A Web Application Vulnerability and CGI Scanner for Web Servers

Nikto Web Scanner is another good-to-have tool for any Linux administrator's arsenal. It is an open source web scanner released under the GPL license, used to perform comprehensive tests on web servers for multiple items, including over 6,700 potentially dangerous files/CGIs. It was written by Chris Sullo and David Lodge for vulnerability assessment: it checks for outdated versions of over 1,250 web servers and for version-specific problems on over 270 servers. It also scans for and reports outdated web server software and plugins.

Features of Nikto Web Scanner

- Supports SSL
- Supports full HTTP proxy
- Supports text, HTML, XML and CSV formats for saving reports
- Scans multiple ports
- Can scan multiple servers by taking input from files such as nmap output
- Supports LibWhisker's anti-IDS encoding methods
- Capable of identifying installed software from headers, files and favicons
- Logs to Metasploit
- Reports "unusual" headers
- Apache and cgiwrap user enumeration
- Authenticates to hosts with Basic and NTLM
- Scans can be auto-paused at a specified time

Nikto Requirements

A system with a basic Perl installation, the required Perl modules and OpenSSL should be enough to run Nikto. It has been thoroughly tested on Windows, Mac OS X and various Unix/Linux distributions such as Red Hat, Debian, Ubuntu and BackTrack.

Installation of Nikto Web Scanner on Linux

Most of today's Linux systems come with the Perl, Perl module and OpenSSL packages pre-installed.
If they are not included, you can install them using the default system package manager, yum or apt-get.

On Red Hat/CentOS/Fedora:

    # yum install perl perl-Net-SSLeay openssl

On Debian/Ubuntu/Linux Mint:

    # apt-get install perl openssl libnet-ssleay-perl

Next, clone the latest stable Nikto source files from its GitHub repository (https://github.com/sullo/nikto), move into the nikto/program/ directory and run it with perl:

    $ git clone https://github.com/sullo/nikto.git
    $ cd nikto/program
    $ perl nikto.pl

Sample Output:

    - Nikto v2.1.x
    ---------------------------------------------------------------------------
    + ERROR: Option host requires an argument

           -config+            Use this config file
           -Display+           Turn on/off display outputs
           -Format+            save file (-o) format
           -Help               Extended help information
           -id+                Host authentication to use, format is id:pass or id:pass:realm
           -list-plugins       List all available plugins
           -output+            Write output to this file
           -nossl              Disables using SSL
           -no404              Disables 404 checks
           -Plugins+           List of plugins to run (default: ALL)
           -port+              Port to use (default 80)
           -root+              Prepend root value to all requests, format is /directory
           -ssl                Force ssl mode on port
           -Tuning+            Scan tuning
           -timeout+           Timeout for requests (default 10 seconds)
           -update             Update databases and plugins from CIRT.net
           -Version            Print plugin and database versions
           -vhost+             Virtual host (for Host header)

           + requires a value

    Note: This is the short help output. Use -H for full help text.

The message "Option host requires an argument" is telling us that we did not supply the parameters needed for a test. So we need to add the basic necessary parameter to do a test run.

Basic Testing

A basic scan requires a host to target; by default it scans port 80. The host can be either a hostname or an IP address. You specify the host with the "-h" option. For example, to scan a host by its IP address on TCP port 80 (the original IP address is not preserved here, so <target-ip> stands in for it):

    # perl nikto.pl -h <target-ip>

Sample Output:

    - Nikto v2.1.x
    ---------------------------------------------------------------------------
    + Target IP:          <target-ip>
    + Target Hostname:    example.com
    + Target Port:        80
    + Start Time:         <start-time> (GMT5.5)
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.15 (CentOS)
    + Retrieved x-powered-by header: PHP/5.x
    + The anti-clickjacking X-Frame-Options header is not present.
    + Server leaks inodes via ETags, header found with file /robots.txt
    + File/dir '/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    + Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.x). Apache 1.3.42 (final release) and 2.0.x are also current.
    + Multiple index files found: index.*
    + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + OSVDB-3233: /phpinfo.php: Contains PHP configuration information
    + OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
    + OSVDB-3092: /test.php: This might be interesting...
    + OSVDB-3268: /icons/: Directory indexing found.
    + OSVDB-3233: /icons/README: Apache default file found.
    + Potential PHP MySQL database connection string found.
    + OSVDB-3092: /test.html: This might be interesting...
    + End Time:           <end-time> (GMT5.5) (11 seconds)

If you want to scan a different port number, add the "-p" [-port] option. For example, to scan the same host on TCP port 443:

    # perl nikto.pl -h <target-ip> -p 443

Sample Output:

