From dave at cirt.net Sat Aug 1 11:37:59 2009
From: dave at cirt.net (David Lodge)
Date: Sat, 01 Aug 2009 12:37:59 +0100
Subject: [Nikto-discuss] Recent changes in trunk
Message-ID:

To fix the reporting bug I created earlier that was found by Jabra, I've made some massive changes to the way Nikto handles targets and reporting; a quick synopsis is below:

* Nikto will now work out and assign "marks" (the variable target had already been used :-) before it starts scanning
* Nikto will call reporter plugins for each item found
* Nikto will no longer use nmap to portscan ports

How you will see this when running nikto is that the inputs to -host and -port have been changed. You used to be able to supply:

nikto.pl -host
nikto.pl -host
nikto.pl -host "hostname1 hostname2" -port 80-81

This now looks like:

nikto.pl -host hostname1,file,url -port port1,port2

Where the host list can be any number of hosts, urls or files containing hosts or urls. If ports are supplied they are applied to all hosts/urls which don't already have ports. For example if we have the file host1.txt containing:

http://fred/
jim:8081

And host2.txt containing:

http://shelia:89/

Then we can do:

nikto.pl -host host1.txt,host2.txt,arabella -port 80,443

This will set the marks as:

http://fred:80
https://fred:443
http://jim:8081
http://shelia:89
http://arabella:80
https://arabella:443

I ended up removing nmap from the code, as this was only used in certain cases to do a prelude to a test that Nikto would do anyway. This removes some functionality that would allow Nikto to do a portscan. In my opinion, Nikto shouldn't be doing portscans; nmap (or your favourite portscanner) can do a much better job than Nikto can do and I'd rather take a feed from nmap, rather than have Nikto spawn nmap, so instead of doing:

nikto.pl -host 192.168.0.0/24 -port 80,443,8000-9000

We should do:

nmap -p80,443,8000-9000 192.168.0.0/24 -oG - | nikto.pl -host -

Nikto can already do the second. Should Nikto do the first?
I certainly don't use it like this, but is this how other people use it?

Finally, reporting is now done on the fly, so items are written to the report as they're found. This means that you can now CTRL+C in the middle of a scan and not lose your results (this is a big positive for me). Though, it will not write host and file closing statements on HTML or XML types.

Comments/opinions?

dave

From davidkl at ivision.com.au Sun Aug 2 22:30:17 2009
From: davidkl at ivision.com.au (David Klein)
Date: Mon, 3 Aug 2009 08:30:17 +1000
Subject: [Nikto-discuss] Recent changes in trunk
References:
Message-ID: <9156AD947C46864F88EAE1858D3DE90302024EE8@ivx2.ivision.com.au>

Hi David,

I agree, if a system has Nikto installed it will most likely have access to NMAP as well. Personally I have never used Nikto to target more than one specific port at a time, I guess it's a paranoia thing..

Regards,
David Klein

-----Original Message-----
From: nikto-discuss-bounces at attrition.org [mailto:nikto-discuss-bounces at attrition.org] On Behalf Of David Lodge
Sent: Saturday, August 01, 2009 9:38 PM
To: nikto-discuss at attrition.org
Subject: [Nikto-discuss] Recent changes in trunk

_______________________________________________
Nikto-discuss mailing list
Nikto-discuss at attrition.org
https://attrition.org/mailman/listinfo/nikto-discuss

From csullo at gmail.com Mon Aug 3 16:16:39 2009
From: csullo at gmail.com (Sullo)
Date: Mon, 3 Aug 2009 12:16:39 -0400
Subject: [Nikto-discuss] Recent changes in trunk
In-Reply-To:
References:
Message-ID:

Regarding the ports, what will happen if someone puts in "8000-9000" as ports--will it error, or will it assign all of them as 'marks' and simply try them (which would likely be slow as hell)?
I ask only because of backward compatibility issues, and it may be worth noting this in the docs (outside the changelog).

Regarding reporting:

On Sat, Aug 1, 2009 at 7:37 AM, David Lodge wrote:
> Though, it will not write host and file closing statements on HTML or XML
> types.

This is why it was originally queued, though I didn't much like it (version 1.x of nikto did it in "real time," but 2.0 introduced the templates). This is probably better--good call.

-Sullo

--
http://www.cirt.net | http://www.osvdb.org/

From dave at cirt.net Mon Aug 3 17:16:36 2009
From: dave at cirt.net (David Lodge)
Date: Mon, 03 Aug 2009 18:16:36 +0100
Subject: [Nikto-discuss] Recent changes in trunk
In-Reply-To:
References:
Message-ID:

On Mon, 03 Aug 2009 17:16:39 +0100, Sullo wrote:
> Regarding the ports, what will happen if someone puts in "8000-9000" as
> ports--will it error, or will it assign all of them as 'marks' and simply
> try them (which would likely be slow as hell)? I ask only because of
> backward compatibility issues, and it may be worth noting this in the docs
> (outside the changelog).

Good point, originally it'd have barfed on it. I've just added a basic patch to allow port ranges (e.g. -80, 80-90 65530-). But no warnings for stupidity, e.g. - will check all 65536 ports! I may put a quick warning in, e.g. if more than 100 ports, tell them that they may want to use a port scanner first!

> Regarding reporting:
>> Though, it will not write host and file closing statements on HTML or
>> XML types.
> This is why it was originally queued, though I didn't much like it (version
> 1.x of nikto did it in "real time," but 2.0 introduced the templates). This
> is probably better--good call.

I've just put in a basic signal handler for SIGINT (CTRL+C) that'll close reporting nicely.
I put this in as I was on a test, testing lots of dodgy IIS web servers and getting annoyed that I couldn't break out nikto and keep my output at the same time without messing around with stdout (which then meant I couldn't see the results until after the scan had finished).

dave
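The -host/-port expansion from Dave's first message and the port-range handling from his reply to Sullo, as an added example in Python (not Nikto's own Perl code): it turns a comma-separated host list (hosts, URLs, or files of either) plus a port spec into the marks listed above, accepts open-ended ranges such as -80 and 65530-, and returns a warning once more than 100 ports are requested. The in-memory FILES stand-ins for host1.txt/host2.txt, the MAX_QUIET_PORTS name and the fallback to port 80 when no -port is given are assumptions of this example.

```python
import re

MAX_QUIET_PORTS = 100  # Dave's proposed threshold before suggesting a port scanner

# Constructed stand-ins for the host1.txt / host2.txt files from the thread.
FILES = {
    "host1.txt": "http://fred/\njim:8081\n",
    "host2.txt": "http://shelia:89/\n",
}


def parse_ports(spec):
    """'80,443,8000-8010' -> sorted ints; '-80' and '65530-' are open-ended ranges."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "-" in item:
            lo, hi = item.split("-", 1)
            ports.update(range(int(lo) if lo else 1, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(item))
    return sorted(p for p in ports if 0 < p < 65536)


def port_warning(ports):
    """Warn when the port list is large enough that nmap would be the better tool."""
    if len(ports) > MAX_QUIET_PORTS:
        return "%d ports requested; consider running a port scanner first" % len(ports)
    return None


def expand_entry(entry, ports):
    """One 'host', 'host:port' or 'scheme://host[:port]/' entry -> list of marks."""
    scheme, host, port = re.match(r"^(?:(https?)://)?([^/:]+)(?::(\d+))?", entry).groups()
    if port:  # entry already carries a port, so -port is not applied to it
        return ["%s://%s:%s" % (scheme or ("https" if port == "443" else "http"), host, port)]
    # Assumption: with no -port given at all, fall back to a single port 80.
    return ["%s://%s:%d" % ("https" if p == 443 else "http", host, p) for p in ports or [80]]


def build_marks(host_arg, port_arg="", files=FILES):
    """Expand the comma-separated -host list (hosts, URLs, or files of either) into marks."""
    ports = parse_ports(port_arg)
    marks = []
    for item in filter(None, (s.strip() for s in host_arg.split(","))):
        entries = files[item].split() if item in files else [item]  # file -> one entry per line
        for entry in entries:
            marks.extend(expand_entry(entry, ports))
    return marks
```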