Changeset 292
- Timestamp:
- 01/29/2010 04:44:00 AM (3 years ago)
- Location:
- trunk
- Files:
-
- 18 edited
-
docs/CHANGES.txt (modified) (1 diff)
-
nikto.conf (modified) (1 diff)
-
plugins/nikto_apache_expect_xss.plugin (modified) (1 diff)
-
plugins/nikto_apacheusers.plugin (modified) (1 diff)
-
plugins/nikto_cgi.plugin (modified) (1 diff)
-
plugins/nikto_core.plugin (modified) (11 diffs)
-
plugins/nikto_dictionary_attack.plugin (modified) (1 diff)
-
plugins/nikto_embedded.plugin (modified) (2 diffs)
-
plugins/nikto_favicon.plugin (modified) (1 diff)
-
plugins/nikto_headers.plugin (modified) (4 diffs)
-
plugins/nikto_httpoptions.plugin (modified) (5 diffs)
-
plugins/nikto_msgs.plugin (modified) (2 diffs)
-
plugins/nikto_multiple_index.plugin (modified) (1 diff)
-
plugins/nikto_put_del_test.plugin (modified) (2 diffs)
-
plugins/nikto_robots.plugin (modified) (1 diff)
-
plugins/nikto_subdomain.plugin (modified) (1 diff)
-
plugins/nikto_tests.plugin (modified) (2 diffs)
-
plugins/nikto_user_enum_apache.plugin (modified) (3 diffs)
trunk/docs/CHANGES.txt
r278 r292 1 1 2010-01-20 Nikto 2.1.1 2 - Moved User-Agent string to nikto.conf 3 - Added dynamic variables to User-Agent (Testid, Evasion methods) 2 4 - Reporting: simplify xml/html code, fix a bug when a space is in the uri, and load ony needed templates 3 5 - Enable 2 new LW evasion tacticts (carriage return or binary value as request spacer) -
trunk/nikto.conf
r174 r292 13 13 14 14 # ports never to scan 15 SKIPPORTS=21 111 15 #SKIPPORTS=21 111 16 17 # User-Agent variables: 18 # @VERSION - Nikto version 19 # @TESTID - Test identifier 20 # @EVASIONS - List of active evasions 21 USERAGENT="Mozilla/4.75 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)"; 16 22 17 23 # IDs never to alert on (Note: this only works for IDs loaded from db_tests) -
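Review bot: Commenting out `SKIPPORTS=21 111` silently widens the default scan scope (the comment above it says these are "ports never to scan") and CHANGES.txt in this changeset does not mention it, so either restore the line or record the behaviour change. The new `USERAGENT` value is written with surrounding double quotes and a trailing `;`; unless the config loader strips both (not visible here), they go out verbatim in the User-Agent header, and the plain form `USERAGENT=Mozilla/4.75 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)` avoids the question. A comment such as `# Every request now advertises the test id and evasion list to the target; override here for a less distinctive string` would tell operators what they are sending.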
trunk/plugins/nikto_apache_expect_xss.plugin
r240 r292 39 39 my ($mark) = @_; 40 40 my %headers=('Expect', '<script>alert(xss)</script>'); 41 (my $RES, $CONTENT) = nfetch($mark, "/", "GET", "", \%headers);41 (my $RES, $CONTENT) = nfetch($mark, "/", "GET", "", \%headers, "", "apache_expect_xss"); 42 42 43 43 if ($CONTENT =~ /<script>alert\(xss\)<\/script>/) -
trunk/plugins/nikto_apacheusers.plugin
r240 r292 38 38 { 39 39 my ($mark) = @_; 40 (my $RES, $CONTENT) = nfetch($mark, "/~root", "GET");40 (my $RES, $CONTENT) = nfetch($mark, "/~root", "GET", "", "", "", "apacheusers: known user"); 41 41 42 42 $CONTENT = char_escape($CONTENT); 43 43 if ($CONTENT =~ /forbidden/i) # good on "root" 44 44 { 45 (my $RES, $CONTENT) = nfetch($mark, "/~" . LW2::utils_randstr(8), "GET");45 (my $RES, $CONTENT) = nfetch($mark, "/~" . LW2::utils_randstr(8), "GET", "", "", "", "apacheusers: invalid user"); 46 46 47 47 $CONTENT = char_escape($CONTENT); -
trunk/plugins/nikto_cgi.plugin
r284 r292 62 62 foreach $possiblecgidir (@CFGCGI) 63 63 { 64 ($res, $content)=nfetch($mark, $possiblecgidir,"GET");64 ($res, $content)=nfetch($mark, $possiblecgidir, "GET", "", "", "", "cgi dir check"); 65 65 nprint("Checked for CGI dir\t$possiblecgidir\tgot:$res","d"); 66 66 if (content_present($res) eq TRUE) -
trunk/plugins/nikto_core.plugin
r291 r292 660 660 if (defined $CLI{'evasion'}) 661 661 { 662 $CLI{'evasion'}=~s/[^ 0-9]//g;662 $CLI{'evasion'}=~s/[^1-8AB]//g; 663 663 } 664 664 … … 670 670 $NIKTO{'timeout'}=$CLI{'timeout'} || 10; 671 671 672 $NIKTO{'useragent'}="Mozilla/4.75 ($NIKTO{'name'}/$NIKTO{'version'})"; 672 # Set up User-Agent 673 $NIKTO{'useragent'} = $NIKTOCONFIG{'USERAGENT'}; 674 $NIKTO{'useragent'} =~ s/\@VERSION/$NIKTO{'version'}/g; 675 my $ev = $CLI{'evasion'} || "None"; 676 $NIKTO{'useragent'} =~ s/\@EVASIONS/$ev/g; 673 677 674 678 # SSL Test … … 1187 1191 my %headers; 1188 1192 1189 (my $res, $content) = nfetch($mark, "/","GET","",\%headers);1193 (my $res, $content) = nfetch($mark, "/", "GET", "", \%headers, "", "Get Banner"); 1190 1194 1191 1195 return $headers{server}; … … 1214 1218 $m->{ssl}=($checkssl eq "HTTP")?0:1; 1215 1219 proxy_check($m); 1216 my ($res, $content)=nfetch($m, "/", $method, "", \%headers );1220 my ($res, $content)=nfetch($m, "/", $method, "", \%headers, "", "Port Check"); 1217 1221 1218 1222 if ($res) … … 1770 1774 { 1771 1775 LW2::http_close(\%request); # force-close any old connections 1772 setup_hash(\%request, $mark );1776 setup_hash(\%request, $mark, "Proxy Check"); 1773 1777 $request{'whisker'}->{'method'}="GET"; 1774 1778 $request{'whisker'}->{'uri'}="/"; … … 1891 1895 $request{'whisker'}->{'uri'} = $CLI{'root'} . 
$_[0]; # prepend -root option value 1892 1896 } 1897 1898 # Set testid in UA 1899 my $temp_ua = $request{'User-Agent'}; 1900 my $testid = $_[3]; 1901 $request{'User-Agent'}=~s/\@TESTID/$testid/g; 1902 1893 1903 $request{'whisker'}->{'method'} = $_[1]; 1894 1904 delete $request{'whisker'}->{'data'}; … … 1956 1966 } 1957 1967 } 1968 $request{'User-Agent'}=$temp_ua; # reset UA 1958 1969 return $result{'whisker'}->{'code'}, $result{'whisker'}->{'data'}; 1959 1970 } … … 1961 1972 sub setup_hash 1962 1973 { 1963 my ($reqhash, $mark) = @_;1974 my ($reqhash, $mark, $testid) = @_; 1964 1975 1965 1976 # Do the standard set up for the hash … … 1968 1979 $reqhash->{whisker}->{lowercase_incoming_headers}=1; 1969 1980 $reqhash->{whisker}->{timeout}=$NIKTO{'timeout'}; 1970 if (defined $CLI{'evasion'}) 1971 { 1972 $reqhash->{whisker}->{encode_anti_ids}=$CLI{'evasion'}; 1973 } 1981 if (defined $CLI{'evasion'}) { 1982 $reqhash->{whisker}->{encode_anti_ids}=$CLI{'evasion'}; 1983 } 1974 1984 $reqhash->{'User-Agent'}=$NIKTO{'useragent'}; 1985 $reqhash->{'User-Agent'}=~s/\@TESTID/$testid/g; 1975 1986 $reqhash->{whisker}->{retry}=0; 1976 $reqhash->{whisker}->{host} = $mark->{hostname} || $mark->{ip}; 1977 1978 if ($mark->{vhost}) 1979 { 1980 $request{Host} = $mark->{vhost}; 1981 } 1987 $reqhash->{whisker}->{host}=$mark->{hostname} || $mark->{ip}; 1988 1989 if ($mark->{vhost}) { 1990 $request{Host} = $mark->{vhost}; 1991 } 1982 1992 $reqhash->{whisker}->{port} = $mark->{port}; 1983 1993 $reqhash->{whisker}->{ssl} = $mark->{ssl}; 1984 1994 1985 1995 # Proxy stuff 1986 if (defined $NIKTOCONFIG{PROXYHOST} && defined $CLI{'useproxy'}) 1987 { 1988 $reqhash->{'whisker'}->{'proxy_host'}=$NIKTOCONFIG{PROXYHOST}; 1989 $reqhash->{'whisker'}->{'proxy_port'}=$NIKTOCONFIG{PROXYPORT}; 1990 LW2::auth_set("proxy-basic",$reqhash,$NIKTOCONFIG{PROXYUSER}, 1991 $NIKTOCONFIG{PROXYPASS}); # set auth 1992 } 1996 if (defined $NIKTOCONFIG{PROXYHOST} && defined $CLI{'useproxy'}) { 1997 
$reqhash->{'whisker'}->{'proxy_host'}=$NIKTOCONFIG{PROXYHOST}; 1998 $reqhash->{'whisker'}->{'proxy_port'}=$NIKTOCONFIG{PROXYPORT}; 1999 LW2::auth_set("proxy-basic",$reqhash,$NIKTOCONFIG{PROXYUSER}, $NIKTOCONFIG{PROXYPASS}); 2000 } 1993 2001 1994 2002 return $reqhash; … … 1997 2005 sub nfetch 1998 2006 { 1999 my ($mark, $uri, $method, $data, $headers, $noclean ) = @_;2007 my ($mark, $uri, $method, $data, $headers, $noclean, $testid) = @_; 2000 2008 if ($CLI{'pause'} > 0) { sleep $CLI{'pause'}; } 2001 2009 my (%request, %result); 2002 setup_hash(\%request, $mark );2010 setup_hash(\%request, $mark, $testid); 2003 2011 2004 2012 $request{whisker}->{uri} = $uri; … … 2323 2331 $request{'Host'}="www.cirt.net"; 2324 2332 LW2::http_fixup_request(\%request); 2325 ($RES, $CONTENT) = fetch("/cgi-bin/versions?DATA=$updated_version","GET");2333 ($RES, $CONTENT) = fetch("/cgi-bin/versions?DATA=$updated_version","GET"); 2326 2334 } 2327 2335 -
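Review bot: The User-Agent setup now takes `$NIKTOCONFIG{'USERAGENT'}` with no fallback, so anyone running this code against an older nikto.conf without that key gets an undefined User-Agent (plus "uninitialized value" warnings from the two substitutions) and requests leave with an empty header; keep the old default as a fallback, `$NIKTO{'useragent'} = $NIKTOCONFIG{'USERAGENT'} || "Mozilla/4.75 ($NIKTO{'name'}/$NIKTO{'version'})";`. The same applies to `$testid` in fetch and setup_hash whenever a caller omits the new argument (the versions check `fetch("/cgi-bin/versions?DATA=...","GET")` in this file still does), so default it with `my $testid = defined $_[3] ? $_[3] : "";` in both places. Separately, the rewritten vhost branch in setup_hash still assigns `$request{Host}` on the file-level hash rather than `$reqhash->{Host}`, so the lexical `%request` that nfetch passes in appears never to carry the -vhost Host header; `$reqhash->{Host} = $mark->{vhost};` is what the surrounding code intends. fetch, setup_hash and nfetch each start or end outside the shown hunks.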
trunk/plugins/nikto_dictionary_attack.plugin
r284 r292 67 67 my $dir=$_; 68 68 if (($ctr % 100) == 0) { nprint("- Directory enumeration guess $ctr ($dir): /$dir/", "v"); } 69 my ($result, $content) = nfetch($mark, "/$dir/", "HEAD");69 my ($result, $content) = nfetch($mark, "/$dir/", "HEAD", "", "", "", "dictionary_attack"); 70 70 foreach my $found (split(/ /, $VARIABLES{"\@HTTPFOUND"})) 71 71 { -
trunk/plugins/nikto_embedded.plugin
r284 r292 33 33 { 34 34 name => "embedded", 35 full_name => "Embedded De stection",35 full_name => "Embedded Detection", 36 36 author => "Deity", 37 37 description => "Checks to see whether the host is an embedded server.", … … 50 50 foreach my $item (@$dbarray) 51 51 { 52 (my $res, $content) = nfetch($mark, $item->{uri},"GET");52 (my $res, $content) = nfetch($mark, $item->{uri}, "GET", "", "", "", "embedded detection"); 53 53 if ($res eq "200") 54 54 { -
trunk/plugins/nikto_favicon.plugin
r240 r292 38 38 { 39 39 my ($mark)=@_; 40 my ($RES, $CONTENT) = nfetch($mark, "/favicon.ico","GET");40 my ($RES, $CONTENT) = nfetch($mark, "/favicon.ico", "GET", "", "", "", "favicon"); 41 41 my $dbarray = init_db("db_favicon"); 42 42 -
trunk/plugins/nikto_headers.plugin
r284 r292 49 49 foreach my $f (qw/\/index.php \/junk999.php \/ \/index.php3 \/ \/junk999.php3 \/index.cfm \/junk999.cfm \/index.asp \/junk999.asp \/index.aspx \/junk988.aspx/ ) 50 50 { 51 (my $res, $content) = nfetch($mark, $f, "GET", "", \%headers);51 (my $res, $content) = nfetch($mark, $f, "GET", "", \%headers, "", "headers: powered-by"); 52 52 if (defined $headers{'x-powered-by'}) { $xpb{ $headers{'x-powered-by'} } = 1; } 53 53 } … … 69 69 foreach my $f (qw/\/index.asp \/junk999.asp \/index.aspx \/junk988.aspx \/login.asp \/login.aspx/ ) 70 70 { 71 (my $res, $content) = nfetch($mark, $f , "GET", "", \%transheaders );71 (my $res, $content) = nfetch($mark, $f , "GET", "", \%transheaders, "", "headers: Translate-f #1"); 72 72 if ($res eq "200") 73 73 { 74 74 $transheaders{'Translate'}="f"; 75 ($res, $content) = nfetch($mark, $f . "\\", "GET", "", \%transheaders);75 ($res, $content) = nfetch($mark, $f . "\\", "GET", "", \%transheaders, "", "headers: Translate-f #2"); 76 76 if ($res eq "200") 77 77 { … … 168 168 169 169 # First let's hit something we know should return something 170 my ($res, $content)=nfetch($mark, "/","GET","",\%headers);170 my ($res, $content)=nfetch($mark, "/", "GET" ,"" ,\%headers, "", "headers: base"); 171 171 172 172 foreach my $header (@interesting_headers) … … 210 210 foreach my $f (qw/\/index.html \/index.htm \/robots.txt/) 211 211 { 212 (my $res, $content) = nfetch($mark, $f, "GET","", \%headers);212 (my $res, $content) = nfetch($mark, $f, "GET", "", \%headers, "", "headers: etag"); 213 213 last if (defined $headers{'etag'}); 214 214 } -
trunk/plugins/nikto_httpoptions.plugin
r285 r292 42 42 my %headers; 43 43 # test for both OPTIONS / and OPTIONS * as they may give different results 44 (my $res, $content) = nfetch($mark, "*", "OPTIONS", "", \%headers);44 (my $res, $content) = nfetch($mark, "*", "OPTIONS", "", \%headers, "", "httpoptions: OPTIONS *"); 45 45 my $aoptions = "$headers{allow}, "; 46 46 my $poptions = "$headers{public}, "; … … 51 51 $dbarray=init_db("db_httpoptions"); 52 52 53 ($res, $content) = nfetch($mark, "/", "OPTIONS", "", \%headers);53 ($res, $content) = nfetch($mark, "/", "OPTIONS", "", \%headers, "", "httpoptions: OPTIONS /"); 54 54 $aoptions .= $headers{allow}; 55 55 $poptions .= $headers{public}; … … 78 78 # IIS Debug 79 79 80 ($res, $content) = nfetch($mark, "/","DEBUG",);80 ($res, $content) = nfetch($mark, "/" ,"DEBUG", "" ,"" ,"" ,"httpoptions: DEBUG"); 81 81 if ($res == 200) 82 82 { … … 88 88 "Content-Length" => "0", 89 89 ); 90 ($res, $content) = nfetch($mark, "/","PROPFIND","",\%headers,1);90 ($res, $content) = nfetch($mark, "/", "PROPFIND", "", \%headers, 1, "httpoptions: PROPFIND"); 91 91 if ($res == 207) 92 92 { … … 110 110 { 111 111 $request{whisker}{version} = $version; 112 ($res, $content) = nfetch($mark, "/","$method","",\%headers);112 ($res, $content) = nfetch($mark, "/", $method, "", \%headers, "", "httpoptions: $method"); 113 113 if ($res == 200) 114 114 { -
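Review bot: The same `%headers` hash is handed to both OPTIONS requests (lines 44 and 53) without being cleared in between, so if the `OPTIONS /` response carries no Allow or Public header the values left over from `OPTIONS *` are appended a second time and reported as if the server sent them twice — unless nfetch empties the hash itself, which is not visible here; an explicit `%headers = ();` before the second call (and before the PROPFIND call that reuses it) removes the doubt. The numeric `$res == 200` / `$res == 207` comparisons also warn when `$res` is empty after a failed connection, while the other plugins touched by this changeset compare with `eq`; matching them would be consistent. The enclosing sub begins before this hunk.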
trunk/plugins/nikto_msgs.plugin
r285 r292 60 60 if ($mark->{banner} =~ /(Agent-ListenServer-HttpSvr\/1\.0)\b/i) 61 61 { 62 my ($RES, $CONTENT) = nfetch($mark, "/","GET");62 my ($RES, $CONTENT) = nfetch($mark, "/", "GET", "", "", "", "msgs: Agent-ListenServer-HttpSvr"); 63 63 next unless ($RES == 200); 64 64 # Computer name … … 72 72 if ($mark->{banner} =~ /(CompaqHTTPServer)/i) 73 73 { 74 my ($RES, $CONTENT) = nfetch($mark, "/cpqlogin.htm","GET");74 my ($RES, $CONTENT) = nfetch($mark, "/cpqlogin.htm", "GET", "", "", "", "msgs: CompaqHTTPServer"); 75 75 next unless ($RES == 200); 76 76 my $ipaddrs=""; -
trunk/plugins/nikto_multiple_index.plugin
r264 r292 42 42 my ($found, $hashes); 43 43 foreach my $item (@$dbarray) { 44 # Use fetch to minimise extra code44 # Use nfetch to minimise extra code 45 45 # First we need to mangle the host. 46 my ($res, $content) = nfetch($mark, "/$item->{index}", "GET");46 my ($res, $content) = nfetch($mark, "/$item->{index}", "GET", "", "", "", "multiple_index"); 47 47 48 48 if (($res == 200) || ($res == 404)) { -
trunk/plugins/nikto_put_del_test.plugin
r240 r292 42 42 # PUT a page 43 43 my $uri = "/nikto-test-" . LW2::utils_randstr(8) . ".html"; 44 (my $RES, $CONTENT) = nfetch($mark, $uri, "PUT", "This was a Nikto test.");44 (my $RES, $CONTENT) = nfetch($mark, $uri, "PUT", "This was a Nikto test.", "", "", "put_del_test: PUT"); 45 45 46 46 # Request it back 47 47 if ($RES eq 201) 48 48 { 49 (my $RES, $CONTENT) = nfetch($mark, $uri, "GET");49 (my $RES, $CONTENT) = nfetch($mark, $uri, "GET", "", "", "", "put_del_test: GET"); 50 50 if ($CONTENT =~ /This was a Nikto test/) 51 51 { … … 53 53 54 54 # we were able to put it there--can we delete it? 55 (my $RES, $CONTENT) = nfetch($mark, $uri, "DELETE");55 (my $RES, $CONTENT) = nfetch($mark, $uri, "DELETE", "", "", "", "put_del_test: DELETE"); 56 56 if ($RES eq 200) 57 57 { 58 (my $RES, $CONTENT) = nfetch($mark, $uri, "GET");58 (my $RES, $CONTENT) = nfetch($mark, $uri, "GET", "", "", "", "put_del_test: GET"); 59 59 if ($CONTENT !~ /This was a Nikto test/) # gone now 60 60 { -
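Review bot: The two read-back GETs at lines 49 and 58 both send the label `put_del_test: GET`, so in the target's logs the verification after PUT and the verification after DELETE cannot be told apart, whereas the headers plugin in this same changeset numbers its repeated steps (`Translate-f #1` / `#2`); use `"put_del_test: GET after PUT"` and `"put_del_test: GET after DELETE"`. Since this is the only check shown here that writes to the target, a comment at the top of the block would also help: `# NOTE: this test creates (and then tries to remove) a file on the target; the UA label makes each step attributable in server logs`. The sub's body continues outside the hunk.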
trunk/plugins/nikto_robots.plugin
r240 r292 39 39 { 40 40 my ($mark) = @_; 41 (my $RES, $CONTENT) = nfetch($mark, "/robots.txt", "GET");41 (my $RES, $CONTENT) = nfetch($mark, "/robots.txt", "GET", "", "", "", "robots"); 42 42 43 43 if (($RES eq 200) || ($RES eq $FoF{okay}{response})) # got one! -
trunk/plugins/nikto_subdomain.plugin
r283 r292 70 70 my $newhost=$item->{subdomain} . "." . $host; 71 71 $request{whisker}{host} = $newhost; 72 my ($result, $content) = fetch("/", "HEAD" );72 my ($result, $content) = fetch("/", "HEAD", "", "subdomain"); 73 73 74 74 if ($result{whisker}{error} eq "") -
trunk/plugins/nikto_tests.plugin
r269 r292 50 50 foreach my $uri (@urilist) 51 51 { 52 (my $RES, $CONTENT) = fetch($uri,$TESTS{$CHECKID}{method},$TESTS{$CHECKID}{data} );52 (my $RES, $CONTENT) = fetch($uri,$TESTS{$CHECKID}{method},$TESTS{$CHECKID}{data}, $CHECKID); 53 53 nprint("- $RES for $TESTS{$CHECKID}{method}:\t$request{whisker}{uri}","v"); 54 54 # Check for errors to reduce false positives … … 58 58 # Try it again before we report it fully 59 59 sleep(1); 60 ($RES, $CONTENT) = fetch($uri,$TESTS{$CHECKID}{method},$TESTS{$CHECKID}{data} );60 ($RES, $CONTENT) = fetch($uri,$TESTS{$CHECKID}{method},$TESTS{$CHECKID}{data}, $CHECKID); 61 61 nprint("- $RES for $TESTS{$CHECKID}{method}:\t$request{whisker}{uri}","v"); 62 62 -
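Review bot: `$CHECKID` is now interpolated straight into the User-Agent header via fetch's fourth argument, and nothing in the shown core hunks sanitises `$_[3]` before the `s/\@TESTID/$testid/g`; if test ids can come from a user-extended or third-party db_tests (not visible here), an id containing CR/LF or other control characters would corrupt the request line. Restricting the value at the call site, `(my $uaid = $CHECKID) =~ s/[^\w.:#-]//g;` and passing `$uaid` to both fetch calls, keeps the header well-formed regardless of the database contents. The enclosing loop starts before this hunk.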
trunk/plugins/nikto_user_enum_apache.plugin
r284 r292 74 74 { 75 75 my $curl = "$cgidir" . "cgiwrap"; 76 (my $result, $content) = nfetch($mark, "$curl", "GET");76 (my $result, $content) = nfetch($mark, $curl, "GET", "", "", "", "user_enum_apache: cgiwrap"); 77 77 if ($content =~ /check your URL/i) 78 78 { … … 123 123 { 124 124 if (($ctr % 500) eq 0) { nprint("- User enumeration guess $ctr ($text)", "v"); } 125 ($result, $content) = nfetch($mark, $url . $text, "HEAD" );125 ($result, $content) = nfetch($mark, $url . $text, "HEAD", "", "", "", "user_enum_apache: enumeration"); 126 126 my $user = nikto_user_enum_apache_check($result, $text); 127 127 if (defined $user) … … 164 164 if ($_ eq "" ) { next }; 165 165 if (($ctr % 500) == 0) { nprint("- User enumeration guess $ctr ($_)", "v"); } 166 ($result, $content) = nfetch($mark, $url . $_, "HEAD" );166 ($result, $content) = nfetch($mark, $url . $_, "HEAD", "", "", "", "user_enum_apache: dictionary"); 167 167 my $user = nikto_user_enum_apache_check($result, $_); 168 168 if ($user)