Do you want to hack-proof your website? It is probably the best method to protect the website from malicious hackers and crackers.It will help you in better understanding about the security mechanism of your website.That’s why in this post I will try to explain how to exploit the loopholes in websites and the server(on which it is hosted) so that we can fix the problems and the website may become hack proof(Just a Fun).
The first step is to find the vulnerabilities in the server on which the targeted website is hosted.I am going to introduce you with a great hacking tool that will perform this job(scanning for vulnerabilities).The name of that software is Nikto.
Nikto : Command line tool for scanning web servers
Nikto is a website vulnerability scanning tool(Free and Open Source) made fr0m Perl(A script programming language like php or python).Hence you can use Nikto as a web server assessment tool for finding insecure files and programs on web server(Specialy against XSS vulnerabilities;Cross Site Scripting is one of the important hacking techniques used thesedays by the most of the attackers).
Scanning Websites Using Nikto will give following information :
- misconfigured server and software
- default programs and files
- insecure programs and files
- outdated programs and servers or plugins
Nikto is available for all the major Operating systems i.e for Linux,MacOSX and windows(By using ActiveState perl).
How to install Nikto in Ubuntu 10.04 :
In Ubuntu 10.04 you can easily install the Nikto by using Synaptic Package Manager.
1.Open the Synaptic Package Manager and search for “nikto”.
2.Check the box for install.
3.Click on Apply changes to install the checked packages.
4.It may ask for installing other dependencies if so then click ok.
5.Installation will begin and wait for its completion.
6.After completion of the installation you can invoke Nikto fr0m the terminal.
Invoking Nikto fr0m Ubuntu 10.04 shell :
Hit CTRL+ALT+T (Default shortcut for starting terminal) or start it fr0m Applications->Accessories->terminal.
Some Commonly used commands for hacking :
nikto -host : to specify the host to scan
(after host you can put host name or IP address of the target web server)
-port : TCP port(s) to scan.You can put by using comma e.g (80,443) or by giving the range of port such as (80-100)
-cgidirs : For scanning specified cgi directories.
-dbcheck : Check the scan databases for syntax errors.
-update : Updates the plugins and databases fr0m cirt.net.
-tunning : this option is used to tune the scan test against the target.
-format : It is used to specify the file format of the output.
For more information about the commands used in Nikto you can go to usr->share->doc->nikto->nikto_mannual.html or go to its official website. http://cirt.net/nikto2
Examples of website hacks :
nikto -host example.com
– Nikto v2.03/2.04
+ Target IP: xxx.xxx.xxx.xxx
+ Target Hostname: example.com
+ Target Port: 80
+ Start Time: 2010-05-24 16:43:05
+ Server: Apache
– /robots.txt – retrieved but it does not contain any ‘disallow’ entries (which is odd). (GET)
+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.2.12
+ OSVDB-5433: WebLogic may reveal its internal IP or hostname in the Location header. The value is “http://example.com./”.
+ OSVDB-0: Non-standard header -cookie returned by server, with contents: wordpress_test_cookie=WP+Cookie+check; path=/
+ OSVDB-0: Non-standard header x-pingback returned by server, with contents: http://example.com/xyz.php
+ OSVDB-0: Non-standard header x-powered-by returned by server, with contents: PHP/5.2.12