Last updated: 2022-12-07
Introduction
Nikto is a tool for testing how secure a web site is.
It can find:
- 3500 potentially dangerous files/CGIs
- version specific problems on over 250 servers.
After the test finishes, it produces a report listing the potential problems it found.
Homepage: http://www.cirt.net/code/nikto.shtml
Contents
- V1
- V2
V1
Installation
apt-get install nikto
Usage
nikto -h datahunter.org
V2
Nikto2 is built on LibWhisker2 (by RFP) and can run on any platform which has a Perl environment.
- Checks for outdated server components
- Save reports in plain text, XML, HTML, NBE or CSV
- LibWhisker's IDS encoding techniques
- Auto-pause at a specified time
- Authorization guessing handles any directory, not just the root directory
- Host authentication with Basic and NTLM
Installation
# Ubuntu-12.04 (Nikto v2.1.4)
apt-get install nikto
potentially dangerous files/CGIs: 6500
outdated versions of servers: 1250
version specific problems: 270
Usage Example
# Updating DB
nikto -update
+ Retrieving 'db_variables'
+ Retrieving 'db_favicon'
+ Retrieving 'db_server_msgs'
+ Retrieving 'nikto_robots.plugin'
+ Retrieving 'nikto_cookies.plugin'
+ Retrieving 'db_tests'
+ Retrieving 'db_outdated'
+ Retrieving 'CHANGES.txt'
# check database syntax errors
nikto -dbcheck
--> Nikto Databases
Syntax Check: /var/lib/nikto/plugins/db_headers 67 entries
Syntax Check: /var/lib/nikto/plugins/db_httpoptions 12 entries
Syntax Check: /var/lib/nikto/plugins/db_multiple_index 29 entries
Syntax Check: /var/lib/nikto/plugins/db_server_msgs 257 entries
Syntax Check: /var/lib/nikto/plugins/db_subdomains 293 entries
Syntax Check: /var/lib/nikto/plugins/db_favicon 97 entries
Syntax Check: /var/lib/nikto/plugins/db_embedded 15 entries
Syntax Check: /var/lib/nikto/plugins/db_404_strings 29 entries
Syntax Check: /var/lib/nikto/plugins/db_outdated 1239 entries
Syntax Check: /var/lib/nikto/plugins/db_realms 154 entries
Syntax Check: /var/lib/nikto/plugins/db_tests 6456 entries
Syntax Check: /var/lib/nikto/plugins/db_variables 12 entries
Syntax Check: /var/lib/nikto/plugins/db_content_search 9 entries
Scan
perl nikto.pl -h 192.168.0.1 -p 80
perl nikto.pl -h https://192.168.0.1:443/
Scan subnet
nmap -p80 192.168.0.0/24 -oG - | nikto.pl -h -
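The pipeline above hands nmap's greppable output straight to nikto.pl. When you want to check what nmap actually found before a scheduled scan of your own subnet runs (for example, to skip hosts where the port is closed or filtered and to use https:// for TLS ports), it helps to parse the -oG format yourself. The script below is an added example, not part of the original notes or of Nikto; the nmap output it parses is constructed, and the one-command-per-host layout with -Format and -output is an assumed convention of this example.

```python
import re
from typing import List, Tuple

# Constructed sample of nmap greppable (-oG) output; not a real scan.
# Port fields are port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_OG = """\
# Nmap 7.80 scan initiated Wed Dec  7 10:00:00 2022 as: nmap -p80,443 -oG - 192.168.0.0/29
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (0)
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.2 ()\tPorts: 80/closed/tcp//http///, 443/open/tcp//https///
Host: 192.168.0.3 ()\tStatus: Up
Host: 192.168.0.3 ()\tPorts: 80/filtered/tcp//http///, 443/filtered/tcp//https///
# Nmap done at Wed Dec  7 10:00:05 2022 -- 8 IP addresses (3 hosts up) scanned in 5.01 seconds
"""

# port / state / protocol / owner / service /
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_open_web_ports(og_text: str) -> List[Tuple[str, int, str]]:
    """Return (host, port, service) for every open TCP port in -oG output."""
    targets = []
    for line in og_text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines ("# Nmap ...") carry no hosts
        host = line.split()[1]
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue  # "Status: Up" lines have no port list
        for port, state, proto, service in PORT_RE.findall(m.group(1)):
            if state == "open" and proto == "tcp":
                targets.append((host, int(port), service))
    return targets


def nikto_commands(targets, fmt: str = "csv", outdir: str = "reports") -> List[str]:
    """Build one nikto invocation per open web port (assumed naming: host_port.fmt)."""
    cmds = []
    for host, port, service in targets:
        scheme = "https" if service == "https" or port == 443 else "http"
        out = f"{outdir}/{host}_{port}.{fmt}"
        cmds.append(f"nikto -h {scheme}://{host}:{port}/ -Format {fmt} -output {out}")
    return cmds


if __name__ == "__main__":
    for cmd in nikto_commands(parse_open_web_ports(SAMPLE_OG)):
        print(cmd)
```

Only hosts whose port state is open are emitted; the filtered host 192.168.0.3 is dropped, which avoids long timeouts in a scheduled run.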
-id
ID and password to use for host Basic host authentication. Format is "id:password".
Configuration Files
- /etc/nikto.conf
- $HOME/nikto.conf
Reports
# If no -Format is specified, Nikto will try to guess the format from the file extension
-Format -output
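Once the reports are written in CSV, the same finding (a missing header, an outdated server banner) tends to repeat across every host, so it is worth grouping findings by test id before opening tickets. The script below is an added example, not part of the original notes or of Nikto; it assumes a seven-column CSV layout (host, ip, port, test id, method, uri, message) and the sample rows are constructed, not real Nikto output.

```python
import csv
import io
from collections import defaultdict

# Constructed sample CSV report; assumed column order
# host, ip, port, test id, method, uri, message. Ids and messages are made up.
SAMPLE_CSV = '''\
"192.168.0.1","192.168.0.1","80","000001","GET","/","The X-Frame-Options header is not present."
"192.168.0.1","192.168.0.1","80","000002","GET","/","Apache/2.2.22 appears to be outdated (current is at least 2.4.x)."
"192.168.0.1","192.168.0.1","80","000003","GET","/server-status","Server status page is accessible."
"192.168.0.2","192.168.0.2","443","000001","GET","/","The X-Frame-Options header is not present."
"192.168.0.2","192.168.0.2","443","000004","GET","/backup/","Directory indexing found."
'''

COLUMNS = ("host", "ip", "port", "test_id", "method", "uri", "message")


def parse_nikto_csv(text: str):
    """Parse CSV rows into dicts; lines without the expected column count are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(COLUMNS):
            continue  # banner or blank line, not a finding
        rows.append(dict(zip(COLUMNS, rec)))
    return rows


def summarize_by_finding(rows):
    """Group findings by test id so one issue on many hosts becomes one entry,
    ordered with the most widespread finding first."""
    by_id = defaultdict(lambda: {"message": "", "targets": []})
    for r in rows:
        entry = by_id[r["test_id"]]
        entry["message"] = r["message"]
        entry["targets"].append(f'{r["host"]}:{r["port"]}{r["uri"]}')
    return sorted(by_id.items(), key=lambda kv: (-len(kv[1]["targets"]), kv[0]))


def merge_reports(*csv_texts: str):
    """Combine several per-host CSV reports (one -output file each) into one summary."""
    rows = []
    for text in csv_texts:
        rows.extend(parse_nikto_csv(text))
    return summarize_by_finding(rows)


if __name__ == "__main__":
    for test_id, entry in merge_reports(SAMPLE_CSV):
        print(f'{test_id}  x{len(entry["targets"])}  {entry["message"]}')
        for t in entry["targets"]:
            print(f"    {t}")
```

merge_reports takes the text of each per-host file, so a scheduled job can read every *.csv written with -output and produce a single list where each repeated finding appears once with all affected targets under it.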