Tools & Utils

Nikto 2.5.0 Released!

Nikto 2.5.0 has now been released!

Please Note: Breaking changes to JSON and XML output may have occurred. If you rely on these formats please test before upgrading.

The Nikto 2.5.0 version contains hundreds of updates over several years, including the highlights below.
  • IPv6 support (thanks to @richardleach)
  • Updated db_checks format uses multiple reference


DavTest 1.0:

DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

DAVTest supports:
  • Automatically sending of exploit files

GIT Extractor

I promised last time that I would do a git extractor and, yes, I came across a site in the real world that used git to manage its releases. A quick script later and I had its web.config file and all of the internal goodies.

There's a much more detailed write up and the tool at the corporate blog of the company I work for.

Mercurial Extractor

This is an expansion of part of a talk I did for OWASP East Midlands.

If you actually read the articles posted up here you may have read about the svnpristine extractor that was written in October 2012 and not released until February 2013 (hey, it takes me a while).

SVN Pristine Extractor

So, you're sat on a customer site, and nothing is going right: patching is up to date, passwords are all set to complex values, user input is validated, you have to wear a suit and even the coffee doesn't taste very nice.

Oh, but wait! That scan against the internal web server reveals that: