
January 24, 2002 Copyright 2002 All Rights Reserved

Firewall, IDS and ECommerce

Web Server Assessment With Nikto & N-Stealth
(1 August, 2004)

Linux/Windows Lab

Web Server Assessment Laboratory

Laboratory Overview

This laboratory is composed of two parts. Part One involves installing and using Nikto on a Linux system; Nikto can be downloaded from www.cirt.net. Part Two involves installing and using N-Stealth on a Windows system; N-Stealth can be downloaded from www.nstalker.com.

Laboratory Objective

The student will be able to:
(1) Understand the purpose of automated tools to assess Web Server vulnerabilities.
(2) Understand how to install and use Nikto, an automated Web Server assessment tool.
(3) Understand how to install and use N-Stealth, an automated Web server assessment tool.

Class Preparation
(1) The student should review the lecture associated with
Web server vulnerabilities.
(2) The student should review this laboratory.

Estimated Completion Time: 60 Minutes


1. Information for Laboratory

A. The students will utilize both Nikto and N-Stealth as automated web server vulnerability assessment tools. Prior to the start of the laboratory the instructor will discuss web server assessment and automated web server assessment tools. In addition, prior to the exercise the instructors should have downloaded Nikto onto a Linux box and N-Stealth onto Windows systems.

B. Web Server Vulnerabilities. The first step in assessing the vulnerability of a web site, after performing web server reconnaissance, is to assess the vulnerability of the web server. This step is primarily concerned with exposing the vulnerabilities that exist in the server which handles the interface between the user and the process logic.

2. Part 1 – Web Assessment w/Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web
servers for multiple items, including over 2600 potentially dangerous files/CGIs, versions on over 625
servers, and version specific problems on over 230 servers. Scan items and plugins are frequently
updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan
possible, and it's fairly obvious in log files. However, there is support for LibWhisker's anti-IDS
methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are "info only" type
checks that look for items that may not have a security flaw, but the webmaster or security engineer
may not know are present on the server. These items are usually marked appropriately in the
information printed. There are also some checks for unknown items which have been seen scanned for
in log files.
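The paragraph above says that a Nikto run is "fairly obvious in log files". As an added example (not part of the original lab and not Nikto's own code), the following Python script shows what "obvious" looks like from the server side: it parses Apache combined-format access log lines and flags a client either because its User-Agent names Nikto or because it produced a burst of requests in a short window of which most returned 404, which is the footprint of a scanner probing for files and CGIs that are not there. The log lines, the client addresses and the User-Agent string are constructed samples; the assumption that Nikto 1.x identifies itself in the User-Agent is labelled in the code and the 404-burst heuristic works whether or not it does.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache-style "combined" access log line. The User-Agent used in the sample
# below is a constructed string in the form Nikto 1.x sends by default
# (assumption); the 404-burst check does not depend on it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_scanners(lines, window_seconds=60, min_requests=20, min_404_ratio=0.6):
    """Return {client_ip: [reasons]} for clients whose traffic looks like a
    web-server scanner: a self-identifying User-Agent, or a burst of at least
    min_requests requests within window_seconds of which min_404_ratio or more
    returned 404 (probes for files/CGIs the server does not have)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if any("nikto" in r["ua"].lower() for r in recs):
            reasons.append("User-Agent identifies Nikto")
        # Sliding window over this client's requests in time order.
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            n404 = sum(1 for r in window if r["status"] == 404)
            if len(window) >= min_requests and n404 / len(window) >= min_404_ratio:
                reasons.append(f"{n404}/{len(window)} requests within {window_seconds}s returned 404")
                break
        if reasons:
            findings[ip] = reasons
    return findings


def sample_log():
    """Constructed sample: one ordinary visitor, then a burst of probes for
    non-existent CGIs from a single client (hypothetical addresses and paths)."""
    lines = [
        '192.0.2.10 - - [24/Jan/2002:10:00:00 -0500] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
        '192.0.2.10 - - [24/Jan/2002:10:00:03 -0500] "GET /about.html HTTP/1.0" 200 2210 "-" "Mozilla/4.0"',
    ]
    for i in range(1, 26):
        status = 404 if i <= 23 else 200
        lines.append(
            f'10.0.0.5 - - [24/Jan/2002:10:00:{i:02d} -0500] '
            f'"GET /cgi-bin/check{i} HTTP/1.0" {status} 209 "-" "Mozilla/4.75 (Nikto/1.32)"'
        )
    return lines


if __name__ == "__main__":
    for ip, reasons in find_scanners(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds (20 requests, 60 seconds, 60% 404s) are starting points, not tuned values; on a busy site with many broken links they will need raising, and a scanner that throttles itself will need a longer window. The User-Agent check is the cheaper signal but also the one an operator can change, which is why the volumetric check is kept alongside it.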


You will now use Nikto to scan and analyze a web server identified by your instructor. The web site scanned in this exercise was previously mirrored and installed on a class lab server. In addition, the instructor will have previously downloaded Nikto on the Linux box.

A. Nikto Document Exploration

(1) At the Linux Red Hat 9.0 KDE desktop use Konqueror to open /root by clicking on the root desktop icon.
(2) Now click on nikto-1.32 > nikto_usage.html. A screen similar to the following should be displayed. Explore this screen in coordination with your instructor. Look especially at the documentation on evasion techniques.
(3) Now close Konqueror and return to the Linux desktop.


B. The Basic Scan

(1) Click on the shell terminal. Now input the commands:

cd nikto-1.32
perl nikto.pl -h www.nvcc.edu

A screen similar to the one shown below should be present. Explore this screen in coordination with your instructor.


C. The Scan w/IDS

(1) Nikto is especially noisy and will most certainly be detected and logged by any reputable IDS. Nikto has incorporated certain IDS countermeasures that can be employed to attempt to evade logging or at least to bypass simple string matching.

The -e option selects IDS evasion techniques. This enables the intrusion detection evasion in LibWhisker. Multiple options can be used by stringing the numbers together, i.e. to enable methods 1 and 5, use "-e 15". The valid options are (use the number preceding each description):

1 Random URI encoding (non-UTF8)
2 Add directory self-reference /./
3 Premature URL ending
4 Prepend long random string to request
5 Fake parameters to files
6 TAB as request spacer instead of spaces
7 Random case sensitivity
8 Use Windows directory separator \ instead of /
9 Session splicing
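The list above explains why "simple string matching" IDSs can be bypassed: several of the methods change only how a path is written, not which file the server ends up serving. The defensive answer is to canonicalise the request path before matching it against signatures. As an added example (not part of the lab and not code from Nikto or LibWhisker), the Python below does that for the URI-level methods (1, 2, 4, 5, 7 and 8; methods 3, 6 and 9 act on the request line or the TCP stream and are out of scope for a path normaliser), and also expands a -e value such as "167" into the named methods it turns on. The disguised request paths are constructed illustrations of each category, not captured Nikto output, and the signature path /cgi-bin/test-cgi is a hypothetical entry.

```python
from urllib.parse import unquote

# The nine LibWhisker evasion methods, numbered as in the Nikto usage text.
EVASION_METHODS = {
    "1": "Random URI encoding (non-UTF8)",
    "2": "Add directory self-reference /./",
    "3": "Premature URL ending",
    "4": "Prepend long random string to request",
    "5": "Fake parameters to files",
    "6": "TAB as request spacer instead of spaces",
    "7": "Random case sensitivity",
    "8": "Use Windows directory separator \\ instead of /",
    "9": "Session splicing",
}


def parse_evasion_option(value):
    """Expand a Nikto -e value such as "167" into the named methods it enables."""
    return [EVASION_METHODS[ch] for ch in value if ch in EVASION_METHODS]


def normalize_path(raw, max_decode_rounds=3, fold_case=True):
    """Canonicalise a request path before signature matching, undoing the
    URI-level tricks from the list: %-encoding (1, including double encoding),
    /./ self-references (2), a prepended junk directory removed via ".." (4),
    fake query parameters (5), mixed case (7) and backslash separators (8).
    fold_case=True suits case-insensitive servers such as IIS; on a
    case-sensitive server pass fold_case=False so distinct paths are not merged."""
    path = raw.split("?", 1)[0].split("#", 1)[0]          # drop fake parameters
    for _ in range(max_decode_rounds):                      # bounded repeated decoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")                          # Windows separators
    segments = []
    for seg in path.split("/"):                             # resolve "." and ".."
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    return result.lower() if fold_case else result


def matches_signature(raw, signatures):
    """Return the signature whose canonical form equals the request's, or None."""
    norm = normalize_path(raw)
    for sig in signatures:
        if norm == normalize_path(sig):
            return sig
    return None


# Constructed examples of what methods 1, 2, 4, 5, 7 and 8 do to one
# hypothetical signature path; illustrative, not captured Nikto output.
SIGNATURES = ["/cgi-bin/test-cgi"]
DISGUISED = [
    "/%63gi-bin/te%73t-cgi",               # 1: random URI encoding
    "/cgi-bin/./test-cgi",                 # 2: directory self-reference
    "/aZ9kQ2mP7xLw/../cgi-bin/test-cgi",   # 4: prepended junk directory
    "/cgi-bin/test-cgi?id=x9f2",           # 5: fake parameters
    "/CgI-bIn/TeSt-CgI",                   # 7: random case
    "\\cgi-bin\\test-cgi",                 # 8: Windows separators
]

if __name__ == "__main__":
    print(parse_evasion_option("167"))
    for req in DISGUISED:
        print(f"{req!r:40} -> {normalize_path(req)}  match={matches_signature(req, SIGNATURES)}")
```

Two design points matter for a real deployment: decoding is bounded (three rounds) so a pathological input cannot keep the matcher busy, and case folding is a per-server decision, since collapsing case on a Unix web server would let a signature fire on a file the server would never actually serve.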

(2) Open the shell terminal and input the following commands:

cd nikto-1.32
perl nikto.pl -h www.nvcc.edu -p 80 -e 167


A screen similar to the following should be displayed. Explore this screen in coordination with your instructor.


D. Updating Nikto

Nikto is a two-piece tool: engine and vulnerability database. The database is a series of "plugins" that contain exploit information. They hold information for over 100 unique web servers and more than 2,000 known vulnerabilities among the web servers and CGI applications. The latest plugins should be retrieved prior to running Nikto.

(1) Open the shell terminal and input the following commands:

cd nikto-1.32
perl nikto.pl -update

(2) A screen similar to the following should appear. Examine this screen in coordination with your instructor.

(3) This concludes the Nikto exercise. Exit the shell terminal and power down the Linux box.

2. Part 2 – N-Stealth


N-Stealth is a vulnerability-assessment product that scans web servers to identify security problems and weaknesses that may allow an attacker to gain privileged access. The software comes with an extensive database of over 30,000 vulnerabilities and exploits. N-Stealth is more actively maintained than the network security scanners and consequently has a larger database of vulnerabilities. N-Stealth is a comprehensive web server security-auditing tool that scans for over 30,000 vulnerabilities. It is ideal for system administrators, security consultants and IT professionals. The software's wide array of scanning techniques and extensive security-hole database make it the best available program for locking down web servers.

You will now use N-Stealth to scan and analyze a web server identified by your instructor. The web site scanned in this exercise was previously mirrored and installed on a class lab server. In addition, the instructor will have previously installed N-Stealth on a Windows box.

A. Phase 1 - Installation

(1) Using Explorer go to the following directory: C:\Program Files\Security Toolbox\Assessment Tools. A screen similar to the following should appear.


(2) Double click Nstealth-Free-5-2b24.exe. Now select English. A screen similar to the following should appear.

(3) Click Next. A screen similar to the following should appear.


(4) Read the License agreement and select I Agree. The following screen should appear.

(5) Elect the defaults and click Next. The following screen should appear.


(6) Elect the default and click Install. The following screen should appear.

(7) Click Finish. N-Stealth has now been successfully installed.


B. Phase Two – Web Assessment w/ N-Stealth

You will now use N-Stealth to scan and analyze a web site identified by your instructor. The web site scanned in this exercise was previously mirrored and installed on a class lab server.

(1) Click Start > Programs > N-Stealth > Nstealth. A screen similar to the following should appear.


(2) Set English as your default language and click OK. The following screen should appear.

(3) Enter a URL specified by your instructor, click Start Scan and select No at the next pop-up screen. A screen similar to the following should appear. Explore this screen in coordination with your instructor.


(4) At the instructor's discretion either stop the scan or let it run to completion. If it runs to completion the scan may take several minutes since over 16,000 items will be checked. If the scan is stopped a screen similar to the following should be present. Explore the screen in coordination with your instructor.

(5) Select Report Manager. A screen similar to the following should be present.


(6) Highlight the URL just scanned and select Generate. The following screen should appear.

(7) Click OK. The following screen should appear.


(8) Select the Report Directory tab, highlight the URL just scanned and click Open. The following report should appear. Examine this report in coordination with your instructor.

(9) This concludes the formal portion of the exercise. The student should now, on their own, explore the capabilities of N-Stealth.

(10) At the conclusion of the exercise, the student should delete the report, close all files and uninstall N-Stealth.


CONGRATULATIONS. You have just finished the Windows Web Server Vulnerability Assessment laboratory.


Instructor's Appendix

1. Nikto.
The current version of Nikto, 1.32, can be downloaded from www.cirt.net onto a Linux box. Nikto is a Perl script written by Chris Sullo and is styled after RFP's Whisker. Nikto uses RFP's LibWhisker library for HTTP/socket functionality. It has a reputation of being one of the best free Web server scanners. It has two major functions that are noteworthy. First, since it is exceptionally noisy and will undoubtedly be logged, it can employ IDS evasion techniques. Nikto, when employing IDS evasion, uses nine different techniques to format the URL request to bypass simple string matching IDSs. Second, it has the capability of being automatically updated through the use of the -update command.

a. I downloaded and installed Nikto onto a Redhat 9.0 box.
b. Nikto can be installed onto any directory; however, I chose to install it into /root.
c. The following commands were used to unzip/untar nikto-current.tar.gz in the /root directory:

gunzip nikto-current.tar.gz
tar -xvf nikto-current.tar
cd nikto-1.32

2. N-Stealth.
N-Stealth can be downloaded from www.nstalker.com.
a. Download N-Stealth onto a Windows box.


b. N-Stealth can be downloaded into any directory; however, I chose to download it into C:\Program Files\Security Toolbox\Assessment Tools.

3. Web Site.
A web site should only be analyzed if permission has been granted. For this exercise I mirrored the NVCC web site onto a classroom server composed of a Windows 2003 machine running IIS.
