Install and Use Nikto Web Scanner on Ubuntu 20.04

Hello folks, today we are going to learn how to install and use Nikto web scanner on Ubuntu 20.04 server.

Nikto is a Perl based open-source web vulnerability scanner that can unearth every other potential threat on your web server including but not limited to;

• Insecure files and programs
• Outdated servers and programs
• Server and software misconfigurations
• Default files and programs

Nikto can run on almost any Operating system with Perl interpreter installed. It supports SSL, proxies, host authentication, attack encoding, IDS evation etc.

Installing Nikto Web Scanner on Ubuntu 20.04

Install Nikto on Ubuntu 20.04

Installation of nikto on Ubuntu 20.04 is pretty straight forward as the package is available on the default repositories. Thus, run the commands below to install nikto.

Update your package repos and upgrade your server;

apt update

Install Nikto on Ubuntu 20.04

Perl is already installed on Ubuntu 20.04:

apt list perl -a

Listing... Done
perl/focal-updates,focal-security,now 5.30.0-9ubuntu0.2 amd64 [installed,automatic]
perl/focal 5.30.0-9build1 amd64

Therefore, the command below will install Nikto and all the required dependencies.

apt install nikto -y

Basic Usage of Nikto

The basic nikto command line syntax is:

nikto [options...]

When run without any command line options, it shows basic description of various command options;

nikto

- Nikto v2.1.5
---------------------------------------------------------------------------
+ ERROR: No host specified

       -config+            Use this config file
       -Display+           Turn on/off display outputs
       -dbcheck            check database and other key files for syntax errors
       -Format+            save file (-o) format
       -Help               Extended help information
       -host+              target host
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -output+            Write output to this file
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -Plugins+           List of plugins to run (default: ALL)
       -port+              Port to use (default 80)
       -root+              Prepend root value to all requests, format is /directory 
       -ssl                Force ssl mode on port
       -Tuning+            Scan tuning
       -timeout+           Timeout for requests (default 10 seconds)
       -update             Update databases and plugins from CIRT.net
       -Version            Print plugin and database versions
       -vhost+             Virtual host (for Host header)
   		+ requires a value

	Note: This is the short help output. Use -H for full help text.

If you want to see more details about the options above, run the command below;

nikto -H

Using Nikto to Perform Web Scanning

In this section, we are going to see how Nikto is used with various command line options shown above to perform web scanning.

In its basic functionality, Nikto requires just an host an to scan. The target host can be specified with the -h or -host option. For example, to scan a web server whose IP address is 192.168.60.19, run Nikto as follows;

nikto -host 192.168.60.19

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.60.19
+ Target Hostname:    dvwa.kifarunix-demo.com
+ Target Port:        80
+ Start Time:         2021-07-12 19:24:17 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.37 (rocky)
+ Retrieved x-powered-by header: PHP/7.4.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie PHPSESSID created without the httponly flag
+ Cookie security created without the httponly flag
+ Root page / redirects to: login.php
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x1a 0x5c6f1b510366c 
+ File/dir '/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /config/: Directory indexing found.
+ /config/: Configuration information may be available remotely.
+ OSVDB-3268: /tests/: Directory indexing found.
+ OSVDB-3092: /tests/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /docs/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
+ 6544 items checked: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2021-07-12 19:24:26 (GMT0) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

As you can see from the output, when the target host is specified without a port, nikto scans port 80 by default.

However, if your web server is running on a different port, you have to specify the port using the -p or -port option.

See example below;

nikto -h 192.168.60.15 -p 8080

If you have multiple virtualhosts on the same host server listening on different ports, you can specify multiple ports by separating them with comma.

nikto -h 192.168.60.19 -p 8080,8888

You can also specify a range of ports in the format port1-portN for example,

nikto -h 192.168.60.19 -p 8080-8888

Instead of using the IP address to specify the target host, URLs can also be used for example;

nikto -h mydvwa.example.com

nikto -h https://mydvwa.example.com

You can also specify the port when you use URL;

nikto -h mydvwa.example.com -p 8080

nikto -h https://mydvwa.example.com -p 8443

or

nikto -h mydvwa.example.com:8080

nikto -h https://mydvwa.example.com:8443/

As much as target hosts can be specified using the -p option, it is also possible to specify a file containing a list of target hosts one per line. For instance, you file should should contains the targets in the format;

cat scan-targets

https://mydvwa.example.com:443/
192.168.60.19:8888
192.168.43.101

To scan these hosts at the same time, run the command below;

nikto -h scan-targets

It is also possible to scan the hosts in a network listening on web server ports using Nmap and pass the output to nikto. For example to scan for open port 80 in a network, 192.168.43.0/24,

nmap -p80 192.168.43.0/24 -oG - | nikto -h -

If you are going through a proxy server, you can ask nikto to use proxy by using the -useproxy option. You can set the proxy details on the nikto configuration file, /etc/nikto/config.txt or you can it on the command line as shown below;

To define the proxy server details in the /etc/nikto/config.txt file, use the format;

PROXYHOST=192.168.20.45
PROXYPORT=3128
PROXYUSER=username
PROXYPASS=password

When you have defined the proxy details as shown above, then run nikto as follows;

nikto -h 192.168.20.128 -useproxy

To specify the proxy connection details on the command line;

nikto -h 192.168.20.128 -useproxy http://id:[email protected]:3128/

nikto -h 192.168.20.128 -useproxy http://@192.168.20.23:3128/

Nikto can export scan results in different formats; CSV, HTML, XML, NBE, text. To save the results in a specific output format, you need to specify the -o/-output option as well as the -Format option to define the output format. See examples below to save the scan results in html format.

nikto -h 192.168.60.19 -o test.html -F html

You can therefore access the report via web browser. See screenshot below;

Nikto can also be fine tuned to perform specific scans. Below is a description of the tuning options that can be used to achieve this functionality.

1 - Interesting File / Seen in logs
2 - Misconfiguration / Default File
3 - Information Disclosure
4 - Injection (XSS/Script/HTML)
5 - Remote File Retrieval - Inside Web Root
6 - Denial of Service
7 - Remote File Retrieval - Server Wide
8 - Command Execution / Remote Shell
9 - SQL Injection
0 - File Upload
a - Authentication Bypass
b - Software Identification
c - Remote Source Inclusion
x - Reverse Tuning Options (i.e., include all except specified)

For example, to test for SQL Injection and Remote File Retrieval – Server Wide, you would use nikto like;

nikto -h 192.168.60.19 -Tuning 79 -o test.html -F html

Sample command output;

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.60.19
+ Target Hostname:    dvwa.kifarunix-demo.com
+ Target Port:        80
+ Start Time:         2021-07-12 19:35:10 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.37 (rocky)
+ Retrieved x-powered-by header: PHP/7.4.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie PHPSESSID created without the httponly flag
+ Cookie security created without the httponly flag
+ Root page / redirects to: login.php
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x1a 0x5c6f1b510366c 
+ File/dir '/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 21 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2021-07-12 19:35:10 (GMT0) (0 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Feel free to explore the basic usage of other command line options from Nikto Documentation page.

Other Tutorials

Detecting Malicious Files with Wazuh and VirusTotal

Intercept Malicious File Upload with ModSecurity and ClamAV

Install and use ClamAV on Ubuntu 20.04