Nikto: Web application Security Scanner

Nikto is a straightforward tool for checking web server security. It identifies vulnerabilities caused by server misconfigurations, default or insecure files, and outdated server software. Nikto is built on LibWhisker2, which gives it support for multiple operating systems, SSL, host authentication methods (like NTLM/Basic), proxies, and a range of IDS evasion techniques. It can also enumerate subdomains, perform application security checks (such as XSS and SQL injection), and attempt to guess authorization credentials using dictionary attacks.


Hello everyone. Today, I'll show you how to use Nikto to discover potential security issues on websites. Let's dive in!

For this, you need three things in place:

  • First, Kali Linux installed and running on a virtual machine. The virtual machine isolates your scanning activity and protects your main computer. Configure the VM's network adapter in "Host-only" mode so that Kali can communicate with your target website.
  • Next, a website to scan. In this tutorial we use Metasploitable2, a machine deliberately built to be vulnerable for educational purposes. It gives you a safe place to practice without harming a real website. Its network adapter must also be in "Host-only" mode so that Kali can reach it.
  • Finally, a steady internet connection, which the scanning process needs in order to communicate with the target website. In your Kali VM, open Settings, then Network adapter, and confirm that the second adapter is attached to the NAT network.

Once these three prerequisites are in place, you are ready to scan target websites for vulnerabilities. To begin, we'll scan the website running on Metasploitable2.

Before proceeding with the scanning process, it's crucial to identify the target's address. Open a terminal window in Kali Linux and execute the "netdiscover" command.

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

This command acts like a digital radar, searching your network for devices. It will list the discovered devices along with their IP addresses.

We already know that Metasploitable2 serves a web page on port 80. Launch a browser and open its web interface by typing the IP address into the address bar.

Let’s first scan this webpage and list out the web vulnerabilities.

You can locate Nikto in the "Web Applications" menu in Kali Linux, typically under "Web Vulnerability Scanners," or you can run the `nikto` command directly from the console.

Executing `nikto` displays all available options with a short description of each. For fuller descriptions, you can also use `man nikto`.

$ nikto -h
Option host requires an argument

   Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -check6             Check if IPv6 is working (connects to ipv6.google.com or value set in nikto.conf)
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
       -followredirects   Follow 3xx redirects to new location
       -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               json  JSON Format
                               htm   HTML Format
                               nbe   Nessus NBE format
                               sql   Generic SQL (see docs for schema)
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              This help information
       -host+             Target host/URL
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -ipv4              IPv4 Only
       -ipv6              IPv6 Only
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host (e.g., 1h, 60m, 3600s)
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -noslash           Strip trailing slash from URL (e.g., '/admin/' to '/admin')
       -no404             Disables nikto attempting to guess a 404 page
       -Option            Over-ride an option in nikto.conf, can be issued multiple times
       -output+           Write output to this file ('.' for auto-name)
       -Pause+            Pause between tests (seconds)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Save              Save positive responses to this directory ('.' for auto-name)
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               d     WebService
                               e     Administrative Console
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -useragent         Over-rides the default useragent
       -until             Run until the specified time or duration
       -url+              Target host/URL (alias of -host)
       -usecookies        Use cookies from responses in future requests
       -useproxy          Use the proxy defined in nikto.conf, or argument http://server:port
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
       -404code           Ignore these HTTP codes as negative responses (always). Format is "302,301".
       -404string         Ignore this string in response body content as negative response (always). Can be a regular expression.
                + requires a value

┌──(kali㉿kali)-[~]
└─$

Now, let's scan our target, which is Metasploitable2. Open a new terminal and type `nikto -h` followed by the host's IP address or URL, then specify the port with `-p 80`.

┌──(kali㉿kali)-[~]
└─$ nikto -h 192.168.56.104 -p 80

Nikto scans for vulnerabilities automatically and displays the results in the terminal.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.104
+ Target Hostname:    192.168.56.104
+ Target Port:        80
+ Start Time:         2024-03-31 15:47:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ /: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /doc/: Directory indexing found.
+ /doc/: The /doc/ directory is browsable. This may be /usr/doc. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/ChangeLog: Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec  9 12:24:00 2008. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /test/: Directory indexing found.
+ /test/: This might be interesting.
+ /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpMyAdmin/: phpMyAdmin directory found.
+ /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8910 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2024-03-31 15:48:38 (GMT-4) (41 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(kali㉿kali)-[~]
└─$ 
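The console output above is what you get from Nikto; to sort it, diff it against a later scan, or feed it into a ticket, it needs parsing. The script below is an added example and is not Nikto's code or part of this tutorial: it parses Nikto's plain-text output into findings with path, message and reference, reads the summary counts, and flags a scan that Nikto cut short at its error limit (as happens to the second scan later on this page, which reported only 6 items before giving up). The regular expressions, the `Finding` and `ScanReport` classes, and the keyword-based severity rules are assumptions made for the example; the two sample excerpts are constructed from the scan output shown on this page.

```python
"""Parse Nikto's plain-text output into structured findings (added example,
not Nikto's code; regexes, severity rules and samples are assumptions)."""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Finding:
    path: str        # URL path Nikto tested; "" for host-level findings
    message: str     # Nikto's description text
    reference: str   # whatever followed "See:", if anything
    severity: str    # coarse triage label from SEVERITY_RULES


@dataclass
class ScanReport:
    server: str = ""
    requests: int = 0
    errors: int = 0
    items: int = 0
    terminated: bool = False     # Nikto gave up on the host at its error limit
    findings: list = field(default_factory=list)


# "+ /path: message. See: ref"; the path is absent for host-wide findings
FINDING_RE = re.compile(r"^\+ (?:(?P<path>/\S*): )?(?P<msg>.*?)(?: See: (?P<ref>\S.*))?$")
# "+ 8910 requests: 0 error(s) and 27 item(s) ..." / "+ Scan terminated: 20 error(s) and 6 item(s) ..."
SUMMARY_RE = re.compile(r"^\+ (?:Scan terminated|(?P<requests>\d+) requests): "
                        r"(?P<errors>\d+) error\(s\) and (?P<items>\d+) item\(s\)")
# verbose-mode footer after a terminated scan: "V:... + 265 requests made in 119 seconds"
MADE_RE = re.compile(r"\+ (?P<requests>\d+) requests made in")
# "+ " lines that are scan metadata, not findings
METADATA = ("Target IP:", "Target Hostname:", "Target Port:", "Start Time:", "End Time:", "ERROR:")
# assumed triage rules for this example (first match wins); adapt them to your own risk model
SEVERITY_RULES = [
    (re.compile(r"leak inodes|ETags", re.I), "medium"),
    (re.compile(r"credentials|phpMyAdmin|outdated", re.I), "high"),
    (re.compile(r"TRACE|phpinfo|MultiViews|sensitive information|X-Frame-Options", re.I), "medium"),
]


def triage(message: str) -> str:
    for pattern, severity in SEVERITY_RULES:
        if pattern.search(message):
            return severity
    return "low"


def parse_nikto_output(text: str) -> ScanReport:
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        made = MADE_RE.search(line)
        if made:                              # request count printed after a terminated scan
            report.requests = int(made.group("requests"))
            continue
        if not line.startswith("+ "):         # banner, rulers, "V:" verbose chatter
            continue
        summary = SUMMARY_RE.match(line)
        if summary:
            report.terminated = summary.group("requests") is None
            report.requests = int(summary.group("requests") or report.requests)
            report.errors = int(summary.group("errors"))
            report.items = int(summary.group("items"))
            continue
        body = line[2:]
        if body.startswith("Server: "):
            report.server = body[len("Server: "):]
            continue
        if body.startswith(METADATA) or body.endswith("host(s) tested"):
            continue
        m = FINDING_RE.match(line)
        msg = m.group("msg")
        report.findings.append(Finding(m.group("path") or "", msg, m.group("ref") or "", triage(msg)))
    return report


def counts_by_severity(report: ScanReport) -> dict:
    return dict(Counter(f.severity for f in report.findings))


# Constructed samples: excerpts of the two scans shown in this tutorial
SAMPLE_FULL = """\
+ Target IP:          192.168.56.104
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /doc/: Directory indexing found.
+ /phpMyAdmin/ChangeLog: Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec  9 12:24:00 2008. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8910 requests: 0 error(s) and 27 item(s) reported on remote host
+ 1 host(s) tested
"""
SAMPLE_TERMINATED = """\
V:Mon Apr  8 09:31:40 2024 - 404 for GET:       /backup.tgz
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 6 item(s) reported on remote host
+ 1 host(s) tested
V:Mon Apr  8 09:31:41 2024 + 265 requests made in 119 seconds
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_TERMINATED):
        rep = parse_nikto_output(sample)
        state = "TERMINATED, results are partial" if rep.terminated else "complete"
        print(f"{rep.server or 'unknown server'}: {state}; {rep.requests} requests; {counts_by_severity(rep)}")
        for f in sorted(rep.findings, key=lambda f: ("high", "medium", "low").index(f.severity)):
            print(f"  [{f.severity:<6}] {f.path or '(host)'} {f.message}")
```

Run it against a saved scan (`nikto ... -o scan.txt -F txt`, then `parse_nikto_output(open("scan.txt").read())`) and check `terminated` before trusting the counts: a scan that stopped at the error limit has not exercised most of its tests, so a short findings list there means "incomplete", not "clean". The `-F json` output is easier to consume programmatically when you control the scan; this parser is for the console text you already have.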

I've created a table based on this information for easy understanding. Unlike tools like Skipfish or Wapiti that generate graphical representations automatically, I used an AI tool to create this table to help me comprehend the data better.

| Vulnerability | Description | Severity | Exploitation Difficulty | Potential Impact | Recommendations |
|---|---|---|---|---|---|
| Missing X-Frame-Options | Website is vulnerable to clickjacking attacks. An attacker can embed the website in their own frame, tricking users into interacting with the attacker's content. | Medium | Low | User data theft, unauthorized actions | Implement X-Frame-Options header to restrict where the website can be embedded. |
| Missing X-Content-Type-Options | Browser might render content differently than intended. Attackers could potentially use this to bypass security measures. | Low | Low | Content rendering issues, potential security bypasses | Implement X-Content-Type-Options header to specify how the browser should render the content. |
| Apache mod_negotiation | Allows brute-forcing filenames due to MultiViews option. Attackers can try different filename combinations to find hidden files. | Medium | Medium | Unauthorized access to hidden files, potential information disclosure | Disable MultiViews option in Apache configuration or restrict access to sensitive directories. |
| Outdated Apache Server | The Apache version (2.2.8) is outdated and no longer receives security updates. Upgrade to a current version (at least 2.4.54). | High | Low | Server compromise, various security vulnerabilities | Upgrade Apache to the latest version. Refer to the official Apache documentation for instructions. |
| TRACE method enabled | Website might be vulnerable to Cross-Site Tracing (XST) attacks that can steal user data or inject malicious scripts. | Medium | Medium | User data theft, session hijacking, injection of malicious scripts | Disable TRACE method in server configuration or implement appropriate security measures to mitigate XST vulnerabilities. |
| phpinfo.php disclosure | phpinfo.php script reveals potentially sensitive information about the server configuration. Remove it from the web accessible location. | Medium | Low | Information disclosure about server configuration | Remove phpinfo.php script from the web accessible location. |
| Directory Indexing Enabled | Directory listing exposes unnecessary information about the server and its contents. Disable directory indexing for non-essential directories. | Low | Low | Information disclosure about server structure and files | Disable directory indexing for non-essential directories in Apache configuration. |
| phpMyAdmin exposure | phpMyAdmin, a tool for managing MySQL databases, is publicly accessible. This could allow unauthorized access to databases. | High | High | Unauthorized access to databases, potential data theft or manipulation | Secure phpMyAdmin by restricting access with IP whitelisting or password protection. Consider using a separate server for phpMyAdmin. |
| Inode Leakage | Server might leak information about files through ETags. | Medium | Low | Information disclosure about files on the server | Update Apache to a version that addresses the ETag vulnerability (CVE-2003-1418) or disable ETags in server configuration. |
| Potentially sensitive info via specific queries | Specific HTTP requests with certain queries might reveal sensitive information about the server. | Medium | Medium | Information disclosure about server configuration or data | Review code and queries to identify and prevent leakage of sensitive information. Update or patch applications if necessary. |
| #wp-config.php found | A file potentially containing WordPress database credentials was found. This file should be secured and not publicly accessible. | High | Low | Unauthorized access to WordPress databases, potential data theft or manipulation | Secure the wp-config.php file by moving it outside the web root directory. Change file permissions to restrict access. |
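Most of the recommendations in this table are Apache configuration changes, and the quickest way to confirm they were applied is to check the configuration itself rather than re-scan. The script below is an added example, not code from this tutorial or from the Apache project: it lints an Apache configuration text for the settings behind the findings above (TRACE left on, missing X-Frame-Options and X-Content-Type-Options headers, inode-bearing ETags, MultiViews and directory indexing, a phpMyAdmin directory with no access restriction, and a version-revealing banner) and runs itself against a constructed weak configuration and its hardened counterpart. Both configurations, the check wording and the 192.168.56.0/24 admin subnet are assumptions for the example; the hardened version uses Apache 2.4 access-control syntax (`Require ip`), in line with the upgrade recommendation, and the `Header` directives need mod_headers to be loaded.

```python
"""Lint an Apache configuration for the weak settings Nikto reported (added example,
not the tutorial's or Apache's code; the sample configurations are constructed)."""
import re

# <Directory ...> / <Location ...> blocks; the backreference matches the closing tag
BLOCK_RE = re.compile(r"<(Directory|Location)\s+([^>]+)>(.*?)</\1>", re.I | re.S)


def directives(text: str) -> list:
    """Configuration lines with comments and blank lines stripped."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]


def has_directive(lines: list, pattern: str) -> bool:
    rx = re.compile(pattern, re.I)
    return any(rx.match(l) for l in lines)


def audit_apache_config(text: str) -> list:
    lines = directives(text)
    findings = []
    # TRACE stays on unless disabled (Nikto: "HTTP TRACE method is active")
    if not has_directive(lines, r"TraceEnable\s+off\b"):
        findings.append("TRACE enabled: add 'TraceEnable off'")
    # anti-clickjacking and anti-MIME-sniffing headers (Nikto: header "is not present" / "is not set")
    for header in ("X-Frame-Options", "X-Content-Type-Options"):
        if not has_directive(lines, rf"Header\s+(always\s+)?set\s+{header}\b"):
            findings.append(f"{header} missing: add 'Header always set {header} ...' (needs mod_headers)")
    # ETags built from the inode expose file-system details (Nikto: "may leak inodes via ETags");
    # the 2.2 branch on this page includes INode by default, so an absent FileETag is treated as weak
    etag = [l for l in lines if re.match(r"FileETag\b", l, re.I)]
    if not etag or re.search(r"\bINode\b", etag[-1], re.I):
        findings.append("ETag may include inode: set 'FileETag MTime Size' (or 'FileETag None')")
    # a full banner hands the scanner the exact version (Nikto: "Apache/2.2.8 appears to be outdated")
    if not has_directive(lines, r"ServerTokens\s+Prod\b"):
        findings.append("Server banner reveals version: set 'ServerTokens Prod'")
    # per-directory settings: directory indexing, MultiViews, unrestricted phpMyAdmin
    for kind, path, body in BLOCK_RE.findall(text):
        block = directives(body)
        for line in block:
            if re.match(r"Options\b", line, re.I):
                tokens = [t.lower().lstrip("+") for t in line.split()[1:]]   # "-Indexes" stays excluded
                for weak in ("Indexes", "MultiViews"):
                    if weak.lower() in tokens:
                        findings.append(f"{kind} {path}: Options enables {weak}; use -{weak}")
        if "phpmyadmin" in path.lower():
            guard = r"(Require\s+(?!all\s+granted)|Allow\s+from\s+(?!all\b)|AuthType\b)"
            if not any(re.match(guard, l, re.I) for l in block):
                findings.append(f"{kind} {path}: phpMyAdmin open to all; add 'Require ip ...' or authentication")
    return findings


# Constructed: a configuration with the settings behind the table above ...
WEAK_CONFIG = """
ServerTokens Full
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
Alias /phpMyAdmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options Indexes
</Directory>
"""
# ... and the same configuration with each finding addressed (192.168.56.0/24 is an assumed admin subnet)
HARDENED_CONFIG = """
ServerTokens Prod
TraceEnable off
FileETag MTime Size
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
<Directory /var/www/>
    Options -Indexes -MultiViews +FollowSymLinks
    AllowOverride None
</Directory>
Alias /phpMyAdmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    Options -Indexes
    Require ip 192.168.56.0/24
</Directory>
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_apache_config(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The linter only sees the text you hand it, so concatenate the main file and everything it `Include`s (or paste the relevant virtual host) before running it, and validate the edited configuration with `apachectl configtest` before reloading. It is a check on intent, not on behaviour: a re-scan with Nikto afterwards confirms that the headers are actually sent and TRACE actually refused.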

Now that you're comfortable with practicing in a safe environment, let's use Nikto to test a live website on the internet.

For this exercise, we'll scan a website named "testphp.vulnweb.com." Please note that this website is intentionally vulnerable for educational purposes.

The process is very similar to what we did before. This time, instead of the IP address of Metasploitable2, we'll give Nikto a URL.

In the terminal, type the following command:

┌──(kali㉿kali)-[~]
└─$ nikto -h testphp.vulnweb.com -p 80 -T 3478b -t 3 -D \V -o webtest -F htm

  • `nikto -h`, where `-h` specifies the hostname or IP address of the target website. In my case it is “testphp.vulnweb.com”.
  • `-p 80` selects the port. Port 80 is the default port for HTTP traffic and is what web servers commonly listen on.
  • `-T` (`-Tuning`) takes the codes of the test categories you want to run, as listed under "Scan tuning" in the help output.
  • `3478b` selects Information Disclosure (3), Injection (XSS/Script/HTML) (4), Remote File Retrieval - Server Wide (7), Command Execution / Remote Shell (8) and Software Identification (b), so only those tests are executed against our target server.
  • `-t 3` sets the timeout in seconds for each test request, and `-D \V` (`-Display V`) turns on verbose output.
  • `-o webtest` names the report file, and `-F` sets the report format; `-F htm` produces the report in HTML.

There are other advanced options, such as -mutate, for guessing subdomains, files, directories, or usernames; -evasion, for encoding requests to evade IDS filtering; and -Single, for single-test mode when you want to focus on one specific request. These options allow for a more thorough assessment of your target.

Once you've configured your scan parameters, hit enter to start the scan. This will provide valuable information that can help identify vulnerabilities and guide efforts to secure your website.

- Nikto v2.5.0
---------------------------------------------------------------------------
V:Mon Apr  8 09:29:43 2024 - Initialising plugin nikto_robots
V:Mon Apr  8 09:29:43 2024 - Loaded "Robots" plugin.
V:Mon Apr  8 09:29:43 2024 - Initialising plugin nikto_report_xml
V:Mon Apr  8 09:29:43 2024 - Loaded "Report as XML" plugin.
V:Mon Apr  8 09:29:43 2024 - Initialising plugin nikto_report_csv
V:Mon Apr  8 09:29:43 2024 - Loaded "CSV reports" plugin.
V:Mon Apr  8 09:29:43 2024 - Initialising plugin nikto_tests
V:Mon Apr  8 09:29:43 2024 - Loaded "Nikto Tests" plugin.
V:Mon Apr  8 09:29:43 2024 - Initialising plugin nikto_put_del_test
V:Mon Apr  8 09:29:43 2024 - Loaded "Put/Delete test" plugin.
V:Mon Apr  8 09:29:43 2024 - Initialising plugin nikto_paths
V:Mon Apr  8 09:29:43 2024 - Loaded "Path Search" plugin.

-----------more--------

V:Mon Apr  8 09:31:40 2024 - 404 for GET:       /backup.tgz
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
V:Mon Apr  8 09:31:41 2024 -  for GET:
+ Scan terminated: 20 error(s) and 6 item(s) reported on remote host
+ End Time:           2024-04-08 09:31:41 (GMT-4) (116 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
V:Mon Apr  8 09:31:41 2024 + 265 requests made in 119 seconds

After the scan completes, Nikto writes the HTML report to a file named webtest in the directory you ran it from (your Kali home directory in this example). Open it in a browser to review the findings.

If you have any questions or concerns related to this process, feel free to leave a comment for further discussion.
