Cheat sheet Nikto
Nikto is a phenomenal web server scanner that eases enumeration significantly. It’s free and open-source.
It might be a bit less popular than similar tools, such as dirbuster, gobuster or OWASP ZAP, but it’s quite efficient to automate your enumeration.
Indeed, its goal is to deliver quickly, so it’s not meant for stealth, but some settings help mitigate that weakness.
Still, it’s one of the best utilities to find vulnerabilities in a targeted server, like default files and programs or outdated dependencies, for example.
Disclaimer
While it’s a cheat sheet, I do not list all options all the time. Read the wiki for more details.
Installation
Quite straightforward with a git clone:
git clone https://github.com/sullo/nikto
cd nikto/program
./nikto.pl -h https://www.example.com
However, you have other interesting modes like the Docker container, and Kali Linux has a pre-packaged version.
I prefer using Kali because I know it’s well maintained and stable, but some edge cases may require the latest releases of Nikto (e.g., bug fixes), so do not hesitate to use it as a standalone package.
Best Features
Here is why I like this sharp tool.
Simplicity is a feature
I like simple hacking tools that work with a few options but can be tweaked for more sophisticated uses. Nikto is the perfect candidate for that.
A very basic usage can reveal many details:
nikto -h {URL/IP} -port {PORT}
If you have to test a live website URL, the default port is 80, so you won’t even need the -port option.
Detects Misconfigurations
Server misconfigurations are such a powerful attack vector, and Nikto is particularly efficient at detecting them:
Retrieved x-powered-by header: PHP/5.5.29
/admin/: This might be interesting...
Apache mod_negotiation is enabled with MultiViews
robots.txt contains 7 entries which should be manually reviewed
High Speed, modularity 🚀
It’s sometimes even faster than Gobuster, which is built in Go! Besides, you can disable tests you don’t need, like DNS lookups:
nikto -h {URL/IP} -nolookup
You can also whitelist Nikto plugins to use:
nikto -h {URL/IP} -Plugins headers
The above would only load HTTP headers, for example. If you want to know the list of available plugins before, just run this:
nikto -list-plugins
By default, Nikto loads all plugins. It’s also possible to pass parameters for each plugin:
nikto -h target.txt -Plugins "apache_expect_xss(verbose,debug)"
Clever Output
You can save output to a given file in a given format:
nikto -h {URL/IP} -o {/path/to/report} -F txt
It’s always a good practice to save results in files, as the terminal is not the best view, and you want to stay organized.
SSL vs. no SSL
nikto -h {URL/IP} -nossl # disable SSL
nikto -h {URL/IP} -ssl # force SSL
Various Formats
Main formats are json, sql, csv, htm, txt, and xml. Use the -Format or -F option:
nikto -h {URL/IP} -o {/path/to/report.csv} -F csv
N.B.: Nikto is smart enough to deduce the format from the file extension you provide with the -o option, but if you want to be sure…
Fine Tuning
You can pass tunings for your tests:
nikto -h {URL/IP} -tuning 0 # upload files
nikto -h {URL/IP} -tuning 2 # file misconfiguration
nikto -h {URL/IP} -tuning 3 # information disclosure
nikto -h {URL/IP} -tuning 4 # XSS
nikto -h {URL/IP} -tuning 6 # DoS
nikto -h {URL/IP} -tuning 8 # command injections
nikto -h {URL/IP} -tuning 9 # SQL injections
nikto -h {URL/IP} -tuning a # authentication
nikto -h {URL/IP} -tuning b # software
The above list is not exhaustive, as you also have 1, 5, 7, c and x tunings, but I rarely use them specifically.
More displays
You can customize what information Nikto displays:
nikto -h {URL/IP} -Display 4 # Show URLs which require authentication
nikto -h {URL/IP} -Display 2 # Show cookies received
nikto -h {URL/IP} -Display V # Enable the verbose mode
Let’s try to fool detection
Again, Nikto is not designed for the ghost mode, but you can tweak some of its default settings.
User agent
By default, the user agent is quite recognizable by any basic logging system:
USERAGENT=Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
Fortunately, you can modify it:
nikto -h {URL/IP} -useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0"
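As an added example (not part of this cheat sheet), here is a small Python script a defender can run over web server access logs to spot a scan that kept the default user agent shown above. The combined log format and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000123)"
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 71 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000124)"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:42.0) Gecko/20100101 Firefox/42.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:1) (Test:000125)"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Matches the default Nikto user agent template:
# Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
NIKTO_UA_RE = re.compile(
    r'\(Nikto/(?P<version>[^)]+)\) \(Evasions:(?P<evasions>[^)]*)\) \(Test:(?P<test>[^)]*)\)'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_nikto_scans(log_text):
    """Group requests carrying the default Nikto user agent by source IP."""
    scans = defaultdict(lambda: {"hits": 0, "versions": set(), "evasions": set(), "paths": []})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue  # skip malformed lines rather than crash on them
        ua = NIKTO_UA_RE.search(fields["ua"])
        if not ua:
            continue  # ordinary browser traffic
        entry = scans[fields["ip"]]
        entry["hits"] += 1
        entry["versions"].add(ua["version"])
        entry["evasions"].add(ua["evasions"])  # non-"None" values mean -evasion was used
        entry["paths"].append(fields["path"])
    return dict(scans)
```

Feed it your real log text instead of SAMPLE_LOG; a scan that used -useragent will of course not match, so pair this with rate-based alerting.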
Anti-WAF
Nikto can help avoid classic blocking by WAF protection thanks to the -Pause option:
nikto -h {URL/IP} -Pause 5
The above command would set a pause of 5 seconds between each test.
More evasion
It’s possible to encode your requests thanks to built-in evasion techniques:
nikto -h {URL/IP} -evasion 1 # Random URI encoding (non-UTF8)
nikto -h {URL/IP} -evasion 5 # Fake parameter
nikto -h {URL/IP} -evasion 8 # Use Windows directory separator (\)
nikto -h {URL/IP} -evasion B # Use binary value 0x0b as a request spacer
It’s not exhaustive, so check the help menu.
Bonus
Here are additional tricks and combinations for Nikto.
Nikto proxy
Nikto provides native support for HTTP proxy:
nikto -h www.website.com -useproxy http://localhost:8080/
Nikto + Nmap
Nikto can take Nmap scans as inputs:
nikto -h nmap-scan.gnmap
Pass Multiple parameters
Don’t run multiple scans, pass multiple parameters instead:
nikto -h target.txt # multiple hosts
nikto -h {URL/IP} -p 80,88,443 # multiple ports
Many options can be combined (e.g., tunings -T 58) or shortened (e.g., -p for -port, etc.).