Scanning Websites Using Nikto
Nikto is a web scanning tool available on Kali. It performs
banner grabbing and runs a few basic HTTP security-header checks
to determine if the web server uses those security headers, which
mitigate known web vulnerabilities such as cross-site scripting
(XSS), a client-side injection vulnerability targeting web browsers,
and UI redressing (also known as clickjacking), a vulnerability that
lets attackers hijack user clicks by using decoy layers in a web page.
These headers indicate to browsers what to do and not do when
loading certain resources and opening URLs to protect the user from
falling victim to an attack.
After performing these security checks, Nikto also sends requests
to possible endpoints on the server using its built-in wordlist of
common paths to discover interesting endpoints that could be useful
for penetration testers. Let’s use it to perform a basic web
assessment of the three web servers we’ve identified on the IP
addresses 172.16.10.10 (p-web-01), 172.16.10.11 (p-ftp-01), and
172.16.10.12 (p-web-02).
We’ll run a Nikto scan against the web ports we found to be open
on the three target IP addresses. Open a terminal and run the
following commands one at a time, so you can dissect the output of
each IP address:
$ nikto -host 172.16.10.10 -port 8081
$ nikto -host 172.16.10.11 -port 80
$ nikto -host 172.16.10.12 -port 80
The output for 172.16.10.10 on port 8081 shouldn’t yield much
interesting information about discovered endpoints, but it should
indicate that the server doesn’t seem to be hardened, as it doesn’t use
security headers:
+ Server: Werkzeug/2.2.3 Python/3.11.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
--snip--
+ Allowed HTTP Methods: OPTIONS, GET, HEAD
+ 7891 requests: 0 error(s) and 4 item(s) reported on remote host
As you can see, Nikto was able to perform a banner grab of the
server, as indicated by the line that starts with the word Server. It
then listed a few missing security headers. These are useful pieces of
information, but not enough to take over a server just yet.
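To see what those checks amount to, here is an added example (not from the book or from Nikto itself) that performs the same banner grab and missing-header checks in POSIX shell over two constructed responses: one modelled on the unhardened Werkzeug output above, one hardened for comparison. The header text is made up; on a live host you would pass in real headers, for example from `curl -si -X OPTIONS http://172.16.10.10:8081/`.

```shell
#!/bin/sh
# Added example: a small stand-in for Nikto's banner grab and security-header
# checks, run over constructed responses so it works offline.

# Constructed response modelled on the Werkzeug banner reported above
# (no security headers). Not a real capture.
SAMPLE_HEADERS="HTTP/1.1 200 OK
Server: Werkzeug/2.2.3 Python/3.11.1
Content-Type: text/html; charset=utf-8
Allow: OPTIONS, GET, HEAD
"

# Constructed hardened response. X-XSS-Protection is deliberately 0: the
# browser XSS auditor is deprecated, and 0 disables it explicitly while
# still satisfying a presence-only check like Nikto's.
HARDENED_HEADERS="HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Content-Security-Policy: default-src 'self'
Allow: GET, HEAD
"

# The three headers Nikto flagged above, plus Content-Security-Policy, which
# this example adds as the modern replacement for X-XSS-Protection.
WANTED_HEADERS="X-Frame-Options X-Content-Type-Options X-XSS-Protection Content-Security-Policy"

# Value of a header, matched case-insensitively (first match wins).
header_value() {   # $1 = raw response, $2 = header name
    printf '%s\n' "$1" | tr -d '\r' |
        awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z'):" \
            'tolower($1) == want { sub(/^[^:]*: */, ""); print; exit }'
}

# One line per wanted header that the response does not send.
missing_headers() {   # $1 = raw response
    for h in $WANTED_HEADERS; do
        [ -n "$(header_value "$1" "$h")" ] || printf '%s\n' "$h"
    done
}

# Nikto-style summary: banner, missing headers, allowed methods.
check_response() {   # $1 = raw response
    printf '+ Server: %s\n' "$(header_value "$1" Server)"
    missing_headers "$1" | while read -r h; do
        printf '+ The %s header is not present.\n' "$h"
    done
    printf '+ Allowed HTTP Methods: %s\n' "$(header_value "$1" Allow)"
}

check_response "$SAMPLE_HEADERS"
```

Running `check_response "$HARDENED_HEADERS"` instead prints the banner and methods but no missing-header lines, which is the result you want to see after a server has been hardened.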
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks