Dharma - A generation-based, context-free grammar fuzzer

A generation-based, context-free grammar fuzzer.

Requirements

None

Examples

Generate a single test-case.

% ./dharma.py -grammars grammars/webcrypto.dg

Generate a single test case with multiple grammars.

% ./dharma.py -grammars grammars/canvas2d.dg grammars/mediarecorder.dg

Generating test-cases as files.

% ./dharma.py -grammars grammars/webcrypto.dg -storage . -count 5

Generate test-cases, send each over WebSocket to Firefox, observe the process for crashes and bucket them.

% ./dharma.py -server -grammars grammars/canvas2d.dg -template grammars/var/templates/html5/default.html
% ./framboise.py -setup inbound64-release -debug -worker 4 -testcase ~/dev/projects/fuzzers/dharma/grammars/var/index.html

Benchmark the generator.

% time ./dharma.py -grammars grammars/webcrypto.dg -count 10000 > /dev/null

Grammar Cheetsheet

Comment

%%% comment

Controls

%const% name := value

Sections

%section% := value
%section% := variable
%section% := variance

Extension methods

%range%(0-9)
%range%(0.0-9.0)
%range%(a-z)
%range%(!-~)
%range%(0x100-0x200)

%repeat%(+variable+)
%repeat%(+variable+, ", ")

%uri%(path)
%uri%(lookup_key)

%block%(path)

%choice%(foo, "bar", 1)

Assigning values

digit :=
    %range%(0-9)

sign :=
    +
    -

value :=
    +sign+%repeat%(+digit+)

Using values

+value+

Assigning variables

variable :=
    @variable@ = new Foo();

Using variables

value :=
    !variable!.bar();

Referencing values from common.dg

value :=
    attribute=+common:number+

Calling javascript library functions

foo :=
    Random.pick([0,1]);

Download Dharma

Read More

KeyBox - A web-based SSH console that centrally manages administrative access to systems

KeyBox is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys. Key management and administration is based on profiles assigned to defined users.

Administrators can login using two-factor authentication with FreeOTP or Google Authenticator. From there they can manage their public SSH keys or connect to their systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.

KeyBox layers TLS/SSL on top of SSH and acts as a bastion host for administration. Protocols are stacked (TLS/SSL + SSH) so infrastructure cannot be exposed through tunneling / port forwarding. More details can be found in the following whitepaper: The Security Implications of SSH. Also, SSH key management is enabled by default to prevent unmanaged public keys and enforce best practices.

Prerequisites

• Java JDK 1.7 or greater http://www.oracle.com/technetwork/java/javase/overview/index.html
• Browser with Web Socket support http://caniuse.com/websockets Note: In Safari if using a self-signed certificate you must import the certificate into your Keychain. Select 'Show Certificate' -> 'Always Trust' when prompted in Safari
• Maven 3 or greater ( Only needed if building from source ) http://maven.apache.org
• Install FreeOTP or Google Authenticator to enable two-factor authentication with Android or iOS

To Run Bundled with Jetty

If you're not big on the idea of building from source...
Download keybox-jetty-vXX.XX.tar.gz
https://github.com/skavanagh/KeyBox/releases
Export environment variables
for Linux/Unix/OSX

 export JAVA_HOME=/path/to/jdk
 export PATH=$JAVA_HOME/bin:$PATH

for Windows

 set JAVA_HOME=C:\path\to\jdk
 set PATH=%JAVA_HOME%\bin;%PATH%

Start KeyBox
for Linux/Unix/OSX

    ./startKeyBox.sh

for Windows

    startKeyBox.bat

How to Configure SSL in Jetty (it is a good idea to add or generate your own unique certificate)
http://wiki.eclipse.org/Jetty/Howto/Configure_SSL

Using KeyBox

Open browser to https://<whatever ip>:8443
Login with

username:admin
password:changeme

Steps:

1. Create systems
2. Create profiles
3. Assign systems to profile
4. Assign profiles to users
5. Users can login to create sessions on assigned systems
6. Start a composite SSH session or create and execute a script across multiple sessions
7. Add additional public keys to systems
8. Disable any adminstrative public key forcing key rotation.
9. Audit session history

Download KeyBox

Read More

BetterCap - A complete, modular, portable and easily extensible MITM framework

BetterCap is an attempt to create a complete, modular, portable and easily extensible MITM framework with every kind of features could be needed while performing a man in the middle attack.
It's currently able to sniff and print from the network the following informations:

• URLs being visited.
• HTTPS host being visited.
• HTTP POSTed data.
• FTP credentials.
• IRC credentials.
• POP, IMAP and SMTP credentials.
• NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.

