How to install and use Nikto utility on Ubuntu

[easyazon_link identifier=”0124116442″ locale=”US” tag=”wn0d5-20″]Nikto[/easyazon_link]- one of the open source utilities that is widely used by Pentesters. Nikto has ability to identify potentially interesting files by referencing the robots.txt file, by spidering the surface of the application, and by cycling through a list of known files that contain sensitive information.

Nikto is a web server assessment tool that is able to :

  • Examine a web server to find potential problems and security vulnerabilities, including:
  • Server and software misconfigurations
  • Default files and programs
  • Insecure files and programs
  • Outdated servers and programs

Installation as well as use is very simple on [easyazon_link identifier=”013390539X” locale=”US” tag=”wn0d5-20″]Ubuntu[/easyazon_link].

 sudo apt-get install nikto

Update nikto database befoe scan and list availbale plugins

perl nikto.pl update
perl nikto.pl -list-plugins

You can now execute for example scan of webpage www.example.com by issuing this command:

perl nikto.pl -h example.com

Scan host on multiple ports

perl nikto.pl -h www.example.com -p 80,443

As well as you can scan the host for vulnerability and show verbose output

perl nikto.pl -D v -h www.example.com

One of my favourite scan option is use Nikto to run against a host with specific options and here ar ethe options:
0 – File Upload
1 – Interesting File // we will get in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service // Scan for DDOS
7 – Remote File Retrieval – Server Wide
8 – Command Execution // Remote Shell
9 – SQL Injection // Scan for mysql vulnerabilities
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options

Here is example to use the options – use [easyazon_link identifier=”0470639539″ locale=”US” tag=”wn0d5-20″] Nikto [/easyazon_link] scan against the host in order to discover SQL vulnerabilities on the host

 perl nikto.pl -Tuning 9 -h www.example.com

One more option is also scan and save the result output into html file for later review

perl nikto.pl -Display V -o scan_result.html -Format html -h www.example.com

As you can see this [easyazon_link identifier=”1782163123″ locale=”US” tag=”wn0d5-20″]Nikto[/easyazon_link] is a perl based security testing tool and this means it will run on most operating systems with the necessary [easyazon_link identifier=”1449303587″ locale=”US” tag=”wn0d5-20″]Perl[/easyazon_link] interpreter installed.It has a lot of options and features to offer. [easyazon_link identifier=”1783284773″ locale=”US” tag=”wn0d5-20″]Nikto[/easyazon_link] is a web scanner released under the GPL license, which is used to perform comprehensive tests on Web servers for multiple items including over 6500 potentially dangerous files/CGIs.

[easyazon_image align=”none” height=”160″ identifier=”0124116442″ locale=”US” src=”http://blog.technotesdesk.com/wp-content/uploads/2015/06/51XLVHgA2fL._SL160_.jpg” tag=”wn0d5-20″ width=”130″]

Leave a Reply