Nikto Cheat Sheet

15-09-2021
 |  [RAND-100] - Comments

Purpose of this post

This cheat sheet is the main resource coming in with me into my CAB441 Network Security exam. As we have access to the internet, it was encouraged to create a sheet that would be readily accessible and CTRL-F-able.

The cheat sheet contains info about the following topics: Basic Linux Networking Tools (ip, dig) Information Gathering (whois, CT logs, subdomain enumeration) TCP Tools (ncat) TLS Tools (openssl, ncat, sslyze, socat) HTTP Tools (python webserver, curl, nikto, gobuster) Feb 18, 2014 Nikto is not designed as a stealthy tool. That’s exactly the place where cheat sheets come in handy! Hacking Tools Cheat Sheet. So, I created a cheat sheet that contains lots of commands and tools that we often use during our penetration tests, security assessments or red teaming engagements. The cheat sheet contains info about the following topics: Basic Linux Networking Tools (ip, dig). Nikto Cheat Sheet Introduction To Networks V6 Packet Tracer Activities Alien Skin Bokeh 2.0.1.493 (32 How Far Back To Mount Bosch Dishwasher Hyster H80c Parts Pvp Tag Plugin Ampli Fener Numero Deserie How To Train Your Dragon 3 Torrent Hitman: Sniper Challenge Video Card Requirements The Novo Group.

Network Security

Iptables

Here’s a coolcheat sheet. man iptables and main iptables-extensions are both very useful. If you want to visualise your iptables rules,check this out.

Chains

There are five built in iptables chains.

  • INPUT
  • OUTPUT
  • FORWARD
  • PREROUTING
  • POSTROUTING

Tables

There are five built-in iptables tables. The first three are the most common. The following descriptions have been taken from the TABLES section of the man pages. The previous flow chart also shows the different tables.

  • filter

    This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

  • nat

    This table is consulted when a packet that creates a new connection is encountered. It consists of four built-ins: PREROUTING (for altering packets as soon as they come in), INPUT (for altering packets destined for local sockets), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

  • mangle

    This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

There are also raw and security tables.

Targets

There are six iptables targets.

  • ACCEPT

    Let the packet through.

  • DROP

    Drop the packet on the floor

  • REJECT

    Let the other end know the destination port is unreachable

  • MASQUERADE

    Mask the private IP address of a node with the exernal IP address of the firewall / gateway

  • RETURN

    Stop traversing the chain and resume at the next rule in the previous (calling) chain. If the end of the chain is reached, the chain policy is used.

  • QUEUE

    Pass the packet to userspace

Note: there are more targets that have very specific cases. For example, the DNAT target can only exist in the nat table and will only be valid in the PREROUTING and OUTPUT chains. More info about these targets can be found in the iptables and iptables-extensions man pages.

Rules

Delete all rules:

Set a default policy:

Set a rule for a certain protocol:

Iptables extensions

iptables can use extended packet matching and target modules using the -m option.

Nikto Cheat Sheet 2018

If a protocol is specified using the -p option, and an unknown extension option is encountered, iptables will load a match module identical to the name of the protocol.

These extended match modules allow further constraints on rules and add more command line options.

Matching the state of a packet

Redirecting a packet destined for port 80 to a different ip:

View man iptables-extensions for more information.

Snort

You can write rules for snort by creating a .rules file in the /etc/snort/rules folder. Alternatively, you can edit the snort.conf file or use the local.rules file. Read more about how to write snort ruleshere.

The complete docs can be foundright here.

Basic snort rule syntax:

Actions

  • alert: alerts and logs the packet when triggered
  • log: only logs the packet when triggered
  • pass: ignored or drops the packet or traffic matching
  • dynamic: alerts then activates a dynamic rule or rules
  • drop: block and log the packet
  • reject: block the packet, log it, and then send an unreachable message
  • sdrop: block the packet but do not log it

Rule options

  • msg: <sample message>: Logs the message into /var/snort/log on a successful match
  • flags: <flags>: Match specific TCP flags (see below)
  • content: <text>: Match specific text in a packet
  • content: |<hex>|: Match specific hex characters
  • sid: <snort id>: Unique number to identify rules easily
  • rev: <revision #>: Rule revision number
  • reference: <ref>: Where to go to get more info about the rule
  • gid: <generator id>: Identifies which part of snort generated the alert.

You can find more information about rule optionsat the snort docs.

TCP flags

  • A = ACK
  • F = FIN
  • P = PSH
  • R = RST
  • S = SYN
  • U = URG
  • 2 = reserved bit
  • 1 = most significant bit
  • 0 = no flags

Examples

Alert when a URL is over 200 bytes long.

Web Penetration Testing

Resources

  1. Web Penetration Writeup:A pen-test walk-through, eerily mirroring the web penetration testing practical.

  2. SQL Injection Cheat Sheet:The SQL injection cheat sheet used in the aforementioned walkthrough.

  3. nmap Cheat Sheet:Simple nmap cheat sheet. The command man nmap is also very useful.

