Nikto is a very popular and easy to use webserver assessment tool to find potential problems and vulnerabilities very quickly. This tutorial shows you how to scan webservers for vulnerabilities using Nikto in Kali Linux. Nikto comes standard as a tool with Kali Linux and should be your first choice when pen testing webservers and web applications. Nikto is scanning for 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers according to the official Nikto website. You should know that Nikto is not designed as a stealthy tool and scans the target in the fastest way possible which makes the scanning process very obvious in the log files of an intrusion detection systems (IDS).
Nikto comes with the following features:
Features
These are some of the major features in the current version:
- SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s
Perl/NetSSL) - Full HTTP proxy support
- Checks for outdated server components
- Save reports in plain text, XML, HTML, NBE or CSV
- Template engine to easily customize reports
- Scan multiple ports on a server, or multiple servers via input file (including nmap output)
- LibWhisker’s IDS encoding techniques
- Easily updated via command line
- Identifies installed software via headers, favicons and files
- Host authentication with Basic and NTLM
- Subdomain guessing
- Apache and cgiwrap username enumeration
- Mutation techniques to “fish” for content on web servers
- Scan tuning to include or exclude entire classes of vulnerability
checks - Guess credentials for authorization realms (including many default id/pw combos)
- Authorization guessing handles any directory, not just the root
directory - Enhanced false positive reduction via multiple methods: headers,
page content, and content hashing - Reports “unusual” headers seen
- Interactive status, pause and changes to verbosity settings
- Save full request/response for positive tests
- Replay saved positive requests
- Maximum execution time per target
- Auto-pause at a specified time
- Checks for common “parking” sites
- Logging to Metasploit
- Thorough documentation
Another nice feature in Nikto is the possibility to define the test using the -Tuning parameter. This will let you run only the tests you need which can save you a lot of time:
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)
Nikto has it’s own updating mechanism. We encourage you to check for updates before using Nikto. Nikto can be updated using the following command:
nikto -update
Scanning webservers with Nikto
Let’s start Nikto to scan for interesting files with option 1 using the following command:
nikto -host [hostname or IP]-Tuning 1
Please not that may be illegal and punishable by law to scan hosts without written permission. Do not use nikto on HackingTutorials.org but use Virtual machines for practice and test purposes.
Nikto will now display the Apache, OpenSSL and PHP version of the targeted webserver. Also it will give you an overview of possible vulnerabilities including the Open Source Vulnerabilities Database (OSVDB) reference. When you search the OSVDB website for the reference code it will explain the possible vulnerability in more detail. The OSVDB project currently covers more than 120,980 vulnerabilities, spanning 198,973 products from 4,735 researchers, over 113 years.
Running all Nikto scans against a host
To run all scans against a particular host you can use the following command:
nikto -host [hostname or IP]
Running all scans will take a lot of time to complete.
Running Nikto against multiple hosts
Nikto offers several options to test multiple hosts:
- By using a valid hosts file containing one host per line
- Piping Nmap output to Nikto.
A valid host file is a text file containing the hosts, you have to use one line for each host in order to make it valid for Nikto. Instead of using the hostname as an argument for the -h option you should use the filepath to the valid hosts file.
Another solution is to pipe the Nmap output to Nikto. Nmap will output the valid hosts to Nikto and Nikto will run the selected scans against these hosts. The following command will run a Nmap scan on host 192.168.0.0 – 192.168.0.24 using a grepable output which is defined by the -oG- flag:
nmap -p80 192.168.0.0/24 -oG – | nikto -h –
Please note that you should use a dash (-) for Nikto’s host option to use the hosts supplied by Nmap.
Nikto Video Tutorial
Thanks for watching and please subscribe to my YouTube channel for more hacking tutorials :)
If you’re interested in learning more about web penetration testing you can follow any of these online courses:Online Hacking Courses
Web Penetration Tester
You will learn hacking tools, methodologies and techniques. This is a both practical and theoretical step-by-step course. Read more…
How to be an Independent security researcher
If you are a web developer, Bug Hunter or any it security researcher then this course will be very help full.
Read more…
3 Comments
Hi,
I’m making the assumption you are US based, or that the readers are, but I wanted to address this comment:
>Please not that it is illegal and punishable by law to scan hosts without written permission.
This is incorrect, it is not illegal. There are no federal laws that prohibit port scanning.
That would be “walking in mud” waters. Port scanning may not be illegal, but depending of what you scanned and how, you may face a long and expensive legal battle to prove the contrary. So I would not advise people to randomly scan public IPs without a written authorization.
It could actually be risky to portscan random IP addresses yes. It’s not illegal in most countries but still it’s difficult to argue in court that it isn’t part of a hacking attempt. Then again something actually needs to be hacked or damage needs to be done for someone to spend effort right?