
Nikto: basic usage and options explained

Today I will walk through the basic usage of Nikto, a tool that comes up constantly in vulnerability assessment work, and explain its most useful options in detail.

What is Nikto

Nikto is a web server vulnerability scanner: it checks web server configuration and identifies installed web applications and their versions by sending several thousand signature requests and matching the responses. Anyone doing penetration testing or vulnerability assessments will use it often.

Different scanners detect different things, so in a real assessment you get better coverage by combining Nikto with other tools rather than relying on it alone.

How to use Nikto

Syntax

The basic syntax is below; add options to it as needed.

nikto -h <target>

Usage example

The following is a run from my own lab environment.

└─$ nikto -h 192.168.11.10 -port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.11.10
+ Target Hostname:    192.168.11.10
+ Target Port:        80
+ Start Time:         2023-04-01 00:12:07 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.55 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5edd476405d8f, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
+ /login.html: Admin login page/section found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-04-01 00:12:50 (GMT9) (43 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The scan target information (Target IP, Target Hostname, Target Port) is printed first, followed by one line per finding. Each line is the result of a single signature check, so a hit such as "/login.html: Admin login page/section found." is a lead to verify by hand rather than a confirmed vulnerability, and the OSVDB identifiers refer to the Open Sourced Vulnerability Database, which has been offline since 2016, so they will not resolve to a live reference. Note also the request count at the end: 7,915 requests in 43 seconds. Nikto is noisy, shows up clearly in access logs and on WAFs, and is meant for authorized assessments rather than stealthy reconnaissance.

Nikto options

Nikto has a lot of options; I will cover the ones that I think see the most use.
Note: in Nikto's own help output (nikto -H), an option name followed by + means the option must be given a value.

-config+ option

Runs the scan with settings read from a configuration file, so settings can be saved and reused across runs. The path used below is the default configuration file on Kali.

nikto -h 192.168.11.11 -config /etc/nikto.conf

-Display+ option

Controls what is shown on the console during the scan. By default only the target information and the findings are printed; this option changes that. The values and what each one shows are listed below; several can be combined in a single argument (for example -Display 3P).

1  Show redirects
2  Show cookies received
3  Show all 200/OK responses
4  Show URLs which require authentication
D  Debug output
E  Display all HTTP errors
P  Print progress to STDOUT
S  Scrub output of IPs and hostnames
V  Verbose output

I tried a few of the ones that looked interesting.

With "3" (also prints responses that returned 200/OK but were not reported as findings). These "could be" lines are what Nikto's false-positive filtering discarded, such as the "default Apache Tomcat install" line on an Apache/Debian host, so treat them as noise unless you verify them yourself.


nikto -h 192.168.11.11 -Display 3

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.11.11
+ Target Hostname:    192.168.11.11
+ Target Port:        80
+ Start Time:         2023-04-01 18:10:29 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.55 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5edd476405d8f, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ /./ - 200/OK Response could be Appending '/./' to a directory may reveal PHP source code.
+ /?mod=node&nid=some_thing&op=view - 200/OK Response could be Sage 1.0b3 may reveal system paths with invalid module names.
+ /?mod=some_thing&op=browse - 200/OK Response could be Sage 1.0b3 reveals system paths with invalid module names.
+ /./ - 200/OK Response could be Appending '/./' to a directory allows indexing
+ / - 200/OK Response could be Appears to be a default Apache Tomcat install.
+ // - 200/OK Response could be Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.

With "P" (prints scan progress)

nikto -h 192.168.11.11 -Display P
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.11.11
+ Target Hostname:    192.168.11.11
+ Target Port:        80
+ Start Time:         2023-04-01 18:20:36 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.55 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5edd476405d8f, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
- STATUS: Completed 1000 requests (~14% complete, 6 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 1500 requests (~22% complete, 7 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
- STATUS: Completed 2000 requests (~29% complete, 54 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 2500 requests (~36% complete, 40 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 3000 requests (~43% complete, 30 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 4000 requests (~58% complete, 17 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 4500 requests (~65% complete, 13 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 5000 requests (~72% complete, 9 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 5500 requests (~80% complete, 7 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 6000 requests (~87% complete, 4 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
+ /login.html: Admin login page/section found.
- STATUS: Completed 6500 requests (~94% complete, 2 seconds left): currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
- STATUS: Completed 7000 requests: currently in plugin 'Nikto Tests'
- STATUS: Running average: Not enough data.
+ 7889 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-04-01 18:21:19 (GMT9) (43 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

With "V" (shows each test request and its response code). The random file names such as /.QVZtn5sj in the "Testing error for file" lines are Nikto's error-page calibration: it requests files that cannot exist to learn how the server answers a 404, which is how it filters false positives on servers that return 200 for everything.

nikto -h 192.168.11.11 -Display V
- Nikto v2.1.6
---------------------------------------------------------------------------
V:Sat Apr  1 18:25:30 2023 - Initialising plugin nikto_sitefiles
V:Sat Apr  1 18:25:30 2023 - Loaded "Site Files" plugin.
V:Sat Apr  1 18:25:30 2023 - Initialising plugin nikto_content_search
V:Sat Apr  1 18:25:30 2023 - Loaded "Content Search" plugin.
…(略)…
V:Sat Apr  1 18:25:31 2023 - Initialising plugin nikto_fileops
V:Sat Apr  1 18:25:31 2023 - Loaded "File Operations" plugin.
V:Sat Apr  1 18:25:31 2023 - Getting targets
V:Sat Apr  1 18:25:31 2023 - Target:192.168.11.11 port:80
V:Sat Apr  1 18:25:31 2023 - Opening reports (none, )
V:Sat Apr  1 18:25:31 2023 - Checking for HTTP on port 192.168.11.11:80, using GET
V:Sat Apr  1 18:25:31 2023 - 200 for GET:       /
V:Sat Apr  1 18:25:31 2023 - 6897 server checks loaded
V:Sat Apr  1 18:25:31 2023 - Running start for "Favicon" plugin
V:Sat Apr  1 18:25:31 2023 - Running start for "Directory Traversal" plugin
V:Sat Apr  1 18:25:31 2023 - Running start for "IBM/Lotus Domino Specific Tests" plugin
V:Sat Apr  1 18:25:31 2023 - Running start for "HTTP Headers" plugin
V:Sat Apr  1 18:25:31 2023 - Running start for "Drupal Specific Tests" plugin
V:Sat Apr  1 18:25:31 2023 - Running start for "Content Search" plugin
V:Sat Apr  1 18:25:31 2023 - Running start for "Guess authentication" plugin
V:Sat Apr  1 18:25:31 2023 - 200 for GET:       /
+ Target IP:          192.168.11.11
+ Target Hostname:    192.168.11.11
+ Target Port:        80
+ Start Time:         2023-04-01 18:25:31 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.55 (Debian)
V:Sat Apr  1 18:25:31 2023 - 200 for GET:       /
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
V:Sat Apr  1 18:25:31 2023 - Testing error for file: /.QVZtn5sj
V:Sat Apr  1 18:25:31 2023 - 404 for GET:       /.QVZtn5sj
V:Sat Apr  1 18:25:31 2023 - Testing error for file: /QVZtn5sj.map
V:Sat Apr  1 18:25:31 2023 - 404 for GET:       /QVZtn5sj.map
…(略)…
V:Sat Apr  1 18:25:31 2023 - 404 for GET:       /QVZtn5sj.html
V:Sat Apr  1 18:25:31 2023 - Testing error for file: /QVZtn5sj.sql

-Format+, -output+ options

Writes the scan results to a file in the chosen format. -Format selects the format and -output the file path. The formats accepted by -Format are:

csv, json, html, nbe, sql, txt, xml

nikto -h 192.168.11.11 -Format html -output /home/kali/desktop/nikto
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.11.10
+ Target Hostname:    192.168.11.10
+ Target Port:        80
+ Start Time:         2023-04-03 22:27:01 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.55 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5edd476405d8f, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
+ /login.html: Admin login page/section found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-04-03 22:27:43 (GMT9) (42 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Below is the report as written out in HTML format.

-host+ option

Specifies the scan target. I wondered how it differs from -h and compared the results, but there is no difference: -h is simply the short form of -host.

// Compared -host and -h; no difference found.
┌──(kali㉿kali)-[~]
└─$ nikto -host 192.168.11.10 -id user:kali -nossl

┌──(kali㉿kali)-[~]
└─$ nikto -h 192.168.11.11 -id user:kali -nossl

-id+ option

Targets behind Basic authentication come up regularly in assessments. Without credentials every request gets a 401 back, so most of Nikto's checks never see the content they test and the scan reports very little. The -id option supplies credentials in user:password form (user:password:realm if the server has several realms) so the scan can authenticate and return correct results. Keep in mind that the value lands in your shell history and is visible in the process list while the scan runs, and that over plain HTTP (as in this example on port 80) the credentials cross the network base64-encoded, not encrypted.
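To see concretely why -id matters, here is an added example that is not part of the original post or of Nikto: it starts a throwaway local HTTP server that protects every path with Basic authentication (realm "Basic" and credentials user:kali, both chosen to match the scan below), then requests a few of the paths Nikto tests with and without an Authorization header. It also shows that the header built from a -id value is only base64, which is why sending it over port 80 exposes the credentials. The server, the paths probed and the credentials are all constructed for the demo.

```python
"""Why Nikto needs -id against a Basic-auth target: without credentials the
server answers 401 for every path, so the scanner never sees the content it
is testing.  Added example with a throwaway local server; not Nikto code and
not part of the original post."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

REALM = "Basic"            # realm name shown in the post's output (constructed)
CREDENTIALS = "user:kali"  # the -id value used in the post (constructed)


def basic_header(credentials):
    """Build the Authorization header Nikto sends for -id user:pass.
    It is only base64, not encryption: anyone on the path can decode it."""
    return "Basic " + base64.b64encode(credentials.encode()).decode()


def decode_basic_header(value):
    """Recover user:pass from a captured Authorization header."""
    return base64.b64decode(value.split(" ", 1)[1]).decode()


class ProtectedHandler(BaseHTTPRequestHandler):
    """Every path requires Basic auth, like the Apache vhost in the post."""

    def do_GET(self):
        if self.headers.get("Authorization") != basic_header(CREDENTIALS):
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()
            return
        body = b"<html><body><h1>Index of /</h1></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def probe(url, credentials=None):
    """Return (status, realm) for one request, with or without -id style creds."""
    req = Request(url)
    if credentials:
        req.add_header("Authorization", basic_header(credentials))
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, None
    except HTTPError as err:
        challenge = err.headers.get("WWW-Authenticate", "")
        realm = challenge.split('realm="', 1)[1].rstrip('"') if 'realm="' in challenge else None
        return err.code, realm


def run_demo(paths=("/", "/server-status", "/login.html")):
    """Probe each path anonymously and with credentials; return {path: (anon, auth)}."""
    server = HTTPServer(("127.0.0.1", 0), ProtectedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {p: (probe(base + p), probe(base + p, CREDENTIALS)) for p in paths}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, (anon, auth) in run_demo().items():
        print(f"{path:16} without -id: {anon}   with -id: {auth}")
```

Every anonymous probe comes back as 401 with the realm "Basic", which is exactly the single "Requires Authentication for realm 'Basic'" line Nikto can report without credentials; with the header added the same paths return 200 and the checks have something to match against.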

// Scanning a Basic-auth target with the default settings does not return correct results
└─$ nikto -h 192.168.11.11
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.11.11
+ Target Hostname:    192.168.11.11
+ Target Port:        80
+ Start Time:         2023-04-05 00:18:31 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.55 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ / - Requires Authentication for realm 'Basic'
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
+ 8040 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2023-04-05 00:19:13 (GMT9) (42 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
// With the -id option the results are retrieved correctly
└─$ nikto -h 192.168.11.11 -id user:kali
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.11.11
+ Target Hostname:    192.168.11.11
+ Target Port:        80
+ Start Time:         2023-04-05 08:52:22 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.55 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ / - Requires Authentication for realm 'Basic'
+ Successfully authenticated to realm 'Basic' with user-supplied credentials.
+ OSVDB-3268: /: Directory indexing found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ OSVDB-3268: /./: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: //: Directory indexing found.
+ //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.
+ OSVDB-3268: ///: Directory indexing found.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
+ OSVDB-119: /?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-119: /?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-3268: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory indexing found.
+ OSVDB-3288: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03 reveals directory listing when        /'s are requested.
+ 7890 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2023-04-05 08:52:31 (GMT9) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
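Eighteen items sounds like a lot, but most of the lines above are the same root directory listing reached through path variants (/./, //, /%2e/, ///, /?PageServices), and the Weblogic, Red Hat 9 and Abyss messages are signature text attached to those same hits, not evidence of those products on an Apache/Debian host. The following added example (mine, not Nikto's or the post's) parses Nikto's plain-text output into structured findings, canonicalises the request path and groups the lines by resource, so one misconfiguration is counted once. The sample input is constructed from the "+" lines shown in this post, with a few long messages shortened.

```python
"""Parse Nikto 2.1.6 plain-text output into structured findings and group
them by canonical path, so repeated hits on one misconfiguration are
reported once.  Added example; not part of Nikto or the original post."""
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: '+' lines taken from the post's -id scan output.
SAMPLE_OUTPUT = """\
- Nikto v2.1.6
+ Target IP:          192.168.11.11
+ Target Hostname:    192.168.11.11
+ Target Port:        80
+ Start Time:         2023-04-05 08:52:22 (GMT9)
+ Server: Apache/2.4.55 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ / - Requires Authentication for realm 'Basic'
+ Successfully authenticated to realm 'Basic' with user-supplied credentials.
+ OSVDB-3268: /: Directory indexing found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3268: /./: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: //: Directory indexing found.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher.
+ OSVDB-3268: ///: Directory indexing found.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
+ OSVDB-119: /?PageServices: The remote server may allow directory listings through Web Publisher.
+ /login.html: Admin login page/section found.
+ 7890 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2023-04-05 08:52:31 (GMT9) (9 seconds)
+ 1 host(s) tested
"""

# Lines that describe the run itself rather than a finding.
_META = re.compile(
    r"^\+ (?:Target IP|Target Hostname|Target Port|Start Time|End Time|Server):"
    r"|^\+ \d+ requests:"
    r"|^\+ \d+ host\(s\) tested"
    r"|^\+ No CGI Directories found"
    r"|^\+ Allowed HTTP Methods:"
    r"|^\+ Successfully authenticated"
)
_OSVDB = re.compile(r"^\+ (OSVDB-\d+): (\S+): (.*)$")   # + OSVDB-561: /path: msg
_PATH = re.compile(r"^\+ (/\S*)(?:: | - )(.*)$")        # + /path: msg  or  + /path - msg
_SUMMARY = re.compile(r"^\+ (\d+) requests: (\d+) error\(s\) and (\d+) item\(s\) reported")


def parse_findings(text):
    """Return one dict {osvdb, path, msg} per reported line; path is None for
    host-wide observations such as a missing response header."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("+ ") or _META.match(line):
            continue
        m = _OSVDB.match(line)
        if m:
            findings.append({"osvdb": m.group(1), "path": m.group(2), "msg": m.group(3)})
            continue
        m = _PATH.match(line)
        if m:
            findings.append({"osvdb": None, "path": m.group(1), "msg": m.group(2)})
            continue
        findings.append({"osvdb": None, "path": None, "msg": line[2:].strip()})
    return findings


def canonical_path(raw):
    """Collapse the variants Nikto uses to re-request one resource
    (/./, //, /%2e/, ///, /?query) to a single path."""
    path = raw.split("?", 1)[0] or "/"   # drop query strings such as ?PageServices
    path = unquote(path)                  # /%2e/ -> /./
    path = re.sub(r"/+", "/", path)       # //, /// -> /
    return posixpath.normpath(path)       # /./ -> /


def group_by_path(findings):
    """Group findings by canonical path: {path: {ids, raw_paths, messages}}."""
    groups = defaultdict(lambda: {"ids": set(), "raw_paths": set(), "messages": []})
    for f in findings:
        key = canonical_path(f["path"]) if f["path"] else "(host)"
        g = groups[key]
        if f["osvdb"]:
            g["ids"].add(f["osvdb"])
        if f["path"]:
            g["raw_paths"].add(f["path"])
        g["messages"].append(f["msg"])
    return dict(groups)


def scan_summary(text):
    """Pull request/error/item counts from the closing summary line."""
    for line in text.splitlines():
        m = _SUMMARY.match(line)
        if m:
            return {"requests": int(m.group(1)), "errors": int(m.group(2)), "items": int(m.group(3))}
    return None


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_OUTPUT)
    groups = group_by_path(findings)
    print(f"{len(findings)} reported lines -> {len(groups)} distinct resources")
    for key, g in sorted(groups.items()):
        print(f"{key:16} {len(g['messages']):2} lines  ids={sorted(g['ids'])}  via={sorted(g['raw_paths'])}")
```

On the sample, twelve reported lines collapse to four resources: the root listing (reached six different ways), /server-status, /login.html and one host-wide header observation. For anything beyond a quick triage, write the scan out with -Format json or csv instead of scraping the console text, since the text format is meant for humans and can change between versions.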

-nossl, -ssl options

These options choose whether the scan is done without TLS (-nossl, plain HTTP) or over TLS (-ssl). With -ssl the default port becomes 443; if neither flag is given, Nikto uses plain HTTP on port 80 unless the target is given as an https:// URL.

┌──(kali㉿kali)-[~]
└─$ nikto -h 192.168.11.10 -id user:kali -nossl
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.11.10
+ Target Hostname:    192.168.11.10
+ Target Port:        80
+ Start Time:         2023-04-06 22:53:40 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.55 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ / - Requires Authentication for realm 'Basic'
+ Successfully authenticated to realm 'Basic' with user-supplied credentials.
+ OSVDB-3268: /: Directory indexing found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3268: /./: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: //: Directory indexing found.
+ //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.
+ OSVDB-3268: ///: Directory indexing found.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
+ OSVDB-119: /?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-119: /?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-3268: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory indexing found.
+ OSVDB-3288: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03 reveals directory listing when         /'s are requested.
+ 7916 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2023-04-06 22:53:49 (GMT9) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
// Scanning a target that is not running TLS with -ssl finds nothing (note that Nikto went to port 443 even though -port 80 was given)
┌──(kali㉿kali)-[~]
└─$ nikto -h 192.168.11.10 -id user:kali -ssl -port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ No web server found on 192.168.11.10:443
---------------------------------------------------------------------------
+ 0 host(s) tested

-port+ option

By default Nikto scans port 80 (443 when -ssl is given). Web servers are often configured to listen on another port, and in that case the scan port has to be changed to match. The value can also be a comma-separated list or a range (for example -port 80,443,8080 or -port 8000-8010), in which case each port is scanned in turn.

// The example below scans port 80 explicitly
nikto -h 192.168.11.11 -id user:kali -port 80

-Version option

Prints Nikto's version information, including the versions of its plugin and signature databases.

┌──(kali㉿kali)-[~]
└─$ nikto --Version
---------------------------------------------------------------------------
Nikto Versions
---------------------------------------------------------------------------
File                               Version      Last Mod
-----------------------------      --------     ----------
Nikto main                         2.1.6
LibWhisker                         2.5
db_404_strings                     2.003
…(略)…

 
