Using Nikto is fairly straightforward. The main required arguments are the target host and the port against which the scan will be conducted. If no port is specified, port 80 (the default) is used. All command-line options except for -debug, -update, -dbcheck, and -verbose are available by using the first letter as a short-form option. Execute the program with no arguments, and a description of all available options along with module-loading warning messages will be displayed. You’ll see the warning messages if support modules such as SSL are not installed correctly.

Here are the options you have available to you:
-Cgidirs
This allows you to manually set a single CGI directory from which to start all tests. It overrides any of the CGI directory entries made in config.txt. Additionally, it accepts the values all or none: all forces the core plug-in to run checks against every CGI directory specified in config.txt, and none runs all CGI checks against the web root (/).

-cookies
This prints out cookies if the web server attempts to set them.

-evasion+
LibWhisker lets you apply up to nine different URI obfuscation techniques to each request, with the goal of bypassing intrusion detection systems (IDSes) that do strict signature matching and no URI normalization/conversion. After seeing the evasion options by running Nikto with no arguments, specify as many of these numeric options as you want and they will be applied. For example:

    $ perl ./nikto.pl -h www.example.com -e 3489

-findonly
This does a port scan only; no other checks will be run. If you are only port-scanning, I suggest you use Nmap or another tool dedicated to that task.

-Format
This controls the output format when the -output flag is used. Valid values are htm, csv, and txt. If this option is not used, txt is the default output format.

-generic
This forces all checks in the scan database to be executed, regardless of the web server banner.

-host+
Use this to specify the target host or a file that contains target entries in the format domain.com:80:443. Each line should contain one entry; any other command-line options, such as -ssl, will be applied to all the hosts in the file.

-id+
Use this to specify HTTP Basic authentication credentials in the form username:password:realm. The realm is optional.

-mutate+
The mutate options are special, in that each integer placed in these options activates a different “conditional” plug-in. For example, by entering 13 you enable the Mutate and Enum_apache plug-ins.

-nolookup
This avoids hostname DNS lookups.

-output+
This specifies an output filename. The default format is plain text.

-port+
This is the port the checks will be run against. The default is 80.

-root+
This prepends a directory to all requests. This is useful for web servers that are configured to redirect all requests to a static virtual directory.

-ssl
This forces use of HTTPS. On occasion this option is unreliable. A workaround is to use Nikto in combination with an HTTPS proxy agent such as sslproxy, stunnel, or openssl.

-timeout
This is the connection timeout (the default is 10 seconds). If you are on a fast link and are scanning a multitude of hosts, lowering this helps reduce scan time.

-useproxy
This tells Nikto to use the proxy information defined in config.txt for all requests. At the time of this writing, only HTTP proxies are supported.

-Version
This prints the version of all found plug-ins and databases.

-vhost+
This sets the virtual host that will be used for the HTTP Host header. This is crucial when scanning a domain that is virtually hosted on a server. To get the most coverage, you should run a scan against both the web server’s IP address and the domain.

-debug
This enables debug mode, which outputs a large amount of detail about every request and response.

-dbcheck
This does a basic syntax check of the scan_database.db and user_scan_database.db databases that the main scanning engine uses.

-update
This retrieves and updates databases and plug-ins, getting the latest version from cirt.net. By default Nikto will never automatically download and install updates; it will prompt the user for acknowledgment.

-verbose
This enables verbose mode.
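As an added example that is not from the book or the Nikto project, the following POSIX shell script ties several of the options above together: it turns a constructed server inventory into a host file in the domain.com:80:443 shape that -host accepts, and assembles a scan command that uses -Format, -output and -timeout. The inventory entries, the ./nikto.pl path, the csv report name and the reading of the third field as the HTTPS port are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the book or Nikto): build a Nikto host file and
# a scan command from a small inventory of web servers to assess.

# Constructed inventory (hypothetical hosts): "host port [sslport]" per line.
INVENTORY='www.example.com 80 443
intranet.example.com 8080
10.0.0.5 80 8443'

# nikto_hostfile: print one host:port[:sslport] entry per inventory line,
# the format the book gives for files passed to -host. A missing port gets
# Nikto's default of 80; the third field is assumed to be the HTTPS port.
nikto_hostfile() {
    printf '%s\n' "$1" | while read -r host port sslport; do
        [ -z "$host" ] && continue
        port=${port:-80}
        if [ -n "$sslport" ]; then
            printf '%s:%s:%s\n' "$host" "$port" "$sslport"
        else
            printf '%s:%s\n' "$host" "$port"
        fi
    done
}

# nikto_cmd: assemble the command line for a host file and report basename.
# csv output is chosen so the findings can be diffed between scan runs;
# the shorter timeout follows the book's advice for many hosts on a fast link.
nikto_cmd() {
    printf 'perl ./nikto.pl -host %s -Format csv -output %s.csv -timeout 5\n' "$1" "$2"
}

# run_scan: run the scan when ./nikto.pl (assumed location) is present,
# otherwise print the command so the script can be dry-run anywhere.
run_scan() {
    cmd=$(nikto_cmd "$1" "$2")
    if [ -f ./nikto.pl ]; then
        sh -c "$cmd"
    else
        echo "nikto.pl not found in $(pwd); would run: $cmd"
    fi
}

hostfile=$(mktemp)
nikto_hostfile "$INVENTORY" > "$hostfile"
echo "host file written to $hostfile:"
cat "$hostfile"
run_scan "$hostfile" "nikto-report"
```

Because every option in the command applies to every host in the file, keep HTTPS-only and plain-HTTP servers in separate inventories if you need -ssl for one group; the book notes that -ssl, like any other option, is applied to all hosts listed.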