nikto-1.34.man

Ubuntu packages of security software。 相当不错的源码

.TH Nikto 1 "November 05, 2003" "Nikto 1.34" ""
.
.SH NAME
.
\fBNikto\fP - Web Server and CGI Scanner, Version 1.34
.
.SH SYNOPSIS
.
\fBnikto.pl\fP [\-h \fItarget\fP] [\fIoptions\fP]
.
.SH WARNING
.
Nikto is a tool for finding default web files and examing web server and
CGI security.  It makes a lot of reqeusts to the remote server, which in
some cases may cause the server to crash.  It may also be illegal to use
this software against servers you do not have permission to do test.
.
.SH DESCRIPTION
.
Nikto is designed to examine web servers and look for items in multiple
categories:
.RS
.IP \(bu 3
misconfigurations
.IP \(bu 3
default files and scripts
.IP \(bu 3
insecure files and scripts
.IP \(bu 3
outdated software
.RE
.PP
It uses Rain Forest Puppy's LibWhisker (wiretrip.net) for HTTP
functionality, and can perform checks in HTTP or HTTPS.  It also supports
basic port scanning and will determine if a web server is running on any
open ports.
.PP
Nikto checks and code can be automatically udpated from the main
distribution server by using the \fB\-update\fP option (see below) to ensure
Nikto is checking the most recent vulnerabilities.
.PP
Nikto will also load user defined checks at startup if they are placed
in a file named \fIuser_scan_database.db\fP in the plugins directory.
Unlike \fIscan_database.db\fP, this file will not be over-written if the
\fB\-update\fP option is used. This should always be used if you add
your own checks (and you should send those checks to sullo@cirt.net).
.PP
Nikto leaves a footprint on a server it scans--both in an invalid 404
check and in the User-Agent header. This can be changed by forcing the
\fB$NIKTO{fingerprint}\fP and \fB$NIKTO{useragent}\fP to new values in
the source code, \fBor\fP, if any IDS evasion (\fB\-e\fP) option is
used.  Note that it's pretty obvious when Nikto is scanning a server
anyway--the large number of invalid requests sticks out a lot in the
server logs, although with an IDS evasion technique it might not be
extremely obvious that it was Nikto.
.PP
Why the name Nikto? See the movies \fI"The Day the Earth Stood
Still"\fP and, of course \fI"Army of Darkness"\fP for the answer. For
a full list of pop-culture references to this, see
http://www.blather.net/archives2/issue2no21.html which has a lot of
good information.
.
.SH OPTIONS
.
The options listed below are all optional except the \fB\-h\fP target
specification.  They can all be abbreviated to the first letter (i.e.,
\fB\-m\fP for \fB\-mutate\fP), with the exception of \fB\-verbose\fP
and \fB\-debug\fB.
.TP
.BI \-config " <config file>"
Read the specified configuration file instead of the default one.
.TP
.BI \-Cgidirs " <dirs>"
Optionally force the CGI directories to scan. Valid values are 'none' to
not check any, 'all' to force scan all CGi directories (like the deprecated
\fB\-allcgi\fP), or a value to use as the CGI directory, i.e. '/cgi/'.
.TP
.B \-cookies
Print out the cookie names and values that were received during the scan.
.TP
.BI \-evasion " <evasion method>"
IDS evasion techniques.  This enables the intrusion detection evasion in
LibWhisker.  Multiple options can be used by stringing the numbers
together, i.e. to enable methods 1 and 5, use "\-e 15".  The valid options
are (use the number preceeding each description):
.RS
.TP
.B 1
Random URI encoding (non-UTF8)
.TP
.B 2
Add directory self-reference\~/./
.TP
.B 3
Premature URL ending
.TP
.B 4
Prepend long random string to request
.TP
.B 5
Fake parameters to files
.TP
.B 6
TAB as request spacer instead of spaces
.TP
.B 7
Random case sensitivity
.TP
.B 8
Use Windows directory separator\~\\ instead of\~/
.TP
.B 9
Session splicing
.PP
See the LibWhisker source for more information, or http://www.wiretrip.net/
.RE
.TP
.B \-findonly
Use port scan to find valid HTTP and HTTPS ports only, but do not perform
checks against them.
.TP
.B \-Format
Output format for the file specified with the -output option. Valid formats
are:
.RS
.TP
.B HTM
HTML output format.
.TP
.B TXT
Text output format. This is the default if \fB\-F\fP is not specified.
.TP
.B CSV
Comma Seperated Value format.
