Perl<\/code><\/strong> based open-source web vulnerability scanner that can unearth every other potential threat on your web server including but not limited to;<\/p>\n\n\n\n\n- Insecure files and programs<\/li>\n\n\n\n
- Outdated servers and programs<\/li>\n\n\n\n
- Server and software misconfigurations<\/li>\n\n\n\n
- Default files and programs<\/li>\n<\/ul>\n\n\n\n
Nikto can run on almost any Operating system with Perl interpreter installed. It supports SSL, proxies, host authentication, attack encoding, IDS evation etc.<\/p>\n\n\n\n
You may also want to check our previous tutorials on Nessus<\/a>, OpenVAS<\/a>, ClamAV<\/a>.<\/p>\n\n\n\nWithout much theory, let us quickly have a look at how to install and use Nikto.<\/p>\n\n\n\n
Installing Nikto Web Scanner on Ubuntu 18.04<\/h2>\n\n\n\nInstall Nikto on Ubuntu 18.04<\/h3>\n\n\n\n
Installation of nikto on Ubuntu 18.04 is pretty straight forward as the package is available on the default repositories. Thus, run the commands below to install nikto.<\/p>\n\n\n\n
Update your package repos and upgrade your server;<\/p>\n\n\n\n
apt update<\/code><\/pre>\n\n\n\napt upgrade<\/code><\/pre>\n\n\n\nInstall nikto.<\/p>\n\n\n\n
Perl is already installed on Ubuntu 18.04. Therefore, the command below will install nikto and all the required dependencies.<\/p>\n\n\n\n
apt install nikto -y<\/code><\/pre>\n\n\n\nOnce the installation is done, nikto is ready perform its magics. Wait and see.<\/p>\n\n\n\n
Basic Usage of Nikto<\/h3>\n\n\n\n
The basic nikto command line syntax is:<\/p>\n\n\n\n
nikto [options...]<\/strong><\/code><\/pre>\n\n\n\nWhen run without any command line options, it shows basic description of various command options;<\/p>\n\n\n\n
\nnikto \n- Nikto v2.1.5\n---------------------------------------------------------------------------\n+ ERROR: No host specified\n\n -config+ Use this config file\n -Display+ Turn on\/off display outputs\n -dbcheck check database and other key files for syntax errors\n -Format+ save file (-o) format\n -Help Extended help information\n -host+ target host\n -id+ Host authentication to use, format is id:pass or id:pass:realm\n -list-plugins List all available plugins\n -output+ Write output to this file\n -nossl Disables using SSL\n -no404 Disables 404 checks\n -Plugins+ List of plugins to run (default: ALL)\n -port+ Port to use (default 80)\n -root+ Prepend root value to all requests, format is \/directory \n -ssl Force ssl mode on port\n -Tuning+ Scan tuning\n -timeout+ Timeout for requests (default 10 seconds)\n -update Update databases and plugins from CIRT.net\n -Version Print plugin and database versions\n -vhost+ Virtual host (for Host header)\n \t\t+ requires a value\n\n\tNote: This is the short help output. Use -H for full help text.\n<\/code><\/pre>\n\n\n\nIf you want to see more details about the options above, run the command below;<\/p>\n\n\n\n
nikto -H<\/code><\/pre>\n\n\n\nLaunching Nikto Web Scan<\/h3>\n\n\n\n
In this section, we are going to see how Nikto is used with various command line options shown above to perform web scanning.<\/p>\n\n\n\n
In its basic functionality, Nikto requires just an host an to scan. The target host can be specified with the -h <\/strong>or -host <\/strong>option e.g to scan a web server whose IP address is 192.168.43.154<\/strong>, run Nikto as follows;<\/p>\n\n\n\nnikto -host 192.168.43.154<\/code><\/pre>\n\n\n\n\n- Nikto v2.1.5\n---------------------------------------------------------------------------\n+ Target IP: 192.168.43.154\n+ Target Hostname: test.com\n+ Target Port: 80\n+ Start Time: 2018-11-01 18:01:35 (GMT3)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.29 (Ubuntu)\n+ The anti-clickjacking X-Frame-Options header is not present.\n+ Cookie PHPSESSID created without the httponly flag\n+ Root page \/ redirects to: login.php\n+ Server leaks inodes via ETags, header found with file \/robots.txt, fields: 0x1a 0x5797709ba2009 \n+ File\/dir '\/' in robots.txt returned a non-forbidden or redirect HTTP code (302)\n+ \"robots.txt\" contains 1 entry which should be manually viewed.\n+ OSVDB-3268: \/config\/: Directory indexing found.\n+ \/config\/: Configuration information may be available remotely.\n+ OSVDB-3268: \/docs\/: Directory indexing found.\n+ OSVDB-3233: \/icons\/README: Apache default file found.\n+ \/login.php: Admin login page\/section found.\n+ OSVDB-3092: \/.git\/index: Git Index file may contain directory listing information.