Posted on

Nikto vulnerability scanner: Complete guide

Hello, aspiring ethical Hackers. This blogpost is a complete guide to Nikto vulnerability scanner. Nikto is a free command line web vulnerability scanner that scans web servers and detects over 6700 potentially dangerous files/CGIs, outdated server software, other vulnerabilities and misconfigurations. Nikto can also detect the installed software on the target web server. We will be running Nikto on Kali Linux as it is installed by default in Kali Linux. So let’s start.

Let’s start with a version check (-Version)

The “version” option of Nikto checks for the version of the software, plugins and database versions.

Checking Database (-dbcheck)

It’s always a good thing to check for any errors in the scan database before scanning. The “-dbcheck” option of Nikto checks the scan databases for any errors.

The Host option (–host) (-h)

To scan a target using Nikto, first we need to specify a target. To set the target, we need to use the “host” option. This is shown below.

The target can be IP address of the webserver or URL of the website. This scan took 45 seconds to finish.

The Host option (–ssl)

To scan a website with HTTPS enabled with nikto, we can use the “SSL” option.

The Port option (–port)

By default, Nikto scans the default HTTP and HTTPS ports when specified. However, if the target web server is running on a custom port you can set Nikto to scan a different port by using the “port” option.

Scanning for CGI directories (–Cgidirs)

To scan for the presence of all CGI directories on the target webserver, the “cgidirs” option can be used.

You can specify a specific CGI directory to search or you can use “all” value to scan for all CGI directories on the target.

What output you want Nikto to show? (–Display)

To control the type and amount of output Nikto shows after finishing the scan, we can use the “Display” option. Here are the values that can be set for the Display option.

How much time you want Nikto to spend on a scan? (–maxtime)

Using the “maxtime” option, we can specify the maximum time to spend for scanning a target. This time can be specified in seconds.

As you can see, the scan ended in 2 seconds while earlier the same scan took 45 seconds.

Don’t look for names (-nolookup)

The “nolookup” option specifies Nikto to not query for names when an IP address is specified.

Don’t look for pages that are not there (–no404)

The “no404” option specifies Nikto to disable “file not found” checking. This will reduce the total number of requests made to the target.

Just discover the ports (–findonly)

If you want to just find the HTTP(S) ports of a target without performing any security scan, you can use the “–findonly” option. Specifying this option allows Nikto to connect to HTTPS or HTTP ports and report the server header.

The Timeout option (–timeout)

The “–timeout” option specifies time to wait before timing out a request. The default timeout of Nikto is 10 seconds.

The Pause option (–Pause)

By using “–Pause” option of Nikto, we can specify delay between each test Nikto performs.

What if we have to authenticate? (–id)

With the “-id” option you can use Nikto to perform basic authentication to the target.

The tuning option (–tuning)

With the “-Tuning” option, we can control the test that Nikto will use against a target. It can take the following values.

For example, this is how we test for misconfigured files on the target.

See all Nikto plugins (–list-plugins)

Nikto has lot of plugins that can be used against various targets. To view all these plugins, we can use the “–list-plugins” option.

Use a particular plugin (–Plugins)

To use a particular plugin, we can use the “Plugins” option. For example, let’s use the robots plugin as shown below.

Can Nikto evade detection? (–evasion)

While scanning, Nikto can use various techniques to evade Intrusion Detection System (IDS). The evasion techniques of Nikto are given below.

Saving output (-o)

Nikto can save the output of the scan in a file with the “output(-o)” as shown below.

Formats in which you can save output (-Format)

You can save in different formats you like using the “-Format” option. Valid formats are csv, htm, txt and xml.

That is the complete guide for Nikto vulnerability scanner. If you have any questions bring them in the comments section.

Posted on

Nessus vulnerability scanner: Beginner’s guide

Hello aspiring ethical hackers. In this blogpost, you will learn about Nessus vulnerability scanner. Nessus is an open-source network vulnerability scanner that uses Common Vulnerabilities and Exposures (CVE) architecture. It is widely used for vulnerability assessment and penetration testing.

Nessus server can be installed on Unix, Linux and FreeBSD whereas Nessus client is available for Unix and Windows based operating systems. For this tutorial, we will be installing Nessus on Kali Linux. Nessus can be downloaded from here. It can also be downloaded using curl as shown below (version may change).

Once the latest version of Nessus is downloaded, it can be installed as shown below.

Once the installation is finished, enable nessus as shown below.

Then start nessus as shown below.

Nessus runs on port 8834 by default. It can be viewed in browser.

Click on “Accept the risk and continue”.

Click on “Continue”. Select the type of Nessus install you want. Since we are using a Free version of Nessus for this tutorial we select “Register for Nessus Essentials”. Click on “continue”.

