Scripts · 15 May 2026 · 1 min read

Nikto — Open-Source Web Server Vulnerability Scanner

A comprehensive web server scanner that tests for thousands of dangerous files, outdated software, and server misconfigurations during security assessments.

Agent ready

This asset can be read and installed directly by an Agent.

TokRepo also provides a generic CLI command, an install contract, metadata JSON, per-adapter install plans and a link to the raw content, so an Agent can judge fit, risk and the next action.

Native · 98/100 · Policy: allow
Agent entry point: any MCP/CLI Agent
Type: Skill
Install: Single
Trust level: Established
Entry: Nikto Overview
Generic CLI install command:
npx tokrepo install d10cf7ca-509b-11f1-9bc6-00163e2b0d79

Introduction

Nikto is a web server scanner that performs comprehensive tests against web servers for multiple security issues. It checks for over 7,000 potentially dangerous files, outdated server software versions, and server configuration problems. It is a foundational tool in web application security testing.

What Nikto Does

  • Scans web servers for known vulnerable scripts, files, and programs
  • Detects outdated server software versions with known security issues
  • Identifies server configuration problems like directory listing and missing headers
  • Tests for default credentials on administrative interfaces
  • Checks SSL/TLS configuration and certificate issues

Architecture Overview

Nikto is written in Perl and uses a plugin-based scanning architecture. The core engine manages target connections, handles HTTP requests, and coordinates plugin execution. A database of known checks (CSV format) defines tests for specific vulnerabilities, files, and version signatures. Plugins extend the scanner with protocol-specific tests like SSL analysis and authentication brute-forcing.

Self-Hosting & Configuration

  • Requires Perl with LibWhisker2 and Net::SSLeay modules
  • Available in most Linux distribution repositories and in Kali Linux by default
  • Configuration file (nikto.conf) sets defaults for user agent, proxy, and timeouts
  • Scan databases can be updated with nikto -update for the latest vulnerability checks
  • Supports HTTP and SOCKS proxy routing for testing through network boundaries

Key Features

  • Tests for over 7,000 potentially dangerous files and CGI scripts
  • Checks over 1,250 outdated server software versions
  • Multiple output formats including HTML, XML, CSV, JSON, and plain text
  • SSL/TLS testing for cipher strength, certificate validity, and protocol support
  • Tuning options to focus scans on specific vulnerability categories

Comparison with Similar Tools

  • OWASP ZAP — full proxy-based web app scanner; Nikto focuses on server-level checks
  • Nmap (NSE scripts) — network-level scanning with some HTTP checks; Nikto goes deeper on web-specific issues
  • Nuclei — template-based scanner with community templates; Nikto has a longer history and broader built-in database
  • Wapiti — Python web vulnerability scanner; Nikto is faster for server-level checks
  • Arachni — automated web app security scanner; more comprehensive for app-layer testing but heavier

FAQ

Q: How frequently is the vulnerability database updated? A: The scan database receives regular updates. Run nikto -update to pull the latest checks from the project repository.

Q: Can Nikto scan HTTPS sites? A: Yes. It supports SSL/TLS connections and can also evaluate cipher suite and certificate configuration.

Q: Is Nikto stealthy? A: No. Nikto is designed for speed and thoroughness, not evasion. It generates significant traffic and is easily detected by IDS/WAF systems.

Q: Can I scan multiple targets? A: Yes. Pass a file of target hosts with the -h flag or use the -host option with comma-separated values.
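The FAQ above notes that Nikto is easy to detect. As an added example (not from this page or the Nikto project), the Python below flags a Nikto run in combined-format access logs using two signals: the default User-Agent, which nikto.conf sets to a string containing "Nikto/" unless an operator changes it, and a sweep of many distinct paths answered 404 from one client, which survives a rewritten User-Agent. The log lines are constructed for the demo.

```python
import re
from collections import defaultdict

# Combined log format (Apache/nginx): ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for the demo, not captured from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
203.0.113.7 - - [15/May/2026:10:00:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.4 - - [15/May/2026:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.4 - - [15/May/2026:10:00:02 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.4 - - [15/May/2026:10:00:03 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.4 - - [15/May/2026:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.9 - - [15/May/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
192.0.2.9 - - [15/May/2026:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_nikto(log_text, min_404_paths=4):
    """Return {client_ip: set(signals)} for clients that look like a Nikto run.
    "nikto-user-agent": default User-Agent self-identifies (assumes nikto.conf unchanged).
    "404-sweep": at least min_404_paths distinct paths answered 404, the shape of a
    dangerous-file sweep even when the User-Agent has been rewritten.
    """
    missing = defaultdict(set)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or differently formatted lines
        if "nikto" in rec["ua"].lower():
            findings[rec["ip"]].add("nikto-user-agent")
        if rec["status"] == "404":
            missing[rec["ip"]].add(rec["path"])
    for ip, paths in missing.items():
        if len(paths) >= min_404_paths:
            findings[ip].add("404-sweep")
    return dict(findings)

if __name__ == "__main__":
    for ip, signals in sorted(detect_nikto(SAMPLE_LOG).items()):
        print(ip, sorted(signals))
```

Tune min_404_paths against your own baseline, since a browser fetching a missing favicon or a broken link must not trip the sweep rule.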
