【安全牛学习笔记】扫描工具-Nikto

╋━━━━━━━╋

┃实验环境      ┃

┃Metasploitable┃

┃    Dvwa      ┃

╋━━━━━━━╋

Username admin

password password

╋━━━━━━━━━━━╋

┃侦查                  ┃

┃Httrack               ┃

┃    减少与目标系统互  ┃ 

╋━━━━━━━━━━━╋

root@kali:~# mkdir dvwa

root@kali:~# httrack

welcom to HTTrack Website Coier (Offline Brower) 3.48-20

Copyright (C) 1998-2014 Xavier Roche and other contributors

To see the option list, enter a blank line or try httrack --help

Enter project name :dvwa

Base path (return=/root/websites/) :/root/dvwa

Enter URLs (separated by commas or blank spaces) :http://192.168.1.109/dvwa/

Action:

(enter) 1        Mirror Web Site(s)

        2        Mirror Web Site(s) with Wizard

        3        Just Get Files Indicated

        4        Mirror ALL links in URLs (Multiple Mirror)

        5        Test Links In URLs (Bookmark Test)

        0        Quit

:2

Proxy (return=none) :

You can define wildcards, like: -*.gif +www.*.com/*.zip -*img_*.zip

Wildcards (return=none) :*

You can define additional options, such as recurse leve (-r),separedy blank space

To see the option list, type help

Additional options (return=none) :

---> Wizard command line: httrack http://192.168.1.109/dvwa/ -W -O "/root/dvwa/dvwa" -%v  *

Ready to lauch the mirror? (Y/n) :

WARNING! You are runing this program as root!

It might be a good idea to run as a differrnt user

Mirror launched to Thu, 03 Dec 2015 19:47:12 by HTTrack Website Copier/3.48-20 [XR&CO'2014]

Mirroring http:192.168.1.109/dvwa/ * with the wizard help..

╋━━━━━━━╋

┃扫描工具      ┃

┃Nikto         ┃

┃Vega          ┃

┃Skipfish      ┃

┃W3af          ┃

┃Arachni       ┃

┃Owasp-zap     ┃

╋━━━━━━━╋

推荐《web Pentration Testing with Kali Linux》

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

┃NIKTO                                                     ┃

┃Perl语言开发的开源web安全扫描器                           ┃

┃软件版本                                                  ┃

┃搜索存在安全隐患的文件                                    ┃

┃服务器配置漏洞                                            ┃

┃WEB Application层面的安全隐患                             ┃

┃避免404误判                                               ┃

┃    很多服务器不遵守RFC标准,对于不存在的对象返回200响应码┃

┃    依据响应文件内容判断,不同扩展名的文件404响应内容不同 ┃

┃    去除时间信息后的内容取MD5值                           ┃

┃    -no404                                                ┃

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

root@kali:~# nikto

- Nikto v2.1.6

---------------------------------------------------------------------------

+ ERROR: No host specified

       -config+            Use this config file

       -Display+           Turn on/off display outputs

       -dbcheck            check database and other key files for syntax errors

       -Format+            save file (-o) format

       -Help               Extended help information

       -host+              target host

       -id+                Host authentication to use, format is id:pass or id:pass:realm

       -list-plugins       List all available plugins

       -output+            Write output to this file

       -nossl              Disables using SSL

       -no404              Disables 404 checks

       -Plugins+           List of plugins to run (default: ALL)

       -port+              Port to use (default 80)

       -root+              Prepend root value to all requests, format is /directory 

       -ssl                Force ssl mode on port

       -Tuning+            Scan tuning

       -timeout+           Timeout for requests (default 10 seconds)

       -update             Update databases and plugins from CIRT.net

       -Version            Print plugin and database versions

       -vhost+             Virtual host (for Host header)

    + requires a value

Note: This is the short help output. Use -H for full help text.

