From csullo at gmail.com  Tue Jan 12 05:03:45 2010
From: csullo at gmail.com (Sullo)
Date: Tue, 12 Jan 2010 00:03:45 -0500
Subject: [Nikto-discuss] Mutation & Databases & Memory
Message-ID: <f9ef603b1001112103n8e87689qfbe9dbd1423bd62c@mail.gmail.com>

Ok, been messing around with using some type of flat-file database for
storage of mutation (m=1) attacks. Here are some preliminary findings.
 I'm looking for feedback on things I missed or should try...

I tried perl's BerkeleyDB and DBM::Deep modules.  Both offer flat-file
databases which can store serialized data (though berkeley requires
Data::Serializer). Both also offer optional compression using Zlib.

- Compression isn't worth the overhead since it is on a per-field basis
- BerkeleyDB offers best overall file size for the data set (stored
Data::Serializer arrays) using testid as the key
- BerkeleyDB is significantly (many orders of magnitude) faster than DBM::Deep
- A full BerkeleyDB file with over 3 million mutated tests takes
approximately 20 minutes to generate and uses 660mb of disk space

So, BerkeleyDB comes out the winner if just from speed alone (that
said, DBM::Deep shouldn't be ignored if you need something easy and
lightweight with smaller file sizes--it's easier on dependencies and
works quite well).

Anyway...

Questions for the crowd:
- If we convert all the databases into a binary format using
BerkelyDB, do we "lose" anything... besides them being grepable?
- We'll have to craft a way to still support user databases (does
anyone use them?) if we make all the dbs binary.
- Any other modules recommended for testing?

-- 

http://www.cirt.net     |      http://www.osvdb.org/

From michel.arboi at gmail.com  Tue Jan 12 21:25:31 2010
From: michel.arboi at gmail.com (Michel Arboi)
Date: Tue, 12 Jan 2010 22:25:31 +0100
Subject: [Nikto-discuss] Mutation & Databases & Memory
In-Reply-To: <f9ef603b1001112103n8e87689qfbe9dbd1423bd62c@mail.gmail.com>
References: <f9ef603b1001112103n8e87689qfbe9dbd1423bd62c@mail.gmail.com>
Message-ID: <c002bd961001121325k454efcb9m9e266ab49060d47d@mail.gmail.com>

On Tue, Jan 12, 2010 at 6:03 AM, Sullo <csullo at gmail.com> wrote:
> - If we convert all the databases into a binary format using
> BerkelyDB, do we "lose" anything... besides them being grepable?

Make sure that this format is portable (different word size, endianness,...)

From mrheckman at yahoo.com  Fri Jan 15 19:05:44 2010
From: mrheckman at yahoo.com (Mark Heckman)
Date: Fri, 15 Jan 2010 11:05:44 -0800 (PST)
Subject: [Nikto-discuss] Multiple STATIC-COOKIEs?
Message-ID: <294878.15753.qm@web55408.mail.re4.yahoo.com>

I'm new to Nikto and want to do a scan of a site that uses multiple cookies as part of a session. Can I have multiple STATIC-COOKIE lines in the config file, or can I use a list of cookies in the STATIC-COOKIE parameter?

Thanks for your help

From csullo at gmail.com  Fri Jan 15 19:17:48 2010
From: csullo at gmail.com (Sullo)
Date: Fri, 15 Jan 2010 14:17:48 -0500
Subject: [Nikto-discuss] Multiple STATIC-COOKIEs?
In-Reply-To: <294878.15753.qm@web55408.mail.re4.yahoo.com>
References: <294878.15753.qm@web55408.mail.re4.yahoo.com>
Message-ID: <f9ef603b1001151117r3a84ea7cka5aa63258ce505c2@mail.gmail.com>

On Fri, Jan 15, 2010 at 2:05 PM, Mark Heckman <mrheckman at yahoo.com> wrote:
> I'm new to Nikto and want to do a scan of a site that uses multiple cookies as part of a session. Can I have multiple STATIC-COOKIE lines in the config file, or can I use a list of cookies in the STATIC-COOKIE parameter?
>

You can set them all on the same line. If you put them on different
lines only one will be used, so just do...

STATIC-COOKIE=cookie1=cookie1value; cookie2=cookie2value



-- 

http://www.cirt.net     |      http://www.osvdb.org/

From csullo at gmail.com  Fri Jan 15 20:09:52 2010
From: csullo at gmail.com (Sullo)
Date: Fri, 15 Jan 2010 15:09:52 -0500
Subject: [Nikto-discuss] Multiple STATIC-COOKIEs?
In-Reply-To: <f9ef603b1001151117r3a84ea7cka5aa63258ce505c2@mail.gmail.com>
References: <294878.15753.qm@web55408.mail.re4.yahoo.com>
	<f9ef603b1001151117r3a84ea7cka5aa63258ce505c2@mail.gmail.com>
Message-ID: <f9ef603b1001151209x5f3f81b0i708fefb15c827507@mail.gmail.com>

I noticed a pretty major bug to the proxy handling while I was looking
at this. If you're using proxies you want to apply the following
changes to nikto_core.plugin:
http://trac2.assembla.com/Nikto_2/changeset?new=trunk%2Fplugins%2Fnikto_core.plugin%40229&old=trunk%2Fplugins%2Fnikto_core.plugin%40225

We'll try to push out a new release ASAP.

