How To Probe Your Apache Setup For Vulnerabilities
howtoforge.org — This tutorial will show you how to set up the free web server security scanner tool, Nikto. This tool will probe your Apache set-up for vulnerabilities, so you can get an idea of what holes may exist in your configuration. This tutorial will get you so far as installing the tool, and running your first scan.
- penedo, on 10/12/2007, -2/+6: Thumbs up for pointing to the tool. I didn't have to follow the installation instructions since a simple "aptitude install nikto" got the tool on my Debian Etch. And it found some weaknesses in my default Apache installation on Debian Sarge. Dug.
- warmcat, on 10/12/2007, -1/+1: The link to the project on the article page is a 404. The correct link to the project is http://www.cirt.net/code/nikto.shtml
- jfinke, on 10/12/2007, -1/+2: Which is peculiar since he is targeting DD. apt-get install nikto vs. compiling everything from source....
- techisFun, on 10/12/2007, -9/+4: How many diggs does it take for your story to make it to the front page? I need to find out so I know how many Digg accounts I need to create....
- xenlab, on 10/12/2007, -1/+1: @warmcat The typo'd URL was corrected in the article. Thanks for spotting that.
- gmillerd, on 10/12/2007, -1/+3: Never had luck with -evasion, which is a pain in the ass.
- xenlab, on 10/12/2007, -1/+1: @gmillerd the evasion flag takes longer, but it allowed me to test my Snort/BASE installation and ruleset. It blocked everything Nikto threw at it, which says something about Snort, I suppose.
- Flare, on 10/12/2007, -8/+1: Question, how come a story with only 69 diggs makes the homepage? Is it the "digg circle of friends" effect?
- dc2447, on 10/12/2007, -0/+3: Nice idea but my reports were all littered with false positives
- dragonmantank, on 10/12/2007, -0/+1: Same here. I built my box by hand, but apparently by throwing random stuff after ? I've got a lot of things wrong. Out of 15, only 1 was valid (outdated SSL).
- qwer, on 10/12/2007, -2/+2: seems to be most of howtoforge articles will come to home page some of them are not that much clear
- prockcore, on 10/12/2007, -0/+1: Wonder how it compares to Nessus... which will scan an entire server, not just apache.
- xenlab, on 10/12/2007, -0/+1: Nessus is the king. Since it also goes after vulnerabilities in the O/S. However, Nessus is not entirely free (you can download a demo version). Nikto is a good alternative for at least testing your web server, which for most people is most public attack surface area they have.
- josegutz, on 10/12/2007, -2/+5: Dugg for including HOW TO PROBE in the title....
- colklink, on 10/12/2007, -3/+1: huh..huhuhuh...you said "probe"....
- patterson, on 10/12/2007, -5/+2: Does anyone know of a similar tool for Apache running on Windows? I'd love to know how insecure my little development server is.
- xenlab, on 10/12/2007, -1/+2: If you set up a PERL environment on your dev box, you can run Nikto (it's just a PERL script). At the minimum you can try CYGWIN (www.cygwin.com) and go at it like that.
- lagerbottom, on 10/12/2007, -1/+3: Why do people insist on installing Perl modules like that instead of using the CPAN shell.
  `perl -MCPAN -e shell`
  `cpan> install Net::SSLeay`
- punkrock4life, on 10/12/2007, -1/+1: i like to have one mechanism in charge of keeping everything on my system up to date... for me, that would be freebsd ports.
- xenlab, on 10/12/2007, -0/+1: I don't use PERL very often, so I went with the only way I knew how. I'll check into using CPAN's automated tool.
- Sentinel88, on 10/12/2007, -3/+0: Simply post your IP here. I'm sure many Digg users would dutifully test your setup for vulnerabilities. Test my server: 72.14.203.104
- crimpshrine, on 10/12/2007, -1/+0: If you redirect to HTTPS on any requests make sure to set scanning only on SSL or otherwise practically every redirect winds up being a false positive. Actually if your web daemon is at all customized (even adding modproxy) throws this tool off it seems.
- Aninhumer, on 10/12/2007, -2/+4: Go on a forum and post your IP address, claiming that you're unhackable :P BTW my IP address is 127.0.0.1, and I'm unhackable
- persaltier, on 10/12/2007, -0/+1: That's nothing. Mine's 86.7.5.309 Good luck w/ that one.
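Several commenters (dc2447, dragonmantank, crimpshrine) report reports "littered with false positives", and crimpshrine explains the usual cause: a vhost that redirects every path to HTTPS answers every scanner probe with a 3xx, so path-existence checks all "hit". The script below is an added example, not code from the Digg thread, from the howtoforge article or from the Nikto project. It shows the triage step a defender can run on a finding list before reading it: request a few random paths that cannot exist, record the server's response signature, and flag any finding whose response is indistinguishable from that catch-all baseline. The `demo_fetch` function, the host `example.test` and the findings list are constructed for the example; `http_fetch` is the real fetcher you would pass in against your own server.

```python
"""Triage scanner findings against a catch-all baseline.

Added example (not part of the thread or of Nikto). A server that answers
every unknown path the same way (a blanket redirect to HTTPS, a custom
200 "not found" page, a proxy front-end) makes path-based scanner output
unreliable. Compare each finding's response with the response for random,
non-existent paths; anything that matches the baseline is a probable false
positive and the scan should be re-run against the right vhost (e.g. over SSL).
"""
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Response signature: (status, redirect target host or "", body length).
# Only the host part of Location is kept, because redirect targets usually
# echo the requested path and would otherwise never match each other.
Signature = Tuple[int, str, int]
Fetcher = Callable[[str], Signature]


def make_signature(status: int, location: str, body_len: int) -> Signature:
    """Normalise a raw response into a comparable signature."""
    return (status, urllib.parse.urlsplit(location).netloc, body_len)


def http_fetch(url: str) -> Signature:
    """Real fetcher: one request, redirects NOT followed, 10 s timeout."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Returning None makes urllib raise HTTPError for 3xx instead of following it.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return make_signature(resp.status, resp.headers.get("Location", ""), len(resp.read()))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return make_signature(err.code, err.headers.get("Location", ""), len(err.read()))


def baseline_signature(base_url: str, fetch: Fetcher, probes: int = 3) -> Optional[Signature]:
    """Request `probes` random paths that cannot exist. If they all share one
    signature the server has catch-all behaviour and that signature is the
    baseline; if the responses differ there is no catch-all (returns None)."""
    sigs = {fetch(f"{base_url}/{secrets.token_hex(8)}") for _ in range(probes)}
    return sigs.pop() if len(sigs) == 1 else None


def triage_findings(base_url: str, findings: Dict[str, str], fetch: Fetcher):
    """Split findings (path -> description) into (worth a look, probable false positives)."""
    baseline = baseline_signature(base_url, fetch)
    real: Dict[str, str] = {}
    suspect: Dict[str, str] = {}
    for path, desc in findings.items():
        sig = fetch(base_url + path)
        if baseline is not None and sig == baseline:
            suspect[path] = desc
        else:
            real[path] = desc
    return real, suspect


# ---- constructed sample data (not real Nikto output) ------------------------
SAMPLE_FINDINGS = {
    "/server-status": "mod_status page reachable",
    "/cgi-bin/test-cgi": "test CGI script present",
}


def demo_fetch(url: str) -> Signature:
    """Constructed stand-in for http_fetch modelling the thread's situation:
    the plain-HTTP vhost redirects every path to HTTPS, while the HTTPS vhost
    really serves /server-status and answers a fixed 404 for anything else."""
    scheme, _, rest = url.partition("://")
    path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    if scheme == "http":
        return make_signature(301, "https://example.test" + path, 0)
    if path == "/server-status":
        return make_signature(200, "", 1200)
    return make_signature(404, "", 162)


if __name__ == "__main__":
    for base in ("http://example.test", "https://example.test"):
        real, suspect = triage_findings(base, SAMPLE_FINDINGS, demo_fetch)
        print(f"{base}: worth a look={sorted(real)} probable false positives={sorted(suspect)}")
```

Run it as is to see the two cases from the thread: against the plain-HTTP vhost every finding matches the blanket-redirect baseline and is flagged, which is the cue to scan the SSL side instead; against the HTTPS vhost `/server-status` survives while the 404-matching path is flagged. For a live check, swap `demo_fetch` for `http_fetch` and feed in the paths from your own scan report.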