Tutorial Penetration Tools #3 || How to Find Website Vulnerability using Nikto on Kali Linux 2 || Bagaimana mencari kerentanan website menggunakan Nikto di Kali Linux 2

in #utopian-io7 years ago (edited)

12.png

What is a Nikto..?

Nikto is a most popular web security app when you start a web pentesting. Nikto is a web application scanning tool that searches for configuration errors, open access web directories and number of web applications. Nikto is an Open Source web scanner (GPL), which performs comprehensive tests on web servers. Nikto has the ability to detect 3500 potentially dangerous / CGIS files. Nikto can test web server quickly, but it's easy to see on the log. But it is very useful to test a web server. I think this nikto web server reader that has a vulnerability of CVE and OSVDB (Open Source Vulnerability Data Base).

tutorials-1415-0-76022500-1450729402.jpg

Nikto Functions :

Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests on web servers for multiple items, including over 6700 potentially dangerous files / CGIS, checks for outdated versions of over 1,250 servers, and certain version issues in over 270 server. It also checks server configuration items such as presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be updated automatically.

Features

These are some of the key features in the current version:

  • Support SSL (Unix with OpenSSL or maybe Windows with ActiveState's
  • Perl / NetSSL)
  • Full HTTP proxy support
  • Check out obsolete server components
  • Save the report in plain text, XML, HTML, NBE or CSV
  • Scan multiple ports on a server, or multiple servers via input files (including Nmap output)
  • Identify installed software through headers, favicon and files
  • Host authentication with Basic and NTLM
  • Scan tuning to enter or exclude all consumer class checks
  • The upgrades are composed of several methods: headers,
  • Save request / full response for positive test
  • Maximum execution time per target

Tutorial using Nikto at Kali Linux 2

Open your linux terminal and make sure your computer is connected to the internet to penetrate the target website.

Then open Nikto app in Kali Linux then follow the following command :

Applications ->> Vulnerability Analysis ->> nikto

Screenshot from 2018-02-01 22-38-22.png

first open terminal in linux time, then type command :

nikto

root@kali_ ~_001.png
then next comes some options that can be used on nikto

Note :
Then we determine the website that we will test the vulnerability, for example here using the website "www.yahoo.com" which we test as learning about knowledge vulnerability analysis of a website.

Then to scan the website with the host name we can use the -h option by typing the command :

nikto -h www.yahoo.com

root@kali_ ~_006.png

Then we wait until the scan is complete and then we can see find some information about the target that is : Target IP, Target Hostname, Target Port and Start Time.

Target IP : 106.10.178.36

Target Hostname : www.yahoo.com

Target Port : 80

Start Time : 2018-02-01 23:24:47 (GMT7)

root@kali_ ~_003.png

Then to scan the vulnerability we can see the running process we need to use the Display option by typing the command :

nikto -D v -h www.yahoo.com

root@kali_ ~_009.png

Then on this display we can see all the processes that are in progress and need a long time until the process is complete.

After the process is complete we can see how long it takes to do the scanning and in this process takes (612 seconds) to complete the scanning process.

root@kali_ ~_008.png

Next to scan for SQL Vulnerability for a website. We can do a single scan can be completed with a fast time by typing the command :

nikto -Tuning 9 -h www.yahoo.com

root@kali_ ~_011.png

Next to scan the software identification on a website we can type the command :

nikto -Tuning b -h www.yahoo.com

root@kali_ ~_012.png

Next to scan Denial Distribute of Services (DDoS) on a website we can type in the command:

nikto -Tuning 6 -h www.yahoo.com

root@kali_ ~_014.png

Then to scaning results can we save on file by using command below to find the vulnerability.

nikto -Display V -o nikto_scan_result.html -Format html -h 106.10.178.37

root@kali_ ~_015.png

Then wait until the process is complete. Furthermore, when it is finished to see the file we can type the command :

ls

root@kali_ ~_017.png

Then we find the file named nikto_scan_result.html
root@kali_ ~_019.png

Then to open the file we go to folder /Home and click on file: nikto_scan_result.html

Home ->> nikto_scan_result.html

Screenshot from 2018-02-02 00-33-57.png

Finally, that open nikto_scan_result.html in our browser and we can see the full results of vulnerability scanning website we have done.

Screenshot from 2018-02-02 00-33-37.png
Screenshot from 2018-02-02 00-33-46.png

Syntax Description :

-Tuning : Scan Tuning

-D : Display

-h : Hostname

v : Virtual Host (for host Header)

V : Print plugin dan Database Version

b : Tuning to Software Identification

9 : Tuning to search for sql vulnerabilities

6 : Tuning to scan Denial Distributed of Services (DDos)



Posted on Utopian.io - Rewarding Open Source Contributors

Sort:  

Hello @fandimuhammad11 your post looks awesome.

Thank you for the contribution. It has been approved.

Maybe you should consider keeping your titles just in English, which is not mandatory but makes a lot of sense in my personal opinion. It would also be useful to add the difficulty of your tutorial to the introduction as suggested by our template so readers can decide right away if this is helpful to them or not.

You can contact us on Discord.
[utopian-moderator]

thanks @flauwy next i will make better contribution

Hey @fandimuhammad11 I am @utopian-io. I have just upvoted you!

Achievements

  • You have less than 500 followers. Just gave you a gift to help you succeed!
  • Seems like you contribute quite often. AMAZING!

Suggestions

  • Contribute more often to get higher and higher rewards. I wish to see you often!
  • Work on your followers to increase the votes/rewards. I follow what humans do and my vote is mainly based on that. Good luck!

Get Noticed!

  • Did you know project owners can manually vote with their own voting power or by voting power delegated to their projects? Ask the project owner to review your contributions!

Community-Driven Witness!

I am the first and only Steem Community-Driven Witness. Participate on Discord. Lets GROW TOGETHER!

mooncryption-utopian-witness-gif

Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x