Introduction
Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.
One of its key features is scanning for Common Gateway Interface (CGI) directories. CGI scripts can be a source of significant vulnerabilities if not properly secured. By default, Nikto scans for a predefined list of common CGI directories. However, for more efficient and targeted scanning, it's crucial to know how to control this behavior.
In this lab, you will learn how to use Nikto's -Cgidirs option to manage CGI directory scanning, including disabling it, scanning all possible directories, and specifying custom directories to test.
Understand Nikto's default CGI directory scanning behavior
In this step, you will start a simple web server and run a default Nikto scan to observe its standard behavior for finding CGI directories.
First, let's set up a simple web server to scan. We will use Python's built-in http.server module for this.
Navigate to the webroot directory we prepared for you.
cd ~/project/webroot
Now, start the web server on port 8000. The & at the end of the command will run the server in the background, allowing you to continue using the terminal.
python3 -m http.server 8000 &
You should see a message indicating the server is running.
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
With the server running, let's perform a basic Nikto scan against it. The -h option is used to specify the target host.
nikto -h http://localhost:8000
After the scan completes, review the output. Nikto checks for many things; pay attention to the line that reports on CGI directories. /cgi-bin/ is one of the common directories Nikto checks by default, so it may be reported here, although, as the sample output below shows, a default scan can also report No CGI directories found.
- Nikto v2.x
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 8000
+ Start Time: ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" not found.
+ OSVDB-3233: /: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /: This might be interesting...
+ /index.html: This might be interesting...
+ 7 items found on remote host
+ End Time: ...
---------------------------------------------------------------------------
+ 1 host(s) tested
Note: In some newer Nikto versions or configurations, the default scan might not report /cgi-bin/ unless a specific test triggers it. The key takeaway is that a default set of paths is being checked. We will force these checks in the next steps to see clearer results.
Use -Cgidirs none to disable all CGI directory scanning
In this step, you will learn how to completely disable CGI directory scanning. This is useful when you want to perform a quick scan focused on other vulnerabilities or when you are certain the target server does not use CGI scripts.
The -Cgidirs option controls CGI scanning. By setting its value to none, you instruct Nikto to skip this part of the test entirely.
Run the following command to scan the server again, but this time with CGI scanning disabled:
nikto -h http://localhost:8000 -Cgidirs none
Examine the output. It is very similar to the previous scan, but instead of No CGI directories found it contains a line explicitly confirming that CGI directory scanning has been disabled. This time nothing was found because we told Nikto not to look for CGI directories at all, which also makes the scan slightly faster.
- Nikto v2.x
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 8000
+ Start Time: ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ CGI directory scanning has been disabled.
+ "robots.txt" not found.
+ OSVDB-3233: /: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /: This might be interesting...
+ /index.html: This might be interesting...
+ 7 items found on remote host
+ End Time: ...
---------------------------------------------------------------------------
+ 1 host(s) tested
Notice the line + CGI directory scanning has been disabled., which confirms that the option took effect.
Use -Cgidirs all to scan all configured CGI directories
In this step, you will use the all value for the -Cgidirs option. This forces Nikto to perform the most comprehensive CGI scan by checking every directory listed in its internal configuration. This is more thorough than the default scan.
Run the Nikto scan with the -Cgidirs all option:
nikto -h http://localhost:8000 -Cgidirs all
Now, inspect the output carefully. This time, Nikto will explicitly report the /cgi-bin/ directory because our test server has it and the all flag ensures it's checked.
- Nikto v2.x
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 8000
+ Start Time: ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3233: /cgi-bin/: Directory indexing found.
+ OSVDB-3092: /cgi-bin/: This might be interesting...
+ "robots.txt" not found.
+ OSVDB-3233: /: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /: This might be interesting...
+ /index.html: This might be interesting...
+ 8 items found on remote host
+ End Time: ...
---------------------------------------------------------------------------
+ 1 host(s) tested
You can see two new findings related to /cgi-bin/, confirming that the forced check succeeded.
Specify a custom CGI directory path to scan
In this step, you'll learn how to scan for specific, non-standard CGI directories. This is extremely useful when you are assessing a custom web application that places its scripts in unique locations.
Our setup includes a directory named /cgi-custom/. A default Nikto scan would not find this. We can tell Nikto to check for it specifically by passing the path to the -Cgidirs option.
Run the following command to scan only for the /cgi-custom/ directory:
nikto -h http://localhost:8000 -Cgidirs /cgi-custom/
Review the output. Nikto will now report that it has found /cgi-custom/. It will not report /cgi-bin/ because we limited the scan to only the path we specified.
- Nikto v2.x
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 8000
+ Start Time: ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3233: /cgi-custom/: Directory indexing found.
+ OSVDB-3092: /cgi-custom/: This might be interesting...
+ "robots.txt" not found.
+ OSVDB-3233: /: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /: This might be interesting...
+ /index.html: This might be interesting...
+ 8 items found on remote host
+ End Time: ...
---------------------------------------------------------------------------
+ 1 host(s) tested
As you can see, the scan successfully identified the custom directory, demonstrating how you can tailor Nikto's CGI scanning to your specific needs.
Compare results from different CGI scanning strategies
In this final step, let's review and compare the results from the different scanning strategies you've used. This will help solidify your understanding of how to control Nikto's CGI scanning.
You have performed four distinct types of scans:
- Default Scan (nikto -h ...): Scanned a default list of common directories. In our case, it did not flag /cgi-bin/ initially, even though the directory was present. This scan provides a good baseline.
- No CGI Scan (-Cgidirs none): Completely skipped all CGI directory checks. The output confirmed that CGI directory scanning has been disabled. This is the fastest option if you don't need to check for CGI.
- All CGI Scan (-Cgidirs all): Forced a check of all CGI directories known to Nikto. This scan successfully found and reported our /cgi-bin/ directory. This is the most thorough but also the slowest option.
- Custom CGI Scan (-Cgidirs /cgi-custom/): Scanned only for the specific directory /cgi-custom/ and successfully found it, ignoring all others such as /cgi-bin/. This is the most targeted approach.
Choosing the right strategy depends on your goal:
- For a quick overview, the default scan is often sufficient.
- To be absolutely thorough, use all.
- To save time on a known non-CGI server, use none.
- For custom applications, specifying custom paths is the most efficient method.
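To make this comparison repeatable, here is an added shell example (not part of the lab) that reduces each Nikto text report to its CGI-directory status, the number of distinct /cgi-*/ directories reported, and the total item count, so the four -Cgidirs strategies can be compared line for line. The run_strategy wrapper and the embedded sample reports are my own constructions based on the report layout shown above.

```shell
# Added example, not part of the lab: summarise the CGI-directory findings in a Nikto
# text report so the four -Cgidirs strategies can be compared side by side.
# Assumes the plain-text report layout shown in the lab; the sample reports are constructed.
set -u

# Read a Nikto text report on stdin and print one summary line:
#   status   = disabled | none-found | scanned
#   cgi_dirs = number of distinct /cgi-*/ directories Nikto reported on
#   items    = the report's "items found on remote host" count
cgi_summary() {
  awk '
    /^\+ CGI directory scanning has been disabled/ { status = "disabled" }
    /^\+ No CGI directories found/                  { status = "none-found" }
    /^\+ OSVDB-[0-9]+: \/cgi-[^ ]*\/:/               { d = $3; sub(/:$/, "", d); dirs[d] = 1 }
    /items found on remote host/                    { items = $2 }
    END {
      n = 0; for (d in dirs) n++
      printf "status=%s cgi_dirs=%d items=%s\n", (status == "" ? "scanned" : status), n, items
    }'
}

# Run one scan with the given -Cgidirs value ("default" omits the option), keep the
# report on disk for later diffing, and print its summary. Requires nikto on PATH.
run_strategy() {  # run_strategy <label> <default|none|all|/path/> <target-url>
  local report="nikto-$1.txt"
  if [ "$2" = default ]; then
    nikto -h "$3" > "$report"
  else
    nikto -h "$3" -Cgidirs "$2" > "$report"
  fi
  cgi_summary < "$report"
}

# Constructed reports, trimmed to the lines that matter for the comparison.
REPORT_NONE='+ CGI directory scanning has been disabled.
+ 7 items found on remote host'
REPORT_ALL='+ OSVDB-3233: /cgi-bin/: Directory indexing found.
+ OSVDB-3092: /cgi-bin/: This might be interesting...
+ OSVDB-3233: /: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 8 items found on remote host'

# Compare the constructed reports; with nikto installed, use run_strategy instead, e.g.
#   run_strategy all all http://localhost:8000
compare_demo() {
  printf 'none : %s\n' "$(printf '%s\n' "$REPORT_NONE" | cgi_summary)"
  printf 'all  : %s\n' "$(printf '%s\n' "$REPORT_ALL" | cgi_summary)"
}
compare_demo
```

Saving each report to its own file lets you diff the none, all and custom runs directly and confirm that only the CGI-directory lines and the item count differ.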
Finally, let's clean up by stopping the Python web server. Since it was the first and only background job you started, you can stop it with the kill %1 command.
kill %1
You will see a "Terminated" message, confirming the server has been shut down.
Summary
In this lab, you have gained hands-on experience with controlling CGI directory scanning in Nikto. You learned how to start a simple web server for testing purposes and then applied different scanning strategies using the -Cgidirs option.
You have successfully:
- Performed a default Nikto scan.
- Disabled CGI scanning entirely using -Cgidirs none.
- Conducted a comprehensive scan of all known CGI directories with -Cgidirs all.
- Targeted a specific, non-standard directory by providing a custom path.
By mastering these options, you can now run more efficient, targeted, and effective web server vulnerability scans with Nikto, tailoring your tests to the specific characteristics of your target.