After ten consecutive days of gathering information and trying out all kinds of tools, it is clear that most of the tools introduced so far purely collect information, and a few can do simple analysis. Some tools, however, do more than collect: based on the information they have gathered, they actively run additional tests against the target host to find vulnerabilities it may be exposed to. Today's tool belongs to this type, and it can be found under Kali's second category, Vulnerability Analysis.
According to Wikipedia, nikto is a GPL-licensed open-source web server scanner. Its main function is to scan the target web server for the following problems:
Wikipedia also mentions that nikto itself is not updated very often, so it may be unable to scan for newer weaknesses or threats. Trying the tool's built-in update function

```
nikto -update
```

does indeed show that the update function is in the process of being deprecated:

```
-update is deprecated in git versions of Nikto; please pull directly from git.
+ ERROR (404): Unable to get cirt.net/nikto/UPDATES/2.1.6/versions.txt
```
So I checked the nikto GitHub repository for its current status. It is in fact still being maintained and updated, so following the advice on the GitHub page, first git clone it:

```
git clone https://github.com/sullo/nikto
# Main script is in program/
cd nikto/program
# Run using the shebang interpreter
./nikto.pl -h http://www.example.com
# Run using perl (if you forget to chmod)
perl nikto.pl -h http://www.example.com
```
Testing shows that the version pulled from GitHub is identical to the one bundled with Kali, so next we use the target machine 192.168.1.86 built on Day 2 to try it out.

Warning: nikto is a tool for discovering and checking web server security problems. It sends a large number of requests to the target host, and this flood of requests may crash the remote host. In addition, plugins updated from Cirt.net cannot be guaranteed to be completely harmless to the system, so it is recommended to try it out on a test target machine.
```
nikto -host 192.168.1.86
```

The test results are displayed directly on the console:

```
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.86
+ Target Hostname: 192.168.1.86
+ Target Port: 80
+ Start Time: 2021-09-25 12:50:05 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec 9 12:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8726 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2021-09-25 12:50:43 (GMT-4) (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
Each line is one potential problem that was detected. For example, nikto detected that the web server version in use is too old; that version is no longer maintained, so it may contain unfixed vulnerabilities:

```
Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
```

Or it may be a known issue: OSVDB stands for Open Source Vulnerability Database. This particular finding reveals that browsing to the URL http://192.168.1.86/doc lets you see and access every file under that directory, including all kinds of configuration files and hidden sensitive data:

```
OSVDB-3268: /doc/: Directory indexing found.
```
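The scan output above and the explanation of its lines are easier to act on once they are structured. As an added example (not code from the original post, and not part of nikto), here is a small Python parser for that console format: it turns each `+` finding line into a record with its OSVDB id, path and a coarse category, and summarises the result so the findings can be triaged or tracked between scans. The sample text is a constructed subset of the output shown above, the category names and keyword rules are my own assumptions, and nothing here contacts any host.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the nikto console output shown in the post,
# embedded so the parser runs offline.
SAMPLE_OUTPUT = """\
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.86
+ Target Hostname: 192.168.1.86
+ Target Port: 80
+ Start Time: 2021-09-25 12:50:05 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ 8726 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2021-09-25 12:50:43 (GMT-4) (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
"""

# A finding line: "+ [OSVDB-nnn: ][/path: ]message"
FINDING_RE = re.compile(
    r"^\+ (?:(?P<osvdb>OSVDB-\d+): )?(?:(?P<path>/[^\s:]*): )?(?P<msg>.+)$"
)
# Lines nikto prints about the scan itself rather than about the target.
META_RE = re.compile(
    r"^\+ (Target |Start Time|End Time|\d+ requests:|\d+ host\(s\) tested)"
)

# Keyword rules (assumed categories), checked in order; the first match wins.
RULES = [
    ("missing-header", ("header is not present", "header is not set", "header is not defined")),
    ("directory-indexing", ("Directory indexing", "is browsable")),
    ("http-method", ("TRACE method", "junk HTTP methods")),
    ("outdated-software", ("outdated", "EOL")),
    ("version-banner", ("Server:", "Retrieved ")),
    ("info-disclosure", ("phpinfo", "phpMyAdmin", "reveals potentially sensitive", "leak inodes")),
]


@dataclass
class Finding:
    osvdb: Optional[str]   # e.g. "OSVDB-3268", or None when nikto gives no id
    path: Optional[str]    # URL path the finding refers to, if any
    message: str
    category: str


def classify(message: str) -> str:
    """Map a finding message to one of the assumed categories above."""
    for category, needles in RULES:
        if any(n in message for n in needles):
            return category
    return "other"


def parse_nikto(text: str) -> List[Finding]:
    """Parse nikto console output into Finding records, skipping scan metadata."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("+ ") or META_RE.match(line):
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        findings.append(Finding(m.group("osvdb"), m.group("path"), msg, classify(msg)))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per category, useful for comparing two scans of a host."""
    return Counter(f.category for f in findings)


def paths_for(findings: List[Finding], category: str) -> List[str]:
    """Distinct paths for a category, e.g. every directory that is browsable."""
    return sorted({f.path for f in findings if f.category == category and f.path})


if __name__ == "__main__":
    fs = parse_nikto(SAMPLE_OUTPUT)
    for cat, n in summarize(fs).most_common():
        print(f"{cat:20s} {n}")
    print("browsable directories:", paths_for(fs, "directory-indexing"))
```

Feeding the parser the full output of `nikto -host ... -output report.txt` gives a per-category count that can be diffed after each fix (turning off directory indexing, disabling TRACE, adding the missing headers) to confirm the corresponding findings disappear.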
Today I introduced nikto. Although its update frequency may mean it cannot keep up with the latest threats, it is simple to use, and it is very helpful when learning vulnerability analysis or understanding the history behind various vulnerabilities. If you host a site yourself, you can also use different tools like this one to help you avoid these problems.