01.02.2008 nikto_core - Fixed improper parsing of long options (-update, etc.). Thanks to Frank Breedijk for figuring this out. 12.30.2007 db_servers - Removed as it is not used 12.19.2007 nikto_msgs.plugin - Add a boundary for regex on versions to cut down false positives 12.19.2007 niko_favicon.plugin - Added OSVDB ID 12.18.2007 niko_favicon.plugin - Fix false positive when favicon.ico doesn't exist 11.22.2007 Nikto 2.01 release - Fix anti ids encoding use. thanks to Francisco Amato - Fix virtual host usage if set via CLI. thanks Jon Hart - Fix Host header restoration when testing for IIS IP leak - Fix for plugindir & templatedir if EXECDIR is set in config.txt, thanks Shiraishi.M and Will Andrews for pointing it out. - Fix count of items--count now accurately reflects the number of items, not just number of vulns. thanks Frank Breedijk - Kick a few more things to KB that should be saved - Added SKIPIDS to config.txt to completely ignore some tests loaded from db_tests. Suggested by Christian Folini. - Enhanced rm_active_content to try to exclude the file/QUERYSTRING requested - Unset the auth header after guessing at it. Thanks Paul Woroshow for reporting the bug. 11.12.2007 nikto_headers.plugin - Fix internal IP address snarfing for IIS, thanks Frank Breedijk for pointing it out 11.10.2007 Nikto 2.00 release - Rewrite of nikto_httpoptions.plugin to read the Public header - Fixups to prevent namespace violations in nikto.pl and nikto_core.plugin - Add some normalizations to the -root option variable, suggested by Erik Cabetas - Added -Display with options for suppressing redirects & cookies from being included in output - Added -Tuning options to let users specify what they would like to test, or exclude certain categories - Added config.txt's NMAPOPTS, thanks Sean Lewis for the suggestion - All new HTML report - Bugfix: a found cookie would report for every port/server after it was found - Bugfix: all hosts scanned with all ports if hosts file used - Bugfix: all hosts scanned with port 80 despite what the user wanted - Bugfix: Reverse DNS inet_aton error fix, pointed out by Jason Peel @ Foundstone - Changed auth checking so it will test any directory found, not just /, and removed nikto_realms.plugin as a consequence - Changed scan_database.db format significantly (and name), (and all the code to deal with tests) - Completely new 404 engine which causes less false-positives (see docs) - Created dump_lw_hash instead of dump_request_hash & dump_result_hash - Implemented a knowledge base which (should) store all the gory details of scans... probably use this later ;) - Moved pre-defined variables from config.txt to variables.db so they can be automagically updated. Entries in config.txt are still read. - Removed %CFG, storing vars in %NIKTO instead - Removed -generic - Removed extraneous global vars - Removed load_realms, combined with load_variables - Replaced %CONFIG with %NIKTOCONFIG - Set MAX_WARN to trigger on any response code, skipping 404|403|401|400 to avoid common ones - Added -Single single request mode - Updates to use the RFP's LibWhisker 2.0 - Added -Help to show extended help ouput, changed default help screen to be shorter. Suggested by Jericho. - Additional error checking on invalid reverse-dns (Paul Woroshow) - Cleaned up comment/line parsing routines in multiple places, from Erik Cabetas - Tightened some for loops with real values instead of guessing, from Erik Cabetas - Addded error message if no host is specified, from Erik Cabetas - Added more robust output file type checking (txt/htm/cvs), from Erik Cabetas - Added more debug statements regarding which CGI directories will be scanned, from Erik Cabatas - Bugfix: more 'half dead host' scanning issues resolved with Jericho. LW is much pickier now about calling http_close - Added error if -F specified without -o, from Erik Cabetas - Bugfix: server category match no longer matches partial strings, from Erik Cabetas - Bugfix: mis-pasted line, pointed to by Erik Cabetas - Send all errors to STDERR - Added -config option to specify a config file, thanks to Pavel Kankovsky - fixed regex issue on banner. thanks Alexander Ehlert for pointing it out - All other plugins updated for v2 changes - Added favicon.ico hash checking - ... gobs more 02.06.2004 nikto_core.plugin 1.21 - Cleaned up comment/line parsing routines in multiple places, from Erik Cabetas - Tightened some for loops with real values instead of guessing, from from Erik Cabetas - Removed duplicate bit of code, from Erik Cabetas - Addded error message if no host is specified, from Erik Cabetas - Added more robust output file type checking (txt/htm/cvs), from Erik Cabetas - Added more debug statements regarding which CGI directories will be scanned, from Erik Cabatas 12.17.2003 nikto_core.plugin 1.20 - Fixed BID links, thanks Richard Tortorella for the report. 