Scan your web site and server immediately with the popular Nikto Web Scanner. This testing service can be used to test a Web Site, Virtual Host and Web Server for known security vulnerabilities and mis-configurations.
Nikto performs over 6000 tests against a website. The large number of tests for both security vulnerabilities and mis-configured web servers makes it a go to tool for many security professionals and systems administrators. It can find forgotten scripts and other hard to detect problems from an external perspective.
Detect vulnerabilities in web servers, web applications and management scripts
- Discover known web application and script vulnerabilities in a website
- Test for web server configuration errors that may have security implications
- Identify installed software on web servers via headers, favicons and files
- Assess effectiveness of an intrusion detection system (IDS)
- Membership includes access to 27 Vulnerability Scanners and OSINT Tools
- Trusted Open Source Tools
How do I perform a Nikto website scan?
Selecting Target Address to Scan
Targets can be entered individually or as a list for bulk uploads:
www.mywebsitetotest.com - Typical website on default Port 80 10.3.12.31 - IP address of a website on Port 80 https://www.mywebsitetotest.com - SSL website on default Port 443
Testing Virtual Hosts with Nikto
If your web server hosts multiple sites using virtual hosts. You should test each virtual host using Nikto to get greater vulnerability coverage. In fact it can be helpful to scan the IP address as well as the hostname of the server to ensure all paths are tested for any vulnerable web applications and scripts.
Lengthy Nikto run time
Due to the number of security checks that this tool performs a scan can take 45 mins or even longer, depending on the speed of your web server.
False Positives with Nikto
Nikto does quite well in detecting web server configurations that return HTTP 200 OK on actual “page not found” results. Since Nikto is checking hundreds of URL’s for the presence of old scripts, vulnerable applications and other problems. This can sometimes result in many false positives if the detection of the 404 -> 200 is not discovered by Nikto. It is not difficult to spot as you will receive a great deal of invalid urls as positives. These are easily checked manually to ensure they are actual false positives.
About the open source Nikto tool
The Nikto web server scanner is a security tool that will test a web site for thousands of possible security issues. Including dangerous files, mis-configured services, vulnerable scripts and other issues. It is open source and structured with plugins that extend the capabilities. These plugins are frequently updated with new security checks.
Nikto is by no means a stealthy tool. It will make over 2000 HTTP GET requests to the web server, creating a large number of entries in the web servers log files. This noise is actually an excellent way to test an in place Intrusion Detection System (IDS) that is in place. Any web server log monitoring, host based intrusion detection (HIDS) or network based intrusion detection (NIDS) should detect a Nikto scan.
Custom scans can be initiated using IDS bypass methods from libwhisker, however the current version of our on-line scan is a default (no evasion) scan.
The Nikto Web Vulnerability Scanner is a popular tool found in the grab bag of many penetration testers and security analysts. It will often discover interesting information about a web server or website that can be used for deeper exploitation or vulnerability assessment.
We have put together a small tutorial on running your own installation of Nikto on Ubuntu Linux. If you are a Windows user why not have a go at running Nikto in an Ubuntu Linux virtual machine. It is all free and easy to setup. Many excellent open source security tools are available only in Linux versions.