DEPENDS

• colorize (gem install colorize)
• packetfu (gem install packetfu)
• pcaprub (gem install pcaprub) [sudo apt-get install ruby-dev libpcap-dev]

Download BetterCap

Read More

SIMP - System Integrity Management Platform Lydecker Black

SIMP is a framework that aims to provide a reasonable combination of security compliance and operational flexibility.

The ultimate goal of the project is to provide a complete management environment focused on compliance with the various profiles in the SCAP Security Guide Project and industry best practice.

Though it is fully capable out of the box, the intent of SIMP is to be molded to your target environment in such a way that deviations are easily identifiable to both Operations Teams and Security Officers.

Supported Operating Systems

The following Operating Systems are supported:

• Red Hat Enterprise Linux
  • 6.6
  • 7.1
• CentOS
  • 6.6
  • 7.1-1503-01

Technology components

SIMP uses Puppet to manage and maintain the configuration of the various component systems.

Though there are many possible configurations, out of the box SIMP provides:

• Management
  • Puppet Server
  • PuppetDB
  • MCollective
• Authentication
  • OpenLDAP
• Kickstart/Update
• YUM
• DNS
• DHCP
• TFTP

SIMP Provided Materials

Build Materials

• simp-core
• simp-doc
• simp-rsync

Puppet Modules

• pupmod-simp-acpid
• pupmod-simp-activemq
• pupmod-simp-aide
• pupmod-simp-apache
• pupmod-simp-auditd
• pupmod-simp-autofs
• pupmod-simp-backuppc
• pupmod-simp-cgroups
• pupmod-simp-clamav
• pupmod-simp-common
• pupmod-simp-concat
• pupmod-simp-dhcp
• pupmod-simp-elasticsearch
• pupmod-simp-freeradius
• pupmod-simp-functions
• pupmod-simp-ganglia
• pupmod-simp-gfs2
• pupmod-simp-iptables
• pupmod-simp-jenkins
• pupmod-simp-kibana
• pupmod-simp-krb5
• pupmod-simp-libvirt
• pupmod-simp-logrotate
• pupmod-simp-logstash
• pupmod-simp-mcafee
• pupmod-simp-mcollective
• pupmod-simp-mozilla
• pupmod-simp-multipathd
• pupmod-simp-named
• pupmod-simp-network
• pupmod-simp-nfs
• pupmod-simp-nscd
• pupmod-simp-ntpd
• pupmod-simp-oddjob
• pupmod-simp-openldap
• pupmod-simp-openscap
• pupmod-simp-pam
• pupmod-simp-pki
• pupmod-simp-polkit
• pupmod-simp-postfix
• pupmod-simp-pupmod
• pupmod-simp-rsync
• pupmod-simp-rsyslog
• pupmod-simp-site
• pupmod-simp-selinux
• pupmod-simp-shinken
• pupmod-simp-simp
• pupmod-simp-snmpd
• pupmod-simp-ssh
• pupmod-simp-sssd
• pupmod-simp-stunnel
• pupmod-simp-sudo
• pupmod-simp-sudosh
• pupmod-simp-svckill
• pupmod-simp-sysctl
• pupmod-simp-tcpwrappers
• pupmod-simp-tftpboot
• pupmod-simp-tpm
• pupmod-simp-upstart
• pupmod-simp-vnc
• pupmod-simp-vsftpd
• pupmod-simp-windowmanager
• pupmod-simp-xinetd
• pupmod-simp-xwindows
• rubygem-simp-rake-helpers
• rubygem-simp-cli

Forked External Modules

Most forks are simply to fit the materials into our build processes but some have modifications that we are looking to push back upstream when possible.

