Web Server Scanning With Nikto – A Beginner's Guide

Introduction

As a full-stack developer and security professional with over a decade of experience, I've seen countless web applications and servers compromised due to unpatched vulnerabilities. In today's threat landscape, proactively identifying and fixing security holes is not optional – it's a necessity.

One of the most powerful tools in my web penetration testing arsenal is Nikto – a free, open source web server and application scanner. Since its initial release in 2001, Nikto has become an industry standard for efficiently finding web security issues at scale.

In this comprehensive guide, I'll share:

  • What Nikto is and why it's an essential tool
  • Key features and technical architecture
  • Step-by-step Nikto installation and scanning
  • Real-world vulnerability discovery examples
  • Tips and best practices from the trenches
  • How Nikto fits into a complete web security program

Whether you're a developer, system administrator, or aspiring ethical hacker, by the end of this guide you'll be well-equipped to put Nikto into practice. Let's start with the basics!

What is Nikto?

Nikto is an open source (GPL) web server scanner originally written in Perl by Chris Sullo of CIRT, Inc. It's now maintained by David Lodge and has been ported to Windows and macOS in addition to Linux.

The goal of Nikto is to quickly find known web vulnerabilities and misconfigurations with minimal user interaction. It has a vast database of over 6,700 potentially dangerous files, scripts, and programs to check for, plus tests for outdated server software and other security issues.

How Nikto Works

Under the hood, Nikto is essentially a web crawler that parses target websites and enumerates installed software, plugins, and directories. It then compares these findings against various databases, including:

  • Outdated server versions with known vulnerabilities
  • Default or insecure files, scripts, and programs
  • Misconfigurations like directory indexing, weak HTTP headers, etc.

Nikto leverages a flexible plugin architecture and template engine, making it highly customizable. This allows developers to easily create new vulnerability tests and reporting formats.

Some key features of Nikto include:

  • Identifying web server software, frameworks, and plugins
  • Finding known software vulnerabilities via version checking
  • Guessing subdomains and login credentials
  • Scanning ports, directories, and files for insecure permissions
  • Outputting results in various formats like HTML, CSV, XML
  • Saving reports for collaboration and comparison
  • Multithreading support for faster scanning
  • Proxy support for testing internal web assets
  • Integration with Metasploit for proof-of-concept exploits

Why Use Nikto? Web Security Statistics

Web vulnerabilities are prevalent and costly. According to recent research:

  • 86% of websites have at least one serious vulnerability (Acunetix, 2020)
  • The average time to fix critical web app bugs is 69 days (WhiteHat Security, 2021)
  • 39% of web attacks target web apps (Verizon DBIR, 2022)
  • Global web app security market forecast to reach $36B by 2030 (Allied Market Research, 2023)

Equipped with Nikto, developers and security teams can root out web security holes before attackers do, shrinking attack surface and minimizing breach risk. Regular Nikto scanning should be a core component of any organization's web security program.

Installing Nikto

Nikto is cross-platform and can be installed on any operating system with Perl, including Linux, macOS, and Windows. Below are step-by-step instructions for each.

Linux Installation

Nikto comes pre-installed in Kali Linux, the popular penetration testing distribution. You can find it under the "Web Application Analysis" category.

For other Debian-based distros like Ubuntu, you can install Nikto from the official repositories:

sudo apt update
sudo apt install nikto

On Fedora, CentOS, or RHEL, use dnf or yum:

sudo dnf install nikto

macOS Installation

Installing Nikto on macOS requires the Homebrew package manager. If you don't have Homebrew yet, install it with:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Then install Nikto:

brew install nikto

Windows Installation

To run Nikto on Windows, you'll first need to install Perl. Download and run the Perl installer from ActiveState.

Next, download the Nikto ZIP archive and extract it to a directory like C:\Nikto.

Finally, open the Command Prompt, navigate to the Nikto program directory, and run the nikto.pl script:

C:\> cd C:\Nikto\program
C:\Nikto\program> perl nikto.pl

Running Nikto

With Nikto installed, you're ready to start scanning! As always, make sure you have explicit permission to scan the target in scope. Unauthorized scanning is unethical and illegal.

Basic Scanning

To run a basic Nikto scan against a target host, use the -h flag:

nikto -h http://scanme.nmap.org

Nikto will crawl the target website, enumerate installed software, and test for common web vulnerabilities and misconfigurations.

Results will display in the terminal, including security issues found, web server details, and interesting files. Each finding has a unique OSVDB ID that you can research further.

By default, Nikto scans port 80 for HTTP services. Use the -p option to specify a custom port:

nikto -h scanme.nmap.org -p 8080

Scanning HTTPS

Nikto supports SSL-enabled web servers with the -ssl flag:

nikto -h https://scanme.nmap.org -ssl

In HTTPS mode, Nikto will connect to the target over port 443 and encrypt communication. This allows you to assess SSL/TLS configurations and certificates along with standard web scanning.

Scanning Multiple Targets

For larger assessments, you'll often need to scan multiple web assets. With Nikto, you can automate this by providing a list of target hosts in a text file:

nikto -h targets.txt

Simply create a text file with one hostname or IP address per line, and Nikto will iterate through them sequentially.

Saving and Exporting Results

By default, Nikto prints scan results to standard output (the terminal). Use the -o flag to save output to a file instead:

nikto -h scanme.nmap.org -o scanme-results.txt

To specify a format, combine the -o and -Format options:

nikto -h scanme.nmap.org -o scanme-output.csv -Format csv

Nikto supports saving to TXT, CSV, HTML, and XML. This is crucial for documenting findings, comparing results over time, and integrating with other tools.

The -Format msf+ flag will create a Metasploit-compatible output file for easy exploitation of discovered vulnerabilities:

nikto -h scanme.nmap.org -Format msf+
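The basic, custom-port, HTTPS, multi-target and CSV-output invocations above can be wrapped into one batch runner. The following is an added example written for this guide, not part of Nikto or the original post. It assumes a targets file with one bare host, host:port or http(s) URL per line, derives -p and -ssl from the scheme, writes one dated CSV report per target so later runs can be compared, and shells out to whatever nikto binary is on PATH (when nikto is absent, or dry_run is set, it only prints the commands it would run).

```python
"""Batch Nikto runner: an added example, not code from Nikto or the article.

Reads targets one per line, builds the nikto command line for each target
(port and -ssl derived from the URL scheme, as with the -h/-p/-ssl flags
above), and writes one CSV report per target so runs can be compared later.
"""
from __future__ import annotations

import os
import shlex
import shutil
import subprocess
import sys
from datetime import date
from urllib.parse import urlsplit


def nikto_args(target: str, outfile: str) -> list[str]:
    """Build the argument list for one target.

    Accepts a bare hostname, host:port, or an http(s) URL. https implies
    port 443 and -ssl; anything else defaults to port 80. Assumption: the
    targets file may mix URLs and bare hosts.
    """
    if "://" not in target:
        target = "http://" + target
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"cannot parse target {target!r}")
    use_ssl = parts.scheme == "https"
    port = parts.port or (443 if use_ssl else 80)
    args = ["nikto", "-h", parts.hostname, "-p", str(port)]
    if use_ssl:
        args.append("-ssl")
    args += ["-o", outfile, "-Format", "csv"]
    return args


def output_name(target: str, stamp: str | None = None) -> str:
    """Report file name <host>_<port>_<YYYYMMDD>.csv, so a rescan of the same
    host on another day lands beside the baseline instead of overwriting it."""
    args = nikto_args(target, "")
    host, port = args[2], args[4]
    stamp = stamp or date.today().strftime("%Y%m%d")
    return f"{host}_{port}_{stamp}.csv"


def load_targets(text: str) -> list[str]:
    """One target per line; blank lines and '#' comments are ignored."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            targets.append(line)
    return targets


def run_scans(targets: list[str], outdir: str, dry_run: bool = False) -> list[list[str]]:
    """Run nikto once per target, sequentially, and return the commands used."""
    if not dry_run:
        os.makedirs(outdir, exist_ok=True)
    if shutil.which("nikto") is None:
        print("nikto not found on PATH; printing commands only", file=sys.stderr)
        dry_run = True
    commands = []
    for target in targets:
        cmd = nikto_args(target, os.path.join(outdir, output_name(target)))
        commands.append(cmd)
        print(shlex.join(cmd))
        if not dry_run:
            # check=False: one unreachable host should not abort the batch.
            subprocess.run(cmd, check=False)
    return commands


if __name__ == "__main__":
    # Usage: python nikto_batch.py targets.txt [outdir]
    if len(sys.argv) < 2:
        sys.exit("usage: nikto_batch.py targets.txt [outdir]")
    with open(sys.argv[1], encoding="utf-8") as fh:
        run_scans(load_targets(fh.read()), sys.argv[2] if len(sys.argv) > 2 else "scans")
```

Nikto's own `-h targets.txt` form already iterates a host list; the wrapper adds what that form lacks for a recurring program: a separate, dated report per host and a scheme-derived port and -ssl choice, which is what makes the later rescan comparison straightforward.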

Nikto Scan Workflow

To maximize the effectiveness of Nikto, I recommend the following workflow:

  1. Reconnaissance – Gather target web assets in scope
  2. Staging – Install/update Nikto and plugins
  3. Scanning – Run Nikto with relevant options against staging targets
  4. Analysis – Triage scan results to validate findings
  5. Reporting – Document validated vulnerabilities with risk ratings
  6. Remediation – Share findings with developers and IT for patching
  7. Rescan – Verify fixes in production and continuously monitor
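Steps 4 (Analysis) and 7 (Rescan) are where a saved CSV report pays off, because two reports can be compared mechanically. Below is an added example, not part of Nikto or this post, that parses a baseline and a rescan report and splits findings into new, persisting and fixed, then orders each group by a triage rating. It assumes Nikto's CSV column order of host, ip, port, id, method, uri, message with no header row; the two reports, the host scanme.example, the IP 192.0.2.10, the 9000xx ids and the severity keyword rules are all constructed for illustration (Nikto itself assigns no severity, so the rating is the analyst's step, not the tool's).

```python
"""Triage and rescan comparison for Nikto CSV reports.

Added example, not part of Nikto or the article. Assumption: the seven
columns Nikto's csv format writes, without a header row, are
host, ip, port, id, method, uri, message. The two reports below are
constructed; the host and IP are placeholders.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Constructed baseline report (before remediation). Id 0 is what Nikto uses
# for findings without a database entry; the 9000xx ids are placeholders.
BASELINE_CSV = """\
"scanme.example","192.0.2.10","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"scanme.example","192.0.2.10","80","0","GET","/","Server leaks inodes via ETags, header found with file /, inode: 1234, size: 56, mtime: Mon Jan  1 00:00:00 2024"
"scanme.example","192.0.2.10","80","900001","GET","/backup/","This might be interesting..."
"scanme.example","192.0.2.10","80","900002","GET","/phpinfo.php","PHP is installed, and a test script which runs phpinfo() was found."
"""

# Constructed rescan after the developers removed /backup/ and phpinfo.php.
# The ETag inode changed because the page was redeployed, and a new
# directory listing appeared on /uploads/.
RESCAN_CSV = """\
"scanme.example","192.0.2.10","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"scanme.example","192.0.2.10","80","0","GET","/","Server leaks inodes via ETags, header found with file /, inode: 9876, size: 56, mtime: Mon Jan  1 00:00:00 2024"
"scanme.example","192.0.2.10","80","900003","GET","/uploads/","Directory indexing found."
"""

# Illustrative severity rules (Nikto assigns no severity; this is the
# analyst's triage step). First match wins; anything else is "info".
SEVERITY_RULES = [
    ("high", ("phpinfo", "backup", "directory indexing", "password")),
    ("medium", ("leaks inodes", "outdated")),
    ("low", ("header is not present",)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    ip: str
    port: str
    id: str
    method: str
    uri: str
    message: str


def parse_report(text: str) -> list[Finding]:
    """Parse a Nikto CSV report; rows with fewer than seven columns are skipped."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 7:
            findings.append(Finding(*row[:7]))
    return findings


def finding_key(f: Finding) -> tuple[str, str, str, str, str]:
    """Identity used to match findings across scans. Digit runs in the
    message are masked so a changed inode, size or date does not turn one
    persisting finding into a "fixed" plus a "new" one."""
    return (f.host, f.port, f.id, f.uri, re.sub(r"\d+", "#", f.message))


def rate(f: Finding) -> str:
    """Apply the illustrative keyword rules to uri + message."""
    text = f"{f.uri} {f.message}".lower()
    for level, needles in SEVERITY_RULES:
        if any(n in text for n in needles):
            return level
    return "info"


def diff_reports(baseline: list[Finding], rescan: list[Finding]) -> dict[str, list[Finding]]:
    """Split findings into fixed (baseline only), new (rescan only), persisting."""
    base_keys = {finding_key(f) for f in baseline}
    re_keys = {finding_key(f) for f in rescan}
    return {
        "fixed": [f for f in baseline if finding_key(f) not in re_keys],
        "new": [f for f in rescan if finding_key(f) not in base_keys],
        "persisting": [f for f in rescan if finding_key(f) in base_keys],
    }


def report(baseline_csv: str, rescan_csv: str) -> str:
    """Human-readable summary, highest severity first within each group."""
    diff = diff_reports(parse_report(baseline_csv), parse_report(rescan_csv))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    lines = []
    for group in ("new", "persisting", "fixed"):
        lines.append(f"{group} ({len(diff[group])}):")
        for f in sorted(diff[group], key=lambda x: order[rate(x)]):
            lines.append(f"  [{rate(f):6}] {f.host}:{f.port} {f.uri} - {f.message}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE_CSV, RESCAN_CSV))
```

The digit masking in finding_key is the edge case worth noticing: Nikto messages often embed values that change between runs (inodes, sizes, timestamps), and without normalization every redeploy would show up as one finding fixed and one new, hiding the real diff. Keep the keyword rules as a starting point only; the "This might be interesting..." message is rated high here purely because of its /backup/ path, which is exactly the kind of judgement a human should confirm in the Analysis step.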

Here are a few more pro tips I've learned over the years:

  • Always scan staging websites before production
  • Use Nikto's 404_STRING option to reduce false positives
  • Scan during off-peak hours to minimize system impact
  • Filter out noise with the SKIPFILE and MUSTHAVE options
  • Create multiple scanning profiles for different use cases
  • Leverage the REST API for automation and integration

Limitations of Nikto

While powerful, Nikto is not a silver bullet. It's designed to quickly find low-hanging fruit, but won't provide full coverage of all possible web vulnerabilities.

Nikto relies on comparing scan results to predefined databases. This means it can miss issues that require manual verification, like business logic flaws or chained exploits.

As with any single tool, Nikto is most effective when combined with others as part of the reconnaissance phase of web penetration testing. For example, you might use EyeWitness to take screenshots of discovered web assets, then Burp Suite to manually probe them.

Semi-automated scanners like Arachni and OWASP ZAP are also great complements to Nikto. They can crawl web applications more thoroughly and discover complex bugs.

Conclusion

Web security is a never-ending battle, and automated scanners like Nikto are essential weapons. But they're only a starting point.

Ultimately, web penetration testing requires a combination of tools and manual analysis, tailored to each unique web property. Nikto is a key puzzle piece that can identify common vulnerabilities at scale, but it's up to the expertise of developers and security pros to paint the full picture.

As you integrate Nikto into your own security program, stay curious and keep learning. Web threats are constantly evolving, and so must our defenses. But equipped with the right tools and mindset, we can help make the web a safer place for everyone.

Now, go forth and scan! And remember, with great power comes great responsibility. Use Nikto wisely, get permission, and disclose ethically. The rest is up to you.