Full Report
A new version of Wikto is also available, which provides a more reliable web spider and also includes some minor bugfixes. More details regarding Wikto are available at http://www.sensepost.com/research/wikto
Analysis Summary
# Tool/Technique: Wikto
## Overview
Wikto is a security tool for web application security testing, focused on web spidering and on discovering vulnerabilities or potentially sensitive information on web servers. The update mentioned provides improved web spider functionality.
## Technical Details
- Type: Tool
- Platform: Web servers/Environments accessible via HTTP/HTTPS
- Capabilities: Web spidering, testing web applications for vulnerabilities (implied by its nature as a security tool).
- First Seen: The version update was published on 08 October 2007.
## MITRE ATT&CK Mapping
As Wikto is a tool used primarily for **Reconnaissance** and **Discovery** against web applications, the primary mappings relate to those phases.
- **TA0043 - Reconnaissance**
  - T1595 - Active Scanning
    - T1595.002 - Internet Scan (Applies to broad web scanning/discovery)
- **TA0003 - Discovery**
  - T1046 - Network Service Scanning (Applicable if testing exposed ports/services)
## Functionality
### Core Capabilities
- Web Spidering: Discovering pages, links, and directories within a target web application.
- Minor bugfixes (mentioned in the update).
### Advanced Features
- More reliable web spider (Specific improvement in this version).
- Detailed functionality, including vulnerability scanning against web applications, is available via the linked documentation (though not detailed in the provided excerpt).
## Indicators of Compromise
- File Hashes: N/A (not provided)
- File Names: N/A (not provided)
- Registry Keys: N/A
- Network Indicators: N/A (tool usage indicators depend on the specific test being run)
- Behavioral Indicators: Spidering/crawling behavior against web servers
## Associated Threat Actors
- This tool is typically associated with authorized security testers, pentesters, or potentially malicious actors performing unauthorized reconnaissance against web applications. No specific threat group is named in relation to this update.
## Detection Methods
- Signature-based detection: Signatures can be developed for the specific executables/scripts known as Wikto.
- Behavioral detection: Anomalous, high-volume HTTP request patterns characteristic of a web spider or scanner, originating from a user agent associated with Wikto.
- YARA rules: N/A
## Mitigation Strategies
- Implement robust Web Application Firewalls (WAFs) to detect and rate-limit aggressive scanning and spidering activity.
- Configure strict rate-limiting on web servers to prevent enumeration.
- Use CAPTCHAs on initial access points to deter automated scanning.
- Employ detailed logging and monitoring of HTTP request volumes and user agents.
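
The behavioral detection and the request-volume and user-agent monitoring listed above can be prototyped against a web server access log. The following is an added example, not part of the original report or of Wikto: it assumes Combined Log Format, and the function names, the thresholds (20 distinct paths within 60 seconds) and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip malformed lines instead of aborting the run
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string so /page?id=1 and /page?id=2 count as one path.
    return (m["ip"], m["ua"]), ts, m["path"].split("?", 1)[0], int(m["status"])

def find_crawlers(lines, window=timedelta(seconds=60), min_paths=20):
    """Map (ip, user_agent) -> (peak distinct paths in any window, share of 404s
    in that window) for clients reaching min_paths. Thresholds are assumptions."""
    by_client = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_client[rec[0]].append(rec[1:])
    flagged = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start forward
            win = events[start:end + 1]
            paths = len({p for _, p, _ in win})
            if paths >= min_paths and paths > flagged.get(client, (0, 0))[0]:
                share_404 = sum(s == 404 for _, _, s in win) / len(win)
                flagged[client] = (paths, round(share_404, 2))
    return flagged

def sample_log():
    """Constructed access-log lines: one ordinary browser, one crawler-like client."""
    fmt = '{ip} - - [08/Oct/2007:10:{m:02d}:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 512 "-" "{ua}"'
    lines = [fmt.format(ip="192.0.2.10", m=i * 2, s=0, p=f"/article/{i}", st=200,
                        ua="Mozilla/5.0 (constructed browser)") for i in range(5)]
    lines += [fmt.format(ip="198.51.100.7", m=0, s=i, p=f"/dir{i}/", st=404 if i % 2 else 200,
                         ua="example-spider/0.0 (constructed)") for i in range(30)]
    return lines + ["not a log line"]

if __name__ == "__main__":
    for (ip, ua), (paths, share) in find_crawlers(sample_log()).items():
        print(f"{ip} [{ua}]: {paths} distinct paths in 60s, {share:.0%} 404")
```

Grouping by both client address and user agent keeps the user agent visible for triage; the distinct-path threshold should be tuned against the site's normal traffic before alerting on it.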
## Related Tools/Techniques
- Web Proxies/Spidering tools (e.g., Burp Suite Spider, OWASP ZAP Spider).
- Other web application security scanners.