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

┃nikto -list-plugins                                     ┃

┃nikto -update                                           ┃

┃    cirt.net                                            ┃

┃    http://cirt.net/nikto/UPDATES                       ┃     192.168.60.90:80

┃nikto -host http://1.1.1.1                              ┃     https://192.168.60.90:443

┃nikto -host 192.168.1.1 -ssl -port 443,8443,995         ┃     192.168.60.90

┃nikto -host host.txt                                    ┃

┃nmap -p80 192.168.1.0/24 -oG - | nikto -host -          ┃

┃nikto -host 192.168.1.1 -useproxy http://localhost:8087 ┃

┃-vhost                                                  ┃

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

root@kali:~# nikto -update

+ ERROR (302): Unable to get cirt.net/nikto/UPDATES/2.1.6/versions.txt

root@kali:~# nikto -list-plugins

Plugin: auth

 Guess authentication - Attempt to guess authentication realms

 Written by Sullo/Tautology, Copyright (C) 2010 CIRT Inc

Plugin: put_del_test

 Put/Delete test - Attempts to upload and delete files through the PUT and DELETE HTTP methods.

 Written by Sullo, Copyright (C) 2008 CIRT Inc.

Plugin: clientaccesspolicy

 clientaccesspolicy.xml - Checks whether a client access file exists, and if it contains a wildcard entry.

 Written by Sullo, Dirk, Copyright (C) 2012 CIRT, Inc. and Dr. Wetter IT-Consulting

Plugin: apache_expect_xss

 Apache Expect XSS - Checks whether the web servers has a cross-site scripting vulnerability through the Expect: HTTP header

 Written by Sullo, Copyright (C) 2008 CIRT Inc.

Plugin: fileops

 File Operations - Saves results to a text file.

 Written by Sullo, Copyright (C) 2012 CIRT Inc.

Plugin: msgs

 Server Messages - Checks the server version against known issues.

 Written by Sullo, Copyright (C) 2008 CIRT Inc.

Plugin: report_nbe

 NBE reports - Produces a NBE report.

 Written by Seccubus, Copyright (C) 2010 CIRT Inc.

Plugin: embedded

 Embedded Detection - Checks to see whether the host is an embedded server.

 Written by Tautology, Copyright (C) 2009 CIRT Inc.

Plugin: report_csv

 CSV reports - Produces a CSV report.

 Written by Tautology, Copyright (C) 2008 CIRT Inc.

Plugin: drupal

 Drupal Specific Tests - Performs a selection of drupal specific tests

 Written by Tautology, Copyright (C) 2014 CIRT Inc.

 Options:

  0: Flag to tell plugin to enumerate modules

  path: Basic path for modules (can usually be found in page source).

Plugin: ssl

 SSL and cert checks - Perform checks on SSL/Certificates

 Written by Sullo, Copyright (C) 2010 CIRT Inc.

Plugin: subdomain

 Sub-domain forcer - Attempts to bruteforce commonly known sub-domains

 Written by Ryan Dewhurst, Copyright (C) 2009 Ryan Dewhurst

Plugin: mutiple_index

 Multiple Index - Checks for multiple index files

 Written by Tautology, Copyright (C) 2009 CIRT Inc

Plugin: cgi

 CGI - Enumerates possible CGI directories.

 Written by Sullo, Copyright (C) 2008 CIRT Inc.

Plugin: report_xml

 Report as XML - Produces an XML report.

 Written by Sullo/Jabra, Copyright (C) 2008 CIRT Inc.

Plugin: apacheusers

 Apache Users - Checks whether we can enumerate usernames directly from the web server

 Written by Javier Fernandez-Sanguinoi Pena, Copyright (C) 2008 CIRT Inc.

 Options:

  dictionary: Filename for a dictionary file of users

  home: Look for ~user to enumerate

  size: Maximum size of username if bruteforcing

  enumerate: Flag to indicate whether to attempt to enumerate users

  cgiwrap: User cgi-bin/cgiwrap to enumerate

Plugin: report_text

 Text reports - Produces a text report.

 Written by Tautology, Copyright (C) 2008 CIRT Inc.

Plugin: shellshock

 shellshock - Look for the bash 'shellshock' vulnerability.

 Written by sullo, Copyright (C) 2014 CIRT Inc

 Options:

  uri: uri to assess

Plugin: outdated

 Outdated - Checks to see whether the web server is the latest version.

