Download Nikto For Windows



Nikto is a Perl script, so running it on Windows starts with installing a Perl interpreter. Two common choices:

ActiveState Perl: ActiveState offers both a free community version and a commercially supported binary distribution of Perl for Win32 and Win64 (ActivePerl).

Strawberry Perl: a 100% open source Perl for Windows that behaves the same as Perl everywhere else, including installing modules from CPAN without the need for binary packages.

Nikto has its own updating mechanism, and we encourage you to check for updates before using it. The test database and plugins are updated with the following command:

nikto -update

Scanning web servers with Nikto

To scan a host for interesting files only (tuning option 1), use the following command, replacing the placeholder with the target host name or IP address:

nikto -host <hostname or IP> -Tuning 1

Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version specific problems on over 270 servers.


Scan your web site and server immediately with the popular Nikto Web Scanner. This testing service can be used to test a web site, a virtual host or a web server for known security vulnerabilities and misconfigurations.

Nikto performs over 6000 tests against a website. The large number of tests, covering both security vulnerabilities and misconfigured web servers, makes it a go-to tool for many security professionals and systems administrators. It can find forgotten scripts and other hard-to-detect problems from an external perspective.

Detect vulnerabilities in web servers, web applications and management scripts
  • Discover known web application and script vulnerabilities in a website
  • Test for web server configuration errors that may have security implications
  • Identify installed software on web servers via headers, favicons and files
  • Assess effectiveness of an intrusion detection system (IDS)

How do I perform a Nikto website scan?


Selecting Target Address to Scan

Targets can be entered individually or as a list for bulk uploads:

Testing Virtual Hosts with Nikto

If your web server hosts multiple sites using virtual hosts, you should test each virtual host with Nikto to get greater vulnerability coverage. It is also helpful to scan the IP address as well as the host name of the server, because the default site served on the bare address can differ from the named virtual hosts, and any vulnerable web application or script living there would otherwise be missed.

Lengthy Nikto run time

Because of the number of security checks the tool performs, a scan can take 45 minutes or even longer, depending on the speed of your web server.

False Positives with Nikto

Nikto does quite well at detecting web servers that return HTTP 200 OK for pages that do not exist (a "soft 404"). Because Nikto checks hundreds of URLs for the presence of old scripts, vulnerable applications and other problems, a server that answers 200 to everything will produce a flood of false positives if Nikto fails to notice the 404 -> 200 behaviour. This is not difficult to spot: you will receive a great many obviously invalid URLs reported as positives. Request a few of them manually and compare the response with a request for a path that certainly does not exist; if both come back identical, the reported hits are false positives.

About the open source Nikto tool


The Nikto web server scanner is a security tool that tests a web site for thousands of possible security issues, including dangerous files, misconfigured services, vulnerable scripts and other problems. It is open source and structured around plugins that extend its capabilities. These plugins are frequently updated with new security checks.

Nikto is by no means a stealthy tool. It makes several thousand HTTP GET requests to the web server, creating a large number of entries in the web server's log files. This noise is actually an excellent way to test an Intrusion Detection System (IDS) that is already in place. Any web server log monitoring, host based intrusion detection (HIDS) or network based intrusion detection (NIDS) should detect a Nikto scan.

Custom scans can be started with the IDS evasion methods provided by libwhisker; however, the current version of our online scan is a default (no evasion) scan.

Before someone else notifies you of a problem, or your site falls prey to an attack, install Nikto on a machine separate from the web server and begin your own assessments.

The Nikto Web Vulnerability Scanner is a popular tool found in the grab bag of many penetration testers and security analysts. It will often discover interesting information about a web server or website that can be used for deeper exploitation or vulnerability assessment.

We have put together a small tutorial on running your own installation of Nikto on Ubuntu Linux. If you are a Windows user why not have a go at running Nikto in an Ubuntu Linux virtual machine. It is all free and easy to setup. Many excellent open source security tools are available only in Linux versions.

Running a Nikto web server scan is a straight forward process. Follow through this Nikto Tutorial to get an overview of what is involved. Start your web server testing with one of the most well known website / server testing tools. This is the same tool we use in our hosted Nikto scanner service.

Nikto is a Perl-based security testing tool, which means it will run on most operating systems that have a Perl interpreter installed. We will guide you through using it on Ubuntu Linux, basically because it is our operating system of choice and it just works. Perl comes pre-installed in Ubuntu, so it is a matter of downloading the tool, unpacking it and running the command with the necessary options. For Windows users, running Nikto involves either installing a Perl environment (ActiveState Perl or Strawberry Perl) or loading up a Linux virtual machine in VirtualBox or VMware.

If you are running Microsoft Windows as your main operating system, you may find that a virtual machine with Kali Linux or Ubuntu brings a number of benefits. For starters it makes obtaining tools such as Nikto a very simple process, and it lets you develop skills with a Linux based operating system that will benefit all aspects of your security testing. The majority of free security testing tools are developed on and for Linux based systems. By using a virtual machine you can test Nikto and many other open source security tools without affecting your production workstation.


Nikto Installation on Ubuntu

On a default installation of Ubuntu, launch a terminal and using a standard user account download the latest version of Nikto.

You can unpack it with an archive manager tool or use tar and gzip together with this command.

Run nikto.pl with no options. From a working installation you should see the following output:

If there are any errors regarding SSL support, it may be necessary to run sudo apt install libnet-ssleay-perl. Without SSL/TLS support you will not be able to test sites over HTTPS.

Starting a Nikto Web Scan

For a simple test we will scan a single host name. In the example below we are testing the virtual host (nikto-test.com) on 16x.2xx.2xx.1xx over HTTPS. The target web server responds to Nikto's tests as it would to any other request, and we can see from the results that the target is a WordPress based site.

In the output we can see the items Nikto flagged as interesting, as well as the time taken for the scan and the total number of items tested. If we review the web server logs we will be able to see the individual requests the scanner made.

Nikto and the Web Server

Let's review the web server logs. An important thing to understand when testing a site with Nikto is the amount of noise it creates in the web server log files. Nikto tests for the presence of thousands of possible web paths and checks the web server's response, which for most items will be a 404 Not Found.

Here is a sample from an Nginx web server being tested by Nikto.

Unless your intrusion detection or server monitoring is broken, over 5000 hits of this sort in the web log will trigger a few alarms. They are very unlikely to impact the server, but they are certainly easy to spot: the Nikto User-Agent string appears in every log entry. Check the documentation for the option to change the User-Agent; doing so hides the name, but not the burst of 404 responses.
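The two ways of spotting a scan described above, by User-Agent and by the 404 burst, as an added example that is not code from the original tutorial or from the Nikto project. The log lines are a constructed sample in nginx "combined" format (the IP addresses, timestamps, paths and the Nikto version string are made up for the example), written to a temporary file so the filters run offline:

```shell
#!/usr/bin/env bash
# Added example: spot a Nikto run in nginx "combined" format access logs.
# Not code from the original tutorial or from the Nikto project.
set -eu

# Constructed sample log (not real traffic). 198.51.100.7 is a Nikto scan with
# the default User-Agent, 203.0.113.42 is a scan with the User-Agent changed,
# and 192.0.2.20 is an ordinary visitor.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/ HTTP/1.1" 404 153 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000013)"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000041)"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 200 2351 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000388)"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000672)"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000901)"
203.0.113.42 - - [10/Oct/2023:14:02:11 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.42 - - [10/Oct/2023:14:02:11 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.42 - - [10/Oct/2023:14:02:12 +0000] "GET /test.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.42 - - [10/Oct/2023:14:02:12 +0000] "GET /install.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.20 - - [10/Oct/2023:14:10:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.20 - - [10/Oct/2023:14:10:04 +0000] "GET /about HTTP/1.1" 200 4096 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.20 - - [10/Oct/2023:14:10:04 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
EOF

# Splitting each line on the double quote gives: $1 client/identity/time,
# $2 request line, $3 status and bytes, $4 referer, $6 User-Agent.

# Print "ip requests" for every client whose User-Agent names Nikto.
scanner_by_user_agent() {
    awk -F'"' '$6 ~ /Nikto/ { split($1, h, " "); n[h[1]]++ }
               END { for (ip in n) print ip, n[ip] }' "$1"
}

# Print "ip 404s" for clients with at least $2 responses of 404. This catches a
# scan even after the User-Agent has been changed, because the probing itself
# cannot be hidden from the server log.
noisy_404_clients() {
    awk -F'"' -v min="$2" '{ split($1, h, " "); split($3, s, " ");
                             if (s[1] == 404) n[h[1]]++ }
                           END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1"
}

echo "Clients announcing Nikto in the User-Agent:"
scanner_by_user_agent "$SAMPLE_LOG"
echo "Clients with 3 or more 404 responses:"
noisy_404_clients "$SAMPLE_LOG" 3 | sort
```

Point both filters at a real access log instead of "$SAMPLE_LOG" to use them. Nikto's -useragent option replaces the string the first filter keys on, which is why the second filter keys on status codes instead; tune its threshold to the normal 404 rate of the site.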


Selecting the Target

Since the tool is checking for valid paths, it is important to remember that hitting a web server on different virtual host names, directly on the IP address and even on sub paths off the root of the site will give different results.

Let's take phpMyAdmin as an example. It is a common tool for managing MySQL databases and can be a good target for an attacker if it is unpatched or poorly managed. The application could be installed at https://2xx.xxx.xxx.xxx/phpmyadmin/, https://mywebsite.com/phpmyadmin/ or http://mywebsite.com/admin/phpmyadmin/. To find it with Nikto we would have to target all three locations, and some servers have hundreds of virtual hosts.

I am not suggesting running Nikto hundreds of times against every server, but think about where to aim the scan to cover the most ground. The same considerations apply when doing simple file and directory brute forcing with Burp Suite or other web application testing tools.
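The target selection just described (the bare IP, each virtual host and a sub path) and the soft 404 problem from the false positives section above can be handled in one small wrapper. The script below is an added example, not code from the original tutorial or the Nikto project. It assumes nikto.pl is reachable through the NIKTO variable (default shown), that curl is installed, and that the address 203.0.113.10, the host name mywebsite.com and the /admin/ path are placeholder targets to replace with your own; the Nikto options it uses (-h, -vhost, -port, -ssl, -root, -Tuning, -output, -Format) are documented Nikto 2.1.x options.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial or the Nikto project):
# run Nikto against every place a web application might live on one server
# and note up front whether the server answers 200 for paths that do not exist.
set -eu

# How to invoke Nikto; override with NIKTO="nikto" if it is on PATH (assumption).
NIKTO="${NIKTO:-perl nikto/program/nikto.pl}"

# Build one Nikto command line.
#   $1 = address to connect to (IP or host name)
#   $2 = Host header to send (virtual host name); may equal $1
#   $3 = path prefix prepended to every test ("/" for the site root)
# -Tuning 123b limits the run to interesting files, misconfigurations,
# information disclosure and software identification.
nikto_cmd() {
    local host="$1" vhost="$2" root="$3"
    local out
    out="nikto_$(printf '%s%s' "$vhost" "$root" | tr -c 'A-Za-z0-9' '_').txt"
    printf '%s -h %s -vhost %s -port 443 -ssl -root %s -Tuning 123b -output %s -Format txt\n' \
        "$NIKTO" "$host" "$vhost" "$root" "$out"
}

# Ask for a path that cannot exist and return the HTTP status code (needs network).
probe_missing_path() {
    curl -sk -o /dev/null -w '%{http_code}' "${1}nikto-probe-$(date +%s)-$$"
}

# Decide what a 200 from a Nikto check is worth, given the status the server
# returned for a path that certainly does not exist.
classify_status() {
    local code="$1" missing_code="$2"
    if [ "$code" != "200" ]; then
        echo "miss"
    elif [ "$missing_code" = "200" ]; then
        echo "soft-404"      # server says 200 to everything: verify hits by hand
    else
        echo "hit"
    fi
}

# Constructed target list: connect address, virtual host, root path (placeholders).
TARGETS="203.0.113.10 203.0.113.10 /
203.0.113.10 mywebsite.com /
203.0.113.10 mywebsite.com /admin/"

scan_all() {
    echo "$TARGETS" | while read -r host vhost root; do
        missing=$(probe_missing_path "https://${vhost}${root}")
        echo "# ${vhost}${root}: a missing path returns HTTP ${missing}; 200 results are $(classify_status 200 "$missing")"
        cmd=$(nikto_cmd "$host" "$vhost" "$root")
        echo "# $cmd"
        eval "$cmd"
    done
}

# Scans only run when asked for explicitly: NIKTO_RUN=1 ./nikto-targets.sh
# Otherwise the script just prints the command lines it would run.
if [ "${NIKTO_RUN:-0}" = "1" ]; then
    scan_all
else
    echo "$TARGETS" | while read -r host vhost root; do nikto_cmd "$host" "$vhost" "$root"; done
fi
```

Each run writes its own report file, so the results for the IP, the named virtual host and the sub path can be compared side by side; when the probe reports that a missing path returns 200, treat every 200 in that report as unverified until you have requested it by hand.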


Further information can be found in the documentation on the project page https://cirt.net/nikto2-docs/installation.html


Conclusion




Nikto continues to be an excellent web server testing tool, finding all sorts of obscure issues, whether it is directory indexing, an exposed admin panel or remote code execution in a rare web application. Take the time to run it and be surprised.

