Hari,

Sorry this is a little off track, although it shows you are not the only one that is not having much luck with Nikto...

As you say, Nessus runs Nikto by default if Nikto is in the path. That caught me by surprise: I installed Nikto to take a look at it, and the next thing Nessus is running it; in my view that's not a good default setting. I think removing Nikto from the path should stop it from running.

Unfortunately Nikto does not fit in with the Nessus way of doing things. I think the Nikto plug-in only ever generates reports classed as "information". Having looked at some Nikto output, that's understandable, because it seems impossible to automatically estimate what risk rating to give to a Nikto report. The documentation about how to interpret Nikto reports is sketchy as far as I can tell.

The Nikto reports, at least the ones generated via the Nessus plug-in, tend to be very verbose and long for all but the smallest Web sites. Nikto seems to list everything it can see, says that more or less everything could be vulnerable (often without being specific), then leaves you to investigate. Nikto is, however, reportedly one of the best tools for testing Web servers...

Example Nikto report:

- Nikto 1.34/1.31 - www.cirt.net
+ Target IP: xxx.xxx.xxx.xxx
+ Target Hostname: xxxxxx
+ Target Port: 80
+ Start Time: Sat Feb 17 00:33:53 2007
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Microsoft-IIS/6.0
+ No CGI Directories found (use '-C all' to force check all possible dirs)
- Retrieved X-Powered-By header: ASP.NET
+ IIS may reveal its internal IP in the Content-Location header. The value is "http://xxx.xxx.xxx.xxx/Default.htm". CAN-2000-0649.
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists.
+ HTTP method 'SEARCH' may be used to get directory listings if Index Server is running.
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ Microsoft-IIS/6.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k)
+ /modules.php?name=Members_List&letter=All&sortby=pass - PHP Nuke module allows user names and passwords to be viewed. See http://www.frog-man.org/tutos/PHP-Nuke6.0-Members_List-Your_Account.txt for other SQL exploits in this module. (GET)
+ /Sites/Knowledge/Membership/Inspired/ViewCode.asp - The default ViewCode.asp can allow an attacker to read any file on the machine. CAN-1999-0738. MS99-013. (GET)
+ /Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp - The default ViewCode.asp can allow an attacker to read any file on the machine. CAN-1999-0738. MS99-013. (GET)
+ /Sites/Samples/Knowledge/Membership/Inspired/ViewCode.asp - The default ViewCode.asp can allow an attacker to read any file on the machine. CAN-1999-0738. MS99-013. (GET)
+ /Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp - The default ViewCode.asp can allow an attacker to read any file on the machine. CAN-1999-0738. MS99-013. (GET)
+ /Sites/Samples/Knowledge/Push/ViewCode.asp - The default ViewCode.asp can allow an attacker to read any file on the machine. CAN-1999-0738. MS99-013. (GET)
+ /Sites/Samples/Knowledge/Search/ViewCode.asp - The default ViewCode.asp can allow an attacker to read any file on the machine. CAN-1999-0738. MS99-013. (GET)
+ /_vti_bin/shtml.dll/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611 - Gives info about server settings. CAN-2000-0413, CAN-2000-0709, CAN-2000-0710, BID-1608, BID-1174. (POST)
+ /_vti_bin/_vti_aut/author.dll?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=false - We seem to have authoring access to the FrontPage web. (POST)
+ /_vti_inf.html - FrontPage may be installed. (GET)
+ /_vti_pvt/service.cnf - Contains meta-information about the web server, remove or ACL if FrontPage is not being used. (GET)
+ /_vti_pvt/services.cnf - Contains the list of subwebs, remove or ACL if FrontPage is not being used. May reveal server version if Admin has changed it. (GET)
+ 2034 items checked - 12 item(s) found on remote host(s)
+ End Time: Sat Feb 17 00:34:10 2007 (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

--
Carl Nelson
Distributed Systems Support Section, Computer Centre,
University of Leicester, Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hari Sekhon
> Sent: 01 March 2007 10:35
> To: [email protected]
> Subject: Re: Non-existent Hosts Appear when using Nikto within Nessus
>
> Does nobody know anything about this?
>
> It completely ruins any network reports if you have Nikto with Nessus.
>
> Do I have to remove Nikto from the path just to get around this behaviour?
>
>
> On 20/02/07, Hari Sekhon <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > When using Nessus to scan my network with the Nikto NASL wrapper
> > (which must be activated automatically by Nessus since I have Nikto
> > installed) it gives a report which shows a host on every single IP
> > address, even though nearly all of them are unused IPs. Each "host"
> > then has one security note:
> >
> > http (80/tcp)
> >
> > Here is the Nikto report:
> >
> > ---------------------------------------------------------------------------
> > - Nikto 1.32/1.19 - www.cirt.net
> > + No HTTP(s) ports found on x.x.x.x / 80
> > + 1 host(s) tested
> >
> >
> > This means that I have a report with tonnes of fluff, and if I then
> > want to generate an HTML report with pie charts (cos I like pictures and
> > pretty colours) the charts will be very inaccurate, since the percentage
> > of warnings will be completely off and make it look like any problem is a
> > very tiny percentage.
> >
> > Is there any way that I can stop it considering all these hosts up
> > when in fact there is nothing listening on the IPs?
> >
> > Thanks
> >
> > Hari Sekhon
> >
>
> --
> Hari Sekhon
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus
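An added example, not from either poster or from the Nessus or Nikto projects: a small parser for the Nikto 1.x text report format shown in the thread that splits a multi-host report into per-host records, drops the "No HTTP(s) ports found" sections Hari complains about (nothing was listening, so they should not count as hosts), and pulls the CAN/CVE, BID and MS advisory IDs out of each remaining finding so a reviewer has something concrete to triage. The sample report embedded below is constructed in that format; the 192.0.2.x addresses are documentation placeholders.

```python
import re

# Constructed sample in the Nikto 1.x text format from the thread: one host with
# real findings and one "host" that only produced the no-ports note that inflates
# Nessus reports.
SAMPLE_REPORT = """\
- Nikto 1.34/1.31 - www.cirt.net
+ Target IP: 192.0.2.10
+ Target Port: 80
+ Server: Microsoft-IIS/6.0
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ /_vti_inf.html - FrontPage may be installed. (GET)
+ /Sites/Samples/Knowledge/Push/ViewCode.asp - The default ViewCode.asp can allow an attacker to read any file on the machine. CAN-1999-0738. MS99-013. (GET)
+ 1 host(s) tested
- Nikto 1.34/1.31 - www.cirt.net
+ No HTTP(s) ports found on 192.0.2.11 / 80
+ 1 host(s) tested
"""

REF_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b|\bBID-\d+\b|\bMS\d{2}-\d{3}\b")
NOISE_RE = re.compile(r"^\+ No HTTP\(s\) ports found on (\S+) / (\d+)")
# Banner/summary lines that are not findings.
HEADER_RE = re.compile(r"^\+ (?:Target |Server:|Start Time|End Time|No CGI|"
                       r"\d+ items checked|\d+ host\(s\) tested)")

def parse_nikto_report(text):
    """Split a Nikto 1.x text report into one record per '- Nikto' banner section."""
    hosts = []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("- Nikto "):           # banner starts a new host section
            hosts.append({"ip": None, "port": None, "findings": [], "no_http": False})
            continue
        if not hosts:
            continue                               # text before the first banner
        cur = hosts[-1]
        m = NOISE_RE.match(line)
        if m:                                      # nothing was listening on this IP
            cur["ip"], cur["port"], cur["no_http"] = m.group(1), int(m.group(2)), True
        elif line.startswith("+ Target IP:"):
            cur["ip"] = line.split(":", 1)[1].strip()
        elif line.startswith("+ Target Port:"):
            cur["port"] = int(line.split(":", 1)[1].strip())
        elif line.startswith("+ ") and not HEADER_RE.match(line):
            cur["findings"].append({"text": line[2:], "refs": REF_RE.findall(line)})
    return hosts

def summarize(hosts):
    """One triage row per host that actually answered on the scanned port."""
    rows = []
    for h in hosts:
        if h["no_http"]:
            continue
        refs = sorted({r for f in h["findings"] for r in f["refs"]})
        rows.append({"ip": h["ip"], "port": h["port"],
                     "findings": len(h["findings"]), "refs": refs})
    return rows
```

Feeding the combined Nikto output from a Nessus run through `summarize(parse_nikto_report(text))` gives a host list that only counts IPs with a listener, which is what the pie-chart percentages should be computed from.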
