{"id":2792,"date":"2010-03-11T09:46:27","date_gmt":"2010-03-11T14:46:27","guid":{"rendered":"http:\/\/g33kinfo.com\/info\/?p=2792"},"modified":"2010-03-11T09:46:27","modified_gmt":"2010-03-11T14:46:27","slug":"nikto-web-security-check","status":"publish","type":"post","link":"https:\/\/g33kinfo.com\/info\/nikto-web-security-check\/","title":{"rendered":"Nikto: Web security check"},"content":{"rendered":"<p>From <a href=\"http:\/\/www.linux-mag.com\/cache\/7720\/1.html\" target=\"_blank\" rel=\"noopener noreferrer\">linuxmag.com<\/a><\/p>\n<p>Nikto is a free, open source, command line scanning script used for testing your web server\u2019s security. It checks for thousands of vulnerabilities and potential security weaknesses such as default files and programs, outdated servers, insecure files, server and software misconfigurations. Nikto uses a configuration file, three dozen plugins for testing and a handful of templates for reporting.<\/p>\n<p>Nikto is not a weapon nor is it a remedy for damage that\u2019s already occurred. It is an assessment tool that, when used properly, may prevent a host of potential security threats from becoming reality.<\/p>\n<p>The Warning<\/p>\n<p>It\u2019s no concern of mine how you run your websites but if you receive a notice from your hosting company that your site\u2019s lack of security threatens everyone\u2019s service, you could face obliteration. Security is one area where an ounce of prevention is worth a pound of cure. Before you receive that notice or your site falls prey to a cyber attack, install Nikto on a remote computer and begin your assessments.<\/p>\n<p>Nikto\u2019s installation is simple and painless\u2013no compiling required. You must have the following prerequisites to use SSL support: Net::SSLeay, openssl-perl, perl-MD5 and perl-libwhisker2. Depending on your distribution, other dependencies may exist for these packages. Some distributions package nikto as well. 
My CentOS 5.x system gave me an outdated version to use when I performed a yum installation.<\/p>\n<p>After you\u2019ve satisfied the prerequisites and their dependencies, grab the tarball from the CIRT website at http:\/\/cirt.net\/Nikto2. Unzip, untar and you\u2019re ready to begin your security scans.<\/p>\n<p>Nikto Tests<\/p>\n<ul>\n<li>IDS Evasion<\/li>\n<li>2300+ New RFI Tests<\/li>\n<li>6100+ Files and CGIs<\/li>\n<li>Outdated Versions of 950+ Servers<\/li>\n<li>Version-specific Problems on 260+ Servers<\/li>\n<li>SSL Information<\/li>\n<\/ul>\n<p>The System<\/p>\n<p>Nikto isn\u2019t perfect but it\u2019s a system that works. If you secure your websites to the point where Nikto produces minimal results, I feel confident that your risks are also minimal. Once you\u2019ve installed Nikto, it\u2019s time to take it for a test drive.<\/p>\n<p>At a command line, enter the following command to start a simple port 80 scan on website.com (website.com is an example; substitute your target for website.com):<\/p>\n<pre><code>$ .\/nikto.pl -h website.com\n\n- Nikto v2.1.1\n---------------------------------------------------------------------------\n+ Target IP:          192.168.1.250\n+ Target Hostname:    website.com\n+ Target Port:        80\n+ Start Time:         2010-03-01 13:42:23\n---------------------------------------------------------------------------\n+ Server: Apache\/2.2.3 (CentOS)\n+ Number of sections in the version string differ from those in the database, the server reports: apache\/2.2.3 while the database has: 2.2.14. This may cause false positives.\n+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE\n+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST\n+ OSVDB-3268: \/icons\/: Directory indexing is enabled: \/icons\n+ OSVDB-3233: \/icons\/README: Apache default file found.\n+ 3818 items checked: 5 item(s) reported on remote host\n+ End Time:           2010-03-01 13:42:54 (31 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested\n<\/code><\/pre>\n<p>The results you see are from a default Apache installation. Active site scans produce more verbose output. The -h switch specifies the host you want to test. To see a list of all possible switches, enter .\/nikto.pl at the prompt.<\/p>\n<p>Note: You will likely experience a long wait between the initial header\u2019s appearance and useful scan information. Don\u2019t kill the process. I\u2019ve waited as much as 15 minutes for a response. Allow Nikto to do its job.<\/p>\n<p>Another useful example is to scan ports 443 and 8080 for a more comprehensive look at security vulnerabilities. When you specify ports, list every port you want scanned, including port 80 (the default).<\/p>\n<pre><code>$ .\/nikto.pl -h website.com -port 443,8080\n\n---------------------------------------------------------------------------\n+ No web server found on 192.168.1.250:443\n---------------------------------------------------------------------------\n+ No web server found on 192.168.1.250:8080\n---------------------------------------------------------------------------\n<\/code><\/pre>\n<p>I don\u2019t have any services on ports 443 or 8080 and that\u2019s why you see the \u201cNo web server found\u201d notices. 