 Written by Sullo, Copyright (C) 2008 CIRT Inc.

Plugin: report_sqlg

 Generic SQL reports - Produces SQL inserts into a generic database.

 Written by Sullo, Copyright (C) 2013 CIRT Inc.

Plugin: robots

 Robots - Checks whether there's anything within the robots.txt file and analyses it for other paths to pass to other scripts.

 Written by Sullo, Copyright (C) 2008 CIRT Inc.

 Options:

  nocheck: Flag to disable checking entries in robots file.

Plugin: report_html

 Report as HTML - Produces an HTML report.

 Written by Sullo/Jabra, Copyright (C) 2008 CIRT Inc.

Plugin: sitefiles

 Site Files - Look for interesting files based on the site's IP/name

 Written by sullo, Copyright (C) 2014 CIRT Inc

Plugin: httpoptions

 HTTP Options - Performs a variety of checks against the HTTP options returned from the server.

 Written by Sullo, Copyright (C) 2008 CIRT Inc.

Plugin: parked

 Parked Detection - Checks to see whether the host is parked at a registrar or ad location.

 Written by Sullo, Copyright (C) 2011 CIRT Inc.

Plugin: negotiate

 Negotiate - Checks the mod_negotiation MultiViews.

 Written by Sullo, Copyright (C) 2013 CIRT Inc.

Plugin: dictionary

 Dictionary attack - Attempts to dictionary attack commonly known directories/files

 Written by Tautology, Copyright (C) 2009 CIRT Inc

 Options:

  method: Method to use to enumerate.

  dictionary: Dictionary of paths to look for.

Plugin: favicon

 Favicon - Checks the web server's favicon against known favicons.

 Written by Sullo, Copyright (C) 2008 CIRT Inc.

Plugin: siebel

 Siebel Checks - Performs a set of checks against an installed Siebel application

 Written by Tautology, Copyright (C) 2011 CIRT Inc.

 Options:

  languages: List of Languages

  enumerate: Flag to indicate whether we shall attempt to enumerate known apps

  applications: List of applications

  application: Application to attack

Plugin: cookies

 HTTP Cookie Internal IP - Looks for internal IP addresses in cookies returned from an HTTP request.

 Written by Sullo, Copyright (C) 2010 CIRT Inc.

Plugin: paths

 Path Search - Look at link paths to help populate variables

 Written by Sullo, Copyright (C) 2012 CIRT Inc.

Plugin: ms10_070

 http://www.microsoft.com/technet/security/bulletin/ms10-070.asp Check - Determine if a site is vulnerable to http://www.microsoft.com/technet/security/bulletin/ms10-070.asp

 Written by Sullo, Copyright (C) 2013 CIRT Inc

Plugin: content_search

 Content Search - Search resultant content for interesting strings

 Written by Sullo, Copyright (C) 2010 CIRT Inc

Plugin: tests

 Nikto Tests - Test host with the standard Nikto tests

 Written by Sullo, Tautology, Copyright (C) 2008 CIRT Inc.

 Options:

  tids: A range of testids that will only be run

  passfiles: Flag to indicate whether to check for common password files

  report: Report a status after the passed number of tests

  all: Flag to indicate whether to check all files with all directories

Plugin: headers

 HTTP Headers - Performs various checks against the headers returned from an HTTP request.

 Written by Sullo, Copyright (C) 2008 CIRT Inc.