  1. nikto Cheat Sheet:Nikto scanner cheat sheet. man nikto can also be used on Kali.
  1. sqlmap Cheat SheetSqlmap scanner cheat sheet. man sqlmap can also be used on Kali.

Steps

  1. Identify the devices by performing a ping scan.

  2. After finding the devices, perform a service / port scan for each device.

  3. Since this is a web penetration test, use the results of the previous nmap scan to find which device is running a http or ssl/http service. These are typically on ports 80, 433 or 8080 and contain words like httpd, Apache, etc.

  4. When the target device has been identified, visit the pages in a web browser to see what’s there. Alternatively, this could be done with the curl command. Check for common directories and files like /login, sitemap.xml and robots.txt.

  5. If nothing in particular stands out from an initial inspection, use the nikto command to perform a more thorough inspection.

    If nothing useful pops up, run nikto on a different port or using ssl.

    It might also pay to run nikto with different tuning options. To focus on SQL Injection use the command

    For more help with nikto, refer to nikto -h or man nikto.

    Note: Nikto is self described as being not stealthy, if stealth is your goal it may pay to spend more time on Step 4.

  6. Nikto will return a bunch of information relating to your query. Most likely you’ll see a bunch of directories and files on the server that may be of interest. You should inspect these files and look for any SQL injection opportunities.

  7. Plan in advance how you intend to get a reverse shell, as the exam has a fixed time and sqlmap can take a long time to run. In the case of the practical, it was obvious that it would be through the wordpress site. Once I’d gathered enough information, I decided that the easiest way to get into the wordpress site would be finding an admin user’s password.

Attack

When a page with a form or endpoint that is vulnerable to SQL injection is found, use the sqlmap tool to perform an attack.

If you’ve found a form, you can paste the following JavaScript method into your browser’s console to get the data string.

When you have it, try and find a list of databases using:

Typically, it will use a delay based technique to determine the contents of the SQL database. If you issued the above command, and followed the prompts, you’ll see the command will slowly letter-by-letter spell out the databases on the device. When you see one that will aid your takeover.

Once you see a database that will be of interest, feel free to perform a keyboard interrupt and continue on with the next steps.

Find the tables in the target database:

Once again it will type out letter-by-letter the contents of the table. When you spot something interesting, skip straight to finding it’s contents.

Find the contents of a table:

Note: Instead of going through step by step like I explained, you could use the sqlmap wizard. I find this to be incredibly slow however, and wouldn’t encourage it in a time-limited situation. Nonetheless, if you’d like to use the wizard issue the command:

Take control

The steps to get a reverse shell will depend on the content of the database. In the case of the practical, finding the contents of the database allowed you to log into the wordpress site that was present. After logging in, a php reverse shell script could easily be added to the site.

Nikto Cheat Sheet

Tips

  1. Try accessing the site using different protocols. https:// and http:// are often used to show different things.

  2. sqlmap can often take ages, but it stores data to disk as it goes. So if you perform a keyboard interrupt you can often get right back to where you were.

  3. The default table name for a Wordpress site is wordpress8080

  4. The Wordpress admin page lives as /admin

  5. This gistshows an easy way to get a reverse PHP shell

    Before visiting the page, you should set up the listener.

  6. Since the POST method doesn’t show the data as query parameters, you will have to use the --data option of sqlmap. More information on using sqlmap with POST can be foundhere.

  7. John the Ripper is a useful piece of software in Kali that can crack passwords.

Exploiting Buffer Overflows

Resources

Before attempting a buffer overflow, you should read up on how the CPU works on a low level.

Steps

  1. Setup the machine with the vulnerability and open Immunity Debugger.

  2. Attach Immunity Debugger to the application and start it up.

  3. Determine how to cause the buffer overflow - you will most likely be told. When you know, you can start to fuzz the input to cause a crash. The following script was used for SLMail and comes fromhere.

    Upon causing a crash, note down the length of the buffer required to cause the crash.

  4. Determine what part of the message ends up being written to the EIP register. This can be done using the pattern_create.rb file in the metasploit tools directory. This will create a unique string that will allow you to see how many characters are required to make it into the program counter.

    Now copy and paste this into your python script.

    Finally, inspect immunity debugger and note the characters in the EIP register. Cross reference with the pasted buffer to determine the offset.

    Note: pattern_create.rb has a sister tool called pattern_offset.rb that can help you to determine the offset.

  1. Now that you know start of the part of the message that overflows into the program counter, verify that it’s correct by sending a buffer made of “A's, “B's and “C's. The “A's represent the data that consumes the stack, the “B's represent the return address and the “C's represent the arbitrary shellcode to be executed.

