In this tutorial we would like to show you how to make your own version of Nikto which runs directly from your own browser so there is no need to install it and fiddle with Perl. Another benefit of this approach is that by doing all of this in your browser you are getting for free all the goodies of the complex network stack of Chrome or Firefox.
Let's get started.
First we are going to use the fuzzer for the job so we need to get this opened up. Let's create a new variable called path with value of a dictionary. To create a dictionary simply select it from the dropdown menu or start typing dictionary until it autocompletes.
Click on the Edit button and after that on the Load a common list button. This is where we can load many readily-available lists. We download them all from the vendor for your own convenience. Select the program/databases/db_tests list from the nikto dictionary set.
When loaded you get the following content:
Notice that each line has a special format and as such we cannot use it directly so we will have to parse it first and extract the information that we need.
Parsing the file will take chaining a few transforms but it is relative straightforward process. You can cut (META+X, CTRL+X) the dictionary item because we will place it somewhere else. By cutting it you will store it in the clipboard so it is easy to move it around.
Looking at the lines loaded from the dictionary we need to split them with comma. We also need to remove the quotes. This is done with 2 transforms. First, we need to deal with the splitting. From the dropdown menu select Split or type split until it autocompletes. Paste the dictionary in the first field and make sure the we have comma in the second field. Use the range input to select the field we want. In our case this is field 4 or 3 depending on how you are trained to count ;).
Now we need to remove the quotes. We can use a transform such as Replace with a regex but if we assume that this looks like a JSON string we can also decode it as such which will strip away the quotes nicely.
First of all cut the split item as we did before with the dictionary. Select Encode from the dropdown or start typing encode until it autocompletes. In the field paste the split item we placed in the clipboard. For algorithm select json and make sure we select the decode option.
The last thing we want to do is to place the path variable in the URL. Replace the last slash by typing variable until it autocompletes. From the dropdown list select the path variable.
Use the arrow keys next to the start button to preview what this will look like.
Happy? Not quite! It is close but not good enough. You will notice some strange string such as
@cgidirs, which we need to handle as well. Nikto uses these a lot.
Go back to the variables tab. Cut the json decoded item we created a few moments ago. Add a Replace item by selecting it from the dropdown or by typing replace until it autocompletes. For the search just type
/@cgidirs/gi, which, if you notice, is a regular expression. For the replacement we can just use
/cgi-bin/ in this example but in reality we can create a list or dictionary with multiple values. It can get pretty interesting.
Now we are done! Clicking on the start button will scan through the paths in the Nikto dictionary.
If you enjoy this tutorial, follow us on twitter @websecurify.