.RE
.TP
.B \-generic
Force full scan rather than trusting the "Server:" identification string,
as many servers allow this to be changed.
.TP
.BI \-host " <ip, hostname or file>"
Target host(s) to check against. This can be an IP address or
hostname, or a file of IPs or hostnames.  If this argument is a file,
it should formatted as described below. This is the only required
option.
.TP
.BI \-id " <user:password:realm>"
HTTP Authentication use, format is userid:password for authorizing
Nikto a web server realm. For NTLM realms, format is
id:password:realm.
.TP
.BI \-mutate
Mutate checks. This causes Nikto put all files with all directories
from the .db files and can the host. You might find some oddities this
way. Note that it generates a lot of checks.
.TP
.BI \-nolookup
Don't perform a host name lookup.
.TP
.BI \-output " <filename>"
Write output to this file when complete.  Format is text unless specified
via \fB\-Format\fP.
.TP
.BI \-port " <port number>"
Port number to scan, defaults to port 80 if missing.  This can also be
a range or list of ports, which Nikto will check for web servers.  If
a web server is found, it will perform a full scan unless the
\fB\-f\fP option is used.
.TP
.BI \-root " <root>"
Always prepend this to requests, i.e., changes a request of "/password.txt"
to "/directory/password.txt" (assuming the value passed on the CLI was
"/directory")
.TP
.B \-ssl
Force SSL mode on port(s) listed.  Note that Nikto attempts to determine if
a port is HTTP or HTTPS automatically, but this can be slow if the server
fails to respond or is slow to respond to the incorrect one. This sets SSL
usage for \fBall\fP hosts and ports.
.TP
.B \-timeout " <timeout>"
Set timeout for each request, default is 10 seconds
.TP
.B \-useproxy
Use the proxy defined in \fIconfig.txt\fP for all requests
.TP
.BI \-vhost " <ip or hostname>"
Virtual host to use for the "Host:" header, in case it is different from
the target.
.TP
.B \-Version
Print version numbers of Nikto, all plugins and all databases.
.PP
These options cannot be abbreviated to the first letter:
.TP
.B \-dbcheck
This option will check the syntax of the checks in the
\fIscan_database.db\fP and \fIuser_scan_database.db\fP files. This is
really only useful if you are adding checks or are having problems.
.TP
.B \-debug
Print a huge amount of detail out. In most cases this is going to be more
information than you need, so try \fB\-verbose\fP first.
.TP
.B \-update
This will connect to cirt.net and download updated scan_database.db and
plugin files. Use this with caution as you are downloading files--perhaps
including code--from an "untrusted" source. This option cannot be combined
with any other, but required variables (like the \fBPROXY\fP settings)
will be loaded from the \fIconfig.txt\fP file.
.TP
.B \-verbose
Print out a lot of extra data during a run. This can be useful if a scan or
server is failing, or to see exactly how a server responds to each request.
.
.SH HOSTNAME FILE
.
If a file is specified with \fB\-h\fP instead of a hostname or IP, Nikto
will open the file to use it as a list of targets. The file should be
formatted with one host per line. If no port is specified, port 80 is
assumed. Multiple ports may be specified per host. If a host file is used,
any ports specified via \fB\-p\fP are added to every host. Valid lines would
be:
.PP
.RS
10.100.100.100
.br
10.100.100.100:443
.br
10.100.100.100,443
.br
10.100.100.100:443:8443
.br
10.100.100.100,443,8443
.br
evilash.example.com,80
.br
(etc)
.RE
.
.SH CONFIG FILE
.
The \fIconfig.txt\fP file provides a means to set variables at
run-time without modifying the Nikto source itself. The options below
can be set in the file. Options that accept multiple values
(\fBCGIDIRS\fP, \fBSKIPPORTS\fP, etc.) should just use a space to
distinguish multiple values.  None of these are required unless you
need them.
.TP
.B CLIOPTS
Add any option here to be added to every Nikto execution, whether specified
at the command line or not.
.TP
.B NMAP
Path to nmap. If defined, Nikto will use nmap to port scan a host rather
than PERL code, and so should be faster.
.TP
.B SKIPPORTS
Port number never to scan (so you don't crash services, perhaps?).
.TP
.B PROXYHOST
Server to use as a proxy, either IP or hostname, no 'http://' needed.
.TP
.B PROXYPORT
Port number that \fBPROXYHOST\fP uses as a proxy.
.TP
.B PROXYUSER
If the \fBPROXYHOST\fP requires authentication, use this ID. Nikto will
prompt for it if this is not set & it is needed.
.TP
.B PROXYPASS