Section 4.5. Adding Custom Entries to the Plug-in Databases

4.5. Adding Custom Entries to the Plug-in Databases

A key advantage of many plug-ins is that you can extend them via their .db data driver files. The msgs , outdated , realms , and core plug-ins all use .db files as their signature database. Because each plug-in functions differently and has unique requirements for data input, the syntax of each .db file is different. The one common thread among them is that they all use the Comma Separated Value (CSV) format. All of the Nikto plug-ins use the parse_csv( ) routine from the core plug-in to convert each line of the .db file into an array.

4.5.1. .db Files Associated with the nikto_core Plug-in

The nikto_core plug-in uses servers.db to categorize a target based on its Server : header. The file contains categories of web servers and regular expressions that map to them. To limit testing time and false positives, Nikto uses the function get_banner() to retrieve the Server : banner and then sets the appropriate server category using the function set_server_cats( ) . The scan_database.db file and the optional user_scan_database.db file are the driver files for the main checks launched from nikto_core.plugin and they share the same syntax. The line syntax is as follows :

[Server category], [URI], [Status Code /Search Text ], [HTTP Method], [Message]
"iis","/","Length Required","SEARCH","WebDAV is installed.\n";
"cern","/.www_acl","200","GET","Contains authorization information"
"generic","/cfdocs/examples/httpclient/mainframeset.cfm","200!not found","GET", 
    "This might be interesting"

The first entry of the first line is the server categoryin this case, iis . Once the category has been determined, only checks of this type will be run against it, unless the - generic command-line option is specified. This will reduce total scan time and false positives. The second entry of the first line is the URI requested . The third entry is the text Nikto will look for in the response. If the text is found, the check will register as a vulnerability and will display the appropriate output to the user . You can specify both the status code and search text using ! as the separator. The fourth entry is the HTTP method that will be used in the request. Typically this will be GET or POST . The fifth entry is the message Nikto should print if the check succeeds.

Note that the check on the first and second lines is similar, except that on the second line the "search text" field is an HTTP response code. If Nikto sees a number in this field, it assumes the number is a response code. The check succeeds if the actual response code matches the check. You can see a variation of this in the "search text" entry on the third line. The third line specifies a response code to look for and search text to match against. The check will be successful if the response code is 200 and the returned page does not contain the string not found (case-sensitive). Look at the following log of the third check. Because the response code was 404 and not 200 the check is known to have failed.

REQUEST: **************
GET /cfdocs/examples/httpclient/mainframeset.cfm HTTP/1.1\r\n
Host: 192.168.0.100\r\n
\r\n
RESPONSE: **************
HTTP/1.1 404 Not Found\r\n
Date: Tue, 08 Jun 2004 23:58:30 GMT\r\n
Server: Apache/1.3.19 (QNX) PHP/4.1.3 mod_ssl/2.6.4 OpenSSL/0.9.6c\r\n
Transfer-Encoding: chunked\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
\r\n
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<HTML><HEAD>\n<
TITLE>404 Not Found</TITLE>\n</HEAD><BODY>\n<H1>Not Found</
H1>\nThe requested URL / cfdocs/examples/httpclient/mainframeset.cfm was not found 
on this server.<P>\n</BODY></HTML>\n

4.5.2. outdated.db for the nikto_outdated Plug-in

The nikto_outdated plug-in, as the name suggests, checks the version of the web server as given by the Server : header to determine if it is outdated. It does this by comparing the retrieved banner to the versions in the outdated.db file. It's important to note that web servers vary in terms of how they announce themselves in the Server : header. It's easy for us to see that Apache/1.3.26-WebDav and apache-1.3.26 php/4.3.1 represent the same version of the Apache web server, but it's challenging for the scanner to see this. The nikto_outdated plug-in tries to take a best guess as to what the separators are (a space, / , - , etc.) and then translates alphabetic characters to their equivalent ASCII ordinals (as in the debug output a few paragraphs down).

The syntax of outdated.db is as follows:

[Web Server Banner], [Current Version], [Display Message]

"Apache/","Apache/2.0.47","@RUNNING_VER appears to be outdated (current is at least
    @CURRENT_VER). Apache 1.3.28 is still maintained and considered secure."

The first entry is the string the plug-in matches on to determine if the current line's checks should be run. The second entry is the version of the web server that is considered up-to-date. The third entry is the message displayed if the version is outdated. The @RUNNING_VER and @CURRENT_VER tokens will be replaced with the strings that their names suggest.

The logic flow of the plug-in is best illustrated by putting the program in debug mode using the - debug flag. The debug output shows the plug-in has correctly chosen the / character as a separator to be used in parsing the web server banner. Then it goes on to parse out the version (what Nikto calls numberifcation ), and finally it checks major and minor versions of the running version on the target to the Current Version and prints out the Display Message string if the version is outdated.

D: nikto_outdated.plugin: verstring: Apache/, sepr:/
D: nikto_outdated.plugin: $CURRENT:apache/2.0.47:$RUNNING:apache/1.3.29:
D: nikto_outdated.plugin: $CURRENT:2.0.47:$RUNNING:1.3.29: (after numberifcation)
D: nikto_outdated.plugin: major compare: $CUR[0]:2: $RUN[0]:1:
+ Apache/1.3.29 appears to be outdated (current is at least Apache/2.0.47). 
  Apache 1.3.28 is still maintained and considered secure.

4.5.3. realms.db for the nikto_realms Plug-in

The realms.db file contains the entries to drive the attacks that the nitko_realms plug-in attempts against a server's Basic Auth HTTP authorization.

The syntax is as follows:

[Realm], [Username], [Password],[Success Message]
"@ANY","test","test","Generic account discovered."
"ConfigToolPassword",,,"Realm matches a Nokia Checkpoint Firewall-1"

The plug-in checks to see if the realm is matched, and if so, it attempts to authenticate using the Username and Password . On success the message is displayed to the user. The entry @ANY is a wildcard that matches all realms.

4.5.4. server_msgs.db for the nikto_msgs Plug-in

The nikto_msgs plug-in performs matches on the web server banner. If a certain version is found, it will display the corresponding message. One of the benefits of the plug-in's .db file syntax is that it uses Perl regular expressions to match on the banner.

The syntax for server_msgs.db is as follows:

[Web Server RegEx], [Success Message]

"Apache\/2\.0\.4[0-5]","Apache versions 2.0.40 through 2.0.45 are vulnerable to a DoS 
in basic authentication. CAN-2003-0189."