Scan your web site and server immediately with the popular Nikto Web Scanner. This testing service can be used to test a Web Site, Virtual Host and Web Server for known security vulnerabilities and mis-configurations.
Nikto performs over 6000 tests against a website. The large number of tests for both security vulnerabilities and mis-configured web servers makes it a go to tool for many security professionals and systems administrators. It can find forgotten scripts and other hard to detect problems from an external perspective.
- Discover known web application and script vulnerabilities in a website.
- Test for web server mis-configurations that have security implications.
- Identify installed software on web servers via headers, favicons and files
- Determine how effective an intrusion detection system is performing. This scan generates a fair amount of noise that should be detected by a network or host based IDS.
How do I perform a Nikto website scan?
Enter the Web site URL, Hostname or IP Address to test. It may be a good idea depending on your web server configuration to test both the web host name and the IP address of the server. You may find there are vulnerabilities within both the default location and the virtual hosts of the web server.
Target address to scan with Nikto should use the format:
Typical website on default Port 80: www.mywebsitetotest.com
IP address of a website on Port 80: 10.3.12.31
SSL website on default Port 443: https://www.mywebsitetotest.com
Note that if you have multiple virtual hosts on a web server, to fully test the server you can run the scan against each virtual host.
Due to the number of security checks that this tool performs a scan can take up to 45 mins, depending on the speed of your web server.
Nikto does quite well in detecting web server configurations that return HTTP 200 OK on actual “page not found” results. Since Nikto is checking hundreds of URL’s for the presence of old scripts, vulnerable applications and other problems. This can sometimes result in many false positives if the detection of the 404 -> 200 is not discovered by Nikto. It is not difficult to spot as you will receive a great deal of invalid urls as positives. These are easily checked manually to ensure they are actual false positives.
About the open source Nikto tool
The Nikto web server scanner is a security tool that will test a web site for thousands of possible security issues. Including dangerous files, mis-configured services, vulnerable scripts and other issues. It is open source and structured with plugins that extend the capabilities. These plugins are frequently updated with new security checks.
Nikto is by no means a stealthy tool. It will make over 2000 HTTP GET requests to the web server, creating a large number of entries in the web servers log files. This noise is actually an excellent way to test an in place Intrusion Detection System (IDS) that is in place. Any web server log monitoring, host based intrusion detection (HIDS) or network based intrusion detection (NIDS) should detect a Nikto scan.
Custom scans can be initiated using IDS bypass methods from libwhisker, however the current version of our on-line scan is a default (no evasion) scan.
The Nikto Web Vulnerability Scanner is a popular tool found in the grab bag of many penetration testers and security analysts. It will often discover interesting information about a web server or website that can be used for deeper exploitation or vulnerability assessment.
We have put together a small tutorial on running your own installation of Nikto on Ubuntu Linux. If you are a Windows user why not have a go at running Nikto in an Ubuntu Linux virtual machine. It is all free and easy to setup. Many excellent open source security tools are available only in Linux versions.