
Network World

Jimmy Ray Purser

How NIKTO saved my tail on a cold Wisconsin morning


By JimmyRay on Wed, 11/18/09 - 5:38pm.

Talking crap and pissin' folks off. These are a few of my favorite things - in a good way, of course! Not a type "A" win-at-all-cost jag-off like the folks you want to punch right square in the face at a sporting event. For me it's to bring out the competitive spirit and comradeship between friends. This is most likely why I am drawn to fishing so much. Challenging each other, to see who gets to take the walk of glory vs. the walk of shame back to the truck, is always a good time.

So here I am on a conference call with a few of the Dudes in my hacking circle and we are all laying it down thick and heavy to each other, playing "Can you top this?" So of course a challenge ensued: "Break up into teams of two and see how many servers (of each other's) we can compromise." Sounds fair and fun, right? Oh no, not for me, 'cause, you see, I am an idiot. I just have to push it just a bit more.

So I say, "If you can break into my server and capture my flag, I will send you out a Wisconsin Kringle from O&H Bakery and I will wear a dress on the next episode of TechWiseTV."

Yeah, that's right. I am a moron.

I went about config'ing and hardening up my server to get ready for the contest. The rules are simple. It needs to be on the Internet, needs to be a Web server, we have 72 hours to config it and 72 hours to git 'er done!

I started running some pen tests and it looked good, but pen testing your own stuff is like proofreading your own blog. I needed something else that was more automated. I tried Nessus, Paros and WebScarab and they did indeed catch some stuff. I was feeling OK, but I just felt I was missing something. I did not know what, but I was going to deploy the server.

Now I am a fan of crappy sci-fi movies, so I had the Robert Wise classic "The Day the Earth Stood Still" playing in the background and started thinking about the 1974 album cover of Goodnight Vienna with Ringo Starr wearing a spacesuit saying "Klaatu Barada Nikto." Laughing to myself, I thought, yeah that al...bum... wait... Nikto! That's it! How did I overlook that awesome tool?

Nikto is an excellent Web scanner that for some unknown reason I totally forgot about - oh right, see paragraph four. Anyway, I went here to download and make this prog. Nikto is built on LibWhisker and will run on any machine with Perl installed. I will be using my Ubuntu machine to get this Dude up and going on.

To get it going you need to preinstall a few modules:
- Perl and Net::SSLeay
- LibWhisker

Then a simple sudo apt-get command grabs this 264K file and it is ready to go:

sudo apt-get install nikto

Running it is really just as simple. My server IP was 192.168.1.22 so to get it started I just entered:

./nikto -h 192.168.1.22

Nikto starts to run a bunch of tests against the Web server and then prints the results to the terminal. Sure enough, Nikto found a hole that I know would have bit me in the tail:

+OSVDB-877: TRACE /: TRACE option appears to allow XSS...
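As an added example (not from the post or from the Nikto project), here is a small Python check a defender can run against their own server to confirm whether a TRACE finding like the one above is real, and to verify it is gone after the fix. The two sample replies are constructed, and the `check_trace` helper and its host/port are assumptions:

```python
import socket

# Constructed sample replies (not captured from the author's server). With TRACE
# enabled, Apache answers 200 and echoes the request back as message/http, so a
# script could read headers such as Cookie: the XSS/XST issue behind OSVDB-877.
TRACE_ENABLED_REPLY = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: 192.168.1.22\r\nCookie: session=abc\r\n"
)
# With `TraceEnable off` (or on nginx) the method is refused outright.
TRACE_DISABLED_REPLY = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Type: text/html\r\n\r\n<html><body>Method Not Allowed</body></html>"
)


def classify_trace_response(raw: bytes) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for a raw reply to TRACE."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"          # not an HTTP status line at all
    status = int(parts[1])
    headers = {k.strip().lower(): v.strip().lower()
               for k, v in (l.split(b":", 1) for l in lines[1:] if b":" in l)}
    # The tell-tale sign is the echo: message/http body or our request line in it.
    echoed = (headers.get(b"content-type", b"").startswith(b"message/http")
              or body.lstrip().startswith(b"TRACE "))
    if status == 200 and echoed:
        return "enabled"
    if status in (405, 501):
        return "disabled"
    return "unknown"


def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send one TRACE request to a server you own and classify the answer."""
    request = f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return classify_trace_response(b"".join(chunks))


if __name__ == "__main__":
    print("enabled sample  ->", classify_trace_response(TRACE_ENABLED_REPLY))
    print("disabled sample ->", classify_trace_response(TRACE_DISABLED_REPLY))
```

On Apache the fix is `TraceEnable off` in the server config; rerun `check_trace` against your own box afterwards and expect "disabled".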

I also used the -mutate option to actively look for and try to exploit other weaknesses. I had success again with test 4: enumerating users via /cgi-bin/cgiwrap/~user.

Nikto is a fantastic tool that can take input from NMAP to scan multiple servers (kinda slow though), and there is a prebuilt NASL plug-in for Nessus as well to extend Nikto. I also used Nikto Evasion mode to put the LibWhisker module to work and actually slipped through an IDS and grabbed a flag. What a fantastic tool this is!

As for the contest? Well, we didn't win - but we didn't lose either. So Lane Bryant won't see me in their shop this time - oh wait, I mean "ever"! That's what I meant, "ever"!

Jimmy Ray Purser

Trivia File Transfer Protocol
Play-Doh was originally designed to clean coal dust off of walls. Joe McVicker's sister-in-law suggested marketing it as a toy for kids. It did OK, but when they offered Captain Kangaroo 2% of the total sales if he featured it on his show, a can of Play-Doh was in every kid's household!

About Networking Geek to Geek

Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.

Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a master of science degree in electrical engineering.
