Cuando quieres analizar las vulnerabilidades de un servidor web, puedes hacerlo con muchísimas herramientas y te recomiendo que no te quedes solo con una… ya que los falsos positivos existen.
Hoy traigo la herramienta muy conocida llamada Nikto que la gran mayoría de vosotros seguro que conocéis.
¿Que es Nikto?
Nikto es un escáner de vulnerabilidad de línea de comandos de software gratuito que escanea servidores web en busca de archivos / CGI peligrosos, software de servidor obsoleto y otros problemas. Realiza comprobaciones genéricas y específicas del tipo de servidor. También captura e imprime las cookies recibidas.
¿Como usar Nikto?
La verdad que es muy fácil de utilizar.
comandoit@comandoit:~# nikto -h servidorvictima -p 80 Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: servidorvictima + Target Hostname: servidorvictima + Target Port: 80 + Start Time: 2020-08-07 18:29:38 (GMT-4) --------------------------------------------------------------------------- + Server: Apache/2.2.8 (Ubuntu) DAV/2 + Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Uncommon header 'tcn' found, with contents: list + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php + Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + Web Server returns a valid response with junk HTTP methods, this may cause false positives. + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST + /phpinfo.php: Output from the phpinfo() function was found. + OSVDB-3268: /doc/: Directory indexing found. + OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc. + OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec 9 12:24:00 2008 + OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + OSVDB-3268: /test/: Directory indexing found. + OSVDB-3092: /test/: This might be interesting... + OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. + OSVDB-3268: /icons/: Directory indexing found. + OSVDB-3233: /icons/README: Apache default file found. + /phpMyAdmin/: phpMyAdmin directory found + OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + 8726 requests: 0 error(s) and 27 item(s) reported on remote host + End Time: 2020-08-07 18:30:18 (GMT-4) (40 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
Como podéis ver, nos analiza el servidor web y nos muestra vulnerabilidades muy interesantes para comprobar.