mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-11 10:03:42 +03:00
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
240 lines
7.7 KiB
Markdown
240 lines
7.7 KiB
Markdown
---
|
|
name: performing-web-application-scanning-with-nikto
|
|
description: Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous
|
|
files/programs, checks for outdated versions of over 1,250 servers, and identifies ve
|
|
domain: cybersecurity
|
|
subdomain: vulnerability-management
|
|
tags:
|
|
- vulnerability-management
|
|
- cve
|
|
- nikto
|
|
- web-scanning
|
|
- owasp
|
|
- risk
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
nist_csf:
|
|
- ID.RA-01
|
|
- ID.RA-02
|
|
- ID.IM-02
|
|
- ID.RA-06
|
|
---
|
|
# Performing Web Application Scanning with Nikto
|
|
|
|
## Overview
|
|
Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and identifies version-specific problems on over 270 servers. It performs comprehensive tests including XSS, SQL injection, server misconfigurations, default credentials, and known vulnerable CGI scripts.
|
|
|
|
|
|
## When to Use
|
|
|
|
- When conducting security assessments that involve performing web application scanning with nikto
|
|
- When following incident response procedures for related security events
|
|
- When performing scheduled security testing or auditing activities
|
|
- When validating security controls through hands-on testing
|
|
|
|
## Prerequisites
|
|
- Nikto installed (Perl-based, included in Kali Linux)
|
|
- Written authorization to scan target web servers
|
|
- Network access to target web applications
|
|
- Understanding of HTTP/HTTPS protocols
|
|
|
|
## Core Concepts
|
|
|
|
### What Nikto Detects
|
|
- Server misconfigurations and dangerous default files
|
|
- Outdated server software versions with known CVEs
|
|
- Common CGI vulnerabilities and dangerous scripts
|
|
- Default credentials and admin pages
|
|
- HTTP methods that should be disabled (PUT, DELETE, TRACE)
|
|
- SSL/TLS misconfigurations and weak ciphers
|
|
- Missing security headers (X-Frame-Options, CSP, HSTS)
|
|
- Information disclosure through headers and error pages
|
|
|
|
### Nikto vs Other Web Scanners
|
|
| Feature | Nikto | OWASP ZAP | Burp Suite | Nuclei |
|
|
|---------|-------|-----------|------------|--------|
|
|
| License | Open Source | Open Source | Commercial | Open Source |
|
|
| Focus | Server/Config | App Logic | Full Pentest | Template-Based |
|
|
| Speed | Fast | Medium | Slow | Very Fast |
|
|
| False Positives | Moderate | Low | Low | Low |
|
|
| Authentication | Basic | Full | Full | Template |
|
|
| Active Community | Yes | Yes | Yes | Yes |
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Basic Scanning
|
|
```bash
|
|
# Basic scan against a target
|
|
nikto -h https://target.example.com
|
|
|
|
# Scan specific port
|
|
nikto -h target.example.com -p 8443
|
|
|
|
# Scan multiple ports
|
|
nikto -h target.example.com -p 80,443,8080,8443
|
|
|
|
# Scan with SSL enforcement
|
|
nikto -h target.example.com -ssl
|
|
|
|
# Scan from a host list file
|
|
nikto -h targets.txt
|
|
```
|
|
|
|
### Step 2: Advanced Scanning Options
|
|
```bash
|
|
# Comprehensive scan with all tuning options
|
|
nikto -h https://target.example.com \
|
|
-Tuning 123456789abcde \
|
|
-timeout 10 \
|
|
-Pause 2 \
|
|
-Display V \
|
|
-output report.html \
|
|
-Format htm
|
|
|
|
# Tuning options control test types:
|
|
# 0 - File Upload
|
|
# 1 - Interesting File / Seen in logs
|
|
# 2 - Misconfiguration / Default File
|
|
# 3 - Information Disclosure
|
|
# 4 - Injection (XSS/Script/HTML)
|
|
# 5 - Remote File Retrieval - Inside Web Root
|
|
# 6 - Denial of Service
|
|
# 7 - Remote File Retrieval - Server Wide
|
|
# 8 - Command Execution / Remote Shell
|
|
# 9 - SQL Injection
|
|
# a - Authentication Bypass
|
|
# b - Software Identification
|
|
# c - Remote Source Inclusion
|
|
# d - WebService
|
|
# e - Administrative Console
|
|
|
|
# Scan with specific tuning (XSS + SQL injection + auth bypass)
|
|
nikto -h https://target.example.com -Tuning 49a
|
|
|
|
# Scan with authentication
|
|
nikto -h https://target.example.com -id admin:password
|
|
|
|
# Scan through a proxy
|
|
nikto -h https://target.example.com -useproxy http://proxy:8080
|
|
|
|
# Scan with custom User-Agent
|
|
nikto -h https://target.example.com -useragent "Mozilla/5.0 (Security Scan)"
|
|
|
|
# Scan specific CGI directories
|
|
nikto -h https://target.example.com -Cgidirs /cgi-bin/,/scripts/
|
|
|
|
# Evasion techniques (IDS avoidance for authorized testing)
|
|
# 1-Random URI encoding, 2-Directory self-reference
|
|
# 3-Premature URL ending, 4-Prepend long random string
|
|
nikto -h https://target.example.com -evasion 1234
|
|
```
|
|
|
|
### Step 3: Output and Reporting
|
|
```bash
|
|
# Generate multiple output formats
|
|
nikto -h https://target.example.com -output scan.csv -Format csv
|
|
nikto -h https://target.example.com -output scan.xml -Format xml
|
|
nikto -h https://target.example.com -output scan.html -Format htm
|
|
nikto -h https://target.example.com -output scan.txt -Format txt
|
|
|
|
# JSON output (newer versions)
|
|
nikto -h https://target.example.com -output scan.json -Format json
|
|
|
|
# Save to multiple formats simultaneously
|
|
nikto -h https://target.example.com \
|
|
-output scan_report \
|
|
-Format htm
|
|
```
|
|
|
|
### Step 4: Scan Multiple Targets
|
|
```bash
|
|
# Create targets file (one per line)
|
|
cat > targets.txt << 'EOF'
|
|
https://app1.example.com
|
|
https://app2.example.com:8443
|
|
http://internal-app.corp.local
|
|
192.168.1.100:8080
|
|
EOF
|
|
|
|
# Scan all targets
|
|
nikto -h targets.txt -output multi_scan.html -Format htm
|
|
|
|
# Parallel scanning with GNU parallel
|
|
cat targets.txt | parallel -j 5 "nikto -h {} -output {/}_report.html -Format htm"
|
|
```
|
|
|
|
### Step 5: SSL/TLS Assessment
|
|
```bash
|
|
# Comprehensive SSL scan
|
|
nikto -h https://target.example.com -ssl \
|
|
-Tuning b \
|
|
-Display V
|
|
|
|
# Check for specific SSL vulnerabilities
|
|
# Nikto checks for:
|
|
# - Expired certificates
|
|
# - Self-signed certificates
|
|
# - Weak cipher suites
|
|
# - SSLv2/SSLv3 enabled
|
|
# - BEAST, POODLE, Heartbleed indicators
|
|
# - Missing HSTS header
|
|
```
|
|
|
|
### Step 6: Integration with Other Tools
|
|
```bash
|
|
# Pipe Nmap results into Nikto
|
|
nmap -p 80,443,8080 --open -oG - 192.168.1.0/24 | \
|
|
awk '/open/{print $2}' | \
|
|
while read host; do nikto -h "$host" -output "${host}_nikto.html" -Format htm; done
|
|
|
|
# Export to Metasploit-compatible format
|
|
nikto -h target.example.com -output msf_import.xml -Format xml
|
|
|
|
# Parse Nikto XML output with Python for custom reporting
|
|
python3 -c "
|
|
import xml.etree.ElementTree as ET
|
|
tree = ET.parse('scan.xml')
|
|
for item in tree.findall('.//item'):
|
|
print(f\"[{item.get('id')}] {item.findtext('description', '')[:100]}\")
|
|
"
|
|
```
|
|
|
|
## Interpreting Results
|
|
|
|
### Severity Classification
|
|
- **OSVDB/CVE References**: Cross-reference with NVD for CVSS scores
|
|
- **Server Information Disclosure**: Version banners, technology stack
|
|
- **Dangerous HTTP Methods**: PUT, DELETE, TRACE enabled
|
|
- **Default/Backup Files**: .bak, .old, .swp, web.config.bak
|
|
- **Admin Interfaces**: /admin, /manager, /console exposed
|
|
- **Missing Security Headers**: CSP, X-Frame-Options, HSTS
|
|
|
|
### Common False Positives
|
|
- Generic checks triggered by custom 404 pages
|
|
- Anti-CSRF tokens flagged as form vulnerabilities
|
|
- CDN/WAF responses misidentified as vulnerable
|
|
- Load balancer health check pages
|
|
|
|
## Best Practices
|
|
1. Always obtain written authorization before scanning
|
|
2. Run Nikto in conjunction with application-level scanners (ZAP, Burp)
|
|
3. Use -Pause flag to reduce load on production servers
|
|
4. Validate findings manually before reporting
|
|
5. Combine with SSL testing tools (testssl.sh, sslyze) for comprehensive coverage
|
|
6. Schedule regular scans as part of continuous vulnerability management
|
|
7. Keep Nikto database updated for latest vulnerability checks
|
|
8. Use appropriate evasion settings only for authorized IDS testing
|
|
|
|
## Common Pitfalls
|
|
- Running Nikto without authorization (legal liability)
|
|
- Treating Nikto as a complete web application scanner (it focuses on server/config issues)
|
|
- Not validating results leading to false positive reports
|
|
- Scanning too aggressively against production systems
|
|
- Ignoring SSL/TLS findings as "informational"
|
|
|
|
## Related Skills
|
|
- scanning-infrastructure-with-nessus
|
|
- scanning-apis-for-security-vulnerabilities
|
|
- performing-network-vulnerability-assessment
|