NAME
     Wnikto32 v1.3a - Web Server and CGI Scanner
     
     
SYNOPSIS
     Wnikto32 [-h target] [options]
     
     
WARNING
     Wnikto32 is a tool for finding default web files and examining web server and CGI security.
     It makes a lot of requests to the remote server, which in some cases may cause the server
     to crash. It may also be illegal to use this software against servers you do not have
     permission to test.


DESCRIPTION
     Wnikto32 is designed to examine web servers and look for items in multiple categories:
          - misconfigurations
          - default files and scripts
          - insecure files and scripts
          - outdated software
     
     Wnikto32 supports basic port scanning and will determine whether a web server
     is running on any of the open ports it finds.
     
     Wnikto32 checks and code can be automatically updated from the main distribution server by
     using the -update option (see below) to ensure Wnikto32 is checking for the most recent vulnerabilities.
     
     Wnikto32 will also load user defined checks at startup if they are placed in a file named "user_scan_database.db" in
     the plugins directory. Unlike scan_database.db, this file will not be over-written if the -update option is used. This
     should always be used if you add your own checks (and you should send those checks to se_cur_ity@hotmail.com).
     
     Wnikto32 leaves a footprint on every server it scans, both in the invalid-file request it uses as a 404 check and
     in the User-Agent header. Note that it is pretty obvious when Wnikto32 is scanning a server anyway: the large
     number of invalid requests stands out in the server logs, although with an IDS evasion technique it might not
     be immediately obvious that the scanner was Wnikto32.
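     The two footprints above (a scanner string in the User-Agent header and a burst of requests answered with 404)
     are exactly what a server administrator can look for. The script below is an added example written for this page;
     it is not part of Wnikto32 or of Nikto. It reads Apache/nginx "combined" format access logs and flags clients
     that either carry a scanner marker in their User-Agent or produce an unusually high 404 ratio, so a scan that
     uses an evasion option to change its headers is still caught on request volume. The log lines, the thresholds and
     the assumption that the scanner's User-Agent contains the word "Nikto" are all constructed for illustration.

```python
"""Flag scanner footprints in web server access logs.

Added example for this page, not Wnikto32 or Nikto code. Assumptions:
the log is in Apache/nginx "combined" format, the scanner's User-Agent
contains the substring "Nikto", and the thresholds below are sensible
for the site (all three are assumptions to be tuned locally).
"""
import re
from collections import defaultdict

# Combined log format: client, ident, user, [time], "request", status,
# size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

MIN_REQUESTS = 5          # assumption: ignore clients with fewer requests
MAX_404_RATIO = 0.6       # assumption: more than this share of 404s is suspicious
SCANNER_UA_MARKER = "nikto"  # assumption: marker string in the scanner's User-Agent


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Return {ip: {"total", "not_found", "reasons"}} for suspicious clients."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "ua_hit": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or unparseable lines rather than abort
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        if SCANNER_UA_MARKER in rec["agent"].lower():
            s["ua_hit"] = True

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["ua_hit"]:
            reasons.append("scanner string in User-Agent")
        ratio = s["not_found"] / s["total"]
        if s["total"] >= MIN_REQUESTS and ratio >= MAX_404_RATIO:
            reasons.append("high 404 ratio")
        if reasons:
            findings[ip] = {"total": s["total"], "not_found": s["not_found"],
                            "reasons": reasons}
    return findings


# Constructed sample log: one client with the marker UA, one ordinary
# visitor, and one scanner that changed its UA and uses /./ self-references.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2003:10:00:01 +0000] "GET / HTTP/1.0" 200 1043 "-" "Mozilla/4.75 (Nikto)"
203.0.113.7 - - [10/Mar/2003:10:00:01 +0000] "GET /nonexistent-k3j2d.html HTTP/1.0" 404 276 "-" "Mozilla/4.75 (Nikto)"
203.0.113.7 - - [10/Mar/2003:10:00:02 +0000] "GET /cgi-bin/sample1 HTTP/1.0" 404 276 "-" "Mozilla/4.75 (Nikto)"
203.0.113.7 - - [10/Mar/2003:10:00:02 +0000] "GET /password.txt HTTP/1.0" 404 276 "-" "Mozilla/4.75 (Nikto)"
203.0.113.7 - - [10/Mar/2003:10:00:03 +0000] "GET /scripts/sample2 HTTP/1.0" 404 276 "-" "Mozilla/4.75 (Nikto)"
203.0.113.7 - - [10/Mar/2003:10:00:03 +0000] "GET /admin/ HTTP/1.0" 404 276 "-" "Mozilla/4.75 (Nikto)"
198.51.100.4 - - [10/Mar/2003:10:01:00 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2003:10:01:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2003:10:01:02 +0000] "GET /about.html HTTP/1.1" 404 276 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2003:10:02:00 +0000] "GET / HTTP/1.0" 200 1043 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2003:10:02:00 +0000] "GET /./cgi-bin/./sample1 HTTP/1.0" 404 276 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2003:10:02:01 +0000] "GET /./scripts/./sample2 HTTP/1.0" 404 276 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2003:10:02:01 +0000] "GET /./password.txt HTTP/1.0" 404 276 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2003:10:02:02 +0000] "GET /./admin/ HTTP/1.0" 404 276 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['not_found']}/{info['total']} 404s; " + "; ".join(info["reasons"]))
```

     Run against a real log with `analyse(open("access.log").readlines())`; the ratio rule is what survives when an
     evasion option rewrites the User-Agent, so keep it even if the marker string is adjusted for a different scanner.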

OPTIONS
     The options listed below are all optional except the -h target specification. They can all be abbreviated
     to the first letter (e.g., -m for -mutate), with the exception of -verbose and -debug.
     
      -allcgi                
                Force scan of all possible CGI directories defined in the wnikto32.ini value CGIDIRS, regardless
                of whether they might exist or not.

      -cookies                
                Print out the cookie names and values that were received during the scan.

      -evasion
                IDS evasion techniques. This enables the intrusion detection evasion in LibWhisker. Multiple options
                can be used by stringing the numbers together, e.g. to enable methods 1 and 5, use "-e 15". The valid
                options are (use the number preceding each description):
                 1     Random URI encoding (non-UTF8)
                 2     Add directory self-reference /./
                 3     Premature URL ending
                 4     Prepend long random string to request
                 5     Fake parameters to files
                 6     TAB as request spacer instead of spaces
                 7     Random case sensitivity
                 8     Use Windows directory separator \ instead of /
                 9     Session splicing
                See the LibWhisker source for more information, or http://www.wiretrip.net/

      -generic
                Force full scan rather than trusting the "Server:" identification string, as many servers allow this
                to be changed.

      -findonly
                Use port scan to find valid HTTP and HTTPS ports only, but do not perform checks against them.

      -host
                Target host to check against. This can be an IP address or hostname. This is the only required option.

      -id
                Credentials for HTTP authentication, in the format userid:password, used to authorize Wnikto32 to a web server realm.

      -mutate
                Mutate checks. This causes Wnikto32 to combine every file with every directory from the .db files and
                scan the host with the results. You might find some oddities this way. Note that it generates a lot of checks.

      -nolookup
                Don't perform a host name lookup.

      -output
                Write output to this file when complete. Format is text unless -w is also used.

      -port
                Port number to scan, defaults to port 80 if missing. This can also be a range or list of ports, which
                Wnikto32 will check for web servers. If a web server is found, it will perform a full scan unless the
                -f option is used.

      -root
                Always prepend this to requests, i.e., changes a request of "/password.txt" to "/directory/password.txt"
                (assuming the value passed on the CLI was "/directory")

      -ssl
                Force SSL mode on port(s) listed. Note that Wnikto32 attempts to determine if a port is HTTP or HTTPS
                automatically, but this can be slow if the server fails to respond or is slow to respond to the
                incorrect one.

      -timeout
                Timeout for each request, default is 10 seconds.
                
      -useproxy
                Use the proxy defined in wnikto32.ini for all requests

      -vhost
                Virtual host to use for the "Host:" header, in case it is different from the target.

      -webformat
                Write to the -o output file in HTML (web) format.

     These options cannot be abbreviated to the first letter:

      -dbcheck
                This option will check the syntax of the checks in the scan_database.db and user_scan_database.db files. This
                is really only useful if you are adding checks or are having problems.

      -debug
                Print a huge amount of detail out. In most cases this is going to be more information than you need, so
                try -verbose first.
           
      -google
                Perform a Google search, restricted to the current target, for the words defined in GOOGLERS in the config file.
                By default these words are: password passwd login

      -update
                This will connect to cirt.net and download updated scan_database.db and plugin files. Use this with
                caution as you are downloading files, perhaps including code, from an "untrusted" source. This option
                cannot be combined with any other option, but required variables (like the PROXY settings) will be loaded
                from the wnikto32.ini file.
          
      -verbose
                Print out a lot of extra data during a run. This can be useful if a scan or server is failing, or to see
                exactly how a server responds to each request.

CONFIG FILE
     The 'wnikto32.ini' file provides a means to set variables without modifying the Wnikto32 source itself at run-time. The
     options below can be set in the file. Options that accept multiple values (CGIDIRS, SKIPPORTS, etc.) should just use
     a space to distinguish multiple values. None of these are required unless you need them.
     
     CGIDIRS - CGI directories to look for, valid ones (or all) will be used for CGI checks against the remote host.
     CLIOPTS - Add any option here to be added to every Wnikto32 execution, whether specified at the command line or not.
     NMAP - Path to nmap. If defined, Wnikto32 will use nmap to port scan a host rather than Perl code, and so should be faster.
     SKIPPORTS - Port numbers that must never be scanned (so you don't crash services, perhaps?).
     PROXYHOST - Server to use as a proxy, either IP or hostname, no 'http://' needed.
     PROXYPORT - Port number that PROXYHOST uses as a proxy.
     PROXYUSER - If the PROXYHOST requires authentication, use this ID. Wnikto32 will prompt for it if this is not set & it is needed.
     PROXYPASS - If the PROXYHOST requires a password for PROXYUSER, use this password. Wnikto32 will prompt for it if this is not set & it is needed.
     DEFAULTHTTPVER - Try this HTTP version first. If this fails, Wnikto32 will attempt to find a valid one. Useful if you want to try something non-standard.
     PLUGINDIR - If Wnikto32 can't find its plugin directory for some reason, enter the full path and the problem is solved.
     MUTATEDIRS - Additional directories to use when operating under the Mutate mode besides the ones already defined in the .db files.
     MUTATEFILES - Additional files to use when operating under the Mutate mode besides the ones already defined in the .db files.
     GOOGLERS - If the Google search plugin (-google) is used, a Google search will be done with the site and these words.
     STATIC-COOKIE - The name/value of this cookie, if set, will be sent for every request (useful for auth cookies).
     
EXAMPLES
     A basic scan of a web server on port 80. The -h option is the only option that is required for a basic scan of a web
     server on the standard HTTP port.
     
     Wnikto32.exe -h 10.100.100.10
     
     A basic scan of a web server on port 443, forcing SSL encryption and ignoring the Server header. Note that Wnikto32 does
     not assume port 443 to be SSL, but if HTTP fails it will try HTTPS.
     
     Wnikto32.exe -h 10.100.100.10 -p 443 -s -g
     
     Scanning multiple ports on the server, letting Wnikto32 determine if they are HTTP and SSL encrypted.
     
     Wnikto32.exe -h 10.100.100.10 -p 80-90
     
     Scanning specific ports on the system.

     Wnikto32.exe -h 10.100.100.10 -p 80,443,8000,8080

     You may combine IDS evasion techniques as desired.
     
     Wnikto32.exe -h 10.100.100.10 -p 80 -e 167


IMPORTANT FILES
     wnikto32.ini - run-time configuration options, see the CONFIG FILE section
     Wnikto32_core.plugin - main Wnikto32 code, absolutely required
     Wnikto32_plugin_order.txt - determines the order in which plugins are executed
     user_scan_database.db - If it exists in the plugins directory, it will load these checks as well. Same syntax as scan_database.db


ADDITIONAL SOFTWARE

CHECKS
     Checks, both informational and actual security problems, are derived from a number of sources. These include the mailing lists
     BugTraq, NTBugTraq, WebAppSec (WWW-Mobile-Code) and others, and the web sites www.securitytracker.com, www.securiteam.com,
     www.packetstormsecurity.com and www.securityfocus.com. Additionally, updates to Nessus are watched, and many thanks go to
     all the plugin writers (and to Renaud for Nessus itself) (http://www.nessus.org/).

WARNINGS
     Wnikto32 can cause harm to your local system, the remote system and/or the network. Some options can generate over 70,000
     HTTP requests to a target. Do not run Wnikto32 against hosts you are not authorized to perform testing against. Cirt.net
     takes no responsibility for anything done with this software, any problems it may cause or problems it may find.
     
     Plugins are standard Perl. They are included and executed when Wnikto32 is run. If you run the -update option, new and
     updated plugins will be downloaded from cirt.net. This means you are downloading code, and potentially running it,
     without viewing it yourself. Please consider the implications. Do not assume code distributed from Cirt.net is not
     harmful, as accidents happen and a malicious third party may have inserted a dangerous plugin. Cirt.net assumes no
     responsibility if any malicious code is delivered via the -update option.
     

DISTRIBUTION
     Wnikto32 may be obtained from http://exploit.wox.org and updated databases and plugins are distributed from http://www.cirt.net/
     
     
SEE ALSO
     Nessus - http://www.frame4.com/
     
     
LICENSE
     This copyright applies to all code included in this distribution


     Copyright (C) 2003 Morning Wood Inc

     This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
     as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

     This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.


     You should have received a copy of the GNU General Public License along with this program; if not, write to the
     Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
     
     Contact Information: See the AUTHOR section.


AUTHOR
     morning_wood, se_cur_ity@hotmail.com
     http://exploit.wox.org/
     
     I want to thank the original author, without whose work this conversion would not have been possible.
     Sullo, sullo@cirt.net
     http://www.cirt.net/
     
     And thank you, my true friends... you know who you are.
     
     morning_wood Thecore