• augeasproviders
• augeasproviders_apache
• augeasproviders_base
• augeasproviders_core
• augeasproviders_grub
• augeasproviders_mounttab
• augeasproviders_nagios
• augeasproviders_pam
• augeasproviders_postgresql
• augeasproviders_puppet
• augeasproviders_shellvar
• augeasproviders_ssh
• puppet-elasticsearch
• puppetlabs-apache
• puppetlabs-postgresql
• puppetlabs-stdlib
• puppetlabs-inifile
• puppetlabs-puppetdb
• puppetlabs-mysql
• puppetlabs-java
• puppet-gpasswd
• augeasproviders_sysctl
• puppet-datacat
• puppetlabs-java_ks
• puppet-memcached

Download SIMP

Read More

yarGen - A Generator for Yara Rules (for malware researchers)

yarGen is a generator for Yara rules.

What does yarGen do?

The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files.

Since version 0.14.0 it uses naive-bayes-classifier by Mustafa Atik and Nejdet Yucesoy in order to classify the string and detect useful words instead of compression/encryption garbage.

Since version 0.12.0 yarGen does not completely remove the goodware strings from the analysis process but includes them with a very low score. The rules will be included if no better strings can be found and marked with a comment /* Goodware rule */. Force yarGen to remvoe all goodware strings with --excludegood. Also since version 0.12.0 yarGen allows to place the "strings.xml" from PEstudio in the program directory in order to apply the blacklist definition during the string analysis process. You'll get better results.

The rule generation process tries to identify similarities between the files that get analyzed and then combines the strings to so called "super rules". Up to now the super rule generation does not remove the simple rule for the files that have been combined in a single super rule. This means that there is some redundancy when super rules are created. You can supress a simple rule for a file that was already covered by super rule by using --nosimple.

Installation

1. Make sure you have at least 2GB of RAM on the machine you plan to use yarGen
2. Clone the git repository
3. Install all dependancies with sudo pip install pickle scandir lxml naiveBayesClassifier
4. Unzip the goodware database (e.g. 7z x good-strings.db.zip.001)
5. See help with python yarGen.py --help

Memory Requirements

Warning: yarGen pulls the whole goodstring database to memory and uses up to 2 GB of memory for a few seconds.

Command Line Parameters

usage: yarGen.py [-h] [-m M] [-g G] [-u] [-c] [-o output_rule_file]
                 [-p prefix] [-a author] [-r ref] [-l min-size] [-z min-score]
                 [-s max-size] [-rc maxstrings] [-nr] [-oe] [-fs size-in-MB]
                 [--score] [--inverse] [--nodirname] [--noscorefilter]
                 [--excludegood] [--nosimple] [--nomagic] [--nofilesize]
                 [-fm FM] [--noglobal] [--nosuper] [--debug]

yarGen

optional arguments:
  -h, --help           show this help message and exit
  -m M                 Path to scan for malware
  -g G                 Path to scan for goodware (dont use the database
                       shipped with yaraGen)
  -u                   Update local goodware database (use with -g)
  -c                   Create new local goodware database (use with -g)
  -o output_rule_file  Output rule file
  -p prefix            Prefix for the rule description
  -a author            Author Name
  -r ref               Reference
  -l min-size          Minimum string length to consider (default=8)
  -z min-score         Minimum score to consider (default=5)
  -s max-size          Maximum length to consider (default=128)
  -rc maxstrings       Maximum number of strings per rule (default=20,
                       intelligent filtering will be applied)
  -nr                  Do not recursively scan directories
  -oe                  Only scan executable extensions EXE, DLL, ASP, JSP,
                       PHP, BIN, INFECTED
  -fs size-in-MB       Max file size in MB to analyze (default=3)
  --score              Show the string scores as comments in the rules
  --inverse            Show the string scores as comments in the rules
  --nodirname          Don't use the folder name variable in inverse rules
  --noscorefilter      Don't filter strings based on score (default in
                       'inverse' mode)
  --excludegood        Force the exclude all goodware strings
  --nosimple           Skip simple rule creation for files included in super
                       rules
  --nomagic            Don't include the magic header condition statement
  --nofilesize         Don't include the filesize condition statement
  -fm FM               Multiplier for the maximum 'filesize' condition
                       (default: 5)
  --noglobal           Don't create global rules
  --nosuper            Don't try to create super rules that match against
                       various files
  --debug              Debug output

