In this blog, we will see how to identify security issues and vulnerabilities in a web server using an open-source tool called Nikto.
Nikto runs extensive tests against web servers, checking for over 6700 potentially dangerous files and programs, outdated versions of over 1250 servers, and version-specific problems on over 270 servers.
It also checks server configuration items such as HTTP server options and the presence of multiple index files and directories, and attempts to identify the installed web server and other software.
Nikto's plugins and scan components are updated frequently and can be updated automatically.
Nikto also reports information about files and software versions that helps a human tester carry out a more targeted penetration test.
Here are the major features of Nikto:
- SSL Support (Unix with OpenSSL or Windows with ActiveState's Perl/NetSSL)
- Full HTTP proxy support
- Checks for outdated or vulnerable web server components
- Save reports in various formats like plain text, XML, HTML, NBE, or CSV
- Template engine that allows us to customize reports easily
- Scan multiple ports on a web server or multiple servers via input file (including nmap output)
- Identifies installed software/plugins via headers, favicons, and front-end code files
- Reports unusual or custom HTTP/HTTPS headers
- Identifies interesting files and directories
Now we will see how to install Nikto on Linux.
To install Nikto, first update the APT package index:
Command: apt-get update
Then install Nikto:
Command: apt-get install nikto
Once Nikto is installed, run the command nikto -h to view the help output.
Now we will see how to scan a web server using Nikto.
Command syntax: nikto -host <IP/Host name> -port <Port Number> -Format <Report Format (csv, json, htm, nbe, sql, txt or xml)> -output <Report Name> -Display <Display Output>
Example: nikto -host 127.0.0.1 -p 3000 -Format txt -output nikto_scan.txt -Display v
(Nikto accepts -p as the short form of -port.)
Once the scan is complete, the results can be reviewed in the saved report.
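The command above scans one host and writes one report. As an added example (not code from the original post or from the Nikto project), the POSIX sh script below wraps that same invocation so it can be applied to a list of your own servers: it validates the -Format value against the list given above, builds the nikto command line, and only executes it when nikto is on PATH (or when the example's own NIKTO_DRY_RUN variable is unset). The function names, the NIKTO_DRY_RUN variable and the "host port" list-file layout are this example's assumptions, not Nikto's.

```shell
#!/bin/sh
# Added example: a small wrapper around the nikto command shown in the post.
# Function names and NIKTO_DRY_RUN are this example's own, not part of Nikto.

# Report formats accepted by -Format, as listed in the post.
NIKTO_FORMATS="csv json htm nbe sql txt xml"

# valid_format FORMAT -> returns 0 if FORMAT is one of NIKTO_FORMATS, 1 otherwise.
valid_format() {
    for f in $NIKTO_FORMATS; do
        [ "$1" = "$f" ] && return 0
    done
    return 1
}

# nikto_cmd HOST PORT FORMAT OUTFILE -> prints the nikto command line on stdout.
# Prints nothing and returns 1 when FORMAT is not an accepted report format.
nikto_cmd() {
    host=$1; port=$2; fmt=$3; out=$4
    valid_format "$fmt" || { echo "unsupported report format: $fmt" >&2; return 1; }
    printf 'nikto -host %s -port %s -Format %s -output %s -Display v\n' \
        "$host" "$port" "$fmt" "$out"
}

# run_nikto_scan HOST PORT FORMAT OUTFILE -> runs the scan when nikto is installed
# and NIKTO_DRY_RUN is not 1; otherwise it only reports the command it would run.
run_nikto_scan() {
    cmd=$(nikto_cmd "$1" "$2" "$3" "$4") || return 1
    if [ "${NIKTO_DRY_RUN:-0}" != 1 ] && command -v nikto >/dev/null 2>&1; then
        $cmd
    else
        echo "dry run (nikto not executed): $cmd" >&2
    fi
}

# scan_host_list LISTFILE FORMAT OUTDIR -> one report per "host port" line in
# LISTFILE (blank lines and lines starting with # are skipped). Report files are
# named nikto_<host>_<port>.<format> inside OUTDIR; that naming is this example's.
scan_host_list() {
    list=$1; fmt=$2; outdir=$3
    valid_format "$fmt" || { echo "unsupported report format: $fmt" >&2; return 1; }
    mkdir -p "$outdir"
    count=0
    while read -r host port; do
        [ -z "$host" ] && continue
        case $host in '#'*) continue ;; esac
        port=${port:-80}   # Nikto's default port when none is given in the list
        run_nikto_scan "$host" "$port" "$fmt" "$outdir/nikto_${host}_${port}.$fmt" || return 1
        count=$((count + 1))
    done < "$list"
    echo "$count"   # number of hosts scanned (or listed, in a dry run)
}
```

Typical use is `scan_host_list hosts.txt txt reports`, where hosts.txt holds one `host port` pair per line. Setting `NIKTO_DRY_RUN=1` prints the commands without contacting anything, which is a convenient way to review the target list before an authorised scan.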