LinuxQuestions.org - Linux - Security forum
08-09-2006, 02:43 AM   #1
dwarf007
Member
Registered: Sep 2004
Location: Malaysia
Posts: 181
How to read Nikto report? Any Documentation?


I have been scanning my web server using Nikto to check for vulnerabilities, but I have no idea how to read the generated report.

Are there any references which I can refer to?
Anyone who knows how to read the report, can you please share with me?

Thank You.....
 
08-09-2006, 07:01 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
Are there any references which I can refer to?
The references are in the report. Basically: application version numbers you can search your distro's security, update and release info for; vulnerabilities by CAN (www.cve.mitre.org) or OSVDB (www.osvdb.org) tag; and human-interpretable strings with keywords you can search for with your favourite search engine.


Quote:
Anyone who knows how to read the report, can you please share with me?
Post the report?
 
08-10-2006, 06:03 AM   #3
dwarf007
Member
Registered: Sep 2004
Location: Malaysia
Posts: 181
Original Poster
I still don't understand the output of the report. For your information, the server I scanned is an IIS web server. How could the report display Apache or Tomcat??

Code:
+ /index.html.ru.cp866 - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
That is an example of the output. I have a few questions on it.
1) What does the + sign mean on every single line of the output?

2) What does the (GET) mean at the end of every line of the output?

3) I didn't use any Apache or Tomcat; how could the result show "default Apache foreign language file found"?

I'd appreciate it if anyone can help me on this.

Thanks a lot.....
 
08-10-2006, 07:53 AM   #4
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
1) What does the + sign mean on every single line of the output?
That it's not an internal error or comment (like not using "-g")?


Quote:
2) What does the (GET) mean at the end of every line of the output?
It's one of the HTTP methods; others (HTTP 1.1) are HEAD, POST, PUT, DELETE, OPTIONS, TRACE and CONNECT. There are other methods available if you use WebDAV 'n stuff.


Quote:
3) I didn't use any Apache or Tomcat; how could the result show "default Apache foreign language file found"?
Because you didn't use "-g"? Maybe it should read just "default foreign language file found"? If you think it should, by all means submit your patches to the Nikto maintainers.


BTW, maybe run something else as well, like Nessus.

Last edited by unSpawn; 08-10-2006 at 07:56 AM. Reason: //Have keybd, can't type
 
08-10-2006, 09:39 PM   #5
dwarf007
Member
Registered: Sep 2004
Location: Malaysia
Posts: 181
Original Poster
Hi unSpawn,


Below is part of the report I have. Can you please have a look? Thank You.....

Code:
-***** SSL support not available (see docs for SSL install instructions) *****
---------------------------------------------------------------------------
- Nikto 1.35/1.34 - www.cirt.net
+ Target IP:
+ Target Hostname:
+ Target Port: 80
+ Start Time: Thu Aug 10 00:53:52 2006
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server ID string not sent
+ Server does not respond with '404' for error messages (uses '403').
+ This may increase false-positives.
+ All CGI directories 'found', use '-C none' to test none
+ /conspass.chl+ - Abyss allows hidden/protected files to be served if a + is added to the request. (GET)
+ /consport.chl+ - Abyss allows hidden/protected files to be served if a + is added to the request. (GET)
+ /general.chl+ - Abyss allows hidden/protected files to be served if a + is added to the request. (GET)
+ /srvstatus.chl+ - Abyss allows hidden/protected files to be served if a + is added to the request. (GET)
+ /.DS_Store - Apache on Mac OSX will serve the .DS_Store file, which contains sensitive information. Configure Apache to ignore this file or upgrade to a newer version. (GET)
+ /.FBCIndex - This file son OSX contains the source of the files in the directory. http://www.securiteam.com/securitynews/5LP0O005FS.html (GET)
+ /docs/ - May give list of installed software (GET)
+ /examples/servlet/AUX - Apache Tomcat versions below 4.1 may be vulnerable to DoS by repeatedly requesting this file. (GET)
+ /icons/ - Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used all, the /icons directory should be removed. (GET)
+ /index.html.ca - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.cz.iso8859-2 - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.de - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.dk - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.ee - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.el - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.en - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.es - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.et - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.fr - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.he.iso8859-8 - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.hr.iso8859-2 - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)

+ Over 20 "OK" messages, this may be a by-product of the
+ server answering all requests with a "200 OK" message. You should
+ manually verify your results.
+ /index.html.it - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.ja.iso2022-jp - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.kr.iso2022-kr - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.ltz.utf8 - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /index.html.lu.utf8 - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
. (GET)
+ /supporter/index.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /supporter/tupdate.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /sw000.asp?|-|0|404_Object_Not_Found - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /syslog.htm?%20 - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /technote/print.cgi - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /texis/websearch/phine - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /tinymsg.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /topic/entete.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /topsitesdir/edit.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /ttforum/index.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /tutos/file/file_new.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /tutos/file/file_select.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /typo3/typo3/dev/translations.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /uifc/MultFileUploadHandler.php+ - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /upload.cgi+ - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /url.jsp - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /useraction.php3 - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /utils/sprc.asp+ - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /vars.inc+ - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /VBZooM/add-subject.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /wbboard/profile.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /wbboard/reply.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /webcalendar/login.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /webcalendar/view_m.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /webmail/lib/emailreader_execute_on_each_page.inc.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /webmail/src/read_body.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /web_app/WEB-INF/jrun-web.xml - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /web_app/WEB-INF/webapp.properties - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /XMBforum/buddy.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /XMBforum/member.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /x_stat_admin.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /yabbse/Reminder.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /yabbse/Sources/Packages.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /zentrack/index.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /_head.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)

+ Over 20 "OK" messages, this may be a by-product of the
+ server answering all requests with a "200 OK" message. You should
+ manually verify your results.
+ 3311 items checked - 1496 item(s) found on remote host(s)
+ End Time: Thu Aug 10 04:57:36 2006 (14624 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
 
08-10-2006, 09:41 PM   #6
dwarf007
Member
Registered: Sep 2004
Location: Malaysia
Posts: 181
Original Poster
Another part:

Code:
+ /iisadmpwd/aexp2.htr - Gives domain and system name, may allow an attacker to brute force for access. Also will allow an NT4 user to change his password regardless of the 'user cannot change password' security policy. CAN-2002-0421. BID-4236. BID-2110. (GET)
+ /iisadmpwd/aexp2b.htr - Gives domain and system name, may allow an attacker to brute force for access. Also will allow an NT4 user to change his password regardless of the 'user cannot change password' security policy. CAN-2002-0421. BID-4236. BID-2110. (GET)
+ /iisadmpwd/aexp3.htr - Gives domain and system name, may allow an attacker to brute force for access. Also will allow an NT4 user to change his password regardless of the 'user cannot change password' security policy. CAN-2002-0421. BID-4236. BID-2110. (GET)
+ /iisadmpwd/aexp4.htr - Gives domain and system name, may allow an attacker to brute force for access. Also will allow an NT4 user to change his password regardless of the 'user cannot change password' security policy. CAN-2002-0421. BID-4236. BID-2110. (GET)
+ /iisadmpwd/aexp4b.htr - Gives domain and system name, may allow an attacker to brute force for access. Also will allow an NT4 user to change his password regardless of the 'user cannot change password' security policy. CAN-2002-0421. BID-4236. BID-2110. (GET)
+ /iissamples/exair/howitworks/Codebrw1.asp - This is a default IIS script/file which should be removed, it may allow a DoS against the server. CAN-1999-0738. MS99-013. CVE-1999-0449. BID-193. (GET)
+ /iissamples/exair/search/advsearch.asp - Scripts within the Exair package on IIS 4 can be used for a DoS against the server. CVE-1999-0449. BID-193. (GET)
+ /iissamples/exair/search/query.asp - Scripts within the Exair package on IIS 4 can be used for a DoS against the server. CVE-1999-0449. BID-193. (GET)
+ /iissamples/exair/search/search.asp - Scripts within the Exair package on IIS 4 can be used for a DoS against the server. CVE-1999-0449. BID-193. (GET)
+ /iissamples/sdk/asp/docs/codebrw2.asp - This is a default IIS script/file which should be removed. CAN-1999-0738. MS99-013. (GET)
+ /iissamples/sdk/asp/docs/codebrws.asp - This is a default IIS script/file which should be removed. CAN-1999-0738. MS99-013. (GET)
+ /iissamples/sdk/asp/docs/Winmsdp.exe - This is a default IIS script/file which should be removed. CAN-1999-0738. MS99-013. (GET)
+ /xxxxxxxxxxabcd.html - The IIS server may be vulnerable to Cross Site Scripting (XSS) in error messages, ensure Q319733 is installed, see MS02-018, CVE-2002-0075, SNS-49, CA-2002-09 (GET)
+ /msadc/samples/adctest.asp - The IIS sample application adctest.asp may be used to remotely execute commands on the server. RFP9901 (http://www.wiretrip.net/rfp/p/doc.asp/i2/d3.htm) (GET)
+ /officescan/cgi/cgiChkMasterPwd.exe - Trend Officescan allows you to skip the login page and access soem CGI programs directly. (GET)
+ /pbserver/pbserver.dll - This may contain a buffer overflow. http://www.microsoft.com/technet/sec...n/ms00-094.asp (GET)
+ /prd.i/pgen/ - has MS Merchant Server 1.0 (GET)
+ /readme.eml - Remote server may be infected with the Nimda virus. (GET)
+ /scripts/admin.pl - Default FrontPage CGI found. (GET)
 
08-10-2006, 09:48 PM   #7
dwarf007
Member
Registered: Sep 2004
Location: Malaysia
Posts: 181
Original Poster
Hi unSpawn,

For the example below, can you roughly tell me what the impact is and what action I can take?

+ /xxxxxxxxxxabcd.html - The IIS server may be vulnerable to Cross Site Scripting (XSS) in error messages, ensure Q319733 is installed, see MS02-018, CVE-2002-0075, SNS-49, CA-2002-09 (GET)
+ /iissamples/exair/howitworks/Codebrw1.asp - This is a default IIS script/file which should be removed, it may allow a DoS against the server. CAN-1999-0738. MS99-013. CVE-1999-0449. BID-193. (GET)

For the ones below, I already have the detailed vulnerability info and solution.
CVE-1999-0449
MS02-018
OSVDB-2922

Thank you for providing the info:
Quote:
vulnerabilities by CAN (www.cve.mitre.org) or OSVDB (www.osvdb.org) tag and human interpretable strings with keywords you can search for with your favourite searchengine.
But there are more vulnerability references in the scanned results, as below; can I know where I can get the info from?
Example:
CAN-1999-0738
BID-193
SNS-49


Thank you for all the replies, I really appreciate all of it
 
08-11-2006, 06:29 AM   #8
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
For the example below, can you roughly tell me what the impact is and what action I can take?
Not here, really. This is the Linux Security forum and you're talking IIS. I do not want to give specific advice for running IIS here: I would have to move the thread to the /General forum.

In the broadest terms, you should strip installation defaults, configure it as strictly as possible, and update and harden a server before allowing public access to it.

Qnnnnnn = MICROS~1 fixes
CAN- = CVE
CA- = CERT (cert.org/advisories)
SNS- = Japanese (en version here: http://attrition.org/security/advisory/sns/)
BID- = //I don't know these
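As an added example (not code from this thread or from the Nikto project), here is a small Python parser for Nikto 1.x report lines of the kind pasted above. It reads each "+" finding line into path, HTTP method and message (the two things asked about in post #3), pulls out the reference tags and labels them by prefix following unSpawn's list (CAN- is a CVE candidate tag, Qnnnnnn a Microsoft hotfix, CA- a CERT advisory, SNS- the Japanese advisory series), records the scan's own false-positive caveats (no Server string, 403 instead of 404, the "Over 20 OK messages" warning) so that findings are not taken at face value, and reads the closing summary. The BID- mapping to SecurityFocus Bugtraq IDs, which the thread leaves open, is the editor's addition; the sample report is constructed from lines quoted in this thread.

```python
import re

# Constructed sample, assembled from the Nikto 1.x report lines quoted in this thread.
SAMPLE_REPORT = """\
- Nikto 1.35/1.34 - www.cirt.net
+ Target Port: 80
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server ID string not sent
+ Server does not respond with '404' for error messages (uses '403').
+ This may increase false-positives.
+ /index.html.de - Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. (GET)
+ /iissamples/exair/howitworks/Codebrw1.asp - This is a default IIS script/file which should be removed, it may allow a DoS against the server. CAN-1999-0738. MS99-013. CVE-1999-0449. BID-193. (GET)
+ /xxxxxxxxxxabcd.html - The IIS server may be vulnerable to Cross Site Scripting (XSS) in error messages, ensure Q319733 is installed, see MS02-018, CVE-2002-0075, SNS-49, CA-2002-09 (GET)
+ Over 20 "OK" messages, this may be a by-product of the
+ server answering all requests with a "200 OK" message. You should
+ manually verify your results.
+ 3311 items checked - 1496 item(s) found on remote host(s)
"""

# A finding line reads "+ <path> - <message> (<HTTP method>)".  The leading "+" marks a
# result line rather than a "-" status/comment line; the method in parentheses is the
# HTTP verb Nikto used for that probe.
HTTP_METHODS = "GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT"
FINDING_RE = re.compile(
    r"^\+ (?P<path>/\S*) - (?P<msg>.*?) \((?P<method>" + HTTP_METHODS + r")\)\s*$"
)
SUMMARY_RE = re.compile(r"^\+ (?P<checked>\d+) items checked - (?P<found>\d+) item\(s\) found")

# Reference tag prefixes and where to look them up.  CVE/CAN, Q, CA and SNS follow
# unSpawn's list in this thread; BID = SecurityFocus Bugtraq ID is the editor's addition.
REF_PATTERNS = {
    "CVE":   (re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b"), "cve.mitre.org (CAN- is an older CVE candidate tag)"),
    "MS":    (re.compile(r"\bMS\d{2}-\d{3}\b"),            "Microsoft security bulletin"),
    "Q":     (re.compile(r"\bQ\d{6}\b"),                   "Microsoft Knowledge Base hotfix"),
    "CA":    (re.compile(r"\bCA-\d{4}-\d{2}\b"),           "CERT advisory (cert.org/advisories)"),
    "SNS":   (re.compile(r"\bSNS-\d+\b"),                  "SNS advisory (attrition.org/security/advisory/sns/)"),
    "BID":   (re.compile(r"\bBID-\d+\b"),                  "SecurityFocus Bugtraq ID"),
    "OSVDB": (re.compile(r"\bOSVDB-\d+\b"),                "osvdb.org"),
}

# Conditions the scanner itself reports that inflate false positives and mean "verify by hand".
CAVEAT_MARKERS = (
    "Server ID string not sent",
    "does not respond with '404'",
    'Over 20 "OK" messages',
)


def extract_refs(message):
    """Return (kind, tag) pairs for every reference identifier in a finding message."""
    refs = []
    for kind, (pattern, _source) in REF_PATTERNS.items():
        refs.extend((kind, tag) for tag in pattern.findall(message))
    return refs


def lookup_source(kind):
    """Where to go to read up on a tag of the given kind."""
    return REF_PATTERNS[kind][1]


def parse_report(text):
    """Split a Nikto 1.x text report into findings, scan caveats and the closing summary."""
    findings, caveats, summary = [], [], {}
    seen = set()
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings.append({
                "path": m["path"],
                "method": m["method"],
                "message": m["msg"],
                "refs": extract_refs(m["msg"]),
            })
            continue
        s = SUMMARY_RE.match(line)
        if s:
            summary = {"checked": int(s["checked"]), "found": int(s["found"])}
            continue
        for marker in CAVEAT_MARKERS:
            if marker in line and marker not in seen:
                seen.add(marker)
                caveats.append(line.lstrip("+- ").rstrip())
    return {"findings": findings, "caveats": caveats, "summary": summary}


def needs_manual_verification(report):
    """True when the scanner warned that its own results are unreliable."""
    return bool(report["caveats"])


def triage(report):
    """Order findings so the ones backed by a public reference tag come first."""
    return sorted(report["findings"], key=lambda f: (not f["refs"], f["path"]))


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for c in report["caveats"]:
        print("caveat:", c)
    for f in triage(report):
        tags = ", ".join(f"{tag} [{lookup_source(kind)}]" for kind, tag in f["refs"]) or "no reference tag"
        print(f"{f['method']} {f['path']}: {tags}")
    print("summary:", report["summary"], "verify manually:", needs_manual_verification(report))
```

Findings with a CVE/CAN, MS or CA tag are the ones with a public write-up and a fix to check for; findings without any tag (the Apache default-file lines on an IIS box, for instance) are the ones most likely to be artefacts of a server that answers every request with 200 or 403, which is exactly the situation the caveat lines describe.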