    - Nikto v2.1.x
    ---------------------------------------------------------------------------
    + Target IP:          <target-ip>
    + Target Hostname:    example.com
    + Target Port:        443
    ---------------------------------------------------------------------------
    + SSL Info:        Subject:  /O=*.example.com/OU=Domain Control Validated/CN=*.example.com
                       Ciphers:  DHE-RSA-AES256-GCM-SHA384
                       Issuer:   /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
    + Start Time:         <start-time> (GMT5.5)
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.15 (CentOS)
    + Server leaks inodes via ETags, header found with file /
    + The anti-clickjacking X-Frame-Options header is not present.
    + Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.x). Apache 1.3.42 (final release) and 2.0.x are also current.
    + Server is using a wildcard certificate: '*.example.com'
    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + OSVDB-3268: /icons/: Directory indexing found.
    + OSVDB-3233: /icons/README: Apache default file found.
    + End Time:           <end-time> (GMT5.5) (174 seconds)

You can also specify the host, port and protocol using full URL syntax, and it will be scanned:

    # perl nikto.pl -h https://example.com:443/

You can also scan any website. For example, here I did a scan on google.com:

    # perl nikto.pl -h http://www.google.com

Sample Output:

    - Nikto v2.1.x
    ---------------------------------------------------------------------------
    + Target IP:          <target-ip>
    + Target Hostname:    www.google.com
    + Target Port:        80
    + Start Time:         <start-time> (GMT5.5)
    ---------------------------------------------------------------------------
    + Cookie PREF created without the httponly flag
    + Cookie NID created without the httponly flag
    + Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
    + Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
    + Uncommon header 'alternate-protocol' found, with contents: 80:quic
    + Root page / redirects to: http://www.<redirect-url>
    + Server banner has changed from 'gws' to 'sffe' which may suggest a WAF, load balancer or proxy is in place
    + Uncommon header 'x-content-type-options' found, with contents: nosniff
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + File/dir '/groups/' in robots.txt returned a non-forbidden or redirect HTTP code (302)

The above command performs a large batch of HTTP requests (i.e. the full set of Nikto tests) against the web server.

Multiple Port Testing

You can also scan multiple ports in the same session. To scan multiple ports on the same host, add the "-p" [-port] option and specify the list of ports. Ports can be defined as a range (i.e. 80-90) or as a comma-delimited list (i.e. 80,88,90). For example, to scan ports 80 and 443 on the same host:

    # perl nikto.pl -h <target-ip> -p 80,443

Sample Output:

    - Nikto v2.1.x
    ---------------------------------------------------------------------------
    + No web server found on cmsstage.example.com:<port>
    ---------------------------------------------------------------------------
    + Target IP:          <target-ip>
    + Target Hostname:    example.com
    + Target Port:        80
    + Start Time:         <start-time> (GMT5.5)
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.15 (CentOS)
    + Retrieved x-powered-by header: PHP/5.x
    + The anti-clickjacking X-Frame-Options header is not present.
    ---------------------------------------------------------------------------
    + Target IP:          <target-ip>
    + Target Hostname:    example.com
    + Target Port:        443
    ---------------------------------------------------------------------------
    + SSL Info:        Subject:  /O=*.example.com/OU=Domain Control Validated/CN=*.example.com
                       Ciphers:  DHE-RSA-AES256-GCM-SHA384
                       Issuer:   /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435
    + Start Time:         <start-time> (GMT5.5)
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.15 (CentOS)
    + All CGI directories 'found', use '-C none' to test none
    + Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.x). Apache 1.3.42 (final release) and 2.0.x are also current.

Using a Proxy

Let's say the system where Nikto is running only has access to the target host via an HTTP proxy; the test can still be performed in two different ways. One is using the nikto.conf file.

Using nikto.conf File

PTES Technical Guidelines - The Penetration Testing Execution Standard

This section is designed to be the PTES technical guidelines that help define certain procedures to follow during a penetration test. Something to be aware of is that these are only baseline methods that have been used in the industry. They will need to be continuously updated and changed by the community as well as within your own standard. Guidelines are just that: something to drive you in a direction and help during certain scenarios, but not an all-encompassing set of instructions on how to perform a penetration test. Think outside of the box.

Tools Required

Selecting the tools required during a penetration test depends on several factors such as the type and the depth of the engagement.
In general terms, the following tools are mandatory to complete a penetration test with the expected results.

Operating Systems

Selecting the operating platforms to use during a penetration test is often critical to the successful exploitation of a network and its associated systems. As such it is a requirement to have the ability to use the three major operating systems at one time. This is not possible without virtualization.

Mac OS X

Mac OS X is a BSD-derived operating system. With standard command shells (such as sh, csh, and bash) and native network utilities that can be used during a penetration test (including telnet, ftp, rpcinfo, snmpwalk, host, and dig), it is the system of choice and is the underlying host system for our penetration testing tools. Since this is a hardware platform as well, this makes the selection of specific hardware extremely simple and ensures that all tools will work as designed.

VMware Workstation

VMware Workstation is an absolute requirement to allow multiple instances of operating systems easily on a workstation. VMware Workstation is a fully supported commercial package, and offers encryption and snapshot capabilities that are not available in the free versions from VMware. Without the ability to encrypt the data collected on a VM, confidential information will be at risk; therefore versions that do not support encryption are not to be used. The operating systems listed below should be run as guest systems within VMware.

