Nikto, NMap, Skipfish and friends

Some specific tools can be used during pentests. The target remains the same: the goal is to build a list of target hosts and to run a full scan against them with several security tools.

Here, I'm focusing on these tools. You have to distinguish between different types of scan:

  • Ports / Services scanning – NMap
  • Vulnerability scanning – Nessus, OpenVAS
  • Web application scanning – Nessus, OpenVAS, Nikto, SkipFish, WebSecurify

Port scanning gives you an overview of the open ports and the nature of the services listening on them.

From that you can deduce which services are running on the host.

Vulnerability scanning then draws up a list of possible breaches or outdated services.

If port 80 or 443 is open, check whether a Web Application Firewall (WAF) is in place, and you can then go on to scan the web application for XSS, SQL injection, a badly built form, a vulnerable structure or other possible data leakage.


First of all, create a file (for example TARGETs.txt) that contains the different hosts, IPs or domains to scan, one entry per line:

www.server1.com
http://www.server2.com
5.5.12.51

1. Basics

Some basics about the different tools.

1) Doing a single target scan

# Nmap
nmap -p80 192.168.0.0/24
nmap -v -A www.server1.com
# Websecurify
websecurify -websecurifytest http://www.server1.com,MyAppWorkspace
# Nikto
nikto.pl -no404 -Format htm -output RESULT.htm -h www.server1.com
# Skipfish
skipfish -Q -o OUTPUT http://www.server1.com/test

2) Multiple Targets Scan

# Nmap
nmap -vv -n -A -iL TARGETs.txt
# Websecurify
websecurify -websecurifytest http://www.server1.com,http://www.server2.com,MySecondWorkspace
# Nikto
nikto.pl -no404 -Format htm -output RESULT.htm -h TARGETs.txt
nmap -p80 192.168.0.0/24 -oG - | nikto.pl -h -
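The target list mixes bare hosts, IPs and full URLs, while nmap wants a bare host and Nikto/Skipfish want a URL. The following helper, an added example that is not part of the original post, normalises one TARGETs.txt-style list into both forms. The host extraction follows the sed expression used in the script further down the page, extended to also strip a port and a trailing path; the function names and the sample list are my own.

```shell
#!/bin/sh
# Added example, not from the original post: turn a TARGETs.txt-style list
# (bare hosts, IPs or full URLs) into the two forms the scanners expect:
# a bare host/IP for nmap (-iL) and a URL for nikto/skipfish.
# Function names are assumptions made for this example.

# Print the bare host or IP from a host, IP or URL.
# Order matters: scheme, then path, then user:pass@, then :port, so that an
# '@' or ':' inside the path cannot be mistaken for credentials or a port.
extract_host() {
  printf '%s\n' "$1" | sed \
    -e 's#^[^/]*//##' \
    -e 's#/.*$##' \
    -e 's#^[^@]*@##' \
    -e 's#:.*$##'
}

# Print a URL for the web scanners: URLs pass through, bare hosts get http://.
to_url() {
  case "$1" in
    http://*|https://*) printf '%s\n' "$1" ;;
    *) printf 'http://%s/\n' "$1" ;;
  esac
}

# Read a target list (one entry per line; blank lines and '#' comments are
# skipped) and print "host<TAB>url" pairs, keeping the first line per host
# so a host listed twice (bare and as a URL) is only scanned once.
normalise_targets() {
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
  while read -r entry; do
    printf '%s\t%s\n' "$(extract_host "$entry")" "$(to_url "$entry")"
  done | awk '!seen[$1]++'
}

# Usage: sh normalise_targets.sh TARGETs.txt
# Column 1 can be fed to "nmap -iL", column 2 to nikto or skipfish.
if [ "$#" -gt 0 ]; then
  normalise_targets "$1"
fi
```

With the post's sample list plus a duplicate entry such as https://user:pass@www.server1.com:8443/app/, the output holds three lines, one per distinct host; `cut -f1` of that output is a valid nmap -iL file, `cut -f2` the list of URLs for the web scanners.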

2. All in One?

A sample of a possible script (it has no error handling and takes no options). I clearly still have to optimize it.

#!/bin/bash

# =======================
# Scan a host with NMAP, Nikto, Skipfish,
# WebSecurify. Do WAF test with Waffit

# Running as ROOT, sorry I'm lazy.

echo "$1"
# -z: the argument must be a non-empty string (-s would test for a
# non-empty file, so a plain hostname or IP would always hit the usage message)
if test -z "$1"
then
  echo "Syntax Error :-x"
  echo "you must provide an IP, a domain or a URL"
  echo "Usage : $0 IP.ADD.RE.SS"
  echo "Usage : $0 target.domain.corp"
  echo "Usage : $0 http://target.domain.corp/"
  exit 1
fi

URL=$1
# Strip the scheme, an optional user:pass@ and anything after the host name,
# so that URI holds the bare host or IP for nmap
URI=$(echo "$URL" | sed -e "s/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/")
echo "The current URI is $URI"
echo "The current URL is $URL"

# Application DIR and BIN
#   Absolute paths, so the binaries are still found after the cd below
BASE_DIR=$PWD
NMAP_BIN=nmap
NIKTO_DIR=$BASE_DIR/nikto
NIKTO_BIN=$NIKTO_DIR/nikto.pl
WEBSECURIFY_BIN=$BASE_DIR/WebSecurify/websecurify
SKIPFISH_DIR=$BASE_DIR/skipfish
SKIPFISH_BIN=$SKIPFISH_DIR/skipfish
WAFFIT_BIN=$BASE_DIR/waffit-read-only/wafw00f.py

# Reports settings
#   Final permissions on the reports (set to the user who should own them)
REPORTS_USER=null
REPORTS_GRP=null
#   Reports output, absolute so it stays valid after the cd below
REPORTS_PATH=$BASE_DIR/report_$(date +%m%d_%H%M)
echo "$REPORTS_PATH"

# =======================
mkdir -p "$REPORTS_PATH"
echo "NMAP Scan started"
"$NMAP_BIN" -vv -n -A "$URI" > "$REPORTS_PATH/NMAP_REPORT.txt"
# Nikto needs to run from its own directory to find its databases and plugins
cd "$NIKTO_DIR"
echo "Nikto2 Scan started"
"$NIKTO_BIN" -no404 -Format htm -output "$REPORTS_PATH/NIKTO_REPORT.htm" -host "$URL"
cd - > /dev/null
echo "WebSecurify Scan started"
# Workspace name is derived from the host; ${URI} braces keep the shell from
# looking for a variable called URI_Workspace
"$WEBSECURIFY_BIN" -websecurifytest "$URL,${URI}_Workspace"
echo "Waffit Scan started"
"$WAFFIT_BIN" "$URL" > "$REPORTS_PATH/WAFFIT_REPORT.txt"
cd "$SKIPFISH_DIR"
echo "SkipFish Scan started"
# Skipfish refuses an output directory that already exists, hence one per host
#"$SKIPFISH_BIN" -t 12 -o "$REPORTS_PATH/$URI" "$URL"
"$SKIPFISH_BIN" -W /dev/null -J -U -Q -u -t 12 -o "$REPORTS_PATH/$URI" "$URL"
cd - > /dev/null
chown -R "$REPORTS_USER:$REPORTS_GRP" "$REPORTS_PATH"
