The most critical part of any website is its web server. The web server is responsible for accepting requests from your visitors, understanding them, and giving your website visitors answers to their requests.
Consequently, your web server is also the first component of your website in the line of attack: attackers probe it for vulnerabilities, configuration errors and SSL certificate-related security issues.
As part of the SecurityTrails blog series highlighting both online vulnerability scanning tools and information gathering utilities, today we'll explore a tool focused on scanning web servers called Nikto. Let's learn more about Nikto and how to use it to scan your web server.
What is Nikto?
**Nikto**, also known as Nikto 2, is an open source (GPL) and free-to-use web server scanner which performs vulnerability scanning against web servers for multiple items including dangerous files and programs, and checks for outdated versions of web server software. It also checks for server configuration errors and any possible vulnerabilities they might have introduced.
The Nikto vulnerability scanner project is a fast-moving effort, frequently updated with the latest known vulnerabilities. This allows you to scan your web servers with confidence as you search for any possible issues.
Main features:

- Nikto is free to use, open source and frequently updated.
- Can be used to scan any web server: Apache, Nginx, Lighttpd, Litespeed, et cetera.
- Scans against 6700+ known vulnerabilities and version checks for 1250+ web servers (and growing).
- Scans for configuration-related issues such as open index directories.
- SSL certificate scanning.
- Ability to scan multiple ports on a server with multiple web servers running.
- Ability to scan through a proxy and with HTTP authentication.
- Ability to specify a maximum scan time, exclude certain types of checks, and report unusual headers seen.
Nikto installation
The Nikto vulnerability scanner can be installed in multiple ways on both Windows and Linux-based systems. On Linux it is available as a distribution package for easy installation via a package manager (apt, yum, etc.), and it is also available on GitHub to be installed or run directly from the project source.
For our tutorial, we'll install Nikto from an operating system distribution package as well as from GitHub directly. This will give us multiple ways to install and integrate the Nikto web scanner into our toolset.
GitHub-based installation
While the Nikto web scanner can be installed from most operating systems' software repositories, installing from GitHub always ensures you have the latest version of Nikto working with your system. This is important for any security analysis tool, since the search for vulnerabilities should work with the most current information possible.
The GitHub-based installation method is also ideal for Linux distributions that do not carry Nikto in their software repositories, so Nikto can be installed on nearly every Linux distribution/platform.
To begin the installation from GitHub, clone the git repository:
Switch to the nikto program folder:
You can now use the Nikto website vulnerability scanner to scan any website or IP address. Simply replace "" with any domain or IP address you wish to scan:
If the above command does not work, you can try:
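As an added example (not code from the original post or from the Nikto project), the small POSIX shell wrapper below ties the features listed earlier (multiple ports, maximum scan time, excluded test classes, proxy and HTTP authentication) to Nikto's command-line flags and checks a GitHub-style install. It assumes nikto.pl lives in ./nikto/program (overridable via NIKTO_DIR); the hosts, credentials, the hosts.txt file and the NIKTO_PROXY / NIKTO_AUTH variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the SecurityTrails post's or the Nikto project's own code.
# Assumption: Nikto was cloned from GitHub as shown above, so nikto.pl sits in
# ./nikto/program (override with NIKTO_DIR). Hosts and credentials are placeholders.
set -eu

NIKTO_DIR="${NIKTO_DIR:-./nikto/program}"

# Clone Nikto if it is not present yet, then print its version as the install check.
install_nikto() {
  command -v git >/dev/null && command -v perl >/dev/null ||
    { echo "git and perl are required" >&2; return 1; }
  [ -f "$NIKTO_DIR/nikto.pl" ] ||
    git clone https://github.com/sullo/nikto.git "$(dirname "$NIKTO_DIR")"
  perl "$NIKTO_DIR/nikto.pl" -Version
}

# Print (do not run) one nikto.pl command line covering the features listed in
# the post: several ports, a maximum scan time, excluded test classes, and an
# optional proxy (NIKTO_PROXY) or HTTP authentication (NIKTO_AUTH=user:pass).
# Args: host [ports=80] [maxtime=1h] [output=nikto-<host>.csv]
nikto_cmd() {
  host="${1:-}"; ports="${2:-80}"; maxtime="${3:-1h}"; out="${4:-nikto-$host.csv}"
  # Refuse hosts that could smuggle extra words into the command line.
  case "$host" in
    ''|*[!A-Za-z0-9.:/_-]*) echo "nikto_cmd: bad host '$host'" >&2; return 1 ;;
  esac
  # -Tuning x6 runs every test class except class 6 (denial of service).
  cmd="perl $NIKTO_DIR/nikto.pl -host $host -port $ports -maxtime $maxtime"
  cmd="$cmd -Tuning x6 -Format csv -output $out -nointeractive"
  if [ -n "${NIKTO_PROXY:-}" ]; then cmd="$cmd -useproxy $NIKTO_PROXY"; fi
  if [ -n "${NIKTO_AUTH:-}" ]; then cmd="$cmd -id $NIKTO_AUTH"; fi
  echo "$cmd"
}

# Scan every host in a file: one "host [ports]" per line, '#' comments allowed.
scan_hosts() {
  file="$1"
  while read -r host ports; do
    case "$host" in ''|'#'*) continue ;; esac
    cmd=$(nikto_cmd "$host" "${ports:-80}" 30m) || continue
    $cmd   # word-split on purpose: the host was validated by nikto_cmd
  done < "$file"
}

if [ "${1:-}" = "--run" ]; then
  install_nikto
  scan_hosts "${2:-hosts.txt}"
fi
```

Run it as `sh nikto-wrap.sh --run hosts.txt` once the clone exists; the CSV files it writes are what you would feed into ticketing or a diff against the previous scan.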
Kali Linux-based installation
Kali Linux is the go-to Linux distribution for users who are into pentesting and security analysis. And adding the Nikto vulnerability scanner to your security analysis tool set on Kali Linux can be achieved with just a couple of commands, as shown below.
First, refresh your APT package lists and install any pending updates:
Next, install the Nikto web scanner with the command:
To verify that the Nikto website v...