January 2018
Intermediate to advanced
376 pages
8h 45m
English
From here on out, you no longer need sudo privileges. So, you get a break from always having to type your password.
To do a simple scan, use the -h option to specify the target host:
nikto -h 192.168.0.9
nikto -h www.example.com
Let's look at some sample output:
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ /cgi-bin/guestbook.pl: May allow attackers to execute commands as the web daemon.
+ /cgi-bin/wwwadmin.pl: Administration CGI?
+ /cgi-bin/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ OSVDB-28260: /_vti_bin/shtml.exe/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611: ...
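An added example (not from the book or from Nikto itself): a small Python parser that turns finding lines like those in the sample output above into records and orders them for remediation review. The function names and the keyword-based ordering are assumptions made for illustration, and the sample lines are constructed from the output shown.

```python
import re

# Constructed sample: finding lines in the shape of the Nikto output shown above.
SAMPLE = """\
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ /cgi-bin/guestbook.pl: May allow attackers to execute commands as the web daemon.
+ /cgi-bin/wwwadmin.pl: Administration CGI?
+ /cgi-bin/Count.cgi: This may allow attackers to execute arbitrary commands on the server
"""

# "+ [OSVDB-n: ]/path: message". Lines without a path (e.g. the methods line)
# are kept as server-level informational items.
FINDING = re.compile(r"^\+ (?:OSVDB-(?P<osvdb>\d+): )?(?P<path>/\S*?): (?P<msg>.+)$")
INFO = re.compile(r"^\+ (?P<msg>.+)$")

def parse_nikto(text):
    """Return one dict per '+' line: osvdb (int or None), path (str or None), msg."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = FINDING.match(line)
        if m:
            osvdb = int(m["osvdb"]) if m["osvdb"] else None
            findings.append({"osvdb": osvdb, "path": m["path"], "msg": m["msg"]})
        elif (m := INFO.match(line)):
            findings.append({"osvdb": None, "path": None, "msg": m["msg"]})
    return findings

def triage(findings):
    """Assumed review order: command-execution wording, then OSVDB-referenced, then the rest."""
    def rank(f):
        if "execute" in f["msg"].lower():
            return 0
        return 1 if f["osvdb"] is not None else 2
    return sorted(findings, key=rank)  # stable sort keeps scan order within a rank

if __name__ == "__main__":
    for f in triage(parse_nikto(SAMPLE)):
        ref = f"OSVDB-{f['osvdb']}" if f["osvdb"] else "-"
        print(f"{ref:<12} {f['path'] or '(server)':<26} {f['msg'][:60]}")
```

Nikto flags many items as "may allow", so each record still needs manual confirmation before it is treated as a real finding.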