{"id":17031,"date":"2021-06-07T05:15:00","date_gmt":"2021-06-07T03:15:00","guid":{"rendered":"http:\/\/blog.wenzlaff.de\/?p=17031"},"modified":"2021-06-08T21:36:45","modified_gmt":"2021-06-08T19:36:45","slug":"webserver-sicherheit-ueberpruefen","status":"publish","type":"post","link":"http:\/\/blog.wenzlaff.de\/?p=17031","title":{"rendered":"Checking web server security with nikto"},"content":{"rendered":"<p>If you run your own web server, you can run a security scan against it with <a href=\"https:\/\/github.com\/sullo\/nikto\" rel=\"noopener\" target=\"_blank\">nikto<\/a>. <\/p>\n<p>Nikto is an open source web server scanner written in Perl. Nikto tests web servers for over 7800 potentially dangerous files and programs, checks over 1250 server versions for being out of date, and flags known vulnerabilities for over 270 server versions. The scanner checks headers and also tries to uncover exploitable mistakes and defaults in the web server configuration. Nikto sends roughly 7800 GET requests to the web server to check for the presence of insecure content, so it causes no damage.<\/p>\n<p>It is quickly installed on the Raspberry Pi with:<\/p>\n<p><strong>sudo apt-get install nikto<\/strong><\/p>\n<p>This installs <strong>v2.1.5<\/strong>. That can be verified with<br \/>\n<strong>nikto -Version<\/strong>. 
The following is printed: <!--more--><\/p>\n<pre class=\"lang:default decode:true \" >\r\n---------------------------------------------------------------------------\r\nNikto Versions\r\n---------------------------------------------------------------------------\r\nFile                               Version      Last Mod\r\n-----------------------------      --------     ----------\r\nNikto main                         2.1.5\r\nLibWhisker                         2.5\r\nCHANGES.txt\r\ndb_404_strings                     2.003\r\ndb_content_search                  2.000\r\n         2012-07-04                1.0\r\ndb_embedded                        2.004\r\ndb_favicon                         2.010\r\ndb_headers                         2.008\r\ndb_httpoptions                     2.002\r\ndb_multiple_index                  2.005\r\ndb_outdated                        2.017\r\ndb_parked_strings                  2.000\r\ndb_realms                          2.002\r\ndb_server_msgs                     2.006\r\ndb_subdomains                      2.006\r\ndb_tests                           2.019\r\ndb_variables                       2.004\r\nnikto_apache_expect_xss.plugin     2.04\r\nnikto_apacheusers.plugin           2.06\r\nnikto_auth.plugin                  2.04\r\nnikto_cgi.plugin                   2.06         2008-05-06\r\nnikto_clientaccesspolicy.plugin    1.00\r\nnikto_content_search.plugin        2.05\r\nnikto_cookies.plugin               2.03\r\nnikto_core.plugin                  2.1.5\r\nnikto_dictionary_attack.plugin     2.04\r\nnikto_embedded.plugin              2.07\r\nnikto_favicon.plugin               2.09\r\nnikto_fileops.plugin               1.00\r\nnikto_headers.plugin               2.10\r\nnikto_httpoptions.plugin           2.10\r\nnikto_msgs.plugin                  2.07\r\nnikto_multiple_index.plugin        2.03\r\nnikto_outdated.plugin              2.09\r\nnikto_parked.plugin                2.00\r\nnikto_paths.plugin                 
2.00\r\nnikto_put_del_test.plugin          2.04\r\nnikto_report_csv.plugin            2.06         2008-11-11\r\nnikto_report_html.plugin           2.05         2009-07-20\r\nnikto_report_msf.plugin            1.00\r\nnikto_report_nbe.plugin            2.01\r\nnikto_report_text.plugin           2.05         2008-11-11\r\nnikto_report_xml.plugin            2.05         2009-07-20\r\nnikto_robots.plugin                2.06\r\nnikto_siebel.plugin                1.00         2011-01-03\r\nnikto_ssl.plugin                   2.01\r\nnikto_subdomain.plugin             2.01\r\nnikto_tests.plugin                 2.04         2008-09-21\r\n---------------------------------------------------------------------------\r\nModule RPC::XML missing. Logging to Metasploit is disabled.\r\nModule RPC::XML::Client missing. Logging to Metasploit is disabled.\r\nUndefined subroutine &LW2::init_ssl_engine called at \/var\/lib\/nikto\/plugins\/nikto_core.plugin line 2499.\r\n\r\n       -config+            Use this config file\r\n       -Display+           Turn on\/off display outputs\r\n       -dbcheck            check database and other key files for syntax errors\r\n       -Format+            save file (-o) format\r\n       -Help               Extended help information\r\n       -host+              target host\r\n       -id+                Host authentication to use, format is id:pass or id:pass:realm\r\n       -list-plugins       List all available plugins\r\n       -output+            Write output to this file\r\n       -nossl              Disables using SSL\r\n       -no404              Disables 404 checks\r\n       -Plugins+           List of plugins to run (default: ALL)\r\n       -port+              Port to use (default 80)\r\n       -root+              Prepend root value to all requests, format is \/directory\r\n       -ssl                Force ssl mode on port\r\n       -Tuning+            Scan tuning\r\n       -timeout+           Timeout for requests (default 10 seconds)\r\n      
