Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
NIKTO(1)							      NIKTO(1)

       nikto - Scan web	server for known vulnerabilities

       /usr/local/bin/nikto [options...]

       Examine a web server to find potential problems and security
       vulnerabilities,	including:

       o   Server and software misconfigurations

       o   Default files and programs

       o   Insecure files and programs

       o   Outdated servers and	programs

       Nikto is	built on LibWhisker (by	RFP) and can run on any	platform which
       has a Perl environment. It supports SSL,	proxies, host authentication,
       IDS evasion and more. It	can be updated automatically from the
       command-line, and supports the optional submission of updated version
       data back to the	maintainers.

       Below are all of	the Nikto command line options and explanations. A
       brief version of	this text is available by running Nikto	with the -h
       (-help) option.

	   Scan	these CGI directories. Special words "none" or "all" may be
	   used	to scan	all CGI	directories or none, (respectively). A literal
	   value for a CGI directory such as "/cgi-test/" may be specified
	   (must include trailing slash). If this is option is not specified,
	   all CGI directories listed in config.txt will be tested.

	   Specify an alternative config file to use instead of	the config.txt
	   located in the install directory.

	   Check the scan databases for	syntax errors.

	   Control the output that Nikto shows.	See Chapter 5 for detailed
	   information on these	options. Use the reference number or letter to
	   specify the type, multiple may be used:

	   1 - Show redirects

	   2 - Show cookies received

	   3 - Show all	200/OK responses

	   4 - Show URLs which require authentication

	   D - Debug Output

	   V - Verbose Output

	   Specify the LibWhisker IDS evasion technique	to use (see the
	   LibWhisker docs for detailed	information on these). Use the
	   reference number to specify the type, multiple may be used:

	   1 - Random URI encoding (non-UTF8)

	   2 - Directory self-reference	(/./)

	   3 - Premature URL ending

	   4 - Prepend long random string

	   5 - Fake parameter

	   6 - TAB as request spacer

	   7 - Change the case of the URL

	   8 - Use Windows directory separator (\)

	   Only	discover the HTTP(S) ports, do not perform a security scan.
	   This	will attempt to	connect	with HTTP or HTTPS, and	report the
	   Server header.

	   Save	the output file	specified with -o (-output) option in this
	   format. If not specified, the default will be taken from the	file
	   extension specified in the -output option. Valid formats are:

	   csv - a comma-seperated list

	   htm - an HTML report

	   txt - a text	report

	   xml - an XML	report

	   Host(s) to target. Can be an	IP address, hostname or	text file of
	   hosts. A single dash	(-) maybe used for stdout. Can also parse nmap
	   -oG style output

	   Display extended help information.

	   ID and password to use for host Basic host authentication. Format
	   is "id:password".

	   Will	list all plugins that Nikto can	run against targets and	then
	   will	exit without performing	a scan.	These can be tuned for a
	   session using the -plugins option.

	   The output format is:

	   Plugin name

	    full name -	description

	    Written by author, Copyright (C) copyright

	   Specify mutation technique. A mutation will cause Nikto to combine
	   tests or attempt to guess values. These techniques may cause	a
	   tremendous amount of	tests to be launched against the target. Use
	   the reference number	to specify the type, multiple may be used:

	   1 - Test all	files with all root directories

	   2 - Guess for password file names

	   3 - Enumerate user names via	Apache (/~user type requests)

	   4 - Enumerate user names via	cgiwrap	(/cgi-bin/cgiwrap/~user	type

	   5 - Attempt to brute	force sub-domain names,	assume that the	host
	   name	is the parent domain

	   6 - Attempt to guess	directory names	from the supplied dictionary

	   Provide extra information for mutates, e.g. a dictionary file

	   Do not perform name lookups on IP addresses.

	   Do not use SSL to connect to	the server.

	   Disable 404 (file not found)	checking. This will reduce the total
	   number of requests made to the webserver and	may be preferable when
	   checking a server over a slow link, or an embedded device. This
	   will	generally lead to more false positives being discovered.

	   Write output	to the file specified. The format used will be taken
	   from	the file extension. This can be	over-riden by using the
	   -Format option (e.g.	to write text files with a different
	   extenstion. Existing	files will have	new information	appended.

	   Select which	plugins	will be	run on the specified targets. A	comma
	   separated list should be provided which lists the names of the
	   plugins. The	names can be found by using -list-plugins.

	   There are two special entries: ALL, which specifies all plugins
	   shall be run	and NONE, which	specifies no plugins shall be run. The
	   default is ALL

	   TCP port(s) to target. To test more than one	port on	the same host,
	   specify the list of ports in	the -p (-port) option. Ports can be
	   specified as	a range	(i.e., 80-90), or as a comma-delimited list,
	   (i.e., 80,88,90). If	not specified, port 80 is used.

	   Seconds to delay between each test.

	   Prepend the value specified to the beginning	of every request. This
	   is useful to	test applications or web servers which have all	of
	   their files under a certain directory.

	   Only	test SSL on the	ports specified. Using this option will
	   dramatically	speed up requests to HTTPS ports, since	otherwise the
	   HTTP	request	will have to timeout first.

	   Perform a single request to a target	server.	Nikto will prompt for
	   all options which can be specified, and then	report the detailed
	   output. See Chapter 5 for detailed information.

	   Seconds to wait before timing out a request.	Default	timeout	is 10

	   Tuning options will control the test	that Nikto will	use against a
	   target. By default, if any options are specified, only those	tests
	   will	be performed. If the "x" option	is used, it will reverse the
	   logic and exclude only those	tests. Use the reference number	or
	   letter to specify the type, multiple	may be used:

	   0 - File Upload

	   1 - Interesting File	/ Seen in logs

	   2 - Misconfiguration	/ Default File

	   3 - Information Disclosure

	   4 - Injection (XSS/Script/HTML)

	   5 - Remote File Retrieval - Inside Web Root

	   6 - Denial of Service

	   7 - Remote File Retrieval - Server Wide

	   8 - Command Execution / Remote Shell

	   9 - SQL Injection

	   a - Authentication Bypass

	   b - Software	Identification

	   c - Remote Source Inclusion

	   x - Reverse Tuning Options (i.e., include all except	specified)

	   The given string will be parsed from	left to	right, any x
	   characters will apply to all	characters to the right	of the

	   Use the HTTP	proxy defined in the configuration file.

	   Update the plugins and databases directly from

	   Display the Nikto software, plugin and database versions.

	   Specify the Host header to be sent to the target.

	   The Nikto configuration file. This sets Nikto's global options.
	   Several nikto.conf files may	exist and are parsed in	the below
	   order. As each configuration	file is	loaded is supersedes any
	   previously set configuration:

	   o   System wide (e.g. /etc/nikto.conf)

	   o   Home directory (e.g. $HOME/nikto.conf)

	   o   Current directory (e.g. ./nikto.conf)

	   db files are	the databases that nikto uses to check for
	   vulnerabilities and issues within the web server.

	   All nikto's plugins exist here. Nikto itself	is just	a wrapper
	   script to manage CLI	and pass through to the	plugins.

	   Contains the	templates for nikto's output formats.

       The current features are	not supported:

       o   SOCKS Proxies

       Nikto was originally written and	maintained by Sullo, CIRT, Inc.	It is
       currently maintained by David Lodge. See	the main documentation for
       other contributors.

       All code	is (C) CIRT, Inc., except LibWhisker which is (C) rfp.labs
       ( Other portions of code may be (C) as specified.

       Nikto Homepage[1]

	1. Nikto Homepage

				  01/19/2010			      NIKTO(1)


Want to link to this manual page? Use this URL:

home | help