Nikto is a non-stealth web vulnerability scanner, so don't think the NSA doesn't know you are using it. The tool makes it easy to get some quick results, so I especially recommend it to beginners.
The real charm of Nikto is that most positive results come with a layman's description and a link. (Read the contents of these links to become better at life.)
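Since the scanner is non-stealth, it is worth seeing what it looks like from the other side. The example below is added here and is not part of the original post or of the Nikto project: it parses a few constructed web-server access-log lines (combined log format) and flags a client as a probable Nikto scan on two signals, the default User-Agent string that Nikto sends, which contains "Nikto/<version>", and a burst of 404 responses from one address. The log lines, addresses and threshold are made up for the example; the 404 rule is there because the User-Agent can be changed in the scanner's configuration and a log-based detection should not rely on it alone.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access-log lines; not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
198.51.100.23 - - [10/Oct/2023:13:55:42 +0000] "GET /icons/README HTTP/1.1" 200 5108 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000005)"
192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Nikto's default User-Agent carries its name and version in parentheses.
NIKTO_UA_RE = re.compile(r'\(Nikto/(?P<version>[\d.]+)\)')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_nikto(log_text, not_found_threshold=3):
    """Return {ip: summary} for clients that look like a Nikto scan.

    Signals: the default User-Agent (high confidence) and a burst of 404s
    from one client (lower confidence, but survives a changed User-Agent).
    The threshold is an assumed value for the example, not a Nikto constant.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                  "ua_hits": 0, "versions": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if rec["status"] == "404":
            stats["not_found"] += 1
        m = NIKTO_UA_RE.search(rec["ua"])
        if m:
            stats["ua_hits"] += 1
            stats["versions"].add(m.group("version"))

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["ua_hits"]:
            reasons.append("nikto user-agent")
        if s["not_found"] >= not_found_threshold:
            reasons.append("404 burst")
        if reasons:
            findings[ip] = {
                "reasons": reasons,
                "requests": s["requests"],
                "not_found": s["not_found"],
                "versions": sorted(s["versions"]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_nikto(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample above only 198.51.100.23 is reported, on both signals; the Firefox and curl clients are left alone. In a real deployment the 404 count should be computed per time window rather than over the whole file.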
You can initiate your first scan with this command:
nikto -h <IP or Host name>
Let's see what we get!
The first line is a fingerprint of the server's operating system. Sometimes you get very specific info, sometimes you don't. Obviously we didn't get very specific data here.
Next come the header scanner and the cookie scanner, standard stuff.
The next line of real interest, and I wish they made it stand out more, is:
Web Server returns a valid response with junk HTTP methods, this may cause false positives.
Be sure to keep an eye out for this line. It usually means the site is using some type of URL routing functionality, i.e. ng-route or $.route/$.Observe, which answers every request instead of returning a 404.
Then, when the fluff clears, all that is left is a field of OSVDB numbers. I know I have not discussed OSVDB before, but you can check it out here: http://osvdb.org/. To be brief, it is a well-known and widely used repository of vulnerabilities, and I will probably give it its own blog post in the future.
But for today, just know that each of those numbers can be looked up at osvdb.org to find an in-depth explanation.
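The two things the text above tells you to watch for, the "junk HTTP methods" warning and the OSVDB numbers, can be pulled out of a saved report automatically. The script below is an added example, not code from the original post or from Nikto: it reads a constructed excerpt modelled on Nikto's plain-text "+ ..." report lines, collects the OSVDB findings grouped by ID, builds a lookup URL for each (the URL pattern http://osvdb.org/<id> is assumed here), and marks every finding as needing manual verification when the junk-methods warning was present, since a catch-all route makes path-based hits unreliable.

```python
import re

# Constructed excerpt of a Nikto text report, modelled on its "+ ..." line
# format; this is not output from a real scan.
SAMPLE_REPORT = """\
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.0.2.10
+ Target Hostname:    www.example.com
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /backup/: This might be interesting...
+ 6544 requests: 0 error(s) and 6 item(s) reported on remote host
"""

# A finding line: "+ OSVDB-<id>: <path>: <description>"
FINDING_RE = re.compile(r'^\+ OSVDB-(?P<id>\d+): (?P<path>\S+): (?P<desc>.*)$')
# Substring of the warning line the post tells you to watch for.
JUNK_METHODS_MARKER = "junk HTTP methods"
# Assumed lookup URL pattern for the example.
OSVDB_URL = "http://osvdb.org/{}"


def parse_report(text):
    """Return (junk_methods_seen, findings) from Nikto text output.

    Each finding is a dict with the OSVDB id, the path that triggered it,
    the description and a reference URL. Lines that are not findings
    (banner, target block, summary) are ignored.
    """
    junk = False
    findings = []
    for line in text.splitlines():
        if JUNK_METHODS_MARKER in line:
            junk = True
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append({
                "osvdb": int(m.group("id")),
                "path": m.group("path"),
                "desc": m.group("desc"),
                "ref": OSVDB_URL.format(m.group("id")),
            })
    return junk, findings


def triage(text):
    """Group findings by OSVDB id and attach a confidence label.

    With the junk-methods warning present, the server answered 200 to
    requests it should have rejected, so every path-based hit needs to be
    confirmed by hand before it is treated as real.
    """
    junk, findings = parse_report(text)
    by_id = {}
    for f in findings:
        by_id.setdefault(f["osvdb"], []).append(f["path"])
    rows = []
    for osvdb, paths in sorted(by_id.items()):
        rows.append({
            "osvdb": osvdb,
            "paths": paths,
            "ref": OSVDB_URL.format(osvdb),
            "confidence": "verify manually" if junk else "as reported",
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(f"OSVDB-{row['osvdb']:<6} {row['confidence']:<16} "
              f"{', '.join(row['paths'])}  {row['ref']}")
```

Feed it a report saved with Nikto's -o option (or piped through tee) instead of the embedded sample; the grouping step is what turns a long "field of OSVDB numbers" into a short list of distinct issues to read up on.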
An exhaustive list of nikto commands can be found here: https://cirt.net/nikto2-docs/options.html
But I'll talk about some of the more interesting ones here.
nikto -evasion 8 -h <IP or Host name>
The -evasion option takes one or more of the following codes:
1: Random URI encoding (non-UTF8)
2: Directory self-reference (/./)
3: Premature URL ending
4: Prepend long random string
5: Fake parameter
6: TAB as request spacer
7: Change the case of the URL
8: Use Windows directory separator (\)
A: Use a carriage return (0x0d) as a request spacer
B: Use binary value 0x0b as a request spacer
nikto -no404 -h <IP or Host name>
The -no404 option disables 404 checking and will help keep your scan from turning into a DoS.
nikto -Tuning 4 -h <IP or Host name>
Not looking to throw the book at a target? You can use the -Tuning option with the codes listed below to waste less time and only scan what you are interested in:
0: File Upload
1: Interesting File / Seen in logs
2: Misconfiguration / Default File
3: Information Disclosure
4: Injection (XSS/Script/HTML)
5: Remote File Retrieval - Inside Web Root
6: Denial of Service
7: Remote File Retrieval - Server Wide
8: Command Execution / Remote Shell
9: SQL Injection
a: Authentication Bypass
b: Software Identification
c: Remote Source Inclusion
x: Reverse Tuning Options (i.e., include all except specified)