Nikto Vulnerability scanner

Nikto what is it?

Nikto is a free software command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received.

Nikto site: https://cirt.net/Nikto2

Alternatives:

  • Vega
  • Shodan
  • Zed Attack Proxy (ZAP)
  • Arachni
  • Nmap
  • Nessus

Usage:

Basic usage without SSL:

nikto -h http://10.10.191.239 -nossl

Perform a basic Nikto scan against a target host:

nikto -h 192.168.0.1

Specify the port number when performing a basic scan:

nikto -h 192.168.0.1 -p 443

Scan ports and protocols with full URL syntax:

nikto -h https://192.168.0.1:443

Scan multiple ports in the same scanning session:

nikto -h 192.168.0.1 -p 80,88,443

Update to the latest plugins and databases:

nikto -update

Below are all of the Nikto command line options and explanations. A brief version of this text is available by running Nikto with the -h (-help) option.

-ask

Whether to ask about submitting updates: yes (ask about each, the default), no (don't ask, just send), auto (don't ask, just send).

-Cgidirs

Scan these CGI directories. The special words "none" or "all" may be used to scan no CGI directories or all of them, respectively. A literal value for a CGI directory such as "/cgi-test/" may be specified (it must include the trailing slash). If this option is not specified, all CGI directories listed in nikto.conf will be tested.

-config

Specify an alternative config file to use instead of the nikto.conf file located in the install directory.

-dbcheck

Check the scan databases for syntax errors.

-Display

Control the output that Nikto shows. See Chapter 5 for detailed information on these options. Use the reference number or letter to specify the type. Multiple may be used:

  • 1 - Show redirects
  • 2 - Show cookies received
  • 3 - Show all 200/OK responses
  • 4 - Show URLs which require authentication
  • D - Debug output
  • E - Display all HTTP errors
  • P - Print progress to STDOUT
  • V - Verbose output

-evasion

Specify the LibWhisker encoding/evasion technique to use (see the LibWhisker docs for detailed information on these). Note that these are not likely to actually bypass a modern IDS, but may be useful for other purposes. Use the reference number to specify the type; multiple may be used:

  • 1 - Random URI encoding (non-UTF8)
  • 2 - Directory self-reference (/./)
  • 3 - Premature URL ending
  • 4 - Prepend long random string
  • 5 - Fake parameter
  • 6 - TAB as request spacer
  • 7 - Change the case of the URL
  • 8 - Use Windows directory separator (\)
  • A - Use a carriage return (0x0d) as a request spacer
  • B - Use binary value 0x0b as a request spacer

-findonly

Only discover the HTTP(S) ports, do not perform a security scan. This will attempt to connect with HTTP or HTTPS, and report the Server header. Note that as of version 2.1.4, -findonly has been deprecated and simply sets '-Plugins "@@NONE"', which will override any command line or config file settings for -Plugins.

-Format

Save the output file specified with the -o (-output) option in this format. If not specified, the default will be taken from the file extension given in the -output option. Valid formats are:

  • csv - a comma-separated list
  • htm - an HTML report
  • msf - log to Metasploit
  • txt - a text report
  • xml - an XML report

-host

Host(s) to target. Can be an IP address, hostname or text file of hosts. A single dash (-) may be used for stdin. Can also parse nmap -oG style output.

-Help

Display extended help information.

-id

ID and password to use for host Basic authentication. Format is "id:password".

-IgnoreCode

Ignore these HTTP codes as negative responses (always). Format is "302,301".

-list-plugins

List all plugins that Nikto can run against targets and then exit without performing a scan. These can be tuned for a session using the -Plugins option. The output format is:

Plugin name
full name - description
Written by author, Copyright (C) copyright

-maxtime

Maximum execution time per host, in seconds. Accepts minutes and hours, such that all of these are one hour: 3600s, 60m, 1h

-mutate

Specify mutation technique. A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous number of tests to be launched against the target. Use the reference number to specify the type; multiple may be used:

  • 1 - Test all files with all root directories
  • 2 - Guess for password file names
  • 3 - Enumerate user names via Apache (/~user type requests)
  • 4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
  • 5 - Attempt to brute force sub-domain names, assuming that the host name is the parent domain
  • 6 - Attempt to guess directory names from the supplied dictionary file

-mutate-options

Provide extra information for mutates, e.g. a dictionary file.

-nolookup

Do not perform name lookups on IP addresses.

-nocache

Disable the response cache.

-nointeractive

Disable interactive features.

-nossl

Do not use SSL to connect to the server.

-no404

Disable 404 (file not found) checking. This will reduce the total number of requests made to the webserver and may be preferable when checking a server over a slow link, or an embedded device. This will generally lead to more false positives being discovered.

-output

Write output to the file specified. The format used will be taken from the file extension. This can be overridden by using the -Format option (e.g. to write text files with a different extension). Existing files will have new information appended.

A single dot (.) may be specified for the output file name, in which case the file name will be automatically generated based on the target being tested. Note that the -Format option is required when this is used. The scheme is: nikto_HOSTNAME_PORT_TIMESTAMP.FORMAT

For '-Format msf' the output option takes on a special meaning. It should contain the password and location of the Metasploit RPC service. For example, it may look like: '-o msf:<password>@http://localhost:55553/RPC2'
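As an added example that is not part of this page or of Nikto itself, the following Python script reads a report written with '-o scan.csv -Format csv' and summarises it for triage. It assumes the seven-column CSV layout (hostname, ip, port, reference id, HTTP method, URI, message) with no header row; the records embedded in it are constructed to look like such output and are not real scan results, and the hostname, IP address and messages are placeholders.

```python
"""Triage helper for Nikto CSV output (added example, not part of Nikto).

Assumption: the report was produced with '-o scan.csv -Format csv' and each
record has seven quoted columns, in the order listed in COLUMNS, with no
header row. The sample lines below are constructed, not real findings.
"""
import csv
import io
from collections import Counter, defaultdict

COLUMNS = ["hostname", "ip", "port", "reference", "method", "uri", "message"]

# Constructed sample report (placeholder host, documentation IP range, not real findings).
SAMPLE_CSV = '''"www.example.test","192.0.2.10","80","","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"www.example.test","192.0.2.10","80","","GET","/","Retrieved x-powered-by header: PHP/x.y.z (placeholder version)"
"www.example.test","192.0.2.10","80","3092","GET","/admin/","This might be interesting."
"www.example.test","192.0.2.10","443","","GET","/","The site uses SSL and the Strict-Transport-Security HTTP header is not defined."
"www.example.test","192.0.2.10","443","3092","GET","/admin/","This might be interesting."
'''


def parse_report(text: str) -> list:
    """Parse Nikto CSV text into a list of dicts keyed by COLUMNS.

    Rows with the wrong column count are skipped rather than raising:
    Nikto appends to existing output files, so a truncated line from an
    interrupted earlier run can sit in the middle of a report.
    """
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(COLUMNS):
            continue
        findings.append(dict(zip(COLUMNS, row)))
    return findings


def count_by_service(findings: list) -> dict:
    """Number of findings per host:port, a quick view of which services need attention."""
    return dict(Counter(f"{f['hostname']}:{f['port']}" for f in findings))


def unique_messages(findings: list) -> dict:
    """Collapse identical (URI, message) pairs seen on several ports into one entry.

    A scan with '-p 80,443' usually reports the same issue on every port;
    deduplicating keeps the remediation list short. Ports are sorted numerically.
    """
    ports = defaultdict(set)
    for f in findings:
        ports[(f["uri"], f["message"])].add(f["port"])
    return {key: sorted(p, key=int) for key, p in ports.items()}


def findings_with_reference(findings: list) -> list:
    """Findings that carry a database reference id, usually the best-documented ones."""
    return [f for f in findings if f["reference"]]


if __name__ == "__main__":
    report = parse_report(SAMPLE_CSV)
    print("findings per service:", count_by_service(report))
    for (uri, msg), ports in unique_messages(report).items():
        print(f"{uri:10} ports={','.join(ports)} {msg}")
    print("with reference id:", len(findings_with_reference(report)))
```

Feeding a real report in is a matter of replacing SAMPLE_CSV with the file contents; the csv module handles commas inside quoted messages, which a naive split on commas would not.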

-Plugins

Select which plugins will be run on the specified targets. A semicolon-separated list should be provided which lists the names of the plugins. The names can be found by using -list-plugins.

There are two special entries: @@ALL, which specifies that all plugins shall be run, and @@NONE, which specifies that no plugins shall be run. The default is @@DEFAULT.

-port

TCP port(s) to target. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (e.g., 80-90) or as a comma-delimited list (e.g., 80,88,90). If not specified, port 80 is used.

-Pause

Seconds (integer or floating point) to delay between each test.

-root

Prepend the value specified to the beginning of every request. This is useful to test applications or web servers which have all of their files under a certain directory.

-ssl

Only test SSL on the ports specified. Using this option will dramatically speed up requests to HTTPS ports, since otherwise the HTTP request will have to time out first.

-Save

Save the request/response of findings to this directory. Files are plain text and will contain the raw request/response as well as JSON strings for each. Use a "." to auto-generate a directory name for each target. These saved items can be replayed by using the included replay.pl script, which can route items through a proxy.

-timeout

Seconds to wait before timing out a request. The default timeout is 10 seconds.

-Tuning

Tuning options control the tests that Nikto will use against a target. By default, all tests are performed. If any options are specified, only those tests will be performed. If the "x" option is used, it will reverse the logic and exclude only those tests. Use the reference number or letter to specify the type; multiple may be used:

  • 0 - File Upload
  • 1 - Interesting File / Seen in logs
  • 2 - Misconfiguration / Default File
  • 3 - Information Disclosure
  • 4 - Injection (XSS/Script/HTML)
  • 5 - Remote File Retrieval - Inside Web Root
  • 6 - Denial of Service
  • 7 - Remote File Retrieval - Server Wide
  • 8 - Command Execution / Remote Shell
  • 9 - SQL Injection
  • a - Authentication Bypass
  • b - Software Identification
  • c - Remote Source Inclusion
  • x - Reverse Tuning Options (i.e., include all except specified)

The given string is parsed from left to right; any x character applies to all characters to the right of it.
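To make the left-to-right rule concrete, here is an added Python model of how a -Tuning string selects test categories. It is not Nikto's own code (Nikto is written in Perl); the function names parse_tuning and describe_tuning are this example's own, and it follows the rule as documented above rather than Nikto's implementation, so edge cases may differ in the real tool. The common defensive choice of running everything except the Denial of Service tests ("x6") is one of the cases it shows.

```python
"""Model of how a Nikto -Tuning string is interpreted (added example).

Assumption: this reimplements the documented left-to-right rule in Python
and is not Nikto's own parser, so the real tool's edge cases may differ.
"""

# Tuning categories exactly as listed in the -Tuning option documentation.
TUNING_CATEGORIES = {
    "0": "File Upload",
    "1": "Interesting File / Seen in logs",
    "2": "Misconfiguration / Default File",
    "3": "Information Disclosure",
    "4": "Injection (XSS/Script/HTML)",
    "5": "Remote File Retrieval - Inside Web Root",
    "6": "Denial of Service",
    "7": "Remote File Retrieval - Server Wide",
    "8": "Command Execution / Remote Shell",
    "9": "SQL Injection",
    "a": "Authentication Bypass",
    "b": "Software Identification",
    "c": "Remote Source Inclusion",
}


def parse_tuning(tuning: str) -> set:
    """Return the set of category codes that a -Tuning string selects.

    Rules modelled from the documentation:
      * empty string: every category (the default);
      * codes before any 'x' are included;
      * 'x' reverses the logic, so every code to its right is excluded;
      * if only exclusions are given, start from the full set.
    Unknown characters raise ValueError so a typo is caught before a scan
    silently runs with an unintended test selection.
    """
    include, exclude = set(), set()
    excluding = False
    for ch in tuning.lower():
        if ch == "x":
            excluding = True
            continue
        if ch not in TUNING_CATEGORIES:
            raise ValueError(f"unknown tuning code {ch!r}")
        (exclude if excluding else include).add(ch)
    base = include if include else set(TUNING_CATEGORIES)
    return base - exclude


def describe_tuning(tuning: str) -> list:
    """Human-readable, sorted list of the categories a tuning string will run."""
    return [TUNING_CATEGORIES[c] for c in sorted(parse_tuning(tuning))]


if __name__ == "__main__":
    # "x6" is the usual choice when scanning production systems you own:
    # all checks except the Denial of Service category.
    for spec in ("", "123", "x6", "x69", "13x6"):
        print(f"-Tuning {spec!r:8} -> {sorted(parse_tuning(spec))}")
```

Because the x applies only to characters after it, "13x6" still means "run categories 1 and 3"; the exclusion of 6 is harmless there, whereas "x6" on its own starts from the full set.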

-Userdbs

Load user defined databases instead of the standard databases. User defined databases follow the same syntax as the standard files, but are prefixed with a 'u', e.g., 'udb_tests'.

  • all - Disable all standard databases and load only user databases
  • tests - Disable db_tests and load udb_tests. All other databases are loaded normally.

-until

Run until the specified time or duration, then pause. Durations are given in hours, minutes or seconds, like: 1h, 60m, 3600s. Times are given as "mm dd hh:mm:ss" (mm, dd, ss optional): 12 1 22:30:00

-update

Update the plugins and databases directly from cirt.net.

-useproxy

Use the HTTP proxy defined in the configuration file. The proxy may also be directly set as an argument.

-Version

Display the Nikto software, plugin and database versions.

-vhost

Specify the Host header to be sent to the target.