Table of Contents

  1. Introduction to Nikto
  2. What is Nikto?
  3. Capabilities of Nikto
    1. Use Cases: Nikto vs. OpenVAS vs. Nessus
  4. Basic Usage
    1. Command Syntax
    2. Common Options
  5. Scanning Techniques
    1. Basic Web Server Scanning
    2. Plugin-Specific Scanning
    3. SSL/TLS Scanning
  6. Advanced Techniques
    1. Scanning Multiple Hosts
    2. Customizing Scans with Configuration Files
    3. Output Formatting and Logging
  7. Combining Nikto with Other Tools
    1. Nmap and Nikto
    2. Metasploit and Nikto
  8. Monitoring and Managing Scans
    1. Real-time Monitoring
    2. Session Management
  9. Glossary

Introduction to Nikto

Nikto is a powerful and widely-used open-source web server scanner designed to identify potential vulnerabilities, misconfigurations, and outdated components in web servers. It is an essential tool for penetration testers, security auditors, and system administrators aiming to assess the security posture of web applications and servers.

What is Nikto?

Nikto, developed by Chris Sullo, is an open-source web server scanner that performs comprehensive tests against web servers for multiple vulnerabilities. Written in Perl, Nikto scans for over 6,700 potentially dangerous files, outdated server software, and version-specific issues. It supports a wide range of web servers and can be extended with additional plugins to enhance its capabilities.

Capabilities of Nikto

Nikto offers a robust set of features that make it a versatile tool for web server security assessments. Its primary capabilities include:

  • Comprehensive Vulnerability Scanning: Identifies a wide array of vulnerabilities, including outdated software, insecure files, and misconfigurations.
  • Extensive Plugin Support: Utilizes plugins to extend scanning capabilities and detect specific vulnerabilities.
  • Customizable Scans: Allows users to tailor scans to specific needs using various options and configuration files.
  • Multiple Output Formats: Supports various output formats for easy integration with other tools and reporting systems.
  • Support for SSL/TLS: Can assess SSL/TLS configurations and identify related vulnerabilities.

Use Cases: Nikto vs. OpenVAS vs. Nessus

When selecting a tool for vulnerability scanning, it’s essential to understand the strengths and limitations of each. Here’s a comparison of Nikto, OpenVAS, and Nessus:

Feature Nikto OpenVAS Nessus
Primary Function Web server vulnerability scanning Comprehensive vulnerability scanning for networks Comprehensive vulnerability scanning for networks and web applications
Vulnerability Coverage Focused on web server vulnerabilities Broad range covering network and web vulnerabilities Extensive, including compliance and configuration issues
Ease of Use Command-line interface, straightforward Web-based interface, steeper learning curve User-friendly interface, easy to configure
Customization Highly customizable with plugins and options Highly customizable with policies and configurations Customizable with plugins and scripts
Reporting Multiple output formats, customizable Detailed reports, customizable Professional reports, customizable
Cost Free and open-source Free and open-source Commercial with free limited version
Best For Quick and comprehensive web server scans Comprehensive network and web vulnerability assessments Professional-grade vulnerability scanning and reporting

Nikto is ideal for rapid and thorough scanning of web servers to identify specific vulnerabilities and misconfigurations. OpenVAS and Nessus offer more comprehensive network-wide vulnerability assessments, with Nessus providing more polished reporting features, suitable for enterprise environments.

Basic Usage

Understanding Nikto’s basic usage involves familiarizing yourself with its command syntax and common options. This foundational knowledge is essential before delving into more advanced functionalities.

Command Syntax

The general syntax for running Nikto is as follows:

nikto [options]
  • [options]: Flags and parameters that customize the scan.

Common Options

Below are some frequently used options in Nikto commands:

  • -h [host]: Specifies the target host or IP address.
  • -p [port]: Specifies the target port (default is 80 for HTTP and 443 for HTTPS).
  • -ssl: Forces SSL/TLS mode for scanning HTTPS servers.
  • -Tuning [num]: Specifies the types of tests to perform based on categories.
  • -o [file]: Outputs scan results to a specified file.
  • -Format [format]: Specifies the output format (e.g., txt, html, csv, xml).
  • -Plugins [plugin]: Specifies plugins to enable or disable during the scan.
  • -C [config_file]: Uses a custom configuration file.
  • -Display [mode]: Controls the verbosity of the output.
  • -evasion [method]: Applies evasion techniques to bypass filters or IDS.

