Full Report
The latest version of Wikto (2.1) is available for download here. New features include time anomaly reporting and easier access to findings. A few bugfixes have also been made (thanks to some valuable user feedback). Happy holidays from the research and dev team. ./frankieg (v2.1 XMAS image)
Analysis Summary
# Tool/Technique: Wikto (v2.1 XMAS edition)
## Overview
Wikto is a security tool developed by SensePost, primarily designed for web application reconnaissance and vulnerability scanning. This version (2.1 XMAS edition) introduces new features focused on reporting time anomalies and improving the accessibility of scan results.
## Technical Details
- Type: Tool
- Platform: Not explicitly stated. The tool targets web servers and applications, so it runs from any Windows or Linux host capable of running a web scanner.
- Capabilities: Web application discovery, vulnerability scanning, time anomaly reporting (new feature).
- First Seen: December 15, 2008 (for this specific release)
## MITRE ATT&CK Mapping
*Since Wikto is a reconnaissance and scanning tool, the primary mapping focuses on the Reconnaissance tactic.*
- TA0043 - Reconnaissance
- T1595 - Active Scanning
- T1595.002 - Internet Scan
- T1598 - Gather Victim Identity Information (Potentially by discovering sensitive application paths/files)
## Functionality
### Core Capabilities
- Web application scanning and discovery.
- Bugfixes applied from user feedback to improve stability.
- Easier access to scan findings.
### Advanced Features
- **Time Anomaly Reporting:** Reporting discrepancies in how long different responses take, which can hint at specific back-end technologies or potential logic weaknesses.
## Indicators of Compromise
*(Note: As a legitimate security tool, standard IoCs for malware are not applicable. Indicators would relate to the network traffic generated during its active scans.)*
- File Hashes: N/A (Download link provided in text)
- File Names: Wikto (v2.1 XMAS image)
- Registry Keys: N/A
- Network Indicators: Request signatures associated with active web application scanning (e.g., a high volume of HTTP requests probing common directories like `/admin`, `/backup`, etc.).
- Behavioral Indicators: Rapid, sequential requests targeting various resources on a web server, typical of automated scanning tools.
## Associated Threat Actors
- Not associated with specific malicious threat actors, as it is a publicly available security testing tool.
## Detection Methods
- Signature-based detection: Web Application Firewall (WAF) rules tuned to recognized Wikto request patterns.
- Behavioral detection: Network Intrusion Detection Systems (NIDS) flagging high-frequency, systematic scanning activity directed at web applications.
- YARA rules: Not applicable for network tools unless specific binary signatures are sought.
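The behavioral detection described above, as an added example that is not part of the original report or of Wikto itself: a small Python check over constructed access log lines (combined log format) that flags a client issuing many distinct path probes in a short window, most of them answered with 4xx. The thresholds (`window_s`, `min_requests`, `min_error_ratio`) are assumed starting values to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for illustration, not captured traffic.
# 10.0.0.5 behaves like an automated scanner; 192.0.2.10 is an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2008:10:00:00 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
10.0.0.5 - - [15/Dec/2008:10:00:00 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
10.0.0.5 - - [15/Dec/2008:10:00:01 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "Mozilla/4.0"
10.0.0.5 - - [15/Dec/2008:10:00:01 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
10.0.0.5 - - [15/Dec/2008:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
10.0.0.5 - - [15/Dec/2008:10:00:02 +0000] "GET /tmp/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
192.0.2.10 - - [15/Dec/2008:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Dec/2008:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
"""

# client, timestamp, method, path, status from a combined-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path, int(status)

def find_scanners(log_text, window_s=10, min_requests=5, min_error_ratio=0.8):
    """Return {ip: stats} for clients whose traffic looks like automated probing:
    many distinct paths inside a short window, mostly answered with 4xx."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            per_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])
        span = (recs[-1][1] - recs[0][1]).total_seconds()
        paths = {r[2] for r in recs}
        errors = sum(1 for r in recs if 400 <= r[3] < 500)
        ratio = errors / len(recs)
        if len(recs) >= min_requests and span <= window_s and len(paths) >= min_requests and ratio >= min_error_ratio:
            flagged[ip] = {"requests": len(recs), "distinct_paths": len(paths),
                           "span_s": span, "error_ratio": ratio}
    return flagged
```

On the sample data only 10.0.0.5 is flagged; a real deployment would evaluate sliding windows rather than the whole span per client.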
## Mitigation Strategies
- Prevention measures: Implement strong Web Application Firewalls (WAFs) to filter malicious or excessive traffic patterns. Rate-limit incoming requests per IP address.
- Hardening recommendations: Ensure all web applications are patched and securely configured, so that a scanner such as Wikto run with default settings obtains minimal information beyond generic error codes.
## Related Tools/Techniques
- General web application scanners (e.g., Nikto, OWASP ZAP, Burp Suite Scanner).