Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).
Not every check is a security problem. Some items are "info only" checks that look for things that may not be a security flaw but that a pentester may not know are present on the server. These items are usually marked appropriately in the printed output. There are also some checks for unknown items which have been seen scanned for in log files.
The goal of the project is to examine a web server to find potential problems and security vulnerabilities, including:
Server and software misconfigurations;
Default files and programs;
Insecure files and programs;
Outdated servers and programs;
Pointers to lead a human tester to better manual testing.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 of the License only.
⧽ Installation:
Installing Nikto on an Ubuntu system is straightforward, as the package is available in the default repositories.
First refresh the package index (the upgrade step is optional and only brings the rest of the system up to date):
sudo apt-get update && sudo apt-get upgrade
Then install Nikto:
sudo apt-get install nikto -y
⧽ Usage:
Option help (options are case-sensitive; -Help prints the extended help, while lowercase -h is the target host):
nikto -Help
Scan domain/host:
nikto -h 10.0.0.1
nikto -h website.com
To specify an SSL website:
nikto -h website.com -ssl
Specifying ports (note that the target is always given with -h; -t in Nikto is the request timeout, not the target). A single port, a comma-separated list or a range may be given:
nikto -h 10.0.0.1 -p 80
nikto -h 10.0.0.1 -p 80,443
nikto -h 10.0.0.1 -p 1-100
Report viewable in a browser (Nikto's HTML format name is htm):
nikto -h 10.0.0.1 -o report.html -Format htm
Writing results in the Metasploit-importable msf+ format:
nikto -h 10.0.0.1 -Format msf+
Scan multiple hosts from a text file (one host or URL per line):
nikto -h domains.txt
To export a scan result, use the -o flag followed by the file name. If -Format is omitted, Nikto infers the format from the file extension (txt, csv, htm, xml, nbe); giving it explicitly is clearer:
nikto -h scanme.nmap.org -o scan.txt
nikto -h scanme.nmap.org -o scan.csv -Format csv
Nikto can also be used on the local network to search for embedded web servers (printers, cameras, management interfaces). To do that, we first need our own IP address. Run the following in a terminal to see the addresses of the local machine (ip -4 addr gives the same information on systems where ifconfig is no longer installed):
ifconfig
The address we need is the one following ‘inet’, so note it down. You can work out your network range by running ipcalc on it, which you can install with apt install ipcalc if you don’t have it already.
Let’s find web servers on the local network by scanning port 80 across our range with Nmap. Adding --open keeps only hosts that actually have the port open; without it the grepable output also lists live hosts whose port 80 is closed or filtered, and a filter on "Up" alone would pass those along to Nikto. Here, we’re exporting the grepable output into a file we’ll name hosts.txt:
sudo nmap -p 80 --open 192.168.0.0/24 -oG hosts.txt
Grepable output writes one "Host: <ip> (<name>) Ports: 80/open/tcp//http///" line per host with an open port. To build a target list for Nikto, pull the IP (the second field) from those lines into a file:
awk '/80\/open/{print $2}' hosts.txt > targetIP.txt
Hand that list to Nikto with the following command:
nikto -h targetIP.txt
Nikto scans each listed host in turn and produces the same per-host output you get for a single -h target.
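The Nmap-to-Nikto hand-off above, written out as one script. This is an added example, not code from the Nikto project: extract_web_hosts is a helper name chosen here, the embedded nmap -oG lines are constructed sample output (not a real scan), and the actual nmap/nikto commands only run when a CIDR range is passed as the first argument, so the script can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example (not part of Nikto): feed only hosts with an open port 80
# from an nmap grepable (-oG) scan into Nikto.

# Print the hosts whose nmap -oG "Ports:" line shows 80/open. Nmap emits a
# "Host: <ip> (<name>)  Status: Up" line and a "Host: <ip> (<name>)  Ports: ..."
# line per live host; matching on "Up" alone would also select hosts whose
# port 80 is closed or filtered, so match on the port state instead.
extract_web_hosts() {
  awk '/Ports:/ && /80\/open\//{print $2}' "$1"
}

# The real pipeline for a CIDR range: nmap -oG with --open so only hosts with
# an open port are listed, then Nikto over the resulting target file.
scan_subnet() {
  local range="$1" hosts="hosts.txt" targets="targetIP.txt"
  sudo nmap -p 80 --open "$range" -oG "$hosts"
  extract_web_hosts "$hosts" > "$targets"
  nikto -h "$targets" -p 80 -o "nikto-$(date +%Y%m%d).txt"
}

# Constructed sample of nmap -oG output (not from a real scan). The second
# host is up but has port 80 closed and must not reach Nikto.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p 80 192.168.0.0/24 -oG hosts.txt
Host: 192.168.0.1 ()    Status: Up
Host: 192.168.0.1 ()    Ports: 80/open/tcp//http///
Host: 192.168.0.7 ()    Status: Up
Host: 192.168.0.7 ()    Ports: 80/closed/tcp//http///
Host: 192.168.0.20 (printer.lan)    Status: Up
Host: 192.168.0.20 (printer.lan)    Ports: 80/open/tcp//http///
# Nmap done -- 256 IP addresses (3 hosts up) scanned
EOF

# Offline demonstration: prints 192.168.0.1 and 192.168.0.20 only.
extract_web_hosts "$SAMPLE"

# Live run only when a range is supplied, e.g. ./nikto-sweep.sh 192.168.0.0/24
if [ $# -gt 0 ]; then
  scan_subnet "$1"
fi
```

Keying on the port state rather than the host state is the whole point: a closed or filtered port 80 still yields a "Status: Up" line, and every such host would otherwise cost Nikto a full run of timeouts.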
⧽ Tuning:
Tuning options control which tests Nikto runs against a target. By default, if any tuning options are specified, only those tests are performed. If the "x" option is used, the logic is reversed and only the specified tests are excluded. Use the reference number or letter to specify the type; several may be combined in one argument (for example -Tuning 49 runs only injection and SQL injection checks):
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)
So, to only perform an SQL injection test against your target:
nikto -Tuning 9 -h example.com
or to run everything except the Denial of Service checks (the x and the excluded categories form a single argument):
nikto -Tuning x6 -h example.com
⧽ Saving results:
nikto -Display V -o results.html -Format htm -Tuning 9 -h example.com
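Once results are saved as CSV (the -o / -Format csv export shown earlier, or a tuned run like the one above), the next step is triage. The following added example, not part of Nikto, summarises a CSV report per host and port and separates findings that carry a reference id from the "info only" entries mentioned at the top of the page. It assumes the seven-column layout Nikto's CSV report writes (hostname, ip, port, reference id, method, URI, message) with a reference id of 0 for informational checks; summarize_csv is a helper name chosen here and the report lines are constructed sample data, not real scan output.

```bash
#!/usr/bin/env bash
# Added example (not part of Nikto): per-host triage summary of a CSV report.

# Print "host:port findings=N with_reference=M" for every host:port in the CSV.
# Fields are split on the quoted-field separator "," so that commas inside the
# message column do not shift the columns. Column 4 is the reference id; a
# value of 0 is assumed here to mean an informational ("info only") entry.
summarize_csv() {
  awk -F'","' '
    {
      sub(/^"/, "", $1)                      # strip the opening quote of the host field
      key = $1 ":" $3                        # host:port
      total[key]++
      if ($4 != "0" && $4 != "") ref[key]++  # non-zero reference id = flagged finding
    }
    END {
      for (k in total)
        printf "%s findings=%d with_reference=%d\n", k, total[k], ref[k] + 0
    }' "$1" | sort
}

# Print only the URIs that Nikto tied to a reference id, for manual follow-up.
referenced_uris() {
  awk -F'","' '$4 != "0" && $4 != "" {print $6}' "$1" | sort -u
}

# Constructed sample report (not real scan output) in the assumed column order.
# 192.0.2.0/24 is the TEST-NET-2 documentation range.
REPORT=$(mktemp)
cat > "$REPORT" <<'EOF'
"scanme.example","192.0.2.10","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"scanme.example","192.0.2.10","80","3092","GET","/admin/","This might be interesting, it was seen in log files."
"scanme.example","192.0.2.10","80","0","GET","/","Server leaks inodes via ETags, header found with file /, inode: 1234."
"scanme.example","192.0.2.10","443","0","GET","/","The X-Content-Type-Options header is not set."
EOF

summarize_csv "$REPORT"
referenced_uris "$REPORT"
```

The two functions answer the two questions a tester asks first after a sweep: which hosts produced anything beyond header hygiene notes, and which paths deserve a manual look.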