Penetration Testing mailing list archives

Re: Nikto Result


From: david lodge <resident.deity () gmail com>
Date: Thu, 17 Dec 2009 18:00:47 +0000

2009/12/15 Matt Gardenghi <mtgarden () gmail com>:
> It's moments like this that make me enjoy pentesting.  :-)
>
> Also, you should always reference:
> http://www.phenoelit-us.org/dpl/dpl.html
> http://cirt.net/passwords
>
> There are plenty more, but those are good starts.
>
> Manuals for the apps will often give you the defaults as well.

Unfortunately this seems to be a false positive due to a bug discovered
in Nikto (that I came across the same day I found this). Basically, if
the web server returns an error (e.g. a timeout, not a 404) whilst
guessing authorisation, then Nikto will think that the authentication
succeeded.

This has been raised as bug #106
(http://trac2.assembla.com/Nikto_2/ticket/106) and will be fixed in
the next point release.
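The misclassification described above, modelled as an added example (not Nikto's code): a naive verdict that treats anything other than a 401/404 as a successful login, beside a stricter verdict that reports transport errors and server errors separately so they can be retried or triaged rather than counted as found credentials. The `ProbeResult` type and the sample responses are constructed here; nothing is sent over the network.

```python
"""Classify the outcome of a single HTTP authentication probe.

Models the false positive discussed in the thread: when a probe ends in a
timeout or a 5xx instead of a clean 401/404, a check that only excludes
401 and 404 reports "success". The strict check requires a 2xx/3xx
response and never treats an error as a valid login.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProbeResult:
    # Hypothetical record of one probe; constructed for this example.
    status: Optional[int]          # HTTP status code, None if no response
    error: Optional[str] = None    # transport-level error, e.g. "timeout"


def naive_verdict(r: ProbeResult) -> str:
    # Buggy logic: "not a 401 and not a 404" is taken to mean success,
    # so a timeout (status None) or a 500 is reported as a valid login.
    if r.status in (401, 404):
        return "failed"
    return "success"


def strict_verdict(r: ProbeResult) -> str:
    # Transport errors and missing responses are errors, never successes.
    if r.error is not None or r.status is None:
        return "error"
    if 200 <= r.status < 400:
        return "success"
    if r.status in (401, 403):
        return "failed"
    return "error"   # 404, 5xx etc. say nothing about the credentials


def false_positives(results: List[ProbeResult]) -> List[ProbeResult]:
    """Probes the naive check flags as logins but the strict check rejects."""
    return [r for r in results
            if naive_verdict(r) == "success" and strict_verdict(r) != "success"]


# Constructed sample: one real success, one rejection, and three noise cases.
SAMPLE = [ProbeResult(200), ProbeResult(401), ProbeResult(None, "timeout"),
          ProbeResult(500), ProbeResult(404)]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r, "naive:", naive_verdict(r), "strict:", strict_verdict(r))
    print("false positives:", len(false_positives(SAMPLE)))
```

When reviewing scanner output, anything the strict verdict marks "error" is a candidate for a retry before it is reported as a finding.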
