <code class="filename">htm_summary.tmpl</code>
412      also appears at the beginning of the report. The
413      <code class="filename">htm_host_head.tmpl</code> appears once for every host, and the
414      <code class="filename">htm_host_item.tmpl</code> and
415      <code class="filename">htm_host_im.tmpl</code> appear once for each item
416      found on a host and each "informational message" per host
417      (respectively).</p><p>All valid variables are used in these templates. Future versions
418      of this documentation will include a list of variables and their
419      meaning.</p><p>The copyright statements must not be removed from the
420      <code class="filename">htm_end.tmpl</code> without placing them in another of the
421      templates. It is a violation of the Nikto licence to remove these
422      notices.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="expanding"></a>Chapter 7. Test and Code Writing</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2864394">Scan Database Field Values</a></span></dt><dt><span class="section"><a href="#id2864561">User-Defined Tests</a></span></dt><dt><span class="section"><a href="#id2864625">Scan Database Syntax</a></span></dt><dt><span class="section"><a href="#id2864653">Plugins</a></span></dt><dd><dl><dt><span class="section"><a href="#id2864773">Initialisation Phase</a></span></dt><dt><span class="section"><a href="#id2865155">Reconnaisance Phase</a></span></dt><dt><span class="section"><a href="#id2865224">Scan Phase</a></span></dt><dt><span class="section"><a href="#id2865263">Reporting Phase</a></span></dt><dt><span class="section"><a href="#id2865588">Data Structures</a></span></dt><dt><span class="section"><a href="#id2865863">Standard Methods</a></span></dt><dt><span class="section"><a href="#id2866492">Global Variables</a></span></dt></dl></dd><dt><span class="section"><a href="#id2867005">Test Identifiers</a></span></dt><dt><span class="section"><a href="#id2867133">Code Copyrights</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2864394"></a>Scan Database Field Values</h2></div></div></div><p>Though some checks can be found in other plugins, the
423      <code class="filename">scan_database.db</code> contains the bulk of the web test
424      information. Here is a description of the field values:</p><div class="table"><a name="id2864410"></a><p class="title"><b>Table 7.1. Scan Database Fields</b></p><div class="table-contents"><table summary="Scan Database Fields" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Test ID</td><td>Nikto test ID</td></tr><tr><td>OSVDB-ID</td><td>Corresponding vulnerability entry number for
425            osvdb.org</td></tr><tr><td>Server Type</td><td>Generic server matching type</td></tr><tr><td>URI</td><td>URI to retrieve</td></tr><tr><td>HTTP Method</td><td>HTTP method to use for URI</td></tr><tr><td>Match 1</td><td>String or code to match for successful test</td></tr><tr><td>Match 1 (Or)</td><td>String or code to alternatively match for successful
426            test</td></tr><tr><td>Match 1 (And)</td><td>String or code to also match for successful
427            test</td></tr><tr><td>Fail 1</td><td>String or code to match for test failure</td></tr><tr><td>Fail 2</td><td>String or code to match for test failure
428            (alternative)</td></tr><tr><td>Summary</td><td>Summary message to report for successful test</td></tr><tr><td>HTTP Data</td><td>HTTP data to be sent during POST tests</td></tr><tr><td>Headers</td><td>Additional headers to send during test</td></tr></tbody></table></div></div><br class="table-break"></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2864561"></a>User-Defined Tests</h2></div></div></div><p>Users can create their own, private tests for any of the
429      databases. By placing a syntactically correct database file in the
430      <code class="filename">plugins</code> directory, with a file name prefaced with a
431      "u", the data will be loaded along with the built-in checks.</p><p>For example, create the file
432      <code class="filename">plugins/udb_tests</code> and it will be loaded at the
433      same time <code class="filename">plugins/db_tests</code> is loaded. These files
434      will also be checked for syntax when <em class="parameter"><code>-dbcheck</code></em> is
435      used.</p><p>For tests which require a "private" OSVDB ID, use the OSVDB ID 0
436      (zero). This should be used for all vulnerabilities that do not (or
437      should not) exist in OSVDB, as ID 0 is for testing only. You are
438      encouraged to send missing information to OSVDB at
439      moderators@osvdb.org.</p><p>For the "Test ID", it is recommended you use unique numbers
440      between 400000 and 499999 to allow for growth of the Nikto database
441      without interfering with your own tests (note: numbers above 500000 are
442      reserved for other tests).</p><p>Please help Nikto's continued success by sending test updates to
443      <code class="email">&lt;<a class="email" href="mailto:sullo@cirt.net">sullo@cirt.net</a>&gt;</code>.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2864625"></a>Scan Database Syntax</h2></div></div></div><p>The scan database is a comma-separated (CSV) file which contains most of
444      the tests. Each field is enclosed in double quotes and fields are separated by commas. The
445      field order is:</p><p>Test-ID, OSVDB-ID, Tuning Type, URI, HTTP Method, Match 1, Match 1
446      Or, Match1 And, Fail 1, Fail 2, Summary, HTTP Data, Headers</p><p>Here is an example test:</p><pre class="screen">"120","3092","2","/manual/","GET","200","","","","","Web server manual","",""</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2864653"></a>Plugins</h2></div></div></div><p>To allow a bit more flexibility, Nikto allows plugins so that there
447      is an easy way to extend its capabilities without changing the core and
448      some future proofing.</p><p>Plugins are run in four phases:</p><div class="blockquote"><blockquote class="blockquote"><div class="variablelist"><dl><dt><span class="term">Initialisation (mandatory)</span></dt><dd><p>Plugin initialisation is performed before targets are
449               assigned. During this phase, the plugin should tell Nikto
450               about its existence and capabilities. It may optionally
451               set up any later required variables.</p></dd><dt><span class="term">Reconnaissance (optional)</span></dt><dd><p>During the reconnaissance phase, the plugin should look
452               for interesting information that may be of use during the scan
453               phase. It may report vulnerabilities, though this is
454               discouraged.</p></dd><dt><span class="term">Scan (optional)</span></dt><dd><p>The scan phase should perform the main work of the plugin: this
455               is where it should look at the web server and return any
456               potential vulnerabilities.</p></dd><dt><span class="term">Reporting (optional)</span></dt><dd><p>The reporting phase is used to export any found
457               vulnerabilities into a format that they can be used later, for
458               example written as a file report, or imported into a database.
459               No testing of the web server, or reporting of new vulnerabilities,
460               should be performed in this phase.</p><p>This phase is slightly more complex than the others and may
461               be called at several points during Nikto's execution, as detailed
462               later.</p></dd></dl></div></blockquote></div><p>Plugins are written in standard Perl and are loaded into Nikto's running context. They
463      should be placed within the <code class="varname">PLUGINDIR</code> defined in the
464      Nikto configuration file and must have a filename ending in
465      <code class="filename">.plugin</code>.</p><p>An important concept to grasp about plugins, and the order in which they are
466      executed, is plugin weight: each phase executes all defined
467      plugins in the order given by their weight. A plugin's weight is defined
468      as a number between 1 and 100, where 1 is high priority and 100 is low
469      priority. Plugins of equal weight will be executed in an undefined
470      order.</p><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2864773"></a>Initialisation Phase</h3></div></div></div><p>As described above, all plugins must be able to execute in the
471         initialisation phase or they will be ignored.</p><p>A Perl sub named
472         <code class="function"><em class="replaceable"><code>filename</code></em>_init</code> must exist, where <em class="replaceable"><code>filename</code></em> is the plugin's file name without its <code class="filename">.plugin</code> suffix. The
473         sub is passed no parameters and should return a reference to a
474         hash containing the following entries:</p><div class="variablelist"><dl><dt><span class="term"><em class="structfield"><code>name</code></em> (mandatory)</span></dt><dd><p>The short name of the plugin. This is used to identify
475                  the plugin during verbose logging and will, in future
476                  versions, be used to select plugin execution. The name
477                  should be one word and, ideally, lower case.</p></dd><dt><span class="term"><em class="structfield"><code>full_name</code></em> (mandatory)</span></dt><dd><p>The full name of the plugin. This is used to identify
478                  the plugin during verbose logging and may be used in
479                  reporting modules to identify tests run against the web
480                  server.</p></dd><dt><span class="term"><em class="structfield"><code>author</code></em> (mandatory)</span></dt><dd><p>The name or handle of the author of the plugin. This
481                  may be used during reporting to identify ownerships of
482                  copyright of tests run against the web server.</p></dd><dt><span class="term"><em class="structfield"><code>description</code></em> (mandatory)</span></dt><dd><p>A short sentence to describe the purpose of the plugin.
This may be used during reporting, or by a front end to describe
the purpose of the plugin.</p></dd><dt><span class="term"><em class="structfield"><code>copyright</code></em> (mandatory)</span></dt><dd><p>The copyright string (or lack of it) of the plugin. This
may be used during reporting to ensure that appropriate
copyright is assigned to reports.</p></dd><dt><span class="term"><em class="structfield"><code>recon_method</code></em> (optional)</span></dt><dd><p>This should be a reference to a function used during the
reconnaissance phase of the plugin's execution. If this is left
undefined then the plugin will not execute during the
reconnaissance phase.</p></dd><dt><span class="term"><em class="structfield"><code>recon_cond</code></em> (optional)</span></dt><dd><p>This is an expression to be evaluated before the plugin
is executed; if it evaluates true the plugin is executed, otherwise the
plugin is skipped. This can be used to minimise plugin
execution.</p></dd><dt><span class="term"><em class="structfield"><code>recon_weight</code></em> (optional)</span></dt><dd><p>This is the weight used to schedule the running of the
plugin during the reconnaissance phase. If this is left
undefined it will default to 50.</p></dd><dt><span class="term"><em class="structfield"><code>scan_method</code></em> (optional)</span></dt><dd><p>This should be a reference to a function used during the
scan phase of the plugin's execution. If this is left
undefined then the plugin will not execute during the
scan phase.</p></dd><dt><span class="term"><em class="structfield"><code>scan_cond</code></em> (optional)</span></dt><dd><p>This is an expression to be evaluated before the plugin
is executed; if it evaluates true the plugin is executed, otherwise the
plugin is skipped. This can be used to minimise plugin
execution.</p></dd><dt><span class="term"><em class="structfield"><code>scan_weight</code></em> (optional)</span></dt><dd><p>This is the weight used to schedule the running of the
plugin during the scan phase. If this is left undefined it
will default to 50.</p></dd><dt><span class="term"><em class="structfield"><code>report_head</code></em> (optional)</span></dt><dd><p>This should be a reference to a function executed
before any testing commences. If this is left undefined then
the plugin will not be called to produce a report
header.</p></dd><dt><span class="term"><em class="structfield"><code>report_host_start</code></em>
(optional)</span></dt><dd><p>This should be a reference to a function executed before
the reconnaissance phase of each host. If this is left
undefined then the plugin will not be called to produce a host
header.</p></dd><dt><span class="term"><em class="structfield"><code>report_host_end</code></em>
(optional)</span></dt><dd><p>This should be a reference to a function executed after
the scan phase of each host. If this is left undefined then
the plugin will not be called to produce a host footer.</p></dd><dt><span class="term"><em class="structfield"><code>report_item</code></em> (optional)</span></dt><dd><p>This should be a reference to a function executed after
each found vulnerability. If this is left undefined then
the plugin will not be called to produce an item
record.</p></dd><dt><span class="term"><em class="structfield"><code>report_close</code></em> (optional)</span></dt><dd><p>This should be a reference to a function executed after
testing of all hosts has been finished. If this is left
undefined then the plugin will not be called to close the
report.</p></dd><dt><span class="term"><em class="structfield"><code>report_format</code></em> (optional)</span></dt><dd><p>This should describe the file format that the plugin
handles. This is internally matched with the contents of the
<em class="parameter"><code>-output</code></em> switch to reduce excessive
calls to plugins.</p></dd><dt><span class="term"><em class="structfield"><code>report_weight</code></em> (optional)</span></dt><dd><p>This is the weight used to schedule the running of the
plugin during the reporting phase. If this is left undefined
it will default to 50.</p></dd></dl></div><div class="example"><a name="id2865142"></a><p class="title"><b>Example 7.1. Example initialisation function</b></p><div class="example-contents"><pre class="programlisting">sub nikto_dictionary_attack_init
{
   # Build the hash reference that describes this plugin to Nikto
   my $id =
   {
      name         =&gt; "dictionary",
      full_name    =&gt; "Dictionary attack",
      author       =&gt; "Deity",
      description  =&gt; "Attempts to dictionary attack commonly known directories/files",
      recon_method =&gt; \&amp;nikto_dictionary_attack,   # run during the reconnaissance phase
      recon_cond   =&gt; '$CLI{mutate} =~ /6/',        # only when -mutate includes 6
      recon_weight =&gt; 20,                           # higher priority than the default of 50
      copyright    =&gt; "2009 CIRT Inc"
   };

   return $id;
}</pre></div></div><br class="example-break"></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2865155"></a>Reconnaissance Phase</h3></div></div></div><p>The reconnaissance phase is executed for each target at the start
of each scan.</p><p>Each reconnaissance method should expect to take a
<code class="varname">mark</code> hash ref. It should return nothing.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">void <b class="fsfunc">recon_method</b>(</code></td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>hashref <var class="pdparam">mark</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>The reconnaissance phase is intended to be used to pull
information about the web server for later use by the plugin, or by
other plugins. Reporting vulnerabilities in this phase is
discouraged.</p><p>Example uses of the reconnaissance phase are to spider a site,
check for known applications etc.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2865224"></a>Scan Phase</h3></div></div></div><p>The scan phase is the meat of the plugin's life; it is run,
for each target, immediately after the reconnaissance phase.</p><p>Each scan should check for vulnerabilities it knows about and
report each one as it is found.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">void <b class="fsfunc">scan_method</b>(</code></td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>hashref <var class="pdparam">mark</var></code>;</div><div class="funcprototype-spacer"> </div></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2865263"></a>Reporting Phase</h3></div></div></div><p>This is potentially the most convoluted phase as it has several
hooks that may be used for each section in the scan's lifetime.</p><p>The hooks are:</p><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2865277"></a>Report Head</h4></div></div></div><p>This hook is called immediately after target acquisition and
before the reconnaissance phase. It is designed to allow the
reporting plugin to open the report and ensure that any headers
are appropriately written.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">handle <b class="fsfunc">report_head</b>(</code></td><td><var class="pdparam">filename</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">filename</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>The <em class="parameter"><code>filename</code></em> parameter is a bit of a
misnomer; it will be a copy of the string passed to the
<em class="parameter"><code>-output</code></em> switch and may indicate, for
example, a database name.</p><p>The returned <em class="parameter"><code>handle</code></em> will be
passed to the other reporting functions of this plugin, so it should be
internally consistent.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2865340"></a>Report Host Start</h4></div></div></div><p>This hook is called immediately before the reconnaissance
phase for each target. It is designed to allow the reporting plugin
to write any host specific information.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">void <b class="fsfunc">report_host_start</b>(</code></td><td><var class="pdparam">rhandle</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>handle <var class="pdparam">rhandle</var></code>;<br><code>hashref <var class="pdparam">mark</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>The <em class="parameter"><code>rhandle</code></em> parameter is the output
of the plugin's Report Head function.</p><p>The <em class="parameter"><code>mark</code></em> parameter is a hashref for the
target information (described below).</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2865402"></a>Report Host End</h4></div></div></div><p>This hook is called immediately after the scan phase for
each target. It is designed to allow the reporting plugin to close
any host specific information.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">void <b class="fsfunc">report_host_end</b>(</code></td><td><var class="pdparam">rhandle</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>handle <var class="pdparam">rhandle</var></code>;<br><code>hashref <var class="pdparam">mark</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>The <em class="parameter"><code>rhandle</code></em> parameter is the output
of the plugin's Report Head function.</p><p>The <em class="parameter"><code>mark</code></em> parameter is a hashref for the
target information (described below).</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2865464"></a>Report Item</h4></div></div></div><p>This hook is called once for each vulnerability found on the
target. This should report details about the vulnerability.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">void <b class="fsfunc">report_item</b>(</code></td><td><var class="pdparam">rhandle</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">mark</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">vulnerability</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>handle <var class="pdparam">rhandle</var></code>;<br><code>hashref <var class="pdparam">mark</var></code>;<br><code>hashref <var class="pdparam">vulnerability</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>The <em class="parameter"><code>rhandle</code></em> parameter is the output of
the plugin's Report Head function.</p><p>The <em class="parameter"><code>mark</code></em> parameter is a hashref for
the target information (described below).</p><p>The <em class="parameter"><code>vulnerability</code></em> parameter is a
hashref for the vulnerability information (described below).</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2865542"></a>Report Close</h4></div></div></div><p>This hook is called immediately after all targets have been
scanned. It is designed to allow the reporting plugin to cleanly
close the report.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">void <b class="fsfunc">report_close</b>(</code></td><td><var class="pdparam">rhandle</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>handle <var class="pdparam">rhandle</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>The <em class="parameter"><code>rhandle</code></em> parameter is the output of
the plugin's Report Head function.</p></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2865588"></a>Data Structures</h3></div></div></div><p>The below data structures are used to communicate between the
various plugin methods. Unless otherwise mentioned, they are all
standard Perl hash references with the members detailed below.</p><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2865600"></a><span class="structname">Mark</span></h4></div></div></div><p>The mark hash contains all information about a target. It
contains the below members. It should be treated as read-only.</p><div class="blockquote"><blockquote class="blockquote"><div class="table"><a name="id2865614"></a><p class="title"><b>Table 7.2. Members of the <span class="structname">Mark</span>
structure</b></p><div class="table-contents"><table summary="Members of the Mark structure" border="1"><colgroup><col><col></colgroup><tbody><tr><td><em class="structfield"><code>ident</code></em></td><td>
Host identifier, usually equivalent to what was
passed on the command line.
</td></tr><tr><td><em class="structfield"><code>hostname</code></em></td><td>
Host name of the target.
</td></tr><tr><td><em class="structfield"><code>ip</code></em></td><td>
IP address of the target.
</td></tr><tr><td><em class="structfield"><code>port</code></em></td><td>
TCP port of the target.
</td></tr><tr><td><em class="structfield"><code>display_name</code></em></td><td>
Either the hostname or the IP address of the
target, dependent on whether a hostname has been
discovered.
</td></tr><tr><td><em class="structfield"><code>ssl</code></em></td><td>
Flag to indicate whether the target runs over SSL.
If it is set to 0, then the plugin should not use SSL. Any
other value indicates SSL should be used.
</td></tr><tr><td><em class="structfield"><code>vhost</code></em></td><td>
Virtual hostname to use for the target.
</td></tr><tr><td><em class="structfield"><code>root</code></em></td><td>
Root URI to use for the target.
</td></tr><tr><td><em class="structfield"><code>banner</code></em></td><td>
Banner of the target's web server.
</td></tr></tbody></table></div></div><br class="table-break"></blockquote></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2865747"></a>Vulnerability</h4></div></div></div><p>The vulnerability hash contains all information about a
vulnerability. It contains the below members. Plugins should treat it
as read-only; new entries should only be created through the
<code class="function">add_vulnerability</code> method.</p><div class="blockquote"><blockquote class="blockquote"><div class="table"><a name="id2865767"></a><p class="title"><b>Table 7.3. Members of the <span class="structname">Vulnerability</span>
structure</b></p><div class="table-contents"><table summary="Members of the Vulnerability structure" border="1"><colgroup><col><col></colgroup><tbody><tr><td>mark</td><td>Hash ref to a mark data structure.</td></tr><tr><td>message</td><td>Message for the vulnerability.</td></tr><tr><td>nikto_id</td><td>Test ID (tid) of the vulnerability; this should be
a unique number that identifies the vulnerability.</td></tr><tr><td>osvdb</td><td>OSVDB reference to the vulnerability in the Open
Source Vulnerability Database. This may be 0 if an OSVDB
reference is not relevant or doesn't exist.</td></tr><tr><td>method</td><td>HTTP method used to find the vulnerability.</td></tr><tr><td>uri</td><td>URI for the result.</td></tr><tr><td>result</td><td>Any HTTP data, excluding headers.</td></tr></tbody></table></div></div><br class="table-break"></blockquote></div></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2865863"></a>Standard Methods</h3></div></div></div><p>Several standard methods are defined in
<code class="filename">nikto_core.plugin</code> that can be used by all
plugins. It is strongly advised that these should be used where
possible instead of writing new methods.</p><p>For methods such as <code class="function">add_vulnerability</code>
that write to global variables, these <span class="emphasis"><em>must</em></span> be
the only interface to those global variables.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">array <b class="fsfunc">change_variables</b>(</code></td><td><var class="pdparam">line</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">line</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Expands any variables in the line parameter. The expansions are
variables defined in the global array <code class="varname">@VARIABLES</code>,
which may be read from <code class="filename">db_variables</code>, or added by
reconnaissance plugin methods.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">int <b class="fsfunc">is_404</b>(</code></td><td><var class="pdparam">uri</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">content</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">HTTPcode</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">uri</var></code>;<br><code>string <var class="pdparam">content</var></code>;<br><code>string <var class="pdparam">HTTPcode</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Makes a guess whether the result is a real web page or an error
page. As several web servers are badly configured and don't return
HTTP 404 codes when a page isn't found, Nikto attempts to look for
common error pages. Returns 1 if the page looks like an error.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">string <b class="fsfunc">get_ext</b>(</code></td><td><var class="pdparam">uri</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">uri</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Attempts to work out the extension of the uri. Will return the
extension or one of the special cases: DIRECTORY, DOTFILE, NONE.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">string <b class="fsfunc">date_disp</b>(</code></td><td><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>void</code>;</div><div class="funcprototype-spacer"> </div></div><p>Returns the current time in a human readable format
(YYYY-mm-dd hh:mm:ss).</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">string <b class="fsfunc">rm_active</b>(</code></td><td><var class="pdparam">content</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">content</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Attempts to remove active content (e.g. dates, adverts etc.)
from a page. Returns a filtered version of the content.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">string <b class="fsfunc">get_banner</b>(</code></td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>hashref <var class="pdparam">mark</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Pulls the web server's banner. This is automatically performed
for all targets before a mark is passed to the plugin.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">boolean <b class="fsfunc">content_present</b>(</code></td><td><var class="pdparam">HTTPcode</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">HTTPcode</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Checks the HTTP response code against known "found" responses. TRUE
indicates that the request was probably successful.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">string HTTPCode, string content <b class="fsfunc">fetch</b>(</code></td><td><var class="pdparam">uri</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">method</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">content</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">headers</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">noclean</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">uri</var></code>;<br><code>string <var class="pdparam">method</var></code>;<br><code>string <var class="pdparam">content</var></code>;<br><code>hashref <var class="pdparam">headers</var></code>;<br><code>boolean <var class="pdparam">noclean</var></code>;</div><div class="funcprototype-spacer"> </div></div><p><span class="emphasis"><em>Deprecated</em></span></p><p>Performs a simple HTTP request to URI using the HTTP method
<em class="parameter"><code>method</code></em>. <em class="parameter"><code>content</code></em> supplies
any data to pass in the HTTP body. <em class="parameter"><code>headers</code></em>
allows any custom headers to be placed in the request.
<em class="parameter"><code>noclean</code></em> is a flag specifying that the request
shouldn't be cleaned up before being sent (e.g. if the Host: header
is blank).</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">string HTTPCode, string content <b class="fsfunc">nfetch</b>(</code></td><td><var class="pdparam">uri</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">method</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">content</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">headers</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">noclean</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">uri</var></code>;<br><code>string <var class="pdparam">method</var></code>;<br><code>string <var class="pdparam">content</var></code>;<br><code>hashref <var class="pdparam">headers</var></code>;<br><code>boolean <var class="pdparam">noclean</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>An updated version of fetch that uses a local, rather than a
global, request/result structure. This should be used in preference to
fetch.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">hashref <b class="fsfunc">setup_hash</b>(</code></td><td><var class="pdparam">requesthash</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>hashref <var class="pdparam">requesthash</var></code>;<br><code>hashref <var class="pdparam">mark</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Sets up a libwhisker hash with the normal Nikto variables.
This should be used if any custom calls to libwhisker are made.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">string <b class="fsfunc">char_escape</b>(</code></td><td><var class="pdparam">line</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">line</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Escapes any characters within line.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">array <b class="fsfunc">parse_csv</b>(</code></td><td><var class="pdparam">text</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">text</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Breaks a line of CSV text into an array of items.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">arrayref <b class="fsfunc">initialise_db</b>(</code></td><td><var class="pdparam">dbname</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">dbname</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Initialises a database that is in <code class="varname">PLUGINDIR</code>
and returns an arrayref. The arrayref is to an array of hashrefs; the
keys of each hash are taken from the first (header) line of the database file, for
example:</p><pre class="screen">"nikto_id","md5hash","description"</pre><p>This will result in an array of hashrefs with parameters:</p><pre class="screen">array[0]-&gt;{nikto_id}
array[0]-&gt;{md5hash}
array[0]-&gt;{description}</pre><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">void <b class="fsfunc">add_vulnerability</b>(</code></td><td><var class="pdparam">mark</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">message</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">nikto_id</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">osvdb</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">method</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">uri</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">data</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>hashref <var class="pdparam">mark</var></code>;<br><code>string <var class="pdparam">message</var></code>;<br><code>string <var class="pdparam">nikto_id</var></code>;<br><code>string <var class="pdparam">osvdb</var></code>;<br><code>string <var class="pdparam">method</var></code>;<br><code>string <var class="pdparam">uri</var></code>;<br><code>string <var class="pdparam">data</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Adds a vulnerability for the mark, displays it on standard out
and sends it to any reporting plugins.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" class="funcprototype-table"><tr><td><code class="funcdef">void <b class="fsfunc">nprint</b>(</code></td><td><var class="pdparam">message</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">display</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>string <var class="pdparam">message</var></code>;<br><code>string <var class="pdparam">display</var></code>;</div><div class="funcprototype-spacer"> </div></div><p>Prints <em class="parameter"><code>message</code></em> to standard out.
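</p><p>The scan phase and the standard methods above, worked through in one complete plugin. This is an added example, not code from the Nikto distribution or its authors: the file name, the check list and its matching patterns, the test IDs and the author/copyright strings are constructed placeholders, and the <code class="function">nfetch</code>, <code class="function">content_present</code>, <code class="function">is_404</code>, <code class="function">rm_active</code>, <code class="function">add_vulnerability</code> and <code class="function">nprint</code> calls follow the synopses given in this section.</p>
```perl
#!/usr/bin/perl
# nikto_vcsfiles.plugin -- constructed example, not part of the Nikto
# distribution. Reports version-control metadata served from the web root,
# something an administrator auditing their own server wants to know about.
# Standard-method signatures follow the synopses in this manual section;
# check them against the nikto_core.plugin that is actually installed.

# Constructed check list. Each entry gives the URI (appended to the mark's
# root), a pattern the body must match to count as the real file rather
# than a catch-all page, the report message and a placeholder test ID.
my @VCS_CHECKS = (
    { uri => "/.svn/entries", match => qr/^(?:\d+|dir)\s*$/m, nikto_id => "990001",
      msg => "Subversion metadata (.svn/entries) is readable from the web root" },
    { uri => "/.git/HEAD",    match => qr{^ref:\s*refs/}m,     nikto_id => "990002",
      msg => "Git metadata (.git/HEAD) is readable from the web root" },
    { uri => "/CVS/Entries",  match => qr{^(?:/|D)}m,          nikto_id => "990003",
      msg => "CVS metadata (CVS/Entries) is readable from the web root" },
);

# Initialisation phase: the sub name must be <filename>_init.
sub nikto_vcsfiles_init {
    my $id = {
        name        => "vcsfiles",
        full_name   => "Exposed version-control metadata",
        author      => "Example Author",            # placeholder
        description => "Checks whether .svn, .git or CVS metadata is served",
        copyright   => "Example copyright string",  # placeholder
        scan_method => \&nikto_vcsfiles,
        scan_weight => 60,   # runs after the default-weight (50) plugins
    };
    return $id;
}

# Scan phase: called once per target with the read-only mark hashref.
sub nikto_vcsfiles {
    my ($mark) = @_;

    my $root = defined $mark->{root} ? $mark->{root} : "";
    $root =~ s{/+$}{};   # avoid a double slash when the check URI is appended

    nprint("- vcsfiles: testing $mark->{display_name}:$mark->{port}", "v");

    for my $check (@VCS_CHECKS) {
        my $uri = $root . $check->{uri};

        # nfetch(uri, method, content, headers, noclean) -> (HTTP code, body)
        my ($code, $content) = nfetch($uri, "GET", "", {}, 0);

        # Drop responses whose code is not a "found" code ...
        next unless content_present($code);
        # ... or whose body looks like a soft 404 from a misconfigured server.
        next if is_404($uri, $content, $code);

        # Strip dates/adverts before matching so a dynamic page that merely
        # echoes the requested path does not produce a false positive.
        my $body = rm_active($content);
        unless ($body =~ $check->{match}) {
            nprint("- vcsfiles: $uri returned $code but the body did not match", "d");
            next;
        }

        # add_vulnerability is the only sanctioned way to record a finding.
        # OSVDB is 0 because no reference applies to this constructed check.
        add_vulnerability($mark, $check->{msg}, $check->{nikto_id}, 0,
                          "GET", $uri, $content);
    }
    return;   # scan methods return nothing
}

1;   # return true so the file loads cleanly when Nikto pulls it in
```
<p>Saved as <code class="filename">nikto_vcsfiles.plugin</code> in <code class="varname">PLUGINDIR</code> it runs against every target, since it defines no <em class="structfield"><code>scan_cond</code></em>.</p><p>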
638         <em class="parameter"><code>Display</code></em> specifies a filter for the message,
639         currently this can be "v" for verbose and "d" for debug
640         output.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2866492"></a>Global Variables</h3></div></div></div><p>The following global variables exist within Nikto, most of
         them are defined for internal use and their use by plugins is not
         advised. Several have been deprecated and should not be used by
         plugins.</p><div class="variablelist"><dl><dt><span class="term"><code class="varname">%TEMPLATES</code> (read/write)</span></dt><dd><p>Hash to store the HTML and XML report templates.</p></dd><dt><span class="term"><code class="varname">%ERRSTRINGS</code> (read)</span></dt><dd><p>Hash to contain all the entries in db_404 - a list of
                  strings that may indicate a 404.</p></dd><dt><span class="term"><code class="varname">%CLI</code> (read)</span></dt><dd><p>Hash of passed CLI parameters.</p></dd><dt><span class="term"><code class="varname">%VARIABLES</code> (read) (write)</span></dt><dd><p>Hash of contents of the entries in db_variables. Plugins
                  should only write to this hash in the reconnaissance
                  phase.</p></dd><dt><span class="term"><code class="varname">%TESTS</code> (read) (write)</span></dt><dd><p>Hash of the db_tests database. This is only intended
                  to be used by the tests plugin, though it could be used by a
                  reconnaissance plugin to add tests on the fly.</p></dd><dt><span class="term"><code class="varname">$CONTENT</code> (read) (write)
               (deprecated)</span></dt><dd><p>Global variable to store data from a fetch or nfetch. A
                  local variable should be used instead.</p></dd><dt><span class="term"><code class="varname">%NIKTO</code> (read)</span></dt><dd><p>Hash which contains internal Nikto data, such as help
                  for the command line parameters.</p></dd><dt><span class="term"><code class="varname">%REALMS</code> (read)</span></dt><dd><p>Hash of data from db_realms.</p></dd><dt><span class="term"><code class="varname">%NIKTOCONFIG</code> (read)</span></dt><dd><p>Hash containing the data read from the configuration
                  files.</p></dd><dt><span class="term"><code class="varname">%request</code> (read) (write)
               (deprecated), </span><span class="term"><code class="varname">%result</code> (read) (write)
               (deprecated)</span></dt><dd><p>Global libwhisker hashes. These should not be used; nfetch
                  or a local hash should be used instead.</p></dd><dt><span class="term"><code class="varname">%COUNTERS</code> (read) (write)</span></dt><dd><p>Hash containing various global counters (e.g. number of
                  requests).</p></dd><dt><span class="term"><code class="varname">%db_extensions</code> (read)
               (deprecated)</span></dt><dd><p>Hash containing a list of common extensions.</p></dd><dt><span class="term"><code class="varname">%FoF</code> (read) (write)</span></dt><dd><p>Hash containing, for each extension, what the
                  server returns when a non-existent file with that extension is
                  requested.</p></dd><dt><span class="term"><code class="varname">%UPDATES</code> (read) (write)</span></dt><dd><p>Hash containing any updates that need to be sent back
                  to cirt.net.</p></dd><dt><span class="term"><code class="varname">$DIV</code> (read)</span></dt><dd><p>Divider mark for the items sent to standard out.</p></dd><dt><span class="term"><code class="varname">@DBFILE</code> (read)</span></dt><dd><p>Placeholder used to hold the contents of
                  <code class="filename">db_tests</code>.</p></dd><dt><span class="term"><code class="varname">@BUILDITEMS</code> (read) (write)
               (deprecated)</span></dt><dd><p>Array to hold information for tests to act on later.
                  Its use should be avoided; a local variable should be used
                  instead.</p></dd><dt><span class="term"><code class="varname">$PROXYCHECKED</code> (read)</span></dt><dd><p>Flag recording whether the connection through the proxy has
                  been checked.</p></dd><dt><span class="term"><code class="varname">$http_eol</code> (read) (deprecated)</span></dt><dd><p>Contains the HTTP end-of-line pattern.</p></dd><dt><span class="term"><code class="varname">@RESULTS</code> (read)</span></dt><dd><p>Array of reported vulnerabilities; it should only be
                  written to through
                  <code class="function">add_vulnerability</code>.</p></dd><dt><span class="term"><code class="varname">@PLUGINS</code> (read)</span></dt><dd><p>Array of hashrefs for each plugin. Used internally to
                  run plugins.</p></dd><dt><span class="term"><code class="varname">@MARKS</code> (read)</span></dt><dd><p>Array of marks to indicate each target.</p></dd><dt><span class="term"><code class="varname">@REPORTS</code> (read)</span></dt><dd><p>Ordered array giving the order in which reporting plugins should be run.
                  Used for efficiency when calling reporting plugins.</p></dd><dt><span class="term"><code class="varname">%CACHE</code> (read) (write)</span></dt><dd><p>Contains the URI cache; it should only be read or written
                  through <code class="function">nfetch</code>. Members:</p><div class="blockquote"><blockquote class="blockquote"><div class="table"><a name="id2866927"></a><p class="title"><b>Table 7.4. Members of the <span class="structname">cache</span>
                  structure</b></p><div class="table-contents"><table summary="Members of the cache
                  structure" border="1"><colgroup><col><col></colgroup><tbody><tr><td><em class="structfield"><code>{uri}</code></em></td><td>URI for the cache</td></tr><tr><td><em class="structfield"><code>{uri}{method}</code></em></td><td>HTTP method used</td></tr><tr><td><em class="structfield"><code>{uri}{res}</code></em></td><td>HTTP result for URI</td></tr><tr><td><em class="structfield"><code>{uri}{content}</code></em></td><td>data for URI</td></tr><tr><td><em class="structfield"><code>{uri}{mark}</code></em></td><td>mark hashref for URI</td></tr></tbody></table></div></div><br class="table-break"></blockquote></div></dd></dl></div></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867005"></a>Test Identifiers</h2></div></div></div><p>Each test, whether it comes from one of the databases or in code,
     must have a unique identifier. The numbering scheme for test identifiers (TIDs) is
     as follows:</p><div class="blockquote"><blockquote class="blockquote"><div class="table"><a name="id2867019"></a><p class="title"><b>Table 7.5. TID Scheme</b></p><div class="table-contents"><table summary="TID Scheme" border="1"><colgroup><col><col></colgroup><tbody><tr><td>000000</td><td>db_tests</td></tr><tr><td>400000</td><td>user defined tests (<code class="filename">udb*</code>
           files)</td></tr><tr><td>500000</td><td>db_favicon</td></tr><tr><td>600000</td><td>db_outdated</td></tr><tr><td>700000</td><td>db_realms</td></tr><tr><td>800000</td><td>db_server_msgs</td></tr><tr><td>900000</td><td>tests defined in code</td></tr></tbody></table></div></div><br class="table-break"></blockquote></div><p>As much data as possible in the <code class="varname">%TESTS</code> hash
     should be populated for each new test that is defined in code (plugins).
     These fields are the URI for the test, the message to print on success,
     the HTTP method and the OSVDB ID. Without a 'message' value in
     <code class="varname">%TESTS</code>, the result will not be saved in HTML or XML
     reports. Not all tests are expected to have a uri, method or OSVDB ID.
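</p><p>The following Perl fragment is an added example; it is not code from this manual or from the Nikto project. It shows a plugin-defined test in the 900000 block of Table 7.5 being populated with the fields listed above, checked for the 'message' that HTML and XML reports require, and then reported through <code class="function">add_vulnerability</code> (with a progress line through <code class="function">nprint</code> under the "v" display filter), as the function synopses above describe. The helper names <code>tid_source</code> and <code>define_code_test</code> and the hook name <code>nikto_example_scan</code> are this example's own. It assumes that Nikto calls the scan hook with the mark hashref and that <code class="function">nfetch</code> takes (mark, uri, method, data, headers, parameters, ident) and returns the HTTP result code and the body as its first two values; neither is stated on this page. Run directly with <code>perl</code>, only the TID checks at the bottom execute; the manual's own four-line <code class="varname">%TESTS</code> snippet follows after it.</p>

```perl
#!/usr/bin/perl
# Added example (not part of Nikto or its manual): defining a test in
# code, checking its TID against Table 7.5, and reporting a hit.
use strict;
use warnings;

our %TESTS;    # inside Nikto this is the global db_tests hash

# Lower bound of each TID block from Table 7.5, highest first so the
# first match in tid_source() is the right one.
my @TID_BLOCKS = (
    [ 900000, 'tests defined in code' ],
    [ 800000, 'db_server_msgs' ],
    [ 700000, 'db_realms' ],
    [ 600000, 'db_outdated' ],
    [ 500000, 'db_favicon' ],
    [ 400000, 'user defined tests (udb* files)' ],
    [ 0,      'db_tests' ],
);

# Map a test identifier to the database it belongs to; undef if the
# identifier is not a number of at most six digits.
sub tid_source {
    my ($tid) = @_;
    return unless defined $tid && $tid =~ /^\d{1,6}$/;
    for my $block (@TID_BLOCKS) {
        return $block->[1] if $tid >= $block->[0];
    }
    return;
}

# Populate %TESTS for a test defined in a plugin.  Refuses a TID outside
# the 9xxxxx block, a TID already in use, and an entry without a message
# (without one the hit never reaches the HTML or XML reports).
sub define_code_test {
    my ($tid, %fields) = @_;
    my $src = tid_source($tid);
    die "TID $tid is not in the 'tests defined in code' block\n"
        unless defined $src && $src eq 'tests defined in code';
    die "TID $tid is already defined\n" if exists $TESTS{$tid};
    die "TID $tid needs a 'message'\n"
        unless defined $fields{message} && length $fields{message};
    for my $key (qw(uri message method osvdb)) {
        $TESTS{$tid}{$key} = $fields{$key} if defined $fields{$key};
    }
    return $tid;
}

# Scan hook as a plugin would expose it to Nikto (hypothetical name).
# Assumed: Nikto passes the mark hashref, and nfetch returns the HTTP
# result code and the body as its first two values.
sub nikto_example_scan {
    my ($mark) = @_;
    my $tid = define_code_test(
        999999,
        uri     => '/~root',
        message => 'Enumeration of users is possible by requesting ~username',
        method  => 'GET',
        osvdb   => 637,
    );
    my $test = $TESTS{$tid};
    nprint("+ TID $tid: requesting $test->{uri}", "v");
    my ($res, $content) =
        nfetch($mark, $test->{uri}, $test->{method}, "", "", "", "example_plugin");
    # A 200 means the server answered the ~username request; the result
    # is recorded with every field add_vulnerability expects.
    if (defined $res && $res eq '200') {
        add_vulnerability($mark, $test->{message}, $tid, $test->{osvdb},
                          $test->{method}, $test->{uri}, '');
    }
    return;
}

# Self-check run only when the file is executed directly; Nikto loads a
# plugin with require, so this block is skipped there.
unless (caller) {
    die "db_tests lookup" unless tid_source(1234) eq 'db_tests';
    die "udb lookup"
        unless tid_source(400001) eq 'user defined tests (udb* files)';
    die "code block lookup" unless tid_source(999999) eq 'tests defined in code';
    die "bad TID accepted" if defined tid_source('abc');
    define_code_test(999999, uri => '/~root', method => 'GET', osvdb => 637,
        message => 'Enumeration of users is possible by requesting ~username');
    die "osvdb not stored" unless $TESTS{999999}{osvdb} == 637;
    eval { define_code_test(400001, message => 'x'); 1 }
        and die "TID outside the 9xxxxx block accepted";
    eval { define_code_test(999998, uri => '/x'); 1 }
        and die "test without a message accepted";
    print "TID scheme checks passed\n";
}
```

<p>The validation in <code>define_code_test</code> is the part worth keeping in a real plugin: a test that collides with an existing TID or lacks a message is silently lost from the reports, which is the kind of defect that only shows up when someone compares the screen output with the saved XML.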
     Here is an example of setting those fields:</p><pre class="screen">$TESTS{999999}{uri}="/~root";
$TESTS{999999}{message}="Enumeration of users is possible by requesting ~username";
$TESTS{999999}{method}="GET";
$TESTS{999999}{osvdb}=637;</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867133"></a>Code Copyrights</h2></div></div></div><p>Any new or updated code, tests or information sent to the author
     is assumed to be free of copyrights. By sending new or updated code, tests
     or information to the author you relinquish all claims of copyright on
     the material, and agree that this code can be claimed under the same
     copyright as Nikto.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="troubleshooting"></a>Chapter 8. Troubleshooting</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2867157">SOCKS Proxies</a></span></dt><dt><span class="section"><a href="#id2867167">Debugging</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867157"></a>SOCKS Proxies</h2></div></div></div><p>Nikto does not currently support SOCKS proxies.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867167"></a>Debugging</h2></div></div></div><p>The major route to debugging Nikto requests is to use the
     <em class="parameter"><code>-Display</code></em> option with v (verbose) or d (debug). This
     will output a vast amount of extra information to the screen, so
     it is advised to redirect output to a file when using them.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="licences"></a>Chapter 9. Licences</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2867195">Nikto</a></span></dt><dt><span class="section"><a href="#id2867206">LibWhisker</a></span></dt><dt><span class="section"><a href="#id2867218">Tests</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867195"></a>Nikto</h2></div></div></div><p>Nikto is licensed under the GNU General Public License (GPL), and
     copyrighted by CIRT, Inc.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867206"></a>LibWhisker</h2></div></div></div><p>LibWhisker is licensed under the GNU General Public License (GPL),
     and copyrighted by Rain Forrest Puppy.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867218"></a>Tests</h2></div></div></div><p>The web tests are licensed for use with Nikto only, and may not be
     reused without written consent from CIRT, Inc.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="credits"></a>Chapter 10. Credits</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2867238">Nikto</a></span></dt><dt><span class="section"><a href="#id2867250">Thanks</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867238"></a>Nikto</h2></div></div></div><p>Nikto was originally written and maintained by Sullo, CIRT, Inc.
     It is currently maintained by David Lodge. LibWhisker was written
     by Rain Forrest Puppy.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867250"></a>Thanks</h2></div></div></div><p>Many people have provided feedback, fixes, and suggestions. This
     list attempts to make note of those people, though not all contributors
     are listed. In no particular order:</p><div class="itemizedlist"><ul type="disc"><li><p>Nikto 2 Testing: Paul Woroshow, Mark G. Spencer, Michel
           Arboi, Jericho, rfp</p></li><li><p>Jericho (attrition.org/OSVDB/OSF).
           Support/ideas/tests/corrections/spam and help matching OSVDB IDs
           to tests.</p></li><li><p>rfp (wiretrip.net). LibWhisker and continuing
           support.</p></li><li><p>Erik Cabetas for many updates and fixes.</p></li><li><p>Jake Kouns (OSVDB/OSF).</p></li><li><p>Jabra (spl0it.org) for XML DTD, XML templates and supporting
           code.</p></li><li><p>Stephen Valdez. Extensive testing. We all miss you.</p></li><li><p>S Saady. Extensive testing.</p></li><li><p>Zeno (cgisecurity.com). Nikto mirroring.</p></li><li><p>P Eronen (nixu.com). Provided many code fixes.</p></li><li><p>M Arboi. Great support by writing the code to make Nikto
           work within Nessus, as well as bug reports.</p></li><li><p>T Seyrat. Maintains Nikto for the Debian releases.</p></li><li><p>J DePriest. Ideas/fixes.</p></li><li><p>P Woroshow. Ideas/fixes.</p></li><li><p>fr0stman. Tests.</p></li><li><p>H Heimann. Tests.</p></li><li><p>Xiola (xiola.net). Web design and more.</p></li><li><p>Ryan Dewhurst. Domain guessing code.</p></li></ul></div><p>This document is © 2009 CIRT, Inc. and may not be reused without
     permission.</p></div></div></div></body></html>