iT邦幫忙

2021 iThome 鐵人賽 (Ironman Contest)

DAY 11
Security

Kali Linux Tool Notes series, part 11

Day 11 Vulnerability Analysis (nikto)

After ten consecutive days of information gathering and trying out all kinds of tools, you may have noticed that most of the tools introduced so far only collect information, and a few can do some simple analysis. Some tools, however, do not stop at collecting information: based on what they collect, they actively send additional test requests to the target host to find weaknesses that could be exploited. Today's tool belongs to this category, and it can be found under Kali's second menu category, Vulnerability Analysis.

Tool introduction

According to Wikipedia, nikto is a GPL-licensed open-source web server scanner. Its main function is to scan a target web server for the following problems:

  • Misconfigurations
  • Default files and scripts
  • Insecure files and scripts
  • Outdated software

Wikipedia notes that nikto itself is not updated very often, so it may be unable to detect newer weaknesses or threats. Trying the tool's built-in update function

nikto -update

confirms that the update function is on its way to being deprecated:

-update is deprecated in git versions of Nikto; please pull directly from git.
+ ERROR (404): Unable to get cirt.net/nikto/UPDATES/2.1.6/versions.txt

So I checked the current status on the nikto GitHub repository: it is in fact still being maintained and updated, so following the suggestion on the GitHub page I first cloned it with git:

git clone https://github.com/sullo/nikto

# Main script is in program/
cd nikto/program

# Run using the shebang interpreter
./nikto.pl -h http://www.example.com

# Run using perl (if you forget to chmod)
perl nikto.pl -h http://www.example.com

Testing showed that the version pulled from GitHub is identical to the version currently bundled with Kali, so I went ahead and tested it against the target machine built on Day 2, 192.168.1.86.

Warning: nikto is a tool for discovering and checking security problems on web servers. It sends a large number of requests to the target host, and this excessive request volume may crash the remote host. In addition, plugins updated from Cirt.net cannot be guaranteed to be harmless to the system, so it is recommended to try the tool out against a dedicated test target.

nikto -host 192.168.1.86

The results are printed directly on the console:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.86
+ Target Hostname:    192.168.1.86
+ Target Port:        80
+ Start Time:         2021-09-25 12:50:05 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec  9 12:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8726 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2021-09-25 12:50:43 (GMT-4) (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Each line is one detected potential problem. For example, nikto detected that the web server version in use is very old; that version is no longer maintained, so it may contain unfixed vulnerabilities:

Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.

Or a known issue: OSVDB stands for Open Source Vulnerability Database, and this finding reveals that if you open the URL http://192.168.1.86/doc in a browser, you can see and access every file in that directory, including configuration files and hidden sensitive data:

OSVDB-3268: /doc/: Directory indexing found.
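A scan like the one above produces dozens of such lines, and the same OSVDB id often appears once per affected path. The following Python script is an added example (not part of the original post or of nikto itself): it parses the "+ [OSVDB-id: ][/path: ]message" lines nikto prints to the console into records and groups them by issue; its input is a constructed excerpt in the same format as the scan output shown here.

```python
import re

# Constructed excerpt in the format nikto prints to the console (same layout
# as the scan above); it is not real scanner output.
SAMPLE_OUTPUT = """\
- Nikto v2.1.6
+ Target IP:          192.168.1.86
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpinfo.php: Output from the phpinfo() function was found.
+ 8726 requests: 0 error(s) and 27 item(s) reported on remote host
+ 1 host(s) tested
"""

# A finding line is "+ [OSVDB-NNNN: ][/path: ]message"; id and path are optional.
FINDING_RE = re.compile(r"^\+ (?:(OSVDB-\d+): )?(?:(/\S*): )?(.+)$")
# nikto prints scan metadata with the same "+ " prefix; these are not findings.
META_RE = re.compile(r"^(Target |Start Time|End Time|Server: |\d+ requests:|\d+ host\(s\) tested)")

def parse_findings(text):
    """Return one dict per finding line: {'id', 'path', 'message'}."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if not m:
            continue
        osvdb, path, message = m.groups()
        if META_RE.match(message):
            continue  # banner / statistics line, not a finding
        findings.append({"id": osvdb, "path": path, "message": message})
    return findings

def group_by_issue(findings):
    """One entry per OSVDB id (or per message when nikto gives no id) listing
    every affected path, so a long report becomes a short fix list."""
    groups = {}
    for f in findings:
        key = f["id"] or f["message"]
        entry = groups.setdefault(key, {"message": f["message"], "paths": []})
        if f["path"]:
            entry["paths"].append(f["path"])
    return groups

if __name__ == "__main__":
    for key, g in group_by_issue(parse_findings(SAMPLE_OUTPUT)).items():
        print(f"{key}: {g['message']} {' '.join(g['paths'])}")
```

Feeding it a saved real scan (for example the console output redirected to a file) gives one line per issue with all affected paths, which is the list a site owner actually has to work through.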

Conclusion

Today we introduced nikto. Although its update frequency may mean it cannot keep up with the newest threats, it is easy to use and very helpful for learning vulnerability analysis and for understanding the historical background of various vulnerabilities. If you run your own site, you can also use tools like this to steer clear of these problems.