Some notices give you explicit information such as \u201cAllowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE\u201d and others provide little useful information: \u201cUnauthorized Read Acces.\u201d<\/p>\n<p>Don\u2019t ignore the information you receive from these scans; investigate it. Yes, Nikto yields some false positives, but they\u2019re all worth checking into for your own security\u2019s sake. You don\u2019t want to go to the trouble of scanning and then ignore the results.<\/p>\n<p>The Penalty<\/p>\n<p>The penalty for provoking the actions of website attackers is too terrible to risk. It\u2019s also risky to use Nikto for your own evil deeds, since Nikto isn\u2019t, as the developers put it, \u201cdesigned as an overly stealthy tool.\u201d<\/p>\n<p>Web server access logs show the originating IP address of the scanning computer and that you\u2019re using Nikto to scan for vulnerabilities. For this reason, I suggest you use Nikto to scan sites that you control and leave others alone. You don\u2019t want an uninvited visitor warning you that your scans are perceived as an act of aggression.<\/p>\n<p>The following are two entries from my access log:<\/p>\n<pre><code>192.168.1.73 - - [01\/Mar\/2010:08:40:15 -0600] \"GET \/www\/2 HTTP\/1.1\" 404 281 \"-\" \"Mozilla\/4.75 (Nikto\/2.1.1) (Evasions:None) (Test:003848)\"\n192.168.1.73 - - [01\/Mar\/2010:08:40:15 -0600] \"GET \/wp-content\/plugins\/akismet\/readme.txt HTTP\/1.1\" 404 313 \"-\" \"Mozilla\/4.75 (Nikto\/2.1.1) (Evasions:None) (Test:006181)\"\n<\/code><\/pre>\n<p>You can see from these entries that Nikto doesn\u2019t cover its tracks, nor is it meant to: the User-Agent string names the tool, its version and the test number. It is not a tool for those with malicious intent but for those who want to prevent such attacks from compromising their sites and data.<\/p>\n<p>This brief introduction to Nikto and its use should give you adequate information to make you paranoid enough to download it and begin scanning those potentially insecure websites. 
Nikto isn\u2019t platform or web server specific. It responds equally well to Apache, Microsoft\u2019s IIS and other web server software. Klaatu barada Nikto loosely translated means, \u201cKlaatu recommends Nikto.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>From linuxmag.com Nikto is a free, open source, command line scanning script used for testing your web server\u2019s security. It checks for thousands of vulnerabilities and potential security weaknesses such as default files and programs, outdated servers, insecure files, server and software misconfigurations. Nikto uses a configuration file, three dozen plugins for testing and a&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-2792","post","type-post","status-publish","format-standard","hentry","category-info"],"yoast_head_json":{"title":"Nikto: Web security check - Linux Shtuff","canonical":"https:\/\/g33kinfo.com\/info\/nikto-web-security-check\/","og_locale":"en_US","og_type":"article","og_title":"Nikto: Web security check - Linux Shtuff","og_url":"https:\/\/g33kinfo.com\/info\/nikto-web-security-check\/","og_site_name":"Linux Shtuff","article_publisher":"https:\/\/fb.me\/g33kinf0","article_author":"https:\/\/fb.me\/g33kinf0","article_published_time":"2010-03-11T14:46:27+00:00","author":"g33kadmin","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/drsinger1111","twitter_site":"@drsinger1111"}}