4.5. Adding Custom Entries to the Plug-in Databases
A key advantage of many plug-ins is that you can extend them via their
data driver files. The
4.5.1. .db Files Associated with the nikto_core Plug-in
to categorize a target based on its
: header. The file contains categories of web servers and regular expressions that map to them. To limit testing time and false positives, Nikto uses the function
to retrieve the
: banner and then sets the appropriate server category using the function
file and the optional
file are the driver files for the main checks launched from
and they share the same syntax. The line syntax is as
[Server category], [URI], [Status Code /Search Text ], [HTTP Method], [Message] "iis","/","Length Required","SEARCH","WebDAV is installed.\n"; "cern","/.www_acl","200","GET","Contains authorization information" "generic","/cfdocs/examples/httpclient/mainframeset.cfm","200!not found","GET", "This might be interesting"
The first entry of the first line is the server categoryin this case,
. Once the category has been determined, only checks of this type will be run against it, unless the -
command-line option is specified. This will reduce total scan time and false positives. The second entry of the first line is the URI
Note that the check on the first and second lines is similar, except that on the second line the "search text" field is an HTTP response code. If Nikto sees a number in this field, it assumes the number is a response code. The check succeeds if the actual response code matches the check. You can see a variation of this in the "search text" entry on the third line. The third line specifies a response code to look for and search text to match against. The check will be successful if the response code is 200 and the returned page does not contain the string not found (case-sensitive). Look at the following log of the third check. Because the response code was 404 and not 200 the check is known to have failed.
REQUEST: ************** GET /cfdocs/examples/httpclient/mainframeset.cfm HTTP/1.1\r\n Host: 192.168.0.100\r\n \r\n RESPONSE: ************** HTTP/1.1 404 Not Found\r\n Date: Tue, 08 Jun 2004 23:58:30 GMT\r\n Server: Apache/1.3.19 (QNX) PHP/4.1.3 mod_ssl/2.6.4 OpenSSL/0.9.6c\r\n Transfer-Encoding: chunked\r\n Content-Type: text/html; charset=iso-8859-1\r\n \r\n <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<HTML><HEAD>\n< TITLE>404 Not Found</TITLE>\n</HEAD><BODY>\n<H1>Not Found</ H1>\nThe requested URL / cfdocs/examples/httpclient/mainframeset.cfm was not found on this server.<P>\n</BODY></HTML>\n
4.5.2. outdated.db for the nikto_outdated Plug-in
plug-in, as the
The syntax of outdated.db is as follows:
[Web Server Banner], [Current Version], [Display Message] "Apache/","Apache/2.0.47","@RUNNING_VER appears to be outdated (current is at least @CURRENT_VER). Apache 1.3.28 is still maintained and considered secure."
The first entry is the string the plug-in matches on to determine if the current line's checks should be run. The second entry is the version of the web server that is considered up-to-date. The third entry is the message displayed if the version is outdated. The
tokens will be
The logic flow of the plug-in is best
D: nikto_outdated.plugin: verstring: Apache/, sepr:/ D: nikto_outdated.plugin: $CURRENT:apache/2.0.47:$RUNNING:apache/1.3.29: D: nikto_outdated.plugin: $CURRENT:2.0.47:$RUNNING:1.3.29: (after numberifcation) D: nikto_outdated.plugin: major compare: $CUR:2: $RUN:1: + Apache/1.3.29 appears to be outdated (current is at least Apache/2.0.47). Apache 1.3.28 is still maintained and considered secure.
4.5.3. realms.db for the nikto_realms Plug-in
The realms.db file contains the entries to drive the attacks that the nitko_realms plug-in attempts against a server's Basic Auth HTTP authorization.
The syntax is as follows:
[Realm], [Username], [Password],[Success Message] "@ANY","test","test","Generic account discovered." "ConfigToolPassword",,,"Realm matches a Nokia Checkpoint Firewall-1"
The plug-in checks to see if the realm is matched, and if so, it attempts to authenticate using the Username and Password . On success the message is displayed to the user. The entry @ANY is a wildcard that matches all realms.
4.5.4. server_msgs.db for the nikto_msgs Plug-in
The syntax for server_msgs.db is as follows:
[Web Server RegEx], [Success Message] "Apache\/2\.0\.4[0-5]","Apache versions 2.0.40 through 2.0.45 are vulnerable to a DoS in basic authentication. CAN-2003-0189."