Nikto for Web Security

Posted: March 8, 2010 in archlinux, Debian, Freebsd, Slackware

Nikto is a free, open source, command line scanning script used for testing your web server's security. It checks for thousands of vulnerabilities and potential security weaknesses, such as default files and programs, outdated server versions, insecure files, and server and software misconfigurations. Nikto uses a configuration file, three dozen plugins for testing and a handful of templates for reporting.

Nikto is not a weapon, nor is it a remedy for damage that has already occurred. It is an assessment tool that, when used properly, may prevent a host of potential security threats from becoming reality.

Download Nikto here.

http://cirt.net/nikto/nikto-2.1.1.tar.gz

The following runs show basic Nikto usage: a default scan of a host on port 80, then a scan of the same host on alternative ports.

$ ./nikto.pl -h website.com

- Nikto v2.1.1
---------------------------------------------------------------------------
+ Target IP:          192.168.1.250
+ Target Hostname:    website.com
+ Target Port:        80
+ Start Time:         2010-03-01 13:42:23
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Number of sections in the version string differ from those in the database, the server reports: apache/2.2.3 while the database has: 2.2.14. This may cause false positives.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing is enabled: /icons
+ OSVDB-3233: /icons/README: Apache default file found.
+ 3818 items checked: 5 item(s) reported on remote host
+ End Time:           2010-03-01 13:42:54 (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
#################################################################################################################

$ ./nikto.pl -h website.com -port 443,8080

---------------------------------------------------------------------------
+ No web server found on 192.168.1.250:443
---------------------------------------------------------------------------
+ No web server found on 192.168.1.250:8080
---------------------------------------------------------------------------
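Reading the reports above by hand is fine for one host, but when you scan several servers regularly it helps to turn Nikto's plain-text output into something you can diff and track. The parser below is an added example, not part of the original post or of Nikto itself: it pulls the target headers, the OSVDB findings and the "No web server found" lines out of the report format shown above, and flags the TRACE method finding. The sample report is constructed from the output in the post, not from a live scan.

```python
import re

# Constructed sample in the report format Nikto 2.1.1 prints (taken from the
# runs shown in the post above; values are illustrative, not a real scan).
SAMPLE_REPORT = """\
- Nikto v2.1.1
---------------------------------------------------------------------------
+ Target IP:          192.168.1.250
+ Target Hostname:    website.com
+ Target Port:        80
+ Server: Apache/2.2.3 (CentOS)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing is enabled: /icons
+ OSVDB-3233: /icons/README: Apache default file found.
+ 3818 items checked: 5 item(s) reported on remote host
---------------------------------------------------------------------------
+ No web server found on 192.168.1.250:443
"""

# Header lines we want to keep for the record of the scan.
HEADER_RE = re.compile(
    r"^\+ (Target IP|Target Hostname|Target Port|Server|Allowed HTTP Methods):\s+(.*)$")
# Each finding Nikto reports carries an OSVDB reference followed by free text.
FINDING_RE = re.compile(r"^\+ OSVDB-(\d+): (.*)$")
# Ports that answered nothing, as in the second run in the post.
NO_SERVER_RE = re.compile(r"^\+ No web server found on (\S+)$")


def parse_nikto_report(text):
    """Turn Nikto's plain-text report into a dict suitable for triage."""
    result = {"headers": {}, "findings": [], "unreachable": []}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            result["headers"][m.group(1)] = m.group(2).strip()
            continue
        m = FINDING_RE.match(line)
        if m:
            result["findings"].append({"osvdb": int(m.group(1)), "detail": m.group(2)})
            continue
        m = NO_SERVER_RE.match(line)
        if m:
            result["unreachable"].append(m.group(1))
    return result


def trace_enabled(report):
    """True when the server advertises TRACE, the method behind the XST finding."""
    methods = report["headers"].get("Allowed HTTP Methods", "")
    return "TRACE" in [x.strip() for x in methods.split(",")]
```

Feeding a saved report file through parse_nikto_report and keeping the result per host lets you notice when a new OSVDB finding appears, or when TRACE comes back after it was disabled in the Apache configuration.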

Comments
  1. hosting says:

    Thank you for this article. I've looked at the end.