 -update             Update databases and plugins from CIRT.net\r\n       -Version            Print plugin and database versions\r\n       -vhost+             Virtual host (for Host header)\r\n   \t\t+ requires a value\r\n\r\n\tNote: This is the short help output. Use -H for full help text.\r\n<\/pre>\n<p>The full usage instructions are available with <strong>nikto -Help<\/strong><\/p>\n<pre class=\"lang:default decode:true \" >nikto -Help\r\n\r\n   Options:\r\n       -ask+               Whether to ask about submitting updates\r\n                               yes   Ask about each (default)\r\n                               no    Don't ask, don't send\r\n                               auto  Don't ask, just send\r\n       -Cgidirs+           Scan these CGI dirs: \"none\", \"all\", or values like \"\/cgi\/ \/cgi-a\/\"\r\n       -config+            Use this config file\r\n       -Display+           Turn on\/off display outputs:\r\n                               1     Show redirects\r\n                               2     Show cookies received\r\n                               3     Show all 200\/OK responses\r\n                               4     Show URLs which require authentication\r\n                               D     Debug output\r\n                               E     Display all HTTP errors\r\n                               P     Print progress to STDOUT\r\n                               S     Scrub output of IPs and hostnames\r\n                               V     Verbose output\r\n       -dbcheck           Check database and other key files for syntax errors\r\n       -evasion+          Encoding technique:\r\n                               1     Random URI encoding (non-UTF8)\r\n                               2     Directory self-reference (\/.\/)\r\n                               3     Premature URL ending\r\n                               4     Prepend long random string\r\n                               5     Fake parameter\r\n                             
  6     TAB as request spacer\r\n                               7     Change the case of the URL\r\n                               8     Use Windows directory separator (\\)\r\n                               A     Use a carriage return (0x0d) as a request spacer\r\n                               B     Use binary value 0x0b as a request spacer\r\n        -Format+           Save file (-o) format:\r\n                               csv   Comma-separated-value\r\n                               htm   HTML Format\r\n                               msf+  Log to Metasploit\r\n                               nbe   Nessus NBE format\r\n                               txt   Plain text\r\n                               xml   XML Format\r\n                               (if not specified the format will be taken from the file extension passed to -output)\r\n       -Help              Extended help information\r\n       -host+             Target host\r\n       -IgnoreCode        Ignore Codes--treat as negative responses\r\n       -id+               Host authentication to use, format is id:pass or id:pass:realm\r\n       -key+              Client certificate key file\r\n       -list-plugins      List all available plugins, perform no testing\r\n       -maxtime+          Maximum testing time per host\r\n       -mutate+           Guess additional file names:\r\n                               1     Test all files with all root directories\r\n                               2     Guess for password file names\r\n                               3     Enumerate user names via Apache (\/~user type requests)\r\n                               4     Enumerate user names via cgiwrap (\/cgi-bin\/cgiwrap\/~user type requests)\r\n                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain\r\n                               6     Attempt to guess directory names from the supplied dictionary file\r\n       -mutate-options    Provide 
information for mutates\r\n       -nointeractive     Disables interactive features\r\n       -nolookup          Disables DNS lookups\r\n       -nossl             Disables the use of SSL\r\n       -no404             Disables nikto attempting to guess a 404 page\r\n       -output+           Write output to this file ('.' for auto-name)\r\n       -Pause+            Pause between tests (seconds, integer or float)\r\n       -Plugins+          List of plugins to run (default: ALL)\r\n       -port+             Port to use (default 80)\r\n       -RSAcert+          Client certificate file\r\n       -root+             Prepend root value to all requests, format is \/directory\r\n       -Save              Save positive responses to this directory ('.' for auto-name)\r\n       -ssl               Force ssl mode on port\r\n       -Tuning+           Scan tuning:\r\n                               1     Interesting File \/ Seen in logs\r\n                               2     Misconfiguration \/ Default File\r\n                               3     Information Disclosure\r\n                               4     Injection (XSS\/Script\/HTML)\r\n                               5     Remote File Retrieval - Inside Web Root\r\n                               6     Denial of Service\r\n                               7     Remote File Retrieval - Server Wide\r\n                               8     Command Execution \/ Remote Shell\r\n                               9     SQL Injection\r\n                               0     File Upload\r\n                               a     Authentication Bypass\r\n                               b     Software Identification\r\n                               c     Remote Source Inclusion\r\n                               x     Reverse Tuning Options (i.e., include all except specified)\r\n       -timeout+          Timeout for requests (default 10 seconds)\r\n       -Userdbs           Load only user databases, not the standard databases\r\n                      