Scanning Techniques

Nikto provides various scanning techniques to cater to different assessment needs. This section explores basic web server scanning, plugin-specific scanning, and SSL/TLS scanning with relevant examples.

Basic Web Server Scanning

Performing a basic scan with Nikto involves specifying the target host. This scan checks for common vulnerabilities and misconfigurations.

Example Command:

nikto -h http://target-website.com

Explanation:

  • -h http://target-website.com: Specifies the target web server to scan.

Sample Output:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.100
+ Target Hostname:    target-website.com
+ Target Port:        80
+ Start Time:         2024-04-27 10:00:00 (GMT)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ Server leaks inodes via ETags, header found with file /, inode: 12345
+ OSVDB-3092: /icons/README: Directory indexing found.
+ OSVDB-3093: /cgi-bin/: Apache default cgi-bin directory found.
+ 2563 items checked: 12 found

Plugin-Specific Scanning

Nikto allows users to run specific plugins to focus on particular vulnerabilities or functionalities. This is useful when you want to target specific aspects of a web server.

Example Command:

nikto -h http://target-website.com -Plugins "apache_users"

Explanation:

  • -Plugins "apache_users": Runs the apache_users plugin, which attempts to enumerate Apache users.

Sample Output:

+ Apache User Enumeration:
    VHost: target-website.com
    IP: 192.168.1.100
    Detected Apache users: admin, user1, user2

SSL/TLS Scanning

Nikto can assess SSL/TLS configurations and identify related vulnerabilities, such as weak ciphers or certificate issues.

Example Command:

nikto -h https://target-website.com -ssl

Explanation:

  • -h https://target-website.com: Specifies the target web server with HTTPS.
  • -ssl: Forces SSL/TLS mode for scanning.

Sample Output:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.100
+ Target Hostname:    target-website.com
+ Target Port:        443
+ Start Time:         2024-04-27 10:05:00 (GMT)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ SSL/TLS Protocol: TLSv1.2
+ Cipher: ECDHE-RSA-AES256-GCM-SHA384
+ Weak SSL Cipher: RC4 is supported.
+ OSVDB-3092: /icons/README: Directory indexing found.
+ 2563 items checked: 8 found

Advanced Techniques

Nikto offers several advanced features that enhance its effectiveness in various scenarios. These techniques allow for more nuanced and targeted scans, improving the quality of vulnerability assessments.

Scanning Multiple Hosts

Nikto can scan multiple hosts in a single command by providing a list of targets. This is useful for assessing multiple web servers efficiently.

Example Command:

nikto -h targets.txt

Explanation:

  • -h targets.txt: Specifies a file (targets.txt) containing a list of target hosts, one per line.

Contents of targets.txt:

http://webserver1.com
https://webserver2.com
http://192.168.1.101

Sample Output:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.100
+ Target Hostname:    webserver1.com
+ Target Port:        80
+ Start Time:         2024-04-27 10:10:00 (GMT)
---------------------------------------------------------------------------
...
---------------------------------------------------------------------------
+ Target IP:          192.168.1.101
+ Target Hostname:    192.168.1.101
+ Target Port:        80
+ Start Time:         2024-04-27 10:15:00 (GMT)
---------------------------------------------------------------------------
...

Customizing Scans with Configuration Files

Nikto allows users to create and utilize custom configuration files to tailor scans according to specific requirements. This includes enabling or disabling plugins, setting default options, and defining scan behaviors.

Example Command:

nikto -C myconfig.conf -h http://target-website.com

Explanation:

  • -C myconfig.conf: Uses a custom configuration file named myconfig.conf.
  • -h http://target-website.com: Specifies the target web server to scan.