    You can easily create this buffer using python:

  2. Once you’ve verified that the offset is correct, you have to find a way to get an instruction into the program counter that will jump to the top of the stack and begin executing your arbitrary shell code.

    Inside immunity debugger, click on the command box at the bottom of the page and write the following command:

    This will bring up a list of modules / libraries that are dynamically linked to the executable. Inside one of these modules is probably the assembly command JMP ESP, which will jump to the top of the stack.

    When deciding on a DLL to use, it’s important that you choose one that was compiled with DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) disabled.

  3. Once you’ve found a module with the previous security features turned off, you must search for the command JMP ESP inside it. The shellcode for this command is FFE4 which can be found using the nasm-shell.rb utility in metasploit. Return to the command box and issue:

    Note down the address of the memory that contains the command. As Windows is little endian, the bytes of the address should be reversed.

  4. There’s one final thing to do before starting the attack - find “bad characters” that will cause your program to stop.

    To find out what characters are bad, send a list of all ascii characters and note where it stops. Remove the troublesome characters and try again until all of them make it through. Make note of the “bad characters”.

    Here’s a list of all ascii characters:

Attack

Sheet

Now that you’ve got all the information required to execute code on the target machine. This can be done using the tools msfvenom and shikata_ga_nai.

Once you have the payload, add it back into your python code. It’s important that you space the payload out with some NOP characters (x90) so that your program has space to execute.

Take control

Now that you’ve got your payload ready, it’s just a matter of setting up a nc listener and performing the exploit. It’s important that you test the payload before attacking a real machine, because you only get one shot. It’s also important that you don’t forget to make the return address the right one for the network you’re on.

Bennett is a Software Engineer working at Clipchamp.He spends most of his day playing with React and Gatsby, and editing videos and his nights programming in Rust.You can follow him on Github or Twitter.
Previous
Changing from X.org and i3wm to Sway and Wayland
Next
How to complete the Advent of Code 2018 challenges with Rust

All the tables provided in the cheat sheets are also presented in tables below which are easy to copy and paste.

The Nikto cheat sheet covers:

  • Installation
  • Standard command to scan websites
  • Scan options
  • Display options
  • Output options
  • Tuning options

Nikto Cheat Sheet Printable

View or Download the Cheat Sheet JPG image

Right-click on the image below to save the JPG file ( 2427 width x 2302 height in pixels), or click here and open it in a new browser tab. Once the image opens in a new window, you may need to click on the image to zoom in and view the full-sized jpeg.

View or Download the cheat sheet PDF file

You can download the cheat sheet PDF file here. If it opens in a new browser tab, simply right click on the PDF and navigate to the download selection.

What’s included in the Cheat Sheet

The following categories and items have been included in the cheat sheet:

Nikto Cheat Sheet Sans

Installation

Standard command to scan websites

Nikto Cheat Sheet Github


Standard command to scan websites



nikto –host (web url host name) –(http port number )


Nikto Cheat Sheet Excel

Scan options


Scan options



Nikto –h (Hostname/IP address)



Scan a host



Nikto -h -port (Port Number1),(Port Number2)



Scan host targeting specific ports



Nikto -h (Hostname) -maxtime (seconds)



Define maximum scan time



Nikto -h-until



Scan duration



Nikto -h-vhost



Define host header



Nikto -h-no404



Skip http 404 guessing



Nikto -h-nossl



Stop using SSL during scan



Nikto -h-ssl



Force to use SSL



Nikto -update



Update scan engine plugins



Nikto -h-dbcheck



Check database



Nikto -h (Hostname/IP address) -output (filename)



Input output to a file



Nikto -h-useproxy (Proxy IP address)



Web host scan via a proxy



Nikto -h-config (filename.conf)



Use a specified file as a database



Nikto -h-nolookup



Stop DNS lookup for hosts



Nikto -h-nocache



Stop caching responses for scans


Display options


Display Options



Nikto -h -Display (option)



1



Display redirects



2



Display cookies



3



Display 200 ok response



4



Display Web URLs requiring authentication



D



Display debug output



E



Show HTTP errors



P



Print to STDOUT



V



Verbose output display


Output options


Output Options



Nikto -h -Format



csv



Comma Separated Value



htm



HTML Format



txt



Plain text



xml



XML Format


Tuning options


Tuning Options



Nikto -h (Hostname) -tuning (Option)



0



Upload files



7



Remote File Retrieval - Server Wide



1



View specific file in log



8



Command Execution / Remote Shell



2



DDefault file misconfiguration



9



SQL Injection



3



Display information disclosure



a



Authentication Bypass



4



Injection (XSS/Script/HTML)



b



Software Identification



5



Remote File Retrieval - Inside Web Root



c



Remote Source Inclusion



6



Denial of Service



x



Reverse Tuning Options


Reference and additional resources: https://github.com/sullo/nikto

Nikto Cheat Sheet Template

L’article Nikto Cheat Sheet est apparu en premier sur Comparitech.