top of page

Nikto- A Beginner's Guide

mknsec

Updated: Jul 18, 2022



Introduction

Nikto is an open source web server and web application scanner. Nikto can perform comprehensive tests against web servers for multiple security threats, including over 6700 potentially dangerous files/programs. Nikto can also perform checks for outdated web servers software, and version-specific problems. Nikto was written and maintained by Sullo, CIRT, Inc. It is written in Perl and was originally released in late 2001.

Here are some of the cool things that Nikto can do:

  • Find SQL injection, XSS, and other common vulnerabilities

  • Identify installed software (via headers, favicons, and files)

  • Guess subdomains

  • Includes support for SSL (HTTPS) websites

  • Saves reports in plain text, XML, HTML or CSV

  • “Fish” for content on web servers

  • Report unusual headers

  • Check for server configuration items like multiple index files, HTTP server options, and so on

  • Has full HTTP proxy support

  • Guess credentials for authorization (including many default username/password combinations)

  • Is configured with a template engine to easily customize reports

  • Exports to Metasploit

Installation:

Since Nikto is a Perl-based program, it can run on most operating systems with the necessary Perl interpreter installed.

If you’re using Kali Linux, Nikto comes preinstalled and will be present in the “Vulnerability Analysis” category.

If you don’t have Nikto on Kali (for some reason), you can get Nikto from GitHub or just use the “apt install nikto” command.

How to Scan with Nikto

Now that you know what Nikto is and how to install it, let's go ahead and run some scans.

Warning:

Before we get into scanning, I want to emphasize that I am not responsible for any damage you do trying to attack systems. Doing so is illegal.


You should have written permission before you ever try to scan a system or network.

Since Nikto is a command-line tool, you can use the help command to get a list of options:

> nikto -Help



How to Scan a Domain

To perform a simple domain scan, use the -h (host) flag:

> nikto -h testphp.vulnweb.com


Nikto will perform a basic scan on port 80 for the given domain and give you a complete report based on the scans performed:




How to Scan a Domain with SSL Enabled

For domains with HTTPS enabled, you have to specify the -ssl flag to scan port 443:

> nikto -h https://hackthissite.org/ -ssl



How to Scan an IP Address

Sometimes you just want to scan an IP address where a web server is hosted.

To do that, use the same -h flag you used for domain scanning:

> nikto -h 137.74.187.102





How to Scan Multiple IP Addresses From a Text File

To scan multiple IP addresses or domains, just put them in a text file separated by newlines. Nikto will know that the scan has to be performed on each domain / IP address.

Let's assume we have a file named domains.txt with two domain names:

  • testphp.vulnweb.com

  • hackthisite.org

To scan both of them with Nikto, run the following command:

> nikto -h domains.txt

Nikto will start scanning the domains one after the other:





How to Export Scan Results

Nikto scans take a while to complete. When you are a professional pen-tester, you don't want to repeat scans very often unless there are major changes to the web application.

To export a scan result, use the -o flag followed by the file name:

> nikto -h testphp.vulnweb.com -o scan.txt

You can also use the -Format flag to specify an output format. You can choose from CSV, HTML, nbe (Nessus format), SQL, txt, and XML:

> nikto -h testphp.vulnweb.com -o scan.csv -Format csv



How to Pair Nikto with Metasploit

Metasploit is a powerful framework that lets you do everything from scanning to exploiting systems.

Nikto offers a way to export scans to Metasploit so that it gets easier when you try to exploit systems based on the scan results from Nikto.

To do that, append the -Format msf+ flag to the end of a scan:

$ nikto -h <domain/ip> -Format msf+


Great alternatives include Arachini, OWASP ZAP, and Skipfish.




 
 
 

Comments


  • Instagram
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube

COPYRIGHT © 2022  |  SECURITY ERA  |  ALL RIGHTS RESERVED  

bottom of page