Anda di halaman 1dari 2

- ***** SSL support not available (see docs for SSL install instructions) *****

--------------------------------------------------------------------------- Nikto 2.02/2.03


cirt.net
+ Target IP:
127.0.0.1
+ Target Hostname: localhost
+ Target Port:
80
+ Start Time:
2008-04-29 7:30:07
--------------------------------------------------------------------------+ Server: Microsoft-IIS/5.1
- Root page / redirects to: localstart.asp
- Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE
, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for de
bugging and should be disabled. This message does not mean it is vulnerable to X
ST.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove
files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to s
ave files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change f
ile locations on the web server.
+ OSVDB-13431: HTTP method ('Allow' Header): 'PROPFIND' may indicate DAV/WebDAV
is installed. This may be used to get directory listings if indexing is allowed
but a default page exists.
+ OSVDB-425: HTTP method ('Allow' Header): 'PROPPATCH' indicates DAV/WebDAV is i
nstalled.
+ OSVDB-: HTTP method ('Allow' Header): 'SEARCH' indicates DAV/WebDAV is install
ed, and may be used to get directory listings if Index Server is running.
- Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE,
MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-877: HTTP method ('Public' Header): 'TRACE' is typically only used for d
ebugging and should be disabled. This message does not mean it is vulnerable to
XST.
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remov
e files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to
save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change
file locations on the web server.
+ OSVDB-13431: HTTP method ('Public' Header): 'PROPFIND' may indicate DAV/WebDAV
is installed. This may be used to get directory listings if indexing is allowed
but a default page exists.
+ OSVDB-425: HTTP method ('Public' Header): 'PROPPATCH' indicates DAV/WebDAV is
installed.
+ OSVDB-: HTTP method ('Public' Header): 'SEARCH' indicates DAV/WebDAV is instal
led, and may be used to get directory listings if Index Server is running.
+ OSVDB-0: Retrieved X-Powered-By header: ASP.NET
+ Microsoft-IIS/5.1 appears to be outdated (4.0 for NT 4, 5.0 for Win2k)
+ OSVDB-396: GET /_vti_bin/shtml.exe : Attackers may be able to crash FrontPage
by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-0: GET /junk.aspx : ASP.net reveals its version in invalid .aspx error m
essages.
+ OSVDB-3092: POST /_vti_bin/shtml.dll/_vti_rpc?method=server+version%3a4%2e0%2e
2%2e2611 : Gives info about server settings. CAN-2000-0413, CAN-2000-0709, CAN-2
000-0710, BID-1608, BID-1174.
+ OSVDB-3092: POST /_vti_bin/shtml.exe/_vti_rpc?method=server+version%3a4%2e0%2e
2%2e2611 : Gives info about server settings.
+ OSVDB-3233: GET /postinfo.html : Microsoft FrontPage default file found.
+ OSVDB-1210: GET /scripts/samples/search/qfullhit.htw : Server may be vulnerabl
e to a Webhits.dll arbitrary file retrieval. MS00-006.

+ OSVDB-1210: GET /scripts/samples/search/qsumrhit.htw : Server may be vulnerabl


e to a Webhits.dll arbitrary file retrieval. MS00-006.
+ OSVDB-1210: GET /Nxjw9.htw : Server may be vulnerable to a Webhits.dll arbitra
ry file retrieval. Ensure Q252463i, Q252463a or Q251170 is installed. MS00-006.
+ OSVDB-877: TRACK / : TRACK option ('TRACE' alias) appears to allow XSS or cred
ential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.p
df for details
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. Se
e http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ Default account found for 'localhost' at /localstart.asp (ID 'administrator',
PW '1234'). IntelliTouch Voip Broadband phone
- Successfully authenticated to realm "localhost".
+ OSVDB-3092: GET /localstart.asp : This may be interesting...
+ OSVDB-3233: GET /_vti_bin/shtml.exe/_vti_rpc : FrontPage may be installed.
+ OSVDB-3233: GET /_vti_inf.html : FrontPage is installed and reveals its versio
n number (check HTML source for more information).
+ 2967 items checked: 32 item(s) reported on remote host
+ End Time:
2008-04-29 7:30:07 (14 seconds)
--------------------------------------------------------------------------+ 1 host(s) tested