How to use NIKTO
Before attacking any website, a hacker or penetration tester will first compile a list of target surfaces. After they've used some good recon and found the right places to point their scope at, they'll use a web server scanning tool such as Nikto for hunting down vulnerabilities that could be potential attack vectors.
Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software.
Installing Nikto
If it's not installed, you can install it with the apt-get install nikto command:
nikto -H
You can check the manual or usage of Nikto by executing the nikto -H or nikto -help command.
Usage of Nikto
You can use Nikto by typing nikto followed by the target domain name (nikto www.domain.com).
Since we are not allowed to test any other website without written permission, we will test against our local Apache server.
That IP (192.168.1.7) is my public Apache server's IP, which is running in a Windows 7 virtual machine, and I'm testing from my Kali Linux virtual machine. Later this IP will change to a different IP (192.168.1.10) because I turned my machine off during the making of this article.

The scan result shows some vulnerabilities like:
- The anti-clickjacking X-Frame-Options header is not present.
Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.
Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it.
There are several variations of the clickjacking attack, such as:
- Likejacking – a technique in which the Facebook “Like” button is manipulated, causing users to “like” a page they actually did not intend to like.
- Cursorjacking – a UI redressing technique that changes the cursor for the position the user perceives to another position. Cursorjacking relies on vulnerabilities in Flash and the Firefox browser, which have now been fixed.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
Solution: Configure your web server to include an X-Frame-Options header.
- The X-XSS-Protection header is not defined. (cross-site scripting attack or inline JavaScript attack)
Without this header, the browser's cross-site scripting filter is not explicitly enabled, so an attacker can use a cross-site scripting attack to hijack scripts on the target.
- + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST.
A Cross-Site Tracing (XST) attack involves the use of Cross-site Scripting (XSS) and the TRACE or TRACK HTTP methods. TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information.
- + OSVDB-3268: /img/: Directory indexing found.
- + OSVDB-3092: /img/: This might be interesting...
- + OSVDB-3268: /icons/: Directory indexing found.
- + OSVDB-3233: /icons/README: Apache default file found. (allows attackers to write anywhere in the file system.)
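To confirm on a server you administer that these findings are actually fixed, the following added check (not part of the original article) parses a raw HTTP response offline and reports which of the findings above still apply; both sample responses are constructed rather than captured from the author's server.

```python
import re

# Constructed sample responses (not captures from the article's server): the first mirrors
# the unhardened state Nikto flagged; the second is the same server after the usual Apache
# fixes ("Header always set X-Frame-Options SAMEORIGIN", "TraceEnable off", "Options -Indexes").
UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Index of /img</title></head><body>...</body></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Welcome</title></head><body>ok</body></html>"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def check_hardening(raw):
    """Return the Nikto findings from the article that still apply; [] means all pass."""
    _, headers, body = parse_response(raw)
    findings = []
    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "")
    # Clickjacking: need X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options header is not present")
    # XSS: X-XSS-Protection is a legacy header; any Content-Security-Policy counts as well.
    if "x-xss-protection" not in headers and not csp:
        findings.append("X-XSS-Protection header is not defined")
    # XST: TRACE/TRACK must no longer be advertised in the Allow header.
    methods = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    if methods & {"TRACE", "TRACK"}:
        findings.append("HTTP TRACE method is active")
    # Directory indexing: Apache's autoindex page titles itself "Index of /<path>".
    if re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append("Directory indexing found")
    return findings
```

Feed it the output of a HEAD/OPTIONS request and a GET of the directory you fixed; an empty list means the four findings Nikto raised no longer apply.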
Now I will test on my WordPress test site, which I have installed in the XAMPP htdocs folder.
-list-plugins
nikto -h 192.168.1.10/testsite -list-plugins
-list-plugins:
This option will list all plugins that Nikto can run against targets and then will exit without performing a scan. These can be tuned for a session using the -plugins option.
The output format is:
Plugin name
full name – description
Display the process
nikto -D v -h 192.168.1.10
While scanning for vulnerabilities we can watch the process; to see the live process we need to use the Display option.
nikto.pl -D v -h www.google.com
Where,
- -D = Display
- v = Verbose
- -h = hostname
Scan report
Scan and save the result to a file using the command below.
nikto -o /root/Desktop/nikto_scan_result.html -Format html -h 192.168.1.10
After the scan completes, we get the result in HTML format in the output file given to -o.