Niktoについて
Niktoとはすでに公表されているセキュリティホールや設定について、辞書ベースでスキャンするツールです。 Metasploitable2に対してNiktoを実行することでどのような脆弱性がスキャンされるか試してみました。
検証を行った環境
今回は下記IPアドレスでテストを行うことにしました。
Kali Linux 192.168.28.3
Metasploitable2 192.168.28.4
niktoコマンドの実行
Kali Linux上でniktoコマンドを実行します。
┌──(root㉿kali)-[~] └─# nikto -h 192.168.28.4 - Nikto v2.5.0 --------------------------------------------------------------------------- + Target IP: 192.168.28.4 + Target Hostname: 192.168.28.4 + Target Port: 80 + Start Time: 2023-05-11 22:53:34 (GMT9) --------------------------------------------------------------------------- + Server: Apache/2.2.8 (Ubuntu) DAV/2 + /: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10. + /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/ + /index: Uncommon header 'tcn' found, with contents: list. + /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275 + Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch. + /: Web Server returns a valid response with junk HTTP methods which may cause false positives. + /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing + /phpinfo.php: Output from the phpinfo() function was found. + /doc/: Directory indexing found. + /doc/: The /doc/ directory is browsable. This may be /usr/doc. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678 + /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184 + /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184 + /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184 + /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184 + /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + /phpMyAdmin/ChangeLog: Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Wed Dec 10 02:24:00 2008. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418 + /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + /test/: Directory indexing found. + /test/: This might be interesting. + /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552 + /icons/: Directory indexing found. + /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/ + /phpMyAdmin/: phpMyAdmin directory found. + /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/ + /#wp-config.php#: #wp-config.php# file found. This file contains the credentials. + 8910 requests: 0 error(s) and 27 item(s) reported on remote host + End Time: 2023-05-11 22:54:20 (GMT9) (46 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
大量の脆弱性が検出されたことが分かります。 今回は以上です。