Nikto – Web server scanner

Note: Nikto is included in latest Kali Linux (2020.1)

Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.

It can be used to discover potential issues and security vulnerabilities from web servers including:

  • Server and software misconfigurations
  • Default files and programs
  • Insecure files and programs
  • Outdated servers and programs [1]

Some basic usages/Quick start

Scan the IP/Host on TCP port 80

nikto -h 10.0.0.1
 
nikto -h contoso.com

Scan the IP/Host on specified port (443 in this case)

nikto -h 10.0.0.1 -p 443
 
nikto -h https://10.0.0.1:443/

Multiple Ports

nikto -h 10.0.0.1 -p 40,443,3128

Using a proxy

# Using the proxy server specified from configuration file
nikto -h 10.0.0.1 -p 80 -useproxy
 
# Specifying proxy server on the fly
nikto -h 10.0.0.1 -useproxy http://127.0.0.1:3128/

Help

$ nikto -H
   Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
        -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               json  JSON Format
                               htm   HTML Format
                               nbe   Nessus NBE format
                               sql   Generic SQL (see docs for schema)
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host/URL
       -404code           Ignore these HTTP codes as negative responses (always). Format is "302,301".
       -404string         Ignore this string in response body content as negative response (always). Can be a regular expression.
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host (e.g., 1h, 60m, 3600s)
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -Option            Over-ride an option in nikto.conf, can be issued multiple times
       -output+           Write output to this file ('.' for auto-name)
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Save              Save positive responses to this directory ('.' for auto-name)
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               d     WebService
                               e     Administrative Console
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -useragent         Over-rides the default useragent
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -url+              Target host/URL (alias of -host)
       -useproxy          Use the proxy defined in nikto.conf, or argument http://server:port
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
                + requires a value

Resources

[1] Nikto v2.1.5 – The Manual
[2] Github


How to: Remove/Clear journal log files (To free some storage) for Debian/Ubuntu etc.

Journal logs are stored in “/var/log/journal” folder

journal logs
journal logs

Check journal log file size

We can open that folder to check manually or use “ncdu” command, we can also use dedicate journalctl command

sudo journalctl --disk-usage
sudo journalctl --disk-usage
sudo journalctl –disk-usage

Change maximum journal log folder size

1 Open “/etc/systemd/journald.conf” file

2 Change or add following line

SystemMaxUse=

To a size you prefer

SystemMaxUse=100M

Force log rotation

sudo systemctl kill --kill-who=main --signal=SIGUSR2 systemd-journald.service
 
sudo systemctl restart systemd-journald.service

Did you know even you are in incognito mode, browsing behaviour can be still be tracked by canvas fingerprinting

The canvas element in HTML5 is on attribute to be used fingerprinting, namely “canvas fingerprinting”. This attribute will write and read an image while rendering the web page. As the value of a retrieved image provides a unique characteristic of the user operating system that is sufficient enough to be used for identification of a web browser. [1]

Block canvas fingerprint completely is not an good idea as well. Just like User-Agent. Since most of browsers has canvas fingerprint, if one doesn’t, it actually makes it easier to identifying that specific browser.

Change the canvas fingerprint frequently is also too obvious since most browsers don’t change it frequently or never changes.

The last resort will be change the canvas fingerprint with longer period of time rather than change it every 10 minutes etc. daily or weekly can be better, although it may not increase any kind of anonymity, or we can manually switch the canvas fingerprint when necessary, e.g. when new identity is necessary.

Nowadays, many browsers are compatible with plugins. We can install plugins to achieve manual switch of canvas fingerprint easily.

Warning: These techniques won’t help to achieve full anonymity. Only used for fight against canvas fingerprinting .(and still not 100% effective)

To achieve better anonymity, there are a lot more things we need to take care about e.g. IP address, email address etc.

Tools

Here are some tools we can use to check our canvas fingerprint and other privacy/tracking related matters associated with browsers.

browserleaks.com

Browserleaks – Canvas fingerprint

Resources

[1] S. Luangmaneerote, E. Zaluska, and L. Carr, “Survey of existing fingerprint countermeasures,” in 2016 International Conference on Information Society (i-Society), 2016: IEEE, pp. 137-141.


Introduction to /etc/passwd and /etc/shadow files in Linux systems (Debian/Ubuntu/CentOS/RHEL etc.)

Linux operating systems store all username and password (including administrators/root) in /etc/passwd and /etc/shadow file.

/etc/passwd

Each user has a line of corresponding record which records basic attributes. Only root/administrators can modify it. All other users have read only access to it.

/etc/shadow

As name suggested, this file is like shadow of “passwd” file. The record in “shadow” file is corresponding to the records in “passwd” file. Records is “shadow” file is automatically produced by “pwconv” command based on “passwd” file. Only root/administrators have read and write access to “shadow” file, other users can’t read it.

