Sunday 17 March 2013

Nikto & MagicTree


MagicTree is a pen testing productivity tool on Backtrack 5R3. On a standard install it can't launch Nikto from within itself and access the output file.

What are Nikto & MagicTree

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

MagicTree is a penetration tester productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and report generation. "Tree" is because all the data is stored in a tree structure, and "Magic" is because it is designed to magically do the most cumbersome and boring part of penetration testing - data management and reporting.

Configuring Nikto to work with other tools such as MagicTree on Backtrack 5R3

Create a symbolic link for nikto.pl

ln -s /pentest/web/nikto/nikto.pl /usr/local/bin

Edit /pentest/web/nikto/nikto.pl and modify the configfile variable line to read

$VARIABLES{'configfile'} = "/pentest/web/nikto/nikto.conf";

Edit the nikto.conf file so that these settings use absolute paths

EXECDIR=/pentest/web/nikto
NIKTODTD=/pentest/web/nikto/docs/nikto.dtd
PLUGINDIR=/pentest/web/nikto/plugins
TEMPLATEDIR=/pentest/web/nikto/templates
DOCDIR=/pentest/web/nikto/docs
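
A quick check of the nikto.conf settings above before launching Nikto from MagicTree. This is an added example, not part of the original post or of Nikto itself; the function name check_nikto_conf and its optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Nikto's own code): verify the five path settings in nikto.conf.
# check_nikto_conf CONF [ROOT]
#   CONF  path to nikto.conf
#   ROOT  hypothetical optional prefix, for checking a staged copy of the tree
# Prints one line per setting; the return status is the number of problems.
check_nikto_conf() {
    conf=$1
    root=${2:-}
    problems=0
    if [ ! -r "$conf" ]; then
        echo "FAIL cannot read $conf"
        return 1
    fi
    for key in EXECDIR PLUGINDIR TEMPLATEDIR DOCDIR NIKTODTD; do
        # Last uncommented KEY=value line, with CR and trailing blanks trimmed.
        value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
                | tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//')
        case $key in
            NIKTODTD) test_flag=-f ;;   # the DTD is a file
            *)        test_flag=-d ;;   # everything else is a directory
        esac
        if [ -z "$value" ]; then
            echo "FAIL $key is not set (or is commented out)"
            problems=$((problems + 1))
        elif [ "${value#/}" = "$value" ]; then
            # Assumption: a relative value would depend on the caller's working directory.
            echo "FAIL $key=$value is not an absolute path"
            problems=$((problems + 1))
        elif ! test "$test_flag" "$root$value"; then
            echo "FAIL $key=$value does not exist"
            problems=$((problems + 1))
        else
            echo "ok   $key=$value"
        fi
    done
    return "$problems"
}

# Run as: sh check_nikto_conf.sh /pentest/web/nikto/nikto.conf
[ "$#" -eq 0 ] || check_nikto_conf "$@"
```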

Using Nikto from MagicTree

Queries run on the data gathered within MagicTree generate host and port number details. These can be fed into Nikto with the following command; the use of $out allows the XML-formatted data from Nikto to be merged with the existing data in MagicTree.

nikto.pl -host $host -port $port -Format xml -output $out

References

Nikto - http://www.cirt.net/nikto2
MagicTree - http://www.gremwell.com/what_is_magictree
