source: trunk/docs/nikto_manual.html @ 386

Revision 248, 107.2 KB checked in by deity, 3 years ago (diff)

Update to manual

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Nikto v2.1.0 - The Manual</title><link rel="stylesheet" href="doc.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.73.2"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="id186254"></a>Nikto v2.1.0 - The Manual</h1></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="#introduction">1. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#id264630">Overview</a></span></dt><dt><span class="section"><a href="#id272958">Description</a></span></dt><dt><span class="section"><a href="#id276660">Advanced Error Detection Logic</a></span></dt><dt><span class="section"><a href="#id238011">History</a></span></dt></dl></dd><dt><span class="chapter"><a href="#installation">2. Installation</a></span></dt><dd><dl><dt><span class="section"><a href="#id238042">Requirements</a></span></dt><dt><span class="section"><a href="#id238232">Install</a></span></dt></dl></dd><dt><span class="chapter"><a href="#usage">3. Usage</a></span></dt><dd><dl><dt><span class="section"><a href="#id238272">Basic Testing</a></span></dt><dt><span class="section"><a href="#id238384">Multiple Port Testing</a></span></dt><dt><span class="section"><a href="#id238405">Multiple Host Testing</a></span></dt><dt><span class="section"><a href="#id238466">Using a Proxy</a></span></dt><dt><span class="section"><a href="#id238782">Updating</a></span></dt><dt><span class="section"><a href="#id238829">Integration with Nessus</a></span></dt></dl></dd><dt><span class="chapter"><a href="#options">4. 
Command Line Options</a></span></dt><dd><dl><dt><span class="section"><a href="#id238858">All Options</a></span></dt><dt><span class="section"><a href="#id286918">Mutation Techniques</a></span></dt><dt><span class="section"><a href="#id287020">Display</a></span></dt><dt><span class="section"><a href="#id287094">Scan Tuning</a></span></dt><dt><span class="section"><a href="#id287290">Single Request Mode</a></span></dt></dl></dd><dt><span class="chapter"><a href="#configuration">5. Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#id287336">Location</a></span></dt><dt><span class="section"><a href="#id237396">Format</a></span></dt><dt><span class="section"><a href="#id237410">Variables</a></span></dt></dl></dd><dt><span class="chapter"><a href="#reports">6. Output and Reports</a></span></dt><dd><dl><dt><span class="section"><a href="#id288190">Export Formats</a></span></dt><dt><span class="section"><a href="#id288220">HTML and XML Customisation</a></span></dt></dl></dd><dt><span class="chapter"><a href="#expanding">7. 
Test and Code Writing</a></span></dt><dd><dl><dt><span class="section"><a href="#id288304">Scan Database Field Values</a></span></dt><dt><span class="section"><a href="#id288472">User-Defined Tests</a></span></dt><dt><span class="section"><a href="#id288536">Scan Database Syntax</a></span></dt><dt><span class="section"><a href="#id288564">Plugins</a></span></dt><dd><dl><dt><span class="section"><a href="#id288684">Initialisation Phase</a></span></dt><dt><span class="section"><a href="#id289066">Reconnaissance Phase</a></span></dt><dt><span class="section"><a href="#id289135">Scan Phase</a></span></dt><dt><span class="section"><a href="#id289174">Reporting Phase</a></span></dt><dt><span class="section"><a href="#id289499">Data Structures</a></span></dt><dt><span class="section"><a href="#id289774">Standard Methods</a></span></dt><dt><span class="section"><a href="#id290403">Global Variables</a></span></dt></dl></dd><dt><span class="section"><a href="#id290916">Test Identifiers</a></span></dt><dt><span class="section"><a href="#id291044">Code Copyrights</a></span></dt></dl></dd><dt><span class="chapter"><a href="#troubleshooting">8. Troubleshooting</a></span></dt><dd><dl><dt><span class="section"><a href="#id291068">SOCKS Proxies</a></span></dt><dt><span class="section"><a href="#id291078">Debugging</a></span></dt></dl></dd><dt><span class="chapter"><a href="#licences">9. Licences</a></span></dt><dd><dl><dt><span class="section"><a href="#id291106">Nikto</a></span></dt><dt><span class="section"><a href="#id291117">LibWhisker</a></span></dt><dt><span class="section"><a href="#id291129">Tests</a></span></dt></dl></dd><dt><span class="chapter"><a href="#credits">10. Credits</a></span></dt><dd><dl><dt><span class="section"><a href="#id291149">Nikto</a></span></dt><dt><span class="section"><a href="#id291161">Thanks</a></span></dt></dl></dd></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>7.1. 
<a href="#id288321">Scan Database Fields</a></dt><dt>7.2. <a href="#id289525">Members of the <span class="structname">Mark</span>
               structure</a></dt><dt>7.3. <a href="#id289678">Members of the <span class="structname">Vulnerability</span>
               structure</a></dt><dt>7.4. <a href="#id290838">Members of the <span class="structname">cache</span>
                  structure</a></dt><dt>7.5. <a href="#id290930">TID Scheme</a></dt></dl></div><div class="list-of-examples"><p><b>List of Examples</b></p><dl><dt>3.1. <a href="#id238425">Valid Hosts File</a></dt><dt>7.1. <a href="#id289053">Example initialisation function</a></dt></dl></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="introduction"></a>Chapter 1. Introduction</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id264630">Overview</a></span></dt><dt><span class="section"><a href="#id272958">Description</a></span></dt><dt><span class="section"><a href="#id276660">Advanced Error Detection Logic</a></span></dt><dt><span class="section"><a href="#id238011">History</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id264630"></a>Overview</h2></div></div></div><p>Nikto is a web server assessment tool. It is designed to find
      various default and insecure files, configurations and programs on any
      type of web server.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id272958"></a>Description</h2></div></div></div><p>Examine a web server to find potential problems and security vulnerabilities, including:
</p><div class="itemizedlist"><ul type="disc"><li><p>Server and software misconfigurations</p></li><li><p>Default files and programs</p></li><li><p>Insecure files and programs</p></li><li><p>Outdated servers and programs</p></li></ul></div><p>
</p><p>Nikto is built on LibWhisker (by RFP) and can run on any platform
which has a PERL environment. It supports SSL, proxies, host
authentication, IDS evasion and more. It can be updated automatically
from the command-line, and supports the optional submission of updated
version data back to the maintainers.</p><p>The name "Nikto" is taken from the movie "The Day the Earth Stood
      Still", and of course subsequent abuse by Bruce Campbell in "Army of
      Darkness". More information on the pop-culture popularity of Nikto can
      be found at
      <a class="ulink" href="http://www.blather.net/blather/2005/10/klaatu_barada_nikto_the_day_th.html" target="_top">http://www.blather.net/blather/2005/10/klaatu_barada_nikto_the_day_th.html</a></p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id276660"></a>Advanced Error Detection Logic</h2></div></div></div><p>Most web security tools (including Nikto 1.32 and below) rely
      heavily on the HTTP response to determine if a page or script exists on
      the target. Because many servers do not properly adhere to RFC standards
      and return a 200 "OK" response for requests which are not found or
      forbidden, this can lead to many false-positives. In addition, error
      responses for various file extensions can differ--the "not found"
      response for a .html file is often different than a .cgi.</p><p>Some testing tools, such as Nessus, also look at the content of
      the response to help eliminate these false positives. While often
      effective, this method relies on pre-defined strings to help eliminate
      false positives.</p><p>As of version 2.0 Nikto no longer assumes the error pages for
      different file types will be the same. A list of unique file extensions
      is generated at run-time (from the test database), and each of those
      extensions is tested against the target. For every file type, the "best
      method" of determining errors is found: standard RFC response, content
      match or MD4 hash (in decreasing order of preference). This allows Nikto
      to use the fastest and most accurate method for each individual file
      type, and therefore help eliminate the false positives seen for some
      servers in version 1.32 and below.</p><p>For example, if a server responds with a 404 "not found" error for
      a non-existent .txt file, Nikto will match the HTTP response of "404" on
      tests. If the server responds with a 200 "OK" response, it will try to
      match on the content, and assuming it finds a match (for example, the
      words "could not be found"), it will use this method for determining
      missing .txt files. If the other methods fail, Nikto will attempt to
      remove date and time strings (which can constantly change) from the
      returned page's content, generate an MD5 hash of the content, and then
      match that hash value against future .txt tests. The latter is by far
      the slowest type of match, but in many cases will provide valid results
      for a particular file type.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id238011"></a>History</h2></div></div></div><p>The Nikto 1.00 Beta was released on December 27, 2001 (followed
      almost immediately by the 1.01 release). Over the course of two years
      Nikto's code evolved into the most popular freely available web
      vulnerability scanner. The 2.0 release, in November 2007, represents
      several years of improvements.</p><p>In 2008, due to other commitments, Sullo, the original author,
      couldn't continue to support Nikto and the code was released under the
      GPL and passed to the community for support.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="installation"></a>Chapter 2. Installation</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id238042">Requirements</a></span></dt><dt><span class="section"><a href="#id238232">Install</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id238042"></a>Requirements</h2></div></div></div><p>Any system which supports a basic PERL installation should allow
      Nikto to run. It has been extensively tested on:</p><div class="itemizedlist"><ul type="disc"><li><p>Windows (using ActiveState Perl)</p></li><li><p>Mac OSX</p></li><li><p>Various Linux and Unix installations (including RedHat,
            Solaris, Debian, Knoppix, etc.)</p></li></ul></div><p>The only required PERL module that does not come standard is
      LibWhisker. Nikto comes with and is configured to use a local LW.pm file
      (in the plugins directory), but users may wish to change Nikto to use a
      version installed on the system. See Section 2 for further
      information.</p><p>For SSL support the Net::SSLeay PERL module must be installed
      (which in turn requires OpenSSL on the Unix platform). Windows support
      for SSL is dependent on the installation package, but is rumored to
      exist for ActiveState's Perl.</p><p>The nmap scanner can also be used, if desired. In some cases using
      nmap will slow down Nikto execution, as it must call an external
      program. For scanning many ports across one or more servers, using nmap
      will be faster than using Nikto's internal PERL scanning.</p><div class="itemizedlist"><ul type="disc"><li><p>PERL: <a class="ulink" href="http://www.cpan.org/" target="_top">http://www.cpan.org/</a></p></li><li><p>LibWhisker: <a class="ulink" href="http://www.wiretrip.net/" target="_top">http://www.wiretrip.net/</a></p></li><li><p>ActiveState Perl: <a class="ulink" href="http://www.activestate.com/" target="_top">http://www.activestate.com/</a></p></li><li><p>OpenSSL: <a class="ulink" href="http://www.openssl.org/" target="_top">http://www.openssl.org/</a></p></li><li><p>nmap: <a class="ulink" href="http://www.insecure.org/" target="_top">http://insecure.org/</a></p></li></ul></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id238232"></a>Install</h2></div></div></div><p>These instructions do not include information on installing PERL,
      PERL Modules, OpenSSL, LibWhisker or any of the utilities that may be
      needed during installation (such as gzip, tar, etc.). Please see the
      distributor's documentation for information on how to install and
      configure those software packages.</p><p>Unpack the download file:</p><pre class="screen">tar -xvzf nikto-current.tar.gz</pre><p>Assuming a standard OS/PERL installation, Nikto should now be
      usable. See Chapter 4 (Options) or Chapter 8 (Troubleshooting) for
      further configuration information.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="usage"></a>Chapter 3. Usage</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id238272">Basic Testing</a></span></dt><dt><span class="section"><a href="#id238384">Multiple Port Testing</a></span></dt><dt><span class="section"><a href="#id238405">Multiple Host Testing</a></span></dt><dt><span class="section"><a href="#id238466">Using a Proxy</a></span></dt><dt><span class="section"><a href="#id238782">Updating</a></span></dt><dt><span class="section"><a href="#id238829">Integration with Nessus</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id238272"></a>Basic Testing</h2></div></div></div><p>The most basic Nikto scan requires simply a host to target, since
      port 80 is assumed if none is specified. The host can either be an IP or
      a hostname of a machine, and is specified using the -h (-host) option.
      This will scan the IP 192.168.0.1 on TCP port 80:</p><pre class="screen">perl nikto.pl -h 192.168.0.1</pre><p>To check on a different port, specify the port number with the -p
      (-port) option. This will scan the IP 192.168.0.1 on TCP port
      443:</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -p 443</pre><p>Hosts, ports and protocols may also be specified by using full
      URL syntax:</p><pre class="screen">perl nikto.pl -h https://192.168.0.1:443/</pre><p>There is no need to specify that port 443 may be SSL, as Nikto
      will first test regular HTTP and if that fails, HTTPS. If you are sure
      it is an SSL server, specifying -s (-ssl) will speed up the test.</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -p 443 -ssl</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p><em class="parameter"><code>-mutate</code></em> 1 increases the number of tests so
      that all filenames are tested against all databases including
      <code class="filename">db_tests</code>. This will produce over 2,000,000 extra
      tests, which will use up a massive amount of resources.</p></td></tr></table></div><p>More complex tests can be performed using the
      <em class="parameter"><code>-mutate</code></em> parameter, as detailed later. This can
      produce extra tests, some of which may be provided with extra parameters
      through the <em class="parameter"><code>-mutate-options</code></em> parameter. For example,
      using <em class="parameter"><code>-mutate</code></em> 3, with or without a file, attempts
      to brute force usernames if the web server allows
      ~<em class="replaceable"><code>user</code></em> URIs:</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -mutate 3 -mutate-options user-list.txt</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id238384"></a>Multiple Port Testing</h2></div></div></div><p>Nikto can scan multiple ports in the same scanning session. To
      test more than one port on the same host, specify the list of ports in
      the -p (-port) option. Ports can be specified as a range (e.g., 80-90),
      or as a comma-delimited list (e.g., 80,88,90). This will scan the host
      on ports 80, 88 and 443.</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -p 80,88,443</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id238405"></a>Multiple Host Testing</h2></div></div></div><p>Nikto supports scanning multiple hosts in the same session via a
      text file of host names or IPs. Instead of giving a host name or IP for
      the -h (-host) option, a file name can be given. A file of hosts must be
      formatted as one host per line, with the port number(s) at the end of
      each line. Ports can be separated from the host and other ports via a
      colon or a comma. If no port is specified, port 80 is assumed.</p><p>This is an example of a valid hosts file:</p><div class="example"><a name="id238425"></a><p class="title"><b>Example 3.1. Valid Hosts File</b></p><div class="example-contents"><pre class="programlisting">192.168.0.1:80
http://192.168.0.1:8080/
192.168.0.3</pre></div></div><br class="example-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>For win32 users: due to peculiarities in the way that cmd.exe
         works with pipes, the piped nmap example below may not work for you. In this case
         a temporary file will have to be used to store the output from
         nmap.</p></td></tr></table></div><p>A host file may also be an nmap output in "greppable" format (i.e.
      the output from -oG).</p><p>A file may be passed to Nikto through stdout/stdin using a "-" as
      the filename. For example:</p><pre class="screen">nmap -p80 192.168.0.0/24 -oG - | nikto.pl -h -</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id238466"></a>Using a Proxy</h2></div></div></div><p>If the machine running Nikto only has access to the target host
      (or update server) via an HTTP proxy, the test can still be performed.
      Set the <code class="varname">PROXY*</code> variables (as described in section
      4), then execute Nikto with the -u (-useproxy) option. All connections
      will be relayed through the HTTP proxy specified in the configuration
      file.</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -p 80 -u</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id238782"></a>Updating</h2></div></div></div><p>Nikto can be automatically updated, assuming you have Internet
      connectivity from the host Nikto is installed on. To update to the
      latest plugins and databases, simply run Nikto with the -update
      option.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The -update option cannot be abbreviated.</p></td></tr></table></div><pre class="screen">perl nikto.pl -update</pre><p>If updates are required, you will see a list of the files
      downloaded:</p><pre class="screen">
 perl nikto.pl -update
 + Retrieving 'nikto_core.plugin'
 + Retrieving 'CHANGES.txt'
      </pre><p>Updates may also be manually downloaded from <a class="ulink" href="http://www.cirt.net/" target="_top">http://www.cirt.net/</a></p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id238829"></a>Integration with Nessus</h2></div></div></div><p>Nessus (<a class="ulink" href="http://www.nessus.org/" target="_top">http://www.nessus.org/nessus/</a>) can
      be configured to automatically launch Nikto when it finds a web server.
      Ensure Nikto works properly, then place the directory containing
      nikto.pl in root's PATH environment variable. When nessusd starts, it
      should see the nikto.pl program and enable usage through the
      GUI.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="options"></a>Chapter 4. Command Line Options</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id238858">All Options</a></span></dt><dt><span class="section"><a href="#id286918">Mutation Techniques</a></span></dt><dt><span class="section"><a href="#id287020">Display</a></span></dt><dt><span class="section"><a href="#id287094">Scan Tuning</a></span></dt><dt><span class="section"><a href="#id287290">Single Request Mode</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id238858"></a>All Options</h2></div></div></div><p>Below are all of the Nikto command line options and explanations. A
brief version of this text is available by running Nikto with the -h
(-help) option.</p><div class="variablelist"><dl><dt><span class="term"><code class="option">-Cgidirs</code></span></dt><dd><p>Scan these CGI directories. Special words "none" or "all" may
be used to scan no CGI directories or all of them (respectively). A
literal value for a CGI directory such as "/cgi-test/" may be
specified (must include trailing slash). If this option is not
specified, all CGI directories listed in config.txt will be
tested.</p></dd><dt><span class="term"><code class="option">-config</code></span></dt><dd><p>Specify an alternative config file to use instead of the
config.txt located in the install directory.</p></dd><dt><span class="term"><code class="option">-dbcheck</code></span></dt><dd><p>Check the scan databases for syntax errors.</p></dd><dt><span class="term"><code class="option">-Display</code></span></dt><dd><p>Control the output that Nikto shows. See Chapter 5 for
detailed information on these options. Use the reference number or
letter to specify the type, multiple may be used:</p><p>1 - Show redirects</p><p>2 - Show cookies received</p><p>3 - Show all 200/OK responses</p><p>4 - Show URLs which require authentication</p><p>D - Debug Output</p><p>V - Verbose Output</p></dd><dt><span class="term"><code class="option">-evasion</code></span></dt><dd><p>Specify the LibWhisker IDS evasion technique to use (see the
LibWhisker docs for detailed information on these). Use the
reference number to specify the type, multiple may be used:</p><p>1 - Random URI encoding (non-UTF8)</p><p>2 - Directory self-reference (/./)</p><p>3 - Premature URL ending</p><p>4 - Prepend long random string</p><p>5 - Fake parameter</p><p>6 - TAB as request spacer</p><p>7 - Change the case of the URL</p><p>8 - Use Windows directory separator (\)</p></dd><dt><span class="term"><code class="option">-findonly</code></span></dt><dd><p>Only discover the HTTP(S) ports, do not perform a security scan.
This will attempt to connect with HTTP or HTTPS, and report the
Server header.</p></dd><dt><span class="term"><code class="option">-Format</code></span></dt><dd><p>Save the output file specified with -o (-output) option in
this format. If not specified, the default will be taken from the file
extension specified in the -output option. Valid formats are:</p><p>csv - a comma-separated list</p><p>htm - an HTML report</p><p>txt - a text report</p><p>xml - an XML report</p></dd><dt><span class="term"><code class="option">-host</code></span></dt><dd><p>Host(s) to target. Can be an IP address, hostname or text file
of hosts. A single dash (-) may be used for stdout. Can also parse nmap -oG
style output.</p></dd><dt><span class="term"><code class="option">-Help</code></span></dt><dd><p>Display extended help information.</p></dd><dt><span class="term"><code class="option">-id</code></span></dt><dd><p>ID and password to use for Basic host authentication.
Format is "id:password".</p></dd><dt><span class="term"><code class="option">-list-plugins</code></span></dt><dd><p>Will list all plugins that Nikto can run against targets and
                then will exit without performing a scan. These can be tuned for a
                session using the -plugins option.</p><p>The output format is:</p><p>Plugin <code class="varname">name</code></p><p> <code class="varname">full name</code> - <code class="varname">description</code>
                </p><p> Written by <code class="varname">author</code>, Copyright (C)
                <code class="varname">copyright</code></p></dd><dt><span class="term"><code class="option">-mutate</code></span></dt><dd><p>Specify mutation technique. A mutation will cause Nikto to
combine tests or attempt to guess values. These techniques may cause
a tremendous number of tests to be launched against the target. Use
the reference number to specify the type, multiple may be
used:</p><p>1 - Test all files with all root directories</p><p>2 - Guess for password file names</p><p>3 - Enumerate user names via Apache (/~user type
requests)</p><p>4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user
type requests)</p><p>5 - Attempt to brute force sub-domain names, assume that
        the host name is the parent domain</p><p>6 - Attempt to guess directory names from the supplied
        dictionary file</p></dd><dt><span class="term"><code class="option">-mutate-options</code></span></dt><dd><p>Provide extra information for mutates, e.g. a dictionary
        file</p></dd><dt><span class="term"><code class="option">-nolookup</code></span></dt><dd><p>Do not perform name lookups on IP addresses.</p></dd><dt><span class="term"><code class="option">-nossl</code></span></dt><dd><p>Do not use SSL to connect to the server.</p></dd><dt><span class="term"><code class="option">-no404</code></span></dt><dd><p>Disable 404 (file not found) checking. This will reduce
        the total number of requests made to the webserver and may be
        preferable when checking a server over a slow link, or an embedded
        device. This will generally lead to more false positives being
        discovered.</p></dd><dt><span class="term"><code class="option">-output</code></span></dt><dd><p>Write output to the file specified. The format used will be
                taken from the file extension. This can be overridden by using the
                -Format option (e.g. to write text files with a different extension).
                Existing files will have new information appended.</p></dd><dt><span class="term"><code class="option">-plugins</code></span></dt><dd><p>Select which plugins will be run on the specified targets. A
                comma separated list should be provided which lists the names of the
                plugins. The names can be found by using -list-plugins.</p><p>There are two special entries: ALL, which specifies all plugins
                shall be run and NONE, which specifies no plugins shall be run. The
                default is ALL.</p></dd><dt><span class="term"><code class="option">-port</code></span></dt><dd><p>TCP port(s) to target. To test more than one port on the same
host, specify the list of ports in the -p (-port) option. Ports can
be specified as a range (e.g., 80-90), or as a comma-delimited list
(e.g., 80,88,90). If not specified, port 80 is used.</p></dd><dt><span class="term"><code class="option">-Pause</code></span></dt><dd><p>Seconds to delay between each test.</p></dd><dt><span class="term"><code class="option">-root</code></span></dt><dd><p>Prepend the value specified to the beginning of every request.
This is useful to test applications or web servers which have all of
their files under a certain directory.</p></dd><dt><span class="term"><code class="option">-ssl</code></span></dt><dd><p>Only test SSL on the ports specified. Using this option will
dramatically speed up requests to HTTPS ports, since otherwise the
HTTP request will have to timeout first.</p></dd><dt><span class="term"><code class="option">-Single</code></span></dt><dd><p>Perform a single request to a target server. Nikto will prompt
for all options which can be specified, and then report the detailed
output. See Chapter 5 for detailed information.</p></dd><dt><span class="term"><code class="option">-timeout</code></span></dt><dd><p>Seconds to wait before timing out a request. Default timeout
is 10 seconds.</p></dd><dt><span class="term"><code class="option">-Tuning</code></span></dt><dd><p>Tuning options will control the test that Nikto will use
against a target. By default, if any options are specified, only
those tests will be performed. If the "x" option is used, it will
reverse the logic and exclude only those tests. Use the reference
number or letter to specify the type, multiple may be used:</p><p>0 - File Upload</p><p>1 - Interesting File / Seen in logs</p><p>2 - Misconfiguration / Default File</p><p>3 - Information Disclosure</p><p>4 - Injection (XSS/Script/HTML)</p><p>5 - Remote File Retrieval - Inside Web Root</p><p>6 - Denial of Service</p><p>7 - Remote File Retrieval - Server Wide</p><p>8 - Command Execution / Remote Shell</p><p>9 - SQL Injection</p><p>a - Authentication Bypass</p><p>b - Software Identification</p><p>c - Remote Source Inclusion</p><p>x - Reverse Tuning Options (i.e., include all except
specified)</p><p>The given string will be parsed from left to right; any x
        characters will apply to all characters to the right of the
        character.</p></dd><dt><span class="term"><code class="option">-useproxy</code></span></dt><dd><p>Use the HTTP proxy defined in the configuration file.</p></dd><dt><span class="term"><code class="option">-update</code></span></dt><dd><p>Update the plugins and databases directly from
cirt.net.</p></dd><dt><span class="term"><code class="option">-Version</code></span></dt><dd><p>Display the Nikto software, plugin and database
versions.</p></dd><dt><span class="term"><code class="option">-vhost</code></span></dt><dd><p>Specify the Host header to be sent to the target.</p></dd></dl></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id286918"></a>Mutation Techniques</h2></div></div></div><p>A mutation will cause Nikto to combine tests or attempt to guess
      values. These techniques may cause a tremendous number of tests to be
      launched against the target. Use the reference number to specify the
      type; multiple may be combined.</p><div class="orderedlist"><ol type="1"><li><p>Test all files with all root directories. This takes each test
            and splits it into a list of files and directories. A scan list is
            then created by combining each file with each directory.</p></li><li><p>Guess for password file names. Takes a list of common password
            file names (such as "passwd", "pass", "password") and file
            extensions ("txt", "pwd", "bak", etc.) and builds a list of files
            to check for.</p></li><li><p>Enumerate user names via Apache (/~user type requests).
            Exploit a misconfiguration with Apache UserDir setups which allows
            valid user names to be discovered. This will attempt to brute-force
            guess user names. A file of known users can also be supplied by
            giving the file name in the
            <em class="parameter"><code>-mutate-options</code></em> parameter.</p></li><li><p>Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user
            type requests). Exploit a flaw in cgiwrap which allows valid user
            names to be discovered. This will attempt to brute-force guess user
            names. A file of known users can also be supplied by giving the
            file name in the <em class="parameter"><code>-mutate-options</code></em>
            parameter.</p></li><li><p>Attempt to brute force sub-domain names. This will
            attempt to brute force known domain names; it will assume the given
            host (without a www) is the parent domain.</p></li><li><p>Attempt to brute force directory names. This is the only mutate
            option that requires a file to be passed in the
            <em class="parameter"><code>-mutate-options</code></em> parameter. It will use the
            given file to attempt to guess directory names. Lists of common
            directories may be found in the OWASP DirBuster project.</p></li></ol></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id287020"></a>Display</h2></div></div></div><p>By default only some basic information about the target and
      vulnerabilities is shown. Using the <em class="parameter"><code>-Display</code></em>
      parameter can produce more information for debugging issues.</p><div class="itemizedlist"><ul type="disc"><li><p>1 - Show redirects. This will display all requests which
            elicit a "redirect" response from the server.</p></li><li><p>2 - Show cookies received. This will display all cookies that
            were sent by the remote host.</p></li><li><p>3 - Show all 200/OK responses. This will show all responses
            which elicit an "okay" (200) response from the server. This could be
            useful for debugging.</p></li><li><p>4 - Show URLs which require authentication. This will show all
            responses which elicit an "authorization required" header.</p></li><li><p>D - Debug Output. Show debug output, which shows the verbose
            output and extra information such as variable content.</p></li><li><p>V - Verbose Output. Show verbose output, which typically shows
            where Nikto is during program execution.</p></li></ul></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id287094"></a>Scan Tuning</h2></div></div></div><p>Scan tuning can be used to decrease the number of tests performed
      against a target. By specifying the type of test to include or exclude,
      faster, focused testing can be completed. This is useful in situations
      where the presence of certain file types is undesired -- such as XSS or
      simply "interesting" files.</p><p>Test types can be controlled at an individual level by specifying
      their identifier to the <em class="parameter"><code>-T</code></em>
      (<em class="parameter"><code>-Tuning</code></em>) option. In the default mode, if
      <em class="parameter"><code>-T</code></em> is invoked, only the test type(s) specified
      will be executed. For example, only the tests for "Remote file
      retrieval" and "Command execution" can be performed against the
      target:</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -T 58</pre><p>If an "x" is passed to <em class="parameter"><code>-T</code></em> then this will
      negate all tests of types following the x. This is useful where a test
      may check several different types of exploit. For example:</p><pre class="screen">perl nikto.pl -h 192.168.0.1 -T 58xb</pre><p>The valid tuning options are:</p><div class="itemizedlist"><ul type="disc"><li><p>0 - File Upload. Exploits which allow a file to be
            uploaded to the target server.</p></li><li><p>1 - Interesting File / Seen in logs. An unknown but suspicious
            file or attack that has been seen in web server logs (note: if you
            have information regarding any of these attacks, please contact
            CIRT, Inc.).</p></li><li><p>2 - Misconfiguration / Default File. Default files or files
            which have been misconfigured in some manner. This could be
            documentation, or a resource which should be password
            protected.</p></li><li><p>3 - Information Disclosure. A resource which reveals
            information about the target. This could be a file system path or
            account name.</p></li><li><p>4 - Injection (XSS/Script/HTML). Any manner of injection,
            including cross site scripting (XSS) or content (HTML). This does
            not include command injection.</p></li><li><p>5 - Remote File Retrieval - Inside Web Root. Resource allows
            remote users to retrieve unauthorized files from within the web
            server's root directory.</p></li><li><p>6 - Denial of Service. Resource allows a denial of service
            against the target application, web server or host (note: no
            intentional DoS attacks are attempted).</p></li><li><p>7 - Remote File Retrieval - Server Wide. Resource allows
            remote users to retrieve unauthorized files from anywhere on the
            target.</p></li><li><p>8 - Command Execution / Remote Shell. Resource allows the user
            to execute a system command or spawn a remote shell.</p></li><li><p>9 - SQL Injection. Any type of attack which allows SQL to be
            executed against a database.</p></li><li><p>a - Authentication Bypass. Allows client to access a
            resource it should not be allowed to access.</p></li><li><p>b - Software Identification. Installed software or program
            could be positively identified.</p></li><li><p>c - Remote source inclusion. Software allows remote inclusion
            of source code.</p></li><li><p>x - Reverse Tuning Options. Perform exclusion of the specified
            tuning type instead of inclusion of the specified tuning
            type.</p></li></ul></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id287290"></a>Single Request Mode</h2></div></div></div><p>Single request mode is designed to perform a solitary request
      against the target. This is useful to confirm a test result using the
      same resources Nikto used during a scan. The single option allows manual
      setting of most variables used by Nikto and LibWhisker, and upon
      completion will display both the request and the result of the
      operation.</p><p>Most options have a default value or can be left blank. The most
      common and required values are at the beginning of the "questions"
      section for slightly easier use. True and false are specified by numeric
      equivalents, 1 and 0 respectively. Please note that Single mode is not
      very user-friendly. Here is an example Nikto run with the
      <em class="parameter"><code>-Single</code></em> option.</p><pre class="screen">
[dave@yggdrasil nikto-2.03]$ ./nikto.pl -Single
--------------------------------------------  Nikto 2.1.0
--------------------------------------------  Single Request Mode
                              Hostname or IP: localhost
                                   Port (80):
                                     URI (/): /test.html
                                     SSL (0):
                                  Proxy host:
                                  Proxy port:
                      Show HTML Response (1):
                          HTTP Version (1.1):
                           HTTP Method (GET):
      User-Agent (Mozilla/4.75 (Nikto/2.1.0):
                     Connection (Keep-Alive):
                                        Data:
                        force_bodysnatch (0):
                             force_close (1):
                             http_space1 ( ):
                             http_space2 ( ):
                     include_host_in_uri (0):
           invalid_protocol_return_value (1):
                                max_size (0):
                             protocol (HTTP):
           require_newline_after_headers (0):
                                   retry (0):
                           ssl_save_info (0):
                                timeout (10):
                             uri_password ():
                              uri_postfix ():
                               uri_prefix ():
                                 uri_user ():
                         Enable Anti-IDS (0):
--------------------------------------------  Done with questions
        Host Name: localhost
        Host IP: 127.0.0.1
        HTTP Response Code: 404
--------------------------------------------  Connection Details
        Connection: Keep-Alive
        Host: localhost
        User-Agent: Mozilla/4.75 (Nikto/2.1.0
        data:
        force_bodysnatch: 0
        force_close: 1
        force_open: 0
        host: localhost
        http_space1:
        http_space2:
        ignore_duplicate_headers: 1
        include_host_in_uri: 0
        invalid_protocol_return_value: 1
        max_size: 0
        method: GET
        port: 80
        protocol: HTTP
        require_newline_after_headers: 0
        retry: 0
        ssl: 0
        ssl_save_info: 0
        timeout: 10
        trailing_slurp: 0
        uri: /test.html
        uri_param_sep: ?
        uri_postfix:
        uri_prefix:
        version: 1.1
--------------------------------------------  Response Headers
        Connection: close
        Content-Length: 268
        Content-Type: text/html; charset=iso-8859-1
        Date: Tue, 18 Aug 2009 10:13:57 GMT
        Server: Apache/2
        code: 404
        http_data_sent: 1
        http_eol:

        http_space1:
        http_space2:
        message: Not Found
        protocol: HTTP
        uri: /test.html
        version: 1.1
--------------------------------------------  Response Content
&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;
&lt;html&gt;&lt;head&gt;
&lt;title&gt;404 Not Found&lt;/title&gt;
&lt;/head&gt;&lt;body&gt;
&lt;h1&gt;Not Found&lt;/h1&gt;
&lt;p&gt;The requested URL /test.html was not found on this server.&lt;/p&gt;
&lt;hr&gt;
&lt;address&gt;Apache/2 Server at localhost Port 80&lt;/address&gt;
&lt;/body&gt;&lt;/html&gt;
</pre></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="configuration"></a>Chapter 5. Configuration Files</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id287336">Location</a></span></dt><dt><span class="section"><a href="#id237396">Format</a></span></dt><dt><span class="section"><a href="#id237410">Variables</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id287336"></a>Location</h2></div></div></div><p>Nikto, like any non-trivial program, needs to know a few things
      about how to work with the current environment. For most situations the
      default configuration file will work. Sometimes, tuning may be required,
      or some things may need to be changed.</p><p>Nikto will look for a configuration file in three places and, if it
      finds one, will apply it in the strict order listed below. A later found
      configuration file will overwrite any variables set in an earlier
      configuration file. The locations are:</p><div class="orderedlist"><ol type="1"><li><p>/etc/nikto.conf (this may be altered depending on
            platform)</p></li><li><p>$HOME/nikto.conf</p></li><li><p>nikto.conf</p></li></ol></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id237396"></a>Format</h2></div></div></div><p>The configuration files are formatted like a standard Unix
      configuration file: blank lines are ignored, any line starting with a #
      is ignored, variables are set with a VariableName=Value line.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id237410"></a>Variables</h2></div></div></div><p>The following variables may be set within the configuration
      file:</p><div class="variablelist"><dl><dt><span class="term"><code class="varname">CLIOPTS</code></span></dt><dd><p>Default options that should always be passed to the
               command line. For example:</p><pre class="screen">CLIOPTS=-output results.txt -Format text</pre><p>Default Setting</p><pre class="screen">CLIOPTS=</pre></dd><dt><span class="term"><code class="varname">NIKTODTD</code></span></dt><dd><p>Path to the location of the DTD used for XML output. If the
               path is not absolute then it will be relative to the directory
               where Nikto is executed.</p><p>Default Setting</p><pre class="screen">NIKTODTD=docs/nikto.dtd</pre></dd><dt><span class="term"><code class="varname">NMAP</code>, </span><span class="term"><code class="varname">NMAPOPTS</code></span></dt><dd><p><span class="emphasis"><em>Deprecated</em></span></p><p>Location of nmap and the default nmap options. Nikto used
               to use nmap to aid in checking for valid HTTP ports on any
               targets. From Nikto 2.10, nmap is no longer used from within
               Nikto and this variable will do nothing. This variable may be
               removed in a later version.</p><p>Default Setting</p><pre class="screen">NMAP=/usr/local/bin/nmap
NMAPOPTS=-P0</pre></dd><dt><span class="term"><code class="varname">SKIPPORTS</code></span></dt><dd><p><span class="emphasis"><em>Deprecated</em></span></p><p>This configuration item originally defined ports that
               would never be scanned by Nikto. This is currently unused and
               deprecated.</p><p>Default Setting</p><pre class="screen">SKIPPORTS=21 111</pre></dd><dt><span class="term"><code class="varname">SKIPIDS</code></span></dt><dd><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>Note, this filter only applies to tests in the
               <code class="filename">db_tests</code> database.</p></td></tr></table></div><p>Contains a space-separated list of Test IDs (tids) that
               Nikto will not run on the system, for example:</p><pre class="screen">SKIPIDS=000045 000345</pre><p>Default Setting</p><pre class="screen">SKIPIDS=</pre></dd><dt><span class="term"><code class="varname">DEFAULTHTTPVER</code></span></dt><dd><p>Defines the default version of HTTP that Nikto will use,
               unless superseded by a specific test. Usually keeping this to
               the default will suffice, though some web servers may only work
               with later versions of the HTTP protocol.</p><p>Default Setting</p><pre class="screen">DEFAULTHTTPVER=1.0</pre></dd><dt><span class="term"><code class="varname">UPDATES</code></span></dt><dd><p>If the outdated Nikto plugin sees a web server it doesn't
               know of, or a version that is later than that defined in
               <code class="filename">db_outdated</code>, then it will send this
               information back to cirt.net for inclusion in future versions of
               Nikto. Server specific information (e.g. IP addresses or
               hostnames) is not sent.</p><p>This item can be set to one of the below values:</p><div class="blockquote"><blockquote class="blockquote"><div class="variablelist"><dl><dt><span class="term"><code class="varname">UPDATES=yes</code></span></dt><dd><p>Display each submission and ask for permission
                        before it is sent</p></dd><dt><span class="term"><code class="varname">UPDATES=no</code></span></dt><dd><p>Do not send any data back to cirt.net</p></dd><dt><span class="term"><code class="varname">UPDATES=auto</code></span></dt><dd><p>Send data back to cirt.net with no
                        prompting</p></dd></dl></div></blockquote></div><p>Default Setting</p><pre class="screen">UPDATES=yes</pre></dd><dt><span class="term"><code class="varname">MAX_WARN</code></span></dt><dd><p><span class="emphasis"><em>Unused</em></span></p><p>Produces a warning if a number of MOVED responses are
               retrieved. This is currently unused.</p><p>Default Setting</p><pre class="screen">MAX_WARN=20</pre></dd><dt><span class="term"><code class="varname">PROMPTS</code></span></dt><dd><p><span class="emphasis"><em>Deprecated</em></span></p><p>Disables Nikto prompts if set to "no". This is currently
               unused and has been deprecated by the UPDATES item.</p><p>Default Setting</p><pre class="screen">PROMPTS=</pre></dd><dt><span class="term"><code class="varname">CIRT</code></span></dt><dd><p>The IP address that Nikto will use to update the databases
               and plugins, or will send version information back to (as
               described in the <code class="varname">UPDATES</code> item).</p><p>Default Setting</p><pre class="screen">CIRT=209.172.49.178</pre></dd><dt><span class="term"><code class="varname">PROXYHOST</code>, </span><span class="term"><code class="varname">PROXYPORT</code>, </span><span class="term"><code class="varname">PROXYUSER</code>, </span><span class="term"><code class="varname">PROXYPASS</code></span></dt><dd><p>Address, port, username and password of a proxy to relay all
               requests through. Note, to use a proxy, you must set the
               configuration items in the configuration file and supply the
               <em class="parameter"><code>-useproxy</code></em> switch to the command
               line.</p><p>Default Setting</p><pre class="screen">PROXYHOST=
PROXYPORT=
PROXYUSER=
PROXYPASS=</pre></dd><dt><span class="term"><code class="varname">STATIC-COOKIE</code></span></dt><dd><p>Adds the supplied cookie to all requests made via Nikto;
               this is generally useful if an authentication cookie is required
               for a website. For example:</p><pre class="screen">STATIC-COOKIE=userid=0</pre><p>Default Setting</p><pre class="screen">STATIC-COOKIE=</pre></dd><dt><span class="term"><code class="varname">CHECKMETHODS</code></span></dt><dd><p>Nikto will attempt to identify targets as webservers by
               sending a request to fetch the / URI via certain HTTP methods.
               Some web servers do not implement all HTTP methods and may cause
               Nikto to fail to identify the web server correctly if it doesn't
               support the method being used.</p><p>If this setting is missing from the configuration file,
               then Nikto will default back to the Nikto 2.02 default of
               HEAD.</p><p>Default Setting</p><pre class="screen">CHECKMETHODS=HEAD GET</pre></dd><dt><span class="term"><code class="varname">EXECDIR</code>, </span><span class="term"><code class="varname">PLUGINDIR</code>, </span><span class="term"><code class="varname">TEMPLATEDIR</code>, </span><span class="term"><code class="varname">DOCDIR</code></span></dt><dd><p>Defines where to find the location of Nikto, its plugins,
               XML/HTML templates and documents. This should only normally be
               changed if repackaging Nikto to work with different file system
               standards. Nikto will use the EXECDIR item to guess the other
               directories.</p><p>Default Setting</p><pre class="screen">EXECDIR=.
PLUGINDIR=EXECDIR/plugins
TEMPLATEDIR=EXECDIR/templates
DOCDIR=EXECDIR/docs</pre></dd></dl></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="reports"></a>Chapter 6. Output and Reports</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id288190">Export Formats</a></span></dt><dt><span class="section"><a href="#id288220">HTML and XML Customisation</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id288190"></a>Export Formats</h2></div></div></div><p>Nikto saved output comes in four flavours: text, CSV, XML or HTML.
      When using <em class="parameter"><code>-output</code></em>, an output format may be
      specified with <em class="parameter"><code>-Format</code></em>. Text format is assumed if
      nothing is specified with <em class="parameter"><code>-Format</code></em>. The DTD for the
      Nikto XML format can be found in the 'docs' directory (nikto.dtd).</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id288220"></a>HTML and XML Customisation</h2></div></div></div><p>HTML reports are generated from template files located in the
      <code class="filename">templates</code> directory. Variables are defined as
      <code class="varname">#variable-name</code>, and are replaced when the report is
      generated. The files <code class="filename">htm_start.tmpl</code> and
      <code class="filename">htm_end.tmpl</code> are included at the beginning and end
      of the report (respectively). The <code class="filename">htm_summary.tmpl</code>
      also appears at the beginning of the report. The
      <code class="filename">htm_host_head</code> appears once for every host, and the
      <code class="filename">htm_host_item.tmpl</code> and
      <code class="filename">htm_host_im.tmpl</code> appear once for each item
      found on a host and each "informational message" per host
      (respectively).</p><p>All valid variables are used in these templates. Future versions
      of this documentation will include a list of variables and their
      meaning.</p><p>The copyright statements must not be removed from the
      <code class="filename">htm_end.tmpl</code> without placing them in another of the
      templates. It is a violation of the Nikto licence to remove these
      notices.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="expanding"></a>Chapter 7. Test and Code Writing</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id288304">Scan Database Field Values</a></span></dt><dt><span class="section"><a href="#id288472">User-Defined Tests</a></span></dt><dt><span class="section"><a href="#id288536">Scan Database Syntax</a></span></dt><dt><span class="section"><a href="#id288564">Plugins</a></span></dt><dd><dl><dt><span class="section"><a href="#id288684">Initialisation Phase</a></span></dt><dt><span class="section"><a href="#id289066">Reconnaissance Phase</a></span></dt><dt><span class="section"><a href="#id289135">Scan Phase</a></span></dt><dt><span class="section"><a href="#id289174">Reporting Phase</a></span></dt><dt><span class="section"><a href="#id289499">Data Structures</a></span></dt><dt><span class="section"><a href="#id289774">Standard Methods</a></span></dt><dt><span class="section"><a href="#id290403">Global Variables</a></span></dt></dl></dd><dt><span class="section"><a href="#id290916">Test Identifiers</a></span></dt><dt><span class="section"><a href="#id291044">Code Copyrights</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id288304"></a>Scan Database Field Values</h2></div></div></div><p>Though some checks can be found in other plugins, the
      <code class="filename">scan_database.db</code> contains the bulk of the web test
      information. Here is a description of the field values:</p><div class="table"><a name="id288321"></a><p class="title"><b>Table 7.1. Scan Database Fields</b></p><div class="table-contents"><table summary="Scan Database Fields" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Test ID</td><td>Nikto test ID</td></tr><tr><td>OSVDB-ID</td><td>Corresponding vulnerability entry number for
            osvdb.org</td></tr><tr><td>Server Type</td><td>Generic server matching type</td></tr><tr><td>URI</td><td>URI to retrieve</td></tr><tr><td>HTTP Method</td><td>HTTP method to use for URI</td></tr><tr><td>Match 1</td><td>String or code to match for successful test</td></tr><tr><td>Match 1 (Or)</td><td>String or code to alternatively match for successful
            test</td></tr><tr><td>Match 1 (And)</td><td>String or code to also match for successful
            test</td></tr><tr><td>Fail 1</td><td>String or code to match for test failure</td></tr><tr><td>Fail 2</td><td>String or code to match for test failure
            (alternative)</td></tr><tr><td>Summary</td><td>Summary message to report for successful test</td></tr><tr><td>HTTP Data</td><td>HTTP data to be sent during POST tests</td></tr><tr><td>Headers</td><td>Additional headers to send during test</td></tr></tbody></table></div></div><br class="table-break"></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id288472"></a>User-Defined Tests</h2></div></div></div><p>Users can create their own, private tests for any of the
      databases. By placing a syntactically correct database file in the
      <code class="filename">plugins</code> directory, with a file name prefaced with a
      "u", the data will be loaded along with the built-in checks.</p><p>For example, create the file
      <code class="filename">plugins/udb_tests</code> and it will be loaded at the
      same time <code class="filename">plugins/db_tests</code> is loaded. These files
      will also be checked for syntax when <em class="parameter"><code>-dbcheck</code></em> is
      used.</p><p>For tests which require a "private" OSVDB ID, use the OSVDB ID 0
      (zero). This should be used for all vulnerabilities that do not (or
      should not) exist in OSVDB, as ID 0 is for testing only. You are
      encouraged to send missing information to OSVDB at
      moderators@osvdb.org.</p><p>For the "Test ID", it is recommended you use unique numbers
      between 400000 and 499999 to allow for growth of the Nikto database
      without interfering with your own tests (note: numbers above 500000 are
      reserved for other tests).</p><p>Please help Nikto's continued success by sending test updates to
      <code class="email">&lt;<a class="email" href="mailto:sullo@cirt.net">sullo@cirt.net</a>&gt;</code>.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id288536"></a>Scan Database Syntax</h2></div></div></div><p>The scan database is a CSV delimited file which contains most of
      the tests. Fields are enclosed by quotes and separated by commas. The
      field order is:</p><p>Test-ID, OSVDB-ID, Tuning Type, URI, HTTP Method, Match 1, Match 1
      Or, Match 1 And, Fail 1, Fail 2, Summary, HTTP Data, Headers</p><p>Here is an example test:</p><pre class="screen">"120","3092","2","/manual/","GET","200","","","","","Web server manual","",""</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id288564"></a>Plugins</h2></div></div></div><p>To allow a bit more flexibility, Nikto allows plugins so that there
      is easy expansion of existing capabilities and some future
      proofing.</p><p>Plugins are run in four different phases. These are:</p><div class="blockquote"><blockquote class="blockquote"><div class="variablelist"><dl><dt><span class="term">Initialisation (mandatory)</span></dt><dd><p>Plugin initialisation is performed before targets are
               assigned. During this phase, the plugin should tell Nikto
               about its existence and capabilities. It may optionally
               set up any later required variables.</p></dd><dt><span class="term">Reconnaissance (optional)</span></dt><dd><p>During the reconnaissance phase, the plugin should look
               for interesting information that may be of use during the scan
               phase. It may report vulnerabilities, though this is
               discouraged.</p></dd><dt><span class="term">Scan (optional)</span></dt><dd><p>The scan phase should perform the meat of the plugin - this
               is where it should look at the web server and return any
               potential vulnerabilities.</p></dd><dt><span class="term">Reporting (optional)</span></dt><dd><p>The reporting phase is used to export any found
               vulnerabilities into a format in which they can be used later, for
               example written as a file report, or imported into a database.
               No testing of the web server, or reporting of new vulnerabilities,
               should be performed in this phase.</p><p>This phase is slightly more complex than the others and may
               be called at several points during Nikto's execution, as detailed
               later.</p></dd></dl></div></blockquote></div><p>Plugins are written in standard perl in the current context. They
      should be placed within the <code class="varname">PLUGINDIR</code> defined in the
      Nikto configuration file and must have a filename ending in
      <code class="filename">.plugin</code>.</p><p>An important concept to grasp about plugins and the order they are
      executed in is plugin weight: each phase will execute all defined
      plugins in the order defined by the weight. A plugin's weight is defined
      as a number between 1 and 100, where 1 is high priority and 100 is low
      priority. Plugins of equal weight will be executed in an undefined
      order.</p><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id288684"></a>Initialisation Phase</h3></div></div></div><p>As described above, all plugins must be able to execute in the
         initialisation phase or they will be ignored.</p><p>A perl sub called
         <code class="function"><em class="replaceable"><code>filename</code></em>_init</code> must exist. The
         sub is passed no parameters and should return a hash reference to a
         hash that should contain the following entries:</p><div class="variablelist"><dl><dt><span class="term"><em class="structfield"><code>name</code></em> (mandatory)</span></dt><dd><p>The short name of the plugin. This is used to identify
                  the plugin during verbose logging and will, in future
                  versions, be used to select plugin execution. The name
                  should be one word and, ideally, lower case.</p></dd><dt><span class="term"><em class="structfield"><code>full_name</code></em> (mandatory)</span></dt><dd><p>The full name of the plugin. This is used to identify
                  the plugin during verbose logging and may be used in
                  reporting modules to identify tests run against the web
                  server.</p></dd><dt><span class="term"><em class="structfield"><code>author</code></em> (mandatory)</span></dt><dd><p>The name or handle of the author of the plugin. This
                  may be used during reporting to identify ownership of
                  copyright of tests run against the web server.</p></dd><dt><span class="term"><em class="structfield"><code>description</code></em> (mandatory)</span></dt><dd><p>A short sentence to describe the purpose of the plugin.
               This may be used during reporting, or by a front end to describe
               the purpose of the plugin.</p></dd><dt><span class="term"><em class="structfield"><code>copyright</code></em> (mandatory)</span></dt><dd><p>The copyright string (or lack of it) of the plugin. This
                  may be used during reporting to ensure that appropriate
                  copyright is assigned to reports.</p></dd><dt><span class="term"><em class="structfield"><code>recon_method</code></em> (optional)</span></dt><dd><p>This should be a reference to a function used during the
                  reconnaissance phase of the plugin's execution. If this is left
                  undefined then the plugin will not execute during the
                  reconnaissance phase.</p></dd><dt><span class="term"><em class="structfield"><code>recon_cond</code></em> (optional)</span></dt><dd><p>This is an expression to be evaluated before the plugin
                  is executed; if true, the plugin is executed, if false, the
                  plugin is skipped. This can be used to minimise plugin
                  execution.</p></dd><dt><span class="term"><em class="structfield"><code>recon_weight</code></em> (optional)</span></dt><dd><p>This is the weight used to schedule the running of the
                  plugin during the reconnaissance phase. If this is left
                  undefined it will default to 50.</p></dd><dt><span class="term"><em class="structfield"><code>scan_method</code></em> (optional)</span></dt><dd><p>This should be a reference to a function used during the
                  scan phase of the plugin's execution. If this is left
                  undefined then the plugin will not execute during the
                  scan phase.</p></dd><dt><span class="term"><em class="structfield"><code>scan_cond</code></em> (optional)</span></dt><dd><p>This is an expression to be evaluated before the plugin
                  is executed; if true, the plugin is executed, if false, the
                  plugin is skipped. This can be used to minimise plugin
                  execution.</p></dd><dt><span class="term"><em class="structfield"><code>scan_weight</code></em> (optional)</span></dt><dd><p>This is the weight used to schedule the running of the
                  plugin during the scan phase. If this is left undefined it
                  will default to 50.</p></dd><dt><span class="term"><em class="structfield"><code>report_head</code></em> (optional)</span></dt><dd><p>This should be a reference to a function executed
                  before any testing commences. If this is left undefined then
                  the plugin will not be called to produce a report
                  header.</p></dd><dt><span class="term"><em class="structfield"><code>report_host_start</code></em>
               (optional)</span></dt><dd><p>This should be a reference to a function executed before
                  the reconnaissance phase of each host. If this is left
                  undefined then the plugin will not be called to produce a host
                  header.</p></dd><dt><span class="term"><em class="structfield"><code>report_host_end</code></em>
               (optional)</span></dt><dd><p>This should be a reference to a function executed after
                  the scan phase of each host. If this is left undefined then
                  the plugin will not be called to produce a host footer.</p></dd><dt><span class="term"><em class="structfield"><code>report_item</code></em> (optional)</span></dt><dd><p>This should be a reference to a function executed after
                  each found vulnerability. If this is left undefined then
                  the plugin will not be called to produce an item
                  record.</p></dd><dt><span class="term"><em class="structfield"><code>report_close</code></em> (optional)</span></dt><dd><p>This should be a reference to a function executed after
                  testing of all hosts has been finished. If this is left
                  undefined then the plugin will not be called to close the
                  report.</p></dd><dt><span class="term"><em class="structfield"><code>report_format</code></em> (optional)</span></dt><dd><p>This should describe the file format that the plugin
                  handles. This is internally matched with the contents of the
                  <em class="parameter"><code>-output</code></em> switch to reduce excessive
                  calls to plugins.</p></dd><dt><span class="term"><em class="structfield"><code>report_weight</code></em> (optional)</span></dt><dd><p>This is the weight used to schedule the running of the
                  plugin during the reporting phase. If this is left undefined
                  it will default to 50.</p></dd></dl></div><div class="example"><a name="id289053"></a><p class="title"><b>Example 7.1. Example initialisation function</b></p><div class="example-contents"><pre class="programlisting">sub nikto_dictionary_attack_init
{
   # Metadata and hooks returned to Nikto during the initialisation phase
   my $id =
   {
      name         =&gt; "dictionary",
      full_name    =&gt; "Dictionary attack",
      author       =&gt; "Deity",
      description  =&gt; "Attempts to dictionary attack commonly known directories/files",
      recon_method =&gt; \&amp;nikto_dictionary_attack,
      recon_cond   =&gt; '$CLI{mutate} =~ /6/',   # evaluated before the plugin is run
      recon_weight =&gt; 20,                      # runs ahead of the default weight of 50
      copyright    =&gt; "2009 CIRT Inc"
   };

   return $id;
}
</pre></div></div><br class="example-break"></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id289066"></a>Reconnaissance Phase</h3></div></div></div><p>The reconnaissance phase is executed for each target at the start
         of each scan.</p><p>Each reconnaissance method should expect to take a
         <code class="varname">mark</code> hash ref. It should return nothing.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">void <b class="fsfunc">recon_method</b>(</code></td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>hashref </code> </td><td><code><var class="pdparam">mark</var>;</code></td></tr></table></div><p>The reconnaissance phase is intended to be used to pull
         information about the web server for later use by the plugin, or by
         other plugins. Reporting vulnerabilities in this phase is
         discouraged.</p><p>Example uses of the reconnaissance phase are to spider a site,
         check for known applications etc.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id289135"></a>Scan Phase</h3></div></div></div><p>The scan phase is the meat of the plugin's life; it is run,
         for each target, immediately after the reconnaissance phase.</p><p>Each scan should check for vulnerabilities it knows about and
         report each one as it finds it.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">void <b class="fsfunc">scan_method</b>(</code></td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>hashref </code> </td><td><code><var class="pdparam">mark</var>;</code></td></tr></table></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id289174"></a>Reporting Phase</h3></div></div></div><p>This is potentially the most convoluted phase as it has several
         hooks that may be used for each section in the scan's lifetime.</p><p>The hooks are:</p><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id289188"></a>Report Head</h4></div></div></div><p>This hook is called immediately after target acquisition and
            before the reconnaissance phase. It is designed to allow the
            reporting plugin to open the report and ensure that any headers
            are appropriately written.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">handle <b class="fsfunc">report_head</b>(</code></td><td><var class="pdparam">filename</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">filename</var>;</code></td></tr></table></div><p>The <em class="parameter"><code>filename</code></em> parameter is a bit of a
            misnomer; it will be a copy of the string passed to the
            <em class="parameter"><code>-output</code></em> switch and may indicate, for
            example, a database name.</p><p>The <em class="parameter"><code>handle</code></em> is a handle that will be
            passed to other reporting functions for this plugin so should be
            internally consistent.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id289251"></a>Report Host Start</h4></div></div></div><p>This hook is called immediately before the reconnaissance
            phase for each target. It is designed to allow the reporting plugin
            to write any host-specific information.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">void <b class="fsfunc">report_host_start</b>(</code></td><td><var class="pdparam">rhandle</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>handle </code> </td><td><code><var class="pdparam">rhandle</var>;</code></td></tr><tr><td><code>hashref </code> </td><td><code><var class="pdparam">mark</var>;</code></td></tr></table></div><p>The <em class="parameter"><code>rhandle</code></em> parameter is the output
            of the plugin's Report Head function.</p><p>The <em class="parameter"><code>mark</code></em> parameter is a hashref for the
            target information (described below).</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id289313"></a>Report Host End</h4></div></div></div><p>This hook is called immediately after the scan phase for
            each target. It is designed to allow the reporting plugin to close
            any host-specific information.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">void <b class="fsfunc">report_host_end</b>(</code></td><td><var class="pdparam">rhandle</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>handle </code> </td><td><code><var class="pdparam">rhandle</var>;</code></td></tr><tr><td><code>hashref </code> </td><td><code><var class="pdparam">mark</var>;</code></td></tr></table></div><p>The <em class="parameter"><code>rhandle</code></em> parameter is the output
            of the plugin's Report Head function.</p><p>The <em class="parameter"><code>mark</code></em> parameter is a hashref for the
            target information (described below).</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id289375"></a>Report Item</h4></div></div></div><p>This hook is called once for each vulnerability found on the
            target. This should report details about the vulnerability.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">void <b class="fsfunc">report_item</b>(</code></td><td><var class="pdparam">rhandle</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">mark</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">vulnerability</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>handle </code> </td><td><code><var class="pdparam">rhandle</var>;</code></td></tr><tr><td><code>hashref </code> </td><td><code><var class="pdparam">mark</var>;</code></td></tr><tr><td><code>hashref </code> </td><td><code><var class="pdparam">vulnerability</var>;</code></td></tr></table></div><p>The <em class="parameter"><code>rhandle</code></em> parameter is the output of
            the plugin's Report Head function.</p><p>The <em class="parameter"><code>mark</code></em> parameter is a hashref for
            the target information (described below).</p><p>The <em class="parameter"><code>vulnerability</code></em> parameter is a
            hashref for the vulnerability information (described below).</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id289453"></a>Report Close</h4></div></div></div><p>This hook is called immediately after all targets have been
            scanned. It is designed to allow the reporting plugin to elegantly
            close the report.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">void <b class="fsfunc">report_close</b>(</code></td><td><var class="pdparam">rhandle</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>handle </code> </td><td><code><var class="pdparam">rhandle</var>;</code></td></tr></table></div><p>The <em class="parameter"><code>rhandle</code></em> parameter is the output of
            the plugin's Report Head function.</p></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id289499"></a>Data Structures</h3></div></div></div><p>The below data structures are used to communicate between the
         various plugin methods. Unless otherwise mentioned, they are all
         standard perl hash references with the detailed members.</p><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id289511"></a><span class="structname">Mark</span></h4></div></div></div><p>The mark hash contains all information about a target. It
            contains the below members. It should be read-only.</p><div class="blockquote"><blockquote class="blockquote"><div class="table"><a name="id289525"></a><p class="title"><b>Table 7.2. Members of the <span class="structname">Mark</span>
               structure</b></p><div class="table-contents"><table summary="Members of the Mark
               structure" border="1"><colgroup><col><col></colgroup><tbody><tr><td><em class="structfield"><code>ident</code></em></td><td>
                     Host identifier, usually equivalent to what was
                     passed on the command line.
                  </td></tr><tr><td><em class="structfield"><code>hostname</code></em></td><td>
                     Host name of the target.
                  </td></tr><tr><td><em class="structfield"><code>ip</code></em></td><td>
                     IP address of the target.
                  </td></tr><tr><td><em class="structfield"><code>port</code></em></td><td>
                     TCP port of the target.
                  </td></tr><tr><td><em class="structfield"><code>display_name</code></em></td><td>
                     Either the hostname, or the IP address of the
                     target, dependent on whether a hostname has been
                     discovered.
                  </td></tr><tr><td><em class="structfield"><code>ssl</code></em></td><td>
                     Flag to indicate whether the target runs over SSL.
                     If it is set to 0, then the plugin should not use SSL. Any
                     other value indicates SSL should be used.
                  </td></tr><tr><td><em class="structfield"><code>vhost</code></em></td><td>
                     Virtual hostname to use for the target.
                  </td></tr><tr><td><em class="structfield"><code>root</code></em></td><td>
                     Root URI to use for the target.
                  </td></tr><tr><td><em class="structfield"><code>banner</code></em></td><td>
                     Banner of the target's web server.
                  </td></tr></tbody></table></div></div><br class="table-break"></blockquote></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id289658"></a>Vulnerability</h4></div></div></div><p>The vulnerability hash contains all information about a
            vulnerability. It contains the below members. It should be
            read-only and should only be written using the
            <code class="function">add_vulnerability</code> method.</p><div class="blockquote"><blockquote class="blockquote"><div class="table"><a name="id289678"></a><p class="title"><b>Table 7.3. Members of the <span class="structname">Vulnerability</span>
               structure</b></p><div class="table-contents"><table summary="Members of the Vulnerability
               structure" border="1"><colgroup><col><col></colgroup><tbody><tr><td>mark</td><td>Hash ref to a mark data structure.</td></tr><tr><td>message</td><td>Message for the vulnerability.</td></tr><tr><td>nikto_id</td><td>Test ID (tid) of the vulnerability; this should be
                  a unique number which will identify the vulnerability.</td></tr><tr><td>osvdb</td><td>OSVDB reference to the vulnerability in the Open
                  Source Vulnerability Database. This may be 0 if an OSVDB
                  reference is not relevant or doesn't exist.</td></tr><tr><td>method</td><td>HTTP method used to find the vulnerability.</td></tr><tr><td>uri</td><td>URI for the result.</td></tr><tr><td>result</td><td>Any HTTP data, excluding headers.</td></tr></tbody></table></div></div><br class="table-break"></blockquote></div></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id289774"></a>Standard Methods</h3></div></div></div><p>Several standard methods are defined in
         <code class="filename">nikto_core.plugin</code> that can be used for all
         plugins. It is strongly advised that these should be used where
         possible instead of writing new methods.</p><p>For some methods, such as <code class="function">add_vulnerability</code>
         which write to global variables, these <span class="emphasis"><em>must</em></span> be
         the only interface to those global variables.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">array <b class="fsfunc">change_variables</b>(</code></td><td><var class="pdparam">line</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">line</var>;</code></td></tr></table></div><p>Expands any variables in the line parameter. The expansions are
         variables defined in the global array <code class="varname">@VARIABLES</code>,
         which may be read from <code class="filename">db_variables</code>, or added by
         reconnaissance plugin methods.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">int <b class="fsfunc">is_404</b>(</code></td><td><var class="pdparam">uri</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">content</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">HTTPcode</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">uri</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">content</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">HTTPcode</var>;</code></td></tr></table></div><p>Makes a guess whether the result is a real web page or an error
         page. As several web servers are badly configured and don't return
         HTTP 404 codes when a page isn't found, Nikto attempts to look for
         common error pages. Returns 1 if the page looks like an error.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">string <b class="fsfunc">get_ext</b>(</code></td><td><var class="pdparam">uri</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">uri</var>;</code></td></tr></table></div><p>Attempts to work out the extension of the uri. Will return the
         extension or the special cases: DIRECTORY, DOTFILE, NONE.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">string <b class="fsfunc">date_disp</b>(</code></td><td><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code></code> </td><td><code>;</code></td></tr></table></div><p>Returns the current time in a human readable format
         (YYYY-mm-dd hh:mm:ss).</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">string <b class="fsfunc">rm_active</b>(</code></td><td><var class="pdparam">content</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">content</var>;</code></td></tr></table></div><p>Attempts to remove active content (e.g. dates, adverts etc.)
         from a page. Returns a filtered version of the content.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">string <b class="fsfunc">get_banner</b>(</code></td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>hashref </code> </td><td><code><var class="pdparam">mark</var>;</code></td></tr></table></div><p>Pulls the web server's banner. This is automatically performed
         for all targets before a mark is passed to the plugin.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">boolean <b class="fsfunc">content_present</b>(</code></td><td><var class="pdparam">HTTPcode</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">HTTPcode</var>;</code></td></tr></table></div><p>Checks the HTTP response against known "found" responses. TRUE
         indicates that the request was probably successful.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">string HTTPCode, string content <b class="fsfunc">fetch</b>(</code></td><td><var class="pdparam">uri</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">method</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">content</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">headers</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">noclean</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">uri</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">method</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">content</var>;</code></td></tr><tr><td><code>hashref </code> </td><td><code><var class="pdparam">headers</var>;</code></td></tr><tr><td><code>boolean </code> </td><td><code><var class="pdparam">noclean</var>;</code></td></tr></table></div><p><span class="emphasis"><em>Deprecated</em></span></p><p>Performs a simple HTTP request to URI using the HTTP method,
632         <em class="parameter"><code>method</code></em>. <em class="parameter"><code>content</code></em> supplies
633         any data to pass in the HTTP body. <em class="parameter"><code>headers</code></em>
634         allows any custom headers to be placed in the request.
635         <em class="parameter"><code>noclean</code></em> is a flag specifying that the request
636         shouldn't be cleaned up before being sent (e.g. if the Host: header
637         is blank).</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">string HTTPCode, string content <b class="fsfunc">nfetch</b>(</code></td><td><var class="pdparam">uri</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">method</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">content</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">headers</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">noclean</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">uri</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">method</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">content</var>;</code></td></tr><tr><td><code>hashref </code> </td><td><code><var class="pdparam">headers</var>;</code></td></tr><tr><td><code>boolean </code> </td><td><code><var class="pdparam">noclean</var>;</code></td></tr></table></div><p>An updated version of fetch that uses a local, rather than a
638         global request/result structure. This should be used in preference to
639         fetch.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">hashref <b class="fsfunc">setup_hash</b>(</code></td><td><var class="pdparam">requesthash</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">mark</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>hashref </code> </td><td><code><var class="pdparam">requesthash</var>;</code></td></tr><tr><td><code>hashref </code> </td><td><code><var class="pdparam">mark</var>;</code></td></tr></table></div><p>Sets up up a libwhisker hash with the normal Nikto variables.
640         This should be used if any custom calls to libwhisker are used.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">string <b class="fsfunc">char_escape</b>(</code></td><td><var class="pdparam">line</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">line</var>;</code></td></tr></table></div><p>Escapes any characters within line.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">array <b class="fsfunc">parse_csv</b>(</code></td><td><var class="pdparam">text</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">text</var>;</code></td></tr></table></div><p>Breaks a line of CSV text into an array of items.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">arrayref <b class="fsfunc">init_db</b>(</code></td><td><var class="pdparam">dbname</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">dbname</var>;</code></td></tr></table></div><p>Initialises a database that is in <code class="varname">PLUGINDIR</code>
641         and returns an arrayref. The arrayref is to an array of hashrefs, each
642         hash member is configured by the first line in the database file, for
643         example:</p><pre class="screen">"nikto_id","md5hash","description"</pre><p>This will result in an array of hashrefs with parameters:</p><pre class="screen">array[0]-&gt;{nikto_id}
array[0]-&gt;{md5hash}
array[0]-&gt;{description}</pre><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">void <b class="fsfunc">add_vulnerability</b>(</code></td><td><var class="pdparam">mark</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">message</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">nikto_id</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">osvdb</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">method</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">uri</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">data</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>hashref </code> </td><td><code><var class="pdparam">mark</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">message</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">nikto_id</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">osvdb</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">method</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">uri</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">data</var>;</code></td></tr></table></div><p>Adds a vulnerability for the mark, displays it to standard out
646         and sends it to any reporting plugins.</p><div class="funcsynopsis"><table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr><td><code class="funcdef">void <b class="fsfunc">nprint</b>(</code></td><td><var class="pdparam">message</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">display</var><code>)</code>;</td><td> </td></tr></table><table border="0" summary="Function argument synopsis" cellspacing="0" cellpadding="0"><tr><td><code>string </code> </td><td><code><var class="pdparam">message</var>;</code></td></tr><tr><td><code>string </code> </td><td><code><var class="pdparam">display</var>;</code></td></tr></table></div><p>Prints <em class="parameter"><code>message</code></em> to standard out.
        <em class="parameter"><code>Display</code></em> specifies a filter for the message;
        currently this can be "v" for verbose and "d" for debug
649         output.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id290403"></a>Global Variables</h3></div></div></div><p>The following global variables exist within Nikto, most of
650         them are defined for internal use and their use by plugins is not
        advised. Several have been deprecated and should not be used by
652         plugins.</p><div class="variablelist"><dl><dt><span class="term"><code class="varname">%TEMPLATES</code> (read/write)</span></dt><dd><p>Hash to store the HTML and XML report templates.</p></dd><dt><span class="term"><code class="varname">%ERRSTRINGS</code> (read)</span></dt><dd><p>Hash to contain all the entries in db_404 - a list of
653                  strings that may indicate a 404.</p></dd><dt><span class="term"><code class="varname">%CLI</code> (read)</span></dt><dd><p>Hash of passed CLI parameters</p></dd><dt><span class="term"><code class="varname">%VARIABLES</code> (read) (write)</span></dt><dd><p>Hash of contents of the entries in db_variables. Plugins
                 should only write to this hash in the reconnaissance
655                  phase.</p></dd><dt><span class="term"><code class="varname">%TESTS</code> (read) (write)</span></dt><dd><p>Hash of the db_tests database. This is only intended
656                  to be used by the tests plugin, though it could be used by a
                 reconnaissance plugin to add tests on the fly.</p></dd><dt><span class="term"><code class="varname">$CONTENT</code> (read) (write)
658               (deprecated)</span></dt><dd><p>Global variable to store data from a fetch or nfetch. A
659                  local variable should be used instead</p></dd><dt><span class="term"><code class="varname">%NIKTO</code> (read)</span></dt><dd><p>Hash which contains internal Nikto data, such as help
660                  for the command line parameters.</p></dd><dt><span class="term"><code class="varname">%REALMS</code> (read)</span></dt><dd><p>Hash of data from db_realms.</p></dd><dt><span class="term"><code class="varname">%NIKTOCONFIG</code> (read)</span></dt><dd><p>Hash containing the data read from the configuration
661                  files.</p></dd><dt><span class="term"><code class="varname">%request</code> (read) (write)
662               (deprecated), </span><span class="term"><code class="varname">%result</code> (read) (write)
663               (deprecated)</span></dt><dd><p>Global libwhisker hash. This should not be used; nfetch
664                  or a local hash should be used.</p></dd><dt><span class="term"><code class="varname">%COUNTERS</code> (read) (write)</span></dt><dd><p>Hash containing various global counters (e.g. number of
665                  requests)</p></dd><dt><span class="term"><code class="varname">%db_extensions</code> (read)
666               (deprecated)</span></dt><dd><p>Hash containing a list of common extensions</p></dd><dt><span class="term"><code class="varname">%FoF</code> (read) (write)</span></dt><dd><p>Hash containing data for each extension and what the
                 server produces when a non-existent file is
668                  requested.</p></dd><dt><span class="term"><code class="varname">%UPDATES</code> (read) (write)</span></dt><dd><p>Hash containing any updates that need to be sent back
669                  to cirt.net</p></dd><dt><span class="term"><code class="varname">$DIV</code> (read)</span></dt><dd><p>Divider mark for the items sent to standard out.</p></dd><dt><span class="term"><code class="varname">@DBFILE</code> (read)</span></dt><dd><p>Placeholder used to hold the contents of
670                  <code class="filename">db_tests</code>.</p></dd><dt><span class="term"><code class="varname">@BUILDITEMS</code> (read) (write)
671               (deprecated)</span></dt><dd><p>Array to hold information for tests to act on later.
                 Use should be avoided; a local variable should be used
673                  instead.</p></dd><dt><span class="term"><code class="varname">$PROXYCHECKED</code> (read)</span></dt><dd><p>Flag to see whether connection through the proxy has
674                  been checked.</p></dd><dt><span class="term"><code class="varname">$http_eol</code> (read) (deprecated)</span></dt><dd><p>Contains the http end of line pattern.</p></dd><dt><span class="term"><code class="varname">@RESULTS</code> (read)</span></dt><dd><p>Array of reported vulnerabilities, should only be
675                  written to through
                 <code class="function">add_vulnerability</code>.</p></dd><dt><span class="term"><code class="varname">@PLUGINS</code> (read)</span></dt><dd><p>Array of hashrefs for each plugin. Used internally to
677                  run plugins.</p></dd><dt><span class="term"><code class="varname">@MARKS</code> (read)</span></dt><dd><p>Array of marks to indicate each target.</p></dd><dt><span class="term"><code class="varname">@REPORTS</code> (read)</span></dt><dd><p>Ordered array that reporting plugins should be run in.
                 Used for efficiency when calling reporting plugins.</p></dd><dt><span class="term"><code class="varname">%CACHE</code> (read) (write)</span></dt><dd><p>Hash containing the URI cache; should only be read/written
679                  through <code class="function">nfetch</code>. Members:</p><div class="blockquote"><blockquote class="blockquote"><div class="table"><a name="id290838"></a><p class="title"><b>Table 7.4. Members of the <span class="structname">cache</span>
680                  structure</b></p><div class="table-contents"><table summary="Members of the cache
681                  structure" border="1"><colgroup><col><col></colgroup><tbody><tr><td><em class="structfield"><code>{uri}</code></em></td><td>URI for the cache</td></tr><tr><td><em class="structfield"><code>{uri}{method}</code></em></td><td>HTTP method used</td></tr><tr><td><em class="structfield"><code>{uri}{res}</code></em></td><td>HTTP result for URI</td></tr><tr><td><em class="structfield"><code>{uri}{content}</code></em></td><td>data for URI</td></tr><tr><td><em class="structfield"><code>{uri}{mark}</code></em></td><td>mark hashref for URI</td></tr></tbody></table></div></div><br class="table-break"></blockquote></div></dd></dl></div></div></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id290916"></a>Test Identifiers</h2></div></div></div><p>Each test, whether it comes from one of the databases or in code,
682      must have a unique identifier. The numbering scheme for writing tests is
683      as follows:</p><div class="blockquote"><blockquote class="blockquote"><div class="table"><a name="id290930"></a><p class="title"><b>Table 7.5. TID Scheme</b></p><div class="table-contents"><table summary="TID Scheme" border="1"><colgroup><col><col></colgroup><tbody><tr><td>000000</td><td>db_tests</td></tr><tr><td>400000</td><td>user defined tests (<code class="filename">udb*</code>
684            files)</td></tr><tr><td>500000</td><td>db_favicon</td></tr><tr><td>600000</td><td>db_outdated</td></tr><tr><td>700000</td><td>db_realms</td></tr><tr><td>800000</td><td>db_server_msgs</td></tr><tr><td>900000</td><td>tests defined in code</td></tr></tbody></table></div></div><br class="table-break"></blockquote></div><p>As much data as possible in the <code class="varname">%TESTS</code> hash
685      should be populated for each new test that is defined in code (plugins).
686      These fields include URI for the test, message to print on success,
687      HTTP method and OSVDB ID. Without a 'message' value in
     <code class="varname">%TESTS</code>, output will not be saved in HTML or XML
689      reports. Not all tests are expected to have a uri, method or OSVDB ID.
690      Here is an example of setting those fields:</p><pre class="screen">$TESTS{999999}{uri}="/~root";
$TESTS{999999}{message}="Enumeration of users is possible by requesting ~username";
$TESTS{999999}{method}="GET";
$TESTS{999999}{osvdb}=637;</pre></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id291044"></a>Code Copyrights</h2></div></div></div><p>Any new or updated code, tests or information sent to the author
     is assumed to be free of copyrights. By sending new or updated code, tests
695      or information to the author you relinquish all claims of copyright on
696      the material, and agree that this code can be claimed under the same
697      copyright as Nikto.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="troubleshooting"></a>Chapter 8. Troubleshooting</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id291068">SOCKS Proxies</a></span></dt><dt><span class="section"><a href="#id291078">Debugging</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id291068"></a>SOCKS Proxies</h2></div></div></div><p>Nikto does not currently support SOCKS proxies.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id291078"></a>Debugging</h2></div></div></div><p>The major route to debugging Nikto requests is to use the
     <em class="parameter"><code>-Display</code></em> option with v (verbose) or d (debug). This
699      will output a vast amount of extra information to the screen, so
700      it is advised to redirect output to a file when using them.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="licences"></a>Chapter 9. Licences</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id291106">Nikto</a></span></dt><dt><span class="section"><a href="#id291117">LibWhisker</a></span></dt><dt><span class="section"><a href="#id291129">Tests</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id291106"></a>Nikto</h2></div></div></div><p>Nikto is licensed under the GNU General Public License (GPL), and
701      copyrighted by CIRT, Inc.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id291117"></a>LibWhisker</h2></div></div></div><p>LibWhisker is licensed under the GNU General Public License (GPL),
     and copyrighted by Rain Forest Puppy.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id291129"></a>Tests</h2></div></div></div><p>The web tests are licensed for use with Nikto only, and may not be
703      reused without written consent from CIRT, Inc.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="credits"></a>Chapter 10. Credits</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id291149">Nikto</a></span></dt><dt><span class="section"><a href="#id291161">Thanks</a></span></dt></dl></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id291149"></a>Nikto</h2></div></div></div><p>Nikto was originally written and maintained by Sullo, CIRT, Inc.
704      It is currently maintained by David Lodge. LibWhisker was written
     by Rain Forest Puppy.</p></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id291161"></a>Thanks</h2></div></div></div><p>Many people have provided feedback, fixes, and suggestions. This
706      list attempts to make note of those people, though not all contributors
707      are listed. In no particular order:</p><div class="itemizedlist"><ul type="disc"><li><p>Nikto 2 Testing: Paul Woroshow, Mark G. Spencer, Michel
708            Arboi, Jericho, rfp</p></li><li><p>Jericho (attrition.org/OSVDB/OSF).
709            Support/ideas/tests/corrections/spam and help matching OSVDB IDs
710            to tests.</p></li><li><p>rfp (wiretrip.net). LibWhisker and continuing
711            support.</p></li><li><p>Erik Cabetas for many updates and fixes.</p></li><li><p>Jake Kouns (OSVDB/OSF).</p></li><li><p>Jabra (spl0it.org) for XML DTD, XML templates and supporting
712            code.</p></li><li><p>Stephen Valdez. Extensive testing. We all miss you.</p></li><li><p>S Saady. Extensive testing.</p></li><li><p>Zeno (cgisecurity.com). Nikto mirroring.</p></li><li><p>P Eronen (nixu.com). Provided many code fixes.</p></li><li><p>M Arboi. Great support by writing the code to make Nikto
713            work within Nessus, as well as bug reports.</p></li><li><p>T Seyrat. Maintains Nikto for the Debian releases.</p></li><li><p>J DePriest. Ideas/fixes.</p></li><li><p>P Woroshow. Ideas/fixes.</p></li><li><p>fr0stman. Tests.</p></li><li><p>H Heimann. Tests.</p></li><li><p>Xiola (xiola.net). Web design and more.</p></li><li><p>Ryan Dewhurst. Domain guessing code.</p></li></ul></div><p>This document is © 2009 CIRT, Inc. and may not be reused without
714      permission.</p></div></div></div></body></html>
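An added example for the init_db and Test Identifiers sections of the manual above; it is not code from Nikto or from the manual. It builds the array of hashrefs the manual describes for init_db and checks tests defined in code against the TID scheme in Table 7.5. The helper names (split_quoted_csv, load_db, tid_source, check_code_test), the reading of each table number as the start of a range, and the sample database rows are assumptions made for illustration.

```perl
use strict;
use warnings;

# Table 7.5 read as range starts (an assumption), highest first.
my @TID_RANGES = ([900000, 'tests defined in code'], [800000, 'db_server_msgs'],
    [700000, 'db_realms'], [600000, 'db_outdated'], [500000, 'db_favicon'],
    [400000, 'user defined tests (udb* files)'], [0, 'db_tests']);

# Naive stand-in for parse_csv: returns the contents of each quoted field.
sub split_quoted_csv { my ($line) = @_; return $line =~ /"([^"]*)"/g; }

# Build the array of hashrefs described for init_db: the first line of the
# database supplies the key names for every following row.
sub load_db {
    my ($text) = @_;
    my @lines = grep { /\S/ } split /\r?\n/, $text;
    return [] unless @lines;
    my @keys = split_quoted_csv(shift @lines);
    return [ map { my %row; @row{@keys} = split_quoted_csv($_); \%row } @lines ];
}

# Name the database or source whose TID range an identifier falls in.
sub tid_source {
    my ($tid) = @_;
    my ($range) = grep { $tid >= $_->[0] } @TID_RANGES;
    return $range ? $range->[1] : 'unknown';
}

# Problems with a test defined in code: an ID below 900000, an ID already
# taken, or no 'message' (without which reports do not save the output).
sub check_code_test {
    my ($tests, $tid, $taken) = @_;
    my $test = $tests->{$tid} || {};
    my @problems;
    push @problems, 'ID is in the range of ' . tid_source($tid) if $tid < 900000;
    push @problems, 'ID is already in use' if $taken->{$tid};
    push @problems, 'no message set' unless length($test->{message} // '');
    return @problems;
}

# Constructed sample database in the header-plus-rows layout.
my $db = load_db(<<'END');
"nikto_id","md5hash","description"
"500001","0123456789abcdef0123456789abcdef","Constructed favicon entry A"
"500002","fedcba9876543210fedcba9876543210","Constructed favicon entry B"
END
my %taken = map { $_->{nikto_id} => 1 } @$db;

my %TESTS;    # local stand-in for Nikto's global %TESTS
$TESTS{999999} = { uri => '/~root', method => 'GET', osvdb => 637,
    message => 'Enumeration of users is possible by requesting ~username' };
$TESTS{500001} = { uri => '/constructed' };    # wrong range, taken, no message
for my $tid (sort { $a <=> $b } keys %TESTS) {
    my @problems = check_code_test(\%TESTS, $tid, \%taken);
    print "$tid: ", (@problems ? join('; ', @problems) : 'ok'), "\n";
}
```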