File permission for passwd and shadow
File permission for passwd and shadow

About /etc/passwd

sudo vi /etc/passwd
partial passwd file
partial passwd file
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

There are 7 columns for each record

ColumnDescription
1Username
2Placeholder, x = password is required to login, empty = password is not required to login
3User UID
4User GID
5Extra information, Full name, contact information etc.
6Home directory
7Login shell, /bin/bash = Login to system shell enabled, /sbin/nologin = User can’t login

About /etc/shadow

sudo vi /etc/shadow
partial shadow file
partial shadow file
root:!:18313:0:99999:7:::
daemon:*:18313:0:99999:7:::
bin:*:18313:0:99999:7:::
sys:*:18313:0:99999:7:::
sync:*:18313:0:99999:7:::
games:*:18313:0:99999:7:::
man:*:18313:0:99999:7:::
lp:*:18313:0:99999:7:::
mail:*:18313:0:99999:7:::
news:*:18313:0:99999:7:::

There are 8 columns for each record

ColumnDecription
1Username
2Password (!! = no password, encrypted if password is set)
3Days between last change of password and 01/01/1970
4Minimum password age (Validated days)
5Maximum password age (Validated days)
6Buffer time (Days) after the password is expired (After the password is expired, for how many days the user can change the password, old password can’t be used to login again during this period of time)
7Number of days after password expires that account is disabled
8Date which the account is disabled (Days since 01/01/1979)
9Not used yet

How to: Switch Desktop Environments for Kali Linux easily

By default, Kali Linux uses XFCE as desktop environment, it is lightweight and quick.

Sometimes we want to switch to other desktop environment like GNOME, here is how (Switch to other desktop environment will have similar steps)

We can Install GNOME desktop environment with tasksel. (Easier)

1 Launch tasksel

sudo tasksel
sudo tasksel
sudo tasksel

2 Make sure “GNOME” is selected (Use Up/Down Arrow keys to navigate through the list, Space key to select/deselect)

tasksel
tasksel

3 Use tab key to highlight “<Ok>”, then hit “Enter” key to confirm and install GNOME

tasksel - OK
tasksel – OK

4 After the installation is done, we need to use following command to change default desktop environment

sudo update-alternatives --config x-session-manager
sudo update-alternatives --config x-session-manager
sudo update-alternatives –config x-session-manager

5 Enter correct number which represents corresponding desktop environments (In this case we enter 1, then press Enter key again)

We select GNOME desktop environment
We select GNOME desktop environment

6 We reboot the system

sudo reboot

7 Login to the system

8 Now we can see Kali Linux is using GNOME as desktop environment

sudo update-alternatives --config x-session-manager
sudo update-alternatives –config x-session-manager

To switch back, we just simply repeat step 4 to step 7 again, but use different number, e.g. number for xfce4 is 2 this time in above image.

To switch to other desktop environments, the steps are very similar, we just need to install different desktop environment first then make sure selecting the correct desktop environment for x-session-manager.


How to: Upgrade Roundcube webmail easily with terminal/command

Roundcube is an open source web/online MUA (mail user agent)

Note!: Don’t forget to change the download link and folder name for wget and Install/Update (Step 2 and 4)

#1 Switch to /tmp directory
cd /tmp
 
#2 Download the package with wget
wget https://github.com/roundcube/roundcubemail/releases/download/1.4.3/roundcubemail-1.4.3-complete.tar.gz
 
#3 Extract the package
tar xf roundcubemail-*.tar.gz
 
#4 Install/Update
./roundcubemail-1.4.3/bin/installto.sh /destinationFolder/roundcube

Extended Reading

MUA (mail user agent) Is used for users to read, compose, and send email. Examples of MUAs are Roundcube, SquirrelMail, pine, Microsoft Outlook etc.

MTA (mail transfer agent) Is used for the transport, delivery, and forwarding of email. Examples of MTAs like SMTP servers are POSTFIX, sendmail etc.


How to: Run Linux commands with time limit/timeout (Kill process/command after some time)

Sometimes we want to stop or kill the command after a period of time, so that we don’t get stuck with that command and wasting resources etc. To specify timeout or time limit for Linux command, we can use timeout command

Command Usage/Parameters

timeout [OPTION] DURATION COMMAND [ARG]...

DURATION is integer or floating point with unit

s: Seconds (Default)

m: Minutes

h: Hours

d: Days

Without units appended, by default it is considered as seconds.

If the DURATION is 0, the timeout is disabled.

