
1 Nikto LUCA ALEXANDRA ADELA

2 Nikto
- Web server assessment tool
- Written by Chris Sullo and David Lodge
- Released on December 27, 2001
- Stable release: 2.1.5 / December 17, 2012
- Development status: Active
- Written in Perl
- Open source (GPL)
- Works natively on Linux, Apple Mac OS X, Microsoft Windows
- Requirements: system with basic Perl, Perl modules, OpenSSL installation

3 Vulnerabilities
- Server and software misconfigurations
- Default files and programs
- Insecure files and programs
- Outdated servers and programs

4 Tests
- Over 6400 potentially dangerous files/CGIs
- Outdated versions of over 1250 servers
- Version-specific problems on over 270 servers
- Server configuration items
- Captures and prints any cookies received
- Installed software and web servers

5 Features
- Supports SSL
- Supports full HTTP proxy
- Supports text, HTML, XML and CSV formats for saving reports
- Scans multiple ports on a server or multiple servers via input file (including Nmap output)
- Easily updated via command line
- Thorough documentation
- Can be integrated with Nessus (Nessus can be configured to automatically launch Nikto when it finds a web server)
- Can log to Metasploit
- Capable of sending data along with requests to servers (cross-site scripting and SQL injection checks)

6 Advanced Error Detection Logic
- Most web security tools rely on the HTTP response code to determine if a page or script exists
- Many servers do not properly adhere to RFC standards (e.g. answering 200 for every path), which produces false positives
- Nikto uses three checks:
  ◦ Standard RFC response
  ◦ Content match
  ◦ MD5 hash
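The three checks on this slide, illustrated as an added Python example that is not Nikto's own code: the server's reply to a path that cannot exist is fingerprinted first, and a 200 whose body matches that fingerprint is then treated as a false positive. The Response class and all sample bodies are constructed, so nothing touches the network.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    """Minimal stand-in for an HTTP reply (constructed, no network I/O)."""
    status: int
    body: str


def body_hash(body: str) -> str:
    # MD5 is used as a content fingerprint of the page body, which is
    # how the slide describes Nikto's third check; it is not a security control here.
    return hashlib.md5(body.encode("utf-8")).hexdigest()


def learn_not_found(probe: Response) -> str:
    """Fingerprint the reply to a path that certainly does not exist."""
    return body_hash(probe.body)


def page_exists(resp: Response, not_found_hash: str, signature: Optional[str] = None) -> bool:
    # 1. Standard RFC response: a non-2xx status is taken at face value.
    if not 200 <= resp.status < 300:
        return False
    # 2. MD5 hash: a 200 whose body equals the "not found" baseline means the
    #    server answers 200 for everything, so this hit is a false positive.
    if body_hash(resp.body) == not_found_hash:
        return False
    # 3. Content match: when a check defines a string the real file must
    #    contain, require it, so a generic landing page does not count.
    if signature is not None and signature not in resp.body:
        return False
    return True


# Constructed sample exchanges with a server that answers 200 to every path.
CATCH_ALL_404 = Response(200, "<html><body>Sorry, that page was not found.</body></html>")
REAL_STATUS_PAGE = Response(200, "<html><title>Server Status</title><body>uptime: 3d</body></html>")
LANDING_PAGE = Response(200, "<html><body>Welcome to our site!</body></html>")


def demo() -> dict:
    base = learn_not_found(CATCH_ALL_404)
    return {
        "rfc_404": page_exists(Response(404, "Not Found"), base),
        "catch_all_same_body": page_exists(CATCH_ALL_404, base),
        "real_file": page_exists(REAL_STATUS_PAGE, base, signature="Server Status"),
        "different_body_no_signature": page_exists(LANDING_PAGE, base, signature="Server Status"),
    }
```

Only the third case is reported as an existing page; a status-code-only scanner would have flagged all three 200 replies.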

7 Use
- Update
  ◦ perl nikto.pl -update
- Run
  ◦ perl nikto.pl -h 192.168.0.110
- Setting the display to verbose
  ◦ perl nikto.pl -display V
- Save output to file
  ◦ perl nikto.pl -h 192.168.0.110 -output results.html

8 Case studies
- Virtualization: Oracle VM VirtualBox
- OS: Kali Linux 1.0.9 (64-bit)
- Web vulnerability scanner: Nikto 2.1.6
- Tested software: Drupal, Joomla, osCommerce, WordPress
- Images from www.turnkeylinux.org

9 Output - Drupal

10

11

12 Output - Joomla

13

14 Output - osCommerce

15 Output - WordPress

16 Nikto
- Advantages
  ◦ Fast, versatile tool
  ◦ Written in Perl, so it can be run on any host operating system
  ◦ Open source: it can be easily extended and customized
  ◦ Diverse output formats: easy to integrate with other penetration testing tools
  ◦ Non-invasive scanner: it does not exploit vulnerabilities
- Disadvantages
  ◦ Runs at the command line, without any graphical user interface

17 Sources
- http://sectools.org/tag/web-scanners/
- https://en.wikipedia.org/wiki/Nikto_Web_Scanner
- https://cirt.net/Nikto2
- https://cirt.net/nikto2-docs/
- http://www.tecmint.com/nikto-a-web-application-vulnerability-and-cgi-scanner-for-web-servers/
- http://www.madirish.net/547
- http://www.turnkeylinux.org/
