Nikto LUCA ALEXANDRA ADELA

Presentation transcript:

Nikto LUCA ALEXANDRA ADELA

Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release: / December 17, 2012  Development status Active  Written in Perl  Open Source (GPL)  Works natively on Linux, Apple Mac OS X, Microsoft Windows  Requirements: system with basic Perl, Perl Modules, OpenSSL installation

Vulnerabilities  Server and software misconfigurations  Default files and programs  Insecure files and programs  Outdated servers and programs

Tests  Over 6400 potentially dangerous files/CGIs  Outdated versions of over 1250 servers  Version specific problems on over 270 servers  Server configuration items  Captures and prints any cookies received  Installed software and web servers

Features  Supports SSL  Supports full http proxy  Supports text, HTML, XML and CSV to save reports.  Scans multiple ports on a server or multiple servers via input file (including Nmap output)  Easily updated via command line  Thorough documentation  It can be integrated in Nessus (Nessus can be configured to automatically launch Nikto when it finds a web server)  Can log in to Metasploit  Capable of sending data along with requests to servers (cross site scripting and SQL injection)

Advanced Error Detection Logic
- Most web security tools rely on the HTTP response to determine if a page or script exists
- Many servers do not properly adhere to RFC standards, which leads to false positives
- Nikto uses:
  - Standard RFC response
  - Content match
  - MD5 hash
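The three checks on this slide, as an added Python sketch that is not Nikto's own code and not part of the presentation: it decides whether a response really means "this file exists" on a server that answers 200 for everything. The marker list, probe path, check order, path-stripping step and sample responses are all constructed assumptions.

```python
import hashlib
import re

# Phrases that typically appear on custom error pages (constructed list).
NOT_FOUND_MARKERS = re.compile(rb"page not found|does not exist|error 404", re.I)


def fingerprint(body: bytes, path: str) -> str:
    """MD5 of the body with the requested path removed, so error pages
    that echo the URL back still hash to the same value."""
    return hashlib.md5(body.replace(path.encode(), b"")).hexdigest()


def classify(status: int, body: bytes, path: str, baseline_md5: str) -> str:
    """Return 'found' or the name of the check that rejected the response."""
    # 1. Standard RFC response: a well-behaved server says 404/410 itself.
    if status in (404, 410):
        return "rfc-status"
    # 2. Content match: 200 OK whose body reads like an error page.
    if NOT_FOUND_MARKERS.search(body):
        return "content-match"
    # 3. MD5 hash: body identical to what the server returned for a path
    #    that cannot exist, so this is the same catch-all page.
    if fingerprint(body, path) == baseline_md5:
        return "md5-match"
    return "found"


# Constructed sample server: answers 200 with a branded page for every
# unknown URL and echoes the requested path back.
def catch_all(path: str) -> bytes:
    return f"<html><h1>Acme Portal</h1><p>Nothing at {path}</p></html>".encode()


PROBE = "/zz_probe_4f9c1e7a.html"  # random name that should not exist
BASELINE = fingerprint(catch_all(PROBE), PROBE)

if __name__ == "__main__":
    path = "/docs/readme.html"
    print(classify(404, b"Not Found", path, BASELINE))
    print(classify(200, b"<h1>Error 404</h1>", path, BASELINE))
    print(classify(200, catch_all(path), path, BASELINE))
    print(classify(200, b"<title>Readme</title>", path, BASELINE))
```

Relying on the status code alone would report the second and third responses as findings; the content match and the baseline hash are what suppress them.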

Use  Update ◦perl nikto.pl -update  Run ◦perl nikto.pl -h  Setting the display to verbose ◦perl nikto.pl -display V  Save output to file ◦perl nikto.pl -h output results.html

Case studies  Virtualization: Oracle VM VirtualBox  OS: Kali Linux (64bit)  Web vulnerability scanner: Nikto  Tested software: Drupal Joomla OSCommerce Wordpress 

Output - Drupal

Output - Joomla

Output - OSCommerce

Output - Wordpress

Nikto  Advantages - Fast, versatile tool - Written in Perl, can be run in any host operating system - Open source - it can be easily extended and customized - Diverse output formats - easy to integrate with other penetration testing tools - Non-invasive scanner - doesn’t exploit vulnerabilities  Disadvantages - Runs at the command line, without any graphical user interface
