Specifying Individual Plugins


In Nikto 2.1.1, the facility to call only specific plugins was added. This was mainly designed as a debugging and development feature, making it easier to test one plugin without running all of the tests. The plugin string was very simple: a comma-separated list of plugin names.

In Nikto 2.1.2 it was discovered that this facility was of more use than previously thought and could fix one of the basic flaws in the current plugin system: passing parameters to a plugin, something that had previously been hacked in using -mutate-options.

So a new system was put in place that allows a semicolon-separated list of plugin names, with optional parameters placed in brackets. In its simple form a plugin statement looks like:

<plugin-name>[(<parameter name>[:<parameter value>][,<other parameters>])]

For example we can do:

tests(report:500,verbose)

This sets the parameter report to a value of 500 and verbose to a value of 1. The parameters and plugin names can be found by running:

./nikto.pl -list-plugins

This also means that we deprecate the mutate options and replace them with parameters passed to plugins, so the mutate options now internally translate to:

  1. tests(all)
  2. tests(passfiles)
  3. apacheusers(enumerate,home[,dictionary:dict.txt])
  4. apacheusers(enumerate,cgiwrap[,dictionary:dict.txt])
  5. subdomain
  6. dictionary(dictionary:dict.txt)

Macros for commonly run plugin sets can also be defined in nikto.conf. The default ones are:

@@MUTATE=dictionary;subdomain

@@DEFAULT=@@ALL;-@@MUTATE;tests(report:500)

These are expanded by using -list-plugins and can be overridden through -Plugins.
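
The statement syntax and macro expansion described above can be checked before a scan is launched. The following Python sketch is an added example, not Nikto's own parser: the names expand, parse_params and KNOWN are hypothetical, KNOWN is a constructed subset of plugin names taken from this page, and it assumes that @@ALL stands for every known plugin and that a leading "-" removes a plugin or macro from the selection.

```python
import re

# Macros copied from the nikto.conf defaults shown above.
MACROS = {
    "@@MUTATE": "dictionary;subdomain",
    "@@DEFAULT": "@@ALL;-@@MUTATE;tests(report:500)",
}
# Constructed sample; the real list comes from ./nikto.pl -list-plugins.
KNOWN = ["tests", "apacheusers", "subdomain", "dictionary",
         "apache_expect_xss", "report_xml"]

# [-]<plugin-name or @@MACRO>[(<parameters>)]
_STATEMENT = re.compile(r"(-?)(@@\w+|\w+)(?:\((.*)\))?")

def parse_params(text):
    """'report:500,verbose' -> {'report': '500', 'verbose': '1'}"""
    params = {}
    for item in filter(None, (p.strip() for p in (text or "").split(","))):
        name, sep, value = item.partition(":")
        params[name] = value if sep else "1"  # a bare parameter is set to 1
    return params

def expand(spec, all_plugins, macros=MACROS, _depth=0):
    """Return {plugin: {param: value}} for a -Plugins string, in order."""
    if _depth > 10:
        raise ValueError("macro recursion too deep")
    selected = {}
    for stmt in filter(None, (s.strip() for s in spec.split(";"))):
        m = _STATEMENT.fullmatch(stmt)
        if not m:
            raise ValueError(f"malformed plugin statement: {stmt!r}")
        minus, name, raw = m.groups()
        if name == "@@ALL":  # assumption: every known plugin, no parameters
            inner = {p: {} for p in all_plugins}
        elif name.startswith("@@"):
            if name not in macros:
                raise ValueError(f"unknown macro: {name}")
            inner = expand(macros[name], all_plugins, macros, _depth + 1)
        elif name in all_plugins:
            inner = {name: parse_params(raw)}
        else:
            raise ValueError(f"unknown plugin: {name}")
        for plugin, params in inner.items():
            if minus:  # assumption: a leading "-" drops the plugin
                selected.pop(plugin, None)
            else:
                selected.setdefault(plugin, {}).update(params)
    return selected
```

Calling expand("@@DEFAULT", KNOWN) shows which plugins a macro actually selects, and a typo in a plugin name or an unbalanced bracket raises ValueError instead of being passed through to a scan.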

Altogether this allows a customised set of plugins to be run for a specific circumstance. For example, if a normal test brought up that the server was vulnerable to the Apache Expect header XSS attack and we want to run just that test with debugging added to confirm that it is vulnerable, we can run:

nikto.pl -host target.txt -Plugins "apache_expect_xss(verbose,debug)"

And then manually check the output to see whether it was truly vulnerable.

It should be noted that reports are also plugins, so if you need to customise the plugin string and want an output, include the report plugin:

nikto.pl -host targets.txt -Plugins "apacheusers(enumerate,dictionary:users.txt);report_xml" -output apacheusers.xml