Nikto v2.1.0 - The Manual

Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.

Examine a web server to find potential problems and security vulnerabilities, including:

Nikto is built on LibWhisker (by RFP) and can run on any platform which has a PERL environment. It supports SSL, proxies, host authentication, IDS evasion and more. It can be updated automatically from the command-line, and supports the optional submission of updated version data back to the maintainers.

The name "Nikto" is taken from the movie "The Day the Earth Stood Still", and of course subsequent abuse by Bruce Campbell in "Army of Darkness". More information on the pop-culture popularity of Nikto can be found at http://www.blather.net/blather/2005/10/klaatu_barada_nikto_the_day_th.html

Most web security tools, (including Nikto 1.32 and below), rely heavily on the HTTP response to determine if a page or script exists on the target. Because many servers do not properly adhere to RFC standards and return a 200 "OK" response for requests which are not found or forbidden, this can lead to many false-positives. In addition, error responses for various file extensions can differ--the "not found" response for a .html file is often different than a .cgi.

Some testing tools, such as Nessus, also look at the content of the response to help eliminate these false positives. While often effective, this method relies on pre-defined strings to help eliminate false positives.

As of version 2.0 Nikto no longer assumes the error pages for different file types will be the same. A list of unique file extensions is generated at run-time (from the test database), and each of those extensions is tested against the target. For every file type, the "best method" of determining errors is found: standard RFC response, content match or MD4 hash (in decreasing order of preference). This allows Nikto to use the fastest and most accurate method for each individual file type, and therefore help eliminate the false positives seen for some servers in version 1.32 and below.

For example, if a server responds with a 404 "not found" error for a non-existent .txt file, Nikto will match the HTTP response of "404" on tests. If the server responds with a 200 "OK" response, it will try to match on the content, and assuming it finds a match (for example, the words "could not be found"), it will use this method for determining missing .txt files. If the other methods fail, Nikto will attempt to remove date and time strings (which can constantly change) from the returned page's content, generate an MD5 hash of the content, and then match that hash value against future .txt tests. The latter is by far the slowest type of match, but in many cases will provide valid results for a particular file type.

The Nikto 1.00 Beta was released on December 27, 2001, (followed almost immediately by the 1.01 release). Over the course of two years Nikto's code evolved into the most popular freely available web vulnerability scanner. The 2.0 release, in November, 2007 represents several years of improvements.

In 2008, due to other commitments, Sullo, the original author couldn't continue to support Nikto and the code was released under the GPL and passed to the community for support.

Any system which supports a basic PERL installation should allow Nikto to run. It has been extensively tested on:

The only required PERL module that does not come standard is LibWhisker. Nikto comes with and is configured to use a local LW.pm file (in the plugins directory), but users may wish to change Nikto to use a version installed on the system. See Section 2 for further information.

For SSL support the Net::SSLeay PERL module must be installed (which in turn requires OpenSSL on the Unix platform). Windows support for SSL is dependent on the installation package, but is rumored to exist for ActiveState's Perl.

The nmap scanner can also be used, if desired. In some cases using nmap will slow down Nikto execution, as it must call an external program. For scanning many ports across one or more servers, using nmap will be faster than using Nikto's internal PERL scanning.

These instructions do not include information on installing PERL, PERL Modules, OpenSSL, LibWhisker or any of the utilities that may be needed during installation (such as gzip, tar, etc.). Please see the distributor's documentation for information on how to install and configure those software packages.

Unpack the download file:

tar -xvfz nikto-current.tar.gz

Assuming a standard OS/PERL installation, Nikto should now be usable. See Chapter 4 (Options) or Chapter 8 (Troubleshooting) for further configuration information.

The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:

perl nikto.pl -h 192.168.0.1

To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:

perl nikto.pl -h 192.168.0.1 -p 443

Hosts, ports and protocols may also be specified by using a full URL syntax, and it will be scanned:

perl nikto.pl -h https://192.168.0.1:443/

There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.

perl nikto.pl -h 192.168.0.1 -p 443 -ssl

	Note
	-mutate 1 increases the number of tests so that all filenames are tested against all databases inc db_tests. This will produce over 2,000,000 extra tests, which will use up a massive amount of resource.

