Ethical Hacking | #nikto #web-scanner #vulnerability-assessment

Nikto Web Vulnerability Scanner Tutorial

Comprehensive guide to using Nikto for automated web application security scanning and vulnerability discovery.


Introduction to Nikto

Nikto is an open-source web server scanner that performs comprehensive security audits of web applications. This powerful tool identifies outdated software versions, misconfigurations, dangerous files, and known vulnerabilities across thousands of web servers. Unlike manual testing, Nikto automates the vulnerability discovery process, making it essential for security professionals conducting web application assessments.

Nikto’s extensive database contains checks for over 1,000 potential security issues, including outdated server software, common CGI vulnerabilities, and information disclosure problems. In authorized penetration testing environments, Nikto accelerates the reconnaissance phase by quickly identifying attack vectors.

Installation and Setup

Nikto is included on Kali Linux and most penetration testing distributions. Install on other systems using package managers:

# Kali Linux (pre-installed)
which nikto

# Ubuntu/Debian
sudo apt-get install nikto

# macOS with Homebrew
brew install nikto

# From source
git clone https://github.com/sullo/nikto.git
cd nikto/program
perl nikto.pl

Verify installation:

nikto -Help | head -20

Basic Web Scanning

The simplest Nikto usage scans a single target:

nikto -h http://target-site.com

This command performs a standard scan against the specified host, testing for known vulnerabilities, outdated software, and misconfigurations.

Scanning with HTTPS

For secure connections:

nikto -h https://target-site.com -ssl

The -ssl flag forces SSL/TLS usage even if the URL specifies HTTP.

Specifying Custom Ports

Target non-standard ports:

nikto -h http://target-site.com:8080

Or explicitly define the port:

nikto -h target-site.com -p 8080

Advanced Scanning Options

Output Formats

Nikto supports multiple output formats for documentation and integration with other tools:

# HTML report (most readable)
nikto -h http://target-site.com -o report.html -F html

# CSV format (for parsing)
nikto -h http://target-site.com -o report.csv -F csv

# XML format (for automated processing)
nikto -h http://target-site.com -o report.xml -F xml

# Text format (default)
nikto -h http://target-site.com -o report.txt

Specifying Database Checks

Target specific vulnerability categories:

# Check only for outdated server versions
nikto -h http://target-site.com -Plugins outdated

# Check multiple plugin categories
nikto -h http://target-site.com -Plugins "cgi,apache"

# List all available plugins
nikto -list-plugins

Common plugins include:

  • cgi: Common Gateway Interface vulnerabilities
  • apache: Apache-specific issues
  • siebel: Oracle Siebel vulnerabilities
  • fp: FrontPage extensions

Authentication Testing

Include credentials for authenticated scanning with the -id flag, which supplies HTTP host authentication (Basic auth, for example) in id:pass form:

nikto -h http://target-site.com -id username:password

To restrict the credentials to a particular authentication realm, append it as a third field:

nikto -h http://target-site.com -id username:password:realm

Custom Headers and Cookies

Nikto has no dedicated cookie or header flags (-C is short for -Cgidirs and -H for -Help). Cookies and the User-Agent string are settings in nikto.conf, and -Option NAME=VALUE overrides a setting for a single run. Add a session cookie:

nikto -h http://target-site.com -Option STATIC-COOKIE="PHPSESSID=abc123def456"

Change the User-Agent (the default string advertises Nikto):

nikto -h http://target-site.com \
  -Option USERAGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

Arbitrary headers such as Accept-Language are not a command-line option; if you need them, route the scan through an intercepting proxy (next section) and add them there.

Proxy Configuration

Route traffic through a proxy like Burp Suite:

nikto -h http://target-site.com -useproxy http://127.0.0.1:8080

This integration with Burp allows you to inspect Nikto requests in detail.

Controlling Scan Intensity

Tuning Scan Categories

Nikto's -Tuning flag restricts a scan to one or more test categories (Nikto does not score findings with CVSS). Categories are given as a single string of characters with no separators:

# Run only the SQL injection checks
nikto -h http://target-site.com -Tuning 9

# Run the interesting-file, misconfiguration and information-disclosure checks
nikto -h http://target-site.com -Tuning 123

# Run everything except the denial-of-service checks (x reverses the selection)
nikto -h http://target-site.com -Tuning x6

Tuning options:

  • 1: Interesting file / seen in logs
  • 2: Misconfiguration / default file
  • 3: Information disclosure
  • 4: Injection (XSS/script/HTML)
  • 5: Remote file retrieval, inside web root
  • 6: Denial of service
  • 7: Remote file retrieval, server wide
  • 8: Command execution / remote shell
  • 9: SQL injection
  • 0: File upload
  • a: Authentication bypass
  • b: Software identification
  • c: Remote source inclusion
  • d: WebService
  • e: Administrative console
  • x: Reverse tuning (run all categories except those listed)

Adjusting Connection Parameters

Control the request timeout and the scan rate:

nikto -h http://target-site.com \
  -timeout 10 \
  -Pause 2

Important flags:

  • -timeout: Seconds to wait for a server response (default 10)
  • -Pause: Seconds to wait between tests; Nikto sends its requests serially (there is no thread-count option), so -Pause is the throttle
  • -maxtime: Upper bound on testing time per host, e.g. 1h or 30m

Practical Penetration Testing Scenario

Scan a web application during a comprehensive security assessment:

nikto -h http://vulnerable-site.local \
  -p 80 \
  -o assessment-report.html \
  -F html \
  -Tuning 12345789 \
  -Option STATIC-COOKIE="session=admin123" \
  -useproxy http://127.0.0.1:8080 \
  -Pause 1

This command:

  • Targets vulnerable-site.local on port 80
  • Outputs an HTML report for stakeholder review
  • Runs eight tuning categories (everything except denial of service, file upload and the lettered categories)
  • Sends the session cookie with every request
  • Routes through Burp for request inspection
  • Pauses one second between tests to keep the scan rate moderate

Understanding Nikto Output

Nikto prints one line per finding, prefixed with "+":

Example output:

+ The anti-clickjacking X-Frame-Options header is not present
+ Server-header reveals Apache 2.4.41 - vulnerable versions below are out of date
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration and information
+ OSVDB-3092: /login.php: This may allow admin accounts to be attacked
+ OSVDB-12184: /admin.php: Admin login page/section found

Each finding includes:

  • A reference where one exists (older databases cite OSVDB IDs; newer ones cite CVE, CWE or vendor references)
  • The path that was tested, when the finding is path-specific
  • A description of what was observed

Nikto does not assign severity scores: judging impact, and confirming that a finding is not a false positive, is the analyst's job.
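A small triage helper for text output in the format shown above, added here as an example (it is not part of the original tutorial or of Nikto itself): it extracts the flagged paths from a report whose lines follow the "+ <ref>: /path: message" pattern, counts path-specific versus server-wide findings, and prints one curl command per path so each hit can be checked against the target's real 404 behaviour before it goes into the report. The sample report is constructed from the lines above.

```shell
# Constructed sample of Nikto's default text output: the finding lines shown above.
# A real report comes from: nikto -h http://target-site.com -o report.txt
NIKTO_SAMPLE='+ The anti-clickjacking X-Frame-Options header is not present
+ Server-header reveals Apache 2.4.41 - vulnerable versions below are out of date
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration and information
+ OSVDB-3092: /login.php: This may allow admin accounts to be attacked
+ OSVDB-12184: /admin.php: Admin login page/section found'

# Unique paths Nikto flagged, one per line. Matches "+ <ref>: /path: message",
# where <ref> is an OSVDB id or any other reference token without a colon.
nikto_paths() {
    sed -n 's#^+ [^:]*: \(/[^:]*\): .*#\1#p' | sort -u
}

# Count path-specific findings versus server-wide ones (missing headers,
# version banners). Prints "path=N header=M".
nikto_summary() {
    awk '
        /^\+ /          { total++ }
        /^\+ [^:]*: \// { path++ }
        END { printf "path=%d header=%d\n", path, total - path }
    '
}

# One curl command per flagged path, printed rather than run, so each hit can be
# checked by hand against the target's real 404 behaviour (Nikto guesses the
# 404 page, and that guess is the usual source of false positives).
nikto_verify_cmds() {
    base="$1"
    nikto_paths | while IFS= read -r p; do
        printf 'curl -s -o /dev/null -w "%%{http_code} %%{url_effective}\\n" "%s%s"\n' \
            "$base" "$p"
    done
}

# Usage: printf '%s\n' "$NIKTO_SAMPLE" | nikto_summary
#        printf '%s\n' "$NIKTO_SAMPLE" | nikto_verify_cmds http://target-site.com
```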

Integration with Other Tools

Using Nikto Results in Burp Suite

Export XML output for importing into Burp:

nikto -h http://target-site.com -o findings.xml -F xml

Use Burp’s “Add Scan Issues” feature to integrate findings.

Combining with Nmap

Run Nmap first to identify web services, then scan with Nikto:

# Identify web servers
nmap -sV --script=http-enum -p 80,443,8080,8443 target-site.com > nmap-results.txt

# Then scan discovered services with Nikto
nikto -h http://target-site.com
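Glue for the Nmap-then-Nikto handoff, added as an example that is not part of the original tutorial: it reads Nmap's normal output, keeps open ports whose service name looks like HTTP, infers TLS from the service name rather than the port number, and prints (does not run) one nikto command per service with -ssl set only where needed. The Nmap output is a constructed sample.

```shell
# Constructed sample of what "nmap -sV -p 80,443,8080,8443 target-site.com"
# prints in its normal output format (the tutorial redirects this to nmap-results.txt).
NMAP_SAMPLE='Nmap scan report for target-site.com (192.0.2.10)
PORT     STATE  SERVICE     VERSION
80/tcp   open   http        Apache httpd 2.4.41 ((Ubuntu))
443/tcp  open   ssl/http    Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open   http-proxy  Squid http proxy 4.10
8443/tcp closed https-alt'

# Read Nmap normal output on stdin and print "port scheme" for every open port
# whose service Nmap labelled as some flavour of HTTP. TLS is inferred from an
# "ssl/" prefix or an https* service name, not from the port number.
nmap_web_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        svc = $3
        if (svc !~ /http/) next
        scheme = (svc ~ /^ssl\// || svc ~ /^https/) ? "https" : "http"
        sub(/\/tcp$/, "", $1)
        print $1, scheme
    }'
}

# Turn that list into one Nikto invocation per service, with its own output
# file and a one-second pause between tests. Commands are printed, not run,
# so the batch can be reviewed before anything is sent.
nikto_cmds() {
    host="$1"
    nmap_web_ports | while read -r port scheme; do
        ssl=""
        if [ "$scheme" = "https" ]; then ssl=" -ssl"; fi
        printf 'nikto -h %s -p %s%s -o nikto-%s-%s.txt -Pause 1\n' \
            "$host" "$port" "$ssl" "$host" "$port"
    done
}

# Usage: nikto_cmds target-site.com < nmap-results.txt
#        printf '%s\n' "$NMAP_SAMPLE" | nikto_cmds target-site.com
```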

Best Practices for Web Scanning

Obtain authorization: Always ensure you have explicit written permission before scanning any web application.

Document findings: Use HTML output format for clear reporting to stakeholders.

Follow up with manual testing: Nikto identifies potential vulnerabilities; manual testing confirms and exploits them.

Schedule scans appropriately: Run scans during maintenance windows to avoid impacting production systems.

Use reasonable scanning rates: Aggressive scanning may trigger WAF/IDS systems or cause DoS conditions.

Verify false positives: Some Nikto findings may be false positives; manual verification is essential.

Limitations and Considerations

Nikto is a powerful reconnaissance tool but has limitations:

  • False positives: Some findings may not represent actual vulnerabilities
  • Noise: Large scans generate numerous findings requiring filtering
  • Detection: Aggressive scanning may trigger security monitoring
  • Outdated checks: Regular updates are necessary as new vulnerabilities emerge

Conclusion

Nikto is an essential tool for web application security assessment, providing automated vulnerability scanning that accelerates the reconnaissance phase. By understanding its various options, output formats, and integration capabilities, you can efficiently identify security issues in authorized testing environments.

Combine Nikto with manual testing, code review, and other security tools for comprehensive web application assessments. Practice on intentionally vulnerable applications like DVWA and WebGoat before conducting assessments on production systems.

#tools #web-security #vulnerability-assessment #web-scanner #nikto