A Vulnerability Assessment NIKTO - PowerPoint PPT Presentation

Slides: 16
Provided by: Ryan85

Transcript and Presenter's Notes

1
A Vulnerability Assessment NIKTO
2
Description
  • Nikto is a web server scanner that performs
    comprehensive tests against web servers for
    multiple items:
      • 2600 potentially dangerous files/CGIs
      • Versions on over 625 servers
      • Version-specific problems on over 230 servers
  • Nikto supports LibWhisker's anti-IDS methods
    (IDS evasion)

3
Description
  • Nikto performs security or information checks for:
      • Misconfigurations
      • Default files and scripts
      • Insecure files and scripts
      • Outdated software

4
Purpose
  • To understand what a vulnerability scanner is and
    why we need one
  • To become familiar with the operation of the Nikto
    vulnerability scanner

5
Principle and Pre-study
  • A look at whisker's anti-IDS tactics
  • An HTTP request as defined by RFC 1945
  • Types of IDS
      • Smart
      • Raw

6
IDS evasion
Evasion type | Evasion method
1 Method matching | GET /cgi-bin/some.cgi -> HEAD /cgi-bin/some.cgi
2 URL encoding | cgi-bin -> %63%67%69%2d%62%69%6e
3 Double slashes | /cgi-bin/some.cgi -> //cgi-bin//some.cgi
4 Reverse traversal | /cgi-bin/some.cgi -> GET /cgi-bin/blahblah/../some.cgi HTTP/1.0
5 Self-reference directories | cgi-bin/phf -> /./cgi-bin/./phf
6 Premature request ending | GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n
7 Parameter hiding | GET /index.htm%3fparam/../cgi-bin/some.cgi HTTP/1.0
8 HTTP mis-formatting | Method<space>URI<space>HTTP/Version CRLF CRLF -> Method<tab>URI<tab>HTTP/Version CRLF CRLF
9 Long URLs | GET /rfprfp<lots of characters>rfprfp/../cgi-bin/some.cgi HTTP/1.0
10 DOS/Win directory syntax | "/cgi-bin/some.cgi" -> "/cgi-bin\some.cgi"
11 NULL method processing | GET%00 /cgi-bin/some.cgi HTTP/1.0
12 Case sensitivity | /cgi-bin/some.cgi -> /CGI-BIN/SOME.CGI
13 Session splicing | "GET / HTTP/1.0" -> "GE", "T ", "/", " H", "T", "TP", "/1", ".0"
14 In summary | Combine multiple tactics together
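
Added example (not from the original slides): a literal signature match compared with a match on the canonicalized request path, run over the URI-level rows of the table above. It assumes "raw" means literal pattern matching and "smart" means protocol-aware decoding (the slides only name the two types); the function names are hypothetical and the request lines are constructed from the table. Session splicing (row 13) is not covered because it needs TCP stream reassembly.

```python
import posixpath
import re
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/some.cgi"  # placeholder path used on the slide

def raw_match(request_line):
    """'Raw' sensor: literal substring match on the request line as sent."""
    return "GET " + SIGNATURE in request_line

def canonical_path(request_line):
    """Reduce the request target to the path a web server would resolve."""
    fields = re.split(r"[ \t]+", request_line.strip())   # row 8: tab separators
    target = fields[1] if len(fields) > 1 else ""
    path = unquote(target.split("?", 1)[0])               # rows 2, 6, 7: %xx decoding
    path = path.replace("\\", "/")                        # row 10: DOS/Win separators
    path = re.sub(r"/+", "/", "/" + path)                 # row 3: repeated slashes
    path = posixpath.normpath(path)                       # rows 4, 5, 9: "../" and "./"
    return path.lower()   # row 12; assumes a case-insensitive server

def smart_match(request_line):
    """'Smart' sensor: compare the canonical path, ignoring the method (rows 1, 11)."""
    return canonical_path(request_line) == SIGNATURE

# Constructed request lines, keyed by row number in the table above.
SAMPLES = {
    1: "HEAD /cgi-bin/some.cgi HTTP/1.0",
    2: "GET /%63%67%69%2d%62%69%6e/some.cgi HTTP/1.0",
    3: "GET //cgi-bin//some.cgi HTTP/1.0",
    4: "GET /cgi-bin/blahblah/../some.cgi HTTP/1.0",
    5: "GET /./cgi-bin/./some.cgi HTTP/1.0",
    6: "GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0",
    7: "GET /index.htm%3fparam/../cgi-bin/some.cgi HTTP/1.0",
    8: "GET\t/cgi-bin/some.cgi\tHTTP/1.0",
    9: "GET /" + "rfprfp" * 50 + "/../cgi-bin/some.cgi HTTP/1.0",
    10: "GET /cgi-bin\\some.cgi HTTP/1.0",
    11: "GET%00 /cgi-bin/some.cgi HTTP/1.0",
    12: "GET /CGI-BIN/SOME.CGI HTTP/1.0",
}

def evaluate():
    """Return {row: (raw_hit, smart_hit)} for every constructed sample."""
    return {row: (raw_match(line), smart_match(line)) for row, line in SAMPLES.items()}

if __name__ == "__main__":
    for row, (raw, smart) in evaluate().items():
        print(f"row {row:2}: raw={raw!s:5} smart={smart}")
```

Folding case is only correct for servers that resolve paths case-insensitively; on a case-sensitive server it trades missed detections for possible false positives.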
7
Required Facilities
  • Permission
      • Do not proceed without receiving the
        necessary permissions
  • Hardware
      • PC or workstation with UNIX-based OS
  • Software
      • Perl 5.004
      • Nikto 1.32
      • Net::SSLeay
      • LibWhisker
      • OpenSSL

8
Step (I) install Nikto
Install Nikto from the ports tree
After installing Nikto, patch /usr/local/bin/nikto.pl
to indicate the location of config.txt
Patch /usr/local/etc/nikto/config.txt to indicate the
plugin directory
9
IDS evasion option
mutate checks option
IDS evasion method
10
Basic scan information
Web server banner and basic function
Reports some vulnerabilities and suggests solutions
Report the result
11
Step (II) execute nikto
Basic scan information
Web server banner and basic function
Reports some vulnerabilities and suggests solutions
Report the result
12
Step (III) IDS evasion
Detection with IDS evasion methods 1 & 2 on target
140.123.113.86
13
Summary
  • CGI exploits are everywhere. It is most important
    that you scan your own site so that you can see
    what attackers might see.
  • Nikto is an open source web server scanner written
    in Perl that supports SSL. It checks for remote web
    server vulnerabilities and misconfigurations.

14
Reference
  • Nikto
      • http://www.cirt.net/code/nikto.html
  • Comprehensive Perl Archive Network
      • http://www.cpan.org
  • LibWhisker
      • http://www.wiretrip.net/rfp/lw.asp
  • A look at whisker's anti-IDS tactics
      • http://www.wiretrip.net/rfp/txt/whiskerids.html

15
Outline
  • A Real World Attack wu-ftp
  • Vulnerability Scanners
  • All-Purpose Tools
  • Application Inspection
  • TRIPWIRE MD5