What is Nikto?
Nikto is an open-source website vulnerability scanner, it performs comprehensive tests on servers in several directions, including more than 6,700 potentially dangerous files/programs, checking for outdated versions of more than 1250 servers and problems specific to versions of more than 270 servers. The scanner also checks server configuration items, such as the presence of multiple index files, HTTP server options, and tries to determine the name and version of the webserver and software.
Nikto was not created to be inconspicuous. He will test the webserver for the fastest time possible, it is obvious that his activity will fall into the logs of the web server and in the field of vision IPS / IDS (intrusion detection/prevention systems). However, there is support for anti-IDS methods from LibWhisker - in case you want to try them (or test your IDS system).
Not every check relates to a security issue, although most do. Some items are information-only checks that look for things that may not have security flaws, but a webmaster or security engineer may not know that this is present on the server. Typically, in the output information, these elements are marked accordingly. There are also some checks for unknown items that have been seen in the log files.
Features and capabilities of Nikto
Here are some of the main features of Nikto.
- SSL support (Unix with OpenSSL or maybe Windows with Perl / NetSSL in ActiveState);
- Full HTTP proxy support;
- Check for obsolete server components;
- Saving a report as plain text, XML, HTML, NBE or CSV;
- Template engine for easy customization of reports;
- Scanning multiple ports on a server or multiple servers obtained from an input file (including Nmap output );
- LibWhisker IDS Coding Techniques;
- Identification of installed software by headers, icons (favicon) and files;
- Host Authentication with Basic and NTLM;
- Subdomain guessing;
- Listing Apache and Cgiwrap Usernames;
- Mutation Techniques for “Fishing” for Web Server Content;
- Scan tuning to include or exclude entire classes of vulnerability checks;
- Assumption of credentials for the authorization area (including many standard login/password combinations);
- Guessing authorization works with any directory, not just the root;
- Improved suppression of false positives through several methods: headers, page content, and hash calculation;
- Reporting “unusual” headings seen;
- Interactive status, you can pause and change the verbality settings;
- Saving full requests/responses for tests that give positive results;
- Repeat positive requests;
- Maximum lead time per target;
- Automatic pause at a specific time;
- Checks for common parking sites;
- Login to Metasploit.
Nikto Installation
Although Nikto is preinstalled on Kali Linux, at the time of writing, the package has not been updated for 2 years.
At the same time, there is life around the project on GitHub, and it’s quite active.
Therefore, despite the installed version, we will download Nikto from GitHub and will use it for scans:
cd nikto/program/
./nikto.pl -Version
Simple checks with Nikto
Nikto's simplest scan only requires a host as the target, since port 80 is implied if not specified. The host can be either IP or hostname of the machine, indicated using the -h -host option.
./nikto.pl -h 192.168.43.46
To check on another port, specify the port number with the -p ( -port ) option. The following command will scan 192.168.43,46 on TCP port 443:
Hosts, ports, and protocols can also be specified using the full URL syntax:
./nikto.pl -h https://192.168.43.46:443/
No need to specify port 443 for SSL, as Nikto will start with plain HTTP, and if that doesn't work, he will switch to HTTPS. If you are sure that this is a server with SSL, specifying -s ( -SSL ) will speed up the test.
./nikto.pl -h 192.168.43.46 -p 443 -ssl
Scan multiple ports in Nikto
Nikto can scan multiple ports in one scan session. To test more than one port on the same host, specify a list of ports in the -p ( -port ) option. Ports can be specified as a range (i.e. 80-90), as a comma-separated list (i.e. 80.88.90). The following command will scan the host on ports 80, 88, and 443:
./nikto.pl -h 192.168.43.46 -p 80,88,443
Scan multiple hosts in Nikto
Nikto supports scanning multiple hosts in a single session. They can be specified in a text file of hostnames or IPs. Instead of passing the hostname or IP for the -h ( -host ) option, you can pass the file name. The host file must be in the format of one host per line with the number (s) of ports at the end of each line. Ports can be separated from the host and other ports by a colon or comma. If no port is specified, port 80 is assumed.
This is an example of a valid hosts file:
http://192.168.43.46:8080/
192.168.43.46
The host file can also be Nmap output in "greppable" format (ie output with the -oG option ).
The file can be transferred to Nikto via standard output/input using a “ - ” as the file name. For instance:
nmap -p 80 192.168.43.46/24 -oG - | nikto.pl -h
Scanning hosts and ports using proxies
Nikto can use a proxy when specifying it in the configuration file ( nikto.conf ), or in a command-line option.
To use the nikto.conf file set the PROXY * variables, and then run Nikto with the -useproxy option. All connections will be transmitted through the HTTP proxy specified in the configuration file.
./nikto.pl -h localhost -p 80 -useproxy
To install a proxy on the command line, use the -useproxy option with the proxy settings as an argument, for example:
./nikto.pl -h localhost -useproxy http://localhost:8080/
Interactive Features
Nikto contains several options that can be changed during active scanning.
During an active scan, pressing any of the keys below will enable or disable the specified function or perform the specified action. They are case sensitive.
- Spacebar - Report current scan status
- v - Enable / enable verbal mode
- d - Enable / disable debug mode
- e - Enable / enable error messages
- p - Enable / enable progress message
- r - Enable / enable redirect displays
- c - Enable / disable the display of cookies
- o - Enable / enable display OK
- a - Enable / enable authentication mapping
- q - Exit
- N - Next host
- P - Pause
Anonymous Scan with Nikto
For anonymous scans, you can use the services of the Tor network. But since Nikto does not support working with SOCKS, we also need to configure Privoxy in addition.
On Kali Linux, installing Privoxy is done like this:
sudo apt-get install tor privoxy
Note: configuration in Arch Linux / BlackArch is done in a similar way, but with the exception of the package installation command. Instead of the above, you need to use:
sudo pacman -S tor privoxy
Add the following lines to the /etc/privox / config file:
forward-socks4a / localhost:9050 .
forward-socks5t / localhost:9050 .
We start and add service to startup:
sudo systemctl enable tor
sudo systemctl start privoxy
sudo systemctl enable privoxy
Now, in order to scan through Tor, add -useproxy http: // localhost: 8118 / to each command. For instance:
nikto -h URL -useproxy http://localhost:8118/
Free online scan service for Nikto
For those who do not want to deal with the launch of Nikto, a free online scanner is offered that uses all the features of Nikto.
The scanner is really absolutely free and does not even require registration for access, but lengthy scans, especially when the server is busy, can be reset before it is completed.