
Nikto not finding webserver

Open dsolstad opened this issue 6 years ago • 10 comments

There is a webserver using a self-signed certificate that Nikto does not recognize. I can however reach it via normal web browsers. I had to proxy Nikto through Burp to be able to scan it.

curl complains that the DH key is too small:

$ curl -ik https://192.168.1.50:9043
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Is this something that should and can be fixed?

$ nikto -host 192.168.1.55 -port 9043 -D v

  • Nikto v2.1.6

V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_cookies
V:Thu Nov 22 07:16:33 2018 - Loaded "HTTP Cookie Internal IP" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_subdomain
V:Thu Nov 22 07:16:33 2018 - Loaded "Sub-domain forcer" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_outdated
V:Thu Nov 22 07:16:33 2018 - Loaded "Outdated" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_tests
V:Thu Nov 22 07:16:33 2018 - Loaded "Nikto Tests" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_clientaccesspolicy
V:Thu Nov 22 07:16:33 2018 - Loaded "clientaccesspolicy.xml" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_sitefiles
V:Thu Nov 22 07:16:33 2018 - Loaded "Site Files" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_cgi
V:Thu Nov 22 07:16:33 2018 - Loaded "CGI" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_sqlg
V:Thu Nov 22 07:16:33 2018 - Loaded "Generic SQL reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_ssl
V:Thu Nov 22 07:16:33 2018 - Loaded "SSL and cert checks" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_csv
V:Thu Nov 22 07:16:33 2018 - Loaded "CSV reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_put_del_test
V:Thu Nov 22 07:16:33 2018 - Loaded "Put/Delete test" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_auth
V:Thu Nov 22 07:16:33 2018 - Loaded "Guess authentication" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_text
V:Thu Nov 22 07:16:33 2018 - Loaded "Text reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_dictionary_attack
V:Thu Nov 22 07:16:33 2018 - Loaded "Dictionary attack" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_apacheusers
V:Thu Nov 22 07:16:33 2018 - Loaded "Apache Users" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_embedded
V:Thu Nov 22 07:16:33 2018 - Loaded "Embedded Detection" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_apache_expect_xss
V:Thu Nov 22 07:16:33 2018 - Loaded "Apache Expect XSS" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_httpoptions
V:Thu Nov 22 07:16:33 2018 - Loaded "HTTP Options" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_favicon
V:Thu Nov 22 07:16:33 2018 - Loaded "Favicon" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_drupal
V:Thu Nov 22 07:16:33 2018 - Loaded "Drupal Specific Tests" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_content_search
V:Thu Nov 22 07:16:33 2018 - Loaded "Content Search" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_headers
V:Thu Nov 22 07:16:33 2018 - Loaded "HTTP Headers" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_multiple_index
V:Thu Nov 22 07:16:33 2018 - Loaded "Multiple Index" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_msgs
V:Thu Nov 22 07:16:33 2018 - Loaded "Server Messages" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_nbe
V:Thu Nov 22 07:16:33 2018 - Loaded "NBE reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_negotiate
V:Thu Nov 22 07:16:33 2018 - Loaded "Negotiate" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_robots
V:Thu Nov 22 07:16:33 2018 - Loaded "Robots" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_ms10_070
V:Thu Nov 22 07:16:33 2018 - Loaded "ms10-070 Check" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_siebel
V:Thu Nov 22 07:16:33 2018 - Loaded "Siebel Checks" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_html
V:Thu Nov 22 07:16:33 2018 - Loaded "Report as HTML" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_paths
V:Thu Nov 22 07:16:33 2018 - Loaded "Path Search" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_xml
V:Thu Nov 22 07:16:33 2018 - Loaded "Report as XML" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_parked
V:Thu Nov 22 07:16:33 2018 - Loaded "Parked Detection" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_core
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_fileops
V:Thu Nov 22 07:16:33 2018 - Loaded "File Operations" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_shellshock
V:Thu Nov 22 07:16:33 2018 - Loaded "shellshock" plugin.
V:Thu Nov 22 07:16:33 2018 - Getting targets
V:Thu Nov 22 07:16:33 2018 - Target:192.168.1.55 port:9043
V:Thu Nov 22 07:16:33 2018 - Checking for HTTPS on port 192.168.1.55:9043, using HEAD
V:Thu Nov 22 07:16:33 2018 - for HEAD:
V:Thu Nov 22 07:16:33 2018 - Checking for HTTP on port 192.168.1.55:9043, using HEAD
V:Thu Nov 22 07:16:33 2018 - for HEAD:
V:Thu Nov 22 07:16:33 2018 - Checking for HTTPS on port 192.168.1.55:9043, using GET
V:Thu Nov 22 07:16:33 2018 - for GET:
V:Thu Nov 22 07:16:33 2018 - Checking for HTTP on port 192.168.1.55:9043, using GET
V:Thu Nov 22 07:16:34 2018 - for GET:

  • No web server found on 192.168.1.55:9043

V:Thu Nov 22 07:16:34 2018 - Opening reports (none, )
V:Thu Nov 22 07:16:34 2018 - 6934 server checks loaded
V:Thu Nov 22 07:16:34 2018 - Running start for "Embedded Detection" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Favicon" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Drupal Specific Tests" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "HTTP Headers" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Guess authentication" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Content Search" plugin

  • 0 host(s) tested
V:Thu Nov 22 07:16:34 2018 + 8 requests made in 1 seconds

dsolstad avatar Nov 22 '18 12:11 dsolstad

My best guess is this is an underlying OS/encryption issue since curl can't handle it (can wget?). It's possible the perl TLS modules and/or Libwhisker can't handle it--there are a lot of things that can go wrong in that chain.

I'd make sure that your perl libraries for Net::SSLeay and Net::SSL are up to date.

Also, I'd force change the SSL library nikto is using, and try both rather than letting it auto select. See nikto.conf and update this bit:

# SSLeay        - use Net::SSLeay 
# SSL           - use Net::SSL 
# auto          - automatically choose whats available 
#                 (SSLeay wins if both are available) 
LW_SSL_ENGINE=auto

sullo avatar Nov 24 '18 05:11 sullo

wget finds it with --no-check-certificate. It didn't make any difference by changing LW_SSL_ENGINE. Everything from an updated Kali machine.

dsolstad avatar Nov 29 '18 09:11 dsolstad

I've noticed some problems with SSL and perl on Windows, but not on Linux. Could you try it with "-D d" instead of "-D v" as that will dump the actual request headers?

tautology0 avatar Nov 29 '18 09:11 tautology0

D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_parked_strings
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_404_strings
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_outdated
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_variables
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_tests

  • Nikto v2.1.6

D:Thu Nov 29 05:12:42 2018 WARNING: No init found for nikto_core
D:Thu Nov 29 05:12:42 2018 'Request Hash' = { 'Connection' => 'Keep-Alive', 'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)', 'whisker' => { 'version' => '1.1', 'force_bodysnatch' => 0, 'method' => 'HEAD', 'host' => '192.168.1.50', 'lowercase_incoming_headers' => 1, 'MAGIC' => 31339, 'ssl_save_info' => 1, 'ssl' => 1, 'ignore_duplicate_headers' => 1, 'max_size' => 0, 'uri_param_sep' => '?', 'uri_prefix' => '', 'protocol' => 'HTTP', 'timeout' => 10, 'retry' => 0, 'http_eol' => "\r\n", 'http_space1' => ' ', 'keep-alive' => 1, 'uri_postfix' => '', 'port' => 9043, 'invalid_protocol_return_value' => 1, 'force_close' => 0, 'ssl_rsacertfile' => undef, 'http_space2' => ' ', 'include_host_in_uri' => 0, 'require_newline_after_headers' => 0, 'trailing_slurp' => 0, 'ssl_certfile' => undef, 'force_open' => 0, 'normalize_incoming_headers' => 1, 'uri' => '/' }, 'Host' => '192.168.1.50:9043' };
D:Thu Nov 29 05:12:42 2018 'Result Hash' = { 'whisker' => { 'ssl_cert_altnames' => [ 1, 'ProfileUUID:' ], 'ssl_cert_subject' => '', 'error' => "sending request: SSL error: ssl_write_all 12402: 1 - SSL_ERROR_SSL(-1,1,error:00000001:lib(0):func(0):reason(1),)\nSSL_write 12402: 1 - error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small\n", 'uri' => '/', 'ssl_cert_issuer' => '', 'MAGIC' => 31340, 'ssl_cipher' => '(NONE)' } };
D:Thu Nov 29 05:12:42 2018 'Request Hash' = { 'Connection' => 'Keep-Alive', 'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)', 'whisker' => { 'ignore_duplicate_headers' => 1, 'max_size' => 0, 'MAGIC' => 31339, 'ssl' => 0, 'ssl_save_info' => 1, 'lowercase_incoming_headers' => 1, 'version' => '1.1', 'method' => 'HEAD', 'force_bodysnatch' => 0, 'host' => '192.168.1.50', 'ssl_certfile' => undef, 'uri' => '/', 'force_open' => 0, 'normalize_incoming_headers' => 1, 'http_space2' => ' ', 'ssl_rsacertfile' => undef, 'include_host_in_uri' => 0, 'require_newline_after_headers' => 0, 'trailing_slurp' => 0, 'http_eol' => "\r\n", 'keep-alive' => 1, 'http_space1' => ' ', 'force_close' => 0, 'invalid_protocol_return_value' => 1, 'port' => 9043, 'uri_postfix' => '', 'protocol' => 'HTTP', 'uri_prefix' => '', 'uri_param_sep' => '?', 'timeout' => 10, 'retry' => 0 }, 'Host' => '192.168.1.50' };
D:Thu Nov 29 05:12:42 2018 'Result Hash' = { 'whisker' => { 'data' => '', 'http_data_sent' => 1, 'uri' => '/', 'error' => 'error reading HTTP response', 'MAGIC' => 31340, 'lowercase_incoming_headers' => 1 } };
D:Thu Nov 29 05:12:42 2018 'Request Hash' = { 'Host' => '192.168.1.50:9043', 'whisker' => { 'lowercase_incoming_headers' => 1, 'version' => '1.1', 'force_bodysnatch' => 0, 'method' => 'GET', 'host' => '192.168.1.50', 'ignore_duplicate_headers' => 1, 'max_size' => 0, 'MAGIC' => 31339, 'ssl_save_info' => 1, 'ssl' => 1, 'http_eol' => "\r\n", 'http_space1' => ' ', 'keep-alive' => 1, 'uri_postfix' => '', 'force_close' => 0, 'port' => 9043, 'invalid_protocol_return_value' => 1, 'uri_param_sep' => '?', 'uri_prefix' => '', 'protocol' => 'HTTP', 'timeout' => 10, 'retry' => 0, 'ssl_certfile' => undef, 'normalize_incoming_headers' => 1, 'force_open' => 0, 'uri' => '/', 'ssl_rsacertfile' => undef, 'http_space2' => ' ', 'include_host_in_uri' => 0, 'require_newline_after_headers' => 0, 'trailing_slurp' => 0 }, 'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)', 'Connection' => 'Keep-Alive' };
D:Thu Nov 29 05:12:42 2018 'Result Hash' = { 'whisker' => { 'ssl_cert_issuer' => '', 'MAGIC' => 31340, 'ssl_cipher' => '(NONE)', 'error' => "sending request: SSL error: ssl_write_all 12402: 1 - SSL_ERROR_SSL(-1,1,error:00000001:lib(0):func(0):reason(1),)\nSSL_write 12402: 1 - error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small\n", 'uri' => '/', 'ssl_cert_subject' => '', 'ssl_cert_altnames' => [ 1, 'ProfileUUID:' ] } };
D:Thu Nov 29 05:12:42 2018 'Request Hash' = { 'Host' => '192.168.1.50', 'whisker' => { 'lowercase_incoming_headers' => 1, 'force_bodysnatch' => 0, 'method' => 'GET', 'version' => '1.1', 'host' => '192.168.1.50', 'ignore_duplicate_headers' => 1, 'max_size' => 0, 'ssl_save_info' => 1, 'ssl' => 0, 'MAGIC' => 31339, 'http_eol' => "\r\n", 'uri_postfix' => '', 'invalid_protocol_return_value' => 1, 'port' => 9043, 'force_close' => 0, 'http_space1' => ' ', 'keep-alive' => 1, 'uri_prefix' => '', 'uri_param_sep' => '?', 'protocol' => 'HTTP', 'retry' => 0, 'timeout' => 10, 'normalize_incoming_headers' => 1, 'force_open' => 0, 'uri' => '/', 'ssl_certfile' => undef, 'include_host_in_uri' => 0, 'http_space2' => ' ', 'ssl_rsacertfile' => undef, 'trailing_slurp' => 0, 'require_newline_after_headers' => 0 }, 'Connection' => 'Keep-Alive', 'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)' };
D:Thu Nov 29 05:12:42 2018 'Result Hash' = { 'whisker' => { 'http_data_sent' => 1, 'data' => '', 'MAGIC' => 31340, 'lowercase_incoming_headers' => 1, 'uri' => '/', 'error' => 'error reading HTTP response' } };

  • No web server found on 192.168.1.50:9043

  • 0 host(s) tested

dsolstad avatar Nov 29 '18 10:11 dsolstad

Here's the problem, this bugger: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Basically the Diffie-Hellman key on the server is <1024 bits. This isn't supported in the version of openssl you're using. The ideal solution would be to get the server to match modern TLS standards.

tautology0 avatar Nov 29 '18 14:11 tautology0

I am having the same issue. The target site is http so no SSL/TLS. I can see it making HEAD requests in Wireshark, I don't see any RST packets or anything negative that the server responds with. I can navigate to the site manually just fine. First time I've seen this happen.

ms08067 avatar Dec 19 '18 15:12 ms08067

Here is a curl and response... I've censored the domain.

curl -IL http://www.########.com

HTTP/1.1 200 OK
Server: openresty/1.11.2.4
Date: Wed, 19 Dec 2018 15:38:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29-pl0-gentoo
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.#######.com/xmlrpc.php
Link: http://www.#######.com/; rel=shortlink
Set-Cookie: PHPSESSID=5ab739ef1c3b9b1232263f5ead67158a; path=/
X-Webcom-Cache-Status: BYPASS

ms08067 avatar Dec 19 '18 15:12 ms08067

@ms08067 I don't see anything in that response that should be a problem. Can you post a debug dump in a file? If you use -D DS it should scrub the output of the hostname (verify though). I'm particularly looking for the first request or two to see the request/response. Thanks.

sullo avatar Dec 30 '18 03:12 sullo

I think the two problems aren't related. I think @dsolstad's problem is the version of openssl and the server being scanned. We need more information from @ms08067.

tautology0 avatar Mar 09 '19 09:03 tautology0

Curl will accept tlsv1.0 if you remove CipherString = DEFAULT@SECLEVEL=2 from /etc/ssl/openssl.cnf. But nikto won't budge. E.g. curl https://example.com --tlsv1.0 -k

cyc115 avatar Jan 05 '20 23:01 cyc115
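
An added example, not part of the thread or of Nikto: a shell helper that reads `openssl s_client` output, extracts the server's ephemeral DH size and reports which OpenSSL security levels accept it, relating the `dh key too small` error diagnosed above to the `CipherString = DEFAULT@SECLEVEL=2` setting mentioned in the last comment. The function names and the sample output are constructed for illustration, and the `s_client` invocation in the comment is an assumed one; the per-level minimums are those documented for OpenSSL security levels.

```shell
#!/usr/bin/env bash
# Added example: map the server's ephemeral DH size (from `openssl s_client`
# output on stdin) to the OpenSSL security levels that accept it.

# Minimum DH size per level, per the SSL_CTX_set_security_level documentation.
seclevel_min_bits() {
  case "$1" in
    0) echo 0 ;; 1) echo 1024 ;; 2) echo 2048 ;;
    3) echo 3072 ;; 4) echo 7680 ;; 5) echo 15360 ;;
    *) return 1 ;;
  esac
}

# Print N from "Server Temp Key: DH, N bits"; return 1 if no DHE was used.
dh_bits() {
  sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1 | grep .
}

# Highest security level whose minimum the given DH size still meets.
max_seclevel_for() {
  local bits=$1 level=0 l
  for l in 1 2 3 4 5; do
    if [ "$bits" -ge "$(seclevel_min_bits "$l")" ]; then level=$l; fi
  done
  echo "$level"
}

# Report whether a client at the given level (default 2) accepts the key.
dh_report() {
  local client_level=${1:-2} bits max
  bits=$(dh_bits) || { echo "no DHE key exchange seen"; return 2; }
  max=$(max_seclevel_for "$bits")
  if [ "$max" -lt "$client_level" ]; then
    echo "DH $bits bits: rejected at SECLEVEL=$client_level (highest accepting level: $max)"
    return 1
  fi
  echo "DH $bits bits: accepted at SECLEVEL=$client_level"
}

# Constructed sample of s_client output (not captured from the thread's server).
sample_s_client_output() {
  printf '%s\n' 'CONNECTED(00000003)' '---' \
    'Peer signing digest: SHA256' 'Server Temp Key: DH, 768 bits' '---'
}

# Live use (assumed invocation, host and port as in the thread):
#   openssl s_client -connect 192.168.1.50:9043 -cipher 'DHE:@SECLEVEL=0' \
#     </dev/null 2>/dev/null | dh_report 2
sample_s_client_output | dh_report 2 || true
```

A return code of 1 means the scanner host's TLS policy refuses the server's key exchange, so "No web server found" reflects a local handshake refusal rather than an absent service.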