Nikto – Web server scanner

Note: Nikto is included in the latest Kali Linux (2020.1)

Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.

It can be used to discover potential issues and security vulnerabilities in web servers, including:

  • Server and software misconfigurations
  • Default files and programs
  • Insecure files and programs
  • Outdated servers and programs [1]

Basic usage / Quick start

Scan the IP/host on TCP port 80

nikto -h 10.0.0.1
 
nikto -h contoso.com

Scan the IP/host on a specified port (443 in this case)

nikto -h 10.0.0.1 -p 443
 
nikto -h https://10.0.0.1:443/

Multiple Ports

nikto -h 10.0.0.1 -p 40,443,3128

Using a proxy

# Using the proxy server specified from configuration file
nikto -h 10.0.0.1 -p 80 -useproxy
 
# Specifying proxy server on the fly
nikto -h 10.0.0.1 -useproxy http://127.0.0.1:3128/

Help

$ nikto -H
   Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
       -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               json  JSON Format
                               htm   HTML Format
                               nbe   Nessus NBE format
                               sql   Generic SQL (see docs for schema)
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host/URL
       -404code           Ignore these HTTP codes as negative responses (always). Format is "302,301".
       -404string         Ignore this string in response body content as negative response (always). Can be a regular expression.
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host (e.g., 1h, 60m, 3600s)
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -Option            Over-ride an option in nikto.conf, can be issued multiple times
       -output+           Write output to this file ('.' for auto-name)
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Save              Save positive responses to this directory ('.' for auto-name)
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               d     WebService
                               e     Administrative Console
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -useragent         Over-rides the default useragent
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -url+              Target host/URL (alias of -host)
       -useproxy          Use the proxy defined in nikto.conf, or argument http://server:port
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
                + requires a value

Resources

[1] Nikto v2.1.5 – The Manual
[2] Github


How to: Switch Desktop Environments for Kali Linux easily

By default, Kali Linux uses XFCE as its desktop environment; it is lightweight and quick.

Sometimes we want to switch to another desktop environment such as GNOME. Here is how (switching to any other desktop environment follows similar steps).

We can install the GNOME desktop environment with tasksel (the easier way).

1 Launch tasksel

sudo tasksel

2 Make sure “GNOME” is selected (use the Up/Down arrow keys to navigate the list and the Space key to select/deselect)

3 Use the Tab key to highlight “<Ok>”, then press Enter to confirm and install GNOME

4 After the installation is done, use the following command to change the default desktop environment

sudo update-alternatives --config x-session-manager

5 Enter the number that represents the desired desktop environment (in this case we enter 1), then press Enter again

6 Reboot the system

sudo reboot

7 Log in to the system

8 Now Kali Linux is using GNOME as its desktop environment; running the same command again shows the current selection

sudo update-alternatives --config x-session-manager

To switch back, simply repeat steps 4 to 7 with a different number; e.g. the number for xfce4 was 2 in the selection list above.

To switch to other desktop environments the steps are very similar: install the desktop environment first, then make sure the correct one is selected for x-session-manager.


How to: Run Linux commands with time limit/timeout (Kill process/command after some time)

Sometimes we want to stop or kill a command after a period of time, so that we do not get stuck waiting on it and wasting resources. To set a timeout or time limit for a Linux command, we can use the timeout command.

Command Usage/Parameters

timeout [OPTION] DURATION COMMAND [ARG]...

DURATION is an integer or floating point number with an optional unit:

s: Seconds (Default)

m: Minutes

h: Hours

d: Days

Without a unit appended, the value is treated as seconds.

If the DURATION is 0, the timeout is disabled.

Basic Usage

Timeout ping command after 3 seconds

timeout 3 ping 127.0.0.1

Timeout ping command after 3 minutes

timeout 3m ping 127.0.0.1

Timeout ping command after 1 day

timeout 1d ping 127.0.0.1

Timeout ping command after 3.2 seconds

timeout 3.2s ping 127.0.0.1

Send specific signal after timeout

By default, if no signal is specified, the timeout command sends “SIGTERM” after the timeout. We can use the -s (--signal) switch to specify which signal to send after the timeout.

e.g. Send SIGKILL signal to ping command after 3 seconds

sudo timeout -s SIGKILL 3s ping 127.0.0.1

We can use either the name of the signal or its number.

e.g. 9 is SIGKILL, so this achieves the same result

sudo timeout -s 9 3s ping 127.0.0.1

To list all acceptable signals, we can use kill -l

kill -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL       5) SIGTRAP
 6) SIGABRT      7) SIGBUS       8) SIGFPE       9) SIGKILL     10) SIGUSR1
11) SIGSEGV     12) SIGUSR2     13) SIGPIPE     14) SIGALRM     15) SIGTERM
16) SIGSTKFLT   17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
21) SIGTTIN     22) SIGTTOU     23) SIGURG      24) SIGXCPU     25) SIGXFSZ
26) SIGVTALRM   27) SIGPROF     28) SIGWINCH    29) SIGIO       30) SIGPWR
31) SIGSYS      34) SIGRTMIN    35) SIGRTMIN+1  36) SIGRTMIN+2  37) SIGRTMIN+3
38) SIGRTMIN+4  39) SIGRTMIN+5  40) SIGRTMIN+6  41) SIGRTMIN+7  42) SIGRTMIN+8
43) SIGRTMIN+9  44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9  56) SIGRTMAX-8  57) SIGRTMAX-7
58) SIGRTMAX-6  59) SIGRTMAX-5  60) SIGRTMAX-4  61) SIGRTMAX-3  62) SIGRTMAX-2
63) SIGRTMAX-1  64) SIGRTMAX

Stop frozen process

SIGTERM, the default signal, can be ignored by some processes, so the program keeps running. To make sure the process is killed, use the -k (--kill-after) switch with a duration: if the command is still running that long after the first signal was sent, it is forcibly killed with the KILL signal.

e.g. Let the shell script run for 2 minutes; if it has not exited by then, kill it 5 seconds later

timeout -k 5s 2m sh test.sh

The --foreground option is for when timeout is not run directly from a shell prompt: it lets COMMAND read from the TTY and receive TTY signals, but in this mode children of COMMAND are not timed out. Refer to the following example

timeout --foreground 2m ./test.sh
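The following script is an added example, not part of the original post: it captures the exit status that timeout returns in each situation described above and in the help text below (finished in time, timed out, --preserve-status, -s KILL, and a TERM-ignoring child escalated with -k), so the codes 124, 128+9 = 137 and the command's own status are observed rather than assumed. It assumes GNU coreutils timeout and a POSIX sh; the child commands are constructed stand-ins for a real job.

```shell
#!/bin/sh
# Added example (not from the original post): observe the exit status of
# GNU coreutils `timeout` in each situation its help text describes.
# The child commands (sleep, a TERM-ignoring loop) are constructed stand-ins.

# Run the given command line and print its exit status.  `|| rc=$?` keeps a
# non-zero status from aborting callers that run with `set -e`.
run_status() {
    rc=0
    "$@" || rc=$?
    echo "$rc"
}

# Command finishes inside DURATION: timeout passes the command's own status through.
finished_in_time() {
    run_status timeout 5 sh -c 'exit 3'                 # prints 3
}

# Command outlives DURATION: TERM is sent and timeout itself reports 124.
timed_out() {
    run_status timeout 1 sleep 10                       # prints 124
}

# --preserve-status: report the command's own status instead of 124.  A process
# ended by SIGTERM is reported as 128+15.
timed_out_preserve() {
    run_status timeout --preserve-status 1 sleep 10     # prints 143
}

# -s KILL: the signal cannot be caught and the status is 128+9 rather than 124.
# `-s 9` is equivalent, since signals may be given by name or number.
killed_outright() {
    run_status timeout -s KILL 1 sleep 10               # prints 137
}

# A stubborn child: `trap "" TERM` ignores the first signal, and each sleep that
# TERM kills is simply restarted.  -k 1 sends KILL one second later, which
# nothing can ignore, so the result is again 137 instead of 124.
stubborn_escalated() {
    run_status timeout -k 1 1 sh -c 'trap "" TERM; while :; do sleep 1; done'   # prints 137
}

# Summary when run directly (about five seconds in total).
printf 'finished in time:      %s\n' "$(finished_in_time)"
printf 'timed out:             %s\n' "$(timed_out)"
printf 'timed out (preserve):  %s\n' "$(timed_out_preserve)"
printf 'killed with -s KILL:   %s\n' "$(killed_outright)"
printf 'TERM ignored, -k KILL: %s\n' "$(stubborn_escalated)"
```

A wrapper script can therefore tell "the job failed" (its own status) from "the job was cut off" (124) and "the job had to be forced" (137), and alert on the latter two.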

timeout help

Usage: timeout [OPTION] DURATION COMMAND [ARG]...
  or:  timeout [OPTION]
Start COMMAND, and kill it if still running after DURATION.
Mandatory arguments to long options are mandatory for short options too.
      --preserve-status
                 exit with the same status as COMMAND, even when the
                   command times out
      --foreground
                 when not running timeout directly from a shell prompt,
                   allow COMMAND to read from the TTY and get TTY signals;
                   in this mode, children of COMMAND will not be timed out
  -k, --kill-after=DURATION
                 also send a KILL signal if COMMAND is still running
                   this long after the initial signal was sent
  -s, --signal=SIGNAL
                 specify the signal to be sent on timeout;
                   SIGNAL may be a name like 'HUP' or a number;
                   see 'kill -l' for a list of signals
  -v, --verbose  diagnose to stderr any signal sent upon timeout
      --help     display this help and exit
      --version  output version information and exit
DURATION is a floating point number with an optional suffix:
's' for seconds (the default), 'm' for minutes, 'h' for hours or 'd' for days.
A duration of 0 disables the associated timeout.
If the command times out, and --preserve-status is not set, then exit with
status 124.  Otherwise, exit with the status of COMMAND.  If no signal
is specified, send the TERM signal upon timeout.  The TERM signal kills
any process that does not block or catch that signal.  It may be necessary
to use the KILL (9) signal, since this signal cannot be caught, in which
case the exit status is 128+9 rather than 124.
GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation at: <https://www.gnu.org/software/coreutils/timeout>
or available locally via: info '(coreutils) timeout invocation'

Linux Command Line/ Terminal Disk Space Usage tool (Find largest folder/file)

For finding largest file/folder or showing disk space usage on Windows, refer to this one: How to: Find Largest file on Windows, Windows 7, Windows 10, Microsoft Windows, Windows Server (Disk Space Usage)

Ncdu (NCurses Disk Usage) is a command line tool to view and analyse disk space usage on Linux.

It can be installed easily on most Linux systems with the package manager.

Installation on Debian/Kali Linux/Ubuntu etc.

sudo apt install ncdu -y
 
OR
 
sudo aptitude install ncdu -y

Installation on RHEL/CentOS/Fedora etc.

If the EPEL repo is not installed yet, install it first

sudo yum -y install epel-release

Next, install ncdu

sudo yum install ncdu -y

Using ncdu is simple.

Show usage of the current working directory

ncdu

Show info for a folder, e.g. “/etc”

ncdu /etc

To show more info about an item while in ncdu, press the “i” key (press “i” again to dismiss)

Press Shift + ? to show the help document while in ncdu

Press “q” key to quit menus and the ncdu program


How to: Use shortcut keys/Key combinations in Linux Terminal

1 Tab

When entering a command, type the beginning of the command, file name, folder name or option, then press the “Tab” key; it completes the rest automatically or shows all possible completions.

2 Ctrl + C

Terminate/kill the running command or process immediately (signal SIGINT). It can be intercepted by a program, so the program can clean up before exiting, or not exit at all.

3 Ctrl + Z

Suspend a process by sending it the SIGSTOP signal; it cannot be intercepted by the program.

4 Ctrl + D

Exit the current terminal. If you are using SSH, it will close it. If you are using a terminal directly, it will close the terminal window.

5 Ctrl + L

Clear the terminal screen, same effect as the “clear” command

6 Ctrl + A

Move the cursor to the beginning of the line (same as pressing the “Home” key)

7 Ctrl + E

Move the cursor to the end of the line (same as pressing the “End” key)

8 Ctrl + U

Wipe the line and move the cursor to its beginning (instead of clearing the line slowly with the “Backspace” key)

9 Ctrl + K

Wipe the content from the cursor to the end of the line

10 Ctrl + W

Clear a word


11 Ctrl + Y

Pastes the text removed by Ctrl + U, Ctrl + W and Ctrl + K. If you have deleted text by mistake, this is helpful.

12 Ctrl + P

Recall the last command; press repeatedly to go back further. Many terminals also provide this via the PageUp key, and some via the up arrow key (↑).

13 Ctrl + N

Same as Ctrl + P but in the opposite direction: navigates to more recent commands. Many terminals also provide this via the PageDown key, and some via the down arrow key (↓).

14 Ctrl + R

Search the command history

Bonus:

Alternatively, we can use the “history” command to show all previous commands

To search the history, we can use “history | grep searchTerm”


How to: Upgrade Kali Linux & How to: Check Kali Linux current version

Use the following command as root to upgrade Kali Linux

apt update && apt -y full-upgrade

How to Check Current Version of Kali Linux

grep VERSION /etc/os-release
uname -a

e.g.

root@k:~# grep VERSION /etc/os-release
VERSION="2020.1"
VERSION_ID="2020.1"
VERSION_CODENAME="kali-rolling"
root@k:~# uname -a
Linux k 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64 GNU/Linux
root@k:~# uname -v
#1 SMP Debian 5.4.13-1kali1 (2020-01-20)
root@k:~# uname -r
5.4.0-kali3-amd64

NOTE: The output of uname -r may be different depending on architecture.

Resources

Kali Linux 2020.1 Release


Kali Linux – pip/pip3 install -r requirements.txt fail

The Error

When executing the following command in Kali Linux

pip install -r requirements.txt
 
OR
 
pip3 install -r requirements.txt

we get the error

Command “python setup.py egg_info” failed with error code 1 in ….

or other errors.

We can give the following fix a try.

The Fix

Use the following command instead

pip install --upgrade --force-reinstall -r requirements.txt
 
OR
 
pip3 install --upgrade --force-reinstall -r requirements.txt

Basics about Network configuration in Linux, IP commands, configuration files etc.

1 Some useful basic IP commands

1.1 Use network/Interface configuration files to make permanent changes.

For CentOS/RHEL/Fedora etc.

File: /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"
BOOTPROTO=static
ONBOOT=yes
TYPE="Ethernet"
IPADDR=10.0.0.10
NAME="System eth0"
HWADDR=00:53:78:2C:7D:9E
GATEWAY=10.0.0.1

For Debian/Ubuntu/Kali Linux etc.

File: /etc/network/interfaces

auto eth0
iface eth0 inet static
address 10.0.0.10
netmask 255.255.255.0
gateway 10.0.0.1

Restart network services to make the changes take effect

sudo /etc/init.d/networking restart
 
OR
 
sudo service networking restart
 
OR
 
systemctl restart networking

1.2 Assign an IP address to a specific interface (eth0 in this example) (non-persistent; it is lost after a system reboot)

sudo ip addr add 10.0.0.10/24 dev eth0

1.3 Remove IP address from a specific interface

sudo ip addr del 10.0.0.10/24 dev eth0

1.4 Check IP address

sudo ip addr
 
OR
 
sudo ip addr show
 
OR
 
sudo ifconfig

1.5 Enable Network interface

sudo ip link set eth0 up

1.6 Disable Network interface

sudo ip link set eth0 down

1.7 Check routing table

sudo ip route show

1.8 Add a static route (non-persistent)

sudo ip route add 10.0.0.0/24 via 192.168.5.20 dev eth0

Remove it again with

sudo ip route del 10.0.0.0/24

1.9 Add persistent static routes

For CentOS/RHEL/Fedora etc.

File: /etc/sysconfig/network-scripts/route-eth0

Add the following

10.0.0.0/24 via 192.168.5.20 dev eth0

For Debian/Ubuntu/Kali Linux etc.

File: /etc/network/interfaces

Add the following

up ip route add 10.0.0.0/24 via 192.168.5.20 dev eth0

Restart network services to make the changes take effect

sudo /etc/init.d/networking restart
 
OR
 
sudo service networking restart
 
OR
 
systemctl restart networking

1.10 Add default gateway

sudo ip route add default via 10.0.0.1

2 Network configuration file

For CentOS/RHEL/Fedora etc.

File: /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
   #Alias name for the NIC
BOOTPROTO={static|dhcp|none|bootp}
   #Boot protocol, static|none;dhcp
IPADDR=192.168.10.10
   #Set IP address
NETMASK=255.255.255.0
   #Netmask
GATEWAY=192.168.10.1
   #Gateway
ONBOOT=yes|no
   #Activate the network port or not, on boot
HWADDR=00:1E:0B:8F:B0:D0
   #MAC address; if it is the same as the hardware's default MAC address, this line can be omitted
DNS1=202.106.0.20
   #Specify DNS server
USERCTL=yes|no
   #Users (non-admin/root) allowed to enable/disable this port or not
PEERDNS=yes|no
   #Accept/Reject the DNS server from DHCP while BOOTPROTO is dhcp

For Debian/Ubuntu/Kali Linux etc.

File: /etc/network/interfaces

auto eth1
     #Automatically connect to Ethernet on boot
iface eth1 inet static
     #Assign IP address by static/dhcp
address 192.168.72.8
     #IP address
netmask 255.255.255.0
     #Netmask
gateway 192.168.72.1
     #Default gateway
dns-nameservers 8.8.8.8 4.4.2.2
     #DNS server

3 Hosts configuration

File: /etc/hosts

192.168.0.10 internalserver.mynet

4 Network Interface Controller (NIC) Naming

lo: Loopback (localhost) interface

ppp#: Point-to-Point Protocol interfaces

eth#: Ethernet interfaces

5 Network management tool

Two tools are commonly used: the network service and NetworkManager.

network

Restart network

sudo /etc/init.d/network restart

NetworkManager

NetworkManager can be used to manage the network easily. When X Window is not available, its text-based interface nmtui can be used to manage the network without editing configuration files manually.

nmtui

6 NetworkManager cli

NetworkManager provides CLI tools as well, alongside nmtui

nmcli con show
     #Get UUID table
nmcli dev
     #Check network device status
nmcli r wifi off
     #Turn off wifi

Start NetworkManager on boot

chkconfig NetworkManager on
 
OR
 
systemctl enable NetworkManager

Start NetworkManager immediately

service NetworkManager start
 
OR
 
systemctl start NetworkManager