Network.Security.Tools [Electronic resources] - text version

4.5. Adding Custom Entries to the Plug-in Databases



A key advantage of many plug-ins is that you can extend them through their
.db data-driver files. The msgs, outdated, realms, and core plug-ins all
use .db files as their signature databases. Because each plug-in works
differently and needs different input, the field layout of each .db file
is different. The one thing they share is the Comma Separated Value (CSV)
format: every Nikto plug-in calls the parse_csv( ) routine in the core
plug-in to turn each line of its .db file into an array.



4.5.1. .db Files Associated with the nikto_core Plug-in



The nikto_core plug-in uses servers.db to categorize a target based on its
Server: header. The file contains categories of web servers and the regular
expressions that map banners to them. To limit testing time and false
positives, Nikto calls get_banner( ) to retrieve the Server: banner and then
sets the server category with set_server_cats( ). The scan_database.db file
and the optional user_scan_database.db file drive the main checks launched
from nikto_core.plugin; both share the same syntax, one check per line:


[Server category], [URI], [Status Code / Search Text], [HTTP Method], [Message]
"iis","/","Length Required","SEARCH","WebDAV is installed.\n"
"cern","/.www_acl","200","GET","Contains authorization information"
"generic","/cfdocs/examples/httpclient/mainframeset.cfm","200!not found","GET","This might be interesting"


The first entry on the first line is the server category, in this case
iis. Once the category has been determined, only checks of that category
are run against the target, unless the -generic command-line option is
specified; this reduces total scan time and false positives. The second
entry is the URI to request. The third entry is what Nikto looks for in
the response: if it is found, the check registers as a finding and the
appropriate output is displayed to the user. You can specify both a status
code and search text in this field, using ! as the separator. The fourth
entry is the HTTP method for the request, typically GET or POST (the first
line uses SEARCH to probe for WebDAV). The fifth entry is the message Nikto
prints if the check succeeds.


Note that the checks on the first and second lines are similar, except
that on the second line the "search text" field holds an HTTP response
code. If Nikto sees a number in this field, it treats it as a response
code, and the check succeeds if the actual response code matches. The
third line shows a variation: it specifies both a response code to look
for and search text to match against. The check succeeds only if the
response code is 200 and the returned page does not contain the string
not found (case-sensitive). Look at the following log of the third check:
because the response code was 404 and not 200, the check is known to have
failed.


REQUEST: **************
GET /cfdocs/examples/httpclient/mainframeset.cfm HTTP/1.1\r\n
Host: 192.168.0.100\r\n
\r\n
RESPONSE: **************
HTTP/1.1 404 Not Found\r\n
Date: Tue, 08 Jun 2004 23:58:30 GMT\r\n
Server: Apache/1.3.19 (QNX) PHP/4.1.3 mod_ssl/2.6.4 OpenSSL/0.9.6c\r\n
Transfer-Encoding: chunked\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
\r\n
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<HTML><HEAD>\n<TITLE>404 Not Found</TITLE>\n</HEAD><BODY>\n<H1>Not Found</H1>\nThe requested URL /cfdocs/examples/httpclient/mainframeset.cfm was not found on this server.<P>\n</BODY></HTML>\n
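The following is an added example, not Nikto's own code: a small Python loader for scan_database.db-style lines and an evaluator for the third field, so you can see how a custom entry behaves before adding it. The three database lines are constructed from the ones quoted above; the rule that "generic" entries always run and that -generic forces every entry is an assumption not stated on this page.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample modelled on the three scan_database.db lines quoted above.
SCAN_DB = '''\
"iis","/","Length Required","SEARCH","WebDAV is installed."
"cern","/.www_acl","200","GET","Contains authorization information"
"generic","/cfdocs/examples/httpclient/mainframeset.cfm","200!not found","GET","This might be interesting"
'''


@dataclass
class Check:
    category: str   # server category, or "generic"
    uri: str        # path requested
    match: str      # third field: status code, search text, or "code!text"
    method: str     # HTTP method to use
    message: str    # printed when the check succeeds


def parse_db(text):
    """Turn each CSV line into a Check; blank lines and '#' comments are skipped."""
    checks = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(row)}")
        checks.append(Check(*row))
    return checks


def check_matches(check, status, body):
    """Evaluate the third field against a response, per the rules in the text.

    - an all-digit field compares against the response status code;
    - "code!text" succeeds when the status equals code AND the body does
      NOT contain text (the negated form the third example relies on);
    - anything else is search text that must appear in the body
      (case-sensitive, as the text notes).
    """
    field = check.match
    if "!" in field:
        code, needle = field.split("!", 1)
        return status == int(code) and needle not in body
    if field.isdigit():
        return status == int(field)
    return field in body


def applicable(checks, category, generic=False):
    """Select the checks that would run against a server of the given category.

    Assumption (not stated on the page): entries in the "generic" category
    always run, and the -generic option (generic=True) forces every entry.
    """
    if generic:
        return list(checks)
    return [c for c in checks if c.category in (category, "generic")]
```

Feeding the 404 response from the log above into check_matches() for the third entry returns False, which is the failure the text describes; a 200 whose body happens to contain "not found" also fails, which is exactly why that negated form exists.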



4.5.2. outdated.db for the nikto_outdated Plug-in



The nikto_outdated plug-in, as the name suggests, checks the web server
version given in the Server: header to determine whether it is outdated.
It does this by comparing the retrieved banner to the versions in the
outdated.db file. Note that web servers vary in how they announce
themselves in the Server: header. It is easy for a person to see that
Apache/1.3.26-WebDav and apache-1.3.26 are the same version of the Apache
web server, but it is hard for a scanner. The nikto_outdated plug-in makes
a best guess at the separators (a space, /, -, and so on) and then
translates any alphabetic characters in the version to their ASCII ordinal
values so that versions can be compared numerically (see the debug output a
few paragraphs down).


The syntax of outdated.db is as follows:


[Web Server Banner], [Current Version], [Display Message]
"Apache/","Apache/2.0.47","@RUNNING_VER appears to be outdated (current is at least @CURRENT_VER). Apache 1.3.28 is still maintained and considered secure."


The first entry is the string the plug-in matches on to determine if
the current line's checks should be run. The second
entry is the version of the web server that is considered up-to-date.
The third entry is the message displayed if the version is outdated.
The @RUNNING_VER and
@CURRENT_VER tokens will be replaced with the
strings that their names suggest.


The plug-in's logic flow is easiest to see by running Nikto with the
-debug flag. The debug output below shows that the plug-in chose the /
character as the separator for parsing the web server banner, parsed out
the version (what Nikto calls numberification, misspelled
"numberifcation" in the output), and finally compared the major and minor
versions running on the target against the Current Version, printing the
Display Message string because the version is outdated.


D: nikto_outdated.plugin: verstring: Apache/, sepr:/
D: nikto_outdated.plugin: $CURRENT:apache/2.0.47:$RUNNING:apache/1.3.29:
D: nikto_outdated.plugin: $CURRENT:2.0.47:$RUNNING:1.3.29: (after numberifcation)
D: nikto_outdated.plugin: major compare: $CUR[0]:2: $RUN[0]:1:
+ Apache/1.3.29 appears to be outdated (current is at least Apache/2.0.47).
Apache 1.3.28 is still maintained and considered secure.
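As an added example (not Nikto's code), here is the separator guess, numberification and version comparison from the debug output above, written in Python and generalized to the "-" and space separators the text mentions. The outdated.db line is constructed from the one quoted above. Two details are assumptions, since the page does not state them: the first field is matched case-insensitively on the product name only (so "apache-1.3.26" also hits the "Apache/" entry), and @RUNNING_VER is filled with the first token of the banner.

```python
import csv
import io
import re

# Constructed sample modelled on the outdated.db line quoted above.
OUTDATED_DB = '''\
"Apache/","Apache/2.0.47","@RUNNING_VER appears to be outdated (current is at least @CURRENT_VER). Apache 1.3.28 is still maintained and considered secure."
'''

# Product name, then one separator (/, - or space), then a dotted version.
# The product group is non-greedy so "Microsoft-IIS/5.0" keeps its hyphen
# while "apache-1.3.26" splits at the hyphen.
_VERSION_RE = re.compile(r"^([a-z][a-z0-9_-]*?)([/\- ])\s*(\d+(?:\.\d+)*)")


def split_banner(banner):
    """Guess the separator and return (product, separator, [ints]) for a banner.

    Mirrors the debug output: lowercase the banner, find the separator after
    the product name, then "numberify" the version into integer components.
    Trailing text such as "-WebDav" or " (Unix)" is ignored.  Returns None
    when no dotted version follows the product name.
    """
    m = _VERSION_RE.match(banner.lower().strip())
    if not m:
        return None
    product, sep, version = m.groups()
    return product, sep, [int(p) for p in version.split(".")]


def is_outdated(running, current):
    """Compare major, then minor, then patch; missing components count as 0."""
    width = max(len(running), len(current))

    def pad(v):
        return v + [0] * (width - len(v))

    return pad(running) < pad(current)


def check_outdated(server_banner, db_text=OUTDATED_DB):
    """Return the message for the first outdated.db entry that flags the banner.

    Assumptions beyond the page: product names are compared case-insensitively
    after stripping the trailing separator from the first field, and
    @RUNNING_VER is replaced with the first token of the banner.
    """
    running = split_banner(server_banner)
    if running is None:
        return None
    for row in csv.reader(io.StringIO(db_text)):
        if not row or row[0].startswith("#"):
            continue
        verstring, current_ver, message = row
        product = verstring.lower().rstrip("/- ")
        if running[0] != product:
            continue
        current = split_banner(current_ver)
        if current and is_outdated(running[2], current[2]):
            return (message.replace("@RUNNING_VER", server_banner.split()[0])
                           .replace("@CURRENT_VER", current_ver))
    return None
```

check_outdated("Apache/1.3.29") reproduces the "+ Apache/1.3.29 appears to be outdated ..." line from the debug session; a banner at or above the Current Version returns None. Keep in mind the comparison is purely numeric: a vendor-patched 1.3.x (the "still maintained" case the message itself mentions) is always reported as outdated against 2.0.47.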



4.5.3. realms.db for the nikto_realms Plug-in



The realms.db file contains the entries that drive the attacks the
nikto_realms plug-in attempts against a server's HTTP Basic
authentication.


The syntax is as follows:


[Realm], [Username], [Password],[Success Message]
"@ANY","test","test","Generic account discovered."
"ConfigToolPassword",,,"Realm matches a Nokia Checkpoint Firewall-1"


The plug-in checks whether the realm matches, and if so it attempts to
authenticate with the Username and Password. On success the message is
displayed to the user. The entry @ANY is a wildcard that matches all
realms.
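An added example, not Nikto's code, of the realm matching and the Basic credential the plug-in would send. It parses the realm out of a WWW-Authenticate challenge, applies the @ANY wildcard, builds the Authorization header, and simulates the server side with a constructed set of accepted "user:password" strings instead of a live request. The realms.db lines are constructed from the two quoted above. One assumption the page does not confirm: an entry with empty username and password (the ConfigToolPassword line) is treated as a realm fingerprint that reports its message without a login attempt.

```python
import base64
import csv
import io
import re

# Constructed sample modelled on the two realms.db lines quoted above.
REALMS_DB = '''\
"@ANY","test","test","Generic account discovered."
"ConfigToolPassword",,,"Realm matches a Nokia Checkpoint Firewall-1"
'''

_REALM_RE = re.compile(r'^\s*Basic\b.*?\brealm\s*=\s*"?([^",]*)"?', re.IGNORECASE)


def parse_realm(www_authenticate):
    """Pull the realm out of a WWW-Authenticate value such as
    'Basic realm="ConfigToolPassword"'.  Returns None for non-Basic challenges."""
    m = _REALM_RE.match(www_authenticate)
    return m.group(1) if m else None


def basic_authorization(username, password):
    """Build the Authorization header value for HTTP Basic credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def plan_attempts(realm, db_text=REALMS_DB):
    """Return (message, Authorization value or None) for every entry that applies.

    @ANY matches every realm.  Assumption (the page does not say): an entry
    with empty username and password is a pure realm fingerprint, so it
    reports its message without a login attempt.
    """
    attempts = []
    for row in csv.reader(io.StringIO(db_text)):
        if not row or row[0].startswith("#"):
            continue
        entry_realm, username, password, message = row
        if entry_realm != "@ANY" and entry_realm != realm:
            continue
        auth = basic_authorization(username, password) if (username or password) else None
        attempts.append((message, auth))
    return attempts


def run_realm_checks(www_authenticate, accepted, db_text=REALMS_DB):
    """Simulate the plug-in against a server whose Basic auth accepts the
    'user:password' strings in `accepted` (a constructed stand-in for a real
    request).  Returns the success messages in database order."""
    realm = parse_realm(www_authenticate)
    if realm is None:
        return []
    hits = []
    for message, auth in plan_attempts(realm, db_text):
        if auth is None:
            hits.append(message)
            continue
        creds = base64.b64decode(auth.split(" ", 1)[1]).decode()
        if creds in accepted:
            hits.append(message)
    return hits
```

Because @ANY entries are tried against every realm, each custom credential pair you add to realms.db costs one request per protected resource Nikto finds; keep wildcard entries few and put vendor-specific defaults under their real realm name.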



4.5.4. server_msgs.db for the nikto_msgs Plug-in



The nikto_msgs plug-in performs matches
on the web server banner. If a certain version is found, it will
display the corresponding message. One of the benefits of the
plug-in's .db file syntax is
that it uses Perl regular expressions to match on the banner.


The syntax for server_msgs.db is as follows:



[Web Server RegEx], [Success Message]
"Apache\/2\.0\.4[0-5]","Apache versions 2.0.40 through 2.0.45 are vulnerable to a DoS in basic authentication. CAN-2003-0189."
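As an added example (not Nikto's code), a Python loader for server_msgs.db that compiles each pattern and reports the line number of any malformed regex, followed by the banner match. The database line is constructed from the one quoted above. Python's re module accepts the Perl-style escaped slash in the pattern unchanged, so the entry can be tested as written before it goes into the file.

```python
import csv
import io
import re

# Constructed sample modelled on the server_msgs.db line quoted above.
SERVER_MSGS_DB = r'''"Apache\/2\.0\.4[0-5]","Apache versions 2.0.40 through 2.0.45 are vulnerable to a DoS in basic authentication. CAN-2003-0189."
'''


def load_msgs(db_text):
    """Compile each [RegEx, Message] line into (compiled regex, message).

    A bad pattern raises ValueError naming the line, which is the check you
    want before dropping a hand-written entry into the live database.
    """
    rules = []
    for lineno, row in enumerate(csv.reader(io.StringIO(db_text)), start=1):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(row)}")
        pattern, message = row
        try:
            rules.append((re.compile(pattern), message))
        except re.error as exc:
            raise ValueError(f"line {lineno}: bad regex {pattern!r}: {exc}") from exc
    return rules


def banner_messages(banner, rules):
    """Return the messages whose regex matches anywhere in the Server: banner."""
    return [message for regex, message in rules if regex.search(banner)]
```

The patterns are unanchored searches, so "Apache/2.0.43" is still found inside a longer banner that lists modules after it; when you write a custom entry, escape the dots as the sample does, or "2.0.4" will also match "2x0x4".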


