Nikto web site scanner
Today I was looking for an automated way to find any security-related server misconfigurations on my website, and found a really nice tool called Nikto that does just that.
In fact, it was so helpful that it showed me I was doing directory indexing through Apache where I didn't want to.
Here is an example of its use.
aczid@aczid:~$ nikto -host blog.aczid.nl
---------------------------------------------------------------------------
- Nikto 2.02/2.03 - cirt.net
+ Target IP: 127.0.1.1
+ Target Hostname: blog.aczid.nl
+ Target Port: 80
+ Start Time: 2009-01-25 0:16:00
---------------------------------------------------------------------------
+ Server: nginx/0.6.32
+ OSVDB-0: Retrieved X-Powered-By header: Phusion Passenger (mod_rails/mod_rack) 2.0.6
- /robots.txt - contains 1 'disallow' entry which should be manually viewed. (GET)
+ OSVDB-0: GET /?mod=some_thing&op=browse : Sage 1.0b3 reveals system paths with invalid module names.
+ OSVDB-3092: GET /sitemap.xml : This gives a nice listing of the site content.
+ OSVDB-3092: GET /archives/ : This might be interesting...
+ OSVDB-3092: GET /stats/ : This might be interesting...
+ 2967 items checked: 6 item(s) reported on remote host
+ End Time: 2009-01-25 0:16:00 (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
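Nikto's OSVDB-3092 "might be interesting" hits are only hints: it saw a 200 for a directory path but did not confirm that the server actually returns a listing. The script below is an added example (my own code, not part of Nikto or of the original post) that turns the plain-text report above into structured findings, picks out the directory-shaped candidates, and classifies a fetched page body as an autoindex listing. The report lines are copied from the scan in the post; the HTML bodies are constructed samples, and the line regex assumes the Nikto 2.0x text format shown here, which later versions format differently.

```python
"""Parse a Nikto 2.0x plain-text report and flag directory-listing candidates.

Added example for this post, not Nikto's own code. Runs offline against the
report embedded below (copied from the scan in the post) and two constructed
HTML bodies standing in for what a follow-up GET of each path would return.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the findings section of the report shown in the post.
SAMPLE_REPORT = """\
+ Server: nginx/0.6.32
+ OSVDB-0: Retrieved X-Powered-By header: Phusion Passenger (mod_rails/mod_rack) 2.0.6
- /robots.txt - contains 1 'disallow' entry which should be manually viewed. (GET)
+ OSVDB-0: GET /?mod=some_thing&op=browse : Sage 1.0b3 reveals system paths with invalid module names.
+ OSVDB-3092: GET /sitemap.xml : This gives a nice listing of the site content.
+ OSVDB-3092: GET /archives/ : This might be interesting...
+ OSVDB-3092: GET /stats/ : This might be interesting...
+ 2967 items checked: 6 item(s) reported on remote host
"""

# Constructed bodies: what nginx's autoindex returns for /archives/, and an
# ordinary page, used to show the listing check without touching the network.
NGINX_LISTING = (
    '<html>\r\n<head><title>Index of /archives/</title></head>\r\n'
    '<body bgcolor="white">\r\n<h1>Index of /archives/</h1><hr><pre>'
    '<a href="../">../</a>\r\n<a href="2009/">2009/</a>\r\n</pre><hr></body>\r\n</html>'
)
NORMAL_PAGE = "<html><head><title>blog</title></head><body><p>hello</p></body></html>"


@dataclass
class Finding:
    osvdb: str               # OSVDB id as printed; "0" means no reference entry
    method: Optional[str]    # HTTP method Nikto used, when the line records one
    path: Optional[str]      # request path, when the line records one
    message: str


# Nikto 2.0x prints "+ OSVDB-NNNN: METHOD /path : message"; informational
# lines such as the X-Powered-By one carry no method/path pair.
FINDING_RE = re.compile(
    r"^\+ OSVDB-(?P<osvdb>\d+): (?:(?P<method>[A-Z]+) (?P<path>\S+) : )?(?P<message>.*)$"
)
SERVER_RE = re.compile(r"^\+ Server: (?P<banner>.+)$")

# Apache's mod_autoindex and nginx's autoindex both title the page "Index of /path".
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def parse_report(text: str) -> List[Finding]:
    """Return every OSVDB-tagged line as a Finding; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(m["osvdb"], m["method"], m["path"], m["message"]))
    return findings


def server_banner(text: str) -> Optional[str]:
    """The Server header Nikto recorded, if any."""
    for line in text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            return m["banner"]
    return None


def directory_candidates(findings: List[Finding]) -> List[str]:
    """OSVDB-3092 paths that look like directories and so deserve a manual GET."""
    return [f.path for f in findings
            if f.osvdb == "3092" and f.path is not None and f.path.endswith("/")]


def is_directory_listing(body: str) -> bool:
    """True when a response body is an autoindex page rather than real content."""
    return bool(LISTING_RE.search(body))


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("server:", server_banner(SAMPLE_REPORT))
    for path in directory_candidates(report):
        print("check manually:", path)
    print("/archives/ is a listing:", is_directory_listing(NGINX_LISTING))
```

Fetch each candidate path yourself and run the body through `is_directory_listing`; a hit is the misconfiguration the post describes. The fix is `autoindex off;` in the relevant nginx `location` block, or `Options -Indexes` in the Apache directory configuration, after which the same GET should return 403 or the directory's index page.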
And remember, Gort! Klaatu barada nikto!