DEV Community 👩‍💻👨‍💻

jmau111⭐⭐
jmau111⭐⭐

Posted on • Updated on • Originally published at jmau111.github.io

Cheat sheet Nikto

Nikto is a phenomenal web server scanner that eases enumeration significantly. It's free and open-source.

It might be a bit less popular than similar tools, such as dirbuster, gobuster or OWASP ZAP, but it's quite efficient to automate your enumeration.

Indeed, its goal is to deliver quickly, so it's not meant for stealthiness, but there are some configurations to improve such "weakness."

Still, it's one of the best utilities to find vulnerabilities in a targeted server, like default files and programs or outdated dependencies, for example.

Disclaimer

While it's a cheat sheet, I do not list all options all the time. Read the wiki for more details.

Installation

Quite straightforward with a git clone:

git clone https://github.com/sullo/nikto
cd nikto/program
./nikto.pl -h https://www.example.com
Enter fullscreen mode Exit fullscreen mode

However, you have other intesting modes like the Docker container, and Kali Linux has a pre-packaged version.

I prefer using Kali because I know it's well maintained and stable, but some edge cases may require the latest releases of Nikto (e.g., bug fixes), so do not hesitate to use it as a standalone package.

Best Features

Here is why I like this sharp tool.

Simplicity is a feature

I like simple hacking tools that work with a few options but can be tweaked for more sophisticated uses. Nikto is the perfect candidate for that.

A very basic usage can reveal many details:

nikto -h {URL/IP} -port {PORT}
Enter fullscreen mode Exit fullscreen mode

If you have to test a live website URL, the default port is 80, so you won't even need the -port option.

Detects Misconfigurations

Server misconfigurations are such a powerful attack vector, and Nikto is particularly efficient to detect them:

Retrieved x-powered-by header: PHP/5.5.29

/admin/: This might be interesting...

Apache mod_negotiation is enabled with MultiViews

robots.txt contains 7 entries which should be manually reviewed

High Speed, modularity 🚀

It's sometimes even faster than Gobuster that is built with Go! Besides, you can disable tests you don't need, like DNS lookups:

nikto -h {URL/IP} -nolookup
Enter fullscreen mode Exit fullscreen mode

You can also whitelist Nikto plugins to use:

nikto -h {URL/IP} -Plugins headers
Enter fullscreen mode Exit fullscreen mode

The above would only load HTTP headers, for example. If you want to know the list of available plugins before, just run this:

nikto -list-plugins
Enter fullscreen mode Exit fullscreen mode

By default, Nikto loads all plugins. It's also possible to pass parameters for each plugin:

nikto -h target.txt -Plugins "apache_expect_xss(verbose,debug)"
Enter fullscreen mode Exit fullscreen mode

Clever Output

You can save output to a given file in a given format:

nikto -h {URL/IP} -o {/path/to/report} -F txt
Enter fullscreen mode Exit fullscreen mode

It's always a good practice to save results in files, as the terminal is not the best view, and you want to stay organized.

SSL vs. no SSL

nikto -h {URL/IP} -nossl # disable SSL
nikto -h {URL/IP} -ssl # force SSL
Enter fullscreen mode Exit fullscreen mode

Various Formats

Main formats are json, sql,csv, htm, txt, and xml. Use the -Format or -F option:

nikto -h {URL/IP} -o {/path/to/report.csv} -F csv
Enter fullscreen mode Exit fullscreen mode

N.B.: Nikto is smart enough to deduce the format from the file extension you provide with the -o option, but if you want to be sure...

Fine Tuning

You can pass tunings for your tests:

nikto -h {URL/IP} -tuning 0 # upload files
nikto -h {URL/IP} -tuning 2 # file misconfiguration
nikto -h {URL/IP} -tuning 3 # information disclosure
nikto -h {URL/IP} -tuning 4 # XSS
nikto -h {URL/IP} -tuning 6 # DoS
nikto -h {URL/IP} -tuning 8 # command injections
nikto -h {URL/IP} -tuning 9 # SQL injections
nikto -h {URL/IP} -tuning a # authentication
nikto -h {URL/IP} -tuning b # software
Enter fullscreen mode Exit fullscreen mode

The above list is not exhaustive, as you also have 1, 5, 7, c and x tunings, but I rarely use them specifically.

More displays

You can customize what information Nikto displays:

nikto -h {URL/IP} -Display 4 # Show URLs which require authentication
nikto -h {URL/IP} -Display 2 # Show cookies received
nikto -h {URL/IP} -Display V # Enable the verbose mode
Enter fullscreen mode Exit fullscreen mode

Let's try to fool detection

Again, Nikto is not designed for the ghost mode, but you can tweak some of its default settings.

User agent

By default, the user agent is quite recognizable by any basic logging system:

USERAGENT=Mozilla/5.00 (Nikto/@version) (Evasions:@EVASIONS) (Test:@TESTID)

Fortunately, you can modify it:

nikto -h {URL/IP} -useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0"
Enter fullscreen mode Exit fullscreen mode

ANti-WAF

Nikto can prevent classic blocking by WAF security protection thanks to the -Pause option:

nikto -h {URL/IP} -Pause 5
Enter fullscreen mode Exit fullscreen mode

The above command would set a pause of 5 seconds between each test.

More evasion

It's possible to encode your requests thanks to built-in evasion techniques:

nikto -h {URL/IP} -evasion 1 # Random URI encoding (non-UTF8)
nikto -h {URL/IP} -evasion 5 # Fake parameter
nikto -h {URL/IP} -evasion 8 # Use Windows directory separator (\)
nikto -h {URL/IP} -evasion B # Use binary value 0x0b as a request spacer
Enter fullscreen mode Exit fullscreen mode

It's not exhaustive, so check the help menu.

Bonus

Here are additional tricks and combinations for Nikto.

Nikto proxy

Nikto provides native support for HTTP proxy:

nikto -h www.website.com -useproxy http://localhost:8080/
Enter fullscreen mode Exit fullscreen mode

Nikto + Nmap

Nikto can take Nmap scans as inputs:

nikto -h nmap-scan.gnmap
Enter fullscreen mode Exit fullscreen mode

Pass Multiple parameters

Don't run multiple scans, pass multiple parameters instead:

nikto -h {URL/IP} target.txt # multiple hosts
nikto -h {URL/IP} -p 80,88,443 # multiple ports
Enter fullscreen mode Exit fullscreen mode

Many options can be combined (e.g., tunings -T 58) or shorten (e.g., -p for -port, etc).

Top comments (0)

🌚 Friends don't let friends browse without dark mode.

Just kidding, it's a personal preference. But you can change your theme, font, etc. in your settings.

The more you know. 🌈