Nikto is a tool that it has been written in Perl and it can perform tests against web servers in order to identify potential vulnerabilities.Nikto can be used in web application penetration tests and in some cases can produce juicy results.Specifically if a system administrator has not configured very well his web server and the web server is out of date or there is a misconfiguration Nikto is capable to find them.

For the needs of the article we will use Nikto in order to scan the web server where the DVWA (Damn Vulnerable Web Application) is hosted.Before we start the scan it is always a good practice to perform an update for obtaining the latest plugins.This can be achieved with the -update parameter.

Updating Nikto
Updating Nikto

 

Now we can scan the URL of the web application with the command ./nikto.pl -host IP.You can see the results of Nikto in the next image:

Nikto results
Nikto results

Analyzing The Output

The first information that we have is the version of the Apache which is 2.2.8.So we can check on the web in order to see what kind of vulnerabilities exist for this version.Also Nikto discovered the robots.txt file which in many cases can contain sensitive directories and it must always be checked.In this case the robots.txt contained the following entry:

User-agent: *

Disallow: /

This actually means that all the robots should not visit any pages on this site.The next information that we have from Nikto is that the version of the web server is out of date which can be considered as an issue.Additionally Nikto has identified that the TRACE method is allowed.This method is used to debug web server connections and can be abused in order to disclose sensitive information configuration.

If we rate these issues so far we can say that the impact is low.However Nikto has discovered other issues which seems to be most interesting.Lets examine the directory indexing in the dvwa/config/.

Directory Indexing - DVWA
Directory Indexing – DVWA

 

We can see that there is a PHP file which probably contains the configuration details of the application.In order to see what this file contains we will put the ~ after the config.inc.php file so the URL will be:

http://172.16.212.133/dvwa/config/config.inc.php~

Discover credentials on the config.php file
Discover credentials on the config.php file

 

As we can see from the config file we obtained the following information:

  • Application Database (dvwa)
  • Database User (root)
  • Database Password (null)

We can now use these credentials in order to connect and to own the database of the application.We can of course check and the other issues but from the moment that we have valid credentials for the database the goal has achieved.

Conclusion

This was just a simple demonstration of the capabilities of Nikto against a web server that was intentionally vulnerable.Also from this tutorial we saw that it is always a good practice to check the config files as they might contain plain text credentials and the major effectiveness of Nikto to discover misconfiguration on the web server.However this doesn’t mean that this amount of vulnerabilities will be discovered in real world scenarios as in nowadays most administrators have the knowledge to avoid that kind of mistakes when configuring their web servers.

1 Comment

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s