VULNERABILITY: nikto: Search Web Vulnerability (en)

From OnnoWiki
Revision as of 12:54, 6 January 2025 by Onnowpurbo (talk | contribs) (Created page with "Before attacking any website, it's crucial to conduct good reconnaissance. A few minutes of reconnaissance can save hours of hacking time. Trying various hacking techniques wi...")

Before attacking any website, it's crucial to conduct good reconnaissance. A few minutes of reconnaissance can save hours of hacking time. Trying various hacking techniques without first identifying a site's vulnerabilities is sheer folly.

There are numerous tools and applications for finding vulnerabilities on a website, but one of the simplest is Nikto.

This small and straightforward tool scans a website and reports back to us about potential vulnerabilities found that we can use to exploit or hack the site. Additionally, it is one of the most widely used website vulnerability tools in the industry and is considered a standard by many.

Although this tool is very useful and effective, it is noisy rather than stealthy: any website protected by an IDS or other security monitoring will notice that we are scanning it. Nikto was designed for security testing, never for running undetected.
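To show what that noise looks like from the defender's side, here is an added example (not code from the original page or from the Nikto project) that runs two detections over a handful of constructed Apache access-log lines: a match on Nikto's self-identifying user-agent string, and a rate-based heuristic (many requests from one client in a short window, mostly answered with 4xx) that still fires when the operator has changed the user agent in nikto.conf. The log lines, thresholds and client addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format log lines; not real traffic.
# The first scanner announces itself with Nikto's default user agent
# (the format is "Mozilla/5.00 (Nikto/<ver>) ..."), the second uses a
# plain curl user agent but shows the same burst-of-404s pattern.
SAMPLE_LOG = """\
192.168.1.50 - - [06/Jan/2025:12:50:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
192.168.1.50 - - [06/Jan/2025:12:50:02 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
192.168.1.50 - - [06/Jan/2025:12:50:09 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
192.168.1.77 - - [06/Jan/2025:12:51:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
192.168.1.77 - - [06/Jan/2025:12:51:10 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
192.168.1.77 - - [06/Jan/2025:12:51:11 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
192.168.1.77 - - [06/Jan/2025:12:51:11 +0000] "GET /phpinfo.php HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
192.168.1.77 - - [06/Jan/2025:12:51:12 +0000] "GET /test.php HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000005)"
192.168.1.77 - - [06/Jan/2025:12:51:12 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000006)"
10.0.0.9 - - [06/Jan/2025:12:55:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.4.0"
10.0.0.9 - - [06/Jan/2025:12:55:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "curl/8.4.0"
10.0.0.9 - - [06/Jan/2025:12:55:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "curl/8.4.0"
10.0.0.9 - - [06/Jan/2025:12:55:03 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "curl/8.4.0"
10.0.0.9 - - [06/Jan/2025:12:55:04 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "curl/8.4.0"
10.0.0.9 - - [06/Jan/2025:12:55:05 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "curl/8.4.0"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def detect_scanners(entries, window_s=60, min_requests=5, min_error_share=0.7):
    """Return {client_ip: [reasons]} for clients that look like web scanners.

    Two independent signals (thresholds are constructed for the example):
      - the user agent names Nikto (cheap, but trivially changed by the operator);
      - within any window_s-second window the client sent >= min_requests requests
        of which >= min_error_share were answered with a 4xx status, the
        signature-independent fingerprint of a tool probing hundreds of URLs.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    findings = defaultdict(set)
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        if any("nikto" in e["ua"].lower() for e in reqs):
            findings[ip].add("nikto user-agent")

        # Sliding window over this client's requests, ordered by time.
        start, errors = 0, 0
        for end, e in enumerate(reqs):
            if 400 <= e["status"] < 500:
                errors += 1
            while (e["ts"] - reqs[start]["ts"]).total_seconds() > window_s:
                if 400 <= reqs[start]["status"] < 500:
                    errors -= 1
                start += 1
            count = end - start + 1
            if count >= min_requests and errors / count >= min_error_share:
                findings[ip].add("burst of error responses")

    return {ip: sorted(reasons) for ip, reasons in findings.items()}


if __name__ == "__main__":
    for ip, reasons in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", ", ".join(reasons))
```

The ordinary browser client (three requests, one stray 404 for a favicon) is not flagged; the self-identifying Nikto run is flagged on both signals, and the curl-driven burst is flagged on the rate heuristic alone. In production the same two checks are what a WAF or IDS rule encodes, and the rate heuristic is the one worth tuning, since the user-agent match costs an attacker one config edit to defeat.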

Step 1: Run Kali & Open Nikto

To run Nikto, we need to run Kali. Once Kali is running, go to:

Kali Linux -> Vulnerability Analysis -> Misc Scanners -> nikto

Although nikto has many options, we will limit ourselves here to the basic syntax, like this:

   nikto -h <IP or hostname>

Step 2: Scan Web Server

Let's start with a web server on our own network, which is a safe target. In this case, we can run an HTTP service on another computer on the network. That machine hosts no website, just the web server. Let's scan it for vulnerabilities by typing:

   nikto -h 192.168.1.104

Nikto will likely respond with lots of information, for example:

  • First, it tells us that the server is Apache 2.2.14, likely on Ubuntu. It gets this detail right and goes on to report other potential vulnerabilities on this web server.
  • Notice near the bottom that it identifies several vulnerabilities with the OSVDB prefix. This is the Open Source Vulnerability Database, a managed database of known vulnerabilities at www.osvdb.org, alongside other databases we discuss, such as SecurityFocus and Microsoft's TechNet.

Step 3: Scan Sites

Let's try another site. Here we will scan a web server named webscantest.com and see what nikto can tell us about it.

   nikto -h webscantest.com

Once again, it identifies the server (Apache) and then begins to list various potential vulnerabilities that are cross-referenced with OSVDB. We can visit www.osvdb.org to learn more about these vulnerabilities.

Now, let's use this site to find information about one of the vulnerabilities identified by nikto as OSVDB-877. We can enter that reference number into the search function and it retrieves the following page.

Note, at the bottom of this page there are cross-references to various information sources about this vulnerability, as well as references to tools and filters like Nikto, Nessus, and Snort.

Scan WonderHowTo

Let's scan some more sites and see what they can tell us about those sites. Let's see what we can find out about the site, www.wonderhowto.com.

   nikto -h wonderhowto.com

As we can see, this tells us that WonderHowTo uses Microsoft IIS 8.5 as its web server and then lists many potential vulnerabilities.

However, any attempt to exploit the listed vulnerabilities will reveal that they are all false positives, because WonderHowTo simply returns a harmless 404 page. This is because WonderHowTo is not built on PHP or ASP, as the checks in Nikto's database assume.

False positives like this appear because the scanner does not actually exercise each potential vulnerability; it only checks whether the server responds without an error to URLs known to be exploitable.
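The mechanism behind those false positives, as an added example that is not part of the original page or of Nikto itself: two simulated servers are probed for the same paths, one answering unknown paths with a real 404 and one answering every path with HTTP 200 and a friendly "not found" page. A naive URL check (status below 400 means "found") reports every probe as a hit on the second server, while a triage step that first fetches a random path to learn the server's not-found behaviour and then compares each probe response to that baseline separates real hits from the noise. The server contents, probe paths and similarity threshold are constructed for the example.

```python
import secrets
from difflib import SequenceMatcher

# Constructed page bodies standing in for two web servers; not real captures.
NOT_FOUND_PAGE = "<html><title>Page not found</title><body>Sorry, we could not find that page.</body></html>"
REAL_PAGE = "<html><title>Welcome</title><body>Hello from the real application.</body></html>"
PHPINFO_LIKE = "<html><title>phpinfo()</title><body>PHP Version 5.3.2 (constructed)</body></html>"

# "strict": unknown paths get a genuine 404.
# "soft":   unknown paths get 200 plus the not-found page (a "soft 404"),
#           which is exactly what fools a scanner that only looks at status codes.
SERVERS = {
    "strict": {"/": (200, REAL_PAGE), "/phpinfo.php": (200, PHPINFO_LIKE)},
    "soft": {"/": (200, REAL_PAGE)},
}

PROBES = ["/phpinfo.php", "/admin/", "/cgi-bin/test.cgi"]  # constructed probe list


def fetch(server, path):
    """Simulated GET: return (status, body) for a path on the named server."""
    known = SERVERS[server]
    if path in known:
        return known[path]
    return (404, NOT_FOUND_PAGE) if server == "strict" else (200, NOT_FOUND_PAGE)


def naive_hits(server, probes):
    """What a status-only scanner reports: any probe answered with status < 400."""
    return [p for p in probes if fetch(server, p)[0] < 400]


def not_found_baseline(server):
    """Request a path that cannot exist to learn how this server says 'not found'."""
    return fetch(server, "/baseline-" + secrets.token_hex(8))


def triage(server, probes, similarity=0.9):
    """Classify each probe against the server's own not-found baseline.

    A probe whose status matches the baseline and whose body is >= similarity
    identical to the baseline body is a false positive, whatever its status code.
    """
    base_status, base_body = not_found_baseline(server)
    verdicts = {}
    for path in probes:
        status, body = fetch(server, path)
        if status >= 400:
            verdicts[path] = "not present"
        elif status == base_status and SequenceMatcher(None, base_body, body).ratio() >= similarity:
            verdicts[path] = "false positive (matches not-found baseline)"
        else:
            verdicts[path] = "needs manual review"
    return verdicts


if __name__ == "__main__":
    for server in SERVERS:
        print(server, "naive hits:", naive_hits(server, PROBES))
        for path, verdict in triage(server, PROBES).items():
            print(f"  {path}: {verdict}")
```

Against the strict server the naive check and the triage agree (one candidate, `/phpinfo.php`, left for a human to confirm); against the soft-404 server the naive check reports all three probes as hits while the triage marks every one of them as a false positive. This is the check to run by hand on each Nikto finding before filing it: fetch a path that cannot exist and see whether the "vulnerable" URL really answers any differently.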

Scan Facebook

Finally, let's try scanning www.facebook.com.

   nikto -h facebook.com

As we can see, Facebook is very secure with few vulnerabilities. As we might imagine, if Facebook were insecure, every script-kiddie on the planet would hack it to see who their true love is chatting with online.
