Nikto -- Scan Vulnerabilities on Websites

Nikto is an open source web server vulnerability scanner that runs from the command line. It performs comprehensive tests against web servers, including checks for over 6700 potentially dangerous files and programs, outdated versions of over 1250 servers, and version-specific problems on over 270 servers. Nikto can find vulnerabilities on hosts and web servers, and it comes pre-installed with Kali Linux.

[Screenshot: Nikto, the Kali Linux web vulnerability scanner]


To use Nikto on Kali Linux, we open a Terminal and run the following command to see the full list of options:

nikto -H

We can see the detailed options in the following screenshot:

[Screenshot: nikto -H option list]

Now we run the tool against a vulnerable web target. In our case Damn Vulnerable Web Application (DVWA) is running on localhost, so we point Nikto at it with the following command:

nikto -h http://127.0.0.1
The scan takes some time to complete. The result looks like the following screenshot:

[Screenshot: nikto scan results against 127.0.0.1]

Here we see the details Nikto has found on this web server.

If we want to run only a specific category of tests, we use the -Tuning option:

nikto -h http://127.0.0.1 -Tuning 9
This restricts Nikto to tuning category 9, which is SQL Injection. The tuning categories and the other options are listed in the -H (help) menu. Tuning only limits which checks run: a tuned scan is faster but reports findings in the selected categories only, so a scan without -Tuning remains the full baseline. Adding x to the tuning string reverses the selection and runs everything except the listed categories.


Nikto is an automated tool that finds CGI and other dangerous files and scans for vulnerabilities. If we want to save the scan results to analyze later, we add the output options to the command:

nikto -h http://127.0.0.1 -output /root/Desktop/nikto-scans -Format html
This command saves our scan result in /root/Desktop/nikto-scans as an HTML report. If -Format is omitted, Nikto infers the format from the extension of the filename given to -output.

[Screenshot: nikto run with -output and -Format html]

The HTML file looks like the following screenshot:

[Screenshot: the saved HTML report]


We can also choose other output formats with -Format, such as txt (plain text), xml, nbe (Nessus NBE) or csv; run nikto -H to see the full list supported by your version.
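The -Tuning and -output/-Format steps above are usually combined when more than one target has to be scanned. The following POSIX sh wrapper is an added example for this tutorial, not code shipped with Nikto: it reads targets from a file, runs one tuned scan per target, and writes one report per target with a filesystem-safe name. It assumes nikto is on PATH (true on Kali) and uses only the -h, -Tuning, -output and -Format options shown above; the NIKTO_DRY_RUN=1 variable and the targets file format are conventions of this script, not Nikto's.

```shell
#!/bin/sh
# nikto-batch.sh: run nikto against every target listed in a file, one report
# per target, using the -Tuning / -output / -Format options shown above.
# Added example for this tutorial, not code shipped with Nikto. Assumptions:
# nikto is on PATH (true on Kali), and NIKTO_DRY_RUN=1 is a convention of this
# script that prints the commands instead of running them.

# Turn a target URL into a filesystem-safe report base name:
#   http://127.0.0.1:8080/dvwa/  ->  127.0.0.1_8080_dvwa
report_name() {
    printf '%s' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' \
                           -e 's#/*$##' \
                           -e 's#[^A-Za-z0-9._-]#_#g'
}

# Print the nikto command line for one target.
#   $1 target URL   $2 tuning string ("9" = SQL Injection, "" = all tests)
#   $3 output dir   $4 report format (csv, txt, xml, nbe, or the html used above)
nikto_cmd() {
    target=$1; tuning=$2; outdir=$3; fmt=$4
    cmd="nikto -h $target"
    [ -n "$tuning" ] && cmd="$cmd -Tuning $tuning"
    printf '%s -output %s/%s.%s -Format %s\n' \
        "$cmd" "$outdir" "$(report_name "$target")" "$fmt" "$fmt"
}

# Scan every non-blank, non-comment line of a targets file.
#   $1 targets file   $2 tuning string   $3 output dir   $4 format (default csv)
# A target whose report already exists is skipped, so re-running the script
# after adding targets only scans the new ones.
scan_targets() {
    targets=$1; tuning=$2; outdir=$3; fmt=${4:-csv}
    mkdir -p "$outdir" || return 1
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$targets" |
    while read -r target; do
        report="$outdir/$(report_name "$target").$fmt"
        if [ -e "$report" ]; then
            echo "skip $target: $report exists" >&2
            continue
        fi
        if [ "${NIKTO_DRY_RUN:-0}" = 1 ]; then
            nikto_cmd "$target" "$tuning" "$outdir" "$fmt"
            continue
        fi
        echo "scanning $target -> $report" >&2
        # Build the argument list explicitly so URL characters such as '?' and
        # '&' never go through word splitting or globbing.
        set -- -h "$target" -output "$report" -Format "$fmt"
        [ -n "$tuning" ] && set -- "$@" -Tuning "$tuning"
        nikto "$@"
    done
}

# Usage: sh nikto-batch.sh targets.txt 9 /root/Desktop/nikto-scans csv
if [ "$#" -ge 3 ]; then
    scan_targets "$@"
fi
```

Run it first with NIKTO_DRY_RUN=1 to review exactly which commands will be executed against which hosts before any traffic is sent; the targets file should contain only hosts you have written permission to test.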

This is how we use Nikto on Kali Linux to scan for vulnerabilities. Attackers take advantage of such vulnerabilities, but that is a crime, and even scanning for vulnerabilities without permission can be a crime.

So we always recommend getting written permission for the penetration test before scanning, and reporting the findings to the admins of the web application so they can fix them.

If you liked our tutorials, follow us on Blogger and Twitter and visit our site regularly.

2 comments:

  1. Really its very useful information that you have shared and thanks for sharing the information with us.
    123.hp.com/dj3755
    123.hp.com/dj3630


