Disable DNS Lookups for Faster Scans in Nikto


Introduction

Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.

By default, Nikto performs reverse DNS lookups on IP addresses it finds in the web server's content. While this can be useful for discovering related hostnames, it can also significantly slow down the scan, especially when scanning large networks or unresponsive targets.

In this lab, you will learn how to use the -nolookup option to disable this feature and compare the scan times to understand the performance benefits.

Understand the purpose of the -nolookup option

In this step, you will learn about the -nolookup option in Nikto.

When Nikto scans a web server, it may find IP addresses in the server's configuration files, logs, or web pages. By default, Nikto attempts to perform a reverse DNS lookup for each of these IPs to find their associated hostnames. This process can be time-consuming.

The -nolookup option tells Nikto to skip this step entirely. This can result in a much faster scan, but you will miss out on potentially valuable information about other hostnames associated with the target.

You can see this option and others by viewing the Nikto help menu. Let's do that now.

Execute the following command in your terminal:

nikto -Help

Scroll through the output and find the -nolookup option. It will be listed with a brief description.

...
-nolookup           Skip name lookups
...

Now that you understand what -nolookup does, we can proceed to see it in action.

Run a baseline scan against a target using its IP address

In this step, you will perform a standard Nikto scan against a local web server. We will use the time command to measure how long the scan takes. This will serve as our baseline for comparison.

The lab environment has already started a simple Nginx web server running on 127.0.0.1. We will use this as our target.

To run the scan and time it, execute the following command:

time nikto -h 127.0.0.1

The scan will start, and you will see output similar to the following. Please be patient as it may take a minute to complete.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ Retrieved x-powered-by header: PHP/8.1.2
+ Allowed HTTP Methods: GET, HEAD
+ Public HTTP Methods: GET, HEAD
+ OSVDB-3233: /index.html: Server may leak inodes via ETags, header found with file /var/www/html/index.html inode 262204, size 612, mtime ...
+ 7554 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           ... (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

real    0m15.543s
user    0m14.987s
sys     0m0.312s

Pay close attention to the last three lines, which are the output from the time command. The real time is the total wall-clock time elapsed. Note this value down for the next step.

Run the same scan again with the -nolookup flag

Now that you have a baseline execution time, let's run the exact same scan but with the -nolookup flag added. This will prevent Nikto from performing any reverse DNS lookups.

Execute the following command in your terminal:

time nikto -h 127.0.0.1 -nolookup

The scan will run again. The Nikto output itself will be very similar to the previous scan, but you should notice a difference in the execution time reported by the time command.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        80
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ Retrieved x-powered-by header: PHP/8.1.2
+ Allowed HTTP Methods: GET, HEAD
+ Public HTTP Methods: GET, HEAD
+ OSVDB-3233: /index.html: Server may leak inodes via ETags, header found with file /var/www/html/index.html inode 262204, size 612, mtime ...
+ 7554 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           ... (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

real    0m8.123s
user    0m7.890s
sys     0m0.201s

Notice that the Target Hostname in the output is now 127.0.0.1 instead of localhost. This is because Nikto did not perform the reverse lookup to resolve the IP to a hostname. Also, take note of the new real time.

Compare the execution time of both scans

In this step, you will analyze the results from the previous two steps to see the performance impact of the -nolookup flag.

Let's look at the real time from both commands.

Scan 1 (Baseline): real 0m15.543s (Your time may vary slightly)

Scan 2 (with -nolookup): real 0m8.123s (Your time may vary slightly)

As you can see, the scan with the -nolookup flag completed significantly faster. In this example, it was almost twice as fast. The performance gain can be even more dramatic when scanning multiple hosts or targets on slow or misconfigured networks where DNS lookups might time out.

This simple comparison demonstrates the direct performance benefit of disabling DNS lookups in your Nikto scans.
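The manual comparison above can be scripted so the two runs are timed the same way and the speed-up is computed rather than eyeballed. The following POSIX shell script is an added example, not part of the lab; it assumes nikto is on PATH and, when given a target argument, scans it exactly as the lab does (baseline, then -nolookup). Its helpers also convert the `real` values you noted down by hand (e.g. 0m15.543s) into seconds and pull the Target Hostname line out of a saved report.

```shell
#!/bin/sh
# Added example (not part of the lab): time a Nikto scan with and without
# -nolookup and report the speed-up. Assumes nikto is on PATH; the default
# target is the lab's 127.0.0.1 web server.

# Convert the "real" field of shell `time` output, e.g. "0m15.543s", to
# plain seconds, so values noted by hand can be compared numerically.
real_to_seconds() {
    field="$1"
    minutes="${field%%m*}"
    seconds="${field#*m}"
    seconds="${seconds%s}"
    awk -v m="$minutes" -v s="$seconds" 'BEGIN { printf "%.3f", m * 60 + s }'
}

# Speed-up factor of the baseline over the -nolookup run, two decimals.
speedup() {
    awk -v base="$1" -v fast="$2" 'BEGIN { printf "%.2f", base / fast }'
}

# Extract the "Target Hostname" value from a Nikto report read on stdin:
# the reverse-DNS name without -nolookup, the raw IP with it.
target_hostname() {
    sed -n 's/^+ Target Hostname:[[:space:]]*//p'
}

# Run one scan of $1, save the report to $2 (extra nikto arguments follow),
# and print the wall-clock seconds taken.
timed_scan() {
    target="$1"; report="$2"; shift 2
    start=$(date +%s.%N)
    nikto -h "$target" "$@" >"$report" 2>&1
    end=$(date +%s.%N)
    awk -v s="$start" -v e="$end" 'BEGIN { printf "%.3f", e - s }'
}

# Baseline scan, then the same scan with -nolookup, then the comparison.
compare_scans() {
    target="${1:-127.0.0.1}"
    base=$(timed_scan "$target" baseline.txt)
    fast=$(timed_scan "$target" nolookup.txt -nolookup)
    printf 'baseline : %ss (hostname: %s)\n' "$base" "$(target_hostname <baseline.txt)"
    printf '-nolookup: %ss (hostname: %s)\n' "$fast" "$(target_hostname <nolookup.txt)"
    printf 'speed-up : %sx\n' "$(speedup "$base" "$fast")"
}

# Only scan when a target is given on the command line, e.g.:
#   sh nikto_bench.sh 127.0.0.1
if [ $# -gt 0 ]; then
    compare_scans "$1"
fi
```

Applied to the lab's own numbers, `speedup "$(real_to_seconds 0m15.543s)" "$(real_to_seconds 0m8.123s)"` prints 1.91, the "almost twice as fast" figure from the comparison.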

Analyze when to use this performance optimization

In this final step, we'll discuss the trade-offs and determine when it's appropriate to use the -nolookup option.

While -nolookup provides a clear performance boost, it comes at the cost of potentially missing information. Reverse DNS lookups can help you discover other hostnames and virtual hosts associated with an IP address, which can be crucial for a comprehensive security assessment.

So, when should you use -nolookup?

  • Initial Scans & Triage: When you are scanning a large number of hosts and want to get a quick overview of potential vulnerabilities. Speed is more important than exhaustive detail at this stage.
  • Scanning by IP Address: If your target list consists solely of IP addresses and you are not concerned with discovering associated domain names, using -nolookup is a logical choice.
  • Unreliable Networks: When scanning over a slow or unreliable network connection where DNS queries might fail or time out, -nolookup can prevent the scan from stalling.
  • When Speed is Critical: In time-sensitive situations, such as a penetration testing competition or a rapid incident response, the speed gained from this option can be invaluable.

When should you avoid -nolookup?

  • Comprehensive Assessment: When performing a full, in-depth security audit of a specific target, you want as much information as possible. The hostnames discovered through DNS lookups could reveal additional attack surfaces.
  • Virtual Host Discovery: If you suspect the target IP hosts multiple websites (virtual hosting), you should allow Nikto to perform lookups to help identify them.

Understanding this trade-off between speed and thoroughness allows you to use Nikto more effectively for different scenarios.

Summary

In this lab, you learned how to optimize your Nikto scans for speed. You started by understanding the purpose of the -nolookup flag, which disables reverse DNS lookups.

You then performed two scans: a baseline scan and a second scan using the -nolookup option. By comparing the execution times with the time command, you observed a significant performance improvement.

Finally, you analyzed the trade-offs, concluding that -nolookup is ideal for rapid, large-scale scans or when speed is a priority, while full scans for comprehensive assessments should omit this flag to gather as much information as possible.