Nikto(1)                                                              Nikto(1)



NAME

       Nikto - Web Server and CGI Scanner, Version 1.36


SYNOPSIS

       nikto.pl [-h target] [options]


WARNING

       Nikto is a tool for finding default web files and examining web server
       and CGI security.  It makes a lot of requests to the remote server,
       which in some cases may cause the server to crash.  It may also be
       illegal to use this software against servers you do not have permission
       to test.


DESCRIPTION

       Nikto is designed to examine web servers and look for items in multiple
       categories:

              ·  misconfigurations

              ·  default files and scripts

              ·  insecure files and scripts

              ·  outdated software

       It uses Rain Forest Puppy's LibWhisker (wiretrip.net) for HTTP
       functionality, and can perform checks in HTTP or HTTPS.  It also
       supports basic port scanning and will determine if a web server is
       running on any open ports.

       Nikto checks and code can be automatically updated from the main
       distribution server by using the -update option (see below) to ensure
       Nikto is checking for the most recent vulnerabilities.

       Nikto will also load user defined checks at startup if they are placed
       in a file named user_scan_database.db in the plugins directory.  Unlike
       scan_database.db, this file will not be over-written if the -update
       option is used.  This file should always be used if you add your own
       checks (and you should send those checks to sullo@cirt.net).

       Nikto leaves a footprint on a server it scans--both in an invalid 404
       check and in the User-Agent header.  This can be changed by forcing
       $NIKTO{fingerprint} and $NIKTO{useragent} to new values in the source
       code, or by using any IDS evasion (-e) option.  Note that it is pretty
       obvious when Nikto is scanning a server anyway--the large number of
       invalid requests sticks out a lot in the server logs, although with an
       IDS evasion technique it might not be obvious that it was Nikto.
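
       The footprint described above is what a server administrator can look
       for.  The following Python is an added example, not part of Nikto or
       LibWhisker: it reads access log lines in the common "combined" format
       (constructed samples are embedded) and reports clients whose User-Agent
       names Nikto or whose requests are mostly 404 responses.  The User-Agent
       text in the samples is an assumption; the real value is whatever
       $NIKTO{useragent} is set to.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format (assumed for the sample lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one Nikto-style client and one ordinary visitor.
# The Nikto User-Agent text is an assumption, not copied from the tool.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2007:10:00:01 +0000] "GET /cgi-bin/test.html HTTP/1.1" 404 231 "-" "Mozilla/4.75 (Nikto/1.36)"
203.0.113.5 - - [12/Feb/2007:10:00:01 +0000] "GET /password.txt HTTP/1.1" 404 231 "-" "Mozilla/4.75 (Nikto/1.36)"
203.0.113.5 - - [12/Feb/2007:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 231 "-" "Mozilla/4.75 (Nikto/1.36)"
203.0.113.5 - - [12/Feb/2007:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/4.75 (Nikto/1.36)"
198.51.100.7 - - [12/Feb/2007:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2007:10:00:04 +0000] "GET /missing.png HTTP/1.1" 404 231 "-" "Mozilla/5.0"
"""


def summarize(log_text):
    """Per client IP: total requests, 404 responses, Nikto User-Agents."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "nikto_ua": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; ignore the line
        s = stats[m.group("ip")]
        s["total"] += 1
        if m.group("status") == "404":
            s["not_found"] += 1
        if "nikto" in m.group("ua").lower():
            s["nikto_ua"] += 1
    return dict(stats)


def flag_scanners(log_text, min_requests=3, max_404_ratio=0.5):
    """Clients worth reviewing: any Nikto User-Agent, or a 404 share above
    max_404_ratio once at least min_requests requests were seen.  The
    ratio rule still fires when the User-Agent has been changed."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        reasons = []
        if s["nikto_ua"]:
            reasons.append("User-Agent names Nikto")
        ratio = s["not_found"] / s["total"]
        if s["total"] >= min_requests and ratio > max_404_ratio:
            reasons.append("%d of %d requests returned 404"
                           % (s["not_found"], s["total"]))
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in sorted(flag_scanners(SAMPLE_LOG).items()):
        print(ip, "-", "; ".join(reasons))
```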

       Why the name Nikto?  See the movies "The Day the Earth Stood Still"
       and, of course, "Army of Darkness" for the answer.  For a full list of
       pop-culture references to this, see
       http://www.blather.net/archives2/issue2no21.html which has a lot of
       good information.


OPTIONS

       The options listed below are all optional except the -h target
       specification.  They can all be abbreviated to the first letter (e.g.,
       -m for -mutate), with the exception of -verbose and -debug.

       -config <config file>
              Read the specified configuration file instead of the default
              one.

       -Cgidirs <dirs>
              Optionally force the CGI directories to scan.  Valid values are
              'none' to not check any, 'all' to force a scan of all CGI
              directories (like the deprecated -allcgi), or a value to use as
              the CGI directory, e.g. '/cgi/'.

       -cookies
              Print out the cookie names and values that were received during
              the scan.

       -evasion <evasion method>
              IDS evasion techniques.  This enables the intrusion detection
              evasion in LibWhisker.  Multiple options can be used by
              stringing the numbers together, e.g. to enable methods 1 and 5,
              use "-e 15".  The valid options are (use the number preceding
              each description):

              1      Random URI encoding (non-UTF8)

              2      Add directory self-reference /./

              3      Premature URL ending

              4      Prepend long random string to request

              5      Fake parameters to files

              6      TAB as request spacer instead of spaces

              7      Random case sensitivity

              8      Use Windows directory separator \ instead of /

              9      Session splicing

              See the LibWhisker source for more information, or
              http://www.wiretrip.net/

       -findonly
              Use port scan to find valid HTTP and HTTPS ports only, but do
              not perform checks against them.

       -Format
              Output format for the file specified with the -output option.
              Valid formats are:

              HTM    HTML output format.

              TXT    Text output format.  This is the default if -F is not
                     specified.

              CSV    Comma Separated Value format.

       -generic
              Force a full scan rather than trusting the "Server:"
              identification string, as many servers allow this to be changed.

       -host <ip, hostname or file>
              Target host(s) to check against.  This can be an IP address or
              hostname, or a file of IPs or hostnames.  If this argument is a
              file, it should be formatted as described in the HOSTNAME FILE
              section below.  This is the only required option.

       -id <user:password:realm>
              HTTP authentication; the format is userid:password for
              authorizing Nikto to a web server realm.  For NTLM realms, the
              format is id:password:realm.

       -mutate
              Mutate checks.  This causes Nikto to combine all files with all
              directories from the .db files and scan the host for each
              combination.  You might find some oddities this way.  Note that
              it generates a lot of checks.

       -nolookup
              Don't perform a host name lookup.

       -output <filename>
              Write output to this file when complete.  Format is text unless
              specified via -Format.

       -port <port number>
              Port number to scan, defaults to port 80 if missing.  This can
              also be a range or list of ports, which Nikto will check for web
              servers.  If a web server is found, it will perform a full scan
              unless the -f option is used.

       -root <root>
              Always prepend this to requests, i.e., changes a request of
              "/password.txt" to "/directory/password.txt" (assuming the value
              passed on the CLI was "/directory").

       -ssl   Force SSL mode on port(s) listed.  Note that Nikto attempts to
              determine if a port is HTTP or HTTPS automatically, but this can
              be slow if the server fails to respond or is slow to respond to
              the incorrect one.  This sets SSL usage for all hosts and ports.

       -timeout <timeout>
              Set timeout for each request, default is 10 seconds.

       -useproxy
              Use the proxy defined in config.txt for all requests.

       -vhost <ip or hostname>
              Virtual host to use for the "Host:" header, in case it is
              different from the target.

       -Version
              Print version numbers of Nikto, all plugins and all databases.

       -404 <string>
              Pass a string to be matched against content.  If a page matches
              this string, it cannot be treated as a positive (it will be
              skipped, like a 404 response).

       These options cannot be abbreviated to the first letter:

       -dbcheck
              This option will check the syntax of the checks in the
              scan_database.db and user_scan_database.db files.  This is
              really only useful if you are adding checks or are having
              problems.

       -debug Print a huge amount of detail out.  In most cases this is going
              to be more information than you need, so try -verbose first.

       -update
              This will connect to cirt.net and download updated
              scan_database.db and plugin files.  Use this with caution as you
              are downloading files--perhaps including code--from an
              "untrusted" source.  This option cannot be combined with any
              other, but required variables (like the PROXY settings) will be
              loaded from the config.txt file.

       -verbose
              Print out a lot of extra data during a run.  This can be useful
              if a scan or server is failing, or to see exactly how a server
              responds to each request.


HOSTNAME FILE

       If a file is specified with -h instead of a hostname or IP, Nikto will
       open the file to use it as a list of targets.  The file should be
       formatted with one host per line.  If no port is specified, port 80 is
       assumed.  Multiple ports may be specified per host.  If a host file is
       used, any ports specified via -p are added to every host.  Valid lines
       would be:

              10.100.100.100
              10.100.100.100:443
              10.100.100.100,443
              10.100.100.100:443:8443
              10.100.100.100,443,8443
              evilash.example.com,80
              (etc)
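
       The following Python is an added example, not Nikto's own code, that
       turns such a file into a list of (host, ports) targets following the
       rules above.  It assumes that ':' and ',' are interchangeable
       separators, that -p ports use the same "80,443" / "80-90" syntax as the
       -p option, and that port 80 is assumed for a line naming no port before
       the -p ports are added to every host.

```python
import re

DEFAULT_PORT = 80


def expand_ports(spec):
    """'80,443,8000-8002' -> [80, 443, 8000, 8001, 8002].  Both ':' and
    ',' separate entries, as in the host file lines above."""
    ports = []
    for item in re.split(r"[:,]", spec):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError("bad port specification: %r" % item)
        ports.extend(range(lo, hi + 1))
    return ports


def parse_host_line(line, cli_ports=""):
    """One host-file line -> (host, [ports]), or None for an empty line.
    Assumption: port 80 is assumed for a line naming no port, and the
    -p ports (cli_ports) are then added to every host."""
    line = line.strip()
    if not line:
        return None
    m = re.match(r"([^:,\s]+)[:,]?(.*)$", line)
    if not m:
        raise ValueError("cannot parse host line: %r" % line)
    host, spec = m.group(1), m.group(2)
    ports = expand_ports(spec) or [DEFAULT_PORT]
    for p in expand_ports(cli_ports):
        if p not in ports:
            ports.append(p)
    return host, ports


def parse_host_file(text, cli_ports=""):
    """Whole -h file -> list of (host, [ports]) targets, in file order."""
    targets = []
    for line in text.splitlines():
        target = parse_host_line(line, cli_ports)
        if target is not None:
            targets.append(target)
    return targets


# Constructed sample mirroring the valid lines listed above.
SAMPLE_HOST_FILE = """\
10.100.100.100
10.100.100.100:443
10.100.100.100,443,8443
evilash.example.com,80
"""

if __name__ == "__main__":
    for host, ports in parse_host_file(SAMPLE_HOST_FILE, cli_ports="8080"):
        print(host, ports)
```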


CONFIG FILE

       The config.txt file provides a means to set variables at run-time
       without modifying the Nikto source itself.  The options below can be
       set in the file.  Options that accept multiple values (CGIDIRS,
       SKIPPORTS, etc.) should just use a space to distinguish multiple
       values.  None of these are required unless you need them.

       CLIOPTS
              Add any option here to be added to every Nikto execution,
              whether specified at the command line or not.

       NMAP   Path to nmap.  If defined, Nikto will use nmap to port scan a
              host rather than PERL code, and so should be faster.

       SKIPPORTS
              Port number never to scan (so you don't crash services,
              perhaps?).

       PROXYHOST
              Server to use as a proxy, either IP or hostname, no 'http://'
              needed.

       PROXYPORT
              Port number that PROXYHOST uses as a proxy.

       PROXYUSER
              If the PROXYHOST requires authentication, use this ID.  Nikto
              will prompt for it if this is not set & it is needed.

       PROXYPASS
              If the PROXYHOST requires a password for PROXYUSER, use this
              password.  Nikto will prompt for it if this is not set & it is
              needed.

       PLUGINDIR
              If Nikto can't find its plugin directory for some reason, enter
              the full path and the problem is solved.

       UPDATES
              Turns data push to cirt.net on.  Please see the CIRT.NET UPDATES
              section for details.

       MAX_WARN
              If the number of OK or MOVED messages reaches this number, a
              warning will be printed.

       PROMPTS
              If set to "no", Nikto will never prompt for anything--proxy
              auth, updates, nothing...

       DEFAULTHTTPVER
              First try this HTTP method.  If this fails, Nikto will attempt
              to find a valid one.  Useful if you want to try something
              non-standard.

       STATIC-COOKIE
              The name/value of this cookie, if set, will be sent for every
              request (useful for auth cookies).

       Variables that start with the 'at' sign (@) will be used when scan
       rules are loaded.  For each value (separated by space), the rule will
       be duplicated.  See the TEST DATABASES section for more information.

       Predefined variables are:

       @CGIDIRS
              CGI directories to look for; valid ones (or all) will be used
              for CGI checks against the remote host.

       @MUTATEDIRS
              Additional directories to use when operating under the Mutate
              mode besides the ones already defined in the .db files.

       @MUTATEFILES
              Additional files to use when operating under the Mutate mode
              besides the ones already defined in the .db files.

       @ADMINDIRS
              Typical administration directories.

       @USERS Typical user names for the user guessing plugins.


CIRT.NET UPDATES

       In order to help keep the Nikto databases up-to-date, you have the
       ability to easily submit some updates back to cirt.net for inclusion in
       new copies of the databases.  Currently, this only includes software
       versions (such as "Apache/7.0.3").  If Nikto scans a host and sees a
       newer version on the host than it has in the database, or it is missing
       entirely (and your databases are fairly recent), this information can
       be automatically (or manually) sent back to cirt.net.

       Behaviour of this option is controlled in config.txt through the
       UPDATES variable.  If UPDATES is set to "no", Nikto will not send or
       ask about sending values to cirt.net.  If set to "auto", it will
       automatically send the data through an HTTP request.  If set to "yes"
       (which is the default), when there are updates it will ask if you would
       like to submit and show you the data (unless PROMPTS=no).

       There is only one thing submitted to cirt.net when you do this: the
       "updated" version string.  No information specific to the host tested
       is sent.  No information from the scanning source is sent (it does log
       your IP address as seen by cirt.net's web server, but... nothing else).

       If you're not comfortable with this, you may also email it to me at
       sullo@cirt.net or just set UPDATES=no.  Please don't complain and say
       I'm stealing your data... just trying to save me some work ;)

       Again: the default configuration of Nikto does not send any data to
       cirt.net.


TEST DATABASES

       Rules in the scan databases can use dynamic variables from config.txt.
       Any variable that starts with the 'at' sign (@) will be substituted in
       rules.  For example, a rule of

              "generic","@CGIDIRStest.html","200","GET","Test"

       with "@CGIDIRS=/cgi-bin/ /cgi-sys/" will test for:

              ·   /cgi-bin/test.html

              ·   /cgi-sys/test.html

       Any number of these variables can be set, and any number can be used in
       a rule (e.g., "@CGIDIRS@ADMINDIRStest.html").  Additionally, the
       generic @HOSTNAME and @IP are available, which use the current target's
       hostname or IP.

       Rules can be specified which also have conditionals for test success.
       This can allow a test to look for a 200 HTTP response that does not
       contain the word "home".  This would look like "200!home" in the
       scan_database.db file.
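
       How such rules expand can be seen in the following Python, an added
       example that is not Nikto's own code: it reads @-variables from
       config.txt lines, splits a rule line into its fields, produces every
       URI the rule yields for the configured values (including the combined
       "@CGIDIRS@ADMINDIRS" form and the generic @HOSTNAME/@IP), and evaluates
       a "200!home" style condition against a response.  The field order
       (server, URI, expected response, method, message) is read off the
       example rule above and is an assumption about the rest of the file.

```python
import csv
import itertools
import re


def parse_config_vars(config_text):
    """Collect @-variables from config.txt text; values are space separated
    (the form "@CGIDIRS=/cgi-bin/ /cgi-sys/" is assumed)."""
    variables = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("@") and "=" in line:
            name, _, value = line.partition("=")
            variables[name.strip()] = value.split()
    return variables


def parse_rule(rule_line):
    """Split one quoted, comma separated rule into its fields; the field
    meanings follow the example rule above (assumed order)."""
    fields = next(csv.reader([rule_line]))
    if len(fields) != 5:
        raise ValueError("expected 5 fields, got %d" % len(fields))
    return dict(zip(("server", "uri", "expect", "method", "message"), fields))


def expand_uri(uri, variables, hostname="", ip=""):
    """Every URI the rule produces: one per combination of variable values.
    Longer names are tried first so "@CGIDIRS@ADMINDIRS" splits cleanly."""
    variables = dict(variables)
    variables["@HOSTNAME"] = [hostname]
    variables["@IP"] = [ip]
    names = sorted(variables, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(n) for n in names))
    literals = pattern.split(uri)   # text around the variable references
    refs = pattern.findall(uri)     # referenced variable names, in order
    expanded = []
    for combo in itertools.product(*(variables[r] for r in refs)):
        out = literals[0]
        for value, literal in zip(combo, literals[1:]):
            out += value + literal
        expanded.append(out)
    return expanded


def response_matches(expect, status, body):
    """'200' matches status 200; '200!home' additionally requires that the
    response body does not contain 'home'."""
    code, bang, must_not = expect.partition("!")
    if str(status) != code:
        return False
    return not bang or must_not not in body


# Constructed config lines and the rule from this section.
SAMPLE_CONFIG = "@CGIDIRS=/cgi-bin/ /cgi-sys/\n@ADMINDIRS=admin/ manager/\n"
SAMPLE_RULE = '"generic","@CGIDIRStest.html","200","GET","Test"'

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    for target in expand_uri(rule["uri"], parse_config_vars(SAMPLE_CONFIG)):
        print(rule["method"], target, "expects", rule["expect"])
```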


EXAMPLES

       A basic scan of a web server on port 80.  The -h option is the only
       option that is required for a basic scan of a web server on the
       standard HTTP port.

              nikto.pl -h 10.100.100.10

       A basic scan of a web server on port 443, forcing SSL encryption and
       ignoring the Server header.  Note that Nikto does not assume port 443
       to be SSL, but if HTTP fails it will try HTTPS.

              nikto.pl -h 10.100.100.10 -p 443 -s -g

       Scanning multiple ports on the server, letting Nikto determine if they
       are HTTP and SSL encrypted.

              nikto.pl -h 10.100.100.10 -p 80-90

       Scanning specific ports on the system.

              nikto.pl -h 10.100.100.10 -p 80,443,8000,8080

       You may combine IDS evasion techniques as desired.

              nikto.pl -h 10.100.100.10 -p 80 -e 167


IMPORTANT FILES

       config.txt
              Run-time configuration options; see the CONFIG FILE section.

       nikto_core.plugin
              Main Nikto code, absolutely required.

       nikto_plugin_order.txt
              Determines the order in which plugins are executed.

       LW.pm  The stand-alone LibWhisker file.

       user_scan_database.db
              If it exists in the plugins directory, these checks will be
              loaded as well.  Same syntax as scan_database.db.


ADDITIONAL SOFTWARE

       LibWhisker is required for proper execution of Nikto.  The LW.pm
       library is included with Nikto, but it is recommended that you download
       and install the full LibWhisker module from http://www.wiretrip.net/.
       If you are not using an installed LibWhisker, you will need to change
       nikto.pl so that it includes the proper LW.pm file.  Edit nikto.pl and
       comment out the line:

              require "$NIKTO{plugindir}/LW.pm";

       and uncomment the line below it:

              use LW;

       nmap can be used to speed up port scans.  This should be much faster
       than relying on PERL code to perform port scans.  Nmap can be obtained
       from http://www.nmap.org/; it is not included with Nikto.

       SSL software is required to test using HTTPS.  For Windows systems, the
       SSL software and libraries can be obtained from
       http://www.activestate.com/.  For unix systems, OpenSSL from
       http://www.openssl.org/ and the Net::SSLeay module from
       http://www.cpan.org/ are required.


CHECKS

       Checks, both informational and actual security problems, are derived
       from a number of sources.  These include the mailing lists BugTraq,
       NTBugTraq, WebAppSec (WWW-Mobile-Code), and others, and the web sites
       www.securitytracker.com, www.securiteam.com,
       www.packetstormsecurity.com and www.securityfocus.com.  Additionally,
       updates to Nessus are watched, and many thanks to all the plugin
       writers (and to Renaud for Nessus itself) (http://www.nessus.org/).


WARNINGS

       Nikto can cause harm to your local system, the remote system and/or the
       network.  Some options can generate over 70,000 HTTP requests to a
       target.  Do not run Nikto against hosts you are not authorized to
       perform testing against.  Cirt.net takes no responsibility for anything
       done with this software, any problems it may cause or problems it may
       find.

       Plugins are standard PERL.  They are included and executed when Nikto
       is run.  If you run the -update option, new and updated plugins will be
       downloaded from cirt.net.  This means you are downloading code, and
       potentially running it, without viewing it yourself.  Please consider
       the implications.  Do not assume code distributed from Cirt.net is not
       harmful, as accidents happen and a malicious third party may have
       inserted a dangerous plugin.  Cirt.net assumes no responsibility if any
       malicious code is delivered via the -update option.


DISTRIBUTION

       Nikto and updated databases and plugins are distributed from
       http://www.cirt.net/


SEE ALSO

       LibWhisker
              http://www.wiretrip.net/

       Nmap   http://www.nmap.org/

       OpenSSL
              http://www.openssl.org/

       CPAN   http://www.cpan.org/

       ActiveState
              http://www.activestate.com/

       Nessus http://www.nessus.org/


LICENSE

       This copyright applies to all code included in this distribution, but
       does not include the LibWhisker software, which is distributed under
       its own license.

       Copyright (C) 2001-2005 Sullo/CIRT.net

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

       Contact Information: See the AUTHOR section.


AUTHOR

       Sullo, sullo@cirt.net
       http://www.cirt.net/

       Suggestions/fixes/support from: Jericho/attrition.org,
       rfp/wiretrip.net, Zel/firewallmonkeys.com, Zeno/cgisecurity.com,
       Darby/cirt.net, Valdez/cirt.net, S Saady, P Eronen/nixu.com, M Arboi,
       T Seyrat, J DePriest, P Woroshow, fr0stman, E Udassin, H Heimann and
       more

       Many tests contributed/suggested by: M Richardson,
       Jericho/attrition.org, Prickley Paw, M Arboi, H Heimann and more

       And Xiola.net for kicking ass.



Nikto 1.36                     February 12, 2007                      Nikto(1)