More complex tests can be performed using the -mutate parameter, as detailed later. This can produce extra tests, some of which may be provided with extra parameters through the -mutate-options parameter. For example, using -mutate 3, with or without a file attempts to brute force usernames if the web server allows ~user URIs:

perl nikto.pl -h 192.168.0.1 -mutate 3 -mutate-options user-list.txt

Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). This will scan the host on ports 80, 88 and 443.

perl nikto.pl -h 192.168.0.1 -p 80,88,443

Nikto support scanning multiple hosts in the same session via a text file of host names or IPs. Instead of giving a host name or IP for the -h (-host) option, a file name can be given. A file of hosts must be formatted as one host per line, with the port number(s) at the end of each line. Ports can be separated from the host and other ports via a colon or a comma. If no port is specified, port 80 is assumed.

This is an example of a valid hosts file:

192.168.0.1:80
http://192.168.0.1:8080/
192.168.0.3

	Note
	For win32 users: due to peculiaries in the way that cmd.exe works with pipes, the above example may not work for you. In this case a temporary file will have to be used to store the output from nmap

A host file may also be an nmap output in "greppable" format (i.e. from the output from -oG).

A file may be passed to Nikto through stdout/stdin using a "-" as the filename. For example:

nmap -p80 192.168.0.0/24 -oG - | nikto.pl -h -

If the machine running Nikto only has access to the target host (or update server) via an HTTP proxy, the test can still be performed. Set the PROXY* variables (as described in section 4), then execute Nikto with the -u (-useproxy) command. All connections will be relayed through the HTTP proxy specified in the configuration file.

perl nikto.pl -h 192.168.0.1 -p 80 -u

Nikto can be automatically updated, assuming you have Internet connectivity from the host Nikto is installed on. To update to the latest plugins and databases, simply run Nikto with the -update command.

	Note
	The -update option cannot be abbreviated.

perl nikto.pl -update

If updates are required, you will see a list of the files downloaded:

 perl nikto.pl -update
 + Retrieving 'nikto_core.plugin'
 + Retrieving 'CHANGES.txt'
      

Updates may also be manually downloaded from http://www.cirt.net/

Nessus (http://www.nessus.org/nessus/) can be configured to automatically launch Nikto when it finds a web server. Ensure Nikto works properly, then place the directory containing nikto.pl in root's PATH environment variable. When nessusd starts, it should see the nikto.pl program and enable usage through the GUI.

Below are all of the Nikto command line options and explanations. A brief version of this text is available by running Nikto with the -h (-help) option.

A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target. Use the reference number to specify the type, multiple may be combined.

By default only some basic information about the target and vulnerabilities is shown. Using the -Display parameter can produce more information for debugging issues.

Scan tuning can be used to decrease the number of tests performed against a target. By specifying the type of test to include or exclude, faster, focused testing can be completed. This is useful in situations where the presence of certain file types are undesired -- such as XSS or simply "interesting" files.

Test types can be controlled at an individual level by specifying their identifier to the -T (-Tuning) option. In the default mode, if -T is invoked only the test type(s) specified will be executed. For example, only the tests for "Remote file retrieval" and "Command execution" can performed against the target:

perl nikto.pl -h 192.168.0.1 -T 58

If an "x" is passed to -T then this will negate all tests of types following the x. This is useful where a test may check several different types of exploit. For example:

perl nikto.pl -h 192.168.0.1 -T 58xb

The valid tuning options are:

Single request mode is designed to preform a solitary request against the target. This is useful to confirm a test result using the same resources Nikto used during a scan. The single option allows manual setting of most variables used by Nikto and LibWhisker, and upon completion will display both the request and the result of the operation.

Most options have a default value or can be left blank. The most common and required values are at the beginning of the "questions" section for slightly easier use. True and false are specified by numeric equivalents, 1 and 0 respectively. Please note that Single mode is not very user-friendly. Here is an example Nikto run with the -Single option.

[dave@yggdrasil nikto-2.03]$ ./nikto.pl -Single
--------------------------------------------  Nikto 2.1.0
--------------------------------------------  Single Request Mode
                              Hostname or IP: localhost
                                   Port (80):
                                     URI (/): /test.html
                                     SSL (0):
                                  Proxy host:
                                  Proxy port:
                      Show HTML Response (1):
                          HTTP Version (1.1):
                           HTTP Method (GET):
      User-Agent (Mozilla/4.75 (Nikto/2.1.0):
                     Connection (Keep-Alive):
                                        Data:
                        force_bodysnatch (0):
                             force_close (1):
                             http_space1 ( ):
                             http_space2 ( ):
                     include_host_in_uri (0):
           invalid_protocol_return_value (1):
                                max_size (0):
                             protocol (HTTP):
           require_newline_after_headers (0):
                                   retry (0):
                           ssl_save_info (0):
                                timeout (10):
                             uri_password ():
                              uri_postfix ():
                               uri_prefix ():
                                 uri_user ():
                         Enable Anti-IDS (0):
--------------------------------------------  Done with questions
        Host Name: localhost
        Host IP: 127.0.0.1
        HTTP Response Code: 404
--------------------------------------------  Connection Details
        Connection: Keep-Alive
        Host: localhost
        User-Agent: Mozilla/4.75 (Nikto/2.1.0
        data:
        force_bodysnatch: 0
        force_close: 1
        force_open: 0
        host: localhost
        http_space1:
        http_space2:
        ignore_duplicate_headers: 1
        include_host_in_uri: 0
        invalid_protocol_return_value: 1
        max_size: 0
        method: GET
        port: 80
        protocol: HTTP
        require_newline_after_headers: 0
        retry: 0
        ssl: 0
        ssl_save_info: 0
        timeout: 10
        trailing_slurp: 0
        uri: /test.html
        uri_param_sep: ?
        uri_postfix:
        uri_prefix:
        version: 1.1
--------------------------------------------  Response Headers
        Connection: close
        Content-Length: 268
        Content-Type: text/html; charset=iso-8859-1
        Date: Tue, 18 Aug 2009 10:13:57 GMT
        Server: Apache/2
        code: 404
        http_data_sent: 1
        http_eol:

        http_space1:
        http_space2:
        message: Not Found
        protocol: HTTP
        uri: /test.html
        version: 1.1
--------------------------------------------  Response Content
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /test.html was not found on this server.</p>
<hr>
<address>Apache/2 Server at localhost Port 80</address>
</body></html>

Nikto, like any non-trivial program needs to know a few things about how to work with the current environment. For most situations the default configuration file will work. Sometimes, tuning may be required, or some things may need to be changes.

Nikto will look for a configuration file in three places and if it finds one, will apply it in the strict order, listed below. A later found configuration file will overwrite any variables set in an earlier configuration file. The locations are:

The configuration files are formated like a standard Unix configuration file: blank lines are ignored, any line starting with a # is ignored, variables are set with VariableName=Value line.

The following variables may be set within the configuration file:

Nikto saved output comes in four flavours: text, CSV, XML or HTML. When using -output, an output format may be specified with -Format. Text format is assumed if nothing is specified with -Format. The DTD for the Nikto XML format can be found in the 'docs' directory (nikto.dtd).

HTML reports are generated from template files located in the templates directory. Variables are defined as #variable-name, and are replaced when the report is generated. The files htm_start.tmpl and htm_end.tmpl are included at the beginning and end of the report (respectively). The htm_summary.tmpl also appears at the beginning of the report. The htm_host_head appears once for every host, and the htm_host_item.tmpl and htm_host_im.tmpl appear once for each item found on a host and each "informational message" per host (respectively).

All valid variables are used in these templates. Future versions of this documentation will include a list of variables and their meaning.

The copyright statements must not be removed from the htm_end.tmpl without placing them in another of the templates. It is a violation of the Nikto licence to remove these notices.

Though some checks can be found in other plugins, the scan_database.db contains the bulk of the web test information. Here is a description of the field values:

Users can create their own, private tests for any of the databases. By placing a syntactically correct database file in the plugins directory, with a file name prefaced with a "u", the data will be loaded along with the built-in checks.