Contents of myconfig.conf:

# Custom Nikto Configuration
Plugins = "apache_users,ssl"
Tuning = 9

Sample Output:

+ Running custom configuration from myconfig.conf
+ Target IP:          192.168.1.100
+ Target Hostname:    target-website.com
+ Target Port:        80
+ Start Time:         2024-04-27 10:20:00 (GMT)
---------------------------------------------------------------------------
+ Apache User Enumeration:
    Detected Apache users: admin, user1, user2
+ SSL/TLS Protocol: TLSv1.2
+ Cipher: ECDHE-RSA-AES256-GCM-SHA384
+ 2563 items checked: 10 found

Output Formatting and Logging

Nikto supports multiple output formats, allowing users to integrate scan results with other tools or for reporting purposes. It also provides options to save scan results for later analysis.

Example Command:

nikto -h http://target-website.com -o scan_results.html -Format htm

Explanation:

  • -h http://target-website.com: Specifies the target web server to scan.
  • -o scan_results.html: Outputs scan results to scan_results.html.
  • -Format htm: Sets the output format to HTML.

Sample Output:

An HTML file (scan_results.html) containing a structured report of the scan, including identified vulnerabilities, server information, and other relevant details.

Another Example with XML Format:

nikto -h http://target-website.com -o scan_results.xml -Format xml

Explanation:

  • -Format xml: Sets the output format to XML, suitable for integration with other tools or automated processing.

Sample Output:

An XML file (scan_results.xml) containing structured data about the scan results, which can be parsed or imported into other systems for further analysis.

Combining Nikto with Other Tools

Integrating Nikto with other security tools can enhance your vulnerability assessment workflows, providing a more comprehensive evaluation of the target environment.

Nmap and Nikto

Nmap is a versatile network scanning tool that can identify open ports and services on a target system. Combining Nmap with Nikto allows for targeted web server enumeration based on discovered services.

Example Workflow:

  1. Scan with Nmap:

    First, identify open ports (e.g., HTTP on port 80 and HTTPS on port 443).

    nmap -p 80,443 target-ip-address

    Sample Output:

    PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

  2. Attack with Nikto:

    Use Nikto to scan the discovered web services.

    nikto -h http://target-ip-address -p 80 -o nikto_http.html -Format htm
nikto -h https://target-ip-address -p 443 -ssl -o nikto_https.html -Format htm

    Explanation:

    • -p 80 and -p 443: Specifies the target ports based on Nmap findings.
    • -ssl: Forces SSL/TLS mode for HTTPS scanning.
    • -o and -Format: Outputs results in HTML format for easy review.

Benefits:

  • Targeted Scanning: Focus enumeration efforts on active web services, reducing unnecessary scan time.
  • Comprehensive Assessment: Provides detailed insights into both HTTP and HTTPS configurations and vulnerabilities.

Metasploit and Nikto

Metasploit is a robust framework for developing, testing, and executing exploit code against remote targets. While Nikto is used for identifying vulnerabilities, Metasploit can be employed to exploit them.

Example Workflow:

  1. Discover Vulnerabilities with Nikto:

    nikto -h http://target-website.com -o nikto_results.txt

  2. Import Findings into Metasploit:

    • Open Metasploit Console:

      msfconsole

    • Use a relevant Metasploit module based on Nikto’s findings. For example, if Nikto identifies a vulnerable CGI script:

      use exploit/unix/webapp/cgi_script_exec
set RHOST target-website.com
set RPORT 80
run

Benefits:

  • Streamlined Exploitation: Transition seamlessly from vulnerability discovery to exploitation within the same framework.
  • Automated Exploits: Utilize Metasploit’s extensive library of exploits to take advantage of identified vulnerabilities.

Monitoring and Managing Scans

Effective monitoring and management of Nikto scans are crucial to ensure efficient operation, accurate results, and the ability to troubleshoot issues as they arise.

Real-time Monitoring

While Nikto doesn’t provide built-in real-time monitoring dashboards, you can utilize terminal multiplexers or logging tools to observe scan progress.

Using tee for Real-time and File Logging:

The tee command allows you to view Nikto’s output in real-time while simultaneously saving it to a file.

Example Command:

nikto -h http://target-website.com | tee nikto_scan.log

Explanation:

  • | tee nikto_scan.log: Pipes Nikto’s output to tee, which displays it in the terminal and writes it to nikto_scan.log.

