19 Replies Latest reply: May 4, 2012 7:23 AM by Renaud RSS

Nikto plugin no longer working

We recently installed Nikto and enabled the Nikto plugin on our Nessus 5 server. Everything seemed to be working fine until 5 days ago when we stopped getting any Nikto output on the Nessus report.

 

We are using Nessus 5.1 and Nikto 2.1.4.

 

I have checked that:

 

- Nikto runs Ok on its own.

- Nikto directory is in the system path.

- Nikto can be called using ..\..\nasl nikto.nasl from the plugins directory.

- Nikto is enabled in the policy preferences

- The correct policy is being used in the scan template

 

We did experiment with Tuning 5 and Tuning 7 and also Mutate 1 and Mutate 2 but we have turned all of those options off again.

We have also shut down Nessus and updated the plugins.

Unfortunately, we are still getting no Nikto plugin item on the report.

 

We have also shut down Nessus and updated the plugins.

  • Re: Nikto plugin no longer working

    Forgot to mention:

     

    - web application tests are enabled

    - CGI Abuses and CGI Abuses:XSS are enabled, along with service detection, settings and web servers

    - have also tried with ALL plugins enabled

    - Disable if server never replies 404: tried checked and unchecked

     

    No sure what else to try!

  • Re: Nikto plugin no longer working

    Further bit of information that might be relevant.

     

    Have checked the nessus logs.

     

    nessus.dump is 0 bytes and contains nothing.

     

    nessus.messages contains some messages to show the scan running and completing but no indication that Nikto was ever run. There are a few 'Invalid protocol negotiation' messages however. I've attached a sample output for the last scan.

    • Re: Nikto plugin no longer working
      jedi

      the nikto plugin hasn't actually worked for years has it - i always find (on 4.x) that it runs out of memory and produces no results.

      • Re: Nikto plugin no longer working

        I wasn't aware of that. We have never used it before. We had it working but it has suddenly stopped. We have rebooted the server as well. The thing is, there is no indication in the log that it is even being called. I've even watched the processes on the server while the scan is progressing and I can't see perl being called.

      • Re: Nikto plugin no longer working
        Renaud

        Simon John wrote:

         

        the nikto plugin hasn't actually worked for years has it - i always find (on 4.x) that it runs out of memory and produces no results.

         

        This is inaccurate. The nikto plugin actually works, you need to make sure it's in your $PATH and the settings need to be configured properly. More information about your "problems" would help to diagnose what's going on.

        • Re: Nikto plugin no longer working

          Renaud, thought I had provided enough detail to work from.

           

          The plugin number 14260 is not listed under Info items as would normally be the case. There is no Nikto output at all in the report and perl does not appear to be getting launched during the scan process. A few days ago everything worked fine. Log output has already been provided. You might also notice that I had mentioned that the Nikto directry is in my system $PATH.

           

          I have also now attached a copy of the scan policy for you.

           

          Any further information you require I am quite willing to provide.

          • Re: Nikto plugin no longer working
            Renaud

            I was answering to Simon John. I'm investigating your issue, which is probably different.

             

            Thanks,

             

            -rd

          • Re: Nikto plugin no longer working
            Renaud

            If you create a new policy (vs editing a new one), does the Nikto preference show up? Where did you install Nikto exactly, and what does your PATH look like?

             

            -rd

            • Re: Nikto plugin no longer working

              Renaud,

               

              Thanks for having a look.

               

              Yes I have tried creating a completely new policy and the Nikto plugin does still show up in the plugin configuration dropdown in the policy preferences. I also deleted the policy and re-imported it from a previously exported backup which was known to be working.

              • Re: Nikto plugin no longer working
                Renaud

                And so, where is Nikto installed and what does your PATH look like?

                 

                One thing to try is to stop the Nessus service, log into your system and start the nessusd process manually (as root or admin, depending on the OS you use) after having verified that nikto was in your $PATH, and see if that solves your problem.

                 

                Most of the time, the confusion comes from the fact that as a user, you see nikto in the $PATH, but system-wide you don't.

