Day 11 Vulnerability Analysis (nikto)

After ten straight days of information gathering and trying out all kinds of tools, you may have noticed that most of the tools introduced so far only collect information, and a few can do some simple analysis. Some tools, however, go a step further: based on the information they gather, they actively send additional test requests to the target host to discover vulnerabilities that could be exploited there. Today's tool belongs to that category, and it can be found under Kali's second menu category, Vulnerability Analysis.

Tool introduction

According to Wikipedia, nikto is a GPL-licensed open-source web server scanner. Its main job is to check whether the target web server has any of the following problems:

  • Misconfigurations
  • Default files and scripts
  • Insecure files and scripts
  • Outdated software

Wikipedia notes that nikto itself is not updated very often, so it may be unable to detect newer weaknesses or threats. Trying the tool's built-in update function

nikto -update

confirms that the update function is indeed in a deprecated state:

-update is deprecated in git versions of Nikto; please pull directly from git.
+ ERROR (404): Unable to get cirt.net/nikto/UPDATES/2.1.6/versions.txt

So I went to the nikto GitHub repository to check its current status. It is in fact still being maintained and updated, so following the suggestion on the GitHub page I first cloned it with git:

git clone https://github.com/sullo/nikto

# Main script is in program/
cd nikto/program

# Run using the shebang interpreter
./nikto.pl -h http://www.example.com

# Run using perl (if you forget to chmod)
perl nikto.pl -h http://www.example.com

Testing showed that the version pulled from GitHub is identical to the one currently built into Kali, so next I will test it directly against the target machine 192.168.1.86 that was built on Day 2.

Warning: nikto is a tool for discovering and checking security problems on web servers. It sends a large number of requests to the target host, and that excessive traffic may crash the remote host. In addition, plugins updated from Cirt.net cannot be guaranteed to be harmless to the system, so it is recommended to try the tool out on a test target machine.

nikto -host 192.168.1.86

The scan results are printed directly to the console:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.86
+ Target Hostname:    192.168.1.86
+ Target Port:        80
+ Start Time:         2021-09-25 12:50:05 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec  9 12:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8726 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2021-09-25 12:50:43 (GMT-4) (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Each line is one detected potential problem. For example, nikto detects that the web server version in use is too old and no longer maintained, so it may contain vulnerabilities that will never be patched:

Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.

Or it reports a known issue. OSVDB stands for Open Source Vulnerability Database, and this particular finding reveals that if you browse to the URL http://192.168.1.86/doc, you can see and access every file under that folder, including various configuration files and hidden sensitive data:

OSVDB-3268: /doc/: Directory indexing found.
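A scan like the one above is only useful once it is turned into a fix list. The following script is an added example (not part of nikto or of this post) that parses nikto's console output, pulls out the OSVDB id and path from each "+" line, groups the findings into categories such as directory listing, missing security headers and outdated software, and attaches a remediation hint to each category. The sample output embedded in it is constructed for the example in the same shape as the scan above; the category names and hints are my own, not nikto's.

```python
"""Triage helper for nikto console output (added example, not part of nikto)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of nikto's console output (not a real capture)
SAMPLE_OUTPUT = """\
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.0.2.10
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8726 requests: 0 error(s) and 7 item(s) reported on remote host
---------------------------------------------------------------------------
+ 1 host(s) tested
"""

# "+ [OSVDB-nnn: ][/path: ]message"
FINDING_RE = re.compile(
    r"^\+ (?:(?P<osvdb>OSVDB-\d+): )?(?:(?P<path>/\S*): )?(?P<message>.+)$")
SUMMARY_RE = re.compile(
    r"^\+ (?P<requests>\d+) requests: (?P<errors>\d+) error\(s\) and (?P<items>\d+) item\(s\) reported")
# Metadata lines nikto prints with a "+" but which are not findings
META_PREFIXES = ("Target IP", "Target Hostname", "Target Port", "Start Time", "End Time")

# (category, remediation hint, trigger phrases) checked in this order so the
# more specific phrases win; the phrases are taken from nikto's own wording.
RULES = [
    ("directory-listing", "Turn off autoindexing (Apache: Options -Indexes) and remove stray directories",
     ("Directory indexing found", "is browsable")),
    ("missing-security-header", "Emit the header from the web server or reverse proxy",
     ("header is not present", "header is not defined", "header is not set")),
    ("outdated-software", "Upgrade to a supported release and follow vendor advisories",
     ("appears to be outdated", "is the EOL")),
    ("dangerous-http-method", "Disable TRACE (Apache: TraceEnable off) and other unneeded methods",
     ("TRACE method",)),
    ("information-disclosure", "Remove debug scripts, hide version banners, stop using inode-based ETags",
     ("phpinfo()", "reveals potentially sensitive", "leak inodes", "x-powered-by")),
    ("exposed-admin-or-default-content", "Delete default/test content or restrict it to trusted networks",
     ("phpMyAdmin", "default file found", "might be interesting")),
]


@dataclass
class Finding:
    message: str
    category: str
    hint: str
    osvdb: Optional[str] = None
    path: Optional[str] = None


@dataclass
class ScanReport:
    server: Optional[str] = None          # banner from the "Server:" line
    reported_items: Optional[int] = None  # item count from nikto's summary line
    findings: list = field(default_factory=list)


def classify(message: str):
    """Return (category, hint) for a finding message; unknown text is 'other'."""
    for category, hint, phrases in RULES:
        if any(p in message for p in phrases):
            return category, hint
    return "other", "Review manually"


def parse_nikto_output(text: str) -> ScanReport:
    report = ScanReport()
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            report.reported_items = int(m.group("items"))
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # version banner, separator lines
        msg = m.group("message")
        if msg.startswith("Server:"):
            report.server = msg.split(":", 1)[1].strip()
            continue
        if msg.startswith(META_PREFIXES) or msg.endswith("host(s) tested"):
            continue
        category, hint = classify(msg)
        report.findings.append(Finding(msg, category, hint, m.group("osvdb"), m.group("path")))
    return report


def summarize(report: ScanReport) -> dict:
    """Number of findings per category, sorted by category name."""
    return dict(sorted(Counter(f.category for f in report.findings).items()))


def counts_agree(report: ScanReport) -> bool:
    """Sanity check: parsed findings should match nikto's own item count."""
    return report.reported_items == len(report.findings)


if __name__ == "__main__":
    rep = parse_nikto_output(SAMPLE_OUTPUT)
    print(f"Server: {rep.server}  (counts agree: {counts_agree(rep)})")
    for cat, n in summarize(rep).items():
        hint = next(f.hint for f in rep.findings if f.category == cat)
        print(f"\n[{cat}] {n} finding(s) -> {hint}")
        for f in (f for f in rep.findings if f.category == cat):
            print(f"   {f.osvdb or '-':<11} {f.path or '-':<20} {f.message}")
```

To use it on a real scan, pipe the console output into a file (for example with `nikto -host <target> > scan.txt`) and pass the file's contents to `parse_nikto_output`. The rules deliberately match nikto's own phrasing rather than OSVDB numbers, because the same OSVDB id (3092, 3268) is reused for many different paths, while the wording of each check type is stable.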

Conclusion

Today I introduced nikto. Although its update frequency may keep it from catching the newest threats, it is simple to use, which makes it very helpful for learning vulnerability analysis and for understanding the history behind various kinds of vulnerabilities. If you need to host a site yourself, you can also use tools like this one to help you avoid these problems.
