実行方法(Perlスクリプトを wget でダウンロードしてきて実行します)
wget wget http://www.cirt.net/nikto/nikto-current.tar.gz
tar -xzvf nikto-current.tar.gz
cd nikto-2.1.5
perl nikto.pl -update
perl nikto.pl -host https://YOUR-SERVER.TLD
実行結果
---------------------------------------------------------------------------
+ Target IP: xxx.xxx.xxx.xxx
+ Target Hostname: dummy.server.name.com
+ Target Port: 80
+ Start Time: 2018-10-10 17:32:48 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS) PHP/7.1.2
+ Server leaks inodes via ETags, header found with file /, fields: 0x813 0x5747dfb6fe842
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ / - Requires Authentication for realm 'Secret Area'
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6545 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2018-10-10 17:36:18 (GMT9) (210 seconds)
---------------------------------------------------------------------------
上記のサーバでは次のような脆弱性が報告されています。
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
TRACE メソッドが有効なので無効にしましょう(XST脆弱性があります)
+ OSVDB-3268: /icons/: Directory indexing found.
ディレクトリインデックスが見えてますよ
+ OSVDB-3233: /icons/README: Apache default file found.
Apacheのデフォルトファイルが見えてますよ