7 August 2020, 9 minutes to read. Today, I am going to do a tutorial write-up for two web scanning applications, namely Nikto and OWASP ZAP, on tryhackme. This write-up is a little bit different compared to my other CTF challenges. That is why I call this write-up a tutorial instead of a walkthrough. In addition, I was surprised that some of the challengers were not able to complete the task; so far only 26 out of 86 people have completed the room (about 30%). This gives me the inspiration to shout out my opinion and the need to spread the knowledge. Without further ado, let’s get it on.
Task 1: Nikto and OWASP ZAP
Both Nikto and OWASP ZAP perform webserver scanning, but Nikto runs in the shell while OWASP ZAP runs as a GUI. The two scanners behave in different ways. In summary, Nikto works best for reconnaissance while OWASP ZAP works best for webserver vulnerability analysis. As the old-timer said, two is better than one. Multiple tools always work better than a single tool.
Task 2: Nikto
This task requires the user to be familiar with the Nikto web scanner tool. If you are unfamiliar with a flag, remember to always use -H and -help (simplified help menu) to help you out. Every answer to this task is on the help menu.
If the help menu is confusing, you are welcome to use a Nikto cheat sheet. This is one of the examples.
Task 2-1: Flag for scanning a host
There are two answers to this question. It can be either -h or -host. However, the challenger can only input -h in the answer field. Actually, it doesn’t matter, as long as you learned it.
Task 2-2: Flag for scanning non-secure transport
The answer is on the help menu. A non-secure transport is also known as no secure socket layer (NoSSL).
Task 2-3: Flag for scanning secure
The opposite of NoSSL is SSL, silly me.
Task 2-4: Flag to specify a port to scan
Similarly, this task got two answers which are -p or -port.
Task 2-5: Flag for identifying the integrity of the vulnerable database
-dbcheck is used to check the integrity of Nikto’s vulnerability database. Always update your Nikto database using -update.
Task 2-6: Flag used to guess and test username in APACHE
We need to use -mutate flag with option 3 for the task to enumerate usernames and files in Apache server.
Task 2-7: Flag for credential check
We can perform the credential check using the -id flag followed by the username and password.
Task 2-8: Webserver version
Launch the Nikto scanner using the following command.
After a few seconds, you will be presented with the following results.
Task 2-9: Hidden directory
After that, wait a few minutes. The Nikto scanner will return a hidden directory with an OSVDB number. FYI, OSVDB was shut down in April 2016; it was replaced by VulnDB.
Task 2-10: Flag to limit the scan to end a certain time
Sometimes, Nikto can take a long time to complete a full scan. In order to limit the scanning time, we can set the desired run time with -until.
Task 2-11: Flag to list all plugins
To list all the available plugins on Nikto, simply use -list-plugins.
Task 2-12: Find outdated software on host using plugin
To find the outdated software on the target host, use -Plugins outdated.
Task 2-13: Run a standard test using a plugin
To run a series of standard tests, you are requested to use -Plugins tests.
Task 3: OWASP ZAP scanner
We have just finished the basic tutorial on Nikto; let’s proceed to the OWASP ZAP scanner.
Task 3-1: Launch the ZAP
The OWASP ZAP scanner is not designed to run from a shell. This is because the way the ZAP scanner presents the scan results is far more complex and sophisticated. However, you can launch the ZAP scanner from the command line. If you are using Kali Linux, the ZAP scanner launch command can be found in /bin.
Task 3-2: Zap scanner GUI
After launching the ZAP scanner, you will be presented with a neat GUI. Let me explain the frames of the GUI.
- Frame 1: All the scanned sites will be listed in this frame.
- Frame 2: This is the workspace window. It consists of a quick start tab (you can launch the scan right here), a webserver request window and a website response window.
- Frame 3: All the results, including webserver vulnerabilities, scanning history, spider crawl and progress, will be displayed right inside this frame.
To start our first attack on the webserver, simply go to frame 2 and click on Automated scan.
Enter the webserver URL and start the attack.
Task 3-3: Zap scanner is ‘noisy’
Running a standard ZAP scan generates ‘noise’ on the webserver, so the victim knows someone is scanning their web server. Rest assured, the OWASP ZAP scanner can run in 4 different modes.
- Safe mode: A passive and quiet scan that turns off all the harmful features while scanning.
- Protected mode: Only scan the webserver with a particular scope. This is to reduce the ‘noise’.
- Standard mode: Scan anything that is relevant (default by OWASP Zap scanner).
- Attack mode: A full-scale active scanning. The noisiest one.
I highly recommend the user to use ‘protected mode’. If you want to maximize the webserver visibility, go for ‘standard mode’. Bear in mind, both ‘safe mode’ and ‘protected mode’ will disable the following features.
- Spider crawling
- Fuzzing
- Force browsing
- Breaking
- Resending requests
Task 3-4: File which instructs the search engine
After starting the attack, you will notice a text file called robots.txt.
Robots.txt is used to tell search engines which directories or files shouldn’t be indexed.
Task 3-5: Which page is disallowed to be indexed
Open up the robots.txt file and you will find Disallow: / . What does it mean? It means the robots.txt tells search engines not to index any page on the site, for every crawler.
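To see why Disallow: / blocks everything, here is an added example (not part of the original write-up) of a minimal robots.txt parser that groups Disallow rules by User-agent and answers whether a crawler may fetch a path; the robots.txt texts are constructed, and only the Disallow: / line comes from the room. It also handles the general case of several User-agent groups and an empty Disallow.

```python
# Added example: a minimal robots.txt parser showing what "Disallow: /" means.
# Both files below are constructed; only "Disallow: /" comes from the room.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /
"""

# A second constructed file with two groups, to show the general case.
TWO_GROUP_ROBOTS = """User-agent: Googlebot
Disallow: /private/

User-agent: *
Disallow:
"""


def parse_robots(text):
    """Return {user_agent: [disallowed path prefixes]}, one entry per agent."""
    rules = {}
    group = []             # user agents of the group currently being read
    reading_rules = False  # True once a Disallow line for this group was seen
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blanks have no ':'
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if reading_rules:  # a User-agent after rules starts a new group
                group, reading_rules = [], False
            group.append(value.lower())
            rules.setdefault(value.lower(), [])
        elif field == "disallow":
            reading_rules = True
            if value:  # an empty Disallow means nothing is blocked
                for agent in group:
                    rules[agent].append(value)
    return rules


def is_allowed(rules, path, agent="*"):
    """True if crawler `agent` may fetch `path`. An agent without its own
    group falls back to the '*' group; any matching prefix blocks the path."""
    prefixes = rules.get(agent.lower(), rules.get("*", []))
    return not any(path.startswith(p) for p in prefixes)


if __name__ == "__main__":
    rules = parse_robots(SAMPLE_ROBOTS)
    print(rules, is_allowed(rules, "/index.html", "Googlebot"))  # {'*': ['/']} False
```

Note that robots.txt is advisory only: it tells well-behaved crawlers what to skip, which is exactly why a scanner reads it as a list of paths worth looking at.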
Task 3-6: The directory contains images
The answer is on the spider tab of the bottom frame.
Task 3-7: Non-secure transport and cookie
Check the Alerts tab for webserver vulnerabilities. We come across a ‘Cookie No HttpOnly Flag’ alert.
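The check behind that alert is simple to reproduce on your own responses. The following is an added example (not ZAP’s code and not from the original write-up) that parses Set-Cookie headers and reports which cookies lack the HttpOnly and Secure attributes; the response headers and cookie values are constructed.

```python
# Added example: flag Set-Cookie headers missing HttpOnly / Secure, the same
# weakness ZAP reports as "Cookie No HttpOnly Flag". Headers are constructed.
SAMPLE_HEADERS = [
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; HttpOnly"),
    ("Set-Cookie", "auth=tok; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Type", "text/html"),
]


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def missing_cookie_flags(headers, https=True):
    """Return {cookie_name: [missing flags]} for every Set-Cookie header.

    HttpOnly keeps the cookie away from JavaScript (limits XSS impact);
    Secure keeps it off non-secure transport, so it is only required
    when the site is served over HTTPS (https=True).
    """
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if https and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    print(missing_cookie_flags(SAMPLE_HEADERS))
    # {'PHPSESSID': ['HttpOnly', 'Secure'], 'theme': ['Secure']}
```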
Task 3-8: Cross-site scripting (XSS)
Looks like the webserver is vulnerable to XSS.
Task 3-9: Which site is out of scope
The spider crawled something on the website that is found to be out of scope.
Task 3-10 and 3-11: HTTP request method
The two HTTP request methods covered here are GET and POST. These methods are used to send relevant information to the webserver, such as a username, password, page id, etc. The basic differences between GET and POST are:
- A GET request submits the parameters as part of the URL, which can be bookmarked and re-executed later.
- A POST request submits the parameters in the request body, not in the URL, so it cannot be bookmarked or re-executed.
The example of GET and POST to send a page id
- (GET) http://example.com/page.php?id=2
- (POST) http://example.com/page.php
For the sake of convenience, a GET request is better than POST. However, from the security point of view, a GET request is less secure than POST: POST parameters travel in the request body, so they do not end up in the browser history or in the webserver’s standard access log. GET requests are suitable for submitting non-sensitive data such as a page id, while the POST method should be used for sending sensitive data like a username and password.
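To make the difference concrete, here is an added example (not part of the original write-up) that builds the request line and body for the GET and POST forms of the page.php example above and shows which parameters a combined-format access log entry would record; the client address, timestamp and sizes in the log line are constructed.

```python
# Added example: where a submitted parameter ends up for GET versus POST, and
# what a web server's access log records. The log entry follows the common
# Apache/nginx "combined" layout; every value in it is constructed.
from urllib.parse import urlencode, urlsplit


def build_request(method, url, params):
    """Return (request_line, body) as the browser would put them on the wire."""
    path = urlsplit(url).path or "/"
    if method.upper() == "GET":
        # Parameters ride in the query string, so they become part of the URL,
        # the browser history and any log that stores the request line.
        return f"GET {path}?{urlencode(params)} HTTP/1.1", ""
    # POST keeps the parameters in the body; the request line carries only the path.
    return f"POST {path} HTTP/1.1", urlencode(params)


def access_log_entry(request_line, status=200, size=512):
    """Combined-format entry: the request line is logged, the body never is."""
    return (f'203.0.113.5 - - [01/Jan/2020:00:00:00 +0000] "{request_line}" '
            f'{status} {size} "-" "Mozilla/5.0"')


def params_in_log(method, url, params):
    """Names of the parameters whose name=value pair is visible in the log entry."""
    request_line, _body = build_request(method, url, params)
    entry = access_log_entry(request_line)
    return [k for k, v in params.items() if urlencode({k: v}) in entry]


if __name__ == "__main__":
    creds = {"username": "alice", "password": "s3cret"}  # constructed values
    print(params_in_log("GET", "http://example.com/login.php", creds))   # both leak
    print(params_in_log("POST", "http://example.com/login.php", creds))  # []
```

TLS protects both forms in transit; the point here is only where the values are stored afterwards.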
Task (extra): More on Zap scanner
You can perform a deep scan or attack on a certain site. Simply right-click the site and choose the action.
On the other hand, you can generate a full scan report in HTML format, which is useful for future reference, especially if you are a pentester.
Conclusion
That’s all for the basic tutorial on the Nikto and OWASP ZAP webserver scanning tools. Note that there are other web server scanner tools worth discovering, such as w3af, Arachni, Grabber and more. Hope you enjoyed the tutorial and see you again ;)
tags: tryhackme - tutorial - web - OWASP
Thanks for reading.
Vortex
Everyone knows: cheat sheets are cool! They are very useful if you already know the basics about a topic but you have to look up details when you are not sure about something.
Especially, if you are new to a certain topic and you have to learn a lot of new stuff, it’s sometimes very hard to memorize everything.
Imagine you just got your 1st job as a security analyst. You’ll have to learn a lot of new tools, command options, attacks and so on. How can you quickly do a reverse DNS lookup of every IP address in a network? How can you run a specific nmap script against all servers on port 23? How do you show the details of a certificate of a TLS service? How did this Metasploit payload generation tool work again? How was this logonpasswords command called in mimikatz? And how again can I reuse relayed NTLM sessions using SOCKS? OK, I think you got it – it’s not so easy, right?
That’s exactly the place where cheat sheets come in handy!
So, I created a cheat sheet that contains lots of commands and tools that we often use during our penetration tests, security assessments or red teaming engagements. The cheat sheet contains info about the following topics:
- Basic Linux Networking Tools (ip, dig)
- Information Gathering (whois, CT logs, subdomain enumeration)
- TCP Tools (ncat)
- TLS Tools (openssl, ncat, sslyze, socat)
- HTTP Tools (python webserver, curl, nikto, gobuster)
- Sniffing (ARP spoofing, tcpdump, Wireshark, …)
- Network Scanning (nmap, masscan)
- Shells (Bind/reverse shells)
- Vulnerability DBs and Exploits (searchsploit and some links)
- Cracking (ncrack, hashcat, John the Ripper)
- Metasploit Framework (Use exploits, generate shells, shell listeners, meterpreter, pivoting, SOCKS proxying)
- Linux Privilege Escalation (LinEnum, lynis, GTFOBins)
- Windows Privilege Escalation (PowerSploit, smbmap)
- Windows Credentials Gathering (mimikatz, lsadump)
- Pass-The-Hash (Lots of impacket tools)
- NTLM Relay (ntlmrelayx, SOCKS proxying)
- Active Directory (BloodHound & PingCastle)
- Online References
The cheat sheet can be found here:
Download as a handy printable PDF:
Grab it while it’s hot 🤘!
Note: The latest version can always be found on GitHub: https://github.com/CompassSecurity/Hacking_Tools_Cheat_Sheet
Do you want to know more about these attack techniques and tools? Then, our new security training “Internal Network and System Security” might be something for you! In this training, the students will learn how attackers find security vulnerabilities in internal networks, how they are exploited and especially how to protect yourself and your infrastructure from such attacks. So this is a perfect course for network and system administrators that want to know the tools of the attackers in order to defend against them.
More info about this training in general can be found here: https://www.compass-security.com/en/services/security-trainings/course-description-internal-network-and-system-security/.
There is a public training on the 11th and 12th of February 2020 in which everyone who is interested can participate. More info can be found here: https://www.compass-security.com/en/services/security-trainings/translate-to-english-internal-network-and-system-security-februar-2020-bern/ . Note: This training will be held in German only (slides/course material are in English).
So, happy hacking and have fun!