Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).
Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.
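Because Nikto is, as the text says, "fairly obvious in log files", the natural counterpart to this description is a detection on the web-server side. The following is an added example, not code from Nikto or its authors: it parses a few constructed Apache/nginx combined-format access-log lines and flags a source address when its User-Agent names Nikto (the default agent string has the form "Mozilla/5.00 (Nikto/2.1.6) ...") or, to cover scans run with a changed agent string, when it produces a burst of 404s on many distinct paths inside a short window. The log format, the sample addresses, the 60-second window and the threshold of 10 distinct missing paths are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Apache/nginx "combined" access-log line (assumed log format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip: str, when: datetime, path: str, status: int, ua: str) -> str:
    """Build one constructed combined-log line (sample data, not a real capture)."""
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 196 "-" "{ua}"'


_T0 = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
# Shape of Nikto's default User-Agent; the test number is made up.
_NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
_PLAIN_UA = "Mozilla/5.0 (X11; Linux x86_64)"

# Constructed sample log: one scanner with the default agent string, one scanner
# hiding behind a browser agent string, and one ordinary visitor with a single 404.
SAMPLE_LOG: List[str] = (
    [_line("192.0.2.10", _T0, "/", 200, _NIKTO_UA),
     _line("192.0.2.10", _T0, "/cgi-bin/test.cgi", 404, _NIKTO_UA),
     _line("192.0.2.10", _T0 + timedelta(seconds=1), "/admin/", 404, _NIKTO_UA)]
    + [_line("198.51.100.7", _T0 + timedelta(seconds=i), f"/probe{i}/", 404, _PLAIN_UA)
       for i in range(12)]
    + [_line("203.0.113.5", _T0 + timedelta(minutes=i), "/index.html", 200, _PLAIN_UA)
       for i in range(3)]
    + [_line("203.0.113.5", _T0 + timedelta(minutes=3), "/favicon.ico", 404, _PLAIN_UA)]
)


def detect_scanners(lines: List[str], window: timedelta = timedelta(seconds=60),
                    min_404: int = 10) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients that look like a Nikto-style scan.

    Reasons are "user-agent" (agent string names Nikto) and "404 burst"
    (at least `min_404` distinct paths answered 404 within `window`).
    """
    per_ip: Dict[str, list] = defaultdict(list)
    ua_hits = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        ip = m["ip"]
        if "nikto" in m["ua"].lower():
            ua_hits.add(ip)
        per_ip[ip].append((datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])))

    findings: Dict[str, List[str]] = {}
    for ip, events in per_ip.items():
        reasons = []
        if ip in ua_hits:
            reasons.append("user-agent")
        events.sort(key=lambda e: e[0])
        start = 0  # sliding window over the time-ordered events of this client
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            missing = {path for _, path, status in events[start:end + 1] if status == 404}
            if len(missing) >= min_404:
                reasons.append("404 burst")
                break
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, why in detect_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(why)}")
```

The agent-string check is cheap but trivially evaded; the 404-burst rule is what catches a scan that has had its agent string changed, at the cost of needing a threshold tuned to the site's normal error rate.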
Nikto is written by Chris Sullo and David Lodge.
Here are some of the major features of Nikto. See the documentation for a full list of features and how to use them.
- SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s
- Full HTTP proxy support
- Checks for outdated server components
- Save reports in plain text, XML, HTML, NBE or CSV
- Template engine to easily customize reports
- Scan multiple ports on a server, or multiple servers via input file (including nmap output)
- LibWhisker’s IDS encoding techniques
- Easily updated via command line
- Identifies installed software via headers, favicons and files
- Host authentication with Basic and NTLM
- Subdomain guessing
- Apache and cgiwrap username enumeration
- Mutation techniques to “fish” for content on web servers
- Scan tuning to include or exclude entire classes of vulnerability
- Guess credentials for authorization realms (including many default id/pw combos)
- Authorization guessing handles any directory, not just the root
- Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
- Reports “unusual” headers seen
- Interactive status, pause and changes to verbosity settings
- Save full request/response for positive tests
- Replay saved positive requests
- Maximum execution time per target
- Auto-pause at a specified time
- Checks for common “parking” sites
- Logging to Metasploit
- Thorough documentation
The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:
perl nikto.pl -h 192.168.0.1
To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:
perl nikto.pl -h 192.168.0.1 -p 443
Hosts, ports and protocols may also be specified by using a full URL syntax, and it will be scanned:
perl nikto.pl -h https://192.168.0.1:443/
There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.
perl nikto.pl -h 192.168.0.1 -p 443 -ssl
Note: The -mutate and -mutate-options parameters have been deprecated in nikto 2.1.2. Plugin selections, using the -Plugin parameter, should be used instead. Nikto will automagically turn a mutate option into the appropriate selection string.
More complex tests can be performed using the -mutate parameter, as detailed later. This can produce extra tests, some of which may be provided with extra parameters through the -mutate-options parameter. For example, using -mutate 3, with or without a file attempts to brute force usernames if the web server allows ~user URIs:
perl nikto.pl -h 192.168.0.1 -mutate 3 -mutate-options user-list.txt
Multiple Port Testing
Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). This will scan the host on ports 80, 88 and 443.
perl nikto.pl -h 192.168.0.1 -p 80,88,443
Multiple Host Testing
Nikto supports scanning multiple hosts in the same session via a text file of host names or IPs. Instead of giving a host name or IP for the -h (-host) option, a file name can be given. A file of hosts must be formatted as one host per line, with the port number(s) at the end of each line. Ports can be separated from the host and other ports via a colon or a comma. If no port is specified, port 80 is assumed.
This is an example of a valid hosts file:
A host file may also be nmap output in "greppable" format (i.e. the output from -oG).
A file may be passed to Nikto through stdout/stdin using a "-" as the filename. For example:
nmap -p80 192.168.0.0/24 -oG - | nikto.pl -h -
Note for win32 users: due to peculiarities in the way that cmd.exe works with pipes, the above example may not work for you. In this case a temporary file will have to be used to store the output from nmap.
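To make the two accepted input formats concrete, here is an added example (not code from Nikto) that parses both: a hosts file in the form described above (one host per line, port(s) at the end separated from the host and from each other by ":" or ",", port 80 when none is given) and nmap "greppable" (-oG) output, from which only open TCP ports are taken. The sample inputs are constructed; skipping blank and "#" lines in the hosts file, and rejecting non-numeric or out-of-range ports, are choices of this parser rather than documented Nikto behaviour.

```python
import re
from typing import Dict, List

DEFAULT_PORT = 80

# Constructed sample hosts file in the format described in the text.
SAMPLE_HOSTS_FILE = """\
192.168.0.1
192.168.0.2:443
www.example.com,80,8080
# blank lines and '#' comments are skipped (this parser's choice, not Nikto's rule)

10.0.0.5:80:443
"""

# Constructed sample of nmap -oG output for the same kind of target list.
SAMPLE_NMAP_GREPPABLE = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p80,443 -oG - 192.168.0.0/30
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (0)
Host: 192.168.0.2 ()\tPorts: 80/filtered/tcp//http///, 443/open/tcp//https///
# Nmap done at Mon Jan  1 00:00:01 2024 -- 4 IP addresses (2 hosts up) scanned in 1.00 seconds
"""


def _add(targets: Dict[str, List[int]], host: str, port: int) -> None:
    """Append a port to a host's list, keeping order and avoiding duplicates."""
    ports = targets.setdefault(host, [])
    if port not in ports:
        ports.append(port)


def parse_hosts_file(text: str) -> Dict[str, List[int]]:
    """Parse 'host[:port][,port...]' lines into {host: [ports]}; no port means 80.

    Bracketed IPv6 literals are not handled: the documented format uses ':' as a
    separator, so a literal IPv6 address would be split apart (known limitation).
    """
    targets: Dict[str, List[int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, *ports = re.split(r"[:,]", line)
        if not host:
            raise ValueError(f"missing host on line {raw!r}")
        if not ports:
            ports = [str(DEFAULT_PORT)]
        for p in ports:
            if not p.isdigit() or not 0 < int(p) < 65536:
                raise ValueError(f"bad port {p!r} on line {raw!r}")
            _add(targets, host, int(p))
    return targets


def parse_nmap_greppable(text: str) -> Dict[str, List[int]]:
    """Extract {host: [open tcp ports]} from nmap -oG output.

    Each 'Ports:' field holds comma-separated entries of the form
    port/state/protocol/owner/service/rpc/version; only the first three parts matter here.
    """
    targets: Dict[str, List[int]] = {}
    for line in text.splitlines():
        m = re.match(r"^Host:\s+(\S+)", line)
        if not m:
            continue  # comment lines and anything that is not a host record
        ports_field = re.search(r"Ports:\s+([^\t]*)", line)
        if not ports_field:
            continue  # e.g. a 'Status: Up' record without port data
        for entry in ports_field.group(1).split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[0].isdigit() and parts[1] == "open" and parts[2] == "tcp":
                _add(targets, m.group(1), int(parts[0]))
    return targets


def load_targets(text: str) -> Dict[str, List[int]]:
    """Pick the parser by sniffing for nmap's 'Host:' / '# Nmap' record lines."""
    if any(l.startswith(("Host:", "# Nmap")) for l in text.splitlines()):
        return parse_nmap_greppable(text)
    return parse_hosts_file(text)


def to_nikto_args(targets: Dict[str, List[int]]) -> List[List[str]]:
    """Turn the parsed targets into one 'perl nikto.pl -h HOST -p PORTS' argv per host."""
    return [["perl", "nikto.pl", "-h", host, "-p", ",".join(str(p) for p in ports)]
            for host, ports in targets.items()]


if __name__ == "__main__":
    for argv in to_nikto_args(load_targets(SAMPLE_NMAP_GREPPABLE)):
        print(" ".join(argv))
```

Nikto itself reads these files directly; the point of the parser is to see how a list written by hand and one produced by nmap map onto the same host and port set, and to validate that list before a long scan is started against it.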
Using a Proxy
If the machine running Nikto only has access to the target host (or update server) via an HTTP proxy, the test can still be performed. There are two ways to use a proxy with Nikto, via the nikto.conf file or directly on the command line.
To use the nikto.conf file, set the PROXY* variables (as described in section 4), and then execute Nikto with the -useproxy option. All connections will be relayed through the HTTP proxy specified in the configuration file.
perl nikto.pl -h localhost -p 80 -useproxy
To set the proxy on the command line, use the -useproxy option with the proxy set as the argument, for example:
./nikto.pl -h localhost -useproxy http://localhost:8080/
Nikto can be automatically updated, assuming you have Internet connectivity from the host Nikto is installed on. To update to the latest plugins and databases, simply run Nikto with the -update command.
Note: The -update option cannot be abbreviated.
perl nikto.pl -update
If updates are required, you will see a list of the files downloaded:
perl nikto.pl -update
+ Retrieving 'nikto_core.plugin'
+ Retrieving 'CHANGES.txt'
Updates may also be manually downloaded from the appropriate version's directory at http://cirt.net/nikto/UPDATES/. Plugin and database files from the server should replace those in the 'plugins' or 'databases' directories.
Integration with Nessus
Nessus (http://www.nessus.org/nessus/) can be configured to automatically launch Nikto when it finds a web server. Ensure Nikto works properly, that nikto.pl is in the PATH, and that nikto.nasl is present in the Nessus install. Run 'nessusd -R' and then restart nessusd.
See http://blog.tenablesecurity.com/2008/09/using-nessus-to.html for detailed instructions.
Nikto contains several options which can be changed during an active scan, provided it is running on a system which provides POSIX support, which includes *nix and some other operating systems. On systems without POSIX support, these features will be silently disabled.
During an active scan, pressing any of the keys below will turn on or off the listed feature or perform the listed action. Note that these are case sensitive.
- SPACE – Report current scan status
- v – Turn verbose mode on/off
- d – Turn debug mode on/off
- e – Turn error reporting on/off
- p – Turn progress reporting on/off
- r – Turn redirect display on/off
- c – Turn cookie display on/off
- o – Turn OK display on/off
- a – Turn auth display on/off
- q – Quit
- N – Next host
- P – Pause