Using screen or tmux for Session Management:

Terminal multiplexers like screen or tmux allow you to manage multiple terminal sessions, making it easier to monitor long-running scans.

Example with tmux:

  1. Start a new tmux session:

    tmux new -s nikto-session

  2. Run Nikto within the tmux session:

    nikto -h http://target-website.com -o nikto_results.html -Format htm

  3. Detach from the session:

    Press Ctrl + B, then D.

  4. Reattach to the session later:

    tmux attach -t nikto-session

Benefits:

  • Session Persistence: Allows scans to continue running even if the terminal is closed.
  • Concurrent Monitoring: View and manage multiple scans simultaneously.

Session Management

Managing multiple Nikto scans efficiently is essential, especially when dealing with numerous targets or extended scanning periods.

Using Scripts for Automated Scanning:

Creating shell scripts can automate the initiation and management of multiple Nikto scans.

Example Script (run_nikto_scans.sh):

#!/bin/bash

# Define target list
targets=("http://target1.com" "https://target2.com" "http://192.168.1.101")

# Define output directory
output_dir="./nikto_results"

# Create output directory if it doesn't exist
mkdir -p $output_dir

# Loop through each target and run Nikto
for target in "${targets[@]}"
do
    echo "Starting Nikto scan on $target"
    nikto -h $target -o "$output_dir/$(echo $target | sed 's/http[s]*:\/\///g').html" -Format htm &
done

# Wait for all background scans to complete
wait

echo "All Nikto scans completed."

Explanation:

  • targets: An array containing the list of target URLs.
  • output_dir: Directory where scan results will be saved.
  • for loop: Iterates through each target and runs Nikto in the background.
  • wait: Waits for all background scans to complete before proceeding.

Running the Script:

chmod +x run_nikto_scans.sh
./run_nikto_scans.sh

Benefits:

  • Efficiency: Automates the scanning process for multiple targets.
  • Organization: Saves scan results systematically for easy access and review.

Glossary

Below is a comprehensive list of commands, options, and terms used in Nikto, along with their descriptions.

Command/Option Description
nikto The main command to invoke Nikto for various web server scanning tasks.
-h [host] Specifies the target host or IP address.
-p [port] Specifies the target port (default is 80 for HTTP and 443 for HTTPS).
-ssl Forces SSL/TLS mode for scanning HTTPS servers.
-Tuning [num] Specifies the types of tests to perform based on categories.
-o [file] Outputs scan results to the specified file.
-Format [format] Specifies the output format (e.g., txt, html, csv, xml).
-Plugins [plugin] Specifies plugins to enable or disable during the scan.
-C [config_file] Uses a custom configuration file.
-Display [mode] Controls the verbosity of the output (e.g., -Display V for verbose).
-evasion [method] Applies evasion techniques to bypass filters or IDS (e.g., -evasion 1).
Modes  
-Plugins Enables specific plugins for targeted scanning.
-Tuning Adjusts the type of tests performed during the scan based on predefined categories.
Terms  
Vulnerability Scanning The process of identifying weaknesses or vulnerabilities in systems and applications.
Plugin An add-on module that extends Nikto’s scanning capabilities to detect specific vulnerabilities or features.
Configuration File A file containing predefined settings and options to customize Nikto’s scanning behavior.
Output Formats Different formats in which Nikto can present scan results, such as text, HTML, CSV, or XML.
SSL/TLS Protocols for securing data transmitted over the internet, essential for HTTPS connections.
Evasion Techniques Methods used to bypass security measures like firewalls or intrusion detection systems (IDS).
Tuning Categories Predefined categories in Nikto that determine the types of tests to run during a scan.
Verbose Mode A setting that provides detailed information about the scan’s progress and results.
Real-time Monitoring The ability to observe the scan’s progress and output as it happens.
Session Management Techniques for handling multiple scans, including starting, detaching, and reattaching to scan sessions.
Target Host The web server or IP address that is being scanned for vulnerabilities.
Scan Results The output generated by Nikto after performing a scan, detailing identified vulnerabilities and server information.