Web Server Scanning With Nikto – A Comprehensive Guide

Web Server Scanning With Nikto – A Comprehensive Guide

Computer servers

Websites have become a critical gateway for businesses and organizations to reach customers and provide services. However, they also represent one of the most vulnerable attack surfaces that hackers actively target.

According to surveys, over 70% of websites have exploitable vulnerabilities that put user data and business operations at risk. The most common web application vulnerabilities include:

Web application security concept

  • SQL Injection Attacks: 65%
  • Cross-Site Scripting: 60%
  • Broken Authentication: 50%
  • Sensitive Data Exposure: 45%

This is why continuous web security scanning is crucial – to identify threats before hackers can find and exploit them.

This comprehensive guide will explore Nikto – an open source web server scanner that can automate much of the discovery process. We‘ll cover:

So if you‘re a web developer, IT admin, or security professional – read on!

Introducing Nikto

Nikto is an open source web server scanner written in Perl that enables comprehensive tests for multiple vulnerabilities. It is a veteran tool originally released in 2001, but thanks to ongoing community support, the latest version 4 continues to evolve.

Nikto is maintained by David Lodge with guidance from original author Chris Sullo. It runs on Linux, MacOS, and Windows (with Perl installed).

Why Use Nikto?

Here are some key reasons Nikto stands out as a go-to web scanning tool:

  • Powerful scanning engine: Nikto leverages a database of over 6700 potentially dangerous files and programs that it checks for.

  • Broad vulnerability detection: SQLI, XSS, file enumeration, outdated software – Nikto can find it.

  • Ease of use: Simple command line usage and intuitive output format lowers the barrier to entry.

  • Customization: Nikto supports useful options like output customization, HTTP proxying, and credential brute forcing.

  • Community Approved: Industry endorsements from Microsoft, US Department of Homeland Security, PCI Security Standards Council

Now let‘s explore how this popular scanner discovers vulnerabilities under the hood using some clever techniques.

How Nikto Works

Intelligent Filesystem Probing

At its core, Nikto relies on intelligent filesystem probing to extract information from web servers. It comes armed with an extensive database of common (often dangerous) file and program names across different platforms like Apache Tomcat, IIS, and Nginx.

When scanning a target, Nikto attempts to access as many files/directories as it can guess from this database:

/test.php
/config.py
/wordpress/wp-content/

If a file exists, Nikto parses the response to fingerprint the technology, version, and exposure level. Unique responses indicating success like HTTP codes 200 vs 403 errors allow Nikto to accurately draw conclusions.

Repeated over thousands of heuristic guesses, Nikto builds up an informative picture of your attack surface. It‘s able to identify not just low-hanging vulnerabilities, but subtle exposures from platform misconfigurations.

Hacker probing server

Optimized Crawl Speed

Filesystem probing is only effective if performed quickly at scale before defenses trip up. That‘s why Nikto developers have focused heavily on optimization techniques like:

  • Caching: Nikto maintains a temporary cache of already requested resources so duplicate requests are avoided. This significantly reduces overhead on the server side.

  • Concurrency: Multiple scanning threads allow Nikto to have multiple concurrent requests in flight for faster results.

  • Lean code: Programming in C and Perl allows Nikto to remain very efficient with minimal CPU and memory consumption.

With a lean 2000+ requests per second, Nikto minimizes detection by defenses and servers don‘t crash due to overload.

Subdomain Guessing

Expanding the attack surface, Nikto also attempts to guess associated subdomains related to the root domain using reverse DNS lookups and name variations. Additional hosts provide more points of entry for hackers, so it‘s important web security scanners check for them.

Credential Fuzzing

Many web apps requiring authentication have default credentials that are overlooked and never changed. Nikto capitalizes on this oversight through brute force password guessing using over 1200 default username and password combos including:

root / root
admin / 1234
test / test 

Getting access to authenticated parts of an app opens up more attack surface. Nikto helps find surefire ways in.

Integrated Scanning Database

The true power behind this versatility comes from Nikto‘s scanning database populated with:

  • Common web file and program names like /clientaccesspolicy.xml
  • Error messages unique to technologies like Apache and IIS
  • Default credential combinations for popular CMS platforms like WordPress and Joomla
  • Fingerprinting details for 2000+ software applications

Regular updates enhance this database, ensuring detection capabilities evolve to cover new threats.

Reporting & Next Steps

Output from Nikto scans comes in HTML, CSV, XML and other formats for easy analysis:

Nikto scan sample report

The findings highlight vulnerabilities discovered and serves as a risk assessment for the target. Going beyond just scanning, Nikto also tries to provide appropriate remediation guidance using best practice security advice tailored to what it finds.

For advanced testing, Nikto integrates further with Metasploit Framework to automatically convert results into input for exploitation modules as we‘ll cover next.

Now that you understand Nikto‘s approach, let‘s look at actually using it.

Installing Nikto

Since Nikto is written in Perl, it works across operating systems that have the Perl engine installed:

Linux

Most Linux distros like Kali and Parrot Sec have Nikto in the default package repositories for easy installation via:

$ sudo apt install nikto

MacOS

Easiest method is using Homebrew package manager:

$ brew install nikto

Windows

Requires installing ActiveState Perl from http://www.activestate.com/activeperl

Nikto can then be installed via the CPAN module:

$ cpan -i Nikto

With Perl and Nikto now available, let‘s explore usage.

Scanning with Nikto

The power of Nikto comes from the command line. Here are some common examples – simply replace example domains with your own targets:

Scan a Domain

$ nikto -h example.com

Scan IP Address

$ nikto -h 192.168.1.105

Scan with SSL

$ nikto -h https://example.com -ssl   

Multiple Targets

Using a text file containing one target per line:

targets.txt:
example.com 
test.com

$ nikto -h targets.txt

Specify Output File

$ nikto -h example.com -o output.html 

Format

Formats like CSV, SQL, XML

$ nikto -Format csv -o output.csv

That covers the basics – now let‘s explore some more advanced scanning capabilities.

Advanced Nikto Scanning

Beyond basics, Nikto offers advanced options that unlock more detailed vulnerability insights.

Enumerate Users

Attempt to iterate and discover valid user accounts on the system:

$ nikto -h test.com -Enumerate u

Find All Possible Files

Aggressively enumerate all possible files and directories that may exist on target:

$ nikto -h test.com -Find all

Root Only Tests

Perform testing from perspective of root directory level only:

$ nikto -h test.com -rootonly

Credentials Brute Force

Execute brute force login attempts with custom username and password file:

$ nikto -h demo.test.com -id file_usernames.txt -pw file_passwords.txt 

Define Server Type

Manually specify target server type to improve accuracy of checks. Options like apache, iis, nginx

$ nikto -h test.com -server Apache

Verbose Output

Increase verbosity to see all checks performed by Nikto:

$ nikto -h test.com -v

Custom Port

Check non-standard web ports like 8081:

$ nikto -port 8081 -h test.com

Save Scanning Database

Save current scanning database contents to a file for analysis of coverage:

$ nikto -save db.txt

These are just a sample of over 100 options available. Leverage options like proxies, exclusion rules, and tuning parameters to customize scans further.

Review the full documentation for more details.

Now let‘s look at interpreting those results.

Analyzing Scan Results

A key skill beyond just running scans is analyzing the findings to determine actual risk and remediation steps. Here is an overview of interpreting Nikto output.

1. Review Server Technology

Nikto fingerprinting reveals web server type like Apache 2.2 on Linux. Knowing underlying technology often provides hints on associated vulnerabilities to focus attention on.

Reviewing server technology

2. Address Flagged Items

The scan output flags specific items like:

+ OSVDB-12184: /test.php: This might be interesting...
+ OSVDB-3092: /test.html: This might be interesting...

Research these references to understand risk of the file being exposed and how to address.

3. Identify Outdated Software

Files revealing unsupported software like old WordPress/PHP versions quickly show what urgently needs patching/updating.

4. Review Server Configurations

Notes like missing security headers and exposed Apache/PHP directives indicate weak baseline configurations needing hardening.

5. Notice Web App Issues

Vulnerabilities like SQL injection or XSS in custom web apps require code level fixes that Nikto can help uncover early.

Addressing these common areas flagged by Nikto goes a long way in eliminating obvious surface threats attackers actively exploit daily.

Integrating With Metasploit

The open source Metasploit Framework is a common next step used by security teams to confirm and exploit vulnerabilities revealed by Nikto.

Exporting scan findings directly avoids having to manually recreate Metasploit modules.

Export Format

$ nikto -Format msf_sql -o output.sql

Formats like msf_sql, msf_xml built-in

Metasploit Import

Inside Metasploit:

msf > db_import /tmp/output.sql
msf > hosts

# Displays hosts imported from Nikto output

This kickstarts Metasploit scanning and exploitation utilizing intelligence gathered by Nikto. The combined one-two punch is potent for penetration testing teams.

Nikto Alternatives

While Nikto remains afixture of seasoned pen testers‘ toolboxes, new emerging web scanners bring their own strengths. Here are leading open source alternatives worth evaluating:

Arachni Scanner

  • Powerful Ruby-based engine with full reporting
  • Extensive WebSocket protocol support
  • Scriptable via REST API

Wapiti

  • Detects 5000+ known CMS vulnerabilities
  • Built-in attack simulators
  • Burp extension available

W3af

  • Over 300 web app vulnerbility tests
  • Easy integration with CI/CD pipelines
  • Modern Python-based tool

Joomla Scanner

  • Specific focus on Joomla CMS testing
  • Code fixes via CR2 extension
  • Reduced false positives

CMSmap

  • Scanner optimized for major CMS platforms like WordPress, Joomla & Drupal
  • Fingerprinting capabilities
  • Attack module integration

Evaluate tools against OWASP benchmark sites to compare detection rates. Mix up your portfolio matching strengths to specific apps under test.

Conclusion

Hackers have shifted attention heavily toward vulnerable web apps which pose significant threats to companies. Lowering risk requires continuously scanning and detecting problems early before incidents happen.

As this comprehensive guide demonstrates, Nikto open source scanner brings together an intelligent filesystem probing engine, broad vulnerability definitions, and easy of use for identifying risks. Complemented by emerging alternatives and integrated with exploitation frameworks like Metasploit, Nikto gives defendenders an important open-sourced option to consider in securing websites.

Stay safe out there!

Similar Posts