Control Scan Behavior with Tuning Options in Nikto


Introduction

Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.

While a default scan is thorough, it can also be time-consuming and generate a lot of output. For more targeted assessments, Nikto provides the -Tuning option. This feature allows you to specify which types of tests to run, making your scans faster and more focused.

In this lab, you will learn how to use the -Tuning option to control Nikto's scan behavior. You will practice running scans with different tuning levels to find specific vulnerabilities and compare the results.

Understand the purpose of the -Tuning option

In this step, you will learn about the -Tuning option and the different test categories it can control. The -Tuning option helps you focus the scan on specific areas of interest, saving time and reducing noise in the output.

Nikto categorizes its tests into several types. You can use a number or letter to select a specific category. Let's look at the main tuning options available. You can see these by viewing the help information.

Execute the following command to display Nikto's help menu. Note that -h is also Nikto's host option: with no host given, Nikto falls back to printing the short usage text, and -H prints the full help.

nikto -h

Scroll through the output and find the -Tuning section. It will look similar to this:

   -Tuning
       Tuning options control the tests that Nikto will run against a target.
       By default, Nikto runs its default set of tests. The options are single
       characters that are concatenated into one string, so they can be
       combined (e.g. -Tuning 12 runs categories 1 and 2).
       The options are:
           0 - File Upload
           1 - Interesting File / Seen in logs
           2 - Misconfiguration / Default File
           3 - Information Disclosure
           4 - Injection (XSS/Script/HTML)
           5 - Remote File Retrieval - Inside Web Root
           6 - Denial of Service
           7 - Remote File Retrieval - Server Wide
           8 - Command Execution / Remote Shell
           9 - SQL Injection
           a - Authentication Bypass
           b - Software Identification
           c - Remote Source Inclusion
           x - Reverse Tuning Options (i.e., include all except specified)

Each character selects one test category: 1 is "Interesting File / Seen in logs", 2 is "Misconfiguration / Default File", and so on. The tuning string is a list of characters rather than a number, so 12 means categories 1 and 2, not twelve. The x option is special: it reverses the logic, telling Nikto to run every test except the categories listed with it.
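To make the selection rule concrete, here is an added shell script (not part of Nikto or of this lab) that resolves a -Tuning string to the categories it selects, following the rule described above: characters are concatenated, and an x turns the list into an exclusion list. The category table is the one this lab's help output shows; the function names are this example's own, and newer Nikto releases may list additional categories, so treat `nikto -H` as authoritative.

```shell
#!/bin/sh
# Added example (not part of Nikto): resolve a -Tuning string to the set of
# categories it selects, using the rule the help text describes: characters
# are concatenated, and an x means "everything except the listed categories".
# The category table below is the one shown in this lab's help output; newer
# Nikto releases may list additional categories, so check `nikto -H`.

TUNING_CODES="0123456789abc"   # every category code this table knows about

# tuning_name CODE -> the category name for one code (fails on unknown codes)
tuning_name() {
    case "$1" in
        0) echo "File Upload" ;;
        1) echo "Interesting File / Seen in logs" ;;
        2) echo "Misconfiguration / Default File" ;;
        3) echo "Information Disclosure" ;;
        4) echo "Injection (XSS/Script/HTML)" ;;
        5) echo "Remote File Retrieval - Inside Web Root" ;;
        6) echo "Denial of Service" ;;
        7) echo "Remote File Retrieval - Server Wide" ;;
        8) echo "Command Execution / Remote Shell" ;;
        9) echo "SQL Injection" ;;
        a) echo "Authentication Bypass" ;;
        b) echo "Software Identification" ;;
        c) echo "Remote Source Inclusion" ;;
        *) echo "unknown tuning option: $1" >&2; return 1 ;;
    esac
}

# tuning_codes STRING -> the selected codes as one string, in table order.
# "12" -> "12"; "x1" -> "023456789abc". An unknown character is an error so a
# typo cannot silently change the scope of a scan.
tuning_codes() {
    spec="$1"; invert=0; listed=""
    [ -n "$spec" ] || { echo "empty tuning string" >&2; return 1; }
    rest="$spec"
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}; rest=${rest#?}   # peel off the first character
        if [ "$ch" = x ]; then
            invert=1
            continue
        fi
        case "$TUNING_CODES" in
            *"$ch"*) listed="$listed$ch" ;;
            *) echo "unknown tuning option: $ch" >&2; return 1 ;;
        esac
    done
    out=""; rest="$TUNING_CODES"
    while [ -n "$rest" ]; do
        code=${rest%"${rest#?}"}; rest=${rest#?}
        case "$listed" in *"$code"*) hit=1 ;; *) hit=0 ;; esac
        if [ "$hit" -ne "$invert" ]; then   # selected when (listed XOR inverted)
            out="$out$code"
        fi
    done
    printf '%s\n' "$out"
}

# resolve_tuning STRING -> one "code  name" line per selected category
resolve_tuning() {
    codes=$(tuning_codes "$1") || return 1
    rest="$codes"
    while [ -n "$rest" ]; do
        code=${rest%"${rest#?}"}; rest=${rest#?}
        printf '%s  %s\n' "$code" "$(tuning_name "$code")"
    done
}

echo "-Tuning 12 runs:"; resolve_tuning 12
echo "-Tuning x1 runs:"; resolve_tuning x1
```

Run `resolve_tuning x6` before a scan of a production host to confirm that only the "Denial of Service" category drops out; the function refuses strings containing characters outside the table, which is the check you want before a long scan starts with the wrong scope.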

Run a scan with -Tuning 1 for Interesting Files

In this step, you will perform a focused scan to search only for "Interesting Files". This type of scan looks for files that may not be directly linked from the web application but could contain sensitive information, such as backup files, configuration files, or logs. Our setup script created a config.bak file for this purpose.

We will use the -Tuning 1 option to tell Nikto to only run tests from the "Interesting File / Seen in logs" category. The web server is running on 127.0.0.1 at port 8000.

Run the following command in your terminal:

nikto -h http://127.0.0.1:8000 -Tuning 1

After the scan completes, you will see output similar to the following. Notice that Nikto found the config.bak file.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ /config.bak: A backup file was found.
+ 1 host(s) tested

This demonstrates how you can quickly find potentially sensitive files without running a full, time-consuming scan.

Run a scan with -Tuning 2 for Misconfiguration

In this step, you will use the -Tuning 2 option to scan for common server misconfigurations and default files. A common misconfiguration is directory indexing: when a directory has no index file (such as index.html), the server returns a listing of its contents, exposing file names an attacker would otherwise have to guess. Python's built-in http.server, which identifies itself as SimpleHTTP in the Server header, does this by default, so the lab's target is expected to show it.

Let's run a scan focused solely on misconfigurations.

Execute this command:

nikto -h http://127.0.0.1:8000 -Tuning 2

The output will show findings related to misconfigurations. You should see a message indicating that directory indexing is enabled.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ /: Directory indexing is enabled.
+ 1 host(s) tested

Note that this scan did not report the config.bak file because we limited the tests to the "Misconfiguration" category.

Use -Tuning x to perform an Inverse Tuning scan

In this step, you will learn how to use inverse tuning. Sometimes you want to run a broad scan but exclude a specific category of tests that you know is irrelevant or too noisy. The x option in -Tuning allows you to do this. A common real-world use is -Tuning x6, which runs everything except the "Denial of Service" category against a host you cannot afford to disrupt.

For example, let's say you want to run all tests except for the "Interesting File" checks. You can achieve this by combining x with 1.

Run the following command to perform an inverse scan that excludes "Interesting File" tests:

nikto -h http://127.0.0.1:8000 -Tuning x1

Observe the output. You will see various findings, such as the directory indexing misconfiguration, but the config.bak file will not be reported.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ /: Directory indexing is enabled.
...
+ 1 host(s) tested

Inverse tuning is a powerful way to customize your scans by removing specific checks that are not needed for your current assessment.

Compare the output from different tuning levels

In this final hands-on step, you will combine multiple tuning options to create a more comprehensive, yet still customized, scan. The -Tuning option accepts several category characters in one string and runs the tests from all of the listed categories.

Let's run a scan that combines the search for "Interesting Files" (1) and "Misconfigurations" (2).

Execute the following command:

nikto -h http://127.0.0.1:8000 -Tuning 12

Now, examine the output. You will see that Nikto reports findings from both categories. It will find both the config.bak file and the directory indexing issue.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ /: Directory indexing is enabled.
+ /config.bak: A backup file was found.
+ 1 host(s) tested

By comparing the results from this scan with the previous ones, you can clearly see how the -Tuning option allows you to precisely control the scope of your security assessment. You can mix and match options to build the exact scan you need.
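Comparing scans by eye does not scale past a handful of findings. The following added shell script (not part of the lab or of Nikto) saves each tuned scan to a text file with Nikto's -o and -Format txt options, extracts the finding lines while dropping the banner fields every report repeats, and diffs two scans with comm. The function names are this example's own, and the sample input is a constructed copy of the three outputs shown in the lab, so the script runs without a live target.

```shell
#!/bin/sh
# Added example (not part of Nikto or the lab): save each tuned scan to a file,
# then extract and compare the findings across tuning levels. Everything below
# runs against constructed copies of the lab's scan output, so it works without
# a live target; scan_with_tuning shows how the real files would be produced.
export LC_ALL=C   # sort and comm must agree on collation

# scan_with_tuning TARGET TUNING OUTFILE -> run one tuned scan and save it as text
scan_with_tuning() {
    nikto -h "$1" -Tuning "$2" -o "$3" -Format txt
}

# nikto_findings FILE -> the "+ ..." finding lines, without the per-scan banner
# fields (target, times, server string, host count) that every scan repeats
nikto_findings() {
    grep '^+ ' "$1" \
      | grep -v -E '^\+ (Target IP|Target Hostname|Target Port|Start Time|End Time|Server:|[0-9]+ host\(s\) tested)' \
      | sort -u
}

# finding_count FILE -> number of distinct findings
finding_count() {
    nikto_findings "$1" | wc -l | tr -d ' '
}

# findings_only_in FILE_A FILE_B -> findings reported in A but not in B
findings_only_in() {
    a=$(mktemp); b=$(mktemp)
    nikto_findings "$1" > "$a"
    nikto_findings "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# --- constructed sample output, modelled on the lab's three scans -------------
SCAN_DIR=$(mktemp -d)
trap 'rm -rf "$SCAN_DIR"' EXIT

banner() {   # the header every Nikto text report carries (timestamp is made up)
    cat <<EOF
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         2024-01-01 00:00:00 (GMT0)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
EOF
}
{ banner; echo "+ /config.bak: A backup file was found."; echo "+ 1 host(s) tested"; } > "$SCAN_DIR/tuning_1.txt"
{ banner; echo "+ /: Directory indexing is enabled."; echo "+ 1 host(s) tested"; } > "$SCAN_DIR/tuning_2.txt"
{ banner; echo "+ /: Directory indexing is enabled."; echo "+ /config.bak: A backup file was found."; echo "+ 1 host(s) tested"; } > "$SCAN_DIR/tuning_12.txt"

echo "findings per scan:"
for f in tuning_1 tuning_2 tuning_12; do
    echo "  $f: $(finding_count "$SCAN_DIR/$f.txt")"
done
echo "in -Tuning 12 but not in -Tuning 2:"
findings_only_in "$SCAN_DIR/tuning_12.txt" "$SCAN_DIR/tuning_2.txt"
```

Against the lab target, `scan_with_tuning http://127.0.0.1:8000 1 tuning_1.txt` followed by `scan_with_tuning http://127.0.0.1:8000 12 tuning_12.txt` and then `findings_only_in tuning_12.txt tuning_1.txt` lists exactly what adding category 2 contributed; the banner filter is what keeps the timestamps from showing up as spurious differences.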

Summary

In this lab, you have learned how to effectively control Nikto's scanning behavior using the -Tuning option. This powerful feature is essential for conducting efficient and focused web security assessments.

You practiced:

  • Understanding the different test categories available in Nikto.
  • Running a focused scan for "Interesting Files" using -Tuning 1.
  • Scanning for "Misconfigurations" using -Tuning 2.
  • Performing an inverse scan to exclude specific tests using -Tuning x.
  • Combining multiple tuning options to create a custom scan profile.

By mastering the -Tuning option, you can significantly improve your workflow with Nikto, allowing you to quickly zero in on specific types of vulnerabilities and reduce the time spent analyzing scan results.