Scan your web server for vulnerabilities, misconfiguration in FREE with Nikto scanner

97% of application tested by Trustwave had one or more weaknesses.


And 14% of investigated intrusion was due to misconfiguration. Misconfiguration can lead to serious risks.


There is a number of online vulnerability scanner to test your web applications on the Internet.

However, if you are looking to test Intranet applications or in-house applications, then you can use Nikto web scanner.

Nikto is an open source scanner written by Chris Sullo, and you can use with any web servers (Apache, Nginx, IHS, OHS, Litespeed, etc.). Sounds like a perfect in-house tool for web server scanning.

Nikto scan for over 6700 items to detect misconfiguration, risky files, etc. and some of the features include;

  • You can save report in HTML, XML, CSV
  • It supports SSL
  • Scan multiple ports on the server
  • Find subdomain
  • Apache user enumeration
  • Checks for outdated components
  • Detect parking sites

Let’s get started with installation and how to use this tool

This can be installed on Kali Linux or other OS (Windows, Mac OSX, Redhat, Debian, Ubuntu, BackTrack, CentOS, etc.) which support Perl.

In this article, I will explain how to use on Kali Linux & CentOS.

Note: performing scan makes lots of request to your web server.

Using Nikto on Kali Linux

Since it’s inbuilt in Kali, you don’t need to install anything.

  • Login into Kali Linux
  • Go to Applications >> Vulnerability Analysis and click nikto


It will open the terminal where you can run the scanning against your web server.

There is multiple ways/syntax you can use to run the scan. However, the quickest way to do is;

# nikto –h $webserverurl

Don’t forget to change $webserverurl with your web server actual IP or FQDN.

[email protected]:~# nikto -h
- Nikto v2.1.6
+ Target IP:        
+ Target Hostname:
+ Target Port:              80
+ Start Time:                2016-08-22 06:33:13 (GMT8)
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2c39 0x53a938fc104ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7596 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:                  2016-08-22 06:54:44 (GMT8) (1291 seconds)
+ 1 host(s) tested

As you can see the above scan is against default configuration of Apache 2.4, and there are many items needs attention.

You can refer my Apache Security & Hardening Guide to fix these.

Using Nikto on CentOS

  • Login to CentOS or any Linux based OS
  • Download the latest version from Github using wget
wget .
  • Extract using unzip command
  • It will create new folder called “nikto-master”
  • Go inside the folder nikto-master>program
cd /nikto-master/program

Execute with the target domain

Note: you may get the following warning.

+ WARNING: Module JSON::PP missing. -Savedir and replay functionality cannot be used.

If you are getting this warning, then you need to install Perl module by the following.

# yum install perl-CPAN*

Once installed execute nikto and should be fine.

This time, I will run a scan against Nginx web server to see how it performs.

./ -h


So as you can see default Nginx, web server configuration is vulnerable too and this security guide will help you to mitigate them.

Go ahead and play around with the Nikto software and if interested in learning more then check out this hacking and penetration testing course.