Nikto: Web Server Vulnerability Scanning with Examples

byEngr. M.A. Rashid Rony
0

 

Comprehensive Guide to Nikto: Web Server Vulnerability Scanning with Examples

Introduction

Nikto is an open-source web server scanner that automates the process of identifying security vulnerabilities, misconfigurations, and outdated software on web servers and applications. Written in Perl and maintained by Chris Sullo and David Lodge, Nikto is widely used by penetration testers, security researchers, and bug bounty hunters due to its simplicity and extensive database of checks. It scans for issues like outdated server versions, dangerous files, and common vulnerabilities, making it a valuable tool in the reconnaissance phase of ethical hacking.

This article provides a detailed tutorial on Nikto, covering its installation, key features, usage, and a practical example of scanning a web server. Aimed at beginners and intermediate pentesters, this guide assumes basic familiarity with command-line interfaces and web security concepts. All examples are for educational purposes and must only be performed on systems you have explicit permission to test, such as lab environments or bug bounty targets.

What is Nikto?

Nikto is a command-line tool that performs comprehensive scans of web servers to identify potential security issues. It checks for over 6,700 known vulnerabilities and misconfigurations, including outdated software, default files, insecure configurations, and common vulnerabilities like XSS or directory indexing. Unlike tools like sqlmap (which focuses on SQL injection) or Burp Suite (for manual testing), Nikto is designed for quick, automated reconnaissance to highlight low-hanging fruit and potential entry points.

Key Features

  • Vulnerability Scanning: Detects over 6,700 issues, including outdated server software, misconfigured headers, and dangerous files (e.g., /phpinfo.php).
  • Server Support: Works with HTTP/HTTPS servers like Apache, Nginx, IIS, and more.
  • Extensive Database: Uses a regularly updated database (db_tests) to check for known vulnerabilities.
  • Output Formats: Supports text, HTML, XML, and CSV output for easy reporting.
  • Tuning Options: Allows selective scanning (e.g., only check for XSS or outdated versions).
  • Proxy Integration: Can route scans through proxies like Burp Suite for deeper analysis.
  • Plugins: Extensible via plugins for custom checks (e.g., authentication testing).
  • Evasion Techniques: Supports basic IDS/IPS evasion with options like random User-Agents.
  • SSL Support: Scans HTTPS servers and validates SSL certificates.

System Requirements

  • Operating System: Linux (Kali recommended), Windows, macOS.
  • Dependencies: Perl 5.10+, OpenSSL, and optional libraries like libwhisker for advanced features.
  • Hardware: Minimum 2GB RAM; 4GB+ recommended for large scans.
  • Network: Internet access for updates; stable connection for scanning.

Installation Guide

Nikto is pre-installed on Kali Linux but can be installed on other systems via GitHub or package managers.

Method 1: Kali Linux

  1. Update Kali:

2.  sudo apt update

sudo apt install nikto

  1. Verify installation:

nikto -Version

Example Output:

+ Nikto v2.5.0

  1. Update Nikto’s database:

nikto -update

Method 2: GitHub Clone

  1. Install Perl:

sudo apt install perl

  1. Clone the repository:

3.  git clone https://github.com/sullo/nikto.git

cd nikto/program

  1. Install dependencies (optional for advanced features):

cpan install JSON::PP

  1. Run Nikto:

perl nikto.pl -h

Troubleshooting

  • Permission Errors: Run with sudo if access is denied.
  • Outdated Database: Regularly update with nikto -update.
  • Windows Installation: Use WSL or Cygwin for better compatibility.

Using Nikto

Nikto is a command-line tool with a straightforward syntax. Run nikto -h for a full list of options.

Basic Command Structure

nikto -h <host> [options]

  • -h <host>: Target host (e.g., example.com, 192.168.1.1, or http://example.com).
  • -p <port>: Specify port (default: 80 for HTTP, 443 for HTTPS).
  • -o <file>: Save output (e.g., text, HTML).
  • -Format <format>: Output format (htm, csv, txt, xml).
  • -Tuning <x>: Select specific test categories (e.g., x for XSS).

Key Options

  • Target Specification:
    • -h: Hostname, IP, or URL.
    • -id: Credentials for authenticated scans (e.g., -id user:pass).
    • -ssl: Force SSL for HTTPS targets.
  • Scan Control:
    • -T <x>: Tuning options (e.g., 0 for file checks, b for XSS).
    • -evasion <n>: Evasion techniques (e.g., 1 for random URI encoding).
    • -timeout <seconds>: Set request timeout.
  • Output:
    • -o <file>: Save to file.
    • -F <format>: Specify format (e.g., htm for HTML).
  • Advanced:
    • -Cgidirs <dirs>: Check specific CGI directories (e.g., /cgi-bin).
    • -Plugins <plugin>: Run specific plugins (e.g., apacheusers).
    • -vhost <name>: Specify virtual host for multi-hosted servers.

