Nikto
Sorina-Georgiana CHIRILĂ
Faculty of Computer Science
Alexandru Ioan Cuza University, Iași, Romania
Software Security - 2013
Overview
● Idea
● What is “Nikto” ?
● Technical details
● Structure
● Installation
● Case Studies
● Features
● Advantages/Disadvantages
● Resources
Idea
● You manage several Web servers/applications
● Need to find potential problems and security
vulnerabilities, including:
- Server and software misconfigurations
- Default files and programs
- Insecure files and programs
- Outdated servers and programs
What is “Nikto” ?
● Web server scanner,
● Created by: David Lodge and Chris Sullo,
● Version 1.00 Beta released on: December 27, 2001,
● Current version: 2.1.5,
● Written in: Perl,
● The name is taken from the movie: The Day The Earth Stood Still,
● Sponsored by: Sunera LLC,
● Official page: http://www.cirt.net/nikto2.
Technical details
● Open source, with support for SSL connections,
● Performs tests against web servers for multiple items:
  - Looks for over 6500 potentially dangerous files/CGIs,
  - Checks for outdated versions of over 1250 servers,
  - Looks for version specific problems on over 270 servers,
  - Attempts to identify installed web servers and software,
  - Checks for the presence of multiple index files and HTTP server options,
● Output can be saved in a variety of formats: text, XML, HTML (also CSV, NBE and a Metasploit-importable msf+ format).
Structure
● Tests against vulnerabilities: databases folder (the test definitions, e.g. db_tests, one check per line),
● Performed with code from: plugins directory (the Perl code that reads the databases and sends the requests),
● Main file: nikto.pl,
● Replay file: replay.pl (replays a saved request, useful for re-checking a single finding by hand).
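To make the databases/plugins split concrete, here is a small Python engine written for this page (it is an added example, not Nikto's own Perl). It assumes the 13-column layout of Nikto 2.1.x's db_tests.db (id, osvdb, tuning, uri, method, match1, match1or, match1and, fail1, fail2, summary, data, headers) and the matching rule from Nikto's documentation: a finding is reported when (match1 OR match1or) AND match1and AND NOT fail1 AND NOT fail2, where a 3-digit value is compared against the HTTP status code and any other value is searched for in the response. The database rows and the "server" responses are constructed for the example; the soft-404 entry shows why the fail columns exist.

```python
"""Minimal Nikto-style check engine over a db_tests-format database (added example)."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed rows in the assumed db_tests layout (not real Nikto entries):
# id, osvdb, tuning, uri, method, match1, match1or, match1and, fail1, fail2, summary, data, headers
SAMPLE_DB = '''\
"900001","0","3","/admin/","GET","200","","","","","Admin directory found (constructed).","",""
"900002","0","2","/phpinfo.php","GET","200","","phpinfo()","","","phpinfo() page exposes server configuration (constructed).","",""
"900003","0","b","/cgi-bin/test.cgi","GET","200","","","Not Found","","Test CGI present (constructed).","",""
"900004","0","1","/backup.zip","GET","200","","","","","Backup archive is downloadable (constructed).","",""
'''

# Constructed responses: URI -> (status, headers, body).  /cgi-bin/test.cgi is a "soft 404":
# the server answers 200 with an error page, which is exactly what the fail1 column guards against.
FAKE_SERVER = {
    "/admin/": (200, {"Server": "Apache/2.2.3"}, "<html><title>Admin console</title></html>"),
    "/phpinfo.php": (200, {"Server": "Apache/2.2.3"}, "<h1>PHP Version 5.3.3</h1> phpinfo()"),
    "/cgi-bin/test.cgi": (200, {"Server": "Apache/2.2.3"}, "<html>Not Found</html>"),
}
DEFAULT_404 = (404, {"Server": "Apache/2.2.3"}, "<html>404 Not Found</html>")

FIELDS = ["id", "osvdb", "tuning", "uri", "method", "match1", "match1or",
          "match1and", "fail1", "fail2", "summary", "data", "headers"]


@dataclass
class Check:
    id: str
    osvdb: str
    tuning: str
    uri: str
    method: str
    match1: str
    match1or: str
    match1and: str
    fail1: str
    fail2: str
    summary: str
    data: str
    headers: str


def load_db(text):
    """Parse quoted, comma-separated rows; blank lines and '#' comments are skipped."""
    checks = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(row)}: {row}")
        checks.append(Check(**dict(zip(FIELDS, row))))
    return checks


def _matches(pattern, status, headers, body):
    """Empty pattern never matches; three digits compare to the status; else substring search."""
    if pattern == "":
        return False
    if re.fullmatch(r"\d{3}", pattern):
        return int(pattern) == status
    haystack = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body
    return pattern in haystack


def evaluate(check, status, headers, body):
    """Apply (match1 OR match1or) AND match1and AND NOT fail1 AND NOT fail2."""
    args = (status, headers, body)
    if not (_matches(check.match1, *args) or _matches(check.match1or, *args)):
        return False
    if check.match1and and not _matches(check.match1and, *args):
        return False
    if _matches(check.fail1, *args) or _matches(check.fail2, *args):
        return False
    return True


def scan(db_text, server, tuning=None):
    """Run every check; `tuning` restricts to checks whose tuning code is listed, like -Tuning."""
    findings = []
    for check in load_db(db_text):
        if tuning is not None and not any(c in tuning for c in check.tuning):
            continue
        status, headers, body = server.get(check.uri, DEFAULT_404)  # stands in for the HTTP request
        if evaluate(check, status, headers, body):
            findings.append((check.id, check.uri, check.summary))
    return findings


if __name__ == "__main__":
    for fid, uri, summary in scan(SAMPLE_DB, FAKE_SERVER):
        print(f"+ {uri}: {summary} (id {fid})")
```

Running it reports /admin/ and /phpinfo.php only: the test CGI is dropped because its fail1 string appears in the body, and the backup archive gets a real 404. Passing tuning="3" keeps just the information-disclosure check, the same effect the real -Tuning option has on which database rows are sent.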
Installation
● Runs on Windows, Mac, Linux: any system with a basic Perl installation allows Nikto to run (scanning SSL/TLS hosts additionally needs the Net::SSLeay Perl module and OpenSSL).
● Requirements for Windows usage:
  - ActiveState Perl: typical setting,
  - Nikto: download and extract the archive content.
Command line tool
● Simple scan (the long and short option forms are equivalent):
perl nikto.pl -host name.ro -port 80
perl nikto.pl -h name.ro -p 80
perl nikto.pl -h 127.0.0.1 -p 80
● Findings are cross-referenced to the Open Sourced Vulnerability Database (OSVDB) by ID.
● Testing will reveal scripts, files and directories that may leak information or have security problems.
Case studies
● perl nikto.pl -h 127.0.0.1 (scan a single host on the default port 80)
● perl nikto.pl -h localhost -p 80,8080 (scan several ports; a range such as 80-90 also works)
● perl nikto.pl -h hosts.txt (scan every host listed in a text file, one per line)
● perl nikto.pl -h 127.0.0.1 -o results.txt (save the results; the format is taken from the file extension unless -Format is given)
● perl nikto.pl -h localhost -o results.html (HTML report)
● perl nikto.pl -h 127.0.0.1 -dbcheck (check the databases and other key files for syntax errors)
● perl nikto.pl -h localhost -update (update databases and plugins from cirt.net; no host is actually needed for this)
Features
● SSL support,
● Template engine to easily customize reports,
● Support for LibWhisker's anti-IDS methods (selected with -evasion),
● Easily updated via command line,
● Thorough documentation,
● Projects like Wikto, MacNikto and services like Edgeos.com and HackerTarget.com which are related to Nikto or incorporate/use Nikto databases,
● Scans multiple ports on a server, or multiple servers via input file (including nmap output),
● Logging to Metasploit,
● Full HTTP proxy support (-useproxy) - by using a tool (like Burp Suite) that can intercept the HTTP requests and show them in proper format, we can analyse the queries made by Nikto and discover vulnerabilities,
● It can be integrated in Nessus.
Advantages
● Fast, versatile tool,
● Written in Perl, it can be run in any host operating system,
● Open source - it can be easily extended and customized,
● Diverse output formats - easy to integrate with other penetration testing tools.
Disadvantages
● Runs at the command line, without any graphical user interface (GUI),
● Not a stealthy tool: it sends thousands of requests as fast as it can, so scans are obvious in server logs and to an IDS, and findings should be verified by hand (e.g. with replay.pl) before being reported.
Resources
● http://www.linuxforu.com/2010/05/website-vulnerabilities-and-nikto/
● http://hackingdemos.blogspot.ro/2013/09/view-possible-vulnerabilities-of-host.html
● http://osvdb.org/
● http://sectools.org/tool/nikto/
● http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson13/
● http://www.slideshare.net/rommzezz/security-testing-vrn-20022013?from_search=12
● http://www.slideshare.net/namedeplume/penetration-testing-basics?from_search=9
● http://www.devshed.com/c/a/Apache/Secure-Installation-and-Configuration/
● http://memo-linux.com/nikto-outil-scanner-de-securite-serveur-web/
● http://needsec.com/wp-content/uploads/2013/11/CheatSheetNikto.pdf
● http://www.binarytides.com/nikto-hacking-tutorial-beginners/
● http://www.cgisecurity.com/whitehat-mirror/wh-whitepaper_xst_ebook.pdf
● http://www.madirish.net/547
● http://searchsecurity.techtarget.com/video/How-to-use-Nikto-to-scan-for-Web-server-vulnerabilities
● https://www.youtube.com/watch?v=NJ8ixhgL8V8
● https://www.youtube.com/watch?v=yV26jHKU38k
● https://www.youtube.com/watch?v=Jx6pTc8ikjU
● https://www.youtube.com/watch?v=goCm1TCJ29g
Questions ?