Nikto Tutorial

Running Nikto yourself is not overly difficult. Follow through this Nikto Tutorial to get an overview of what is involved. Then you will be able to start your web server testing with one of the most well known website / server testing tools. This the same tool we use on our online nikto scanner page.

Nikto is a perl based security testing tool and this means it will run on most operating systems with the necessary Perl interpreter installed. We will guide you through using it on Ubuntu Linux, basically because it is our operating system of choice and it just works. Perl comes already installed in Ubuntu. So it is a matter of downloading the tool, unpacking it and running the command with the necessary options. In case there are any Windows users running this we will start with getting an Ubuntu install up and running.

If you are running Microsoft Windows as your main operating system you will probably find it the most convenient to run an install of Ubuntu Linux in a VM or Virtual Machine. You can test Nikto and many other open source security tools without affecting your production machine. If you require remote scanning like we do here at hackertarget.com you would do well to pay for a low cost Linux based VPS from a hosting company. Linode is an excellent option for this purpose, providing high quality and solid systems for the price.

Step 1: Install The Virtual Machine Software

We use Virtualbox as it is a free and solid virtual machine solution. Other options are VMware or Parallels.

Select Bridge for your adapter, alternatively you could do local adapter NAT or Host Only networking. Bridge mode means your VM will have an IP address on your local network making troubleshooting easier when you are playing with network based security testing tools. When you start to do any security testing you must ensure you only test on systems you own or have permission to scan.

Step 2: Ubuntu Installation

Download the latest Ubuntu iso from http://www.ubuntu.com, select the ISO as the boot media for your guest and start the virtual machine. Select the install option and Ubuntu will be installed onto the virtual hard disk on the machine.

Step 3: Nikto Installation

Perl is pre-installed in Ubuntu so all you need to do is download nikto from the project page, unpack it into a directory and start your testing.

wget https://cirt.net/nikto/nikto-2.1.4.tar.gz

You can unpack it with an archive manager tool or use tar and gzip together with this command.

tar zxvf nikto-2.1.4.tar.gz
cd nikto-2.1.4
perl nikto.pl

This should be your results from a working installation:

 - ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.4
---------------------------------------------------------------------------
+ ERROR: No host specified

       -config+            Use this config file
       -Cgidirs+           scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
       -dbcheck            check database and other key files for syntax errors
       -Display+           Turn on/off display outputs
       -evasion+           ids evasion technique
       -Format+            save file (-o) format
       -host+              target host
       -Help               Extended help information
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -mutate+            Guess additional file names
       -mutate-options+    Provide extra information for mutations
       -output+            Write output to this file
       -nocache            Disables the URI cache
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -port+              Port to use (default 80)
       -Plugins+           List of plugins to run (default: ALL)
       -root+              Prepend root value to all requests, format is /directory
       -ssl                Force ssl mode on port
       -Single             Single request mode
       -timeout+           Timeout (default 2 seconds)
       -Tuning+            Scan tuning
       -update             Update databases and plugins from CIRT.net
       -vhost+             Virtual host (for Host header)
       -Version            Print plugin and database versions
           + requires a value

    Note: This is the short help output. Use -H for full help.

The error is merely telling us we did not fill in the necessary parameters for a test to run. The SSL support can be enabled by installing the necessary perl ssl module (sudo apt-get install libnet-ssleay-perl).

For a simple test we will use test a single url.

perl nikto.pl -host http://www.google-no-dont-do-that.com

Note the above command is not recommended as you would be testing google.com and that is bad unless you have permission. Actually Google does allow testing of their services and has a bug finder program however you better read up on this before trying any testing or may just end up in a Google Goolag.

This will run a bunch of http requests that URL and web server. Note this will perform more than 2000 tests, which should be detected by any well managed Intrusion detection system, host based or network. As I said make sure you have permission!

Further information can be found in the documentation on the project page http://cirt.net/nikto2-docs/installation.html