Best Practice

See the following blog post for a more detailed description on how to use yarGen for YARA rule creation: How to Write Simple but Sound Yara Rules

Examples

Use the shipped database (FAST) to create some rules

python yarGen.py -m X:\MAL\Case1401

Use the shipped database of goodware strings and scan the malware directory "X:\MAL" recursively. Create rules for all files included in this directory and below. A file named 'yargen_rules.yar' will be generated in the current directory.

Show the score of the strings as comment

yarGen will by default use the top 20 strings based on their score. To see how a certain string in the rule scored, use the "--score" parameter.

python yarGen.py --score -m X:\MAL\Case1401

Use only strings with a certain minimum score

In order to use only strings for your rules that match a certain minimum score use the "-z" parameter. It is a good pratice to first create rules with "--score" and than perform a second run with a minimum score set for you sample set via "-z".

python yarGen.py --score -z 5 -m X:\MAL\Case1401

Preset author and reference

python yarGen.py -a "Florian Roth" -r "http://goo.gl/c2qgFx" -m /opt/mal/case_441 -o case441.yar

Exclude strings from Goodware samples

python yarGen.py --excludegood -m /opt/mal/case_441

Supress simple rule if alreay covered by a super rules

python yarGen.py --nosimple -m /opt/mal/case_441

Show debugging output

python yarGen.py --debug -m /opt/mal/case_441

Create a new goodware strings database

python yarGen.py -c -g C:\Windows\System32

Update the goodware strings database (append new strings to the old ones)

python yarGen.py -u -g "C:\Program Files"

Inverse rule creation (still beta)

In order to create some inverse rules on goodware, you have to prepare a directory with subdirectories in which you include all versions of the files you want to create inverse rules for with their original name and in their original folder. If that sounds strange, let me give you an example.
E.g. you want to create inverse rules for all Windows executables in the System32 folder, you have to create a goodware archive with the following directory structure:

• G:\goodware
  • WindowsXP
    • System32 - all files
  • Windows2003
    • System32 - all files
  • Windows2008R2
    • System32 - all files

yarGen than creates rules that identify e.g. file name "cmd.exe" in path ending with "System32" and checks if the file contains certain necessary strings. If the strings don't show up, the rule will fire. This indicates a replaced system file or malware file that tries to masquerade as a system file.

python yarGen.py --inverse -oe -m G:\goodware\

You can also instruct yarGen not to include the file path but solely rely on the filename.

python yarGen.py --inverse -oe --nodirname -m G:\goodware\

Download yarGen

Read More

Snitch - Information Gathering via dorks

Snitch is a tool which automate dorking process for specified domain. Using build-in dork categories, this tool helps gather informations about domain which can be found using search engines. It can be quite useful in early phases of pentest.

Examples

devil@hell:~/snitch/$ python snitch.py

                       _ __       __  
           _________  (_) /______/ /_ 
          / ___/ __ \/ / __/ ___/ __ \ 
         (__  ) / / / / /_/ /__/ / / /
        /____/_/ /_/_/\__/\___/_/ /_/ ~0.2   

Usage: snitch.py [options]

Options:
  -h, --help            show this help message and exit
  -U [url], --url=[url]
                        domain(s) or domain extension(s) separated by comma *
  -D [type], --dork=[type]
                        dork type(s) separated by comma *
  -O [file], --output=[file]
                        output file
  -S [ip:port], --socks=[ip:port]
                        socks5 proxy
  -I [seconds], --interval=[seconds]
                        interval between requests, 2s by default
  -P [pages], --pages=[pages]
                        pages to retrieve, 10 by default
  -v                    turn on verbosity

Dork types:
  info  | Information leak & Potential web bugs
  ext   | Sensitive extensions
  docs  | Documents & Messages
  files | Files & Directories
  soft  | Web software
  all   | All

