Penetration Testing mailing list archives
Re: Nikto Result
From: david lodge <resident.deity () gmail com>
Date: Thu, 17 Dec 2009 18:00:47 +0000
2009/12/15 Matt Gardenghi <mtgarden () gmail com>:
> It's moments like this that make me enjoy pentesting. :-) Also, you should always reference:
> http://www.phenoelit-us.org/dpl/dpl.html
> http://cirt.net/passwords
> There are plenty more, but those are good starts. Manuals for the apps will often give you the defaults as well.
Unfortunately this seems to be a false positive due to a bug discovered in Nikto (that I came across the same day I found this). Basically, if the web server returns an error (e.g. a timeout, not a 404) whilst guessing authorisation, then Nikto will think that the authentication succeeded. This has been raised as bug #106 (http://trac2.assembla.com/Nikto_2/ticket/106) and will be fixed in the next point release.
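The false positive described above, modelled as an added example (not Nikto's source and not part of the thread): the decision rule the reply describes, where a transport error such as a timeout is counted as a successful login, next to a corrected rule, plus a small triage helper that re-buckets reported credential pairs so timeouts are kept apart from real logins. The Probe/triage names and the sample responses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Probe:
    """Outcome of one credential attempt against a protected URL.
    status is None when no HTTP response came back at all (timeout,
    connection reset); error then holds the reason."""
    status: Optional[int]
    error: Optional[str] = None

def buggy_verdict(p: Probe) -> str:
    """Rule as described in the thread: only an explicit HTTP rejection
    counts as failure, so a timeout (status None) becomes a 'success'."""
    if p.status in (401, 403, 404):
        return "rejected"
    return "success"

def fixed_verdict(p: Probe) -> str:
    """Corrected rule: success needs a real 2xx/3xx response; a request
    that never produced an HTTP status is inconclusive, never a finding."""
    if p.status is None:
        return "inconclusive"
    if 200 <= p.status < 400:
        return "success"
    if p.status in (401, 403, 404):
        return "rejected"
    return "inconclusive"

Creds = Tuple[str, str]

def triage(findings: List[Creds], probe: Callable[[Creds], Probe]) -> Dict[str, List[Creds]]:
    """Re-check each credential pair a scanner reported and bucket it by
    the fixed rule before anyone acts on the report."""
    buckets: Dict[str, List[Creds]] = {"success": [], "rejected": [], "inconclusive": []}
    for c in findings:
        buckets[fixed_verdict(probe(c))].append(c)
    return buckets

# Constructed sample: what a re-check of three pairs from a scanner report
# returned. One timed out, one was rejected, one really was accepted.
SAMPLE_RESPONSES: Dict[Creds, Probe] = {
    ("admin", "admin"): Probe(None, "timed out after 10s"),
    ("user", "user"): Probe(401),
    ("test", "test"): Probe(200),
}

def sample_triage() -> Dict[str, List[Creds]]:
    # Offline stand-in for a real re-check: look the answer up in the sample.
    return triage(list(SAMPLE_RESPONSES), SAMPLE_RESPONSES.__getitem__)
```

Against a live target the probe callable would issue the request itself; here it reads the constructed sample so the block runs offline.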