Burp Tip of the Day - Nikto db import
Saturday, October 10, 2009 at 8:31AM CKTricky over at http://cktricky.blogspot.com has been running an awesome Burp Tip of the Day series on his blog. After seeing him use Nikto through Burp. I decided to see if I could just export the list of checks to a text file so that I could use them over and over in Intruder. After a bit of awk and sed hell I figured it out, and submited it to him for acceptance to his BTotD series. Yesterday it was posted ;-)
Here: http://cktricky.blogspot.com/2009/10/btod-importing-nikto-db-to-intruder.html
Here is the ugly command I came up with:
cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN//' | sed 's/^\///' > ~/nikto_burp.txt
What you are sacrificing here are the checks for the CGIDIRS, ADMIN, NUKE, POSTNUKE, and PHPMYADMIN interfaces. Personally, I've modified this script a bit, but you can modify it how best fits your tests:
cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS/cgi\-bin\//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN/phpMyAdmin\//' | sed 's/^\///' > ~/nikto_burp.txt
So that I could cover at least the most common cgi and phpmyadmin directories