\n+ 6545 items checked: 0 error(s) and 11 item(s) reported on remote host\n+ End Time: 2018-11-01 18:01:48 (GMT3) (13 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested\n<\/code><\/pre>\n\n\n\nAs you can see from the output, when the target host is specified without a port, nikto scans port 80<\/strong> by default. However, if your web server is running on a different port, you have to specify the port using the -p<\/strong> or -port<\/strong> option. See example below;<\/p>\n\n\n\nnikto -h 192.168.43.154 -p 8080<\/code><\/pre>\n\n\n\nIf you have multiple virtualhosts on the same host server listening on different ports, you can specify multiple ports by separating them with comma.<\/p>\n\n\n\n
nikto -h 192.168.43.154 -p 8080,8888<\/code><\/pre>\n\n\n\nYou can also specify a range of ports in the format port1-portN<\/strong> for example,<\/p>\n\n\n\nnikto -h 192.168.43.154 -p 8080-8888<\/code><\/pre>\n\n\n\nInstead of using the IP address to specify the target host, URLs can also be used for example;<\/p>\n\n\n\n
nikto -h mydvwa.example.com\nnikto -h https:\/\/mydvwa.example.com<\/code><\/pre>\n\n\n\nYou can also specify the port when you use URL;<\/p>\n\n\n\n
nikto -h mydvwa.example.com -p 8080\nnikto -h https:\/\/mydvwa.example.com -p 8443<\/code><\/pre>\n\n\n\nor<\/p>\n\n\n\n
nikto -h mydvwa.example.com:8080\nnikto -h https:\/\/mydvwa.example.com:8443\/<\/code><\/pre>\n\n\n\nAs much as target hosts can be specified using the -p<\/strong> option, it is also possible to specify a file containing a list of target hosts one per line. For instance, you file should should contains the targets in the format;<\/p>\n\n\n\nless scan-targets<\/code><\/pre>\n\n\n\nhttps:\/\/mydvwa.example.com:443\/\n192.168.43.154:8888\n192.168.43.101<\/code><\/pre>\n\n\n\nTo scan these hosts at the same time, run the command below;<\/p>\n\n\n\n
nikto -h scan-targets<\/code><\/pre>\n\n\n\nIt is also possible to scan the hosts in a network listening on web server ports using Nmap and pass the output to nikto. For example to scan for open port 80 in a network, 192.168.43.0\/24,<\/p>\n\n\n\n
nmap -p80 192.168.43.0\/24 -oG - | nikto -h -<\/code><\/pre>\n\n\n\nIf you are going through a proxy server, you can ask nikto to use proxy by using the -useproxy<\/strong> option. You can set the proxy details on the nikto configuration file, \/etc\/nikto\/config.txt <\/strong>or you can it on the command line as shown below;<\/p>\n\n\n\nTo define the proxy server details in the \/etc\/nikto\/config.txt file, use the format;<\/p>\n\n\n\n
PROXYHOST=192.168.70.45\nPROXYPORT=3128\nPROXYUSER=username\nPROXYPASS=password<\/code><\/pre>\n\n\n\nWhen you have defined the proxy details as shown above, then run nikto as follows;<\/p>\n\n\n\n
nikto -h 192.168.70.128 -useproxy<\/code><\/pre>\n\n\n\nTo specify the proxy connection details on the command line;<\/p>\n\n\n\n
nikto -h 192.168.70.128 -useproxy http:\/\/id:password@192.168.70.23:3128\/<\/code><\/pre>\n\n\n\nnikto -h 192.168.70.128 -useproxy http:\/\/@192.168.70.23:3128\/<\/code><\/pre>\n\n\n\nNikto can export scan results in different formats; CSV, HTML, XML, NBE, text. To save the results in a specific output format, you need to specify the -o\/-output<\/strong> option as well as the -Format<\/strong> option to define the output format. See examples below to save the scan results in html format.<\/p>\n\n\n\nnikto -h 192.168.43.154 -o test.html -F html<\/code><\/pre>\n\n\n\nYou can therefore access the report via web browser. See screenshot below;<\/p>\n\n\n\n![\"Install](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/07\/sample_nikto-html-report.png\" "\\"\\"")
<\/figure>\n\n\n\nNikto can also be fine tuned to perform specific scans. Below is a description of the tuning options that can be used to achieve this functionality.<\/p>\n\n\n\n
\n1 - Interesting File \/ Seen in logs\n2 - Misconfiguration \/ Default File\n3 - Information Disclosure\n4 - Injection (XSS\/Script\/HTML)\n5 - Remote File Retrieval - Inside Web Root\n6 - Denial of Service\n7 - Remote File Retrieval - Server Wide\n8 - Command Execution \/ Remote Shell\n9 - SQL Injection\n0 - File Upload\na - Authentication Bypass\nb - Software Identification\nc - Remote Source Inclusion\nx - Reverse Tuning Options (i.e., include all except specified)\n<\/code><\/pre>\n\n\n\nFor example, to test for SQL Injection and Remote File Retrieval – Server Wide, you would use nikto like;<\/p>\n\n\n\n
nikto -h 192.168.43.154 -Tuning 79 -o test.html -F html<\/code><\/pre>\n\n\n\n