Nikto Training Lab - Web House

What is Nikto?

Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple security vulnerabilities and configuration issues. It's one of the most popular tools in the web security tester's arsenal.

Legal Warning

Only scan web servers you own or have explicit written permission to test. Unauthorized scanning is illegal and unethical. This training module provides a safe, simulated environment for learning.

Key Features

Detects over 6,700 potentially dangerous files and programs
Checks for outdated server software versions (over 1,250 server versions)
Identifies version-specific security problems on over 270 servers
Scans for dangerous HTTP server options and methods
Tests for common misconfigurations
Finds default files and directories
Supports SSL/TLS scanning
Performs subdomain enumeration
Exports results in multiple formats (HTML, XML, CSV, JSON)

How Nikto Works

Nikto operates by sending HTTP requests to a target web server and analyzing the responses. It doesn't perform sophisticated application-level testing but excels at identifying:

Server Information Leakage: Exposed server versions, technologies, and configurations
Dangerous Files: Admin interfaces, configuration files, backup files, and sensitive directories
Outdated Software: Old server versions with known vulnerabilities
HTTP Methods: Dangerous methods like PUT, DELETE, TRACE, and DEBUG
Security Headers: Missing or misconfigured security headers
Default Credentials: Common default installations and login pages

Important Limitation

Nikto is NOT a stealth tool. It makes numerous requests and is easily detected by intrusion detection systems (IDS). It's designed for authorized security assessments, not covert penetration testing.

Basic Nikto Syntax

The basic command structure for Nikto is straightforward:

nikto -h <target> [options]

Essential Options

Option	Description	Example
`-h`	Target host/IP (required)	`-h http://target.com`
`-p`	Target port(s)	`-p 80,443,8080`
`-ssl`	Force SSL/TLS mode	`-ssl`
`-Tuning`	Scan tuning (see below)	`-Tuning 123`
`-o`	Output file	`-o results.html`
`-Format`	Output format	`-Format html`

Example Commands

# Basic scan
nikto -h http://example.com

# SSL/TLS scan on specific port
nikto -h https://example.com -p 443 -ssl

# Tuned scan with HTML output
nikto -h http://example.com -Tuning 123 -o scan.html -Format html

# Scan multiple ports
nikto -h 192.168.1.10 -p 80,443,8080,8443
                            

Scan Tuning

Nikto's -Tuning option allows you to focus scans on specific vulnerability categories. You can combine multiple tuning codes.

Tuning Categories

Code	Category	Description
`0`	File Upload	Tests for file upload functionality
`1`	Interesting Files	Searches for interesting files (logs, backups, configs)
`2`	Misconfiguration	Checks for common misconfigurations
`3`	Information Disclosure	Tests for information leakage
`4`	Injection (XSS/Script)	Basic XSS and injection tests
`5`	Remote File Retrieval	Tests for remote file inclusion
`6`	Denial of Service	Checks for DoS vulnerabilities
`7`	Remote File Execution	Tests for command execution
`8`	Command Execution	Additional command injection tests
`9`	SQL Injection	Basic SQL injection tests
`a`	Authentication Bypass	Tests for auth bypass vulnerabilities
`b`	Software Identification	Identifies software versions
`x`	Reverse Tuning	Exclude the specified categories

Pro Tip: Combining Tuning Codes

Use -Tuning 123 to scan only for interesting files (1), misconfigurations (2), and information disclosure (3). This is one of the most common combinations for initial reconnaissance.

Understanding Nikto Output

Nikto provides detailed output about discovered vulnerabilities and server information. Here's how to interpret the results:

Typical Output Format

---------------------------------------------------------------------------
+ Target IP:          192.168.1.100
+ Target Hostname:    vulnerable-server.com
+ Target Port:        80
+ Start Time:         2025-12-22 10:30:00 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Server leaks inodes via ETags, header found with file /, fields: 0x12ab 0x4f3a
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /backup/: Directory indexing found.
+ 7535 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2025-12-22 10:45:00 (GMT-5) (900 seconds)
                            

Finding Severity Levels

Critical/High: Outdated software with known exploits, dangerous files (phpinfo.php, web shells)
Medium: Information disclosure, default credentials, dangerous HTTP methods
Low: Directory indexing, missing security headers, version disclosure
Informational: Server identification, available HTTP methods

OSVDB References

Many Nikto findings include OSVDB (Open Source Vulnerability Database) references. These numeric codes can be searched online for detailed vulnerability information, even though the OSVDB project itself has been discontinued.

Advanced Techniques

Evading Detection (Ethical Use Only)

While Nikto is inherently noisy, you can reduce its footprint:

-Pause: Add delay between requests (e.g., -Pause 5 for 5 seconds)
-mutate: Use mutation techniques to try different request variations
-useragent: Change User-Agent string to blend in
Tunnel through proxies for IP obfuscation

Authentication

Test authenticated areas of web applications:

# Basic authentication
nikto -h http://example.com -id username:password

# Use cookies for session-based auth
nikto -h http://example.com -usecookies sessionid=abc123xyz
                            

Plugin Management

Nikto uses plugins for different test categories. You can list, enable, or disable specific plugins:

# List available plugins
nikto -list-plugins

# Use specific plugins
nikto -h http://example.com -Plugins 'apacheusers;outdated'
                            

Real-World Application

Typical Security Assessment Workflow

Reconnaissance: Use Nmap to identify web servers and open ports
Initial Scan: Run Nikto with -Tuning 123b for quick identification
Focused Scanning: Based on initial findings, run targeted scans
Manual Verification: Verify high-priority findings manually (Nikto has false positives)
Documentation: Export results in HTML format for reporting
Remediation Tracking: Re-scan after fixes to verify resolution

Integration with Other Tools

Nikto works best as part of a comprehensive toolkit:

Nmap: Port scanning and service enumeration before Nikto
Burp Suite: Deep application testing of Nikto findings
Metasploit: Exploit verification for identified vulnerabilities
OWASP ZAP: Complementary web application scanning
SQLMap: Advanced SQL injection testing of flagged parameters

Best Practice

Always run Nikto from an authorized IP address, save all scan output for documentation, and verify findings manually before reporting. Remember: Nikto is a discovery tool, not a definitive proof of vulnerability.

root@kali:~$

Nikto Training Lab - Scanner Simulator

Select a target and enter a command to begin scanning...

