Mar 112010


Nikto is a free, open source, command line scanning script used for testing your web server’s security. It checks for thousands of vulnerabilities and potential security weaknesses such as default files and programs, outdated servers, insecure files, server and software misconfigurations. Nikto uses a configuration file, three dozen plugins for testing and a handful of templates for reporting.

Nikto is not a weapon nor is it a remedy for damage that’s already occurred. It is an assessment tool that, when used properly, may prevent a host of potential security threats from becoming reality.

The Warning

It’s no concern of mine how you run your websites but if you receive a notice from your hosting company that your site’s lack of security threatens everyone’s service, you could face obliteration. Security is one area where an ounce of prevention is worth a pound of cure. Before you receive that notice or your site falls prey to a cyber attack, install Nikto on a remote computer and begin your assessments.

Nikto’s installation is simple and painless–no compiling required. You must have the following prerequisites to use SSL support: Net::SSLeay, openssl-perl, perl-MD5 and perl-libwhisker2. Depending on your distribution, other dependencies may exist for these packages. Some distributions package nikto as well. My CentOS 5.x system gave me an outdated version to use when I performed a yum installation.

After you’ve satisfied the prerequisites and their dependencies, grab the tarball from the CIRT website at Unzip, untar and you’re ready to begin your security scans.

Nikto Tests

* IDS Evasion
* 2300+ New RFI Tests
* 6100+ Files and CGIs
* Outdated Versions of 950+ Servers
* Version-specific Problems on 260+ Servers
* SSL Information

The System

Nikto isn’t perfect but it’s a system that works. If you secure your websites to the point where nikto produces minimal results, I feel confident that your risks are also minimal. Once you’ve installed Nikto, it’s time to take it for a test drive.

At a command line, enter the following command to start a simple port 80 scan on ( is an example. Substitute your target for

$ ./ -h

- Nikto v2.1.1
+ Target IP:
+ Target Hostname:
+ Target Port: 80
+ Start Time: 2010-03-01 13:42:23
+ Server: Apache/2.2.3 (CentOS)
+ Number of sections in the version string differ from those in the database, the server reports: apache/2.2.3 while the database has: 2.2.14. This may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing is enabled: /icons
+ OSVDB-3233: /icons/README: Apache default file found.
+ 3818 items checked: 5 item(s) reported on remote host
+ End Time: 2010-03-01 13:42:54 (31 seconds)
+ 1 host(s) tested

The results you see are from a default Apache installation. Active site scans produce more verbose output. The -h switch means that this is the host you want to test. To see a list of all possible switches, enter ./ at the prompt.

Note: You will likely experience a long wait between the initial header’s appearance and useful scan information. Don’t kill the process. I’ve waited as much as 15 minutes for a response. Allow Nikto to do its job.

Another useful example is to scan ports 443 and 8080 for a more comprehensive look at security vulnerabilities. You can add several ports, including port 80 (the default), if you specify ports.

$ ./ -h -port 443,8080

+ No web server found on
+ No web server found on

I don’t have any services on ports 443 or 8080 and that’s why you see the “No web server found” notices. Some notices give you explicit information such as “Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE” and others provide little useful information: “Unauthorized Read Acces.”

Don’t ignore information you receive from these scans, investigate it. Yes, Nikto yields some false positives but they’re all worth checking into for your own security’s sake. You don’t want to go to the trouble of scanning and then ignore the information.

The Penalty

The penalty for provoking the actions of website attackers is too terrible to risk. It’s also risky to use Nikto for your own evil deeds, since Nikto isn’t as the developers put it, “designed as an overly stealthy tool.”

Web server access logs show the originating IP address of the scanning computer and that you’re using Nikto to scan for vulnerabilities. For this reason, I suggest you use Nikto to scan sites that you control and leave others alone. You don’t want an uninvited visitor warning you that your scans are perceived as an act of aggression.

The following is an entry from my access log: - - [01/Mar/2010:08:40:15 -0600] "GET /www/2 HTTP/1.1" 404 281 "-" "Mozilla/4.75 (Nikto/2.1.1) (Evasions:None) (Test:003848)" - - [01/Mar/2010:08:40:15 -0600] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 313 "-" "Mozilla/4.75 (Nikto/2.1.1) (Evasions:None) (Test:006181)"

You can see from this entry that Nikto doesn’t cover its tracks nor is it meant to. It is not a tool for those with malicious intent but for those who want to prevent such attacks from compromising their sites and data.

This brief introduction to Nikto and its use should give you adequate information to make you paranoid enough to download it and begin scanning those potentially unsecure websites. Nikto isn’t platform or web server specific. It responds equally well to Apache, Microsoft’s IIS and other web server software. Klaatu barada Nikto loosely translated means, “Klaatu recommends Nikto.”

 Posted by at 9:46 am