Defined plugin macros:

 @@MUTATE = "dictionary;subdomain"

 @@DEFAULT = "@@ALL;-@@MUTATE;tests(report:500)"

  (expanded) = "apacheusers;mutiple_index;put_del_test;tests(report:500);report_nbe;parked;report_html;apache_expect_xss;content_search;cookies;shellshock;fileops;negotiate;msgs;siebel;outdated;drupal;report_sqlg;sitefiles;auth;headers;favicon;ms10_070;clientaccesspolicy;report_csv;embedded;paths;report_text;report_xml;httpoptions;cgi;ssl;robots"

 @@NONE = ""

 @@ALL = "auth;put_del_test;clientaccesspolicy;apache_expect_xss;fileops;msgs;report_nbe;embedded;report_csv;drupal;ssl;subdomain;mutiple_index;cgi;report_xml;apacheusers;report_text;shellshock;outdated;report_sqlg;robots;report_html;sitefiles;httpoptions;parked;negotiate;dictionary;favicon;siebel;cookies;paths;ms10_070;content_search;tests;headers"

root@kali:~# nikto -host http://192.168.1.109/dvwa/

root@kali:~# nikto -host 192.168.1.109 -port 80

root@kali:~# nikto -host www.baidu.com -port 443 -ssl

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP:          180.97.33.107

+ Target Hostname:    www.baidu.com

+ Target Port:        443

---------------------------------------------------------------------------

+ SSL Info:        Subject:  /C=CN/ST=Beijing/L=Beijing/O=Beijing Baidu Netcom Science Technology Co., Ltd./OU=service operation department/CN=baidu.com

                   Ciphers:  ECDHE-RSA-AES128-GCM-SHA256

                   Issuer:   /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3

+ Start Time:         2016-03-03 14:42:02 (GMT8)

---------------------------------------------------------------------------

+ Server: bfe/1.0.8.14

+ Cookie BAIDUID created without the secure flag

+ Cookie BAIDUID created without the httponly flag

+ Cookie BIDUPSID created without the secure flag

+ Cookie BIDUPSID created without the httponly flag

+ Cookie PSTM created without the secure flag

+ Cookie PSTM created without the httponly flag

+ Cookie BDSVRTM created without the secure flag

+ Cookie BDSVRTM created without the httponly flag

+ Cookie __bsi created without the secure flag

+ Cookie __bsi created without the httponly flag

+ IP address found in the 'server' header. The IP is "1.0.8.14".

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ Uncommon header 'bdqid' found, with contents: 0xd83f739e00019f43

+ Uncommon header 'bdpagetype' found, with contents: 1

+ Uncommon header 'bduserid' found, with contents: 0

+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ No CGI Directories found (use '-C all' to force check all possible dirs)

+ Server leaks inodes via ETags, header found with file /crossdomain.xml, fields: 0x54532a74 0x131 

+ /crossdomain.xml contains 2 lines which include the following domains: *.baidu.com *.bdstatic.com 

+ Cookie BD_NOT_HTTPS created without the secure flag

+ Cookie BD_NOT_HTTPS created without the httponly flag

......

root@kali:~# nmap -p80 192.168.1.0/24 -oG - | nikto -host -

- Nikto v2.1.6

---------------------------------------------------------------------------

+ nmap Input Queued: 192.168.1.1:80

+ nmap Input Queued: 192.168.1.103:80

+ Target IP:          192.168.1.1

+ Target Hostname:    192.168.1.1

+ Target Port:        80

+ Start Time:         2016-03-03 16:45:55 (GMT8)

---------------------------------------------------------------------------

+ Server: No banner retrieved

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ No CGI Directiories found (use '-C all' to force check all possible dirs)

+ Web Server returns a valid response with junk HTTP methonds, this may cause false positives.

......

root@kali:~# nikto -host http://www.baidu.com -useproxy http://localhost:8087

root@kali:~# -vhost

╋━━━━━━━━━━━━━━━━╋

┃Nikto-interactive               ┃

┃Space-report current scan status┃

┃v - verbose mode on/off         ┃

┃d - debug mode on/off           ┃

┃e - error reporting on/off      ┃

┃p - progress reporting on/off   ┃

┃r - redirect display on/off     ┃

┃c - cookie display on/off       ┃

┃a - auth display on/off         ┃

┃q - quit                        ┃

┃N - next host                   ┃

┃p - Pause                       ┃

╋━━━━━━━━━━━━━━━━╋

root@kali:~# vi /etc/nikto.conf

#########################################################################################################

# CONFIG STUFF

# $Id: config.txt 94 2009-01-21 22:47:25Z deity $

#########################################################################################################

# default command line options, can't be an option that requires a value.  used for ALL runs.

# CLIOPTS=-g -a

# ports never to scan

SKIPPORTS=21 111

# User-Agent variables:

 # @VERSION     - Nikto version

 # @TESTID      - Test identifier

 # @EVASIONS    - List of active evasions

USERAGENT=Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)

# RFI URL. This remote file should return a phpinfo call, for example:

# You may use the one below, if you like.

RFIURL=http://cirt.net/rfiinc.txt?

