Hack-proof your Website with Nikto

Do you want to hack-proof your website? Doing so is probably the best way to protect the website from malicious hackers and crackers. It will also give you a better understanding of the security mechanisms of your website. That's why in this post I will try to explain how to exploit the loopholes in websites and in the server on which they are hosted, so that we can fix the problems and the website may become hack-proof (just for fun).
The first step is to find the vulnerabilities in the server on which the targeted website is hosted. I am going to introduce you to a great hacking tool that performs this job (scanning for vulnerabilities). The name of that software is Nikto.

Nikto : Command line tool for scanning web servers
Nikto is a free and open source website vulnerability scanning tool written in Perl (a scripting language like PHP or Python). You can use Nikto as a web server assessment tool for finding insecure files and programs on a web server (especially against XSS vulnerabilities; Cross Site Scripting is one of the important hacking techniques used these days by most attackers).

Scanning websites using Nikto will give the following information:

  • misconfigured server and software
  • default programs and files
  • insecure programs and files
  • outdated programs and servers or plugins

Nikto is available for all the major operating systems, i.e. Linux, Mac OS X and Windows (by using ActiveState Perl).

How to install Nikto in Ubuntu 10.04 :
In Ubuntu 10.04 you can easily install Nikto by using Synaptic Package Manager.
1. Open the Synaptic Package Manager and search for “nikto”.
2. Check the box for install.
3. Click on Apply to install the checked packages.
4. It may ask to install other dependencies; if so, click OK.
5. The installation will begin; wait for it to complete.
6. After the installation completes you can invoke Nikto from the terminal.

Invoking Nikto from the Ubuntu 10.04 shell :
Hit CTRL+ALT+T (the default shortcut for starting a terminal) or start it from Applications->Accessories->Terminal.

Some commonly used commands for hacking :

nikto -host : specifies the host to scan (after -host you can put the host name or IP address of the target web server).

-port : TCP port(s) to scan. You can give a comma-separated list, e.g. 80,443, or a range of ports such as 80-100.

-Cgidirs : scans the specified CGI directories.

-dbcheck : checks the scan databases for syntax errors.

-update : updates the plugins and databases from cirt.net.

-Tuning : tunes the scan tests run against the target.

-Format : specifies the file format of the output.

For more information about the commands used in Nikto you can open /usr/share/doc/nikto/nikto_manual.html or go to its official website: http://cirt.net/nikto2

Examples of website hacks :
nikto -host example.com

– Nikto v2.03/2.04
+ Target IP: xxx.xxx.xxx.xxx
+ Target Hostname: example.com
+ Target Port: 80
+ Start Time: 2010-05-24 16:43:05
+ Server: Apache
– /robots.txt – retrieved but it does not contain any ‘disallow’ entries (which is odd). (GET)
+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.2.12
+ OSVDB-5433: WebLogic may reveal its internal IP or hostname in the Location header. The value is “http://example.com./”.
+ OSVDB-0: Non-standard header -cookie returned by server, with contents: wordpress_test_cookie=WP+Cookie+check; path=/
+ OSVDB-0: Non-standard header x-pingback returned by server, with contents: http://example.com/xyz.php
+ OSVDB-0: Non-standard header x-powered-by returned by server, with contents: PHP/5.2.12
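
The report above is easier to act on in structured form. The following is an added example, not part of the original post or of Nikto itself: it parses the plain-text output shown above and lists the software versions the server discloses. The function names and the regular expressions are assumptions derived only from the sample lines in this post.

```python
import re

# Sample report: lines copied from the scan output shown in the post,
# including the typographic dashes and quotes that appear there.
SAMPLE = """\
+ Target Hostname: example.com
+ Target Port: 80
+ Server: Apache
– /robots.txt – retrieved but it does not contain any ‘disallow’ entries (which is odd). (GET)
+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.2.12
+ OSVDB-5433: WebLogic may reveal its internal IP or hostname in the Location header. The value is “http://example.com./”.
+ OSVDB-0: Non-standard header x-pingback returned by server, with contents: http://example.com/xyz.php
+ OSVDB-0: Non-standard header x-powered-by returned by server, with contents: PHP/5.2.12
"""

# A report line starts with "+" or "-" (or an en dash after web typography).
LINE = re.compile(r"^[+\-\u2013]\s*(.*)$")
META = re.compile(r"^(Target IP|Target Hostname|Target Port|Start Time|Server):\s*(.*)$")
OSVDB = re.compile(r"^OSVDB-(\d+):\s*(.*)$")
# Product/version tokens such as "PHP/5.2.12".
VERSION = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_report(text):
    """Split a Nikto text report into scan metadata and a list of findings."""
    meta, findings = {}, []
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line or line.group(1).startswith("Nikto v"):
            continue  # blank line or the version banner
        body = line.group(1)
        field = META.match(body)
        if field:
            meta[field.group(1)] = field.group(2)
            continue
        hit = OSVDB.match(body)
        findings.append({"osvdb": int(hit.group(1)) if hit else None,
                         "text": hit.group(2) if hit else body})
    return meta, findings


def version_leaks(findings):
    """Software versions the server disclosed, deduplicated and sorted."""
    return sorted({v for f in findings for v in VERSION.findall(f["text"])})


if __name__ == "__main__":
    meta, findings = parse_report(SAMPLE)
    print(meta["Target Hostname"], len(findings), version_leaks(findings))
```

For the sample above, the only disclosed version comes from the X-Powered-By header; for PHP, setting expose_php = Off in php.ini stops the server from sending it.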

Open source website scanner : skipfish

With the rapid growth of the internet, the number of websites is increasing exponentially, and they are a major source of information. Hence it is necessary to keep this source safe from online fraud and hacks. These days websites are mostly hacked due to security holes. Since most are database driven, hackers/crackers also use SQL injection to get credential information from the database. XML injection and Cross Site Scripting (XSS) are other widely used hacking techniques these days. But all these hacks happen due to loopholes in website design and coding.


Skipfish is an open source web security tool which can be used to scan websites for SQL/XML injection or XSS loopholes.
It creates a site map based on a recursive crawl and dictionary-based probes to analyze the security leaks in the websites.

Features of Skipfish :

Performance :
Its performance is very high: it can handle more than 500 requests/sec against internet targets and more than 2000 requests/sec on a LAN with a modest CPU and network. It also offers advanced HTTP/1.1 features, smart response caching and many more.

Simple to use :
It is highly reliable and simple to use. It can automatically create a wordlist based on analysis of the site content. It has a probabilistic scanning feature that allows periodic and time-bound assessments of complex sites.

Well-designed security checks :
It provides security checks against stored XSS (path, parameters and headers), blind SQL and XML injection. It also has signature checks for detecting vulnerabilities.

For more info : http://code.google.com/p/skipfish/wiki/SkipfishDoc

credit : Google Inc