How Ethical Hackers Use Nikto for Website Vulnerability Scanning

Website vulnerability scanning is an essential part of cybersecurity for identifying security flaws and potential threats that hackers might exploit. Ethical hackers use various tools to test the robustness of websites and their associated infrastructures. One of the most popular tools for website vulnerability scanning is Nikto, an open-source web server scanner designed to identify a wide range of vulnerabilities.

In this article, we’ll explore how ethical hackers use Nikto to scan websites for vulnerabilities, how to set it up, and some practical examples to illustrate its capabilities.

What is Nikto?

Nikto is a command-line tool designed to perform comprehensive vulnerability scans on web servers. It identifies issues such as:

  • Outdated software versions that might have known vulnerabilities.

  • Missing security headers in HTTP responses.

  • Potentially dangerous files or scripts present on the server.

  • Default configurations that could be exploited.

  • Cross-site scripting (XSS) vulnerabilities, SQL injection points, and more.

Nikto is known for its speed, ease of use, and the extensive database of vulnerabilities and attack patterns that it supports. While it is not a comprehensive penetration testing tool, it serves as a powerful initial scanner for identifying potential weaknesses in a website’s configuration.

Setting Up Nikto for Website Vulnerability Scanning

Before ethical hackers can begin using Nikto, they must first install it on their system. Nikto is available for Linux, Windows, and macOS, and it is usually installed via package managers or from source.

Step 1: Installing Nikto

On Linux (Ubuntu/Debian-based systems):

sudo apt update
sudo apt install nikto

On macOS (using Homebrew):

brew install nikto

On Windows: Nikto is available as a Perl script, so you need to install Perl first. After installing Perl, you can download the Nikto files from GitHub or the official website, and run it directly from the command line.

Step 2: Verifying the Installation

After installation, you can verify Nikto’s installation by running:

nikto -Version

This prints the installed Nikto version, confirming that the installation succeeded.

How Ethical Hackers Use Nikto to Scan Websites

Nikto is a powerful tool, but like all tools in ethical hacking, it should be used responsibly and with permission. Scanning a website without explicit permission is illegal and unethical. Ethical hackers typically use Nikto in a controlled, authorized environment, such as a bug bounty program or an internal security audit.

Now, let’s go through a step-by-step process of how to use Nikto for scanning a website.

Step 1: Basic Website Scan

To perform a basic scan of a website with Nikto, ethical hackers simply provide the target domain or IP address. The basic syntax is as follows:

nikto -h http://example.com

This command will start scanning the target website for a range of common vulnerabilities and misconfigurations. Nikto checks for:

  • Security headers (e.g., X-Frame-Options, Strict-Transport-Security).

  • Potentially dangerous files (e.g., phpinfo.php, config.php).

  • Outdated software versions.

Example:

nikto -h http://testsite.com

Nikto will produce output like the following:

+ HTTP Response Header: Server: Apache/2.4.29 (Ubuntu)
+ OSVDB-3092: /cgi-bin/phpinfo.php: PHP Info file found.
+ OSVDB-3233: /cgi-bin/status: Server Status page found.
+ OSVDB-3092: /phpmyadmin/: phpMyAdmin directory found.
+ OSVDB-3092: /admin/: Admin page found.
+ INFO: No robots.txt found.
+ INFO: SSL: No SSL certificate found.
+ INFO: SSLv3 is disabled.
+ INFO: HTTP Methods allowed: OPTIONS, GET, HEAD, POST, PUT, DELETE.

This output provides valuable insights into potential issues with the website, such as:

  • Exposed phpMyAdmin directory.

  • Exposed administrative pages.

  • Lack of SSL certificate.

Step 2: Scan with Specific Options

Nikto allows for more refined scanning by specifying additional options to the basic scan. Some useful options include:

  • -Tuning: This flag enables or disables certain types of tests (e.g., header checks, file checks, or CGI scripts).

  • -Plugins: Selects which plugins to run, so the scan can be limited to tests for particular vulnerabilities or configurations.

Example:

nikto -h http://example.com -Tuning 1

Here, -Tuning 1 limits the scan to only file checks, skipping other checks like server information disclosure. This can be helpful if the ethical hacker is looking for specific vulnerabilities without generating unnecessary output.

Step 3: Scan with Authentication

If the target website requires HTTP authentication, Nikto can supply credentials while it scans. Use the -id option, giving the credentials as id:pass (or id:pass:realm when the server requires a realm).

Example:

nikto -h http://example.com -id username:password

This command scans the site while authenticating with the given username and password.

Step 4: Scan for Specific Vulnerabilities

Nikto allows scanning for specific types of vulnerabilities, such as SQL injection or Cross-Site Scripting (XSS), by using the appropriate flags. These types of vulnerabilities can have a significant impact on the security of web applications.

Example: To focus on SQL injection testing:

nikto -h http://example.com -Tuning 5

The -Tuning 5 flag targets tests related to SQL injection and cross-site scripting.

Step 5: Output Results in Different Formats

Nikto provides different output formats, including plain text, HTML, CSV, and XML. Ethical hackers often use these formats to generate detailed reports that can be shared with clients or included in internal documentation.

Example:

nikto -h http://example.com -o nikto_scan_results.html -Format htm

This will save the results in an HTML file, which can be opened in a web browser for easy viewing.

Step 6: Using Nikto for Follow-up Actions

Once Nikto has completed its scan, the ethical hacker can use the results to plan follow-up actions. This could include:

  • Fixing outdated software: Updating to the latest versions of software and libraries.

  • Improving HTTP security headers: Adding headers like Strict-Transport-Security or X-Content-Type-Options to mitigate attacks.

  • Securing potentially dangerous files: Removing or restricting access to files like phpinfo.php or admin directories.

  • Enforcing HTTPS: Implementing SSL/TLS certificates and ensuring that communication is encrypted.
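The plain-text output shown in Step 1 maps almost line by line onto the follow-up categories above. The following added example (not part of Nikto or of this article) sorts such output into remediation buckets; the sample lines are constructed from the output shown earlier, and the bucket names and the list of risky HTTP methods are the example's own assumptions.

```python
"""Triage Nikto plain-text output into the Step 6 remediation buckets. Added example,
not Nikto code; sample output is constructed from the article's lines, buckets are assumptions."""
from __future__ import annotations
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
+ HTTP Response Header: Server: Apache/2.4.29 (Ubuntu)
+ OSVDB-3092: /cgi-bin/phpinfo.php: PHP Info file found.
+ OSVDB-3233: /cgi-bin/status: Server Status page found.
+ OSVDB-3092: /phpmyadmin/: phpMyAdmin directory found.
+ OSVDB-3092: /admin/: Admin page found.
+ INFO: No robots.txt found.
+ INFO: SSL: No SSL certificate found.
+ INFO: SSLv3 is disabled.
+ INFO: HTTP Methods allowed: OPTIONS, GET, HEAD, POST, PUT, DELETE.
"""

# "+ OSVDB-n: /path: text" lines name files or directories to remove or restrict.
FILE_RE = re.compile(r"^\+ (OSVDB-\d+): (/[^\s:]*): (.+)$")
SERVER_RE = re.compile(r"^\+ HTTP Response Header: Server: (\S+)")
METHODS_RE = re.compile(r"^\+ INFO: HTTP Methods allowed: (.+?)\.?$")
# Methods that write to or probe the server; restrict them unless the app needs them.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}

def triage(output: str) -> dict[str, list[str]]:
    """Map each Nikto output line to a remediation bucket."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for line in output.splitlines():
        if m := FILE_RE.match(line):
            buckets["dangerous-file"].append(f"{m[2]} ({m[1]}: {m[3]})")
        elif m := SERVER_RE.match(line):
            # Banner discloses product/version: hide it and confirm it is current.
            buckets["software-version"].append(m[1])
        elif m := METHODS_RE.match(line):
            allowed = {x.strip() for x in m[1].split(",")}
            if risky := sorted(allowed & RISKY_METHODS):
                buckets["http-methods"].extend(risky)
        elif "No SSL certificate" in line:
            buckets["https"].append("no certificate: enforce HTTPS")
        elif line.startswith("+ INFO: "):
            buckets["info"].append(line[len("+ INFO: "):])
    return dict(buckets)

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_OUTPUT).items():
        print(f"[{bucket}]")
        for item in items:
            print(f"  - {item}")
```

Feeding a real scan's saved text output (nikto ... -o results.txt -Format txt) through triage() gives a first-pass work list for the fixes described in Step 6.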

Examples of Vulnerabilities Detected by Nikto

  1. Server Information Disclosure: Nikto can detect if a web server exposes information about its version (e.g., Apache/2.4.29), which can be used by attackers to exploit known vulnerabilities in that version.
  2. Outdated Software: Nikto can identify outdated versions of web applications, such as old versions of PHP or WordPress, which may have known security holes.
  3. Sensitive Files: Nikto identifies sensitive files that may be accessible from the web, such as phpinfo.php, which can provide attackers with valuable information about the server's configuration.
  4. Default Files and Directories: Nikto checks for directories or files that are typically installed by default in certain CMS or server setups, such as /phpmyadmin/, which can lead to unauthorized access.

Conclusion

Nikto is an indispensable tool for ethical hackers looking to assess the security posture of a website or web application. It provides an efficient and easy-to-use means of scanning for common vulnerabilities like outdated software, insecure HTTP headers, and sensitive files. By leveraging Nikto, ethical hackers can identify potential weaknesses in a website before they are exploited by malicious attackers.

It is important to note that while Nikto can help identify vulnerabilities, it should be used as part of a broader penetration testing or vulnerability assessment strategy, which includes additional tools and techniques for a more comprehensive evaluation of security.

By using Nikto to perform regular vulnerability scans, ethical hackers can help organizations maintain secure websites and reduce the risk of security breaches.