Linux

Linux is the choice of most security consultants. The Linux platform is versatile, and the system kernel provides low-level support for leading-edge technologies and protocols. All mainstream IP-based attack and penetration tools can be built and run under Linux with no problems. For this reason, BackTrack is the platform of choice as it comes with all the tools required to perform a penetration test.

Windows XP/7

Windows XP/7 is required for certain tools to be used. Many commercial tools or Microsoft-specific network assessment and penetration tools are available that run cleanly on the platform.

Radio Frequency Tools

Frequency Counter

A frequency counter should cover from 10 Hz to 3 GHz. A good example of a reasonably priced frequency counter is the MFJ-886 Frequency Counter.

Frequency Scanner

A scanner is a radio receiver that can automatically tune, or scan, two or more discrete frequencies, stopping when it finds a signal on one of them and then continuing to scan other frequencies when the initial transmission ceases. These are not to be used in Florida, Kentucky, or Minnesota unless you hold a current amateur radio license issued by the Federal Communications Commission. The required hardware is the Uniden BCD396T Bearcat Handheld Digital Scanner or the PSR-800 GRE Digital Trunking Scanner.

Spectrum Analyzer

A spectrum analyzer is a device used to examine the spectral composition of some electrical, acoustic, or optical waveform. A spectrum analyzer is used to determine whether or not a wireless transmitter is working according to federally defined standards, and to determine, by direct observation, the bandwidth of a digital or analog signal. A good example of a reasonably priced spectrum analyzer is the Kaltman Creations HF4060 RF Spectrum Analyzer.

USB Adapter

An 802.11 USB adapter allows for the easy connection of a wireless adapter to the penetration testing system. There are several issues with using something other than the approved USB adapter, as not all of them support the required functions. The required hardware is the Alfa AWUS051NH 500mW High Gain 802.11a/b/g/n Wireless USB adapter.

External Antennas

External antennas come in a variety of shapes, based upon the usage, and with a variety of connectors. All external antennas must have RP-SMA connectors that are compatible with the Alfa. Since the Alfa comes with an omni-directional antenna, we need to obtain a directional antenna. The best choice is a panel antenna as it provides the capabilities required in a package that travels well. The required hardware is the L-com 2.4 GHz 14 dBi Flat Panel Antenna with RP-SMA connector. A good magnetic mount omni-directional antenna such as the L-com 2.4 GHz/900 MHz 3 dBi Omni Magnetic Mount Antenna with RP-SMA Plug Connector is also a good choice.

USB GPS

A GPS is a necessity to properly perform an RF assessment. Without it, it is simply impossible to determine where and how far RF signals are propagating. There are numerous options available, therefore you should look to obtain a USB GPS that is supported on the operating system you are using, be that Linux, Windows or Mac OS X.

Software

The software requirements are based upon the engagement scope; however, we've listed some commercial and open source software that could be required to properly conduct a full penetration test.

- Maltego: The de facto standard for mining data on individuals and companies. Comes in a free community version and a paid version.
- Nessus: A vulnerability scanning tool available in paid and free versions. Nessus is useful for finding and documenting vulnerabilities, mostly from the inside of a given network.
- IBM AppScan: IBM's automated web application security testing suite.
- Retina: An automated network vulnerability scanner that can be managed from a single web-based console. It can be used in conjunction with Metasploit: if an exploit exists in Metasploit, it can be launched directly from Retina to verify that the vulnerability exists.
- Nexpose: A vulnerability scanner from the same company that brings you Metasploit. Available in both free and paid versions that differ in levels of support and features.
- OpenVAS: A vulnerability scanner that originally started as a fork of the Nessus project. The actual security scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of January 2011).
- HP WebInspect: Performs web application security testing and assessment for complex web applications. Supports JavaScript, Flash, Silverlight and others.
- HP SWFScan: A free tool developed by the HP Web Security Research Group to automatically find security vulnerabilities in applications built on the Flash platform. Useful for decompiling Flash apps and finding hard-coded credentials, etc.
- BackTrack Linux: One of the most complete penetration testing Linux distributions available. Includes many of the more popular free pentesting tools but is based on Ubuntu, so it is also easily expandable. Can be run from a Live CD, USB key or VM, or installed on a hard drive.
- SamuraiWTF (Web Testing Framework): A live Linux distribution built for the specific purpose of web application scanning. Includes tools such as Fierce, Maltego, WebScarab, BeEF and many more tools specific to web application testing.
- SiteDigger 3.0: A free tool that runs on Windows. It searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.
- FOCA: A tool that allows you to find out more about a website by (amongst other things) analysing the metadata in any documents it makes available.
- THC IPv6 Attack Toolkit: The largest single collection of tools designed to exploit vulnerabilities in the IPv6 and ICMP6 protocols.
- Hydra: A very fast network logon brute force cracker which can attack many different services and resources.
- Cain & Abel: A password recovery tool that runs on Windows. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording Vo…