Nikto is an open source web server scanner that is able to perform extensive tests for multiple items.
Nikto is a command-line tool that features support for SSL, HTTP proxy, subdomain guessing, multiple ports, and much more.
Product's homepage
Requirements:
· Perl
What's New in This Release: [ read full changelog ]
· Ticket 261: Update CSV report to include banner info and put data into proper columns
· Ticket 247: Move etag header check to postfetch so no additional requests are made
· Ticket 245: Liberal use of CDATA in XML report to prevent problems. Thanks to Peter Wang for reporting.
· Ticket 242: nikto_headers.plugin now uses nfetch instead of direct LW calls
· Ticket 234: Add plugin for crossdomain.xml (and clientaccesspolicy.xml) to look for wildcards and warn about entries
· Ticket 233: Fix bad values in robots.txt from causing crashes
· Ticket 229: Don't repeat XML headers if appending to an existing report file, thanks to digininja for idea
· Ticket 228: Add client SSL certificate support. Thanks to monnerat for code submission!
· Ticket 226: Add GMT offset to time outputs
· Ticket 225: Template variables now have terminating hash to prevent collisions
· Ticket 224: Space in robots.txt kills scanner
· Ticket 222: Fix problems with banner parsing related to spaces, should result in fewer missed matches which should be hits.
· Ticket 220: Certificate wildcard matching incorrect
· Ticket 217: Add -IgnoreCode option to allow db_404_strings' @CODE at the command line
· Ticket 214: Relocate databases to 'databases/' directory from 'plugins/'
· Ticket 211: Shuffled some information in HTML report and added more summary data. Added error count and total check count to XML (note: DTD change).
· Ticket 209: Find IPs in HTTP headers
· Ticket 202: -maxtime maximum execution time per host (seconds)
· Ticket 175: -until run until specified time or duration
· Ticket 174: Checked for sites parked at hosting providers or advertising pages
· Ticket 161: robots.txt now checks for listed files (content search, etc.)
· Ticket 91: Identification of WEBrick fails. Updates made to handle banners with multiple items but no spaces
· Ticket 74: Removed 'single' mode code from nikto. There are better tools for this nowadays.
· Ticket 57: nfetch no longer uses global request/response hashes
· Ticket 1: Save full response on positive, plaintext & JSON
· Completely remove cache functionality as it was near worthless and added a lot of overhead
· Including JSON-PP source to not require JSON installation. http://search.cpan.org/~makamaka/JSON-2.53/lib/JSON/backportPP.pm
· Add IP address to CSV output. NOTE: this changes a parse-able report format!
· add_vulnerability now takes in %request and %response for saving of data
· nfetch() now returns headers received as argument 6--no more hash reference over-writing headers to send
· Added sub get_ips() to centralize IP extraction from strings
· Output file name now takes '.' which will auto-generate output filename like nikto_hostname_port.EXT
· Fix -root not appearing in report output, reported by Cédric Michel
· nikto_favicon.plugin checks for icons in
· tags
· Add check for non-empty OPTIONS response body, which could be related to something like http://zacstewart.com/2012/04/14/http-options-method.html
· Add nikto_paths.plugin to look for things to add to db_variables values
· Items found in robots.txt are now added to values from db_variables
· Keep tokens from getting into Û_extensions, thanks to Erik Cabetas
· Fix vhost not being set properly, thanks to Brian Poole
· Fix crash on invalid regex chars in robots.txt (dis)allow lines
· Default to use Net::SSL instead of Net::SSLeay as a result of too many memory issues in SSLeay
Find us on Google+
