Nikto 


Nikto is an open-source vulnerability scanner, written in Perl, and originally released in late 2001, which provides additional vulnerability scanning specific to web servers. It performs checks for 6400 potentially dangerous files and scripts, 1200 outdated server versions, and nearly 300 version-specific problems on web servers.
There is even functionality to have Nikto launched automatically from Nessus when a web server is found. We will be running Nikto directly from the command line in a BackTrack terminal, but you can search the Nessus blog for the write-up on how these two tools can work together in an automated way. 
Nikto is built into BackTrack and is executed directly in the terminal. First, you need to browse to the Nikto directory by executing the cd /pentest/web/nikto command in a terminal window. 
Alternatively, you can launch a terminal window directly in the Nikto directory from the BackTrack menu by clicking Applications → BackTrack → Vulnerability Assessment → Web Application Assessment → Web Vulnerability Scanners → Nikto as


You should always update Nikto by executing the perl nikto.pl -update command before using the scanner to ensure that you have the most recent plug-in signatures. You can run the scanner against our localhost with the following command where the -h switch is used to define our target address (127.0.0.1) and the -p switch is used to specify which ports we want to probe (1-500). 

perl nikto.pl -h 127.0.0.1 -p 1-500

It would have been just as simple to specify only port 80 for our scan as we already know this is the only port that DVWA is using to communicate over HTTP. In fact, if you don’t specify ports for Nikto to scan, it will scan only port 80 by default. As expected, Nikto provides summary results from its scan of our DVWA web server. 

+ Server: Apache/2.2.14 (Ubuntu) 
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.9 
+ Root page / redirects to: login.php
+ robots.txt contains 1 entry which should be manually viewed.
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ ETag header found on server, inode: 829490, size: 26, mtime: 0x4c4799096fba4
+ OSVDB-3268: /config/: Directory indexing found.
+ /config/: Configuration information may be available remotely. 
+ OSVDB-3268: /doc/: Directory indexing found. 
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc. 
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. 
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts. 
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found. 
+ OSVDB-3268: /docs/: Directory indexing found. 
+ OSVDB-3092: /CHANGELOG.txt: A changelog was found. 
+ OSVDB-3233: /icons/README: Apache default file found. 
+ /login.php: Admin login page/section found. 
+ 6456 items checked: 0 error(s) and 16 item(s) reported on remote host 
+ End Time: 2012-07-11 09:27:23 (20 seconds) 

The most important take-away from Nikto’s output is the Open Source Vulnerability Database (OSVDB) entries that provide specific information about discovered vulnerabilities. These identifiers are very similar to the CVE identifiers that Nessus and Metasploit use. OSVDB is an independent and open-source project with the goal to provide unbiased technical information on over 90,000 vulnerabilities related to over 70,000 products.
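As an added example (not from the book and not part of Nikto itself), the following Python script parses Nikto's plain-text report lines into structured findings grouped by OSVDB identifier, so each affected path can be tracked to remediation; the sample input is constructed in the shape of the output shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Nikto's plain-text report (not a real scan).
SAMPLE_OUTPUT = """\
+ Server: Apache/2.2.14 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.9
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.2.19).
+ OSVDB-3268: /config/: Directory indexing found.
+ /config/: Configuration information may be available remotely.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-561: /server-status: This reveals Apache information.
+ OSVDB-3092: /CHANGELOG.txt: A changelog was found.
+ 6456 items checked: 0 error(s) and 16 item(s) reported on remote host
"""

# A finding line: "+ [OSVDB-nnn: ]/path: description". The OSVDB tag is optional.
FINDING_RE = re.compile(r"^\+ (?:(?P<osvdb>OSVDB-\d+): )?(?P<path>/\S*): (?P<desc>.+)$")
# The closing summary line Nikto prints after the findings.
SUMMARY_RE = re.compile(r"^\+ (\d+) items checked: (\d+) error\(s\) and (\d+) item\(s\) reported")


def parse_nikto(text):
    """Return (findings, summary) from Nikto plain-text output.

    findings: list of dicts with keys osvdb (None if untagged), path, desc.
    summary:  dict with checked/errors/reported counts, or None if absent.
    Banner lines (Server:, x-powered-by, outdated-version notes) are skipped
    because they carry no path to remediate.
    """
    findings, summary = [], None
    for line in text.splitlines():
        m = FINDING_RE.match(line.rstrip())
        if m:
            findings.append(m.groupdict())
            continue
        s = SUMMARY_RE.match(line)
        if s:
            summary = {"checked": int(s[1]), "errors": int(s[2]), "reported": int(s[3])}
    return findings, summary


def group_by_osvdb(findings):
    """Map each OSVDB id to its affected paths; untagged findings go under 'UNTAGGED'."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["osvdb"] or "UNTAGGED"].append(f["path"])
    return dict(groups)


if __name__ == "__main__":
    found, total = parse_nikto(SAMPLE_OUTPUT)
    for osvdb_id, paths in sorted(group_by_osvdb(found).items()):
        print(f"{osvdb_id}: {', '.join(paths)}")
    print(total)
```

Feeding a real report saved with Nikto's text output option into parse_nikto gives the same grouping, which is a convenient starting point for a remediation ticket per OSVDB entry.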