Web server security is an increasingly pressing matter for organizations of all sizes. Attackers have turned their sights on Web server vulnerabilities, taking advantage of everything from insecure WordPress implementations to outdated Apache servers. Not only do such vulnerabilities give attackers an inroad to an organization, but they can also be used to participate in distributed denial-of-service attacks on other organizations. How can IT security teams gain a better understanding of the server security at their enterprises? Nikto, the free and open source Web server security scanner, may just represent the answer.
In this SearchSecurity screencast, Keith Barker, a Certified Information Systems Security Professional (CISSP) and trainer for CBT Nuggets LLC, provides a brief Nikto tutorial. Learn how to use Nikto to find vulnerabilities, misconfigurations and outdated software versions on Web servers. The tool enables security pros to scan either one port or a range of ports for Web servers, which provides the additional benefit of finding rogue servers that weren't set up by the enterprise. Once a server is found, Nikto displays any known vulnerabilities from the open sourced vulnerability database; it can also scan for over 65,000 potentially dangerous files and 1,250 outdated server software versions. With this level of visibility, enterprises will be able to measure the insecurity of their Web servers and take concrete steps toward patching and updating systems.
Check out the full transcript below.
Learn more about detecting and preventing website vulnerabilities.
Read about open source website vulnerability scanner and recon tools.
Discover more about the top website vulnerabilities.
Check out our website vulnerabilities blog archive.
About CBT Nuggets:
CBT Nuggets is a computer-based technology company specializing in cutting-edge online IT training. Founded in 1999 by current CEO Dan Charbonneau, CBT Nuggets provides quick, easy and affordable learning by renowned instructors for individuals, small teams and large organizations. CBT Nuggets also offers free videos on a variety of IT topics on the CBT Nuggets YouTube video channel.
About Keith Barker:
Keith Barker, CISSP, is a trainer for CBT Nuggets and has more than 27 years of IT experience. He is a double CCIE and has been named a Cisco Designated VIP. Keith is also the author of numerous Cisco Press books and articles.
Transcript - How to use Nikto to scan for Web server vulnerabilities
Hello, and welcome to the SearchSecurity.com Screencast. I'm Keith Barker with CBT Nuggets and today we're going to feature a very cool web server scanner called Nikto.
I'd like you to imagine that you and I are in charge of a whole fleet of web servers and their applications and a strange thing happens over time is that new updates come out, maybe vulnerabilities or security issues are found, new software versions come out and the updates help protect the server against those vulnerabilities that have been discovered. And so what you and I want to do, is we want to find out if there are potential problems and security vulnerabilities, we want to look for server misconfigurations, see if there are some defaults that have been left in place from those servers that we might want to remove to make them more secure, identify if there's any insecure files or programs that are running on those servers, and at the same time we want to identify servers and programs that are outdated so we can make sure we have the latest and greatest version on those systems.
Now fortunately for us, there's a very cool open source tool that can do a great job at helping us in this task, and that tool is called Nikto. One of the cool things about Nikto, besides the name which is cool by itself, Nikto is one of the key words that the gal spoke to the robot in the movie "The Day The Earth Stood Still" that stopped the robot from taking further action. In any event, besides the cool name it also is open source, it is written by these gentlemen, and it can run on a Windows, Mac, and Linux. It does require some Perl to be on the system you're running it from and it's built to be a web server scanner.
Now it wasn't built to be a really stealthy or secret web server scanner, it's going to leave a big footprint, and the intention of course is to run these against your own systems that you are in charge of, not somebody else's to help you identify on your own systems where you're authorized to run a scanner. Regarding what out dated software or security vulnerabilities may exist on your systems and with the additional visibility, a tool like this can give us regarding our systems, you and I can then take measurable steps to improve the security on those systems whether it's an update, or removing some files that were there by default for a server, etc. It has the ability to look for over 65,000 potentially dangerous files and CGI's, it's going to look and make us aware of multiple index files, and another really cool thing is that it can help us identify of maybe a web server that we did not put in place inside of our infrastructure because we can scan on multiple ports.
