- nikto_core: The core plug-in, as the name suggests, contains the core functionality for the main vulnerability-checking routines. These routines are available for use within the rest of the plug-ins. This plug-in and its exported routines were discussed in detail in the previous section.
- nikto_realms: This plug-in checks whether the web server uses HTTP Basic authentication. If it does, it loads default usernames and passwords and attempts to guess valid credentials.
- nikto_headers: This plug-in iterates through the HTTP headers in the server response and reports back any that are interesting from a security perspective; these include X-Powered-By, Content-Location, Servlet-Engine, and DAAP-Server.
- nikto_robots: This plug-in retrieves the robots.txt file if it is available and reports back interesting entries, such as Disallow. "Friendly" web site crawlers check the robots.txt file to determine whether they should follow any rules when crawling the web site.
- nikto_httpoptions: This plug-in reviews the allowed HTTP methods, as reported via an OPTIONS request to the web server. Dangerous methods include PUT, CONNECT, and DELETE, among others.
- nikto_outdated: This plug-in focuses on the Server HTTP header and uses a "best-guess" parser to determine the web server version, then checks that version against a list of up-to-date web server versions found in the outdated.db file.
- nikto_msgs: As with the nikto_outdated plug-in, this plug-in focuses on the Server HTTP header, but it uses the web server version to determine whether there are any version-specific security warnings.
- nikto_apacheusers: This plug-in checks whether the UserDir option in Apache, or the equivalent in another web server, is enabled. If this option is enabled, valid system users can be enumerated by generating URIs such as /~root for use in requests.
- nikto_mutate: This plug-in is enabled only if -m 1 is specified on the command line. If the MUTATEDIRS and MUTATEFILES variables are set in Nikto's configuration, each request is mutated three times. The first time is the standard request, the second has the MUTATEDIRS item prepended to the URI, and the third has a MUTATEFILES entry appended to the URI. You should not use this plug-in with its default settings because the mutation engine is extremely slow.
- nikto_passfiles: This plug-in is enabled only if -m 2 is specified on the command line. It has an array of common password filenames such as passwd, .htpasswd, etc. It combines the filenames with common file extensions and directory names to make requests in an attempt to check for files with interesting information (usually credentials). Be aware that using this plug-in with its default settings yields more than 2,000 checks.
- nikto_user_enum_apache: This plug-in is enabled only if -m 3 is specified on the command line. It guesses usernames with the same URI formatting technique as the nikto_apacheusers plug-in. It's not recommended for general use because the default generation engine is set for five-character alphabetic usernames and thus produces 11,881,376 checks.
- nikto_user_enum_cgiwrap: This plug-in is enabled only if -m 4 is specified on the command line. Its logic is very similar to that of the nikto_user_enum_apache plug-in. The key difference is that this plug-in uses an enumeration technique specific to the CGIWrap program. CGIWrap is a web server extension that allows for better security by running CGI scripts as the user that created them instead of as the web server user. The plug-in generates URIs such as /cgi-bin/cgiwrap/userguess. Keeping in mind that the username generation routine is the same as in nikto_user_enum_apache, the same warnings apply.
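The nikto_headers, nikto_httpoptions and nikto_outdated checks above all reduce to inspecting a single HTTP response head, which is also what an administrator does when verifying what their own server discloses. The following Python audit is an added example, not Nikto's code: the header names and dangerous methods come from the descriptions above, CURRENT_VERSIONS is a constructed stand-in for outdated.db, and the sample response head is constructed rather than captured.

```python
import re
from typing import Dict, List, Tuple
# Headers the nikto_headers description singles out as security-relevant.
INTERESTING_HEADERS = {"x-powered-by", "content-location", "servlet-engine", "daap-server"}
# Methods the nikto_httpoptions description calls dangerous.
DANGEROUS_METHODS = {"PUT", "CONNECT", "DELETE"}
# Constructed stand-in for outdated.db: product -> newest version this table knows of.
CURRENT_VERSIONS = {"apache": (2, 4, 58), "nginx": (1, 24, 0), "php": (8, 2, 0)}

def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response head into a dict keyed by lowercase header name."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # element 0 is the status line
        if not line:                        # blank line terminates the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_server_header(value: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """Best-guess parse of a Server header into (product, version) pairs, e.g.
    'Apache/2.2.3 (Unix) PHP/5.2.4' -> [('apache', (2, 2, 3)), ('php', (5, 2, 4))]."""
    found = re.findall(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", value)
    return [(p.lower(), tuple(int(n) for n in v.split("."))) for p, v in found]

def version_str(v: Tuple[int, ...]) -> str:
    return ".".join(map(str, v))

def audit_response(raw: str) -> List[str]:
    """Return the findings the three plug-ins would report for one response head."""
    findings: List[str] = []
    headers = parse_headers(raw)
    for name in sorted(INTERESTING_HEADERS & set(headers)):
        findings.append(f"interesting header: {name}: {headers[name]}")
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    for method in sorted(DANGEROUS_METHODS & allowed):
        findings.append(f"dangerous method allowed: {method}")
    for product, version in parse_server_header(headers.get("server", "")):
        current = CURRENT_VERSIONS.get(product)
        # Tuple comparison: a truncated 'Apache/2.4' sorts below (2, 4, 58) and is flagged (conservative).
        if current is not None and version < current:
            findings.append(f"outdated: {product} {version_str(version)} < {version_str(current)}")
    return findings

# Constructed sample response head, not captured from any real server.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Unix) PHP/5.2.4\r\n"
                   "X-Powered-By: PHP/5.2.4\r\nAllow: GET,HEAD,POST,OPTIONS,PUT,DELETE\r\n"
                   "Content-Type: text/html\r\n\r\n<html>...</html>")

if __name__ == "__main__": print("\n".join(audit_response(SAMPLE_RESPONSE)))
```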