For example, create the file plugins/udb_tests and it will be loaded at the same time plugins/db_tests is loaded. These files will also be checked for syntax when -dbcheck is used.

For tests which require a "private" OSVDB ID, use the OSVDB ID 0 (zero). This should be used for all vulnerabilities that do not (or should not) exist in OSVDB, as ID 0 is for testing only. You are encouraged to send missing information to OSVDB at moderators@osvdb.org.

For the "Test ID", it is recommended you use unique numbers between 400000 and 499999 to allow for growth of the Nikto database without interfering with your own tests (note: numbers above 500000 are reserved for other tests).

Please help Nikto's continued success by sending test updates to <sullo@cirt.net>.

The scan database is a CSV delimited file which contains most of the tests. Fields are enclosed by quotes and separated by commas. The field order is:

Test-ID, OSVDB-ID, Tuning Type, URI, HTTP Method, Match 1, Match 1 Or, Match1 And, Fail 1, Fail 2, Summary, HTTP Data, Headers

Here is an example test:

"120","3092","2","/manual/","GET","200","","","","","Web server manual","",""

To allow a bit more flexibility, Nikto allows plugins so that there is easy expansion of existing capabilities and some future proofing.

Plugins are run in four different phases, these are:

Plugins are written in standard perl in the current context. They should be placed within the PLUGINDIR defined in the Nikto configuration file and must have a filename ending in .plugin.

An important concept to grasp about plugins and the order that are executed in is plugin weight: each phase will execute all defined plugins in the order defined by the weight. A plugin's weight is defined as a number between 1 and 100, where 1 is high priority and 100 is low priority. Plugins of equal weight will be executed in an undefined order.

 sub nikto_dictionary_attack_init
{
   my $id =
   {
      name         => "dictionary",
      full_name    => "Dictionary attack",
      author       => "Deity",
      description  => "Attempts to dictionary attack commonly known directories/files",
      recon_method => \&nikto_dictionary_attack,
      recon_cond   => '$CLI{mutate} =~ /6/',
      recon_weight => 20,
      copyright    => "2009 CIRT Inc"
   };

   return $id;
}  

"nikto_id","md5hash","description"

array[0]->{nikto_id}
array[0]->{md5hash}
array[0]->{description}

Each test, whether it comes from one of the databases or in code, must have a unique identifier. The numbering scheme for writing tests is as follows:

As much data as possible in the %TESTS hash should be populated for each new test that is defined in code (plugins). These fields include URI for the test, message to print on success, HTTP method and OSVDB ID. Without a 'message' value in %TESTS output will not be saved in HTML or XML reports. Not all tests are expected to have a uri, method or OSVDB ID. Here is an example of setting those fields:

$TESTS{999999}{uri}="/~root";
$TESTS{999999}{message}="Enumeration of users is possible by requesting ~username";
$TESTS{999999}{method}="GET";
$TESTS{999999}{osvdb}=637;

Any new or updated code, tests or information sent to the author is assumed to free of copyrights. By sending new or updated code, tests or information to the author you relinquish all claims of copyright on the material, and agree that this code can be claimed under the same copyright as Nikto.

Nikto does not currently support SOCKS proxies.

The major route to debugging Nikto requests is to use the -Display with v (verbose) or d (debug). This will output a vast amount of extra information to the screen, so it is advised to redirect output to a file when using them.

Nikto is licensed under the GNU General Public License (GPL), and copyrighted by CIRT, Inc.

LibWhisker is licensed under the GNU General Public License (GPL), and copyrighted by Rain Forrest Puppy.

The web tests are licensed for use with Nikto only, and may not be reused without written consent from CIRT, Inc.

Nikto was originally written and maintained by Sullo, CIRT, Inc. It is currently maintained by David Lodge. LibWhisker was written by Rain Forrest Puppy

Many people have provided feedback, fixes, and suggestions. This list attempts to make note of those people, though not all contributors are listed. In no particular order:

This document is © 2009 CIRT, Inc. and may not be reused without permission.