Finding Technical Weakness with Nikto
7 min read
In the previous article of this series, we learned how to use Recon-ng. Through this tool, we have known how we can gather information about our target. Now it's time to identify technical weakness the target may have in its services like web apps, networks, servers, etc...
But before doing so keep in mind that Nikto sends a huge amount of requests which may crash your target application or service. So, it's recommended to use Nikto in a sandboxed environment, or in a target, you have permission to run this tool.
For the purpose of this tutorial, we will be using the DVWA running in our Vmware instance as part of Metasploitable2.
The primary purpose of Nikto is to find web server vulnerabilities by scanning them. It can identify outdated components, and also allows you to replay your findings so that you can manually validate after a bug is mitigated or patched.
Nikto can also be used to find software and server misconfigurations as well as to locate insecure and dangerous files and scripts. In addition to that, it also provides full proxy support so that you can use it will Burp or ZAP.
According to the MITRE ATT&CK framework, Nikto falls under the Technical Weakness Identification category. That means by using this tool an attacker can leverage T1293: Analyze application security posture and T1288: Analyze architecture and configuration posture.
If you want to follow along with this tutorial, make sure you have setup DVWA properly and have Installed Nikto on your system. The easiest way to get started is to use an OS like Kali or Parrot with a Metasploitable instance running in your virtualized environment.
Anyway, when you are all ready you can just type in
nikto in your command line. And it will show all the available options you can use while running Nikto.
For a detailed list of options, you can use
So we will begin our scan with the following command:
nikto --host http://192.168.128.131/dvwa
Now it will start an automated scan. Depending on your internet speed and the server these scans can take a lot of time. So, in that scenario, if you want to know the progress of your scan you can type the spacebar to see the progress and status of your current scan.
One of the great features of Nikto is its capability of using plugins, you can list all the available plugins by using this command:
and now you should be able to see a huge list of plugins you can use with your scan. Now, let's see how can we use those plugins. Robots.txt files are extremely useful when comes to pen-testing, those files tell some of the restricted parts of the website, which are generally not available to the users.
By using the Robots plugin we can leverage the capability of Nikto to automatically find some useful or restricted URLs in the robots.txt file.
nikto -Plugins robots -host http://192.168.128.131/mutillidae/
Now we can see it has found 6 entries in the robots.txt files which should be manually reviewed. If it was something sensitive like
/etc/passwd then it would have itself gone and check for those directories.
Saving a scan
We can save a Nikto scan to replay later to see if the vulnerability still exists after the patch.
To save a scan we can use
-Save flag with our desired file name to save the scan file in the current directory.
nikto -host http://192.168.128.131/dvwa -Save .
So, now after running the scan the scan file will be saved in the current directory with a random name.
Replaying a scan:
After we have a save scan we can replay the scan by navigating into the generated folder and running the below script:
Using Nikto with a Proxy:
So, now that we know how to use Nikto and save the scan, we might want to know how we can intercept or log every request Nikto makes and can Fuzz or repeat those requests later with Burpsuite or OWASP ZAP.
Todo so firstly, we need to configure our proxy so that we can listen to a specific port. Here I will be using the default settings of the Burpsuite community edition, and configure Nikto to forward everything to that proxy.
To do so we can use the following script:
nikto -host http://192.168.128.131/DVWA/ -useproxy http://127.0.0.1:8080
Now that we have every request and response in our proxy we can do whatever we want like repeating the requests with the burp repeater, fuzzing endpoints with the burp intercept and the possibility is endless.
If you want to automatically log everything from Nikto to a proxy with the same settings. You can edit the config file of Nikto located at
/etc/nikto.conf and uncomment and change the values of these lines with your desired settings.
... PROXY_HOST=127.0.0.1 PROXY_PORT=8080 ...
Now, after adding the proxy settings in the config file we don't need to specify the URL and port of our proxy we can just run this:
nikto -host http://192.168.128.131/DVWA/ -useproxy
Scanning an authenticated webpage:
As of now, we know the basics of Nikto, how to scan a webpage, save a scan, and performing a scan with a proxy. But what if our target application is behind a login page.
In that scenario, we can use the session cookie of that webserver after we have logged in and pass it in Nikto to perform an authenticated scan.
So to provide Nikto with a session cookie, First, we will grab our session cookie from the website by using Burp, ZAP, or Browser Devtools. If you are using Burp or ZAP then you can turn on Break or the intruder after login and can grab the cookie from there.
If you are using Devtools you can switch to the network tab and can click on a 200 OK response (of course, after login), and from there you can grab the session cookie.
Once we have our session cookie we need to add it to the config file of Nikto located at
After opening the file, we will use the
STATIC-COOKIE parameter and pass our cookie to it. Once we do so, it will look something like this:
... # Cookies: send cookies with all requests # Multiple can be set by separating with a semi-colon, e.g.: # "cookie1"="cookie value";"cookie2"="cookie val" #STATIC-COOKIE="name=value";"something=nothing"; STATIC-COOKIE="security=high";"PHPSESSID=c6f4e63d1a43d816599af07f52b3a631"; ...
Now, every time we run Nikto it will run authenticated scans through our web app. But remember to change the session cookie every time.
Now, up to this point, we know how we can use Nikto and we can also perform some advanced scans. But Nikto is mostly used in automation in the DevSecOps pipeline. You will not be manually performing and testing everything each time.
To fit this tool in our DevSecOps pipeline we need a way to somehow generate a report on every scan. The good news is Nikto developers have kept this thing in mind. So that we bother less about generating reports and focus more on our pen-testing.
Nikto gives us options to generate reports on the various formats so that we can fit the tool on our automation pipeline.
So, the next time you run Nikto, if you want to generate a report you can do it by using this:
nikto -host http://192.168.128.131/DVWA/ -Format htm -output nikto.html
Once, your scan has been completed you can view the report in your browser and it should look like this:
Great, now if you want to generate the report in any other format for further automation you can do it by just changing the
-Format and the
-output name to your desired format and output.
In this article, we looked at Nikto, understood how we can use it in general, and also in some advanced scenarios. We also looked at how we can Proxy our scans into Burpsuite and ZAP then finally we understood how we can fit Nikto in our automation pipeline and generate reports.
Nikto has the capabilities to be integrated with other tools like Metasploit, Nmap, Nessus, etc... In this article, we just saw it's integration with Burpsuite.
We've only scratched the surface of what Nikto can do. To know more about the tool and its capabilities you can see its documentation.
But at a minimum, I hope you've gained enough of an understanding that you can begin putting this capability to work for you immediately. Thank you for reading this article, and I hope you join me to add to your arsenal of red team tools in the series and enhance it in the future. Till then have a nice day...