2024-12-10 15:58:50 -05:00


What is Nikto?

Nikto is an open-source, command-line vulnerability scanner that focuses on web servers and web applications. It identifies potentially dangerous files, outdated server components, and other security issues. While Nikto is not an exploit tool, it flags issues that may be leveraged by attackers if left unchecked. It's often used by penetration testers, security researchers, and system administrators to quickly assess the security posture of web servers.

🔥 You can complete several labs (including one about Nikto) in O'Reilly. They are listed at: https://hackingscenarios.com

Basic Usage

The simplest way to run Nikto:

nikto -h http://example.com

Here, -h specifies the target host. Nikto will enumerate known checks against http://example.com.

Targeting HTTPS

To scan an HTTPS site:

nikto -h https://example.com

Nikto will automatically handle SSL/TLS.

Specifying Ports and IPs

If your web server runs on a non-standard port:

nikto -h 10.6.6.6 -p 8080

This scans the IP 10.6.6.6 on port 8080.

Multiple Targets

You can supply a list of hosts in a text file:

http://10.6.6.23
https://web.test.local
http://www.example.com

Run:

nikto -h targets.txt

Nikto will scan each target sequentially.


Common Command-Line Options

  • -h <host>: Specifies the target host (or file containing hosts).
  • -p <port>: Specifies port other than 80/443.
  • -ssl: Forces SSL mode if Nikto doesn't detect it automatically.
  • -Tuning <options>: Controls what type of tests to run. Tuning options are digits representing categories like file uploads, injections, etc. The digits are written together, without spaces. For example:
    • -Tuning 1 might check for interesting file extensions.
    • -Tuning 123 would run tests of categories 1, 2, and 3.
  • -Plugins <plugin-list>: Run specific plugins or exclude plugins.
  • -timeout <seconds>: Set a timeout per request.
  • -output <file>: Save the results to a file. You can also specify formats with -Format.
  • -Format <type>: Change the output format (html, xml, csv).

Example with Tuning and Output

nikto -h http://10.6.6.6 -Tuning 123 -output scan_results.html -Format html

This runs tests of categories 1, 2, and 3, and outputs the results to an HTML file named scan_results.html.


Running Nikto Against a Sample Target

Let's say we have a web server at http://10.6.6.6:

  1. Basic Scan:

    nikto -h http://10.6.6.6
    

    This will:

    • Enumerate known vulnerabilities and misconfigurations.
    • Check for default files, like /phpmyadmin/ directories, /test/, /admin/ pages.
    • Identify the server banner, giving clues about the server software and version.

    The output might look like:

    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          10.6.6.6
    + Target Hostname:    10.6.6.6
    + Target Port:        80
    + Start Time:         2025-12-10 10:00:00 (GMT)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.41 (Ubuntu)
    + The anti-clickjacking X-Frame-Options header is not present.
    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
    + /server-status: Server status page is publicly accessible.
    + /phpmyadmin/: phpMyAdmin directory found. Possible configuration issue.
    + ...
    

    Nikto will list identified issues as well as informational messages.

  2. SSL Scans: If the site is https://10.6.6.6, run:

    nikto -h https://10.6.6.6
    

    Nikto will attempt SSL tests and report SSL-related issues (like weak ciphers or protocols if found).

  3. Specific Tuning: If you want only injection-related tests (just as an example), you need to know which tuning numbers correspond to injection. Usually, -list-plugins or referencing Nikto's documentation helps. As an example:

    nikto -h http://10.6.6.6 -Tuning x
    

    Replace x with the correct number(s) for injection tests.

  4. More Controlled Testing: To avoid being too noisy, you might exclude certain tests:

    nikto -h http://10.6.6.6 -exclude /server-status
    

    This will skip checking /server-status.


Interpreting Results

Nikto's output includes:

  • Server Headers and Banners:
    This shows what server software is running and can hint if it's outdated or misconfigured.

  • Identified Directories and Files:
    Paths like /phpmyadmin/ or /test/ might be sensitive. Finding these can guide you to configuration changes (like removing or securing these directories).

  • Insecure HTTP Methods:
    If PUT, DELETE, or TRACE methods are enabled, Nikto will flag them, as these can be abused.

  • Missing Security Headers:
    If headers like X-Frame-Options, X-Content-Type-Options, or Content-Security-Policy are missing, Nikto will note it. While not always critical vulnerabilities, adding these headers helps harden the server.

  • Outdated Software:
    If it detects that the server or a known application is out of date, it will alert you to potential vulnerabilities in older versions.

After a Nikto scan, you should review the findings and prioritize them:

  • High-priority: Default admin panels accessible, outdated software with known CVEs, risky HTTP methods.
  • Medium-priority: Exposed server status pages or directory listings.
  • Low-priority: Missing headers or other best-practice improvements.

Reporting

Nikto supports output in different formats. For example, to generate HTML output:

nikto -h http://10.6.6.6 -Format html -output nikto_report.html

This creates a more presentable report which you can share with team members or integrate into documentation. XML or CSV outputs are useful for integrating results into other security tools or dashboards.
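The CSV format is the easiest one to post-process. As an added example (not code from this page or from the Nikto project), the following Python script reads a CSV report written with -Format csv and sorts each finding into the High/Medium/Low buckets from the Interpreting Results section. The column order (host, ip, port, osvdb, method, uri, message, no header row) is assumed from the Nikto 2.1.x CSV report plugin, and the sample rows are constructed.

```python
import csv
import io
# Constructed sample of "nikto -Format csv" output. Column order is assumed from
# the Nikto 2.1.x CSV plugin: host, ip, port, osvdb, method, uri, message (no header).
SAMPLE_CSV = '''\
"10.6.6.6","10.6.6.6","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"10.6.6.6","10.6.6.6","80","0","GET","/","Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE"
"10.6.6.6","10.6.6.6","80","0","GET","/server-status","Server status page is publicly accessible."
"10.6.6.6","10.6.6.6","80","0","GET","/test/","Directory indexing found."
"10.6.6.6","10.6.6.6","80","0","GET","/phpmyadmin/","phpMyAdmin directory found. Possible configuration issue."
"10.6.6.6","10.6.6.6","80","0","GET","/","Apache/2.4.41 appears to be outdated."
"10.6.6.6","10.6.6.6","80","0","GET","/","Web Server returns a valid response with junk HTTP methods, this may cause false positives."
'''

COLUMNS = ("host", "ip", "port", "osvdb", "method", "uri", "message")
PRIORITIES = ("high", "medium", "low", "info")
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}   # flagged under "Insecure HTTP Methods"
ADMIN_PATHS = ("/phpmyadmin", "/admin")      # default admin panels are high priority

def parse_nikto_csv(text):
    # One dict per row; rows of the wrong width (e.g. stray blank lines) are skipped.
    return [dict(zip(COLUMNS, f)) for f in csv.reader(io.StringIO(text))
            if len(f) == len(COLUMNS)]

def classify(finding):
    # Apply the High / Medium / Low rules from the text; anything else is informational.
    uri, msg = finding["uri"].lower(), finding["message"]
    low = msg.lower()
    if msg.startswith("Allowed HTTP Methods:"):
        allowed = {m.strip().upper() for m in msg.split(":", 1)[1].split(",")}
        return "high" if allowed & RISKY_METHODS else "info"
    if uri.startswith(ADMIN_PATHS) or "appears to be outdated" in low:
        return "high"
    if "server-status" in uri or "directory indexing" in low:
        return "medium"
    if "header" in low:
        return "low"
    return "info"

def triage(text):
    # Group findings by priority so the review starts at the top of the list.
    groups = {p: [] for p in PRIORITIES}
    for finding in parse_nikto_csv(text):
        groups[classify(finding)].append(finding)
    return groups

def summarize(text):
    # Counts per priority; a quick sanity check before reading the full report.
    return {p: len(items) for p, items in triage(text).items()}
```

To use it on a real scan, replace SAMPLE_CSV with the contents of the file written by -output report.csv -Format csv, and extend the keyword rules as your own findings require.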


Advanced Usage

  • Using Proxies: If you want to pass Nikto's traffic through a proxy (for logging or anonymization):

    nikto -h http://10.6.6.6 -useproxy http://127.0.0.1:8080
    

    This is useful when combining Nikto with tools like Burp Suite for traffic inspection.

  • Verbose and Debug Modes: Add -verbose or -Display V to see more details about what's happening:

    nikto -h http://10.6.6.6 -Display V
    
  • Plug-in Management: To see what plugins are available:

    nikto -list-plugins
    

    Then enable or disable plugins with -Plugins.


Limitations and Complementary Tools

  • No Exploitation:
    Nikto only identifies potential issues. It does not exploit them. Use other tools (like Metasploit) or manual methods to verify vulnerabilities and impact.

  • False Positives and Verification:
    Like any scanner, Nikto can produce false positives. Always verify findings manually or with another scanner.

  • Speed and Noise:
    Nikto can be noisy and somewhat slow. It's best for initial reconnaissance. For more stealthy, focused testing, consider other tools or refine your Nikto options.

  • Supplement with Other Tools:
    Combine Nikto with tools like Nmap (for port scanning and service version detection), Nuclei (for specific known-vulnerability checks), and manual inspection for further analysis or remediation.