10.27.2003 Nikto 1.32 release nikto_core.plugin 1.19 - Removed unecessary 'use IO::Socket' call from resolve() - Removed unecessary counters - Replaced some slow foreach counters - Moved proxy_check earlier, before port_scan, so it will be set first - Removed -allcgi option in favor of -CGIdir, which can specify to test 'all', 'none' or a specific directory. - Bugfix: testing through proxy by making sure host name is set instead of ip, thanks to Fabrice Annic for the catch - Bugfix: a regex/logic/if error in test_target, thanks Pavel Kankovsky for the bug report. 401/302 messages will now report regardless of test/pass fail. - Bugfix: -dbcheck now identifies duplicates without relying on message text, thanks Jericho / Attrition.org for pointing this out nikto.pl 1.12 - Rearranged order of get_banner & setup so that it would be called right nikto_headers.plugin 1.08 - Added DAAP header check 10.02.2003 nikto_core.plugin 1.18 - Fixed get_banner to properly handle multi host/port scans 10.01.2003 nikto_outdated.plugin 1.12 - Fixed improper matching in version evals, reported by Paul Bakker 09.30.2003 nikto_core.plugin 1.17 - Reordered loop code to make -f scans faster. - Added a skip for "(Win32)" in the version updates back to cirt.net nikto_outdated.plugin 1.11 - Stripping () from version strings 09.24.2003 Nikto 1.31 release nikto_core.plugin 1.16 - Fixed a bug in resolve() that may prevent name lookups when host files used - Fixed a bug in resolve() where scan would exit if 1 name resolution from host file failed - Changed set_targets so that if the -h value exists as a file it reads that instead of resolving it as a name. This eliminates need for .csv or .txt file name endings. - Added auto or semi-auto update of version strings to CIRT.net. This is done through a simple GET request. Controlled via config.txt's UPDATES variable. *ABSOLUTELY NO* server info is sent... only versions from HTTP headers, i.e. "Apache/4.0". Thanks to Jericho for feedback/ideas. - Added a host counter output at end & for every 10 hosts - Set CHANGES.txt download only on *code* updates, not DBs - Added MAX_WARN to config.txt for warning level on OK/Moved messages, thanks Jericho for the suggestion. - Added PROMPTS to config.txt to allow user control of prompting--good for unattended scans - Added a regex test to dbcheck() better catch errors in server_msgs.db - Thanks again to Jericho for many updated tests/information. - Cleaned up port scan code - Fixed/improved scanning through proxies nikto_outdated.plugin 1.09 - Added support for sending updates of version strings to CIRT.net. See nikto_core.plugin version 1.15 notes. LW.pm - 1.8 - Updated to LW.pm v1.8, see the change log included with it (www.wiretrip.net/rfp/). nikto.pl - 1.10 - Implemented versioning on nikto.pl (!), many changes to support core 1.15 - Put 'require LW.pm' down *after* we know where it is.. duh. Thanks J Barber (ussysadmin.com) for the suggestion. Also changed it 'require' vs 'use' so in the future I can update it, if necessary. - Hosts are now tested in the same order as the appear in an input file 08.18.2003 nikto_outdated.plugin 1.08 - Fixed nasty regex bug in the version eval, and made more efficient. Pointed out by fr0stman, thx Zeno for assistance 07.22.2003 nikto_headers.plugin 1.07 - Added Host header back after delete in IIS Content-Location check. Thanks to Abdi Ponce for the bug report & debug. nikto_httpoptions.plugin 1.04 - Changed PROPPATCH, TRACK, TRACE messages. Changed PROPFIND message, thanks to Jericho for tracking down some good info on it. Added SEARCH message. nikto_core.plugin 1.14 - Added tags to the HTML output for browser-neatness - Removed a stray debug print 07.03.2003 - Thanks to Jeremy Bae for many Jeus Webserver tests. 06.29.2003 nikto_core.plugin 1.13 - changed some &function calls to function() to keep $_ from being passed down another level.. thanks to zeno for the heads-up. nikto_headers.plugin 1.05 - fixed the IIS4 content-location check as it had a tendency to fail miserably... 06.29.2003 nikto_core.plugin 1.12 - changed output of dump_request to be more like normal request text 06.29.2003 nikto_core.plugin 1.11 - bug fix for scanning through proxies 06.19.2003 nikto_core.plugin 1.10 - added 'csv' to file formats in -help output (doh!) - minor speedups 06.17.2003 nikto_user_enum_apache.plugin 1.02 - Bugfix: some user names not tested (zz, zzz, etc.) - Major rewrite for speed improvements nikto_user_enum_cgiwrap.plugin 1.01 - Bugfix: some user names not tested (zz, zzz, etc.) - Major rewrite for speed improvements 06.16.2003 nikto_core.plugin 1.09 - dbcheck option enhanced: check that all plugins are in the order file - dbcheck option enhanced: check that all plugins have properly named sub calls - update option enhanced: retrieves updated CHANGES.txt file with code updates - Bugfix: resolve() did not properly catch invalid IP addresses. Reported by Rick Tortorella. 