niktoHelper – Bridge between Nmap Grepable Output and Nikto

July 7, 2013

During a penetration test, Nikto is usually run after Nmap. However, sometimes the web servers use virtual hosts (more than one website served from the same web server), so Nikto needs the hostname of each site as well as the IP address.

The usual steps after running Nmap against the hosts are:
1. Go to Bing.com and do a reverse DNS lookup (e.g. IP:69.194.235.101) on the IPs.
2. If there are no results, check the SSL certificate on the host.
3. Run nikto.pl with the vhost parameter, e.g.:

perl nikto.pl -vhost www.bd-motor.com -maxtime 7200 -Cgidirs all -ssl -host 69.194.235.103 -port 80 -output nikto_69.194.235.103-port443-www.bd-motor.com.txt

This script automates all of the above steps.
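
The offline part of that workflow, as an added example that is not taken from niktoHelper.py: it parses Nmap grepable output for open HTTP ports and builds the Nikto command lines in the form shown above, printing them without running anything. The sample scan data, the vhost names, the function names and the rule that any service name containing "http" is a web server are assumptions; hostnames are validated because they come from search results and certificates.

```python
import re
import shlex

# Constructed `nmap -oG` sample (RFC 5737 documentation addresses).
SAMPLE_GNMAP = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9/, "
    "80/open/tcp//http//Apache httpd 2.2.22/, "
    "443/open/tcp//ssl|http//Apache httpd 2.2.22/\tIgnored State: closed (997)\n"
    "Host: 192.0.2.20 ()\tPorts: 8080/open/tcp//http-proxy//Squid/, "
    "8443/filtered/tcp//https-alt///\n"
)
# Constructed stand-in for the names found by the lookup and certificate steps.
SAMPLE_VHOSTS = {"192.0.2.10": ["www.example.test", "bad;name"]}
# Names come from search results and certificates: validate before use.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_gnmap(text):
    """Return (ip, port, uses_ssl) for each open TCP port running HTTP."""
    targets = []
    for line in text.splitlines():
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue
        ip = line.split()[1]
        ports = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports.split(", "):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            f = entry.split("/")
            # Assumption: a service name containing "http" is a web server.
            if len(f) >= 5 and f[1] == "open" and f[2] == "tcp" and "http" in f[4]:
                uses_ssl = f[4].startswith("ssl") or "https" in f[4]
                targets.append((ip, int(f[0]), uses_ssl))
    return targets

def build_nikto_commands(targets, vhosts):
    """One argv per target and valid vhost; scan by IP when no name is known."""
    commands = []
    for ip, port, uses_ssl in targets:
        names = [n for n in vhosts.get(ip, []) if HOSTNAME_RE.match(n)] or [None]
        for name in names:
            argv = ["perl", "nikto.pl"] + (["-vhost", name] if name else [])
            argv += ["-maxtime", "7200", "-Cgidirs", "all"]
            argv += (["-ssl"] if uses_ssl else []) + ["-host", ip, "-port", str(port)]
            argv += ["-output", f"nikto_{ip}-port{port}-{name or ip}.txt"]
            commands.append(argv)
    return commands

if __name__ == "__main__":
    for argv in build_nikto_commands(parse_gnmap(SAMPLE_GNMAP), SAMPLE_VHOSTS):
        print(shlex.join(argv))  # display only, nothing is executed
```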

Below is what you see when you run niktoHelper.py without any arguments.

You can select the number of threads to use with the -child argument.
To display only the Nikto commands, use the -display argument.

To run Nikto against selected websites, key in their numbers separated by commas,
e.g. 1,4,10

To run Nikto against all results, key in ALL and press ENTER.
To skip all the websites shown, press ENTER, or key in NONE and press ENTER.

If you use the -display argument, the Nikto commands that would be run against the websites are shown on screen.

The script can be downloaded at https://github.com/milo2012/pentest_scripts/tree/master/niktohelper

If you have any feedback or suggestions, please send them to me below. Thank you.
