Grey bar Blue bar
Share this:

Tue, 8 Jan 2008

Strange Entries in your wbeserver logs, Wikto and questions about our Gender!

Over the past while we have been getting emails from people trying to figure out why they had entries like this in their http log files:

10.10.1.136 - - [32/Dec/2007:25:61:07 +0200] "GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 - Recently a concerned Wikto user figured out that this was linked to him using Wikto (our Win32 Nikto Replacement + Directory / File / Back-End Miner). A snippet from his email read:

-snip-

I sniffed the traffic going out from my host going to the target host and infact this is the result: HTTP GET /admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.0 All the requests are full of this... Well, at this point the questions are two: 1) You have a strange sense of humor. 2) You have been compromised. Waiting for a feedback,

-snip-

We replied to his email to allay his concerns, but the question comes up often enough, so i figured i would paste our response here:

-snip-

Hi XXXXX..

The quick short answer is: a strange sense of humour..

As you probably know, part of Wikto's advantage over other scanners is that it doesnt rely on the HTTP response code coming back from the server to make its decisions. This is why an HTTP server that responds with "friendly 404" messages (a 200 with an error) throw simple scanners off..

Instead Wikto asks for a resource that does not exist (but that looks similar to your request.. i.e. if you wanted login.asp we first look for [strange_file_that_will_never_be_there].asp and then we compare the response to looking for login.asp

if both pages return a similar result, even if its not a 400 message, we can conclude that the resource isnt there.. During the last build our lead developer (ian@sensepost.com) had a minor turf war with one of our lead analysts (gareth@sensepost.com) that probably started over some life and death matter like coffee, pool or foosball..

Gareth used a host name of ian.devs.like.a.girl in some article/chapter he wrote on penetration testing, so when ian needed a [strange_file_that_will_never_be_there] he came up with the obvious choice.. now everyone who scans using wikto loudly testifies to: a) our strange sense of humour b) that ian won that round! :> -snip-

(In the new build this string is user configurable, so you can insult members of your team while pen-testing too..)

So there you have it.. If you have seen it in your logs:

a) Congrats! - The fact that you even check your logs is admirable

b) Dont worry (unless you have hidden directories, backup files, etc lying around - cause chances are Wikto will find it)

/mh

Oh.. for the "windows_sucks_and_i_dont_want_to_boot_a_vm_image_to_run_this_tool" brigade, i have it on good authority that ian's Java port of Wikto (wiktoJ ?) is being dusted and polished.. so watch this space..