Examples:
  snitch.py -I5 -P3 --dork=ext,info -U gov -S 127.0.0.1:9050
  snitch.py --url=site.com -D all -O /tmp/dorks

devil@hell:~/snitch/$ python snitch.py -U gov -D ext -P20 -S 127.0.0.1:9050
[+] Target: gov
[!] Using SOCKS5 (IP - XX.XX.XX.XX)
[!] Pages limit set to 20

[+] Looking for sensitive extensions

http://www.seismic.ca.gov/pub/CSSC_1998-01_COG.pdf.OLD
http://greengenes.lbl.gov/Download/Sequence_Data/Fasta_data_files/CoreSet_2010/formatdb.log
http://www.uspto.gov/web/patents/pdx/permitting_access.pdf_2010may17.bak
http://www.dss.virginia.gov/tst.log
http://appliedresearch.cancer.gov/nhanes_pam/create.pam_perday.log
ftp://ftp.eia.doe.gov/pub/oil_gas/natural_gas/feature_articles/2006/ngshock/ngshock.pdf.bak
http://appliedresearch.cancer.gov/nhanes_pam/create.pam_perminute.log
https://igscb.jpl.nasa.gov/igscb/station/mgexlog/nya2_20130905.log
http://www.swrcb.ca.gov/losangeles/board_decisions/adopted_orders/index.shtml.old
https://trac.mcs.anl.gov/projects/mpich2/attachment/ticket/83/config.log
https://tcga-data.nci.nih.gov/docs/index.html.bak
https://software.sandia.gov/trac/canary/attachment/ticket/3917/Pike_Hach%26SCAN_Oracle.edsx_convert.log
http://www.glerl.noaa.gov/metdata/2check_all.log
http://ft.ornl.gov/eavl/regression/configure.log
http://airsar.jpl.nasa.gov/airdata/PRECISION_LOG/hd1883.log
http://www.antd.nist.gov/pubs/Sriram_BGP_IEEE_JSAC.pdf.old
http://www-esh.fnal.gov/pls/default/itna.log
http://www.lanl.gov/wrtout/projects/tscattering/nano/Output//Defaults/ellipsoid.log
http://maine.gov/REVENUE/netfile/WS_FTP.LOG
http://mls.jpl.nasa.gov/lay/UARS_MLS.LOG
http://airsar.jpl.nasa.gov/airdata/PRECISION_LOG/hd1469.log
http://www.modot.mo.gov/_baks/indexalt.htm.0001.b041.bak
ftp://ftp.hrsa.gov/ruralhealth/FY04RAEDGuidance.pdf.bak
https://www.health.ny.gov/health_care/medicaid/nyserrcd.ini
http://www.thruway.ny.gov/business/contractors/expedite/bid.ini
http://www.star.bnl.gov/~pjakl/documents/configuration.cfg
http://www.wpc.ncep.noaa.gov/html/ecmwf0012loop500_ak.cfg
https://fermilinux.fnal.gov/documentation/security/krb5.conf
http://mirror.pnl.gov/macports/release/ports/security/fail2ban/files/pf-icefloor.conf
https://svn.mcs.anl.gov/repos/ZeptoOS/trunk/BGP/ramdisk/CN/tree/etc/syslog.conf
http://cmip-pcmdi.llnl.gov/cmip5/docs/esg.ini
https://security.fnal.gov/krb5.conf
http://collaborate2.nws.noaa.gov/canned_data/data_files/pqact.conf

[+] Done!

Download Snitch

Read More

Johnny - GUI for John the Ripper

Johnny is a cross-platform open-source GUI for the popular password cracker John the Ripper.

Features

1. user could start, pause and resume attack (though only one session is allowed globally),
2. all attack related options work,
3. all input file formats are supported (pure hashes, pwdump, passwd, mixed),
4. ability to resume any previously started session via session history,
5. suggest the format of each hashes,
6. try lucky guesses with password guessing feature,
7. “smart” default options,
8. accurate output of cracked passwords,
9. config is stored in .conf file (~/.john/johnny.conf),
10. nice error messages and other user friendly things,
11. export of cracked passwords through clipboard,
12. export works with office suits (tested with LibreOffice Calc),
13. available in english and french,
14. allows you to set environment variables for each session directly in Johnny

Download  Johnny

Read More

Q-shell - Quick Shell for Unix Administrator

q-shell is quick shell for remote login into Unix system, it use blowfish crypt algorithm to protect transport data from client to server, you can get two program: 'qsh' for client, and 'qshd' for server, those program can rename by any name with you prefer.