Example commands:

nikto -h http://target.com

nikto -h https://target.com -ssl -Tuning 123

nikto -h http://target.com -p 80,443,8080

nikto -h http://target.com -Tuning 1 -Format html -o output.html

Security Challenges

Test your Nikto skills with these practical challenges. Use the Scanner Lab to investigate targets!

0 Challenges Completed

0 Points Earned

225 Total Available

Quick Reference Guide

Essential Command Options

Option	Description	Example
`-h [host]`	Target host/IP/URL (required)	`-h 192.168.1.1`
`-p [port(s)]`	Port number(s) to scan	`-p 80,443`
`-ssl`	Force SSL/TLS connection	`-ssl`
`-nossl`	Disable SSL/TLS	`-nossl`
`-Tuning [x]`	Scan tuning options (0-9,a,b,x)	`-Tuning 123`
`-o [file]`	Output file path	`-o scan.txt`
`-Format [fmt]`	Output format (txt, html, csv, xml, json)	`-Format html`
`-id [user:pass]`	HTTP basic authentication	`-id admin:p@ss`
`-useragent [ua]`	Custom User-Agent string	`-useragent "Mozilla/5.0"`
`-Pause [n]`	Pause n seconds between tests	`-Pause 5`
`-timeout [n]`	Timeout for requests (seconds)	`-timeout 10`
`-mutate [1-6]`	Mutation technique number	`-mutate 1`
`-Plugins [list]`	Select plugins to run	`-Plugins "outdated"`
`-list-plugins`	List available plugins	`-list-plugins`
`-update`	Update database and plugins	`-update`

Tuning Categories Reference

Code	Category	What It Tests
`0`	File Upload	Upload forms and file handling vulnerabilities
`1`	Interesting Files	Logs, backups, configs, source files
`2`	Misconfiguration	Server misconfigurations, dangerous settings
`3`	Information Disclosure	Version numbers, server info, banner grabbing
`4`	Injection	XSS, script injection vulnerabilities
`5`	Remote File Retrieval	RFI (Remote File Inclusion) vulnerabilities
`6`	Denial of Service	DoS vulnerabilities and resource exhaustion
`7`	Remote File Execution	Code execution vulnerabilities
`8`	Command Execution	Command injection vulnerabilities
`9`	SQL Injection	SQLi vulnerabilities
`a`	Authentication Bypass	Auth bypass and broken authentication
`b`	Software Identification	Identify software and versions
`x`	Reverse Tuning	Exclude specified tuning codes

Output Formats

Format	Description	Use Case
`txt`	Plain text (default)	Command line viewing, grep parsing
`html`	HTML report	Client reports, web viewing
`csv`	Comma-separated values	Spreadsheet analysis, data processing
`xml`	XML format	Integration with other tools, parsing
`json`	JSON format	API integration, modern toolchains

Common Vulnerability Findings

Finding Type	Example	Severity
Outdated Software	Apache/2.2.15 (known exploits)	High/Critical
Default Files	/phpinfo.php, /admin/, /test.php	Medium/High
Directory Indexing	/backup/, /uploads/ listing enabled	Low/Medium
Dangerous HTTP Methods	PUT, DELETE, TRACE enabled	Medium
Information Disclosure	Server version in headers	Low
Missing Headers	X-Frame-Options, CSP, HSTS	Low/Medium
Default Credentials	Admin panels with default passwords	Critical
Backup Files	.bak, .old, ~ files accessible	Medium/High

Quick Command Examples

# Basic HTTP scan
nikto -h http://target.com

# HTTPS scan with SSL
nikto -h https://target.com -ssl

# Scan specific ports
nikto -h 192.168.1.10 -p 80,443,8080,8443

# Tuned scan for misconfigurations and info disclosure
nikto -h http://target.com -Tuning 23

# Comprehensive scan with HTML output
nikto -h http://target.com -Tuning 123b -o report.html -Format html

# Scan with authentication
nikto -h http://target.com -id admin:password123

# Slow scan to evade detection
nikto -h http://target.com -Pause 5 -timeout 20

# Multiple targets from file
nikto -h targets.txt

# Update Nikto database
nikto -update

# List all plugins
nikto -list-plugins
                            

Export Progress

Save your challenge progress and settings to continue later.

Export your progress data

Import Progress

Load previously saved progress.

Import progress data

Reset Progress

Clear all challenge progress and start fresh.

This cannot be undone!

Appearance

Theme

Default

Dark Mode

Statistics

Total Challenges Completed 0

Total Points Earned 0

Scans Executed 0

Vulnerabilities Found 0

Learning Panel

Welcome to Nikto Training!

This interactive lab will teach you how to use Nikto to identify web server vulnerabilities and misconfigurations.

Getting Started

Start with the Learn tab for fundamentals, then practice in the Scanner Lab!

Your Progress

Challenges: 0/10

Points: 0/225

Quick Actions

Try these scenarios:

Legal Warning

Only scan web servers you own or have explicit written permission to test. Unauthorized scanning is illegal!