
nikto_usage.txt

A powerful CGI vulnerability scanner written in Perl
NAME
    Nikto - Web Server and CGI Scanner
    Version - 1.32

SYNOPSIS
    nikto [-h target] [options]

WARNING
    Nikto is a tool for finding default web files and examining web server and CGI security.
    It makes a lot of requests to the remote server, which in some cases may cause the server
    to crash. It may also be illegal to use this software against servers you do not have
    permission to test.

DESCRIPTION
    Nikto is designed to examine web servers and look for items in multiple categories:
        - misconfigurations
        - default files and scripts
        - insecure files and scripts
        - outdated software

    It uses Rain Forest Puppy's LibWhisker (wiretrip.net) for HTTP functionality, and can perform
    checks in HTTP or HTTPS. It also supports basic port scanning and will determine if a web
    server is running on any open ports.

    Nikto checks and code can be automatically updated from the main distribution server by
    using the 'update' option (see below) to ensure Nikto is checking the most recent
    vulnerabilities.

    Nikto will also load user-defined checks at startup if they are placed in a file named
    "user_scan_database.db" in the plugins directory. Unlike scan_database.db, this file will not
    be overwritten if the -update option is used. This file should always be used if you add your
    own checks (and you should send those checks to sullo@cirt.net).

    Nikto leaves a footprint on a server it scans--both in an invalid 404 check and in the
    User-Agent header. This can be changed by forcing $NIKTO{fingerprint} and $NIKTO{useragent}
    to new values in the source code, OR it changes if any IDS evasion (-e) option is used. Note
    that it's pretty obvious when Nikto is scanning a server anyway--the large number of invalid
    requests sticks out a lot in the server logs, although with an IDS evasion technique it might
    not be extremely obvious that it was Nikto.

    Why the name Nikto? See the movies "The Day the Earth Stood Still" and, of course, "Army of
    Darkness" for the answer. For a full list of pop-culture references to this, see
    http://www.blather.net/archives2/issue2no21.html which has a lot of good information.

OPTIONS
    The options listed below are all optional except the -h target specification. They can all
    be abbreviated to the first letter (i.e., -m for -mutate), with the exception of -verbose
    and -debug.

    -Cgidirs
        Optionally force the CGI directories to scan. Valid values are 'none' to not check any,
        'all' to force a scan of all CGI directories (like the deprecated -allcgi), or a value to
        use as the CGI directory, i.e. '/cgi/'.

    -cookies
        Print out the cookie names and values that were received during the scan.

    -evasion <evasion method>
        IDS evasion techniques. This enables the intrusion detection evasion in LibWhisker.
        Multiple options can be used by stringing the numbers together, i.e. to enable methods
        1 and 5, use "-e 15". The valid options are (use the number preceding each description):
            1   Random URI encoding (non-UTF8)
            2   Add directory self-reference /./
            3   Premature URL ending
            4   Prepend long random string to request
            5   Fake parameters to files
            6   TAB as request spacer instead of spaces
            7   Random case sensitivity
            8   Use Windows directory separator \ instead of /
            9   Session splicing
        See the LibWhisker source for more information, or http://www.wiretrip.net/

    -findonly
        Use port scan to find valid HTTP and HTTPS ports only, but do not perform checks against
        them.

    -Format
        Output format for the file specified with the -output option. Valid formats are:
            HTM - HTML output format.
            TXT - Text output format. This is the default if -F is not specified.
            CSV - Comma Separated Value format.

    -generic
        Force full scan rather than trusting the "Server:" identification string, as many servers
        allow this to be changed.

    -host <ip, hostname or file>
        Target host(s) to check against. This can be an IP address or hostname, or a file of IPs
        or hostnames. If this argument is a file, it should be formatted as described below. This
        is the only required option.

    -id <user:password:realm>
        HTTP authentication credentials. The format is userid:password for authorizing Nikto to a
        web server realm. For NTLM realms, the format is id:password:realm.

    -mutate
        Mutate checks. This causes Nikto to put all files with all directories from the .db files
        and scan the host. You might find some oddities this way. Note that it generates a lot of
        checks.

    -nolookup
        Don't perform a host name lookup.

    -output <filename>
        Write output to this file when complete. Format is text unless specified via -Format.

    -port <port number>
        Port number to scan, defaults to port 80 if missing. This can also be a range or list of
        ports, which Nikto will check for web servers. If a web server is found, it will perform
        a full scan unless the -f option is used.

    -root
        Always prepend this to requests, i.e., changes a request of "/password.txt" to
        "/directory/password.txt" (assuming the value passed on the CLI was "/directory").

    -ssl
        Force SSL mode on port(s) listed. Note that Nikto attempts to determine if a port is HTTP
        or HTTPS automatically, but this can be slow if the server fails to respond or is slow to
        respond to the incorrect one. This sets SSL usage for *all* hosts and ports.

    -timeout
        Timeout for each request, default is 10 seconds.

    -useproxy
        Use the proxy defined in config.txt for all requests.

    -vhost <ip or hostname>
        Virtual host to use for the "Host:" header, in case it is different from the target.

    -Version
        Print version numbers of Nikto, all plugins and all databases.

    These options cannot be abbreviated to the first letter:

    -dbcheck
        This option will check the syntax of the checks in the scan_database.db and
        user_scan_database.db files. This is really only useful if you are adding checks or are
        having problems.

    -debug
        Print a huge amount of detail out. In most cases this is going to be more information
        than you need, so try -verbose first.

    -update
        This will connect to cirt.net and download updated scan_database.db and plugin files. Use
        this with caution as you are downloading files--perhaps including code--from an
        "untrusted" source. This option cannot be combined with any other, but required variables
        (like the PROXY settings) will be loaded from the config.txt file.

    -verbose
        Print out a lot of extra data during a run. This can be useful if a scan or server is
        failing, or to see exactly how a server responds to each request.

HOSTNAME FILE
    If a file is specified with -h instead of a hostname or IP, Nikto will open the file to use
    it as a list of targets. The file should be formatted with one host per line. If no port is
    specified, port 80 is assumed. Multiple ports may be specified per host. If a host file is
    used, any ports specified via -p are added to every host. Valid lines would be:
        10.100.100.100
        10.100.100.100:443
        10.100.100.100,443
        10.100.100.100:443:8443
        10.100.100.100,443,8443
        evilash.example.com,80
        (etc)

CONFIG FILE
    The 'config.txt' file provides a means to set variables at run-time without modifying the
    Nikto source itself. The options below can be set in the file. Options that accept multiple
    values (CGIDIRS, SKIPPORTS, etc.) should just use a space to distinguish multiple values.
    None of these are required unless you need them.

    CLIOPTS - Add any option here to be added to every Nikto execution, whether specified at the
        command line or not.
    NMAP - Path to nmap. If defined, Nikto will use nmap to port scan a host rather than PERL
        code, and so should be faster.
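The DESCRIPTION section notes that a scan shows up in server logs both through the User-Agent header and through the large number of invalid requests. The following is an added example (not part of Nikto or of the original file) that flags clients in an access log on either signal, so a scan is still caught by its 404 volume when the User-Agent has been changed. The log lines, the User-Agent value, the thresholds and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format: client, status and User-Agent are captured.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def _line(ip, path, status, ua):
    # Build one constructed log line (not real traffic).
    return (f'{ip} - - [01/Jan/2005:10:00:00 +0000] "GET {path} HTTP/1.0" '
            f'{status} 200 "-" "{ua}"')

# Constructed sample: a scan with a labelled User-Agent, a scan with a changed
# User-Agent, and an ordinary visitor. "Mozilla/4.75 (Nikto/1.32)" is a made-up
# value; the page does not give the exact header string.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", f"/cgi-bin/probe{i}.cgi", 404, "Mozilla/4.75 (Nikto/1.32)")
     for i in range(6)]
    + [_line("192.0.2.20", f"/scripts/x{i}.pl", 404, "Mozilla/4.0") for i in range(9)]
    + [_line("192.0.2.20", "/index.html", 200, "Mozilla/4.0")]
    + [_line("198.51.100.5", p, s, "Mozilla/5.0")
       for p, s in [("/", 200), ("/about.html", 200), ("/old.html", 404)]]
)

def find_scanners(log_text, min_requests=5, not_found_ratio=0.8):
    """Return {client_ip: [reasons]} for clients that look like a scan."""
    stats = defaultdict(lambda: {"total": 0, "404": 0, "ua_hit": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        ip, status, ua = m.groups()
        s = stats[ip]
        s["total"] += 1
        s["404"] += status == "404"
        s["ua_hit"] |= "nikto" in ua.lower()
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["ua_hit"]:
            reasons.append("user-agent")
        # Many requests, most of them for files that do not exist.
        if s["total"] >= min_requests and s["404"] / s["total"] >= not_found_ratio:
            reasons.append("404-burst")
        if reasons:
            flagged[ip] = reasons
    return flagged
```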
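The HOSTNAME FILE format above, together with the WARNING about permission, suggests checking a host file before it is handed to -h. The following is an added example (not Nikto's own code) that parses the documented line forms and lists any target not covered by an authorized list. The function names, the authorized-list format (CIDR ranges or hostnames) and the reading that -p ports are added on top of the default port 80 are assumptions of this example.

```python
import ipaddress
import re

def parse_host_line(line, extra_ports=()):
    """Parse one host-file line into (host, [ports]) per the HOSTNAME FILE rules."""
    fields = [f for f in re.split(r"[:,]", line.strip()) if f]
    if not fields:
        raise ValueError("empty line")
    host = fields[0]
    # Assumption: a line with no port resolves to 80 first, then -p ports are added.
    wanted = (fields[1:] or ["80"]) + list(extra_ports)
    ports = []
    for p in wanted:
        port = int(p)  # raises ValueError on a non-numeric port
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        if port not in ports:
            ports.append(port)
    return host, ports

def out_of_scope(host_file_text, authorized, extra_ports=()):
    """Return parsed targets whose host is not covered by the authorized list."""
    nets, names = [], set()
    for entry in authorized:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry.lower())  # not an IP range, treat as a hostname
    rejected = []
    for line in host_file_text.splitlines():
        if not line.strip():
            continue
        host, ports = parse_host_line(line, extra_ports)
        try:
            ok = any(ipaddress.ip_address(host) in net for net in nets)
        except ValueError:
            ok = host.lower() in names
        if not ok:
            rejected.append((host, ports))
    return rejected
```

An empty result from `out_of_scope` means every line of the host file falls inside the authorized list.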