# IDs never to alert on (Note: this only works for IDs loaded from db_tests)

#SKIPIDS=

# The DTD

NIKTODTD=/var/lib/nikto/docs/nikto.dtd

# the default HTTP version to try... can/will be changed as necessary

DEFAULTHTTPVER=1.0

# Nikto can submit updated version strings to CIRT.net. It won't do this w/o permission. You should

# send updates because it makes the data better for everyone ;)  *NO* server specific information

# such as IP or name is sent, just the relevant version information.

# UPDATES=yes   - ask before each submission if it should send

# UPDATES=no    - don't ask, don't send

# UPDATES=auto  - automatically attempt submission *without prompting*

UPDATES=yes

# Warning if MAX_WARN OK or MOVED responses are retrieved

MAX_WARN=20

# Prompt... if set to 'no' you'll never be asked for anything. Good for automation.

#PROMPTS=no

# cirt.net : set the IP so that updates can work without name resolution -- just in case

# Proxy settings -- still must be enabled by -useproxy

#PROXYHOST=127.0.0.1

#PROXYPORT=8080

#PROXYUSER=proxyuserid

#PROXYPASS=proxypassword

# Cookies: send cookies with all requests

# Multiple can be set by separating with a semi-colon, e.g.:

# "cookie1"="cookie value";"cookie2"="cookie val"

#STATIC-COOKIE=

# The below allows you to vary which HTTP methods are used to check whether an HTTP(s) server

# is running. Some web servers, such as the autopsy web server do not implement the HEAD method

CHECKMETHODS=HEAD GET

# If you want to specify the location of any of the files, specify them here

EXECDIR=/var/lib/nikto                          # Location of Nikto

PLUGINDIR=/var/lib/nikto/plugins                        # Location of plugin dir

DBDIR=/var/lib//nikto/databases                 # Location of database dir

TEMPLATEDIR=/var/lib/nikto/templates            # Location of template dir

DOCDIR=/var/lib/nikto/docs                      # Location of docs dir

# Default plugin macros

@@MUTATE=dictionary;subdomain

@@DEFAULT=@@ALL;-@@MUTATE;tests(report:500)

# Choose SSL libs:

# SSLeay        - use Net::SSLeay

# SSL           - use Net::SSL

# auto          - automatically choose whats available

#                 (SSLeay wins if both are available)

LW_SSL_ENGINE=auto

# Number of failures before giving up

FAILURES=20

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

┃nikto                                                             ┃

┃配置文件                                                          ┃

┃    /etc/nikto.conf                                               ┃

┃    STATIC-COOKIE="cookie1"="cookie value";"cookie2"="cookie valu"┃

┃-evasion : 使用LibWhisker中对IDS的躲避技术,可使用以下几种类型:   ┃

┃    1 随机URL编码(非UTF-8方式)                                  ┃

┃    2 自选择路径(/./)                                           ┃

┃    3 过早结束的URL                                               ┃

┃    4 优先考虑长随机字符串                                        ┃

┃    5 参数欺骗                                                    ┃

┃    6 使用TAB作为命令的分隔符                                     ┃

┃    7 使用变化的URL                                               ┃

┃    8 使用Windows路径分隔符"\"                                    ┃

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂


Security+认证为什么是互联网+时代最火爆的认证?

      牛妹先给大家介绍一下Security+


        Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。

       通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。

Security+认证如此火爆的原因?  

       原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。

      目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。

       原因二: IT运维人员工作与翻身的利器。

       在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。

        原因三:接地气、国际范儿、考试方便、费用适中!

CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。

        在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。


你可能感兴趣的:(信息安全)