         all   Disable standard dbs and load only user dbs\r\n                               tests Disable only db_tests and load udb_tests\r\n       -until             Run until the specified time or duration\r\n       -update            Update databases and plugins from CIRT.net\r\n       -useproxy          Use the proxy defined in nikto.conf\r\n       -Version           Print plugin and database versions\r\n       -vhost+            Virtual host (for Host header)\r\n   \t\t+ requires a value<\/pre>\n<p>Now the first scan against your own web server, with the result written to an HTML file.<\/p>\n<p><strong>nikto -h localhost -o nikto-report-server.html<\/strong><\/p>\n<p>After a few seconds the result is printed on the console:<\/p>\n<pre class=\"lang:default decode:true \" >- Nikto v2.1.5\r\n---------------------------------------------------------------------------\r\n+ Target IP:          127.0.0.1\r\n+ Target Hostname:    localhost\r\n+ Target Port:        80\r\n+ Start Time:         2021-06-06 17:35:07 (GMT2)\r\n---------------------------------------------------------------------------\r\n+ Server: nginx\r\n+ Server leaks inodes via ETags, header found with file \/, fields: 0x60bb5ddc 0x1bc\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\r\n+ 6544 items checked: 0 error(s) and 2 item(s) reported on remote host\r\n+ End Time:           2021-06-06 17:36:13 (GMT2) (66 seconds)\r\n---------------------------------------------------------------------------\r\n+ 1 host(s) tested<\/pre>\n<p>And a nice HTML report is created in the local directory:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/06\/wenzlaff.de-2021-06-06-um-16.30.16.png\" alt=\"\" width=\"1540\" height=\"1636\" class=\"aligncenter size-full wp-image-17033\" 
srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/06\/wenzlaff.de-2021-06-06-um-16.30.16.png 1540w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/06\/wenzlaff.de-2021-06-06-um-16.30.16-282x300.png 282w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/06\/wenzlaff.de-2021-06-06-um-16.30.16-964x1024.png 964w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/06\/wenzlaff.de-2021-06-06-um-16.30.16-768x816.png 768w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/06\/wenzlaff.de-2021-06-06-um-16.30.16-1446x1536.png 1446w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>If you want the latest version v2.1.6, you can clone and run it. It then generates somewhat more requests (7855 instead of 6544). For example, it then also flagged a problem on my site that I can now do something about:<\/p>\n<p>The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.<\/p>\n<p>To run the new version:<\/p>\n<pre class=\"lang:default decode:true \" >\r\ngit clone https:\/\/github.com\/IT-Berater\/nikto.git\r\ncd nikto\/program\r\n.\/nikto.pl -h localhost<\/pre>\n<p><strong>Disclaimer<\/strong>: Please note that scanning hosts without written permission is illegal and punishable.<br \/>\nDo not use nikto against other people's servers! Use only your own server or VMs for practice and testing purposes.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you run your own web server, you can run a security scan with nikto. Nikto is an open source web server scanner written in Perl. 
Nikto tests web servers for over 7800 potentially dangerous files and programs, checks over 1250 server versions for being out of date, and flags known vulnerabilities for over 270 server versions. The scanner &hellip; <\/p>\n<p class=\"link-more\"><a href=\"http:\/\/blog.wenzlaff.de\/?p=17031\" class=\"more-link\"><span class=\"screen-reader-text\">\u201cChecking web server security with nikto\u201d <\/span>read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[220,1319,1,7],"tags":[1111,4920,511,512,176,4919],"class_list":["post-17031","post","type-post","status-publish","format-standard","hentry","category-anleitung","category-sicherheit-2","category-uncategorized","category-tools","tag-datensicherheit","tag-nikto","tag-scann","tag-scanner","tag-sicherheit","tag-webserver"],"_links":{"self":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/17031","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17031"}],"version-history":[{"count":0,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/17031\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17031"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17031"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.wenzlaff.d
e\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17031"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}