Nikto not finding webserver #575

Open
dsolstad opened this issue Nov 22, 2018 · 10 comments
@dsolstad
Contributor

There is a webserver using a self-signed certificate that Nikto does not recognize. I can however reach it via normal web browsers. I had to proxy Nikto through Burp to be able to scan it.

curl complains that the DH key is too small:

$ curl -ik https://192.168.1.50:9043
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Is this something that should and can be fixed?

$ nikto -host 192.168.1.55 -port 9043 -D v

  • Nikto v2.1.6

V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_cookies
V:Thu Nov 22 07:16:33 2018 - Loaded "HTTP Cookie Internal IP" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_subdomain
V:Thu Nov 22 07:16:33 2018 - Loaded "Sub-domain forcer" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_outdated
V:Thu Nov 22 07:16:33 2018 - Loaded "Outdated" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_tests
V:Thu Nov 22 07:16:33 2018 - Loaded "Nikto Tests" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_clientaccesspolicy
V:Thu Nov 22 07:16:33 2018 - Loaded "clientaccesspolicy.xml" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_sitefiles
V:Thu Nov 22 07:16:33 2018 - Loaded "Site Files" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_cgi
V:Thu Nov 22 07:16:33 2018 - Loaded "CGI" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_sqlg
V:Thu Nov 22 07:16:33 2018 - Loaded "Generic SQL reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_ssl
V:Thu Nov 22 07:16:33 2018 - Loaded "SSL and cert checks" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_csv
V:Thu Nov 22 07:16:33 2018 - Loaded "CSV reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_put_del_test
V:Thu Nov 22 07:16:33 2018 - Loaded "Put/Delete test" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_auth
V:Thu Nov 22 07:16:33 2018 - Loaded "Guess authentication" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_text
V:Thu Nov 22 07:16:33 2018 - Loaded "Text reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_dictionary_attack
V:Thu Nov 22 07:16:33 2018 - Loaded "Dictionary attack" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_apacheusers
V:Thu Nov 22 07:16:33 2018 - Loaded "Apache Users" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_embedded
V:Thu Nov 22 07:16:33 2018 - Loaded "Embedded Detection" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_apache_expect_xss
V:Thu Nov 22 07:16:33 2018 - Loaded "Apache Expect XSS" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_httpoptions
V:Thu Nov 22 07:16:33 2018 - Loaded "HTTP Options" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_favicon
V:Thu Nov 22 07:16:33 2018 - Loaded "Favicon" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_drupal
V:Thu Nov 22 07:16:33 2018 - Loaded "Drupal Specific Tests" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_content_search
V:Thu Nov 22 07:16:33 2018 - Loaded "Content Search" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_headers
V:Thu Nov 22 07:16:33 2018 - Loaded "HTTP Headers" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_multiple_index
V:Thu Nov 22 07:16:33 2018 - Loaded "Multiple Index" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_msgs
V:Thu Nov 22 07:16:33 2018 - Loaded "Server Messages" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_nbe
V:Thu Nov 22 07:16:33 2018 - Loaded "NBE reports" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_negotiate
V:Thu Nov 22 07:16:33 2018 - Loaded "Negotiate" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_robots
V:Thu Nov 22 07:16:33 2018 - Loaded "Robots" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_ms10_070
V:Thu Nov 22 07:16:33 2018 - Loaded "ms10-070 Check" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_siebel
V:Thu Nov 22 07:16:33 2018 - Loaded "Siebel Checks" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_html
V:Thu Nov 22 07:16:33 2018 - Loaded "Report as HTML" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_paths
V:Thu Nov 22 07:16:33 2018 - Loaded "Path Search" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_report_xml
V:Thu Nov 22 07:16:33 2018 - Loaded "Report as XML" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_parked
V:Thu Nov 22 07:16:33 2018 - Loaded "Parked Detection" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_core
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_fileops
V:Thu Nov 22 07:16:33 2018 - Loaded "File Operations" plugin.
V:Thu Nov 22 07:16:33 2018 - Initialising plugin nikto_shellshock
V:Thu Nov 22 07:16:33 2018 - Loaded "shellshock" plugin.
V:Thu Nov 22 07:16:33 2018 - Getting targets
V:Thu Nov 22 07:16:33 2018 - Target:192.168.1.55 port:9043
V:Thu Nov 22 07:16:33 2018 - Checking for HTTPS on port 192.168.1.55:9043, using HEAD
V:Thu Nov 22 07:16:33 2018 - for HEAD:
V:Thu Nov 22 07:16:33 2018 - Checking for HTTP on port 192.168.1.55:9043, using HEAD
V:Thu Nov 22 07:16:33 2018 - for HEAD:
V:Thu Nov 22 07:16:33 2018 - Checking for HTTPS on port 192.168.1.55:9043, using GET
V:Thu Nov 22 07:16:33 2018 - for GET:
V:Thu Nov 22 07:16:33 2018 - Checking for HTTP on port 192.168.1.55:9043, using GET
V:Thu Nov 22 07:16:34 2018 - for GET:

  • No web server found on 192.168.1.55:9043

V:Thu Nov 22 07:16:34 2018 - Opening reports (none, )
V:Thu Nov 22 07:16:34 2018 - 6934 server checks loaded
V:Thu Nov 22 07:16:34 2018 - Running start for "Embedded Detection" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Favicon" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Drupal Specific Tests" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "HTTP Headers" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Guess authentication" plugin
V:Thu Nov 22 07:16:34 2018 - Running start for "Content Search" plugin

  • 0 host(s) tested
V:Thu Nov 22 07:16:34 2018 + 8 requests made in 1 seconds

@sullo
Owner

sullo commented Nov 24, 2018

My best guess is this is an underlying OS/encryption issue since curl can't handle it (can wget?). It's possible the perl TLS modules and/or Libwhisker can't handle it--there are a lot of things that can go wrong in that chain.

I'd make sure that your perl libraries for Net::SSLeay and Net::SSL are up to date.

Also, I'd force change the SSL library nikto is using, and try both rather than letting it auto select. See nikto.conf and update this bit:

# SSLeay        - use Net::SSLeay 
# SSL           - use Net::SSL 
# auto          - automatically choose whats available 
#                 (SSLeay wins if both are available) 
LW_SSL_ENGINE=auto

@dsolstad
Contributor Author

wget finds it with --no-check-certificate.
It didn't make any difference by changing LW_SSL_ENGINE.
Everything from an updated Kali machine.

@tautology0
Collaborator

I've noticed some problems with SSL and perl on Windows, but not on Linux. Could you try it with "-D d" instead of "-D v" as that will dump the actual request headers?

@dsolstad
Contributor Author

D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_parked_strings
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_404_strings
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_outdated
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_variables
D:Thu Nov 29 05:12:42 2018 - Loading DB: /var/lib//nikto/databases/db_tests

  • Nikto v2.1.6

D:Thu Nov 29 05:12:42 2018 WARNING: No init found for nikto_core
D:Thu Nov 29 05:12:42 2018 'Request Hash' = {
'Connection' => 'Keep-Alive',
'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)',
'whisker' => {
'version' => '1.1',
'force_bodysnatch' => 0,
'method' => 'HEAD',
'host' => '192.168.1.50',
'lowercase_incoming_headers' => 1,
'MAGIC' => 31339,
'ssl_save_info' => 1,
'ssl' => 1,
'ignore_duplicate_headers' => 1,
'max_size' => 0,
'uri_param_sep' => '?',
'uri_prefix' => '',
'protocol' => 'HTTP',
'timeout' => 10,
'retry' => 0,
'http_eol' => "\r\n",
'http_space1' => ' ',
'keep-alive' => 1,
'uri_postfix' => '',
'port' => 9043,
'invalid_protocol_return_value' => 1,
'force_close' => 0,
'ssl_rsacertfile' => undef,
'http_space2' => ' ',
'include_host_in_uri' => 0,
'require_newline_after_headers' => 0,
'trailing_slurp' => 0,
'ssl_certfile' => undef,
'force_open' => 0,
'normalize_incoming_headers' => 1,
'uri' => '/'
},
'Host' => '192.168.1.50:9043'
};
D:Thu Nov 29 05:12:42 2018 'Result Hash' = {
'whisker' => {
'ssl_cert_altnames' => [
1,
'ProfileUUID:'
],
'ssl_cert_subject' => '',
'error' => "sending request: SSL error: ssl_write_all 12402: 1 - SSL_ERROR_SSL(-1,1,error:00000001:lib(0):func(0):reason(1),)\nSSL_write 12402: 1 - error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small\n",
'uri' => '/',
'ssl_cert_issuer' => '',
'MAGIC' => 31340,
'ssl_cipher' => '(NONE)'
}
};
D:Thu Nov 29 05:12:42 2018 'Request Hash' = {
'Connection' => 'Keep-Alive',
'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)',
'whisker' => {
'ignore_duplicate_headers' => 1,
'max_size' => 0,
'MAGIC' => 31339,
'ssl' => 0,
'ssl_save_info' => 1,
'lowercase_incoming_headers' => 1,
'version' => '1.1',
'method' => 'HEAD',
'force_bodysnatch' => 0,
'host' => '192.168.1.50',
'ssl_certfile' => undef,
'uri' => '/',
'force_open' => 0,
'normalize_incoming_headers' => 1,
'http_space2' => ' ',
'ssl_rsacertfile' => undef,
'include_host_in_uri' => 0,
'require_newline_after_headers' => 0,
'trailing_slurp' => 0,
'http_eol' => "\r\n",
'keep-alive' => 1,
'http_space1' => ' ',
'force_close' => 0,
'invalid_protocol_return_value' => 1,
'port' => 9043,
'uri_postfix' => '',
'protocol' => 'HTTP',
'uri_prefix' => '',
'uri_param_sep' => '?',
'timeout' => 10,
'retry' => 0
},
'Host' => '192.168.1.50'
};
D:Thu Nov 29 05:12:42 2018 'Result Hash' = {
'whisker' => {
'data' => '',
'http_data_sent' => 1,
'uri' => '/',
'error' => 'error reading HTTP response',
'MAGIC' => 31340,
'lowercase_incoming_headers' => 1
}
};
D:Thu Nov 29 05:12:42 2018 'Request Hash' = {
'Host' => '192.168.1.50:9043',
'whisker' => {
'lowercase_incoming_headers' => 1,
'version' => '1.1',
'force_bodysnatch' => 0,
'method' => 'GET',
'host' => '192.168.1.50',
'ignore_duplicate_headers' => 1,
'max_size' => 0,
'MAGIC' => 31339,
'ssl_save_info' => 1,
'ssl' => 1,
'http_eol' => "\r\n",
'http_space1' => ' ',
'keep-alive' => 1,
'uri_postfix' => '',
'force_close' => 0,
'port' => 9043,
'invalid_protocol_return_value' => 1,
'uri_param_sep' => '?',
'uri_prefix' => '',
'protocol' => 'HTTP',
'timeout' => 10,
'retry' => 0,
'ssl_certfile' => undef,
'normalize_incoming_headers' => 1,
'force_open' => 0,
'uri' => '/',
'ssl_rsacertfile' => undef,
'http_space2' => ' ',
'include_host_in_uri' => 0,
'require_newline_after_headers' => 0,
'trailing_slurp' => 0
},
'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)',
'Connection' => 'Keep-Alive'
};
D:Thu Nov 29 05:12:42 2018 'Result Hash' = {
'whisker' => {
'ssl_cert_issuer' => '',
'MAGIC' => 31340,
'ssl_cipher' => '(NONE)',
'error' => "sending request: SSL error: ssl_write_all 12402: 1 - SSL_ERROR_SSL(-1,1,error:00000001:lib(0):func(0):reason(1),)\nSSL_write 12402: 1 - error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small\n",
'uri' => '/',
'ssl_cert_subject' => '',
'ssl_cert_altnames' => [
1,
'ProfileUUID:'
]
}
};
D:Thu Nov 29 05:12:42 2018 'Request Hash' = {
'Host' => '192.168.1.50',
'whisker' => {
'lowercase_incoming_headers' => 1,
'force_bodysnatch' => 0,
'method' => 'GET',
'version' => '1.1',
'host' => '192.168.1.50',
'ignore_duplicate_headers' => 1,
'max_size' => 0,
'ssl_save_info' => 1,
'ssl' => 0,
'MAGIC' => 31339,
'http_eol' => "\r\n",
'uri_postfix' => '',
'invalid_protocol_return_value' => 1,
'port' => 9043,
'force_close' => 0,
'http_space1' => ' ',
'keep-alive' => 1,
'uri_prefix' => '',
'uri_param_sep' => '?',
'protocol' => 'HTTP',
'retry' => 0,
'timeout' => 10,
'normalize_incoming_headers' => 1,
'force_open' => 0,
'uri' => '/',
'ssl_certfile' => undef,
'include_host_in_uri' => 0,
'http_space2' => ' ',
'ssl_rsacertfile' => undef,
'trailing_slurp' => 0,
'require_newline_after_headers' => 0
},
'Connection' => 'Keep-Alive',
'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)'
};
D:Thu Nov 29 05:12:42 2018 'Result Hash' = {
'whisker' => {
'http_data_sent' => 1,
'data' => '',
'MAGIC' => 31340,
'lowercase_incoming_headers' => 1,
'uri' => '/',
'error' => 'error reading HTTP response'
}
};

  • No web server found on 192.168.1.50:9043

  • 0 host(s) tested

@tautology0
Collaborator

Here's the problem, this bugger: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Basically the Diffie-Hellman key on the server is <1024 bits. This isn't supported in the version of openssl you're using. The ideal solution would be to get the server to match modern TLS standards.
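
How the `-D d` dump above turns into "No web server found", as an added example that is not part of the thread or of Nikto's code: it pairs each Request Hash with its Result Hash and separates a rejected TLS handshake from a port that is simply not answering. The sample dump is constructed from the output posted above with fields trimmed; the function names and verdict strings are assumptions.

```python
import re
# Constructed excerpt modelled on the `-D d` dump in this thread (fields trimmed).
SAMPLE = r"""
D:Thu Nov 29 05:12:42 2018 'Request Hash' = {
'whisker' => {
'method' => 'HEAD',
'ssl' => 1
}
};
D:Thu Nov 29 05:12:42 2018 'Result Hash' = {
'whisker' => {
'error' => "sending request: SSL error: SSL_write 12402: 1 - error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small\n"
}
};
D:Thu Nov 29 05:12:42 2018 'Request Hash' = {
'whisker' => {
'method' => 'HEAD',
'ssl' => 0
}
};
D:Thu Nov 29 05:12:42 2018 'Result Hash' = {
'whisker' => {
'error' => 'error reading HTTP response'
}
};
"""
BLOCK = re.compile(r"'(Request|Result) Hash' = \{(.*?)^\};", re.S | re.M)
ERROR = re.compile(r"""^'error' => (["'])(.*)\1,?$""", re.M)
def probes(dump):
    """Pair each Request Hash with the Result Hash that follows it."""
    out, req = [], None
    for kind, body in BLOCK.findall(dump):
        if kind == "Request":
            req = {"method": re.search(r"'method' => '(\w+)'", body).group(1),
                   "tls": re.search(r"^'ssl' => (\d)", body, re.M).group(1) == "1"}
        elif req is not None:
            m = ERROR.search(body)
            out.append({**req, "error": m.group(2) if m else ""})
            req = None
    return out

def diagnose(dump):
    """Explain a 'No web server found' verdict from the probe errors."""
    ps = probes(dump)
    tls = [p for p in ps if p["tls"]]
    if tls and all("dh key too small" in p["error"] for p in tls):
        return "tls-handshake-rejected: server DH key below the client OpenSSL minimum"
    if ps and all(p["error"] for p in ps):
        return "all-probes-failed: " + "; ".join(sorted({p["error"] for p in ps}))
    return "probe-succeeded-or-no-data"
```

The plaintext probe failing with `error reading HTTP response` is expected when the port only speaks TLS, so the TLS probe's error is the one that identifies the cause.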

@ms08067

ms08067 commented Dec 19, 2018

I am having the same issue. The target site is HTTP, so no SSL/TLS. I can see it making HEAD requests in Wireshark, and I don't see any RST packets or anything negative that the server responds with. I can navigate to the site manually just fine. First time I've seen this happen.

@ms08067

ms08067 commented Dec 19, 2018

Here is a curl and response... I've censored the domain.

curl -IL http://www.########.com

HTTP/1.1 200 OK
Server: openresty/1.11.2.4
Date: Wed, 19 Dec 2018 15:38:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29-pl0-gentoo
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.#######.com/xmlrpc.php
Link: http://www.#######.com/; rel=shortlink
Set-Cookie: PHPSESSID=5ab739ef1c3b9b1232263f5ead67158a; path=/
X-Webcom-Cache-Status: BYPASS

@sullo
Owner

sullo commented Dec 30, 2018

@ms08067 I don't see anything in that response that should be a problem. Can you post a debug dump in a file? If you use -D DS it should scrub the output of the hostname (verify though). I'm particularly looking for the first request or two to see the request/response. Thanks.

@tautology0
Collaborator

I think the two problems aren't related. I think @dsolstad's problem is the version of openssl and the server being scanned. We need more information from @ms08067.

@cyc115

cyc115 commented Jan 5, 2020

Curl will accept tlsv1.0 if you remove CipherString = DEFAULT@SECLEVEL=2 from /etc/ssl/openssl.cnf. But nikto won't budge.
e.g. curl https://example.com --tlsv1.0 -k
