Open dsolstad opened 6 years ago
My best guess is this is an underlying OS/encryption issue since curl can't handle it (can wget?). It's possible the perl TLS modules and/or Libwhisker can't handle it--there are a lot of things that can go wrong in that chain.
I'd make sure that your perl libraries for Net::SSLeay and Net::SSL are up to date.
Also, I'd force change the SSL library nikto is using, and try both rather than letting it auto select. See nikto.conf and update this bit:
# SSLeay - use Net::SSLeay
# SSL - use Net::SSL
# auto - automatically choose whats available
# (SSLeay wins if both are available)
LW_SSL_ENGINE=auto
wget finds it with --no-check-certificate. It didn't make any difference by changing LW_SSL_ENGINE. Everything from an updated Kali machine.
I've noticed some problems with SSL and perl on Windows, but not on Linux. Could you try it with "-D d" instead of "-D v" as that will dump the actual request headers?
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_parked_strings
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_404_strings
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_outdated
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_variables
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_tests
D:Thu Nov 29 05:12:42 2018 WARNING: No init found for nikto_core
D:Thu Nov 29 05:12:42 2018 'Request Hash' = {
'Connection' => 'Keep-Alive',
'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)',
'whisker' => {
'version' => '1.1',
'force_bodysnatch' => 0,
'method' => 'HEAD',
'host' => '192.168.1.50',
'lowercase_incoming_headers' => 1,
'MAGIC' => 31339,
'ssl_save_info' => 1,
'ssl' => 1,
'ignore_duplicate_headers' => 1,
'max_size' => 0,
'uri_param_sep' => '?',
'uri_prefix' => '',
'protocol' => 'HTTP',
'timeout' => 10,
'retry' => 0,
'http_eol' => "\r\n",
'http_space1' => ' ',
'keep-alive' => 1,
'uri_postfix' => '',
'port' => 9043,
'invalid_protocol_return_value' => 1,
'force_close' => 0,
'ssl_rsacertfile' => undef,
'http_space2' => ' ',
'include_host_in_uri' => 0,
'require_newline_after_headers' => 0,
'trailing_slurp' => 0,
'ssl_certfile' => undef,
'force_open' => 0,
'normalize_incoming_headers' => 1,
'uri' => '/'
},
'Host' => '192.168.1.50:9043'
};
D:Thu Nov 29 05:12:42 2018 'Result Hash' = {
'whisker' => {
'ssl_cert_altnames' => [
1,
'ProfileUUID:
Here's the problem, this bugger: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
Basically the Diffie-Hellman key on the server is <1024 bits. This isn't supported in the version of openssl you're using. The ideal solution would be to get the server to match modern TLS standards.
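The failure mode discussed above (a scanner reporting no web server when the handshake was actually refused by the client's own OpenSSL policy) can be triaged with a short script. This is an added example, not code from the thread or from Nikto; the function names `classify` and `probe` and the remediation wording are assumptions, while the reason strings are OpenSSL's own.

```python
import socket
import ssl

# OpenSSL reason text -> (diagnosis, server-side fix). Wording is illustrative.
REASONS = {
    "dh key too small": ("server DHE group is below the client's security level",
                         "use 2048-bit or larger DH parameters, or prefer ECDHE"),
    "ee key too small": ("server certificate key is below the client's security level",
                         "reissue the certificate with a stronger key"),
    "ca md too weak": ("certificate chain is signed with a weak digest",
                       "reissue the chain with SHA-256 or better"),
    "unsupported protocol": ("server only offers protocol versions the client has disabled",
                             "enable TLS 1.2 or later on the server"),
    "wrong version number": ("peer did not answer with TLS, likely plain HTTP",
                             "scan the port as HTTP instead"),
}

def classify(error_text):
    """Return (reason, diagnosis, fix) for a curl, OpenSSL or Python ssl error string."""
    # Python renders the reason as DH_KEY_TOO_SMALL, curl as 'dh key too small'.
    text = error_text.lower().replace("_", " ")
    for reason, (diagnosis, fix) in REASONS.items():
        if reason in text:
            return reason, diagnosis, fix
    return "unknown", "unrecognised TLS failure", "inspect the full handshake"

def probe(host, port, timeout=10):
    """Attempt one TLS handshake and separate 'nothing listening' from
    'a TLS server is there but the local library refused it'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # the target in the thread is self-signed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"state": "tls-ok", "detail": tls.version()}
    except ssl.SSLError as exc:     # checked first: SSLError subclasses OSError
        return {"state": "tls-refused-by-client", "detail": classify(str(exc))}
    except OSError as exc:
        return {"state": "no-listener", "detail": str(exc)}
```

A `tls-refused-by-client` result with reason `dh key too small` means the port does host a TLS service, so a "No web server found" line from the scanner should be read as a local policy rejection rather than an absent server.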
I am having the same issue. The target site is http so no SSL/TLS. I can see it making HEAD requests in Wireshark, I don't see any RST packets or anything negative that the server responds with. I can navigate to the site manually just fine. First time I've seen this happen.
Here is a curl and response... I've censored the domain.
curl -IL http://www.########.com
HTTP/1.1 200 OK
Server: openresty/1.11.2.4
Date: Wed, 19 Dec 2018 15:38:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29-pl0-gentoo
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.#######.com/xmlrpc.php
Link: http://www.#######.com/; rel=shortlink
Set-Cookie: PHPSESSID=5ab739ef1c3b9b1232263f5ead67158a; path=/
X-Webcom-Cache-Status: BYPASS
@ms08067 I don't see anything in that response that should be a problem. Can you post a debug dump in a file? If you use -D DS it should scrub the output of the hostname (verify though). I'm particularly looking for the first request or two to see the request/response. Thanks.
I think the two problems aren't related. I think @dsolstad's problem is the version of openssl and the server being scanned. We need more information from @ms08067.
Curl will accept tlsv1.0 if you remove CipherString = DEFAULT@SECLEVEL=2 from /etc/ssl/openssl.cnf. But nikto won't budge.
eg. curl https://example.com --tlsv1.0 -k
There is a webserver using self-signed certificate that Nikto does not recognize. I can however reach it via normal web browsers. I had to proxy Nikto through Burp to be able to scan it.
curl complains that the dh key is too small:
$ curl -ik https://192.168.1.50:9043
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
Is this something that should and can be fixed?
$ nikto -host 192.168.1.55 -port 9043 -D v
Nikto v2.1.6
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_cookies
V:Thu Nov 22 07:16:33 2018 - Loaded "HTTP Cookie Internal IP" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_subdomain
V:Thu Nov 22 07:16:33 2018 - Loaded "Sub-domain forcer" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_outdated
V:Thu Nov 22 07:16:33 2018 - Loaded "Outdated" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_tests
V:Thu Nov 22 07:16:33 2018 - Loaded "Nikto Tests" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_clientaccesspolicy
V:Thu Nov 22 07:16:33 2018 - Loaded "clientaccesspolicy.xml" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_sitefiles
V:Thu Nov 22 07:16:33 2018 - Loaded "Site Files" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_cgi
V:Thu Nov 22 07:16:33 2018 - Loaded "CGI" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_sqlg
V:Thu Nov 22 07:16:33 2018 - Loaded "Generic SQL reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_ssl
V:Thu Nov 22 07:16:33 2018 - Loaded "SSL and cert checks" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_csv
V:Thu Nov 22 07:16:33 2018 - Loaded "CSV reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_put_del_test
V:Thu Nov 22 07:16:33 2018 - Loaded "Put/Delete test" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_auth
V:Thu Nov 22 07:16:33 2018 - Loaded "Guess authentication" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_text
V:Thu Nov 22 07:16:33 2018 - Loaded "Text reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_dictionary_attack
V:Thu Nov 22 07:16:33 2018 - Loaded "Dictionary attack" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_apacheusers
V:Thu Nov 22 07:16:33 2018 - Loaded "Apache Users" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_embedded
V:Thu Nov 22 07:16:33 2018 - Loaded "Embedded Detection" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_apache_expect_xss
V:Thu Nov 22 07:16:33 2018 - Loaded "Apache Expect XSS" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_httpoptions
V:Thu Nov 22 07:16:33 2018 - Loaded "HTTP Options" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_favicon
V:Thu Nov 22 07:16:33 2018 - Loaded "Favicon" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_drupal
V:Thu Nov 22 07:16:33 2018 - Loaded "Drupal Specific Tests" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_content_search
V:Thu Nov 22 07:16:33 2018 - Loaded "Content Search" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_headers
V:Thu Nov 22 07:16:33 2018 - Loaded "HTTP Headers" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_multiple_index
V:Thu Nov 22 07:16:33 2018 - Loaded "Multiple Index" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_msgs
V:Thu Nov 22 07:16:33 2018 - Loaded "Server Messages" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_nbe
V:Thu Nov 22 07:16:33 2018 - Loaded "NBE reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_negotiate
V:Thu Nov 22 07:16:33 2018 - Loaded "Negotiate" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_robots
V:Thu Nov 22 07:16:33 2018 - Loaded "Robots" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_ms10_070
V:Thu Nov 22 07:16:33 2018 - Loaded "ms10-070 Check" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_siebel
V:Thu Nov 22 07:16:33 2018 - Loaded "Siebel Checks" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_html
V:Thu Nov 22 07:16:33 2018 - Loaded "Report as HTML" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_paths
V:Thu Nov 22 07:16:33 2018 - Loaded "Path Search" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_xml
V:Thu Nov 22 07:16:33 2018 - Loaded "Report as XML" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_parked
V:Thu Nov 22 07:16:33 2018 - Loaded "Parked Detection" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_core
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_fileops
V:Thu Nov 22 07:16:33 2018 - Loaded "File Operations" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_shellshock
V:Thu Nov 22 07:16:33 2018 - Loaded "shellshock" plugin.
V:Thu Nov 22 07:16:33 2018 - Getting targets
V:Thu Nov 22 07:16:33 2018 - Target:192.168.1.55 port:9043
V:Thu Nov 22 07:16:33 2018 - Checking for HTTPS on port 192.168.1.55:9043, using HEAD
V:Thu Nov 22 07:16:33 2018 - for HEAD:
V:Thu Nov 22 07:16:33 2018 - Checking for HTTP on port 192.168.1.55:9043, using HEAD
V:Thu Nov 22 07:16:33 2018 - for HEAD:
V:Thu Nov 22 07:16:33 2018 - Checking for HTTPS on port 192.168.1.55:9043, using GET
V:Thu Nov 22 07:16:33 2018 - for GET:
V:Thu Nov 22 07:16:33 2018 - Checking for HTTP on port 192.168.1.55:9043, using GET
V:Thu Nov 22 07:16:34 2018 - for GET:
No web server found on 192.168.1.55:9043
V:Thu Nov 22 07:16:34 2018 - Opening reports (none, )
V:Thu Nov 22 07:16:34 2018 - 6934 server checks loaded
V:Thu Nov 22 07:16:34 2018 - Running start for "Embedded Detection" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Favicon" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Drupal Specific Tests" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "HTTP Headers" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Guess authentication" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Content Search" plugin