Integration with Burp Suite

  1. Configure Burp Proxy (127.0.0.1:8080).
  2. Run Nikto through the proxy:

nikto -h example.com -useproxy http://127.0.0.1:8080

  1. View Nikto’s requests in Burp’s Proxy > HTTP history for further analysis.

Practical Example: Scanning a Web Server

This example demonstrates using Nikto to scan a vulnerable web server, such as a lab from Web Security Academy (https://portswigger.net/web-security) or a test server like testphp.vulnweb.com. We’ll use example.com as a placeholder.

Step 1: Basic Scan

  1. Run a basic scan:

nikto -h example.com

Example Output:

+ Server: Apache/2.4.41 (Ubuntu)

+ The anti-clickjacking X-Frame-Options header is not present.

+ Retrieved x-powered-by header: PHP/7.2.24

+ /phpinfo.php: Output from phpinfo() detected, providing server configuration details.

+ /: Directory indexing found.

+ 8765 items checked: 2 error(s) and 5 item(s) reported on remote host

  1. Interpretation:
    • Missing X-Frame-Options suggests clickjacking vulnerability.
    • phpinfo.php exposes sensitive server info.
    • Directory indexing could reveal hidden files.

Step 2: Targeted Scan with Tuning

  1. Scan only for XSS and file vulnerabilities:

nikto -h example.com -Tuning bx

    • b: XSS checks.
    • x: File checks (e.g., dangerous files like config.php). Example Output:

+ /test.php: Potential XSS vulnerability, accepts user input without sanitization.

+ /backup/config.php: Configuration file exposed.

Step 3: Save Output

  1. Save results as HTML:

nikto -h example.com -o scan.html -Format htm

  1. Open scan.html in a browser for a formatted report.

Step 4: Scan with Proxy (Burp Suite)

  1. Ensure Burp Proxy is running (127.0.0.1:8080).
  2. Run Nikto:

nikto -h example.com -useproxy http://127.0.0.1:8080

  1. In Burp, analyze Nikto’s requests in Proxy > HTTP history and test identified issues (e.g., XSS) using Burp’s Repeater.

Step 5: Advanced Scan with Evasion

  1. Use evasion to bypass basic IDS/IPS:

nikto -h example.com -evasion 1

    • 1: Random URI encoding to avoid detection. Example Output:

+ /admin/: Admin directory found, possible sensitive area.

+ Server: Apache/2.4.41 (bypassed basic IDS checks).

Visual References

Nikto is a command-line tool, so visuals are primarily terminal outputs or HTML reports. For screenshots:

  • Official GitHub: https://github.com/sullo/nikto (README shows example outputs).
  • Web Security Academy: https://portswigger.net/web-security (labs may include Nikto usage).
  • Medium Tutorials: Search “Nikto tutorial” (e.g., https://medium.com/@youritguy/nikto-a-web-server-scanner-for-penetration-testing-7f8b2c1b5f9a) for terminal and HTML report screenshots.
  • TryHackMe: Rooms like “Web Scanning” show Nikto in action.

Best Practices and Tips

  • Legal Use: Only scan systems you have explicit permission to test. Unauthorized scanning is illegal.
  • Start Broad: Use a basic scan (nikto -h <host>) to identify obvious issues, then narrow with -Tuning.
  • Proxy Integration: Route through Burp Suite for manual verification of findings.
  • Evasion: Use -evasion sparingly, as it may slow scans or trigger advanced IDS.
  • Output Management: Save results (-o) for reporting; HTML format is great for clients.
  • Combine Tools: Use Nikto with sqlmap for SQL injection or Discover for reconnaissance.
  • Regular Updates: Run nikto -update to keep the vulnerability database current.
  • Learning Resources:
    • Official Site: https://cirt.net/Nikto2
    • GitHub: https://github.com/sullo/nikto
    • Web Security Academy: https://portswigger.net/web-security for labs.
    • TryHackMe: Rooms like “Web Scanning” or “VulnNet”.

Conclusion

Nikto is a powerful, user-friendly tool for web server vulnerability scanning, ideal for quick reconnaissance in penetration testing. Its extensive database and integration capabilities make it a staple in any pentester’s toolkit. By combining Nikto with tools like Burp Suite, sqlmap, or Discover, you can build a robust workflow for identifying and exploiting vulnerabilities. Always prioritize ethical use and practice in safe environments like Web Security Academy or Hack The Box.

Author: Engr. M A Rashid Rony
Date: September 6, 2025
For updates, visit: https://github.com/sullo/nikto

 

Tags:

Post a Comment

Previous Post Next Post