Nikto Web Scanner
||This article is written like a manual or guidebook. (May 2015) (Learn how and when to remove this template message)|
|Stable release||2.1.5 / December 17, 2012|
Nikto Web Scanner is a Web server scanner that tests Web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received.
The Nikto code itself is Open Source (GPL), however the data files it uses to drive the program are not.
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
There are some variations of Nikto, one of which is MacNikto. MacNikto is an AppleScript GUI shell script wrapper built in Apple's Xcode and Interface Builder, released under the terms of the GPL. It provides easy access to a subset of the features available in the Open Source, command-line driven Nikto web security scanner, installed along with the MacNikto application.  
Nikto is an open source software which acts as a web server scanner which performs multiple tests against web servers for many items which include 6500 potentially dangerous CGIs or files. It also checks for outdated versions of about 1250 servers. It also checks for about the problems on specific servers of about 270 kinds. It checks for server configuration items.
To open up Nikto on Kali Linux:
Kali Linux > Vulnerability Analysis > Misc Scanners > Nikto
Once you have opened up Nikto from the menu, you can see the help options by typing nikto -help I won't explain each option in detail as it is self-explanatory.
Now this is how to use it.
- If you want to perform a database check then you need to type in nikto -dbcheck
- If you want to update your software( regardless of release date, it just takes a few seconds ) then type in nikto -update
- Before and after updating the software you can check the version of the software and to do the same you need to type in nikto -Version
- Now if in case you need to find out the plugins then you can type in nikto -list-plugins
- Now, the real game, the vulnerability check can be done by typing in the following syntax :
nikto -h <domain name>
for example: nikto -h www.anything(domain).com
After that you will be shown a detailed scan and you will also get to know how you will be able to penetrate the website. for example, you may get a message that shall tell you that Attackers may be able to crash FrontPage by requesting a DOS Device.
By pressing any of the below you can turn on or off the following features even during an active scan.
SPACE - Report current scan status
v - Turn verbose mode on/off
d - Turn debug mode on/off
e - Turn error reporting on/off
p - Turn progress reporting on/off
r - Turn redirect display on/off
c - Turn cookie display on/off
o - Turn OK display on/off
a - Turn auth display on/off
q - Quit
N - Next host
P - Pause
- "Data file distributed with Nikto with non-Open Source licence notice at the top".
- "OSVDB Profile".[dead link]
- "Yet another Nikto GUI".