Before trying to break into a website, a hacker or penetration tester will make a list they want to target. Once they’ve done some research and found the best spots to focus on, they’ll use a tool like Nikto to search for weak spots in the website’s server that they could use to get in.
Nikto is an open-source web server scanner designed to perform comprehensive tests against web servers for various security vulnerabilities, misconfigurations, and potential issues. Also, it’s one of the most widely used website vulnerabilities tools in the industry, and in many circles, considered the industry standard by security professionals, system administrators, and penetration testers to assess the security posture of web servers.
Using Nikto Effectively
If you only use Nikto on a website, you might not understand what to do with the results. Nikto is like a pointer guiding a bigger plan, and you’ll see how that plays out in a little bit.
First, let’s talk about the target areas. These are basically any places a hacker might try to attack, like printers connected to the network or a web server. When we use Nikto later, we’ll have to give it one of three types of information: either an IP address for a local service, a web address to target, or a secure website with SSL/HTTPS. Before jumping into a scan with Nikto, it’s best to do some extra investigation using a free intelligence tool like Maltego. These tools help create a profile and a more focused list of targets to concentrate on. Once that’s done, Nikto can be used to zoom in on potential vulnerabilities for the targets on the list.
If you’re fortunate, you might find a vulnerability along with a ready-to-use exploit, which is a tool designed to take advantage of the weakness. With the appropriate tool, which will automatically exploit the vulnerability, a hacker can gain access to the target to perform any number of behind-the-scenes attacks, like adding code to perform a malicious activity.
Step 1: Nikto Installation
If you’re running Kali Linux, Nikto comes preinstalled, so you don’t have to download or install anything. It’ll be located in the “Vulnerability Analysis” category. If you don’t have it for some reason, you can get Nikto from GitHub or just use the apt install command.
apt install nikto
If you’re doing this on a Mac, you can use Homebrew to install Nikto.
brew install nikto
Step 2: Nikto Help
Before you dive into scanning web servers with Nikto, lets you use the -Help option to see everything that can be done inside Nikto.
nikto -Help
Options: -ask+ Whether to ask about submitting updates yes Ask about each (default) no Don't ask, don't send auto Don't ask, just send -Cgidirs+ Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/" -config+ Use this config file -Display+ Turn on/off display outputs: 1 Show redirects 2 Show cookies received 3 Show all 200/OK responses 4 Show URLs which require authentication D Debug output E Display all HTTP errors P Print progress to STDOUT S Scrub output of IPs and hostnames V Verbose output -dbcheck Check database and other key files for syntax errors -followredirects Follow 3xx redirects to new location -evasion+ Encoding technique: 1 Random URI encoding (non-UTF8) 2 Directory self-reference (/./) 3 Premature URL ending 4 Prepend long random string 5 Fake parameter 6 TAB as request spacer 7 Change the case of the URL 8 Use Windows directory separator (\) A Use a carriage return (0x0d) as a request spacer B Use binary value 0x0b as a request spacer -Format+ Save file (-o) format: csv Comma-separated-value htm HTML Format msf+ Log to Metasploit nbe Nessus NBE format txt Plain text xml XML Format (if not specified the format will be taken from the file extension passed to -output) -Help Extended help information -host+ Target host -IgnoreCode Ignore Codes--treat as negative responses -id+ Host authentication to use, format is id:pass or id:pass:realm -key+ Client certificate key file -list-plugins List all available plugins, perform no testing -maxtime+ Maximum testing time per host -mutate+ Guess additional file names: 1 Test all files with all root directories 2 Guess for password file names 3 Enumerate user names via Apache (/~user type requests) 4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests) 5 Attempt to brute force sub-domain names, assume that the host name is the parent domain 6 Attempt to guess directory names from the supplied dictionary file -mutate-options Provide information for mutates -nointeractive Disables interactive features -nolookup Disables DNS lookups -noslash Strip trailing slash from URL (e.g., '/admin/' to '/admin') -nossl Disables the use of SSL -no404 Disables nikto attempting to guess a 404 page -output+ Write output to this file ('.' for