Hi All,
I know most of us use tools to conduct the initial phases of web app pen-test.
One tool which caught my eye was Wikto - Web Server Assessment Tool
by the bainy bunch at SensePost. From the SensePost website...
" Wikto is Nikto for Windows - but with a couple of fancy extra
features including Fuzzy logic error code checking, a back-end
miner, Google assisted directory mining and real time HTTP
request/response monitoring. Wikto is coded in C# and requires the
.NET framework."
This is a very useful tool and I personally think it's a must in a
pen-testers toolkit. Here are come of the features:
CGI checker - it uses Nikto (it actually uses NIkto's database)
Web Server Fingerprinting (via HTTPrint)
Mirroring, link, and directory detection (HTTrack)
BackEnd miner
SSL Support
Automated google-hacking
The first thing I wanted to do when I installed Wikto was start
scanning my targets with Wikto, but first you have to make sure that
all the components are up-to-date and a proper configuration is being
used. Easier said that done (hence me sending this email to the list).
1. Acquiring the Google API key: You will need a key from Google to
have access to the Google API. You are limited 1000 requests a day.
One you visit http://api.google.com you will see many API's which
Google has. The one that we are interested in (and not mentioned in
any of the Wikto reference material) is Google Data Data API
(http://code.google.com/apis/base/ ). Click on the "API Key" under the
"Related Links" section, then follow the instructions, click "Sign Me
Up", follow the instructions again, click "Continue" and you will see
the Google API Key displayed .
2. HTTrack and HTTPrint need to be downloaded from their respective
locations and installed. You will need to configure Wikto to where it
will use the executable.
3. The entries in "Update sites" of Wikto section need to be changed
since the DB's and schema's don't exist in those locations anymore.
a. With the latest version of Wikto (v1.63.2279.18538), the Nikto
DB updated is pointing to http://www.cirt.net/nikto/UPDATES/
1.34/scan_database.db this is INCORRECT and needs to me changed to
http://www.cirt.net/nikto/UPDATES/1.36/scan_database.db . So do that
if you want to get the latest Nikto Db
b. The location of the GoogleHack DB is also incorrect. Actually,
the schema.xml file does not exist anymore in XML format. It is kept
up-to-date by Johnny but is sub sectioned and is in PHP format now.
So, I had 2 options here, one, I could of downloaded the individual
GHDB and combined and created a new XML schema file (without knowing
the original format) or I could jsut find an older version of the
schema.xml file just to get Wikto working then add updates when I had
time. I chose to find an older version. I found of at
http://web.archive.org/web/20060112052059/http://johnny.ihackstuff.com/xml/schemal.xml
Yes, there is a Jume 2006 schema.xml intact and I downloaded it into
the Database directory of Wikto and it worked. I will updated the
schema.xml filled later with the latest updates from Johnny's site.
But if someone has ALREADY done so, please share !
c. The BackEnd DB updates are not available from SensePost anymore !
Can anymore assist, SensePost do you still update teh BackEnd DB files
and where can we obtain them from ? Or does anymore else have a recent
copy of the updated DB ?
Ok, so here is a list of some adventures you will have when trying to
configure and use Wikto v1.63.2278.18538. If anyone has any tips or
anything else in that nature which may be of assistance.
R/
CGI Phantom
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire was recently named the worldwide market leader in Web
application security assessment tools by both Gartner and IDC. Download a
free trial of AppScan today and see why more customers choose AppScan
then any other solution.
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008fHP
--------------------------------------------------------------------------