Basic Usage

Timeout ping command after 3 seconds

timeout 3 ping 127.0.0.1
timeout 3 ping 127.0.0.1
timeout 3 ping 127.0.0.1

Timeout ping command after 3 minutes

timeout 3m ping 127.0.0.1

Timeout ping command after 3 days

timeout 1d ping 127.0.0.1

Timeout ping command after 3.2 seconds

timeout 3.2s ping 127.0.0.1

Send specific signal after timeout

By default if signal is not specified, timeout command will use “SIGTERM” signal after timeout. We can use -s (-signal) switch to specific which signal to send after timeout

e.g. Send SIGKILL signal to ping command after 3 seconds

sudo timeout -s SIGKILL 3s ping 127.0.0.1
sudo timeout -s SIGKILL 3s ping 127.0.0.1
sudo timeout -s SIGKILL 3s ping 127.0.0.1

We can use the name of the signal or the number of the signal

e.g. We can use 9 as SIGKILL to achieve same result

sudo timeout -s 9 3s ping 127.0.0.1
sudo timeout -s 9 3s ping 127.0.0.1
sudo timeout -s 9 3s ping 127.0.0.1

To list all acceptable signal, we can use kill -l to find out

kill -l
[email protected]:~# kill -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL       5) SIGTRAP
 6) SIGABRT      7) SIGBUS       8) SIGFPE       9) SIGKILL     10) SIGUSR1
11) SIGSEGV     12) SIGUSR2     13) SIGPIPE     14) SIGALRM     15) SIGTERM
16) SIGSTKFLT   17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
21) SIGTTIN     22) SIGTTOU     23) SIGURG      24) SIGXCPU     25) SIGXFSZ
26) SIGVTALRM   27) SIGPROF     28) SIGWINCH    29) SIGIO       30) SIGPWR
31) SIGSYS      34) SIGRTMIN    35) SIGRTMIN+1  36) SIGRTMIN+2  37) SIGRTMIN+3
38) SIGRTMIN+4  39) SIGRTMIN+5  40) SIGRTMIN+6  41) SIGRTMIN+7  42) SIGRTMIN+8
43) SIGRTMIN+9  44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9  56) SIGRTMAX-8  57) SIGRTMAX-7
58) SIGRTMAX-6  59) SIGRTMAX-5  60) SIGRTMAX-4  61) SIGRTMAX-3  62) SIGRTMAX-2
63) SIGRTMAX-1  64) SIGRTMAX
kill -l
kill -l

Stop frozen process

SIGTERM, the default signal can be ignored by some processes, thus the program will keep running. To make sure the process is killed, we can use -k (–kill after) switch with specified time. When the time limited reached, force to kill the process.

e.g. Let the shell script run for 2 minutes, if it did not exit, then kill after 5 seconds

timeout -k 5s 2m sh test.sh

By default the timeout command will run in background, if we want to run it in foreground, refer to following example

timeout --foreground 2m ./test.sh

timeout help

Usage: timeout [OPTION] DURATION COMMAND [ARG]...
  or:  timeout [OPTION]
Start COMMAND, and kill it if still running after DURATION.
Mandatory arguments to long options are mandatory for short options too.
      --preserve-status
                 exit with the same status as COMMAND, even when the
                   command times out
      --foreground
                 when not running timeout directly from a shell prompt,
                   allow COMMAND to read from the TTY and get TTY signals;
                   in this mode, children of COMMAND will not be timed out
  -k, --kill-after=DURATION
                 also send a KILL signal if COMMAND is still running
                   this long after the initial signal was sent
  -s, --signal=SIGNAL
                 specify the signal to be sent on timeout;
                   SIGNAL may be a name like 'HUP' or a number;
                   see 'kill -l' for a list of signals
  -v, --verbose  diagnose to stderr any signal sent upon timeout
      --help     display this help and exit
      --version  output version information and exit
DURATION is a floating point number with an optional suffix:
's' for seconds (the default), 'm' for minutes, 'h' for hours or 'd' for days.
A duration of 0 disables the associated timeout.
If the command times out, and --preserve-status is not set, then exit with
status 124.  Otherwise, exit with the status of COMMAND.  If no signal
is specified, send the TERM signal upon timeout.  The TERM signal kills
any process that does not block or catch that signal.  It may be necessary
to use the KILL (9) signal, since this signal cannot be caught, in which
case the exit status is 128+9 rather than 124.
GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation at: <https://www.gnu.org/software/coreutils/timeout>
or available locally via: info '(coreutils) timeout invocation'

How to: Add DSCP, QoS, 802.1Q VLAN ID to Wireshark columns

Sometimes we want to see DSCP, QoS, 802.1Q VLAN ID information while diagnosing the network.

Here is how to add those to columns for easier inspecting

1 Launch Wireshark, select an NIC to work with

2 Right click on the column (Near top, under the toolbar)

Wireshark - column
Wireshark – column

3 Then click on “Column Preferences…”

Wireshark - Column Preferences...
Wireshark – Column Preferences…

4 Navigate to “Appearance -> Columns”

Wireshark - Preferences
Wireshark – Preferences

5 Click on the “+” button

6 Add the necessary rows from below table (Title can be different)

TitleTypeFieldsField Occurrence
DSCPCustomip.dsfield.dscp0
DSCP ValueIP DSCP Value
QoSCustomqos0
802.1Q802.1Q VLAN id
Wireshark - Preferences - Add column
Wireshark – Preferences – Add column

7 When finished, click on “OK” button

8 Now we can see those added columns

Wireshark with added columns
Wireshark with added columns