How to find Web Server Vulnerabilities with Nikto Scanner

Scan your web server for vulnerabilities and misconfiguration for free with the Nikto scanner.

97% of the applications tested by Trustwave had one or more weaknesses.

[Image: trustwave-vulnerable-applications]

And 14% of the investigated intrusions were due to misconfiguration. Misconfiguration can lead to serious risk.

[Image: trustwave-factors]

There are a number of online vulnerability scanners for testing web applications that are reachable from the Internet.

However, if you are looking to test Intranet applications or in-house applications, then you can use Nikto web scanner.

Nikto is an open source scanner written by Chris Sullo, and you can use it with any web server (Apache, Nginx, IHS, OHS, Litespeed, etc.). That makes it a good fit for in-house web server scanning.

Nikto scans for over 6700 items to detect misconfiguration, risky files, etc. Some of its features include:

  • Reports can be saved in HTML, XML or CSV
  • SSL support
  • Scanning of multiple ports on the same server
  • Subdomain discovery
  • Apache user enumeration
  • Checks for outdated components
  • Detection of parked sites

Let’s get started with installation and how to use this tool.

It can be installed on Kali Linux or any other OS (Windows, Mac OSX, Redhat, Debian, Ubuntu, BackTrack, CentOS, etc.) that supports Perl.

In this article, I will explain how to use it on Kali Linux & CentOS.

Note: a scan makes a lot of requests to your web server.

Using Nikto on Kali Linux

Since it’s built into Kali, you don’t need to install anything.

  • Log in to Kali Linux
  • Go to Applications >> Vulnerability Analysis and click nikto

[Image: kali-linux-nikto]

It will open the terminal where you can run the scanning against your web server.

There are multiple ways/syntaxes you can use to run the scan. However, the quickest way is:

# nikto -h $webserverurl

Don’t forget to replace $webserverurl with your web server’s actual IP or FQDN.

root@kali:~# nikto -h thewebchecker.com
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:                  128.199.222.244
+ Target Hostname:     thewebchecker.com
+ Target Port:              80
+ Start Time:                2016-08-22 06:33:13 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2c39 0x53a938fc104ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7596 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:                  2016-08-22 06:54:44 (GMT8) (1291 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

As you can see, the above scan is against a default configuration of Apache 2.4, and there are many items that need attention.

You can refer to my Apache Security & Hardening Guide to fix these.
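To turn a scan like the one above into a short triage list, here is an added POSIX shell helper (not part of the original post or of Nikto itself) that pulls the missing security headers, OSVDB references and exposed paths out of a saved Nikto text report. The sample report is constructed to mirror the scan above; the `-o`/`-Format` options used in the comment are Nikto’s own report-saving switches.

```shell
#!/bin/sh
# Constructed sample of Nikto text output, modelled on the scan above (not a
# real report). Save a real one with:  nikto -h $webserverurl -o scan.txt -Format txt
NIKTO_SAMPLE=$(cat <<'EOF'
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.0.2.10
+ Target Hostname:    www.example.com
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2c39 0x53a938fc104ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7596 requests: 0 error(s) and 10 item(s) reported on remote host
+ 1 host(s) tested
EOF
)
# Finding lines: '+ ' lines that are neither the target banner nor the summary.
nikto_findings() {
    printf '%s\n' "$1" | grep '^[+] ' \
      | grep -Ev '^[+] (Target |Start Time|End Time|Server: |No CGI|[0-9]+ requests|[0-9]+ host)'
}

# Response headers Nikto reports as absent, one header name per line.
nikto_missing_headers() {
    nikto_findings "$1" | grep -E 'header is not (present|defined|set)' \
      | sed -E 's/^[+] (The anti-clickjacking )?(The )?([A-Za-z-]+) header.*/\3/'
}

# OSVDB reference numbers, space separated, in report order.
nikto_osvdb_ids() {
    nikto_findings "$1" | sed -nE 's/^[+] OSVDB-([0-9]+):.*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Paths Nikto found on the server, with or without an OSVDB reference.
nikto_exposed_paths() {
    nikto_findings "$1" | sed -nE 's#^[+] (OSVDB-[0-9]+: )?(/[^:]*):.*#\2#p'
}

# Quick summary of the sample; use "$(cat scan.txt)" instead for a real report.
printf 'missing headers: %s\n' "$(nikto_missing_headers "$NIKTO_SAMPLE" | tr '\n' ' ')"
```

Each list maps to a hardening task: add the missing headers in the server configuration, and remove or restrict the listed paths (the Apache manual, directory indexing, default files and the phpMyAdmin path) before exposing the server.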

Using Nikto on CentOS

  • Log in to CentOS or any other Linux-based OS
  • Download the latest version from GitHub using wget

wget https://github.com/sullo/nikto/archive/master.zip

  • Extract it with the unzip command

unzip master.zip

  • This creates a new folder called “nikto-master”
  • Go inside the folder nikto-master/program

cd nikto-master/program

  • Execute nikto.pl with the target domain

Note: you may get the following warning:

+ WARNING: Module JSON::PP missing. -Savedir and replay functionality cannot be used.

If you get this warning, install the missing Perl module as follows.

# yum install perl-CPAN*

Once it is installed, execute nikto again and it should run without the warning.

This time, I will run a scan against Nginx web server to see how it performs.

./nikto.pl -h 128.199.222.244

[Image: nikto-nginx]

As you can see, the default Nginx web server configuration is vulnerable too, and this security guide will help you mitigate the findings.

Go ahead and play around with the Nikto software and if interested in learning more then check out this hacking and penetration testing course.

About Chandan
Chandan Kumar is the founder and editor of Geek Flare. Learn more here and connect with him on Twitter.

Comments

  1. Hello Genius!!
    How to find an ISP (Internet Service Provider) bug host to get free Internet???

    Note: Even when the ISP doesn’t offer any free web sites, including the ISP homepage!

  2. Nice posting! Is there a way to get a similar report for missing updates? Missing OS update and missing updates for installed services / libraries?

  3. Chandan,
    Thank you so much for this post. I’m new to WordPress and it really gave me vital information for part of the thesis I’m working on: Web App Security.

    Unfortunately, however, when I place these in wp-config in the test site I created in WordPress, it does not even load. When I remove it, it loads. Checking on the net, I only find references to these being placed in the .htaccess or functions.php files. Is there anything I need to do to make these work with wp-config.php?

    Thank you.