auto-name) -Pause+ Pause between tests (seconds, integer or float) -Plugins+ List of plugins to run (default: ALL) -port+ Port to use (default 80) -RSAcert+ Client certificate file -root+ Prepend root value to all requests, format is /directory -Save Save positive responses to this directory ('.' for auto-name) -ssl Force ssl mode on port -Tuning+ Scan tuning: 1 Interesting File / Seen in logs 2 Misconfiguration / Default File 3 Information Disclosure 4 Injection (XSS/Script/HTML) 5 Remote File Retrieval - Inside Web Root 6 Denial of Service 7 Remote File Retrieval - Server Wide 8 Command Execution / Remote Shell 9 SQL Injection 0 File Upload a Authentication Bypass b Software Identification c Remote Source Inclusion x Reverse Tuning Options (i.e., include all except specified) -timeout+ Timeout for requests (default 10 seconds) -Userdbs Load only user databases, not the standard databases all Disable standard dbs and load only user dbs tests Disable only db_tests and load udb_tests -until Run until the specified time or duration -update Update databases and plugins from CIRT.net -useproxy Use the proxy defined in nikto.conf -usecookies Use cookies from responses in future requests -Version Print plugin and database versions -vhost+ Virtual host (for Host header) + requires a value
Step 3: Use the Basic Syntax
As you saw in the last step, Nikto has lots of choices, but we’ll keep it simple for what we need. Here’s the basic format we’ll use. Just replace <IP or hostname> with the real IP address or hostname without the brackets.
nikto -h <IPorhostname>
However, Nikto is capable of doing a scan that can go after SSL and port 443, the port that HTTPS websites use (HTTP uses port 80 by default). This means we’re not only restricted to scanning older sites; we can also conduct vulnerability assessments on sites using SSL, which is almost essential nowadays for search engine indexing. If we know it’s an SSL site that we’re targeting, we can specify it in Nikto to save some time on the scan by adding -ssl to the end of the command.
nikto -h <IPorhostname> -ssl
Step 4: Scan an SSL-Enabled Website
For instance, let’s begin by scanning pbs.org to observe the kinds of information revealed by a Nikto scan. Upon connecting to port 443, we find useful details about the cipher and other server-related information, such as it being Nginx. However, there isn’t much particularly intriguing data for our purposes here.
nikto -h pbs.org -ssl
- Nikto v2.1.6------------------------------------------------------------------------------- STATUS: Starting up!+ Target IP: 54.225.198.196+ Target Hostname: pbs.org+ Traget Port: 443------------------------------------------------------------------------------+ SSl Info: Subject: /CN=www.pbs.org Altnames: account.pbs.org, admin.pgs.org, dipsy-tc.pbs.org, docs.pbs.org, ga.video.cdn.pbs.org, git.pbs.org, heart.ops.pbs.org, hub-dev.pbs.org, image.pbs.org, jaws..pbs.org, kids.pbs.org, koth-qa.svp.pbs.org, login.pbs.org, ops.pbs.org, pbs.org, player.pbs.org, projects.pbs.org, sentry.pbs.org, teacherline.pbs.org, urs.pbs.org, video.pbs.org, weta-qa.svp.pbs.org, whut-qa.svp.pbs.org, wnet.video-qa.pbs.org, wnet.video-staging.pbs.org, www-cache.pbs.org, www.pbs.org Ciphers: ECDHE-RSA-AES128-GCM-SHA256 Issuer: /C-US/0=Let's Encrypt/CN=Let's Encrypt Authority X3+ Start Time: 2018-12-05 23:34:06 (GMT-8)------------------------------------------------------------------------------+ Server: nginx+ The anti-clickjacking X-Frame-Options header is not present.+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS+ Uncommon header 'x-pbs-fwsrvname' found, with contents: fwcacheproxy1+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type+ Root page / redirects to: https://www.pbs.org/+ No CGI Directories found (use '-C all' to force check all possible dirs)+ RC-1918 IP address found in the 'x-pbs-appsvrip' header: The IP is "10.137.181.52".+ Uncommon header 'x-cache-fs-status' found, with contents: EXPIRED+ Uncommon header 'x-pbs-appsvrname' found, with contents: fwcacheproxy1+ Uncommon header 'x-pbs-appsvrip' found, with contents: 10.137.181.52+ Server leaks inodes via ETags, header found with file /pbs.org.zip, fields: 0x5b96537e 0x1678+ 7446 requests: 0 error(s) and 10 item(s) reported on remote host+ End Time: 2018-12-06 00:30:29 (GMT-8) (3383 seconds)------------------------------------------------------------------------------+ 1 host(s) tested
Step 5: Scan an IP Address
After conducting a swift scan of a website, let’s attempt utilizing Nikto on a local network to discover embedded servers, like a router login page or an HTTP service on another machine functioning solely as a server without a website. To begin, let’s locate our IP address using ifconfig.
