Web Server Scanning With Nikto — An Introduction


Nikto is an open-source scanner that helps find vulnerabilities in web servers. You can scan your web apps for vulnerabilities like misconfigured services, dangerous files, and thousands of other potential security issues using Nikto.

Websites are a critical part of almost every business or organization in the world. From your nearby florist to global brands, almost everyone uses a website as part of their branding.

Unfortunately, websites are also one of the most unsecured gateways through which an attacker can exploit your company. Since most websites are not backed by strong technical teams, it is important to understand website and web application security to protect your organization.

Introducing Nikto

Nikto is an open-source web server and web application scanner. Nikto can perform comprehensive tests against web servers for multiple security threats, including over 6700 potentially dangerous files/programs. Nikto can also check for outdated web server software and version-specific problems.

Nikto was written and maintained by Sullo, CIRT, Inc. It is written in Perl and was originally released in late 2001. It is currently maintained by David Lodge (you can find his blog here), though other contributors have been involved in the project as well.

Here are some of the cool things that Nikto can do:

  • Find SQL injection, XSS, and other common vulnerabilities
  • Identify installed software (via headers, favicons, and files)
  • Guess subdomains
  • Support for SSL (HTTPS) websites
  • Save reports in plain text, XML, HTML or CSV
  • “Fish” for content on web servers
  • Report unusual headers
  • Check for server configuration items such as the presence of multiple index files, HTTP server options, etc.
  • Full HTTP proxy support
  • Template engine to easily customize reports
  • Guess credentials for authorization (including many default username/password combinations)
  • Exports to Metasploit

Installing Nikto

Since Nikto is a Perl-based program, it can run on most operating systems that have a Perl interpreter installed.

If you’re using Kali Linux, Nikto comes preinstalled and will be present in the “Vulnerability Analysis” category. If you don’t have Nikto on Kali (for some reason), you can get Nikto from GitHub or just use the “apt install nikto” command.

To install Nikto on Windows, you must first install a Perl interpreter, which can be downloaded from http://www.activestate.com/activeperl. On macOS, you can use Homebrew.

Complete installation instructions for all platforms can be found here.

Scanning With Nikto

Now that we know what Nikto is and how to install it, let’s go ahead and run some scans.

Before we get into scanning, I would like to emphasize that I am not responsible for any damage you do trying to attack systems. It’s illegal. You should have written permission before you even try to scan a system or a network.

Since Nikto is a command-line tool, you can use the help command to get a list of options.

nikto -Help

Scanning a Domain

To perform a simple domain scan, use the -h (host) flag.

nikto -h scanme.nmap.org

Nikto will perform a basic scan on port 80 for the given domain and give you a complete report based on the scans performed.


Scanning a Domain with SSL enabled

For domains with HTTPS enabled, you have to specify the -ssl flag to scan port 443.

nikto -h https://nmap.org -ssl

Scanning an IP Address

Sometimes you just want to scan an IP address where a web server is hosted. To do that, use the same -h flag we used for domain scanning.

nikto -h 45.33.32.156

Scanning Multiple IP Addresses from a Text File

To scan multiple IP addresses or domains, just put them in a text file, one per line. Nikto will run the scan against each domain or IP address in the file in turn.

Let’s assume we have a file named domains.txt with two domain names:

  • scanme.nmap.org
  • nmap.org

To scan both of them with Nikto:

nikto -h domains.txt

Nikto will start scanning the domains one after the other.


Exporting Scan Results

Nikto scans take a while to complete. When you are a professional pen-tester, you don’t want to repeat scans very often unless there are major changes to the web application.

To export a scan result, use the -o flag followed by the file name.

nikto -h scanme.nmap.org -o scan.txt

You can also use the -Format flag to specify an output format. You can choose from CSV, HTML, nbe (Nessus format), SQL, txt and XML.

nikto -h scanme.nmap.org -o scan.csv -Format csv
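As an added example that is not part of the original post or of Nikto itself, here is a small Python script that reads the CSV report written by -Format csv and summarizes the findings per host, so that a report from the multi-target scan above can be triaged without re-running the scan. It assumes the seven-column Nikto CSV layout (host, ip, port, id, method, uri, message) with no header row; check this against the output of your Nikto version. The sample report embedded below is constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Assumed column layout of Nikto's CSV report (no header row):
# host, ip, port, id, method, uri, message
FIELDS = ["host", "ip", "port", "id", "method", "uri", "message"]

# Constructed sample report in the shape "nikto -Format csv" writes.
SAMPLE_CSV = '''"scanme.nmap.org","45.33.32.156","80","","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"scanme.nmap.org","45.33.32.156","80","","GET","/","The X-Content-Type-Options header is not set, which could allow MIME-sniffing."
"scanme.nmap.org","45.33.32.156","80","","GET","/images/","Directory indexing found."
"nmap.org","45.33.49.119","443","","GET","/","Server leaks inodes via ETags, header found with file /, fields: 0x1e8 0x5c3b2f1a"
"nmap.org","45.33.49.119","443","","GET","/","The anti-clickjacking X-Frame-Options header is not present."
'''


def parse_nikto_csv(text):
    """Return a list of finding dicts. Blank lines and rows with an unexpected
    column count are skipped so one malformed line does not discard the report."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if not row or len(row) != len(FIELDS):
            continue
        findings.append(dict(zip(FIELDS, row)))
    return findings


def load_report(path):
    """Parse a report file produced with -o <file> -Format csv."""
    with open(path, newline="") as fh:
        return parse_nikto_csv(fh.read())


def summarize(findings):
    """Group findings per host:port and count how often each message recurs across hosts."""
    per_host = defaultdict(list)
    message_counts = Counter()
    for f in findings:
        per_host[f"{f['host']}:{f['port']}"].append((f["method"], f["uri"], f["message"]))
        message_counts[f["message"]] += 1
    return dict(per_host), message_counts


if __name__ == "__main__":
    per_host, counts = summarize(parse_nikto_csv(SAMPLE_CSV))
    for host, items in per_host.items():
        print(f"{host}: {len(items)} finding(s)")
        for method, uri, msg in items:
            print(f"  {method} {uri} -> {msg}")
    print("Most common findings across hosts:")
    for msg, n in counts.most_common(3):
        print(f"  {n}x {msg}")
```

Replace SAMPLE_CSV with load_report("scan.csv") to summarize a real report.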

Pairing with Metasploit

Metasploit is a powerful framework that lets you do everything from scanning to exploiting systems. Professional pen-testers use Metasploit almost every day. I wrote a detailed article on Metasploit recently and you can find it here.

Nikto can export its scan results to Metasploit, which makes it easier to follow up on Nikto’s findings from within Metasploit. To do that, append the “-Format msf+” flag to the end of a scan.

nikto -h <domain/ip> -Format msf+

Nikto Alternatives

It is always good to have a backup tool in your pen-testing arsenal. Some of the best Nikto alternatives are:

  • Arachni: Open Source, modular, high-performance Ruby framework with a focus on evaluating the security of web applications.
  • OWASP Zed Attack Proxy (ZAP): Integrated pen-testing tool that provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
  • Skipfish: Fully automated, active web application security reconnaissance tool. Written in C, with highly optimized HTTP handling and a minimal CPU footprint — easily achieving 2000 requests per second against responsive targets.

TL;DR

Nikto is an open-source scanner that helps you find potential security threats in your websites and web applications. It fully automates vulnerability scanning and can find issues like service misconfigurations, insecure files/programs, and thousands of other security issues. Great alternatives include Arachni, OWASP ZAP, and Skipfish.