06.12.2003 nikto_core.plugin 1.08 - Removed iprint() entirely (finally) - Made "Needs Auth" links active in HTML output 05.30.2003 nikto_core.plugin 1.07 - Bugfix: 05.30.2003 nikto_core.plugin 1.06 - Added number of elapsed seconds to final host/port output - Bugfix: Changed CAN/CVE link to point to cve.mitre.org instead of ICAT - Bugfix: Duplicate port 80 in nmap options if -p not specified but 80 specified in hosts file 05.28.2003 nikto_core.plugin 1.05 - Bugfix: -update code prevented automatic updates. Found & fixed by Keith Young. Also reported by Paul Worshaw. 05.27.2003 Nikto 1.30 release General changes - removed nikto_google.plugin entirely (may add better plugin later) - major "under the hood" changes to make things easier to maintain, read & modify - killed as many global vars as I could stand in favor of a few global hashes (CLI input, etc.) - added $CURRENT_HOST_ID and $CURRENT_PORT as globals--these are the pointers to "where you are" (mostly as in $TARGETS) - added the ability to have basic conditional items for tests, i.e. "200!index" to designate a response of "200" but the content does not contain "index" (suggested by Paul Woroshow). - added -V option, which displays versions of all code files & databases (suggested by Jericho) - specifying -ssl now forces *all ports* on *all servers* to use ssl. best that can be done for now. - added multi-host support via a text file with port specification in the file or via CLI - all new save file routines - unbuffered file output to keep partial/cancelled run data - removed the -w option in favor of -F with multiple formats - added support for NTLM authentication - added cgiwrap plugin nikto_core.plugin 1.05 - Many updates to support multiple host scans - Added UA for update agents - Changed all %SERVER hash refs to either %CLI or %TARGETS - Removed %BANNERS (now in %TARGETS) - Added set_targets() to handle various target input methods - Bugfix: non-SSL ports not found after first SSL port found on a host - Bugfix: authentication realms were not checked with the proper root if -r was specified on the CLI - Bugfix: can't call 'fprint' if core plugin is not found (duh!). Found by Erwin Paternotte. nikto_user_enum_cgiwrap.plugin 1.00 - added nikto_mutate.plugin 1.05 - change for using %CLI nikto_passfiles.plugin 1.01 - change for using %CLI nikto_user_enum_apache.plugin 1.01 - change for using %CLI - renamed from 'nikto_userenum.plugin' nikto_msgs.plugin 1.03 - minor changes for multi-host support plugins_order.txt 1.03 - removed nikto_google.plugin 02.23.2003 nikto_core.plugin 1.04 - Added a work around for servers that answer with blank www-authenticate headers with invalid id/pass combos nikto_realms.plugin 1.00 - Added to distro realms.db 1.00 - Added to distro plugins_order.txt 1.02 - Added nikto_realms.plugin 01.22.2003 nikto_httpoptions.plugin 1.03 - standardized wording, added TRACE option, added more description to WebDAV msgs (thanks Jericho at attrition.org). 01.22.2003 nikto_core.plugin 1.03 - fixed a bug with matching proper server categories, thanks to Paul Woroshow. 01.17.2003 nikto_core.plugin 1.02 - fixed the GetOptions only looking for "-gener" instead of "-generic", thanks to Michel Arboi 01.02.2003 nikto_core.plugin 1.01 - fixed proxy authentication not prompting for -update option 01.01.2003 Nikto 1.23 - added nikto_plugin_order.txt to force plugin order to something we want rather than alpha - added nikto_core.plugin & removed most functions from nikto.pl - added -cookies option - enhanced db syntax error checking (spurred by syntax problems Thomas Reinke found) - started using the LW 1.6 libraries - fixed infinite loop output problem (no longer wrapping long lines) - removed usage from saved output (too long) - remove nikto_frontpage.plugin and put checks in scan_database.db - moved server categories from scan_database.db to servers.db - got rid of the leading "c," requirement from scan_database.db - added STATIC-COOKIE config item as suggested by Eyal Udassin - made CLI options case sensitive (to support more options, hosts files, etc) - added Javier Fernandez-Sanguino Pen~a's Apache user enumeration plugin - added -r (-root) file prepend as suggested by Eyal Udassin - many DB typo fixes from Jay Swofford - fixed a regex bug in nikto_robots.plugin and nikto_apacheusers.plugin - new update location (path) to better support upgrades that don't effect db syntax 08.21.2002 Nikto 1.21 - Fixed all the proxy code--none of it was working due to where it was set in the initialization. - Added -update to the help output. Not sure why it wasn't there. 