To run Nessus Essentials, you need an activation code. Get the activation code by entering the following details.

You need a user account to login into Nessus. Create an account and most importantly remember the user account information.

Then, Nessus will download all the required plugins. This may take some time (a bit long time sometimes).

Once all the plugins are finished downloading, you should see this.

The installation is finished. Now, it’s time to start scanning with Nessus. Click on “New scan”. A new popup opens. Assign a target.

Click on “Run scan”.

The scan will start and take some time to finish. For this tutorial, we are using “Metasploitable 2” as target. See how to install Metasploitable 2 in VirtualBox.

The vulnerabilities are classified into five categories by Nessus. They are Critical, High, Medium, Low and Information. You can view detailed information about the detected vulnerabilities by clicking on them.

All the scans you perform are located in “My scans” section.

Nessus allows different types of scans. All the scans that can be performed using Nessus can be viewed from “All scans” section.

Posted on

Vulnerability scanning for beginners

Hello aspiring Ethical Hackers. In this blogpost, you will learn about vulnerability scanning. Before you learn what a vulnerability scan is, you need to know what a vulnerability is? A vulnerability is a weakness, flaw, error or a misconfiguration in a software or network that allows hackers to gain unauthorized access to the organization by exploiting it.

What is vulnerability scanning?

Now that you have understood what is a vulnerability, let’s see what is scanning. Vulnerability scanning is the process of identifying the security vulnerabilities in a software or a network of the organization. Vulnerability scanning is usually performed to protect the organization from hackers although it is also performed by hackers to gain access to the organization.

Types of vulnerability scans

Vulnerability scanning can be categorized into different types. They are,

  1. External Vulnerability Scan
  2. Internal vulnerability scan
  3. Environmental scans
  4. Intrusive Scans
  5. Non-Intrusive scan.
  6. Credentialed scan
  7. Non-credentialed scan

1. External vulnerability scan:

In an external vulnerability scan, the external facing resources of an organization are scanned. These include, websites, systems, ports and services.

2. Internal vulnerability scan:

In this type of scan, the vulnerability scan is performed on the internal network of the organization or on resources to which the users or employees of the organization have access to. This scan is performed to get information about the vulnerabilities which employees or malware which gained access to the network can exploit.

3. Environmental scan:

Environmental vulnerability scans are performed based on the target environment. For example, target environment can be cloud based, IOT, mobile devise, websites etc.

Vulnerability scans can also be classified as either Intrusive or Non-Intrusive.

4. Non- Intrusive scan:

In a non-intrusive vulnerability scan, vulnerabilities are just identified and reported.

5. Intrusive scan:

In an intrusive vulnerability scan, vulnerability is not just identified but also exploited.

Apart from these categorizations, vulnerability scan is also classified as credentialed scans and non-credentialed scans.

6. Credentialed scan:

Also known as authenticated scan, this vulnerability scan in performed using a set of credentials. This type of scan gives the trusted users view of the organization.

7. Non-credentialed scan:

Also known as non-authenticated scan, this vulnerability scan gives the external user’s view of the network or revenue of organization.

Uses of vulnerability scans

Vulnerability scanning can help cyber security personnel of the organization to get an idea about the vulnerabilities in the organization beforehand and to prevent them from being exploited by attackers. As hackers also perform vulnerability scans, vulnerability scanning gives an idea to the organization as to what hackers can see.

How are vulnerability scans performed?

Vulnerability scans can be performed manually or using tools (vulnerability scanner). See how to perform vulnerability scanning with Nikto and Nessus.

Vulnerability scan vs Vulnerability assessment

In vulnerability scanning, vulnerabilities are scanned and reported whereas in vulnerability assessment, apart from identifying vulnerabilities the impact of the vulnerabilities when exploited is also assessed. Learn more about vulnerability assessment.

Posted on

OS fingerprinting for beginners

Hello, aspiring Ethical Hackers. In this blogpost you will learn about OS Fingerprinting. Before you learn about OS fingerprinting, you should know what exactly is Fingerprinting. Fingerprinting is a form of biometrics that identifies a person with their fingerprint. Why Fingerprint? Because GOD has created humans in such a way that two people (no matter how much population rises) have same fingerprints.

What is OS Fingerprinting?

Just like every human has his own fingerprint, operating systems too have a unique fingerprint. Windows systems have a unique fingerprint whereas Linux systems have their unique fingerprint. The process of determining this fingerprint to determine the operating system of the target is known as Operating System fingerprinting.

What is this required?

If a hacker or pen tester can find out the operating system of the target system, he/she can know which vulnerabilities to exploit or which payloads to design to gain access to the target system (For example, Windows need EXE payloads whereas Linux systems require .sh payloads.