-Sullo


On Fri, Jan 15, 2010 at 2:17 PM, Sullo <csullo at gmail.com> wrote:
> On Fri, Jan 15, 2010 at 2:05 PM, Mark Heckman <mrheckman at yahoo.com> wrote:
>> I'm new to Nikto and want to do a scan of a site that uses multiple cookies as part of a session. Can I have multiple STATIC-COOKIE lines in the config file, or can I use a list of cookies in the STATIC-COOKIE parameter?
>>
>
> You can set them all on the same line. If you put them on different
> lines only one will be used, so just do...
>
> STATIC-COOKIE=cookie1=cookie1value; cookie2=cookie2value
>
>
>
> --
>
> http://www.cirt.net ? ? | ? ? ?http://www.osvdb.org/
>



-- 

http://www.cirt.net     |      http://www.osvdb.org/

From rudi.kramer at gmail.com  Mon Jan 18 07:29:05 2010
From: rudi.kramer at gmail.com (Rudi Kramer)
Date: Mon, 18 Jan 2010 09:29:05 +0200
Subject: [Nikto-discuss] MyWebServer Vulnerability on RedHat q
Message-ID: <6ca2dcd71001172329h76563830u4fecc164f7eb68f2@mail.gmail.com>

Good Morning,

A client's website has been hacked and I have been asked to help see how the
site was attacked. It looks like the attacked used some sort of  HTML
injection method to replace certain pages.

The server is running Redhat 5.3, Apache 2.2.3 and PHP 5.1.6.

Here is the results after running Nikto:

# perl nikto.pl -C all -h localhost
- Nikto v2.1.0/2.1.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2010-01-19 9:12:09
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (Red Hat)
+ OSVDB-0: Apache/2.2.3 appears to be outdated (current is at least
Apache/2.2.14). Apache 1.3.41 and 2.0.63 are also current.
+ OSVDB-0: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable
to XST
+ OSVDB-6659:
/bLkjN0GcpsIVBsvYB4CcZLGBywbNJC4TDnAklbt4zTA8gLwJn25bpt5mEkS8SVr0I94eIYm4KAhngx6wEpUPzqIAz5wnbuvirLbw83LOxGlpUJ5yO2EZC0JwoOQZ8kM8viHbDXF7HEf2eQ1Bjixo675Ovds3ylcTXxJtQGALIFdagefzKMdhhHwGaSIXKXBIPOt8BLONllaTvmHfe1KNm0icfZEuiNO<font%20size=50>DEFACED<!--//--:
MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later
version.
+ 3582 items checked: 4 item(s) reported on remote host
+ End Time:           2010-01-19 9:13:09 (24 seconds)
---------------------------------------------------------------------------

As I suspected the server is vulnerable to HTML injection but as far as I
can tell MyWebServer is not running on the server and there is no Linux
version of the application.

Any ideas on why Nikto is reporting this?

Regards
Rudi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/nikto-discuss/attachments/20100118/8fa4f8b6/attachment.html 

From resident.deity at gmail.com  Mon Jan 18 13:01:59 2010
From: resident.deity at gmail.com (david lodge)
Date: Mon, 18 Jan 2010 13:01:59 +0000
Subject: [Nikto-discuss] MyWebServer Vulnerability on RedHat q
In-Reply-To: <6ca2dcd71001172329h76563830u4fecc164f7eb68f2@mail.gmail.com>
References: <6ca2dcd71001172329h76563830u4fecc164f7eb68f2@mail.gmail.com>
Message-ID: <e2225da01001180501k443d9ae8u99fa40ffb934bf59@mail.gmail.com>

> + OSVDB-6659:
> /bLkjN0GcpsIVBsvYB4CcZLGBywbNJC4TDnAklbt4zTA8gLwJn25bpt5mEkS8SVr0I94eIYm4KAhngx6wEpUPzqIAz5wnbuvirLbw83LOxGlpUJ5yO2EZC0JwoOQZ8kM8viHbDXF7HEf2eQ1Bjixo675Ovds3ylcTXxJtQGALIFdagefzKMdhhHwGaSIXKXBIPOt8BLONllaTvmHfe1KNm0icfZEuiNO<font%20size=50>DEFACED<!--//--:
> MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later
> version.

> As I suspected the server is vulnerable to HTML injection but as far as I
> can tell MyWebServer is not running on the server and there is no Linux
> version of the application.
>
> Any ideas on why Nikto is reporting this?

Basically Nikto sends the above URL and then checks whether the
response has DEFACED on it. It sounds like your 404 page (or whatever
error page you use for a file not found) has some flavour of HTML
injection vulnerability.

Have you tried running the above URL manually? URL:
http://server/bLkjN0GcpsIVBsvYB4CcZLGBywbNJC4TDnAklbt4zTA8gLwJn25bpt5mEkS8SVr0I94eIYm4KAhngx6wEpUPzqIAz5wnbuvirLbw83LOxGlpUJ5yO2EZC0JwoOQZ8kM8viHbDXF7HEf2eQ1Bjixo675Ovds3ylcTXxJtQGALIFdagefzKMdhhHwGaSIXKXBIPOt8BLONllaTvmHfe1KNm0icfZEuiNO<font%20size=50>DEFACED<!--//--

I hate to say it as well, but you should really look at the server
logs to see where the attack has come in from - these'll generally be
much more specific than using a vulnerability assessment tool.