Nikto Web Vulnerability Scan

Nikto Help

Test your web server and site with the well known Nikto Scanning Tool.

Nikto is a tool for testing your web server and web site. It checks the web server and web site for security issues using a database of URL based checks.

Enter the Web Host Target as:

www.mywebsitetotest.com or an IP address 10.3.12.31

Note that if you have multiple virtual hosts on a web server, to fully test the server you can run the scan against each virtual host.

Sample Results

---------------------------------------------------------------------------
- Nikto 1.36/1.39 - www.cirt.net
+ Target IP: xx.126.xx.110
+ Target Hostname: www.testsite.com
+ Target Port: 80
+ Start Time: Sun Jul 29 14:48:24 2007
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache
+ Server: Apache/1.3.29 (Unix) mod_perl/1.28 PHP/4.3.4
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt - contains 19 'disallow' entries which should be manually
viewed (added to mutation file lists) (GET).
+ Apache/1.3.29 appears to be outdated (current is at least
Apache/2.0.47). Apache 1.3.28 is still maintained and considered secure.
+ mod_perl/1.28 appears to be outdated (current is at least 1.99_10)
+ PHP/4.3.4 appears to be outdated (current is at least 4.3.4RC2)
+ /.htaccess - Contains authorization information (GET)
+ /.htpasswd - Contains authorization information (GET)
+ /phpBB2/includes/db.php - Some versions of db.php from phpBB2 allow
remote file inclusions. Verify the current version is running. See
http://www.securiteam.com/securitynews/5BP0F2A6KC.html for more info (GET)

Note that, due to the number of security checks this tool performs, a scan can take up to 45 mins, depending on the speed of your web server.

False Positives
Nikto does quite well in detecting web server configurations that return HTTP 200 OK on actual "page not found" results. Since Nikto checks hundreds of URLs for the presence of old scripts, vulnerable applications and other problems, this can result in many false positives if Nikto does not detect that the server answers 404s with 200. It is not difficult to spot, as you will receive a great deal of invalid URLs reported as positives. These are easily checked manually to confirm that they are in fact false positives.

More Information
Be sure to head over to the Nikto Project page for full documentation. We have also put together a tutorial for installing this great tool yourself in an Ubuntu Virtual Machine. As with all the tools we have here, our aim is to encourage users to become more familiar with the excellent open source tools and what better way to get familiar with it than to install it and run it.

Scan your web site immediately with the popular Nikto Web Scanner. It is used to test a Web Site, Virtual Host and Web Server for known security vulnerabilities and mis-configurations.

Note that you must have permission to scan the site you nominate. This is an aggressive scan and it is possible that it will upset listening services, fill up log files and trigger IDS.

Enter the URL or IP Address of the web site you wish to test; this scan can take up to 20 mins or longer to complete. Results will be emailed upon completion.

Launch Nikto Web Security Test

Access to this scan is restricted.

Membership is required to use this security scan. Immediate access is available to new members, or log in now if you have a valid membership. This restriction has recently been added; see this blog post for full details of the changes.

About Nikto

The Nikto web server scanner is a security tool that will test a web site for thousands of possible security issues, including dangerous files, mis-configured services, vulnerable scripts and other problems. It is open source and structured with plugins that extend its capabilities. These plugins are frequently updated with new security checks.

Nikto is by no means a stealthy tool. It will make over 2000 HTTP GET requests to the web server, creating a large number of entries in the web server's log files. This noise is actually an excellent way to test an Intrusion Detection System (IDS) that is in place. Any web server log monitoring, host based intrusion detection (HIDS) or network based intrusion detection (NIDS) should detect a Nikto scan.
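As an added example (not part of this page or of Nikto itself), here is a small Python log monitor that flags a Nikto-style scan in Apache combined-format access logs using the two signals described above: a User-Agent that names the tool, and a burst of 4xx responses from a single client probing URLs that do not exist. The log lines, the client addresses, the Nikto User-Agent string and the function names are all constructed or assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access log format; every sample line below is constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)  # returns None for lines that are not in combined format
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Return {client_ip: [reasons]} for clients that look like a Nikto-style scan:
    the User-Agent names the tool, or `threshold`+ 4xx responses inside `window`."""
    errors, reasons = defaultdict(list), defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        if "nikto" in rec["ua"].lower() and "user-agent names Nikto" not in reasons[rec["ip"]]:
            reasons[rec["ip"]].append("user-agent names Nikto")
        if 400 <= rec["status"] < 500:
            errors[rec["ip"]].append(rec["ts"])
    for ip, times in errors.items():
        times.sort()
        # sliding window: do any `threshold` consecutive client errors fall within `window`?
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            reasons[ip].append(f"{threshold}+ 4xx responses within {int(window.total_seconds())}s")
    return {ip: why for ip, why in reasons.items() if why}

def sample_log():
    """Constructed sample: a normal visitor plus a client probing 25 non-existent CGI paths in 25 s."""
    base = datetime(2007, 7, 29, 14, 48, 24, tzinfo=timezone.utc)
    def line(ip, sec, path, status, ua):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    lines = [line("10.3.12.31", 0, "/", 200, "Mozilla/5.0"),
             line("10.3.12.31", 40, "/missing.html", 404, "Mozilla/5.0")]
    nikto_ua = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000000)"  # assumed UA format
    lines += [line("192.0.2.77", i, f"/cgi-bin/old{i}.cgi", 404, nikto_ua) for i in range(25)]
    return lines
```

The 4xx-burst rule is the one that matters in practice, since the User-Agent header can be changed by the person running the scan while the hundreds of requests for missing files cannot be hidden from the server's own log.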

Custom scans can be initiated using IDS bypass methods from libwhisker; however, the current version of our on-line scan is a default (no evasion) scan.

We have put together a small tutorial on running your own installation of Nikto on Ubuntu Linux. If you are a Windows user, why not have a go at running Nikto in an Ubuntu Linux virtual machine? It is all free and easy to set up. Many excellent open source security tools are available only in Linux versions.
