httpd-dev mailing list archives

From apache-...@yihye-beseder.no-ip.com
Subject Help with newbie configuration on Win32/nikto problems
Date Sun, 10 Oct 2004 18:25:07 GMT
Trying to use Nikto to verify my win32 WinXP SP2 SSL hand-compiled 
Apache server. (I know, I should use a REAL O/S, but I am not in the 
position right now to make the leap, as of yet).  

Apache 2.0.52
running nikto 1.34

Here is my output:

> perl nikto.pl -h localhost
-------------------------------------------------------------------------
--
- Nikto 1.34/1.29 - www.cirt.net
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: Fri Oct 8 21:14:55 2004
-------------------------------------------------------------------------
--
- Scan is dependent on "Server" string which can be faked, use -g to 
override
+ Server: Apache
- Server did not understand HTTP 1.1, switching to HTTP 1.0
+ Server does not respond with '404' for error messages (uses '400').
+ This may increase false-positives.
+ Allowed HTTP Methods: GET,HEAD,POST,OPTIONS,TRACE
+ HTTP method 'TRACE' is typically only used for debugging. It should be 
disabled.
+ / - Appears to be a default Apache install. (GET)
+ /icons/ - Directory indexing is enabled, it should only be enabled for 
specific directories (if required). If indexing is not used all, the 
/icons directory should be removed. (GET)
+ 2449 items checked - 2 item(s) found on remote host(s)
+ End Time: Fri Oct 8 21:16:46 2004 (111 seconds)
-------------------------------------------------------------------------
--
+ 1 host(s) tested


> perl nikto.pl -h localhost -p 443
-------------------------------------------------------------------------
--
- Nikto 1.34/1.29 - www.cirt.net
+ No HTTP(s) ports found on localhost / 443
+ 1 host(s) tested

>

==========================
Ok, why doesn't it see port 443 as SSL? 
netstat -an reports:
  TCP    127.0.0.1:443          0.0.0.0:0              LISTENING

I can get to it using https://localhost/ all day long and I have 
installed the Net::SSLeay plugin, otherwise I would get a message that 
SSL wasn't available at all.  

Why does it say that HTTP 1.1 isn't supported?

Is the 400 vs. 404 issue a problem?

As to the TRACE option, I am loading the rewrite module and have:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
at the end of my httpd.conf file, but still no soap.

Is this "+ / - Appears to be a default Apache install. (GET)" a problem? 
If so, what can I do about it?

Please advise about any other part of my httpd.conf file or other file I 
need to post.

Any help would be greatly appreciated.

Thanks.
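
Added example, not part of the original message: the method list a server advertises in its `Allow` header and what it does with an actual TRACE request are separate observations, so this check records both. The names `probe`, `verdict`, `StubHandler`, `MARKER` and the `X-Probe` header are hypothetical, and the stub server is a constructed stand-in so the demo runs offline; point `probe()` at your own host to test it.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "trace-probe-7f3a"  # constructed value; an enabled TRACE echoes it back

def probe(host, port=80, timeout=5):
    """Return (Allow header from OPTIONS, TRACE status, whether MARKER was echoed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "/")
        resp = conn.getresponse()
        allow = resp.getheader("Allow", "")
        resp.read()  # drain so the connection can be reused or reopened
        conn.request("TRACE", "/", headers={"X-Probe": MARKER})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        return allow, resp.status, MARKER in body
    finally:
        conn.close()

def verdict(allow, status, echoed):
    """Separate what the server advertises from what it actually does."""
    advertised = "TRACE" in [m.strip().upper() for m in allow.split(",")]
    if status == 200 and echoed:
        return "enabled"
    return "refused-but-advertised" if advertised else "refused"

class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in server: lists TRACE in Allow, answers TRACE with 403."""
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET,HEAD,POST,OPTIONS,TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_TRACE(self):
        self.send_error(403)

def demo():
    srv = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return verdict(*probe("127.0.0.1", srv.server_port))
    finally:
        srv.shutdown()

if __name__ == "__main__":
    print(demo())
```

A result of `refused-but-advertised` means the method is blocked even though a listing built from the `Allow` header still names it.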