Now the output is sent to the screen but we can also redirect that to a file of course for later review. And the Nikto software can be downloaded from the site cirt.net/nikto2. So to get started we need to download and run Nikto. Now you may be working with Linux distribution like Kali Linux that already has the perl infrastructure in place and Nikto as well so all you have to do is run it, or if you need to go up to the website ,download Nikto, install it, and run it, that would be an option as well.
So here is the website and there's hyperlinks right here, so you can go ahead and download the software. By default it's going to be looking at port 80, but if we want to use a non standard port or a different port other than 80, there are several options of doing it. After the IP address or website we can use colon, colon for example, 8080 that would do it or we use the -p for port and put 8080, or we can do a range, we can do -p and then we say 8080 - for example 8090, it would scan that range looking for web services. If we had a couple specific we could use -p and say 8080, 80 and that would scan just on those two ports. So we have lots of options regarding which ports we want to look for.
For this demonstration, we're connected to a Kali Linux box which already has perl installed and it already has Nikto installed as well. So we're going to change folders to the user bin directory, and let's just verify that Nikto is there for us, and here it is right there. And as with most commands inside of Unix, if we want to get help we can use a help option. Now sometimes it's an -h, or a -help, or a --h, with Nikto, to get the full help it's -H. So we'll go ahead and use that option and if we scroll up, here's the syntax we used which is showing us a bunch of options that we can use with Nikto. Probably the one we're going to use most frequently is this one right here, the- host. Which we would simply follow with either the DNS name or the IP address of the device that we're going to scan. And as a reminder we're only going to scan servers that we own, that we're authorized to scan.
So for example, on this Kali Linux box that we're currently running, I believe there's a web server currently running on it, so we could do Nikto-h local host which is referring to this device 12701 is our loop back, and it will go ahead and do the scan against that address. So there's the target IP which is this local machine, there's the name that we used, by default it's scanning on port 80, it found and Apache server, these are the allowed HTTP methods supported on the server, and the OSVDB is the Open Source Vulnerability Data Base number 561 and it's simply showing us that this web server's revealing the Apache information regarding the web server. And it gives us little ideas on how we could remove or restrict that function on this web server. So if I remove the PIN and let the screen continue, it gives us a summary saying it took 11 seconds, there's four items reported about this host, and the other Open Source Vulnerability Data Base 3233 is referring to the Apache default file found on the system.
So if you and I wanted to dig in deeper regarding this, we could open up a browser and search on OSVDB 3233 to get more details on that vulnerability. So for example, that one right there, I simply did a Google search for OSVDB 3233, and it brought me to this page which is osvdb.org/ and then the actual vulnerability number and that can give us more details on exactly what's going on with that so we can research it and look into it. And now with this visibility you and I can make a conscious decision about okay is that something that we need to correct or modify, or are we okay with it as it is. If we wanted to check another system for example I've got another server running at the IP address of .233. And so we type in Nikto-h that IP address and it will go ahead and take a look. Now there's a lot more going on with this one than the previous one. So it says we're running Apache, and it says it's outdated to begin with, and there's a whole bunch of comments and output referring to things that very likely we'd want to be corrected on this system to make sure we're updated and not vulnerable.
Now that was on port 80, I also have a web server running on port 8080 on that same device with the host address ending in 233 so if we wanted to search for port 8080, we simply tack it on there with a :8080 and now it's searching there. Another way of doing that exact same thing, let me go ahead and stop this with a control C, we could simply say Nikto-h the IP address and then the -port or - p command with the port we want to scan. And instead of just having one port we can have a range of ports with a dash or a listing of specific ports separated by a comma. And I'll do a control C to stop that one as well. So in summary, Nikto is a free open source tool, it's not intended to be stealthy or to hide what it's doing, it's very obvious for anybody who is looking at log files for your servers, but it does a fantastic job of helping us to identify and get that visibility into some things that we probably would want to correct if we knew about on our web servers.
My name is Keith Barker with CBT Nuggets, hey thanks for watching this Search Security Screencast. For more Screencasts visit searchsecurity.com/screencast.