Ethical Hacking: Web Application Vulnerability Scanning with Nikto

Introducing the Nikto Scanner

Nikto is an open-source web server scanner. It enumerates a target web server and the applications it hosts, and checks them against a database of potentially dangerous files and directories, outdated server software, and common misconfigurations.

Installing Nikto

Nikto comes installed by default in Kali Linux, Parrot Security, and other penetration testing Linux distributions. However, you can easily install Nikto by completing the following steps on a Debian/Ubuntu based distribution:

  1. Update packages information: sudo apt update
  2. Install Nikto using apt: sudo apt install nikto -y
  3. You can execute the Nikto program and access the help information by running the following command: nikto -H

Alternatively, you can clone the Nikto repository and execute the Perl script, as demonstrated below:

  1. Clone the Nikto GitHub repository: git clone https://github.com/sullo/nikto
  2. Access the program directory: cd nikto/program
  3. Nikto is written in Perl, so Perl must be installed on your system. You can execute the Nikto program and access the help information by running the following command: perl nikto.pl -H

In the following steps you will learn how to scan and enumerate a web application using Nikto.

Scanning and Enumerating a Web Application using Nikto

Let’s enumerate and scan a web application running on a system configured with the IP address 10.0.0.5 using Nikto.

┌───────┐       ┌──────────┐
│       │       │  APP 1   │
│ NIKTO ├───────┤          │
│       │       │ 10.0.0.5 │
└───────┘       └──────────┘

To scan the web application, simply execute the following command: nikto -h http://10.0.0.5

You can display the scan status during an active scan by pressing the SPACE bar on your keyboard. You can also turn different features on and off by pressing any of the following keys:

  • v: Turns verbose mode on/off
  • d: Turns debug mode on/off
  • e: Turns error reporting on/off
  • p: Turns progress reporting on/off
  • r: Turns 3xx/redirect display on/off
  • c: Turns cookie display on/off
  • o: Turns 200/OK display on/off
  • a: Turns auth display on/off
  • q: Quit (gracefully)
  • N: Next host
  • P: Pauses the scan

NOTE: Nikto checks for user input only every 10 requests, so a slow scan may take a moment to respond to a keypress.

The following are the scan results that you should see on the screen after launching Nikto against the web application running on 10.0.0.5.

$ nikto -h http://10.0.0.5
---------------------------------------------------------------------------
+ Target IP:          10.0.0.5
+ Target Hostname:    10.0.0.5
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: nginx/1.14.2
+ Server leaks inodes via ETags, header found with file /, fields: 0x6116b2e9 0x20ae 
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3092: /admin/: This might be interesting...
+ /admin/index.html: Admin login page/section found.
+ /wp-admin/: Admin login page/section found.
+ /wp-login/: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2021-08-13 18:22:30 (GMT0) (7 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Exporting Nikto Scan Results in Different Formats

You can save the output of the Nikto scan to a file using the -o option. Nikto can export the scan results in any of the following formats, by using the -Format option:

  • csv: Comma-separated-value
  • json: JSON Format
  • htm: HTML Format
  • nbe: Nessus NBE format
  • sql: Generic SQL (see docs for schema)
  • txt: Plain text
  • xml: XML Format

NOTE: If you don’t specify the output format, Nikto tries to detect the format based on the file extension. The schema for the table used in SQL output can be found in docs/nikto_schema.sql.

Exporting Results in Comma-Separated Files

Let’s scan the web application and save the scan results in a comma-separated-value (CSV) file by executing the following command:

nikto -h http://10.0.0.5 -o scan.csv -Format csv

Verify the results of the scan by invoking the following command:

cat scan.csv

Exporting Results in XML

Now launch a similar scan and export the results in an XML file:

nikto -h http://10.0.0.5 -o scan.xml -Format xml

Verify the results of the scan by invoking the following command:

cat scan.xml

Exporting Results in an HTML Report

Let’s scan the web application and save the scan results in an HTML report file by executing the following command:

nikto -h http://10.0.0.5 -o scan.html -Format htm

Verify the results of the scan by invoking the following command:

cat scan.html
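Reading a CSV report with cat is fine for a single host, but across repeated scans you will want to parse it. The following is an added example, not part of the original page or of the Nikto project: it parses Nikto-style CSV rows, buckets findings by type, and diffs a scan against an earlier baseline so new findings stand out. The column layout (hostname, ip, port, OSVDB id, method, uri, message) and both sample files are constructed by hand to mirror the scan shown above; the category keywords are this example's own heuristics, not Nikto's.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the seven-column layout Nikto's CSV report uses
# (hostname, ip, port, OSVDB id, HTTP method, uri, message). It is written by
# hand to mirror the scan output shown on this page, not captured from a run.
SAMPLE_CSV = '''\
"10.0.0.5","10.0.0.5","80","0","GET","/","Server: nginx/1.14.2"
"10.0.0.5","10.0.0.5","80","0","GET","/","Server leaks inodes via ETags, header found with file /, fields: 0x6116b2e9 0x20ae"
"10.0.0.5","10.0.0.5","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"10.0.0.5","10.0.0.5","80","3092","GET","/admin/","This might be interesting..."
"10.0.0.5","10.0.0.5","80","0","GET","/admin/index.html","Admin login page/section found."
"10.0.0.5","10.0.0.5","80","0","GET","/wp-admin/","Admin login page/section found."
"10.0.0.5","10.0.0.5","80","0","GET","/wp-login/","Admin login page/section found."
'''

# A second constructed file standing in for an earlier baseline scan of the
# same host, taken before the WordPress paths appeared.
BASELINE_CSV = "".join(SAMPLE_CSV.splitlines(keepends=True)[:5])

FIELDS = ("host", "ip", "port", "osvdb", "method", "uri", "message")


def parse_nikto_csv(text):
    """Parse Nikto CSV text into a list of finding dicts, skipping malformed rows."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # blank line or a row that is not a finding
        rec = dict(zip(FIELDS, (field.strip() for field in row)))
        rec["port"] = int(rec["port"])
        findings.append(rec)
    return findings


def categorize(rec):
    """Bucket a finding by its message; first matching rule wins (own heuristics)."""
    msg = rec["message"].lower()
    if "admin login" in msg:
        return "admin-interface"
    if "not present" in msg:
        return "missing-header"
    if "leaks" in msg:
        return "information-disclosure"
    if rec["osvdb"] not in ("", "0"):
        return "osvdb-reference"
    return "informational"


def summarize(text):
    """Map category -> sorted unique URIs, a quick view of where to look first."""
    buckets = defaultdict(set)
    for rec in parse_nikto_csv(text):
        buckets[categorize(rec)].add(rec["uri"])
    return {cat: sorted(uris) for cat, uris in buckets.items()}


def new_findings(baseline_text, current_text):
    """Findings in the current scan that the baseline did not have, keyed by (uri, message)."""
    seen = {(r["uri"], r["message"]) for r in parse_nikto_csv(baseline_text)}
    return [r for r in parse_nikto_csv(current_text)
            if (r["uri"], r["message"]) not in seen]


if __name__ == "__main__":
    for cat, uris in sorted(summarize(SAMPLE_CSV).items()):
        print("%-24s %s" % (cat, ", ".join(uris)))
    for rec in new_findings(BASELINE_CSV, SAMPLE_CSV):
        print("NEW:", rec["uri"], "-", rec["message"])
```

To use it against real output, read scan.csv from disk and pass its contents to summarize or new_findings; keeping the previous report as the baseline turns a routine rescan into a short list of what changed.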

Using Different Evasion Techniques

You can try to evade intrusion detection systems and other security monitoring tools by encoding your requests in different ways with the -evasion option. Bear in mind that these encodings can also cause the target server to reject or misinterpret requests, so compare the results with those of an unencoded scan before trusting them. Nikto supports the following encoding (evasion) techniques:

  • 1: Random URI encoding (non-UTF8)
  • 2: Directory self-reference (/./)
  • 3: Premature URL ending
  • 4: Prepend long random string
  • 5: Fake parameter
  • 6: TAB as request spacer
  • 7: Change the case of the URL
  • 8: Use Windows directory separator (\)
  • A: Use a carriage return (0x0d) as a request spacer
  • B: Use binary value 0x0b as a request spacer

In the following example, a fake parameter (technique 5) is used as an evasion technique:

nikto -h http://10.0.0.5 -evasion 5

You should notice that the Nikto scan summary lists the encoding method:

Using Encoding: Fake parameter
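To see what these encodings actually do to a request, and why a server or IDS that canonicalises paths is not fooled by most of them, here is an added example. It is not Nikto's or LibWhisker's code: the functions below are simplified re-implementations of techniques 1, 2, 4, 5, 7, 8, 6, A and B written for this page, so the exact bytes differ from what Nikto sends; the random generator is seeded so output is reproducible, and the normalize function stands in for what a canonicalising server-side parser would see.

```python
import posixpath
import random
from urllib.parse import unquote

# Simplified re-implementations of some of the encodings listed above, written
# for this page to show what each does to the request line and why a server
# (or an IDS) that canonicalises paths sees through them. They are NOT Nikto's
# or LibWhisker's code and are not byte-for-byte what Nikto sends.

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SPACERS = {"6": "\t", "A": "\r", "B": "\x0b"}  # request-line spacer evasions


def _token(rng, length):
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def encode_path(path, technique, rng=None):
    """Apply one path-level evasion (1, 2, 4, 5, 7 or 8) to a request path."""
    rng = rng or random.Random(0)  # seeded so the output is reproducible
    if technique == "1":  # random (non-UTF-8) URI encoding of some characters
        return "".join("%%%02X" % ord(c) if c.isalnum() and rng.random() < 0.5 else c
                       for c in path)
    if technique == "2":  # directory self-reference: /a/b -> /./a/./b
        return "/./".join(path.split("/"))
    if technique == "4":  # prepend a long random directory, then back out of it
        return "/" + _token(rng, 64) + "/.." + path
    if technique == "5":  # fake parameter appended as a query string
        return path + "?" + _token(rng, 8) + "=" + _token(rng, 8)
    if technique == "7":  # random case changes
        return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in path)
    if technique == "8":  # Windows directory separator
        return path.replace("/", "\\")
    raise ValueError("unsupported technique %r" % technique)


def build_request_line(path, techniques, rng=None):
    """Build the GET request line for a path and a string of technique ids, e.g. '26'."""
    rng = rng or random.Random(0)
    spacer = " "
    for t in techniques:
        if t in SPACERS:
            spacer = SPACERS[t]
        else:
            path = encode_path(path, t, rng)
    return "GET" + spacer + path + spacer + "HTTP/1.1"


def normalize(path):
    """What a canonicalising server or IDS reduces an encoded path to."""
    path = path.split("?", 1)[0]              # drop the fake parameter
    path = unquote(path).replace("\\", "/")   # decode %XX, treat \ as /
    return posixpath.normpath(path)           # collapse /./ and /x/../


if __name__ == "__main__":
    for t in "124578":
        encoded = encode_path("/admin/index.html", t)
        print(t, repr(encoded), "->", repr(normalize(encoded)))
    print(repr(build_request_line("/admin/", "26")))
```

Running it shows that techniques 1, 2, 4, 5 and 8 all normalize back to /admin/index.html; only the case change (7) survives canonicalisation, and that one only matters on a server whose filesystem or routing is case-insensitive. The spacer techniques (6, A, B) change the request line rather than the path, which is why they target parsers that split on a single space instead of path matchers.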

Explore some of the other options on your own.