
Ticket #70 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

Nikto 2.03 doesn't "find" a web server running.

Reported by: MadDaemon Assigned to: deity
Priority: low Milestone: Nikto 2.1.0
Component: Scanner Version: 2.03
Severity: minor Keywords:
Cc:

Description

On Wed, 14 Jan 2009 21:25:46 -0000, maddaemon@gmail.com <maddaemon@gmail.com> wrote: [results from a direct connection]

Headers show the following (using both 80 & 443)

HTTP/1.1 301 Moved Permanently
Date: Wed, 14 Jan 2009 21:16:02 GMT
Server: Apache
Location: https://tracker.mydomain.tld
Connection: close
Content-Type: text/html; charset=iso-8859-1

And that'll be the problem; the code from nikto does:

if (defined $result{'whisker'}{'data'} && $result{'whisker'}->{'data'} =~ /speaking plain HTTP to an SSL/)

Of course, the 301 doesn't return any data so it doesn't think that it's a valid port. Looks like we have a bug, but I'm not 100% certain of how to fix it; maybe we should check for error code, then check the appropriate header (e.g. in this case Location).

Could you do me a favour and go to http://trac2.assembla.com/Nikto_2/newticket and raise a ticket for me so that I don't lose track of what I'm doing (you don't need an assembla account to raise a ticket, though you won't be able to track it automagically if you don't).

dave

Also, on this particular system (FreeBSD 7.0-RELEASE i386), it doesn't seem to find *any* servers:

Just a quick follow-up on this, I tried doing a scan on some public sites, and I keep getting the same error:

MadDaemon@darkhorse [~]# nikto -h www.microsoft.com -D d
- Nikto v2.03/2.04
D:Thu Jan 15 12:48:25 2009 - Target id:1:ident:www.microsoft.com:ports_in:80:vhost:=:
D:Thu Jan 15 12:48:25 2009 - Target id:1:ident:www.microsoft.com:ports_in:80:
+ No web server found on 207.46.193.254:80
+ 1 host(s) tested

Test Options: -h www.microsoft.com -D d
D:Thu Jan 15 12:48:26 2009 T:Thu Jan 15 12:48:26 2009: Ending

MadDaemon@darkhorse [~]# nikto -h www.oracle.com -D d
- Nikto v2.03/2.04
D:Thu Jan 15 12:51:06 2009 - Target id:1:ident:www.oracle.com:ports_in:80:vhost:=:
D:Thu Jan 15 12:51:06 2009 - Target id:1:ident:www.oracle.com:ports_in:80:
+ No web server found on 141.146.8.66:80
+ 1 host(s) tested

Test Options: -h www.oracle.com -D d
D:Thu Jan 15 12:51:07 2009 T:Thu Jan 15 12:51:07 2009: Ending

MadDaemon@darkhorse [~]# nikto -h www.freebsd.org -D d
- Nikto v2.03/2.04
D:Thu Jan 15 12:51:59 2009 - Target id:1:ident:www.freebsd.org:ports_in:80:vhost:=:
D:Thu Jan 15 12:51:59 2009 - Target id:1:ident:www.freebsd.org:ports_in:80:
+ No web server found on 69.147.83.33:80
+ 1 host(s) tested

Test Options: -h www.freebsd.org -D d
D:Thu Jan 15 12:51:59 2009 T:Thu Jan 15 12:51:59 2009: Ending

MadDaemon@darkhorse [~]# pkg_info | grep nikto
nikto-2.03 Web and CGI vulnerability scanner with SSL support

MadDaemon@darkhorse [~]# uname -rsm
FreeBSD 7.0-RELEASE i386

MadDaemon@darkhorse [~]# cat /usr/ports/security/nikto/distinfo
MD5 (nikto-2.03.tar.bz2) = 8f286a7943b12a341088f005f832d087
SHA256 (nikto-2.03.tar.bz2) = 61b78434560c5c311f38c47e7e6816012c9c83a3cfdf4a978ceaaf34718a3b73
SIZE (nikto-2.03.tar.bz2) = 399643
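The check suggested in the e-mail above (look at the status code, then the relevant header such as Location), as an added example that is not part of the ticket or of Nikto's source. The function name, the returned fields, the `code` key and the `location` key are assumptions; only the `whisker`/`data` layout and the matched string come from the quoted fragment.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not Nikto's code): decide whether a probe response
# proves that a web server is listening, without requiring a body.
# Assumed hash shape, modelled on the fragment quoted above:
#   $r->{whisker}{code}  status code, $r->{whisker}{data}  body,
#   $r->{location}       Location header (key name is an assumption).
sub classify_probe {
    my ($r) = @_;
    my $w    = $r->{whisker} || {};
    my $code = $w->{code};
    my $body = defined $w->{data} ? $w->{data} : '';

    # No parsable status code: nothing on this port speaks HTTP.
    return { server => 0 } unless defined $code && $code =~ /^[1-5]\d\d$/;

    my %out = ( server => 1, ssl => 0, code => $code );

    # Error body returned when plain HTTP is sent to a TLS port.
    $out{ssl} = 1 if $body =~ /speaking plain HTTP to an SSL/;

    # A redirect with an empty body is still a valid answer; record the target.
    if ( $code =~ /^3/ && defined $r->{location} ) {
        $out{redirect} = $r->{location};
    }
    return \%out;
}

# Constructed sample responses, including the 301 from the report.
my @samples = (
    [ '301, empty body' => { whisker => { code => 301, data => '' },
                             location => 'https://tracker.mydomain.tld' } ],
    [ 'plain HTTP to TLS port' => { whisker => { code => 400,
          data => 'You\'re speaking plain HTTP to an SSL-enabled server port.' } } ],
    [ 'no response' => { whisker => {} } ],
);

for my $s (@samples) {
    my ( $name, $resp ) = @$s;
    my $c = classify_probe($resp);
    printf "%-24s server=%d ssl=%d redirect=%s\n", $name,
        $c->{server}, $c->{ssl} // 0, $c->{redirect} // '-';
}
```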

Change History

01/16/09 13:16:57 changed by deity

  • owner set to deity.

I think I may have an idea what's going wrong - nikto isn't even checking the port (we should see hashes for whisker on the debug mode). The only way this can happen is if CHECKMETHODS isn't defined in nikto.conf. This could happen if you take a nikto 2.02 config file and use it on nikto 2.03.

Could you check your nikto.conf (as this is a package it'll be in /usr/local/etc/nikto.conf) and check for the line:
CHECKMETHODS=HEAD GET

If it isn't present, you can just add the line and your problem should be fixed.

There is still a bug here, that nikto should always check for HEAD if this variable isn't defined. There may still be a bug if the server returns no data. In these cases, any bug fix will be rolled up into nikto 2.10 (release some day soon)...

01/21/09 14:04:37 changed by deity

From maddaemon: I tried to update the ticket, but I can't seem to find a way to do that.

The CHECKMETHODS=HEAD GET wasn't in the nikto.conf, so I added it and launched a scan. It now appears that Nikto automatically detects the redirect to SSL, and tests both port 80 as well as 443:


+ Target IP: 10.0.10.25
+ Target Hostname: tracker.mydomain.tld
+ Target Port: 80
+ Start Time: 2009-01-21 13:32:04
+ Server: Apache
- Root page / redirects to: https://tracker.mydomain.tld
- Allowed HTTP Methods: GET, HEAD, OPTIONS
...
+ End Time: 2009-01-21 13:32:35 (31 seconds)
+ 1 host(s) tested

+ Target IP: 10.0.10.25
+ Target Hostname: tracker.mydomain.tld
+ Target Port: 443
+ SSL Info: Ciphers: Unknown
            Info: Unknown
            Subject: Unknown
+ Start Time: 2009-01-21 13:32:36

It still isn't able to get the ciphers list, but that's another issue entirely.

01/21/09 14:08:16 changed by deity

  • priority changed from medium to low.
  • severity changed from normal to minor.

There is an issue to note in future, whenever nikto's config file changes, that some people reuse their old config files and to cope with this in future (e.g. set a default to be the old behaviour and/or provide a warning message).

So this bug is now changed to no standard defaults/or warnings for CHECKMETHODS not being present in the config file.

I'll probably set it to have a default of "HEAD" to mimic nikto 2.02 and send out a warning.

01/21/09 23:02:24 changed by deity

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in version #94, it will now warn you about a missing CHECKMETHODS and set it to the (nikto 2.02) default of HEAD.

Also method added for future use.
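The behaviour this ticket settles on (warn when CHECKMETHODS is missing and fall back to HEAD), as an added example that is not Nikto's own code or the actual fix. The loader, its name, the KEY=VALUE parsing rules and the `EXAMPLEKEY` setting are assumptions; only CHECKMETHODS, its `HEAD GET` value and the HEAD default come from the ticket.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical loader, not Nikto's code: read KEY=VALUE settings and fill in
# any setting that a config file from an older release would not contain.
my %DEFAULTS = ( CHECKMETHODS => 'HEAD' );    # default named in the ticket

sub load_config {
    my ($text) = @_;
    my ( %conf, @warnings );
    for my $line ( split /\n/, $text ) {
        next if $line =~ /^\s*(?:#|$)/;       # skip comments and blank lines
        next unless $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/;
        $conf{$1} = $2;
    }
    for my $key ( sort keys %DEFAULTS ) {
        next if defined $conf{$key} && length $conf{$key};
        $conf{$key} = $DEFAULTS{$key};
        push @warnings,
          "$key missing from config file, using default '$DEFAULTS{$key}'";
    }
    return ( \%conf, \@warnings );
}

# Constructed config texts: one carried over from an older release,
# one that contains the line the ticket asks for.
my %samples = (
    'old config' => "# constructed sample\nEXAMPLEKEY=value\n",
    'new config' => "EXAMPLEKEY=value\nCHECKMETHODS=HEAD GET\n",
);

for my $name ( sort keys %samples ) {
    my ( $conf, $warnings ) = load_config( $samples{$name} );
    print "WARNING ($name): $_\n" for @$warnings;
    my @methods = split ' ', $conf->{CHECKMETHODS};
    print "$name: probe methods = @methods\n";
}
```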