Nikto is becoming one of my favourite tools. I like it because of its wide ranging use cases and its simplicity. So whats an example use case for Nikto? When I am bored right now and so I am going to hunt around my local network and see what I can find…
# First install Nikto
brew install nikto
# Now get my ipaddress range
ifconfig
# Copy my ipaddress into to ipcalculator to get my cidr block
eth0 Link encap:Ethernet HWaddr 00:0B:CD:1C:18:5A
inet addr:172.16.25.126 Bcast:172.16.25.63 Mask:255.255.255.224
inet6 addr: fe80::20b:cdff:fe1c:185a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2341604 errors:0 dropped:0 overruns:0 frame:0
TX packets:2217673 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:293460932 (279.8 MiB) TX bytes:1042006549 (993.7 MiB)
Interrupt:185 Memory:f7fe0000-f7ff0000
# Get my Cidr range (brew install ipcalc)
ipcalc 172.16.25.126
cp363412:~ $ ipcalc 172.16.25.126
Address: 172.16.25.126 10101100.00010000.00011001. 01111110
Netmask: 255.255.255.0 = 24 11111111.11111111.11111111. 00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000. 11111111
=>
Network: 172.16.25.0/24 10101100.00010000.00011001. 00000000
HostMin: 172.16.25.1 10101100.00010000.00011001. 00000001
HostMax: 172.16.25.254 10101100.00010000.00011001. 11111110
Broadcast: 172.16.25.255 10101100.00010000.00011001. 11111111
Hosts/Net: 254 Class B, Private Internet
# Our NW range is "Network: 172.16.25.0/24"
Now lets pop across to nmap to get a list of active hosts in my network
# Now we run a quick nmap scan for ports 80 and 443 across the entire range looking for any hosts that respond and dump the results into a grepable file
nmap -p 80,433 172.16.25.0/24 -oG webhosts.txt
# View the list of hosts
cat webhosts.txt
$ cat webhosts.txt
# Nmap 7.93 scan initiated Wed Jan 25 20:17:42 2023 as: nmap -p 80,433 -oG webhosts.txt 172.16.25.0/26
Host: 172.16.25.0 () Status: Up
Host: 172.16.25.0 () Ports: 80/open/tcp//http///, 433/open/tcp//nnsp///
Host: 172.16.25.1 () Status: Up
Host: 172.16.25.1 () Ports: 80/open/tcp//http///, 433/open/tcp//nnsp///
Host: 172.16.25.2 () Status: Up
Host: 172.16.25.2 () Ports: 80/open/tcp//http///, 433/open/tcp//nnsp///
Host: 172.16.25.3 () Status: Up
Host: 172.16.25.3 () Ports: 80/open/tcp//http///, 433/open/tcp//nnsp///
Host: 172.16.25.4 () Status: Up
Host: 172.16.25.4 () Ports: 80/open/tcp//http///, 433/open/tcp//nnsp///
Host: 172.16.25.5 () Status: Up
Next we want to grep this webhost file and send all the hosts that responded to the port probe of to Nikto for scanning. To do this we can use some linux magic. First we cat to read the output stored in our webhosts.txt document. Next we use awk. This is a Linux tool that will help search for the patterns. In the command below we are asking it to look for “Up” (meaning the host is up). Then we tell it to print $2, which means to print out the second word in the line that we found the word “Up” on, i.e. to print the IP address. Finally, we send that data to a new file called niktoscan.txt.
cat webhosts.txt | awk '/Up$/{print $2}' | cat >> niktoscan.txt
cat niktoscan.txt
$ cat niktoscan.txt
172.16.25.0
172.16.25.1
172.16.25.2
172.16.25.3
172.16.25.4
172.16.25.5
172.16.25.6
172.16.25.7
172.16.25.8
172.16.25.9
172.16.25.10
...Now let nikto do its stuff:
nikto -h niktoscan.txt -ssl >> niktoresults.txt
# Lets check what came back
cat niktoresults.txt