Exclude Specific Plugins from a Scan in Nikto


Introduction

Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. However, sometimes a full scan can be too "noisy" or produce false positives. In this lab, you will learn how to refine your Nikto scans by excluding specific plugins, making your results more focused and actionable.

Identify a noisy or unwanted plugin from a full scan

In this step, we will perform a basic Nikto scan against a test web server. This initial scan will serve as a baseline, allowing us to see all the findings generated by the default set of plugins. From this full report, we can identify plugins that we might want to exclude in future scans.

First, ensure you are in the ~/project directory. Our setup script has already started a simple web server in the background. Let's run a standard Nikto scan against it. The -h option is used to specify the target host.

Execute the following command in your terminal:

nikto -h http://127.0.0.1:8000

After the scan completes, you will see a report. Your output will look similar to this, though the server version and other details may vary.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server:             SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3233: /cgi-bin/: This might be interesting...
+ 7558 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           ...
---------------------------------------------------------------------------
+ 1 host(s) tested

In the output above, notice the line "+ OSVDB-3233: /cgi-bin/: This might be interesting...". This finding is generated by the cgi plugin. For this lab, we will pretend that /cgi-bin/ is an expected directory and that the finding is just "noise" we want to suppress.

Use the -plugins option with a leading hyphen

In this step, we'll learn about the syntax used to control which plugins Nikto runs. Nikto provides the -plugins option for this purpose. To exclude a plugin, you provide its name with a leading hyphen (-).

To know which plugins are available to be included or excluded, you can use the -list-plugins option. This will print a list of all available plugins with a brief description of each.

Let's list all the plugins:

nikto -list-plugins

The output will be a long list. Here is a small sample of what you will see:

- Nikto v2.5.0
---------------------------------------------------------------------------
Loaded Main Plugins:
 - apache_expect_header
   Apache Expect header XSS (CVE-2006-3918)
 - apache_users
   Checks for sensitive files in ~user directories
 - auth
   Checks for authentication problems
 - cgi
   Checks for CGI directories
 - clientaccesspolicy
   Checks for permissive Client Access Policy (Silverlight)
... (list continues) ...

From this list, you can find the exact names of plugins you wish to exclude, such as cgi which we identified in the previous step.

Construct the command to exclude a single plugin

In this step, we will combine what we've learned to construct the command for a new scan that excludes a single plugin. We will target the cgi plugin that we identified in Step 1.

The syntax is straightforward: you append the -plugins option to your normal scan command, followed by the plugin name prefixed with a hyphen.

The command structure is: nikto -h [target] -plugins -[plugin_to_exclude]

Based on this structure, the command to scan our local server while excluding the cgi plugin is:

nikto -h http://127.0.0.1:8000 -plugins -cgi

This command tells Nikto to perform its standard scan on http://127.0.0.1:8000 but to skip any checks associated with the cgi plugin. In the next step, we will execute this command and observe the difference in the output.

Run the scan and verify the plugin was skipped

In this step, you will execute the command we constructed in the previous step. By running the scan with the cgi plugin excluded, we expect the report to no longer contain the finding related to the /cgi-bin/ directory.

Now, run the command in your terminal:

nikto -h http://127.0.0.1:8000 -plugins -cgi

The scan will run again, but this time it will be slightly faster as it's performing fewer checks. The output should look like this:

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server:             SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ 7557 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           ...
---------------------------------------------------------------------------
+ 1 host(s) tested

Compare this output to the one from Step 1. You will notice that the line + OSVDB-3233: /cgi-bin/: This might be interesting... is now missing. This confirms that we have successfully excluded the cgi plugin from our scan.
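To check the result mechanically rather than by eye, the added script below (not from the lab or the Nikto project; the function and variable names are my own) extracts the finding lines from two saved Nikto reports, ignores per-run metadata such as timestamps and request counts, and prints the findings that the filtered scan no longer reports. The two reports embedded in it are constructed from the outputs shown in Step 1 and in this step.

```shell
#!/bin/sh
# Added example, not part of Nikto: diff the findings of a baseline Nikto
# report against a report from a scan run with plugins excluded.

# Constructed copies of the two reports shown in the lab. For real runs, save
# each report (for example with nikto's -o option) and load it with $(cat file).
BASELINE=$(cat <<'EOF'
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         ...
+ Server:             SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3233: /cgi-bin/: This might be interesting...
+ 7558 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           ...
+ 1 host(s) tested
EOF
)

FILTERED=$(cat <<'EOF'
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         ...
+ Server:             SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ 7557 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           ...
+ 1 host(s) tested
EOF
)

# findings: read a Nikto text report on stdin and print only the "+ " lines
# that describe the target, dropping the per-run bookkeeping (target block,
# timing, request and host counts) that would differ between any two scans.
findings() {
    grep '^+ ' | grep -Ev '^[+] (Target (IP|Hostname|Port):|Start Time:|End Time:|[0-9]+ requests:|[0-9]+ host\(s\) tested)'
}

# suppressed BASELINE_REPORT FILTERED_REPORT: print every finding present in
# the baseline report but absent from the filtered one, in baseline order.
suppressed() {
    after=$(printf '%s\n' "$2" | findings)
    printf '%s\n' "$1" | findings | while IFS= read -r line; do
        printf '%s\n' "$after" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# Stand-alone run: lists the findings the -plugins -cgi scan no longer reports.
suppressed "$BASELINE" "$FILTERED"
```

Running the script prints two lines, not one: the OSVDB-3233 line and the "+ No CGI directories found" line, which come from the same plugin. Excluding a plugin drops every check it performs, not only the single noisy finding you noticed, so review the full set of suppressed lines before making an exclusion part of a recurring scan.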

Exclude multiple plugins in a single command

In this step, you will learn how to exclude multiple plugins in a single scan. This is useful when you want to suppress several noisy or irrelevant plugins at once.

To exclude multiple plugins, you provide a comma-separated list of plugin names after the -plugins option. Each plugin name in the list must be prefixed with a hyphen.

The syntax is: nikto -h [target] -plugins -[plugin1],-[plugin2],-[plugin3]

Let's expand on our previous command to also exclude the apache_expect_header plugin, whose check produces another common finding that might be considered low-priority in some contexts.

Construct and run the following command:

nikto -h http://127.0.0.1:8000 -plugins -cgi,-apache_expect_header

The output will now be even more concise, as checks from both the cgi and apache_expect_header plugins have been skipped.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server:             SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ ... requests: 0 error(s) and 2 item(s) reported on remote host
+ End Time:           ...
---------------------------------------------------------------------------
+ 1 host(s) tested

As you can see, by selectively excluding plugins, you can tailor Nikto's scanning behavior to fit your specific needs, resulting in cleaner and more relevant reports.
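As an added example (not from the lab or the Nikto project; the function and variable names are my own), the POSIX shell functions below tie together the -list-plugins step and the exclusion syntax used in the single- and multiple-plugin commands above: they parse the plugin listing, check each requested exclusion against it, and build the comma-separated -plugins argument, refusing to proceed on a misspelled name that Nikto would otherwise not flag. The plugin listing embedded in the script is a constructed sample trimmed to the entries shown earlier.

```shell
#!/bin/sh
# Added example, not part of Nikto: validate plugin names against the output
# of `nikto -list-plugins` before building a -plugins exclusion string, so a
# misspelled name does not silently leave that plugin enabled.

# Constructed sample of `nikto -list-plugins` output, trimmed to the entries
# shown in the lab. For a real run, capture the live list instead:
#   PLUGIN_LIST=$(nikto -list-plugins)
SAMPLE_PLUGIN_LIST='- Nikto v2.5.0
---------------------------------------------------------------------------
Loaded Main Plugins:
 - apache_expect_header
   Apache Expect header XSS (CVE-2006-3918)
 - apache_users
   Checks for sensitive files in ~user directories
 - auth
   Checks for authentication problems
 - cgi
   Checks for CGI directories
 - clientaccesspolicy
   Checks for permissive Client Access Policy (Silverlight)'

# plugin_names: read a plugin listing on stdin and print one plugin name per
# line. Names sit on lines of the form " - name"; description lines are
# indented further and are skipped.
plugin_names() {
    sed -n 's/^ - \([A-Za-z0-9_]*\)$/\1/p'
}

# build_exclusions LISTING NAME...: print "-name1,-name2,..." for the given
# plugin names. Unknown names are reported on stderr and the function
# returns 1, so a caller can abort instead of scanning with a bad argument.
build_exclusions() {
    listing=$1
    shift
    known=$(printf '%s\n' "$listing" | plugin_names)
    out=
    status=0
    for name in "$@"; do
        if printf '%s\n' "$known" | grep -qx -- "$name"; then
            out="${out:+$out,}-$name"
        else
            echo "build_exclusions: unknown plugin '$name'" >&2
            status=1
        fi
    done
    printf '%s\n' "$out"
    return $status
}

# Usage against a live scanner (commented out so the file runs without Nikto):
#   excl=$(build_exclusions "$(nikto -list-plugins)" cgi apache_expect_header) || exit 1
#   nikto -h http://127.0.0.1:8000 -plugins "$excl"
build_exclusions "$SAMPLE_PLUGIN_LIST" cgi apache_expect_header
```

Run stand-alone, the last line prints -cgi,-apache_expect_header, the same argument used in the multiple-plugin command above; asking for a name that is not in the listing prints an error and returns a non-zero status, which is the point of validating before scanning.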

Summary

In this lab, you learned how to customize Nikto scans by excluding specific plugins. You started by running a full baseline scan to identify a plugin to exclude. Then, you learned about the -plugins option and the -list-plugins command. Finally, you practiced constructing and executing commands to exclude both a single plugin and multiple plugins, verifying the results by observing the changes in the scan output. This technique is essential for running more efficient, targeted, and less noisy vulnerability scans with Nikto.