Nikto web server assessment tool

nikto - web server security scanner

Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.

Requirements

Any system which supports a basic PERL installation should allow Nikto to run. It has been extensively tested on. For SSL support the Net::SSLeay PERL module must be installed (which in turn requires OpenSSL on the Unix platform).

The nmap scanner can also be used, if desired. In some cases using nmap will slow down Nikto execution, as it must call an external program. For scanning many ports across one or more servers, using nmap will be faster than using Nikto’s internal PERL scanning.

PERL: http://www.cpan.org/
LibWhisker: http://www.wiretrip.net/
ActiveState Perl: http://www.activestate.com/
OpenSSL: http://www.openssl.org/
nmap: http://insecure.org/

Download

http://cirt.net/nikto/nikto-current.tar.gz

Unpack the download file:

tar -xvfz nikto-current.tar.gz

Basic Testing

The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:

perl nikto.pl -h 192.168.0.1

To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:

perl nikto.pl -h 192.168.0.1 -p 443

Hosts, ports and protocols may also be specified by using a full URL syntax, and it will be scanned:

perl nikto.pl -h https://192.168.0.1:443/

There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.