Scanning Webservers with Nikto for vulnerabilities


Nikto is a very popular and easy to use webserver assessment tool to find potential problems and vulnerabilities very quickly. This tutorial shows you how to scan webservers for vulnerabilities using Nikto in Kali Linux. Nikto comes standard as a tool with Kali Linux and should be your first choice when pen testing webservers and web applications. Nikto is scanning for 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers according to the official Nikto website. You should know that Nikto is not designed as a stealthy tool and scans the target in the fastest way possible which makes the scanning process very obvious in the log files of an intrusion detection systems (IDS).

Nikto comes with the following features:

These are some of the major features in the current version:

  • SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s
  • Full HTTP proxy support
  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Template engine to easily customize reports
  • Scan multiple ports on a server, or multiple servers via input file (including nmap output)
  • LibWhisker’s IDS encoding techniques
  • Easily updated via command line
  • Identifies installed software via headers, favicons and files
  • Host authentication with Basic and NTLM
  • Subdomain guessing
  • Apache and cgiwrap username enumeration
  • Mutation techniques to “fish” for content on web servers
  • Scan tuning to include or exclude entire classes of vulnerability
  • Guess credentials for authorization realms (including many default id/pw combos)
  • Authorization guessing handles any directory, not just the root
  • Enhanced false positive reduction via multiple methods: headers,
    page content, and content hashing
  • Reports “unusual” headers seen
  • Interactive status, pause and changes to verbosity settings
  • Save full request/response for positive tests
  • Replay saved positive requests
  • Maximum execution time per target
  • Auto-pause at a specified time
  • Checks for common “parking” sites
  • Logging to Metasploit
  • Thorough documentation

Another nice feature in Nikto is the possibility to define the test using the -Tuning parameter. This will let you run only the tests you need which can safe you a lot of time:

0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection

a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)

Nikto has it’s own updating mechanism. We encourage you to check for updates before using Nikto. Nikto can be updated using the following command:

nikto -update

Scanning webservers with Nikto

Let’s start Nikto to scan for interesting files with option 1 using the following command:
nikto -host [hostname or IP]-Tuning 1

Nikto webserver scanner kali

Nikto will now display the Apache, OpenSSL and PHP version of the targeted webserver. Also it will give you an overview of possible vulnerabilities including the Open Source Vulnerabilities Database (OSVDB) reference. When you search the OSVDB website for the reference code it will explain the possible vulnerability in more detail. The OSVDB project currently covers more than 120,980 vulnerabilities, spanning 198,973 products from 4,735 researchers, over 113 years.

Running all Nikto scans against a host

To run all scans against a particular host you can use the following command:

nikto -host [hostname or IP]

Running all scans will take a lot of time to complete.

Running Nikto against multiple hosts

Nikto offers several options to test multiple hosts:

  • By using a valid hosts file containing one host per line
  • Piping Nmap output to Nikto.

A valid host file is a text file containing the hosts, you have to use one line for each host in order to make it valid for Nikto. Instead of using the hostname as an argument for the -h option you should use the filepath to the valid hosts file.

Another solution is to pipe the Nmap output to Nikto. Nmap will output the valid hosts to Nikto and Nikto will run the selected scans against these hosts. The following command will run a Nmap scan on host – using a grepable output which is defined by the -oG- flag:

nmap -p80 -oG – | nikto -h –

Please note that you should use a dash (-) for Nikto’s host option to use the hosts supplied by Nmap.

Nikto Video Tutorial

Thanks for watching and please subscribe to my YouTube channel for more hacking tutorials :)

Sitewide3of4-Oct-15dollars160x600 If you’re interested in learning more about web penetration testing you can follow any of these online courses:

Online Hacking Courses

Web Penetration Tester

You will learn hacking tools, methodologies and techniques. This is a both practical and theoretical step-by-step course. Read more…

How to be an Independent security researcher

If you are a web developer, Bug Hunter or any it security researcher then this course will be very help full.
Read more…


Leave A Reply