Types of OS Fingerprinting

os fingerprinting

Active OS Fingerprinting

In Active OS Fingerprinting, specially crafted packets are sent to the target system and its responses are analyzed to determine the operating system of target computers. This interaction can be as simple as a ping or a scanner like Nmap. Using ping, we can detect a target operating system by observing the Time To Live (TTL) values as shown below.

Time To Live (TTL) is the amount of time or “hops” that a packet is set to exist inside a network before discarded by a router. In simple words, it is the period of time that a packet or data should exist on a network before being discarded. This value differs from operating system to operating system. Here are the default TTL values of some operating systems. You can know about the default TTL values of more operating systems here.

Another way to perform Active Foot printing is by sending specially crafted packets to the target system. Among all Ethical Hackers use Nmap for OS fingerprinting.

Passive OS Fingerprinting

Although Active Fingerprinting is very effective and accurate at determining the target’s operating system, it is very noisy and can be easily spotted by Cyber security teams. Passive fingerprinting is a more effective way of detecting target system’s OS. Moreover, there is no chance of Firewalls blocking this type of fingerprinting. How is it possible?

In passive OS fingerprinting, a sample of packets coming from the target we are interested in are analyzed. For this purpose, we use a Packet Capture API. It relies on guessing the target OS by observing their TCP/IP implementation. Apart from TTL, this type of fingerprinting will observe window size, Don’t Fragment (DF) bit and Type Of Service (TOS).

Posted on

Port scanning techniques for beginners

Hello aspiring Ethical Hackers. In our previous blogpost you learnt what is a port? what is port scanning etc. In this blogpost, you will learn about different port scanning techniques that are be used to determine if a port is open or not. Ethical Hackers and Penetration Testers use different port scanning techniques to determine if a port is open or not. Unless a port is open, you cannot enumerate the service running on it for further exploitation. So, using a wrong port scanning technique can give you a wrong result.

In order to understand the various port scanning techniques, readers need to first understand how TCP communication takes place between programs and applications. You have read in our article on OSI model that the Transport Layer is responsible for reliable data transfer between end systems. You have also read two protocols are used for data transfer between devices and applications. They are Transmission Control Protocol (TCP) and user Datagram Protocol (UDP).

Transmission Control Protocol is a reliable connection-oriented protocol that ensures that data is transmitted accurately and completely between programs and applications.

How TCP communication takes place?

To make sure that data is transmitting correctly and completely, Transmission Control Protocol (TCP) uses various flags in the headers. These flags are given below.

TCP Three-Way Handshake

Before sending data using TCP, two devices establish a connection using a Three-Way handshake which is shown below.

  1. A client sends a TCP packet to the Server with SYN flag set.
  2. The Server responds with a TCP packet with both SYN and ACK flags set.
  3. The client replies to the packet with a TCP packet with ACK flag set.

After this 3-way handshake, both client and Server start sending and receiving data. Now, that you understood how a TCP communication works it’s time to see different port scanning techniques.

1. TCP Connect Scan (-sT)

In this type of scan, NMAP sends a TCP packet to a port with the SYN flags set. If the port is open, the target responds with a SYN/ACK flag set to packet. Then Nmap sends ACK packet. If the port is closed, the target sends a RST packet. If the target doesn’t respond, the port can be considered filtered.

2. SYN or Half-Open Scan (-sS)

In a SYN scan, Nmap sends a SYN packet to the target port. If the port is open, the target sends a “SYN/ACK” set packet. Then Nmap instead of sending a packet with ACK flag set, sends a packet with RST flag set to terminate the connection. Since the Three-way handshake is not complete, it is known as “half-open” scan. Similarly, since the TCP connection is not complete it is not logged and hence considered a stealthy scan. Also, unlike TCP connect scan this scan is fast.

3. ACK Scan (-sA)

Unlike the above two scans, this scan is not used to determine if a port is open or not. In fact, it is used to determine firewall rulesets. In this scan, Nmap sends a packet with ACK flag set to the target port. Here, both open and closed ports send a packet with RST flag set. These ports are labelled as unfiltered. If the ACK packet is dropped, the port is labelled as filtered.

4. NULL Scan (-sN)

In this scan, Nmap doesn’t set any flags while sending a packet to the target. If no response is received, the port is assigned as open/filtered. If an RST flag is received from the target port, the port is considered closed and if any ICMP unreachable error 3, code,1,2, 9,10 or 13 is received, it is considered as filtered.

5. FIN Scan (-sF)

In this scan, Nmap sends a packet with FIN flag set to the target. The result is same as that of NULL scan.

6. XMAS Scan (-sX)

In this type of scan, NMAP sets FIN, PSH and URG flags to the packet and sends it to target port. The result is same as that of Null scan & FIN scan.

Since the packet is lighted up like a Christmas tree when these 3 flags are set, it is known as XMAS scan. Learn about different port scan results.