                • Re: Nikto plugin no longer working

                  I asppreciate the response and I understand the difference between the system and the user path. I am quite certain that the Nikto directory is in the system path. Can I ask you, does nessusd have a verbose mode so that will increase the level of logging currently being generated? Also, does nasl also have a verbose mode?

        • Re: Nikto plugin no longer working
          jedi

          Renaud Deraison wrote:

           

          Simon John wrote:

           

          the nikto plugin hasn't actually worked for years has it - i always find (on 4.x) that it runs out of memory and produces no results.

           

          This is inaccurate. The nikto plugin actually works, you need to make sure it's in your $PATH and the settings need to be configured properly. More information about your "problems" would help to diagnose what's going on.

           

          lol its not inaccurate for me! nikto works fine on its own, and nikto.pl is in the $PATH (as nessus runs it) but it seems to eat through memory for some reason when run via nessus, like 2-4gb in no time. i've not really used it in a while as i find the webapp plugins more useful (nikto is a bit too specific to known vulns) but when i next try it i'll send over a log.

          • Re: Nikto plugin no longer working

            Yes, I'm looking at the WebApp tests as well. Nikto seems to report many of the same things but sometimes it seems to report more than the Nessus scan. I'm not sure whether it is down to the configuration of the policy so I'm currently doing further research. Unfortunately, the Nikto output, especially when presented via Nessus, is not very user friendly. It would be nice if it could be passed in HTML but not wrapped with HTML and BODY tags.

  • Re: Nikto plugin no longer working

    Ok, I found the 'Log Scan Details to Server' option in the policy and turned that on which gave me a lot more information in the log. I have the following two entries relating to Nikto:

     

    [Wed May 02 10:55:58 2012][3616.115] user chajj001 : launching nikto.nasl against localhost [12962]
    [Wed May 02 10:55:58 2012][3616.115] nikto.nasl (process 12962) finished its job in 0.000 seconds

     

    At least this tells me that Nessus has launched nikto.nasl although the fact that it finished in 0.000 seconds suggests that it did not complete properly. It's unfortunate that the log does not give any further information especially as a manual run of nikto.nasl using nasl.exe does return results as expected

     

    Since nikto.nasl was run, why is there no Plugin ID 14260 item on the report?

    • Re: Nikto plugin no longer working
      Renaud

      If you're on Nessus 5, can you search the audit trail for plugin#14260?

      • Re: Nikto plugin no longer working

        Renaud,

         

        I've tried what you suggested (took me a while to find it!). The Audit Trail feature reports:

         

        Nikto was not found in $PATH

         

        Unfortunately this appears to be nonsense as I can see the correct path from both a user and a system command prompt. This is either a bug in the 'find_in_path' fuction that the plugin uses or an anomaly in they way that the operating system is presenting the path to the application.

      • Re: Nikto plugin no longer working

        Renaud,

         

        I've spent some considerable time on this and determined that it seems to come down to some kind of problem with how the pread  function determines 'the directory where the command was found' when the  the cd parameter is set to true or 1.Quoting the Nasl2 Reference:

         

        cd is a boolean, FALSE by default. If TRUE, Nessus changes its current directory to the directory where the command was found.

         

        Since find_in_path does not  directly return a value, and this path is not passed in any way to the pread function, how does pread determine that path?  If the return value is being stored somewhere then it appears to be  getting changed before we reach the call to pread. Whatever the case,  I could determine* that the cmd variable was getting set to a value of 'nikto' yet the plugin was still returning 'Nikto was not found in  $PATH'.

         

        * by setting script_add_preference(name:"Test", type:"entry", value:cmd). The value it was being set to was then shown in the GUI when a new profile was created.

        • Re: Nikto plugin no longer working
          Renaud

          The directory is done by doing some sort of "which nikto" and then doing a 'cd' to that directory. You can always try the following shortcut if you have any doubts:

           

          # echo > /usr/bin/nikto << EOF

          #!/bin/sh

          cd /path/to/your/local/nikto/installation

          ./nikto.pl $*

          EOF


          # chmod +x /usr/bin/nikto

           

           

          But, again, I think this is a $PATH problem in your system (which is why the plugin exits when find_in_path() fails, not because the 'cd' argument from pread() fails)