
4.4. Existing Nikto Plug-ins

Now let's examine the plug-ins that come bundled with Nikto. This will help you understand how the existing plug-ins function, before you write your own.


The core plug-in, as the name suggests, contains the core functionality for the main vulnerability-checking routines. These routines are available for use within the rest of the plug-ins. This plug-in and its exported routines were discussed in detail in the previous section.


This plug-in checks whether the web server uses HTTP Basic authentication. If it does, it loads default usernames and passwords and attempts to guess valid credentials.


This plug-in iterates through the returned HTTP headers in the server response and reports back any that are interesting from a security perspective; these include X-Powered-By, Content-Location, Servlet-Engine, and DAAP-Server.


This plug-in retrieves the robots.txt file if it is available and reports back interesting entries, such as Disallow. The robots.txt file is checked by "friendly" web site crawlers to determine if it should follow any rules when crawling the web site.


This plug-in reviews the allowed HTTP methods, as reported via an OPTIONS request to the web server. Dangerous methods include PUT, CONNECT, and DELETE, among others.


This plug-in focuses on the Server HTTP header and uses a "best-guess" parser that determines the web server version, then checks that version against a list of up-to-date web server versions found in the outdated.db file.


As with the nikto_outdated plug-in, this plug-in focuses on the Server HTTP header but it uses the web server version to determine if there are any version-specific security warnings.


This plug-in checks to see if the UserDir option in Apache, or the equivalent in another web server, is enabled. If this option is enabled, you can enumerate valid system users by generating URIs such as /~root for use in requests.


This plug-in is enabled only if -m 1 is specified on the command line. If the MUTATEDIRS and MUTATEFILES variables are set in Nikto's configuration, each request is mutated three times. The first time is the standard request, the second has the MUTATEDIRS item prepended to the URI, and the third has a MUTATEFILES entry appended to the URI. You should not use this plug-in with its default settings because the mutation engine is extremely slow.


This plug-in is enabled only if -m 2 is specified on the command line. This plug-in has an array of common password filenames such as passwd, .htpasswd, etc. It combines the filenames with common file extensions and directory names to make requests in an attempt to check for files with interesting information (usually credentials). Be aware that using this plug-in with its default settings yields more than 2,000 checks.


This plug-in is enabled only if -m 3 is specified on the command line. This plug-in guesses usernames with the same URI formatting technique as the nikto_apacheusers plug-in. It's not recommended for general use because the default generation engine is set for five-character alphabetic usernames and thus produces 11,881,376 checks.


This plug-in is enabled only if -m 4 is specified on the command line. Its logic is very similar to that of the nikto_user_enum_apache plug-in. The key difference is that this plug-in uses an enumeration technique specific to the CGIWrap program. CGIWrap is a web server extension that allows for better security by running CGI scripts as the user that created them instead of as the web server user. The plug-in generates URIs such as /cgi-bin/cgiwrap/userguess. Because the username generation routine is the same as in nikto_user_enum_apache, the same warning about the number of checks applies.
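To make the volume warnings for the -m 1 mutation engine and the -m 3/-m 4 username enumeration concrete, here is an added illustration (not Nikto's own plug-in code) of how one base check expands into the standard, directory-prepended and file-appended variants, and how many requests a defender should expect in the server logs. The URI-joining rules, the handling of several MUTATEDIRS/MUTATEFILES entries, and all sample values are assumptions constructed for this example.

```python
"""Added example: request expansion of a nikto_mutate-style engine (-m 1)
and the size of the default nikto_user_enum_apache search space (-m 3).
Illustrative code, not Nikto's own; joining rules are assumptions."""

# Constructed sample configuration values; not taken from nikto.conf.
MUTATEDIRS = ["/cgi-bin", "/scripts"]
MUTATEFILES = ["index.php", "login.asp"]
# Constructed base checks, standing in for entries in Nikto's check database.
BASE_URIS = ["/admin/", "/test.cgi", "/phpinfo.php"]


def mutate(uri, mutate_dirs, mutate_files):
    """Return the variants for one base URI in the order the text describes:
    the standard request, then one with each MUTATEDIRS entry prepended,
    then one with each MUTATEFILES entry appended (assumed joining rules)."""
    variants = [uri]
    variants += [d.rstrip("/") + "/" + uri.lstrip("/") for d in mutate_dirs]
    variants += [uri.rstrip("/") + "/" + f for f in mutate_files]
    return variants


def expand_all(base_uris, mutate_dirs, mutate_files):
    """Every request a mutated scan would send, duplicates removed while
    keeping order (two mutations may produce the same URI)."""
    seen = {}
    for uri in base_uris:
        for variant in mutate(uri, mutate_dirs, mutate_files):
            seen.setdefault(variant, None)
    return list(seen)


def request_count(n_checks, n_dirs, n_files):
    """Upper bound before de-duplication: each check is sent once unchanged,
    once per directory entry and once per file entry. Useful for sizing the
    log volume (and alert thresholds) a -m 1 scan generates."""
    return n_checks * (1 + n_dirs + n_files)


def username_space(length=5, alphabet_size=26):
    """Size of the default -m 3 search space: every alphabetic string of
    the given length; 26 ** 5 matches the 11,881,376 checks quoted above."""
    return alphabet_size ** length


if __name__ == "__main__":
    for req in expand_all(BASE_URIS, MUTATEDIRS, MUTATEFILES):
        print(req)
    print("requests:", request_count(len(BASE_URIS), len(MUTATEDIRS), len(MUTATEFILES)))
    print("usernames:", username_space())
```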