The IP address we want is the “inet” one. Then we can run ipcalc on it to get our network range. If you don’t have ipcalc, you can install it with apt install ipcalc, then try again. The range will be next to “Network,” in my case, 192.168.0.0/24.
Next, we’ll use Nmap to discover services operating within the network range. We’ll scan port 80 within our specified range and include the -oG option to generate grepable output, showing only the active hosts that are responsive, indicating that port 80 is open. Afterwards, we’ll save all the data to a file named wonder-hack.txt, though you can choose any desired name.
nmap -p 80 192.168.0.0/24 -oG wonder-hack.txt
Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-05 00:43 PSTNmap scan report for 192.168.0.1Host is up (0.021s latency).PORT STATE SERVICE80/tcp open httpNmap scan report for 192.168.0.2Host is up (0.088s latency).PORT STATE SERVICE80/tcp open httpNmap scan report for 192.168.0.4Host is up (0.032s latency).PORT STATE SERVICE80/tcp open httpNmap scan report for 192.168.0.5Host is up (0.020s latency).PORT STATE SERVICE80/tcp open httpNmap scan report for 192.168.0.11Host is up (0.068s latency).PORT STATE SERVICE80/tcp closed httpNmap scan report for 192.168.0.24Host is up (0.023s latency).PORT STATE SERVICE80/tcp closed httpNmap scan report for 192.168.0.31Host is up (0.059s latency).PORT STATE SERVICE80/tcp closed httpNmap scan report for 192.168.0.48Host is up (0.030s latency).PORT STATE SERVICE80/tcp closed httpNmap scan report for 192.168.0.60Host is up (0.092s latency).PORT STATE SERVICE80/tcp closed httpNmap done: 256 IP addresses (9 hosts up) scanned in 8.92 seconds
Here’s a neat trick to streamline the process: We can use cat to read the output stored in our wonder-hack.txt document (or whatever you named it). Then, we’ll employ awk, a Linux tool, to search for the pattern where Up indicates the host is up, and print $2 will print out only the second word in that line, i.e., just the IP address. Finally, we’ll send that data to a new file called targetIP.txt (or whatever name you prefer).
This is perfect for Nikto because it can easily interpret files like this. So we can send this output over to Nikto with the following command.
nikto -h targetIP.txt
The results will look similar to the ones we got when performing the SSL scan.
Step 6: Pair Scans with Metasploit
Nikto offers a valuable feature: you can export information in a format readable by Metasploit during a scan. Simply execute the commands provided earlier for the scan, but add -Format msf+ at the end. This format enables us to swiftly match retrieved data with a weaponized exploit.
nikto -h <IPorhostname> -Format msf+
In this guide, we progressed from identifying the target’s surface area to discovering a vulnerability and then aligning it with a weaponized exploit, streamlining the process. As Nikto isn’t particularly stealthy, it’s prudent to conduct such scans through a VPN, Tor, or another service to avoid having your real IP address flagged for suspicious activity. Overall, Nikto is a powerful and versatile tool for conducting web server security assessments, helping organizations identify and mitigate potential security risks to their web infrastructure. However, it’s important to use Nikto responsibly and with proper authorization, as scanning websites without permission may violate legal and ethical guidelines.
A guy who's really intrigued by the world of hacking, cybersecurity, and the internet. I just want to bring you the most accurate and valuable information possible.
