Talking crap and pissin' folks off. These are a few of my favorite things - in a good way, of course! Not a type "A" win-at-all-cost jag-off like the folks you want to punch right square in the face at a sporting event. For me it's to bring out the competitive spirit and comradeship between friends. This is most likely why I am drawn to fishing so much. Challenging each other, to see who gets to take the walk of glory vs. the walk of shame back to the truck, is always a good time.

So here I am on a conference call with a few of the Dudes in my hacking circle and we are all laying it down thick and heavy to each other, playing "Can you top this?" So of course a challenge ensued: "Break up into teams of two and see how many servers (of each other's) we can compromise." Sounds fair and fun, right? Oh no, not for me, 'cause, you see, I am an idiot. I just have to push it just a bit more. So I say, "If you can break into my server and capture my flag, I will send you out a Wisconsin Kringle from O&H Bakery and I will wear a dress on the next episode of TechWiseTV." Yeah, that's right. I am a moron.

I went about config'ing and hardening up my server to get ready for the contest. The rules are simple. It needs to be on the Internet, needs to be a Web server, we have 72 hours to config it and 72 hours to git 'er done!

I started running some pen tests and it looked good, but pen testing your own stuff is like proofreading your own blog. I needed something else that was more automated. I tried Nessus, Paros and WebScarab and they did indeed catch some stuff. I was feeling OK, but I just felt I was missing something. I did not know what, but I was going to deploy the server.

Now I am a fan of crappy sci-fi movies, so I had the Robert Wise classic "The Day the Earth Stood Still" playing in the background and started thinking about the 1974 album cover of Goodnight Vienna with Ringo Starr wearing a spacesuit saying "Klaatu Barada Nikto."
Laughing to myself, I thought, yeah, that al...bum... wait... Nikto! That's it! How did I overlook that awesome tool? Nikto is an excellent Web scanner that for some unknown reason I totally forgot about - oh right, see above, the part where I admitted I am an idiot. Anyway, I went here to download and make this prog. Nikto is built on LibWhisker and will run on any machine with Perl installed. I will be using my Ubuntu machine to get this Dude up and going.

To get it going you need to preinstall a few modules:

- Perl and Net_SSLeay
- LibWhisker

Then a simple sudo apt-get command grabs this 264K file and it is ready to go:

    sudo apt-get install nikto

Running it is really just as simple. My server IP was 192.168.1.22, so to get it started I just entered:

    ./nikto -h 192.168.1.22

Nikto starts to run a bunch of tests against the Web server and then prints the results to the terminal. Sure enough, Nikto found a hole that I know would have bit me in the tail:

    +OSVDB-877: TRACE /: TRACE option appears to allow XSS...

I also used the -mutate option to actively look for and try to exploit other weaknesses. I had success again with test 4: enumerating users via /cgi-bin/cgiwrap/~user.

Nikto is a fantastic tool that can take input from NMAP to scan multiple servers (kinda slow though), and there is a prebuilt NASL plug-in for Nessus as well to extend Nikto. I also used Nikto's evasion mode to put the LibWhisker module to work and actually slipped through an IDS and grabbed a flag. What a fantastic tool this is!

As for the contest? Well, we didn't win - but we didn't lose either. So Lane Bryant won't see me in their shop this time - oh wait, I mean "ever"! That's what I meant, "ever"!

Jimmy Ray Purser

Trivia File Transfer Protocol

Play-Doh was originally designed to clean coal dust off of walls. Joe McVicker's sister-in-law suggested marketing it as a toy for kids.
It did OK, but when they offered Captain Kangaroo 2% of the total sales if he featured it on his show, a can of Play-Doh was in every kid's household!
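Back to the OSVDB-877 finding Nikto reported above: the following Python check is an added example, not code from the original post or from Nikto, that sends a TRACE request carrying a random marker header to your own server and reports whether the method is honoured. The server address 192.168.1.22 comes from the post; the header name, the marker and the function names are my own.

```python
"""Confirm or clear the Nikto OSVDB-877 finding (HTTP TRACE enabled) on a server you own."""
import http.client
import secrets
import sys

MARKER_HEADER = "X-Trace-Probe"   # assumed name; any unusual header works as a marker


def classify_trace_response(status: int, body: bytes, marker: str) -> str:
    """Decide what a TRACE response tells us.

    A server that honours TRACE answers 200 and echoes the request it received,
    marker header included. That echo is the risk Nikto flags: a page that can
    issue TRACE gets the browser's cookies and auth headers reflected back to it
    (cross-site tracing), which is why the method belongs switched off.
    """
    if status == 200 and marker.encode() in body:
        return "enabled"          # request reflected back: finding confirmed
    if status in (403, 405, 501):
        return "disabled"         # method refused, e.g. Apache "TraceEnable off"
    return "inconclusive"         # proxy, WAF or odd server: inspect manually


def probe_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send one TRACE request with a fresh marker and classify the reply."""
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        return classify_trace_response(resp.status, resp.read(), marker)
    finally:
        conn.close()


if __name__ == "__main__":
    # Run as: python trace_check.py 192.168.1.22  (host from the post; default used if omitted)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.22"
    print(f"TRACE on {target}: {probe_trace(target)}")
```

On Apache the fix is `TraceEnable off` in the server config; re-run the probe afterwards and expect "disabled".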
How NIKTO saved my tail on a cold Wisconsin morning
Copyright © 2009 IDG Communications, Inc.