Nikto '-mutate' parameter
Results 1 to 5 of 5

Thread: Nikto '-mutate' parameter

  1. #1
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548

    Nikto '-mutate' parameter

    Hi,

    I've tried to find out more about nikto's mutate option (and exactly what it does), but I've been unable to get my hands on anything useful. I even tried it on one of my own servers running some CGI scripts and I didn't get any different results to a standard nikto scan. Here's what I've seen:

    Taken from Cirt

    Mutate mode to "go fishing" on web servers for odd items

    ##-----------------------------------------------------

    Taken from the man page

    -mutate
    Mutate checks. This causes Nikto put all files with all directories from the .db files and
    can the host. You might find some oddities this way. Note that it generates a lot of checks.
    There are also some values you can pass to -mutate, like -mutate1 does something diferent to -mutate4, but I can't post up the help file right now because I don't have access to it. Could someone please tell me what it does, because I really have no clue...

    Thanks,

    -jk
    TAZForum <---- click

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Here is the entire 'help':

    ./nikto.pl
    ---------------------------------------------------------------------------
    - Nikto 1.35/1.35 - www.cirt.net
    + ERROR: No host specified

    Options:
    -Cgidirs+ Scan these CGI dirs: 'none', 'all', or a value like '/cgi/'
    -cookies print cookies found
    -evasion+ ids evasion technique (1-9, see below)
    -findonly find http(s) ports only, don't perform a full scan
    -Format save file (-o) Format: htm, csv or txt (assumed)
    -generic force full (generic) scan
    -host+ target host
    -id+ host authentication to use, format is useridassword
    -mutate+ mutate checks (see below)
    -nolookup skip name lookup
    -output+ write output to this file
    -port+ port to use (default 80)
    -root+ prepend root value to all requests, format is /directory
    -ssl force ssl mode on port
    -timeout timeout (default 10 seconds)
    -useproxy use the proxy defined in config.txt
    -Version print plugin and database versions
    -vhost+ virtual host (for Host header)
    + requires a value

    These options cannot be abbreviated:
    -config+ use this config file
    -debug debug mode
    -dbcheck syntax check scan_database.db and user_scan_database.db
    -update update databases and plugins from cirt.net
    -verbose verbose mode

    IDS Evasion Techniques:
    1 Random URI encoding (non-UTF8)
    2 Directory self-reference (/./)
    3 Premature URL ending
    4 Prepend long random string
    5 Fake parameter
    6 TAB as request spacer
    7 Random case sensitivity
    8 Use Windows directory separator (\)
    9 Session splicing

    Mutation Techniques:
    1 Test all files with all root directories
    2 Guess for password file names
    3 Enumerate user names via Apache (/~user type requests)
    4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
    Interestingly enough, I haven't enabled the mutate option before and I know for a fact that #3 and #4 were done by default...Maybe you found a bug?
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548
    Hmm...I'm not sure. The thing is that I don't know what the -mutate parameter is meant to do, so I'm not sure if anything wrong with the way it's coded... And at version 1.35 I don't think it's likely.

    Are you sure 3 and 4 are enabled in a default scan? I seem to remember 3 being included as default, but I'm not sure about 4. But, if they are as default, why set two extra options to do something which is done without them? Odd...
    TAZForum <---- click

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Yeah I am sure...ran:

    ./nikto.pl -cookies -Cgidirs all -host &lt;target&gt;

    And got:
    + /cgi-bin/cgiwrap/~adm - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
    + /~root - Enumeration of users is possible by requesting ~username (responds with Forbidden for real users, not found for non-existent users) (GET).

    (got alot more, just didn't paste them for brevities sake)...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548
    Ah, then you are right. So there really isn't a point in having 3 or 4 as mutation options...

    It's quite obvious what 2 does, but I have yet to see it in action (I don't keep any passwords of any sort on my test server). And 1, well - it's not exactly too clear what it does.

    I guess we'll have to guess until someone who knows about it comes along
    TAZForum <---- click

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •