NIKTO(1)                                                              NIKTO(1)



NAME

       nikto - Scan web server for known vulnerabilities


SYNOPSIS

       /usr/local/bin/nikto [options...]


DESCRIPTION

       Examine a web server to find potential problems and security
       vulnerabilities, including:

       ·   Server and software misconfigurations

       ·   Default files and programs

       ·   Insecure files and programs

       ·   Outdated servers and programs

       Nikto is built on LibWhisker (by RFP) and can run on any platform which
       has a Perl environment. It supports SSL, proxies, host authentication,
       IDS evasion and more. It can be updated automatically from the
       command-line, and supports the optional submission of updated version
       data back to the maintainers.


OPTIONS

       Below are all of the Nikto command line options and explanations. A
       brief version of this text is available by running Nikto with the -h
       (-help) option.

       -Cgidirs
           Scan these CGI directories. The special words "none" or "all" may
           be used to scan no CGI directories or all of them (respectively).
           A literal value for a CGI directory such as "/cgi-test/" may be
           specified (it must include the trailing slash). If this option is
           not specified, all CGI directories listed in config.txt will be
           tested.

       -config
           Specify an alternative config file to use instead of the config.txt
           located in the install directory.

       -dbcheck
           Check the scan databases for syntax errors.

       -Display
           Control the output that Nikto shows. See Chapter 5 for detailed
           information on these options. Use the reference number or letter to
           specify the type; more than one may be given:

           1 - Show redirects

           2 - Show cookies received

           3 - Show all 200/OK responses

           4 - Show URLs which require authentication

           D - Debug Output

           V - Verbose Output

       -evasion
           Specify the LibWhisker IDS evasion technique to use (see the
           LibWhisker docs for detailed information on these). Use the
           reference number to specify the type; more than one may be given:

           1 - Random URI encoding (non-UTF8)

           2 - Directory self-reference (/./)

           3 - Premature URL ending

           4 - Prepend long random string

           5 - Fake parameter

           6 - TAB as request spacer

           7 - Change the case of the URL

           8 - Use Windows directory separator (\)

       -findonly
           Only discover the HTTP(S) ports, do not perform a security scan.
           This will attempt to connect with HTTP or HTTPS, and report the
           Server header.

       -Format
           Save the output file specified with the -o (-output) option in this
           format. If not specified, the default will be taken from the file
           extension specified in the -output option. Valid formats are:

           csv - a comma-separated list

           htm - an HTML report

           txt - a text report

           xml - an XML report

       -host
           Host(s) to target. Can be an IP address, hostname or text file of
           hosts. A single dash (-) may be used for stdout. Can also parse
           nmap -oG style output.

       -Help
           Display extended help information.

       -id
           ID and password to use for Basic host authentication. The format
           is "id:password".

       -list-plugins
           List all plugins that Nikto can run against targets and then exit
           without performing a scan. These can be tuned for a session using
           the -plugins option.

           The output format is:

           Plugin name

            full name - description

            Written by author, Copyright (C) copyright

       -mutate
           Specify the mutation technique. A mutation will cause Nikto to
           combine tests or attempt to guess values. These techniques may
           cause a tremendous number of tests to be launched against the
           target. Use the reference number to specify the type; more than one
           may be given:

           1 - Test all files with all root directories

           2 - Guess for password file names

           3 - Enumerate user names via Apache (/~user type requests)

           4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type
           requests)

           5 - Attempt to brute force sub-domain names, assuming that the host
           name is the parent domain

           6 - Attempt to guess directory names from the supplied dictionary
           file

       -mutate-options
           Provide extra information for mutates, e.g. a dictionary file.

       -nolookup
           Do not perform name lookups on IP addresses.

       -nossl
           Do not use SSL to connect to the server.

       -no404
           Disable 404 (file not found) checking. This will reduce the total
           number of requests made to the web server and may be preferable
           when checking a server over a slow link, or an embedded device.
           This will generally lead to more false positives being reported.

       -output
           Write output to the file specified. The format used will be taken
           from the file extension. This can be overridden by using the
           -Format option (e.g. to write text files with a different
           extension). Existing files will have new information appended.

       -plugins
           Select which plugins will be run on the specified targets. A comma
           separated list should be provided which lists the names of the
           plugins. The names can be found by using -list-plugins.

           There are two special entries: ALL, which specifies that all
           plugins shall be run, and NONE, which specifies that no plugins
           shall be run. The default is ALL.

       -port
           TCP port(s) to target. To test more than one port on the same host,
           specify the list of ports in the -p (-port) option. Ports can be
           specified as a range (e.g., 80-90), or as a comma-delimited list
           (e.g., 80,88,90). If not specified, port 80 is used.

       -Pause
           Seconds to delay between each test.

       -root
           Prepend the value specified to the beginning of every request. This
           is useful to test applications or web servers which have all of
           their files under a certain directory.

       -ssl
           Only test SSL on the ports specified. Using this option will
           dramatically speed up requests to HTTPS ports, since otherwise the
           HTTP request will have to time out first.

       -Single
           Perform a single request to a target server. Nikto will prompt for
           all options which can be specified, and then report the detailed
           output. See Chapter 5 for detailed information.

       -timeout
           Seconds to wait before timing out a request. The default timeout is
           10 seconds.

       -Tuning
           Tuning options control the tests that Nikto will use against a
           target. By default, if any options are specified, only those tests
           will be performed. If the "x" option is used, it will reverse the
           logic and exclude only those tests. Use the reference number or
           letter to specify the type; more than one may be given:

           0 - File Upload

           1 - Interesting File / Seen in logs

           2 - Misconfiguration / Default File

           3 - Information Disclosure

           4 - Injection (XSS/Script/HTML)

           5 - Remote File Retrieval - Inside Web Root

           6 - Denial of Service

           7 - Remote File Retrieval - Server Wide

           8 - Command Execution / Remote Shell

           9 - SQL Injection

           a - Authentication Bypass

           b - Software Identification

           c - Remote Source Inclusion

           x - Reverse Tuning Options (i.e., include all except specified)

           The given string is parsed from left to right; any x character
           applies to all characters to the right of it.
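           The following is an added illustration, not code from Nikto or
           its man page: a small Python model of how a -Tuning string is
           turned into a set of test categories under the left-to-right rule
           above. It assumes that codes given before an "x" stay selected and
           that the "x" switches to "everything except what follows"; Nikto's
           own parser may differ in edge cases, so check its source before
           relying on it for a scan plan.

```python
# Added example (not Nikto's own code): a model of how a -Tuning string
# selects test categories, built from the rule stated in the man page.
# Nikto's real parser may treat edge cases differently; check its source.

TUNING_CATEGORIES = {
    "0": "File Upload",
    "1": "Interesting File / Seen in logs",
    "2": "Misconfiguration / Default File",
    "3": "Information Disclosure",
    "4": "Injection (XSS/Script/HTML)",
    "5": "Remote File Retrieval - Inside Web Root",
    "6": "Denial of Service",
    "7": "Remote File Retrieval - Server Wide",
    "8": "Command Execution / Remote Shell",
    "9": "SQL Injection",
    "a": "Authentication Bypass",
    "b": "Software Identification",
    "c": "Remote Source Inclusion",
}


def select_tuning(tuning: str) -> set[str]:
    """Return the category codes a -Tuning string enables.

    No string: every category runs.  Otherwise only the listed codes run,
    except that an 'x' reverses the logic for what follows it: the full set
    is taken and the codes after the 'x' are removed.  Unknown characters
    raise ValueError rather than being silently ignored.
    """
    everything = set(TUNING_CATEGORIES)
    if not tuning:
        return everything
    selected: set[str] = set()
    excluding = False
    for ch in tuning:
        if ch == "x":
            # Reverse: start from the full set and drop whatever follows.
            selected |= everything
            excluding = True
        elif ch not in TUNING_CATEGORIES:
            raise ValueError(f"unknown -Tuning code {ch!r}")
        elif excluding:
            selected.discard(ch)
        else:
            selected.add(ch)
    return selected


def describe_tuning(tuning: str) -> list[str]:
    """Category names for a tuning string, e.g. for a scan plan review."""
    return [TUNING_CATEGORIES[c] for c in sorted(select_tuning(tuning))]
```

           Under this model "x6" runs everything except the Denial of Service
           checks, which is the usual way to keep a scan from stressing a
           production host.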

       -useproxy
           Use the HTTP proxy defined in the configuration file.

       -update
           Update the plugins and databases directly from cirt.net.

       -Version
           Display the Nikto software, plugin and database versions.

       -vhost
           Specify the Host header to be sent to the target.


FILES

       nikto.conf
           The Nikto configuration file. This sets Nikto's global options.
           Several nikto.conf files may exist and are parsed in the order
           below. As each configuration file is loaded it supersedes any
           previously set configuration:

           ·   System wide (e.g. /etc/nikto.conf)

           ·   Home directory (e.g. $HOME/nikto.conf)

           ·   Current directory (e.g. ./nikto.conf)

       ${NIKTO_DIR}/plugins/db*
           The db files are the databases that nikto uses to check for
           vulnerabilities and issues within the web server.

       ${NIKTO_DIR}/plugins/*.plugin
           All of nikto's plugins exist here. Nikto itself is just a wrapper
           script to manage the CLI and pass through to the plugins.

       ${NIKTO_DIR}/templates
           Contains the templates for nikto's output formats.


BUGS

       The following features are not currently supported:

       ·   SOCKS Proxies


AUTHORS

       Nikto was originally written and maintained by Sullo, CIRT, Inc. It is
       currently maintained by David Lodge. See the main documentation for
       other contributors.

       All code is (C) CIRT, Inc., except LibWhisker which is (C) rfp.labs
       (wiretrip.net). Other portions of code may be (C) as specified.


SEE ALSO

       Nikto Homepage[1]


NOTES

        1. Nikto Homepage
           http://www.cirt.net/



                                 01/19/2010                          NIKTO(1)