Nikto v2 / The Manual


Table of Contents

1. Introduction
Overview
Description
Advanced Error Detection Logic
History
Documentation
2. Installation
Requirements
Install
3. Usage
Basic Testing
Multiple Port Testing
Multiple Host Testing
Using a Proxy
Updating
4. All Options
5. Detailed Options
Mutation Techniques
Display
Scan Tuning
Single Request Mode
6. Output and Reports
Export Formats
HTML Customization
7. Test & Code Writing
Scan Database Field Values
User-Defined Tests
Scan Database Syntax
Plugins
Code Copyrights
8. Troubleshooting
SOCKS Proxies
9. Licenses
Nikto
LibWhisker
Tests
10. Credits
Nikto
Thanks

Chapter 1. Introduction

Overview

Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.

Description

Nikto is PERL software designed to find many types of web server problems, including:

  • Server and software misconfigurations

  • Default files and programs

  • Insecure files and programs

  • Outdated servers and programs

Nikto is built on LibWhisker (by RFP) and can run on any platform which has a PERL environment, and supports SSL, proxies, host authentication, IDS evasion and more. It can be updated automatically from the command-line, and supports the optional submission of updated version data back to the maintainers.

The name "Nikto" is taken from the movie "The Day the Earth Stood Still", and of course subsequent abuse by Bruce Campbell in "Army of Darkness". More information on the pop-culture popularity of Nikto can be found at http://www.blather.net/blather/2005/10/klaatu_barada_nikto_the_day_th.html

Advanced Error Detection Logic

Nikto version 2.0 utilizes multiple methods to understand how a server responds to various requests. Nikto will use the fastest and most accurate method of determining if a request is successful. This could mean relying on basic HTTP response codes, on page content, or even on md5 hashing of content (minus some common date/time strings). When testing starts against a server, tests are performed to determine which type works best for the server and file type location. This eliminates many of the false-positives common in other web scanners, including the 1.xx tree of Nikto.
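The following is an added illustration of the hash-based approach described above, not code from Nikto itself: a baseline is taken from the server's answer to a file that cannot exist, and a test response counts as a hit only if its status code (or, for servers that answer 200 to everything, its date-stripped md5 hash) differs from that baseline. The date/time patterns and the sample responses are assumptions constructed for the example.

```python
import hashlib
import re

# Date/time forms stripped before hashing. This list is an assumption for
# the example; the manual does not enumerate the strings Nikto removes.
DATE_PATTERNS = [
    re.compile(r"\b(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),? \d{1,2} "
               r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} "
               r"\d{2}:\d{2}:\d{2}(?: GMT)?"),                   # RFC 1123 style
    re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?"),  # ISO style
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),                  # 9/11/2007
    re.compile(r"\b\d{2}:\d{2}(?::\d{2})?\b"),                   # bare clock time
]

def normalize(body):
    """Remove volatile date/time strings and collapse whitespace so two
    renderings of the same error page hash identically."""
    for pat in DATE_PATTERNS:
        body = pat.sub("", body)
    return re.sub(r"\s+", " ", body).strip()

def content_hash(body):
    return hashlib.md5(normalize(body).encode("utf-8")).hexdigest()

def build_baseline(status, body):
    """Record how the server answers a request for a file that cannot exist
    (status code plus normalized content hash)."""
    return {"status": status, "hash": content_hash(body)}

def looks_found(baseline, status, body):
    """Decide whether a test response is a real hit. If the server returns
    a non-200 code for missing files, the status code alone is trusted;
    if it answers 200 to everything, fall back to the content hash."""
    if baseline["status"] != 200:
        return status == 200
    if status != 200:
        return False
    return content_hash(body) != baseline["hash"]

# Constructed responses: a server that answers 200 with a timestamped error page
ERROR_PAGE_A = ("<html><body>File not found.\n"
                "Generated Tue, 11 Sep 2007 10:15:22 GMT</body></html>")
ERROR_PAGE_B = ("<html><body>File not found.\n"
                "Generated Tue, 11 Sep 2007 10:15:23 GMT</body></html>")
REAL_PAGE = "<html><body><h1>Apache HTTP Server Manual</h1></body></html>"

if __name__ == "__main__":
    base = build_baseline(200, ERROR_PAGE_A)
    print(looks_found(base, 200, ERROR_PAGE_B))   # False: same error page
    print(looks_found(base, 200, REAL_PAGE))      # True: different content
```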

History

The Nikto 1.00 Beta was released on December 27, 2001, (followed almost immediately by the 1.01 release). Over the course of two years Nikto's code evolved into the most popular freely available web vulnerability scanner.

The 2.0 release in September, 2007 represents over two years of improvements.

Documentation

This document is a trimmed version of a larger work, available at http://cirt.net/ .

Chapter 2. Installation

Requirements

Any system which supports a basic PERL installation should allow Nikto to run. It has been extensively tested on:

  • Windows (using ActiveState Perl)

  • Mac OSX

  • Various Linux and Unix installations (including RedHat, Solaris, Debian and multiple implementations of Knoppix)

The only required PERL module that does not come standard is LibWhisker. Nikto comes with and is configured to use a local LW.pm file (in the plugins directory), but users may wish to change Nikto to use a version installed on the system. See Section 2 for further information.

For SSL support the Net::SSLeay PERL module must be installed (which in turn requires OpenSSL on the Unix platform). Windows support for SSL is dependent on the installation package, but is rumored to exist for ActiveState's Perl.

The nmap scanner can be used, if desired. In some cases using nmap will slow down Nikto execution, as it must call an external program. For scanning many ports across one or more servers, using nmap will be faster than using Nikto's internal PERL scanning.

Install

These instructions do not include information on installing PERL, PERL Modules, OpenSSL or LibWhisker.

Unpack the Nikto distribution file:

gzip -d nikto-current.tar.gz

tar -xvf nikto-current.tar

Assuming a standard OS/PERL installation, Nikto should now be usable. See Chapter 4 (Options) or Chapter 8 (Troubleshooting) for further configuration information.

Chapter 3. Usage

Basic Testing

The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:

perl nikto.pl -h 192.168.0.1

To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:

perl nikto.pl -h 192.168.0.1 -p 443

There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.

Multiple Port Testing

Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). This will scan the host on ports 80, 88 and 443.

perl nikto.pl -h 192.168.0.1 -p 80,88,443

Multiple Host Testing

Nikto supports scanning multiple hosts in the same session via a text file of host names or IPs. Instead of giving a host name or IP for the -h (-host) option, a file name can be given. Ports can be separated from the host and other ports via a colon or a comma. If no port is specified, port 80 is assumed.

This is an example of a valid hosts file:

192.168.0.1:80

192.168.0.2,80

192.168.0.3

192.168.0.1,80,443

192.168.0.1:80:443

localhost:8888
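As an added example (not part of Nikto), the parser below reads the hosts file format shown above into (host, ports) pairs, accepting both colon and comma separators and defaulting to port 80. It goes slightly beyond the manual: port fields may also use the -p range and list syntax (80-90, 80,88,90), and blank lines and lines starting with "#" are skipped, both of which are assumptions of this example.

```python
import re

DEFAULT_PORT = 80  # Nikto assumes port 80 when none is given

def parse_port_spec(spec):
    """Expand a -p style port spec: single ports, ranges (80-90) and
    comma lists (80,88,90) may be mixed, e.g. '80,443,8000-8002'."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError("bad range %r" % part)
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError("port out of range: %d" % p)
    return ports

def parse_hosts_file(text):
    """Parse the -h hosts file format: one host per line, ports appended
    with ':' or ',' separators; missing ports default to 80.
    Returns a list of (host, [ports]) in file order. Note that bare IPv6
    literals cannot be used here, since ':' is a separator."""
    targets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: allow blanks/comments
            continue
        fields = re.split(r"[:,]", line)
        host = fields[0].strip()
        if not host:
            raise ValueError("line %d: missing host" % lineno)
        port_fields = [f for f in fields[1:] if f.strip()]
        ports = parse_port_spec(",".join(port_fields)) if port_fields else [DEFAULT_PORT]
        targets.append((host, ports))
    return targets

# Constructed sample file matching the manual's example
SAMPLE_HOSTS = """\
192.168.0.1:80
192.168.0.2,80
192.168.0.3
192.168.0.1,80,443
192.168.0.1:80:443
localhost:8888
"""

if __name__ == "__main__":
    for host, ports in parse_hosts_file(SAMPLE_HOSTS):
        print(host, ports)
```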

Using a Proxy

If the machine running Nikto only has access to the target host (or update server) via an HTTP proxy, the test can still be performed. Set the PROXY* variables (as described in section 4), then execute Nikto with the -u (-useproxy) option. All connections will be relayed through the HTTP proxy specified in the configuration file.

perl nikto.pl -h 192.168.0.1 -p 80 -u

Updating

To update to the latest plugins and databases, simply run Nikto with the -update command.

perl nikto.pl -update

Note

The -update option cannot be abbreviated.

Screen output will show if updates have been downloaded or if none are required. Updates may also be manually downloaded from http://updates.cirt.net/

Chapter 4. All Options

Below are all of the Nikto command line options and explanations. A brief version of this text is available by running Nikto with the -h (-help) option.

-Cgidirs

Scan these CGI directories. Special words "none" or "all" may be used to scan all CGI directories or none, (respectively). A literal value for a CGI directory such as "/cgi-test/" may be specified (must include trailing slash). If this option is not specified, all CGI directories listed in config.txt will be tested.

-config

Specify an alternative config file to use instead of the config.txt located in the install directory.

-dbcheck

Check the scan databases for syntax errors. Also checks the plugins to ensure they are called properly and have an entry in the plugins_order.txt.

-evasion

Specify the LibWhisker IDS evasion technique to use (see the LibWhisker docs for detailed information on these). Use the reference number to specify the type, multiple may be used:

1 - Random URI encoding (non-UTF8)

2 - Directory self-reference (/./)

3 - Premature URL ending

4 - Prepend long random string

5 - Fake parameter

6 - TAB as request spacer

7 - Change the case of the URL

8 - Use Windows directory separator (\)

-findonly

Only discover the HTTP(S) ports, do not perform security scan. This will attempt to connect with HTTP or HTTPS, and report the Server header.

-Format

Save the output file specified with -o (-output) option in this format. If not specified, default is "txt". Valid formats are:

csv - a comma-separated list

htm - an HTML report

txt - a text report

xml - an XML report

-host

Host(s) to target. Can be an IP address, hostname or text file of hosts.

-Help

Display extended help information.

-id

ID and password to use for Basic host authentication. Format is "id:password".

-mutate

Specify mutation technique. A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target. Use the reference number to specify the type, multiple may be used:

1 - Test all files with all root directories

2 - Guess for password file names

3 - Enumerate user names via Apache (/~user type requests)

4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)

-nolookup

Do not perform name lookups on IP addresses.

-output

Write output to the file specified. Format is defined in -F (-Format), default is text. Existing files will have new information appended.

-port

TCP port(s) to target. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). If not specified, port 80 is used.

-Pause

Seconds to delay between each test.

-Display

Control the output that Nikto shows. See Chapter 5 for detailed information on these options. Use the reference number or letter to specify the type, multiple may be used:

1 - Show redirects

2 - Show cookies received

3 - Show all 200/OK responses

4 - Show URLs which require authentication

D - Debug Output

V - Verbose Output

-root

Prepend the value specified to the beginning of every request. This is useful to test applications or web servers which have all of their files under a certain directory.

-ssl

Only test SSL on the ports specified. Using this option will dramatically speed up requests to HTTPS ports, since otherwise the HTTP request will have to timeout first.

-Single

Perform a single request to a target server. Nikto will prompt for all options which can be specified, and then report the detailed output. See Chapter 5 for detailed information.

-timeout

Seconds to wait before timing out a request. Default timeout is 10 seconds.

-Tuning

Tuning options will control the test that Nikto will use against a target. By default, if any options are specified, only those tests will be performed. If the "x" option is used, it will reverse the logic and exclude only those tests. Use the reference number or letter to specify the type, multiple may be used:

0 - File Upload

1 - Interesting File / Seen in logs

2 - Misconfiguration / Default File

3 - Information Disclosure

4 - Injection (XSS/Script/HTML)

5 - Remote File Retrieval - Inside Web Root

6 - Denial of Service

7 - Remote File Retrieval - Server Wide

8 - Command Execution / Remote Shell

9 - SQL Injection

a - Authentication Bypass

b - Software Identification

g - Generic (Don't rely on banner)

x - Reverse Tuning Options (i.e., include all except specified)

-useproxy

Use the HTTP proxy defined in the config.txt file.

-update

Update the plugins and databases directly from cirt.net.

-Version

Display the Nikto software, plugin and database versions.

-vhost

Specify the Host header to be sent to the target.

Chapter 5. Detailed Options

Mutation Techniques

A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target, and are often impractical. Use the reference number to specify the type, multiple may be combined.

1 - Test all files with all root directories.

2 - Guess for password file name.

3 - Enumerate user names via Apache (/~user type requests).

4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests).

Display

The -Display option takes the following values (multiple may be combined):

1 - Show redirects. This will display all requests which elicit a "redirect" response from the server.

2 - Show cookies received. This will display all cookies that were sent by the remote host.

3 - Show all 200/OK responses. This will show all responses which elicit an "okay" (200) response from the server. This could be useful for debugging.

4 - Show URLs which require authentication. This will show all responses which elicit an "authorization required" header.

D - Debug Output. Show debug output, which shows the verbose output and extra information such as variable content.

V - Verbose Output. Show verbose output, which typically shows where Nikto is during program execution.

Scan Tuning

Scan tuning can be used to decrease the number of tests performed against a target. By specifying the type of test to include or exclude, faster, focused testing can be completed. This is useful in situations where the presence of certain file types is undesired--such as XSS or simply "interesting" files.

Test types can be controlled at an individual level by specifying their identifier to the -T (-Tuning) option. In the default mode, if -T is invoked only the test type(s) specified will be executed. For example, only the tests for "Remote file retrieval" and "Command execution" can be performed against the target:

perl nikto.pl -h 192.168.0.1 -T 58

If an "x" is passed to -T, the include or exclude logic is reversed such that all tests except those specified will be performed. In this example, all tests except "Remote file retrieval" and "Command execution" are performed against the target:

perl nikto.pl -h 192.168.0.1 -T 58x

The valid tuning options are:

0 - File Upload. Exploits which allow a file to be uploaded to the target server.

1 - Interesting File / Seen in logs. An unknown but suspicious file or attack that has been seen in web server logs (note: if you have information regarding any of these attacks, please contact CIRT, Inc.).

2 - Misconfiguration / Default File. Default files or files which have been misconfigured in some manner. This could be documentation, or a resource which should be password protected.

3 - Information Disclosure. A resource which reveals information about the target. This could be a file system path or account name.

4 - Injection (XSS/Script/HTML). Any manner of injection, including cross site scripting (XSS) or content (HTML). This does not include command injection.

5 - Remote File Retrieval - Inside Web Root. Resource allows remote users to retrieve unauthorized files from within the web server's root directory.

6 - Denial of Service. Resource allows a denial of service against the target application, web server or host (note: no intentional DoS attacks are attempted).

7 - Remote File Retrieval - Server Wide. Resource allows remote users to retrieve unauthorized files from anywhere on the target.

8 - Command Execution / Remote Shell. Resource allows the user to execute a system command or spawn a remote shell.

9 - SQL Injection. Any type of attack which allows SQL to be executed against a database.

a - Authentication Bypass. Allows client to access a resource it should not be allowed to access.

b - Software Identification. Installed software or program could be positively identified.

c - Remote source inclusion. Software allows remote inclusion of source code.

x - Reverse Tuning Options. Perform exclusion of the specified tuning type instead of inclusion of the specified tuning type.

Single Request Mode

The single option allows manual setting of most variables used by Nikto and LibWhisker, and upon completion will display both the request and the result of the operation.

Most options have a default value or can be left blank. True and false are specified by numeric equivalents, 1 and 0 respectively.

Chapter 6. Output and Reports

Export Formats

Nikto saved output comes in three flavors: text, CSV or HTML. When using -o (output), an output format may be specified with -F (Format). Text format is assumed if nothing is specified with -F. The DTD for the Nikto XML format can be found in the 'docs' directory (nikto.dtd).

HTML Customization

HTML reports are generated from template files located in the "templates" directory. Variables are defined as #variable-name, and are replaced when the report is generated.

The files "htm_start.tmpl" and "htm_end.tmpl" are included at the beginning and end of the report (respectively). The "htm_summary.tmpl" also appears at the beginning of the report. The "htm_host_head" appears once for every host, and the "htm_host_item.tmpl" and "htm_host_im.tmpl" appear once for each item found on a host and each "informational message" per host (respectively).

All valid variables are used in these templates. Future versions of this documentation will include a list of variables and their meaning.

The copyright and OSVDB statements must not be removed from the "htm_end.tmpl" without placing them in another of the templates.

Chapter 7. Test & Code Writing

Scan Database Field Values

Though some checks can be found in other plugins, the scan_database.db contains the bulk of the web test information. Here is a description of the field values:

Test ID          Nikto test ID
OSVDB-ID         Corresponding vuln entry number for osvdb.org
Tuning Type      Applicable tuning parameters (see chapter 5)
Server Type      Generic server matching type
URI              URI to retrieve
HTTP Method      HTTP method to use for URI
Match 1          String or code to match for successful test
Match 1 (And)    String or code to also match for successful test
Match 1 (Or)     String or code to alternatively match for successful test
Fail 1           String or code to match for test failure
Fail 2           String or code to match for test failure (alternative)
Summary          Summary message to report for successful test
HTTP Data        HTTP data to be sent during POST tests
Headers          Additional headers to send during test

User-Defined Tests

Users can create their own, private tests in the user_scan_database.db file. These tests should be written exactly as they appear in scan_database.db.

For tests which require a "private" OSVDB ID, use the OSVDB ID 0 (zero). This should be used for all testing, as it is not a real vulnerability in the database.

For the "Test ID", it is recommended you use unique numbers between 400000 and 499999 to allow for growth of the Nikto database without interfering with your own tests (note: numbers above 500000 are reserved for other tests).

Scan Database Syntax

The scan database is a CSV delimited file which contains most of the tests. Fields are enclosed by quotes and separated by commas. The field order is:

Test-ID, OSVDB-ID, Tuning Type, Server Type, URI, HTTP Method, Match 1, Match 1 And, Match 1 Or, Fail 1, Fail 2, Summary, HTTP Data, Headers

Here is an example test:

"120","3092","2","generic","/manual/","GET","200","","","","","Web server manual","",""
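The following added example (a stand-alone helper, not Nikto's own -dbcheck) parses lines in the syntax above into named fields, checks a private test against the guidance in "User-Defined Tests" (Test ID in 400000-499999, OSVDB ID 0, a valid tuning type), and applies the -T selection logic from Chapter 5 ("58" keeps only types 5 and 8, "58x" keeps everything else). The two user tests in the sample are constructed for the example; the first line is the manual's own.

```python
import csv
import io

# Field order from the "Scan Database Syntax" section
SCAN_DB_FIELDS = [
    "Test-ID", "OSVDB-ID", "Tuning Type", "Server Type", "URI",
    "HTTP Method", "Match 1", "Match 1 And", "Match 1 Or", "Fail 1",
    "Fail 2", "Summary", "HTTP Data", "Headers",
]
TUNING_TYPES = set("0123456789abcg")   # types from Chapters 4/5; 'x' is a modifier
USER_ID_RANGE = (400000, 499999)       # recommended for user_scan_database.db

def parse_scan_db(text):
    """Parse scan_database.db style CSV (quoted, comma separated) into
    one dict per test, keyed by the field names above."""
    tests = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != len(SCAN_DB_FIELDS):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(SCAN_DB_FIELDS), len(row)))
        tests.append(dict(zip(SCAN_DB_FIELDS, row)))
    return tests

def check_user_test(test):
    """Syntax checks a private test should pass (empty list means OK)."""
    problems = []
    tid = test["Test-ID"]
    if not tid.isdigit() or not USER_ID_RANGE[0] <= int(tid) <= USER_ID_RANGE[1]:
        problems.append("Test-ID %r outside user range 400000-499999" % tid)
    if test["OSVDB-ID"] != "0":
        problems.append("private tests should use OSVDB-ID 0")
    if not test["Tuning Type"] or set(test["Tuning Type"]) - TUNING_TYPES:
        problems.append("invalid tuning type %r" % test["Tuning Type"])
    if not test["URI"].startswith("/"):
        problems.append("URI should start with /")
    return problems

def select_tests(tests, tuning):
    """Apply -T semantics: '58' keeps only types 5 and 8, '58x' keeps
    everything except types 5 and 8, '' keeps all tests."""
    if not tuning:
        return list(tests)
    exclude = "x" in tuning
    chosen = set(tuning.replace("x", ""))
    unknown = chosen - TUNING_TYPES
    if unknown:
        raise ValueError("unknown tuning type(s): %s" % "".join(sorted(unknown)))
    def wanted(test):
        hit = bool(set(test["Tuning Type"]) & chosen)
        return (not hit) if exclude else hit
    return [t for t in tests if wanted(t)]

# Constructed sample: the manual's example line plus two made-up user tests
SAMPLE_DB = '''"120","3092","2","generic","/manual/","GET","200","","","","","Web server manual","",""
"400001","0","58","generic","/cgi-bin/example.cgi","GET","200","","","","","Constructed user test","",""
"500001","0","4","generic","/","GET","200","","","","","Constructed test with reserved ID","",""
'''

if __name__ == "__main__":
    db = parse_scan_db(SAMPLE_DB)
    print([t["Test-ID"] for t in select_tests(db, "58")])    # ['400001']
    print([t["Test-ID"] for t in select_tests(db, "58x")])   # ['120', '500001']
```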

Plugins

Plugins are standard PERL files which follow a standard Nikto naming format. All plugins must be named in the pattern nikto_name.plugin, where "name" is the name of the plugin. The file must have a subroutine named the same as the file name without the ".plugin" extension. For example, a plugin named nikto_mycode.plugin would need a subroutine called "sub nikto_mycode()", which would be executed when called.

All plugins must also be placed in the nikto_plugin_order.txt file in the proper location for execution, otherwise they will not be called.

Code Copyrights

Any new or updated code, tests or information sent to the author is assumed to be free of copyrights. By sending new or updated code, tests or information to the author you relinquish all claims of copyright on the material, and agree that this code can be claimed under the same copyright as Nikto.

Chapter 8. Troubleshooting

SOCKS Proxies

SOCKS proxies are not currently supported by Nikto.

Chapter 9. Licenses

Nikto

Nikto is licensed under the GNU General Public License (GPL), and copyrighted by CIRT, Inc.

LibWhisker

LibWhisker is licensed under the GNU General Public License (GPL), and copyrighted by Rain Forrest Puppy.

Tests

The web tests are licensed for use with Nikto only, and may not be reused without written consent from CIRT, Inc.

Chapter 10. Credits

Nikto

Nikto is written and maintained by Sullo, CIRT, Inc. All code is © CIRT, Inc., except LibWhisker which is © rfp.labs (wiretrip.net). Other portions of code may be © as specified.

Thanks

Many people have provided feedback, fixes, and suggestions. This list attempts to make note of those people, though not all contributors are listed. In no particular order:

  • Nikto 2 Testing: Paul Woroshow, Mark G. Spencer, Michel Arboi, Jericho, rfp

  • Jericho (attrition.org/OSVDB/OSF). Support/ideas/tests/corrections/spam and help matching OSVDB IDs to tests.

  • rfp (wiretrip.net). LibWhisker and continuing support.

  • Erik Cabetas for many updates and fixes.

  • Jake Kouns (OSVDB/OSF). Support

  • Jabra (spl0it.org) for XML DTD, XML templates and supporting code.

  • Stephen Valdez. Extensive testing. We all miss you.

  • S Saady. Extensive testing.

  • Zeno (cgisecurity.com). Nikto mirroring.

  • P Eronen (nixu.com). Provided many code fixes.

  • M Arboi. Great support by writing the code to make Nikto work within Nessus, as well as bug reports.

  • T Seyrat. Maintains Nikto for the Debian releases.

  • J DePriest. Ideas/fixes.

  • P Woroshow. Ideas/fixes.

  • fr0stman. Tests.

  • H Heimann. Tests.

  • Xiola (xiola.net). Web design and more.

This document is © 2008 CIRT, Inc. and may not be reused without permission.