Full Report
Over the past while we have been getting emails from people trying to figure out why they had entries like this in their http log files:

```
10.10.1.136 - - [32/Dec/2007:25:61:07 +0200] "GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 -
```

Recently a concerned Wikto user figured out that this was linked to him using Wikto (our Win32 Nikto Replacement + Directory / File / Back-End Miner). A snippet from his email read:

> -snip-
> I sniffed the traffic going out from my host going to the target host and in fact this is the result:
>
> HTTP GET /admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.0
>
> All the requests are full of this... Well, at this point the questions are two:
> 1) You have a strange sense of humor.
> 2) You have been compromised.
> Waiting for feedback,
Analysis Summary
# Tool/Technique: Wikto
## Overview
Wikto is a Win32 Nikto replacement tool developed by SensePost. Its purpose is to perform directory, file, and back-end mining against web servers, often used during penetration testing activities. The observed activity in web server logs relates to a specific, humorous string used internally by Wikto during its testing methodology to discern whether a requested resource actually exists, even when the server returns non-standard error codes (like a 200 OK with an error message instead of a 404).
## Technical Details
- Type: Tool
- Platform: Win32 (Native Windows application)
- Capabilities: Directory/File/Back-End Miner, Web Server Scanning. Compares responses to known non-existent files to determine actual resource existence, bypassing servers that return "friendly 404s" (200 OK responses displaying an error page).
- First Seen: Activity observed in late 2007 logs, article published January 2008.
## MITRE ATT&CK Mapping
The primary function of Wikto aligns with reconnaissance and resource discovery phases of an attack.
- **TA0043 - Reconnaissance**
- T1598 - Gather Victim Identity Information (If used externally to map infrastructure)
- T1595 - Active Scanning
- T1595.002 - Internet Scan (Scanning web services)
- **TA0001 - Initial Access** (Less direct, but scanning can precede exploitation attempts)
- T1190 - Exploit Public-Facing Application (If the tool is checking for known vulnerable pages/files)
## Functionality
### Core Capabilities
- **Directory and File Discovery:** Attempts to locate hidden or existing files and directories on the target web server.
- **Back-End Mining:** Probes the underlying technology stack of the web application.
- **Non-Standard Error Handling:** Utilizes a unique methodology where it requests a genuinely non-existent file (like `/admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp`) and compares the server response against the response for a file it is actually checking (e.g., `login.asp`). If the responses are similar—even if neither returns a 404—it deduces the requested resource is likely missing. This helps bypass servers intentionally configured to obscure 404 errors.
### Advanced Features
- **Humorous Probing String:** The specific probing string (`dat_Gareth_at_sensepost_hackslikeagirl_.asp`) acts as a signature of the tool's internal logic. The article notes this string was made user-configurable in newer builds.
- **Java Port Development:** Mention of a Java port (`wiktoJ?`) suggests cross-platform capability was being pursued.
## Indicators of Compromise
The primary IOCs associated with the observed activity stem from the tool's characteristic probing requests logged in web server access logs.
- File Hashes: N/A (Tool execution artifacts not detailed)
- File Names: N/A (Tool execution artifacts not detailed)
- Registry Keys: N/A
- Network Indicators: Requests containing the string pattern: `GET /admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp`
- Behavioral Indicators: Unusual frequency of HTTP GET requests to paths containing known internal probing strings; observation of server responses being analyzed for content similarity rather than standard response codes (4xx/5xx).
## Associated Threat Actors
- Primarily used by **Penetration Testers and Security Researchers** associated with SensePost or users utilizing their tools openly. Not associated with established malicious APT groups based on this context.
## Detection Methods
- **Signature-based detection:** Search web server access logs for the specific request URI containing the string pattern detailed above.
- **Behavioral detection:** Monitoring for high volumes of seemingly random or intentionally obscure file requests targeted at common administrative paths (`/admin/`).
- **YARA rules:** Not applicable for log-based detection, but could be created for endpoint detection if the executable were present.
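As an added example (not code from the original article or from SensePost), the two log-based checks above implemented over constructed access-log lines: a signature match on the default probe string, plus the behavioural heuristic of one source making many distinct 404-ing requests under `/admin/`. The `threshold` value and the sample lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Default Wikto probe string quoted on this page (newer builds let users change it).
WIKTO_PROBE = "dat_Gareth_at_sensepost_hackslikeagirl_.asp"

# Common log format; the timestamp is matched loosely on purpose, because the
# entry quoted on this page carries an invalid date and must still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def has_wikto_signature(path, probe=WIKTO_PROBE):
    """Signature check: the probe string appears anywhere in the request path."""
    return probe in path

def analyze(lines, admin_prefix="/admin/", threshold=5):
    """Return (signature_hits, noisy_sources): IPs whose requests contained the
    probe string, and IPs with at least `threshold` distinct 404s under admin_prefix."""
    sig_hits, admin_404s = [], defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = "/" + rec["path"].lstrip("/")  # collapse the leading '//' seen in the quoted log
        if has_wikto_signature(path):
            sig_hits.append(rec["ip"])
        if path.startswith(admin_prefix) and rec["status"] == "404":
            admin_404s[rec["ip"]].add(path)
    noisy = sorted(ip for ip, paths in admin_404s.items() if len(paths) >= threshold)
    return sig_hits, noisy

# Constructed sample: the first line mirrors the entry quoted on this page; the
# others are made-up noise from a scanner walking /admin/ plus one benign client.
SAMPLE_LOG = [
    '10.10.1.136 - - [32/Dec/2007:25:61:07 +0200] "GET //admin/dat_Gareth_at_sensepost_hackslikeagirl_.asp HTTP/1.1" 404 -',
] + [
    f'10.10.1.136 - - [01/Jan/2008:10:00:{i:02d} +0200] "GET /admin/{name} HTTP/1.1" 404 -'
    for i, name in enumerate(["login.asp", "db.asp", "backup.zip", "config.inc", "test.asp"])
] + [
    '192.0.2.7 - - [01/Jan/2008:10:01:00 +0200] "GET /index.html HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    hits, noisy = analyze(SAMPLE_LOG)
    print("signature hits:", hits)
    print("noisy /admin/ sources:", noisy)
```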
## Mitigation Strategies
- **Inbound Log Monitoring:** Maintain and actively inspect web server access logs, as the user concerned rightfully did.
- **Hardening Web Server Responses:** Returning standard HTTP error codes (such as 404) consistently is not in itself a security control, but it keeps logs unambiguous; where tool activity must be caught, deploy a WAF/IPS that monitors for known tool signatures.
- **Use of Parameterized Probing Strings:** If configuring the tool, users should change the unique probe string to avoid easy detection by signatures targeting the default string.
## Related Tools/Techniques
- **Nikto:** Wikto is explicitly described as a "Win32 Nikto Replacement."
- **Web Scanners/Vulnerability Scanners:** General class of tools performing automated discovery against web applications (e.g., DirBuster, Gobuster, Wfuzz).