08.12.2002 Nikto 1.20 - Re-packaged to take out a testing line from LW.pm. Thanks to D Rhoades for the catch 08.11.2002 Nikto 1.20 - Moved all mutate options to plugins - Added password file mutate plugin - Added better error messages if problems arise - Test for false-positives on all CGI directories - Added -useproxy CLI - Printing SSL certs the server accepts - Fixed port sorting if -f is used - Forked 1.20DCX edition for DefCon 10 CD: difference is only output - Fixed a bug where "findonly" was referenced as "findports" (thanks J DePriest) - Added properly wrapped text output in saved files 05.25.2002 Nikto 1.100 - stopped nikto from dying if no config.txt file found - added Apache user enumeration plugin - added robots.txt plugin - set false-positive message to display at end of run as well as during - 04.23.2002 Nikto 1.10BETA_3 - fixed CAN/CVE links, added BID/CA/MS links (suggested by Jericho). - prints total number of 'issues' found (suggested by Jericho). - fixed proxy usage in the cirt.net update function. - updated to use LW 1.4, which fixes an SSL infinite loop problem. - fixed 401 auth suppression (broken in beta 2). - added robots plugin to examine robots.txt & add items found to the mutate check - 03.31.2002 Nikto 1.10BETA_2 - fixed the config.txt DEFAULTHTTPVER variable setting so it really works - made proxy_check run only once per session - removed all reference to "nikto" in the scan_database.db - 03.23.2002 Nikto 1.10BETA_1 - renamed plugins from .pl to .plugin, just for clarity. but they're still perl files - allowed nikto.pl to update plugins the same as .db files - usage of LW 1.2 - countless "under the hood" type things - lowercase-incoming-headers to more easily handle case sensitive nonsense - compartmentalized a LOT more code to make things easier to read - created config.txt file configuration w/o midifying nikto.pl itself - added user_scan_database.db so that it won't get ovwr-written if the user adds checks - enabled RFP's LibWhisker anti-ids options - change "check," to "c," in scan_database, just to save a little bandwidth on cirt.net :) - added plugin to check HTTP methods - created a 'mutate' mode for really brute force finding stuff on servers - added the ability to set default CLI options via config file - added PLUGINDIR config variable - added plugin to check other HTTP headers (just x-powered-by for now) - added ability for nikto to auto-determine ssl v non-ssl on a port - added port scanning ability (with or without nmap) - added ability to send message via the update script's versions.txt file. I don't know why, but it may be handy to let folks know if a new beta is out, or something. - implemented the virtual host headers as patched by Pasi Eronen - 01.17.2002 Nikto 1.018 - Added /mpcgi/ to the @CGIDIRS array based on some suggestions. - Fixed a bug in the auth_check function (thanks RFP), and cleaned up error reporting on failed auths - 01.12.2002 Nikto 1.017 - Fixed a bug where the data portion of a request did not reset to null after some checks (thanks to Phil Brass for pointing me at it & letting me test against his server). - 01.10.2002 Nikto 1.016 - Add dump_*hash functions - Added pause (-x) in scan loop - Fixed a bug which caused a major slowdown - Added load_conf for setup for configuration files (future) - Fixed http vs. https links in output files - 01.08.2002 Nikto 1.015 - Fixed a bug (?) in Libwhisker PR4 (will check v1 code...) - Corrected an error which caused a few false-positives (404 really IS not found :) 01.07.2002 Nikto 1.014 - Removed comment filtering from lines in scan_database.db to accommodate SSI includes - Fixed quoting removal for data portions in checks (so " is valid). - 01.06.2002 Nikto 1.013 - Made major globabl variable changes, moved tons of them to hashes - Wrote some basic plugin writing documentation & added 'docs' directory - 01.03.2002 Nikto 1.012 - Added extended output for scan archival reasons (suggested by Steve Saady) - Changed host auth failure to a warning, not stoppage - Added "data" portion to scan_database.db - Added @IP and @HOSTNAME substitutions for scan_database.db checks (will be replaced by actual IP/hostname) - in case they are needed in the future. - Added JUNK() to scan_database.db checks to facilitate future buffer-overflows (non-DoS), and future DoS plugins - Added Proxy-agent as valid the same as Server result strings - Changed -l to -n ("nolookup") to be more accurate - 01.02.2002 Nikto 1.011 - Added proxy auth for db update requests (oops). - Started .xxx version numbering scheme to make life easier - Fixed href tags in HTM output (< and > encoding and target host/ip) - Added "caseless" WWW-Authenticate finding (for iPlanet Proxy) - 12.31.2001 Nikto 1.01 - Added regex to remove comments from scan_database.db in case they ever exist - Fixed extra 'Host:' line being sent to server (duh). - Fixed non 'GET' request data posting (duh). - Added -timeout option - 12.27.2001 Nikto 1.00 - Finalized beta version for release