Nikto: A Practical Website Vulnerability Scanner
The most critical part of any website is its web server. The web server is responsible for accepting requests from your visitors, understanding them, and giving your website visitors answers to their requests.
Consequently, your web server is also the first component of your website in the line of attack. That's because attackers target your web server to find any vulnerabilities, configuration-related errors and SSL certificate-related security issues.
As part of the SecurityTrails blog series highlighting both online vulnerability scanning tools and information gathering utilities, today we'll explore a tool focused on scanning web servers called Nikto. Let's learn more about Nikto and how to use it to scan your web server.
- What is Nikto?
- Nikto installation
- 10 Nikto commands to perform vulnerability scanning
- What's next - defend or attack?
- Nikto vs. Nmap
- Nikto vs. Nessus
- Summary
What is Nikto?
Nikto, also known as Nikto2, is an open source (GPL) and free-to-use web server scanner which performs vulnerability scanning against web servers for multiple items including dangerous files and programs, and checks for outdated versions of web server software. It also checks for server configuration errors and any possible vulnerabilities they might have introduced.
The Nikto vulnerability scanner project is a fast-moving effort, frequently updated with the latest known vulnerabilities. This allows you to scan your web servers with confidence as you search for any possible issues.
Main features:
- Nikto is free to use, open source and frequently updated
- Can be used to scan any web server (Apache, Nginx, Lighttpd, Litespeed, etc.)
- Scans against 6,700+ known vulnerabilities and version checks for 1,250+ web servers (and growing)
- Scans for configuration-related issues such as open index directories
- SSL certificate scanning
- Ability to scan multiple ports on a server with multiple web servers running
- Ability to scan through a proxy and with http authentication
- Ability to specify a maximum scan time, exclude certain types of checks, and report unusual response headers seen during the scan
Nikto installation
The Nikto vulnerability scanner can be installed in multiple ways on both Windows- and Linux-based systems. It is available in package format on Linux for easy installation via a package manager (apt, yum, etc.) and also available via GitHub to be installed or run directly from the project source.
For our tutorial, we'll install Nikto from an operating system distribution package as well as from GitHub directly. This will give us multiple ways to install and integrate the Nikto web scanner into our tool sets.
GitHub-based installation
While the Nikto web scanner can be installed from most operating systems' software repositories, installation from GitHub will always ensure you have the latest version of Nikto working with your system. This is important for any security analysis tool, ensuring the search for vulnerabilities is working with the most current information possible.
The GitHub-based installation method is also ideal for Linux distributions which do not carry Nikto in their software repositories, which makes installing Nikto possible on nearly every Linux distribution/platform.
To begin the installation from GitHub, clone the git repository:
git clone https://github.com/sullo/nikto
Switch to the nikto/program folder:
cd nikto/program
You can now use the Nikto website vulnerability scanner to scan any website or IP address. Simply replace "http://www.example.com" with any domain or IP address you wish to scan:
./nikto.pl -h http://www.example.com
If the above command does not work, you can try:
perl nikto.pl -h http://www.example.com
Kali Linux-based installation
Kali Linux is the go-to Linux distribution for users who are into pentesting and security analysis. And adding the Nikto vulnerability scanner to your security analysis tool set on Kali Linux can be achieved with just a couple of commands, as shown below.
First, refresh your APT package lists and install any pending updates:
sudo apt-get update && sudo apt-get upgrade
Next, install the Nikto web scanner with the command:
sudo apt-get install nikto -y
To verify that the Nikto website vulnerability scanner is installed and ready for use, run the command:
nikto
This should print output similar to the following, listing the installed version of Nikto:
root@home:~# nikto
- Nikto v2.1.5
Note: The same installation commands work on other Debian-based distributions like Ubuntu or Debian itself.
10 Nikto commands to perform vulnerability scanning
Running a basic website scan
The most basic way to scan a host with Nikto is to use the -h flag with the nikto command:
nikto -h example.com
The output should look like this:
root@home:~# nikto -h example.com
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: X.X.X.X
+ Target Hostname: example.com
+ Target Port: 80
+ Start Time: 2020-11-09 14:26:17 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /, fields: 0x0 0x556193b323e4d
+ OSVDB-3931: /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query=: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ 6544 items checked: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2020-11-17 16:16:36 (GMT0) (95 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Note: Nikto performs a deep scan of the web server, and it may take a long time to finish because of the number of checks it runs. Run it inside a "screen" session when scanning from a remote machine, so the scan is not lost if your connection drops.
Running a scan on a website with SSL
Nikto also has an SSL mode that inspects the SSL certificate installed on a website. With it you can obtain the certificate subject and issuer as well as the negotiated cipher.
To run an SSL scan against a website, run:
nikto -h example.com -ssl
Example output:
root@home:~# nikto -h example.com -ssl
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: X.X.X.X
+ Target Hostname: example.com
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
Ciphers: TLS_AES_256_GCM_SHA384
Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
+ Start Time: 2020-11-17 13:46:06 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Ubuntu)
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Hostname 'example.com' does not match certificate's CN 'example.com'
+ Uncommon header 'link' found, with contents: <https://example.com/wp-json/>; rel="https://api.w.org/"
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-5292: /?_CONFIG[files][functions_page]=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /?npage=-1&content_dir=http://cirt.net/rfiinc.txt?%00&cmd=ls: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /?npage=1&content_dir=http://cirt.net/rfiinc.txt?%00&cmd=ls: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /?show=http://cirt.net/rfiinc.txt??: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
Unmatched [ in regex; marked by <-- HERE in m//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[ <-- HERE Itemid=1&GLOBALS=&mosConfig_absolute_path=http://cirt.net/rfiinc.txt?/ at /var/lib/nikto/plugins/nikto_core.plugin line 371.
As seen above, scanning with the -ssl option enabled reveals more vulnerabilities and configuration errors on the same web server than the non-SSL scan did. This is often observed with misconfigured web servers where SSL support was added hastily.
Scanning both HTTP and HTTPS is therefore vital for a complete picture of the vulnerabilities present in a web server setup.
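Both the plain and the SSL scan above print findings in the same line format ("+ OSVDB-<id>: <path>: <message>", with the id and path optional), which is also what the -output flag writes to a file. The parser below is an added example, not part of Nikto or of the original post; it turns that text into structured findings and collapses repeated OSVDB ids so each issue can be triaged once. The sample output is constructed from the lines shown on this page.

```python
import re
from collections import Counter, namedtuple, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the text layout of the scan output shown above (not a real scan).
SAMPLE_OUTPUT = """\
+ Target Hostname: example.com
+ Target Port: 443
+ Server: Apache/2.4.46 (Ubuntu)
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-5292: /?show=http://cirt.net/rfiinc.txt??: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 6544 items checked: 0 error(s) and 4 item(s) reported on remote host
+ 1 host(s) tested
"""
META_RE = re.compile(r"^\+ (Target IP|Target Hostname|Target Port|Server|SSL Info|Start Time|End Time): (.*)$")
SUMMARY_RE = re.compile(r"^\+ (\d+) items checked: (\d+) error\(s\) and (\d+) item\(s\) reported")
# Optional "OSVDB-<n>: " id, optional "<path>: " URI, then the free-text message.
FINDING_RE = re.compile(r"^\+ (?:(OSVDB-\d+): )?(?:(/\S*): )?(.+)$")
# osvdb is None for header/config observations; path is None for server-wide notes.
Finding = namedtuple("Finding", "osvdb path message")

@dataclass
class Report:
    meta: Dict[str, List[str]] = field(default_factory=lambda: defaultdict(list))
    findings: List[Finding] = field(default_factory=list)
    items_checked: Optional[int] = None
    items_reported: Optional[int] = None

def parse_nikto_text(text: str) -> Report:
    """Parse Nikto's default text output (stdout, or the file written by -output)."""
    rep = Report()
    for line in text.splitlines():
        # Banner, separators, Perl warnings, SSL continuation lines and the host count carry no finding.
        if not line.startswith("+ ") or line.endswith("host(s) tested"):
            continue
        if m := META_RE.match(line):
            rep.meta[m.group(1)].append(m.group(2))
        elif m := SUMMARY_RE.match(line):
            rep.items_checked, rep.items_reported = int(m.group(1)), int(m.group(3))
        elif m := FINDING_RE.match(line):
            rep.findings.append(Finding(*m.groups()))
    return rep

def count_by_id(rep: Report) -> Counter:
    # Collapse repeated hits of one OSVDB id so each issue gets a single ticket.
    return Counter(f.osvdb or "no-id" for f in rep.findings)
```

Two "Server" banners in one report, as in the SSL output above, end up side by side in rep.meta["Server"], which is worth a look on its own since it suggests more than one backend answering for the host.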
Scanning specific ports with Nikto
On certain deployments, web servers are run on non-standard ports like 8081 or 8080, or multiple web servers are run on the same host on different network ports. It's therefore vital to have the ability to scan specific ports as well as the main 80 and 443 ports.
This can be achieved by running the command:
nikto -h example.com -port 8083
Replace example.com with the host or IP you wish to scan, and 8083 with the port you wish to scan. The output should look like:
Save Nikto output to a specific file
The Nikto scanner also includes the ability to save the scan output to a file for future reference. This is ideal when running multiple or large scans, whose results are easier to review from a file.
This is achieved by running the command:
nikto -h example.com -output /path/to/file.name
Which should then output similar to:
Scanning through a network proxy
Certain websites may only be reachable through a network proxy or from a specific IP address; the -useproxy option lets Nikto scan the website through that proxy:
nikto -h example.com -useproxy proxy.ip.address.here
Scanning websites which require authentication
Nikto also includes the ability to scan websites which are protected by http authentication:
nikto -h example.com -id username:password
Ignore certain HTTP codes
When running a web server scan with Nikto, it's important to ignore certain HTTP response codes, such as 301 redirects, to keep the scan from reporting unnecessary objects. In such a scenario we can use the -IgnoreCode flag:
nikto -h example.com -IgnoreCode 301
Maximum scan time
When scanning the web server of a large website, we may get a large number of results which can take hours to gather and analyse. In this scenario, it's often better to limit the scan to a few minutes or seconds, resolve the errors or vulnerabilities reported, and then rerun the scan to find the next set. Nikto makes this possible with the -maxtime flag, which takes a value in seconds:
nikto -h example.com -maxtime number.of.seconds
Disable response cache
Modern web servers often cache responses to reduce CPU load and to serve pages more quickly. As a result, a scan may receive a "cached" version of the website.
Such a cached copy may not show all the vulnerabilities present, or it may still show vulnerabilities that were cached, so it's important to flush the cache and to use the -nocache flag to scan a non-cached version of the website.
nikto -h example.com -nocache
Updating Nikto
Maintaining an updated database or a list of vulnerabilities to check against is very important. With new vulnerabilities discovered almost every day, it's crucial to keep Nikto updated with the latest vulnerabilities to check against whenever you run a scan.
Updating Nikto is achieved by running the command:
nikto -update
What's next - defend or attack?
If you are working on the defensive side, you are now aware of some of your vulnerabilities (remember that Nikto only focuses on the web-server side). Take action by protecting weak and exposed areas of your public surface: update scripts if needed, set up new authentication methods, reconfigure your SSL certificates, disable all your weak ciphers, and more.
And if you are part of the red team, you are probably going to jump straight into testing techniques to exploit these vulnerabilities and look for different attack vectors. In both cases, using Nikto is just the start - the real fun begins after you get the results of the scan.
Nikto vs. Nmap
Nmap is one of the better known tools for port scanning. It lets you know the port status on a device, whether there are any filtered, closed or open ports. And along with its effectiveness for checking on a web server, Nmap can also check against known vulnerabilities on ports/services running on a machine, as we covered in our previous topic: How to Detect CVEs Using Nmap Vulnerability Scan Scripts.
The Nikto vulnerability scanner, by contrast, is an end-to-end scanner for the web server only: it checks the web server against known vulnerabilities and tells you right away about the possible security implications of anything it finds there.
It cannot scan or check other ports apart from the ones used by the web server, commonly port 80 (non-SSL) and 443 (SSL).
Nikto vs. Nessus
Nessus is a remote security scanning tool which scans a computer for any vulnerabilities. Nessus is not limited to scanning web servers only; it scans every port on the machine to find vulnerabilities in any software that machine is running.
Nikto, on the other hand, is a tool for scanning vulnerabilities on the web server side and files on web servers only. Nikto is most effective for finding vulnerabilities on the web server, rather than on other services running on different ports on the machine.
Summary
To summarize our experience with the Nikto vulnerability scanner, we can safely say that adding this tool to your security analysis tool set is a must for scanning web servers. Nikto's easy installation on a range of platforms in multiple ways is another big plus, allowing for integration into your existing tool set without much effort.
Nikto also remains a formidable tool for finding out everything you can about your web server, ranging from SSL certificate information to security vulnerabilities in the web server software, and for finding dangerous files on your web server as well.