Compile

Just enter 'make' and it will automation to compile, but, you must input the server key.

Usage

1. server:
   Just run qshd on server:
   

      $ ./qshd
   

   But, you would like to run after change it to other name, such as:
   

      $ mv qshd smbd
      $ export PATH=.:$PATH
      $ smbd
   

2. client:
   Set some environment variable, then run qsh:
   

     $ export _IP=127.0.0.1
     $ export _PORT=2800
     $ unset _P
     $ ./qsh shell
   

   Now you already login into server $_IP .

More function

q-shell include more function to manage system:

1. put/get files:
   

   $ ./qsh get /path/to/server/file .
   $ ./qsh put /path/to/local/file  /path/to/server/file
   

2. run a command on server:
   

   $ ./qsh exec 'ls -l /bin'
   

3. update server program:
   

   $ ./qsh update /path/to/local/qshd
   

   This function will update remote qshd, and run again.
4. automation to run command on many server:
   

   $ for i in {10..20} ; do \
         export _IP=192.168.0.$i
         export _PORT=2800
         export _P=key   # set key
         ./qsh exec 'ls -l /bin'
     done
   

   Note: qsh use $_P to fetch server key, so you should erase all history data after to use $_P.
5. update password
   start with version 3.2, you can update the password as below:
   

     $ ./qsh passwd
   

Download Q-shell

Read More

Nikto2 - Web Server Scanner

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Features

Here are some of the major features of Nikto. See the documentation for a full list of features and how to use them.

• SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)
• Full HTTP proxy support
• Checks for outdated server components
• Save reports in plain text, XML, HTML, NBE or CSV
• Template engine to easily customize reports
• Scan multiple ports on a server, or multiple servers via input file (including nmap output)
• LibWhisker's IDS encoding techniques
• Easily updated via command line
• Identifies installed software via headers, favicons and files
• Host authentication with Basic and NTLM
• Subdomain guessing
• Apache and cgiwrap username enumeration
• Mutation techniques to "fish" for content on web servers
• Scan tuning to include or exclude entire classes of vulnerability checks
• Guess credentials for authorization realms (including many default id/pw combos)
• Authorization guessing handles any directory, not just the root directory
• Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
• Reports "unusual" headers seen
• Interactive status, pause and changes to verbosity settings
• Save full request/response for positive tests
• Replay saved positive requests
• Maximum execution time per target
• Auto-pause at a specified time
• Checks for common "parking" sites
• Logging to Metasploit
• Thorough documentation

Basic usage

   Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
        -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               msf+  Log to Metasploit
                               nbe   Nessus NBE format
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host
       -IgnoreCode        Ignore Codes--treat as negative responses
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -output+           Write output to this file ('.' for auto-name)
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Save              Save positive responses to this directory ('.' for auto-name)
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -useproxy          Use the proxy defined in nikto.conf
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
              + requires a value

Basic Testing

The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:

perl nikto.pl -h 192.168.0.1

To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:

perl nikto.pl -h 192.168.0.1 -p 443

Hosts, ports and protocols may also be specified by using a full URL syntax, and it will be scanned:

perl nikto.pl -h https://192.168.0.1:443/

There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.

perl nikto.pl -h 192.168.0.1 -p 443 -ssl

More complex tests can be performed using the -mutate parameter, as detailed later. This can produce extra tests, some of which may be provided with extra parameters through the -mutate-options parameter. For example, using -mutate 3, with or without a file attempts to brute force usernames if the web server allows ~user URIs:

perl nikto.pl -h 192.168.0.1 -mutate 3 -mutate-options user-list.txt

Multiple Port Testing

Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). This will scan the host on ports 80, 88 and 443.

perl nikto.pl -h 192.168.0.1 -p 80,88,443

Download Nikto2

Read More