Interpret Standard Nikto Scan Results


Introduction

Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.

Understanding how to read and interpret the results of a Nikto scan is a fundamental skill for anyone in cybersecurity, from penetration testers to system administrators. The output can seem cryptic at first, but it is structured to provide valuable insights into a web server's configuration and potential security weaknesses.

In this lab, you will learn how to dissect a standard Nikto scan report. To save time and focus on interpretation, a pre-generated scan result file has been provided for you. You will analyze this file to identify target information, differentiate between findings, understand vulnerability references, and review the final summary.

Locate the target information summary section

In this step, you will examine the beginning of the Nikto report to identify basic information about the scanned target. This section is crucial as it confirms what was tested and the basic server software detected.

A sample report file named nikto_scan_results.txt has been created in your ~/project directory. Use the cat command to display its contents in the terminal.

cat ~/project/nikto_scan_results.txt

Look at the first few lines of the output. This initial block provides a summary of the target.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.17.0.2
+ Target Hostname:    labex-server
+ Target Port:        80
+ Start Time:         2023-10-27 10:30:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)

Here's what these lines mean:

  • Target IP: The IP address of the server that was scanned.
  • Target Hostname: The hostname of the server.
  • Target Port: The TCP port on which the web service is running (usually 80 for HTTP or 443 for HTTPS).
  • Server: The server software and version as reported in the HTTP Server response header; here, Apache 2.4.52 on Ubuntu. Treat this as a hint rather than a fact: administrators can suppress or alter the banner (for example with Apache's ServerTokens directive), and a reverse proxy or load balancer in front of the application may report its own software instead of the backend's.

Identify informational findings and OSVDB references

In this step, you will learn to identify informational findings. Nikto prefixes every reported line with a + symbol, whether it is an informational note or a potential vulnerability, so the marker alone tells you nothing about severity. Informational findings are not always direct vulnerabilities, but they provide useful context about the server's configuration that later findings build on.

Many findings in Nikto are associated with an OSVDB (Open Source Vulnerability Database) ID. The OSVDB project shut down in 2016, so these IDs no longer resolve to a live database, but they remain useful as stable identifiers for Nikto's own checks and for searching archived references and other tools' output that cite the same ID.

Let's use the grep command to filter the report and show only the lines that represent findings. In Nikto's output, these lines start with a +.

grep "^\+" ~/project/nikto_scan_results.txt

You will see a list of all the findings from the scan.

+ Target IP:          172.17.0.2
+ Target Hostname:    labex-server
+ Target Port:        80
+ Start Time:         2023-10-27 10:30:00 (GMT0)
+ Server: Apache/2.4.52 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Uncommon header 'x-powered-by' found, with contents: PHP/8.1.2
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: The Apache web server is configured to return a valid response to a request for /icons/README.
+ /index.php: PHP is installed.
+ /admin/: Directory indexing found.
+ OSVDB-3233: /cgi-bin/: directory indexing found.
+ OSVDB-3268: /cgi-bin/test.cgi: This might be interesting...
+ 8123 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2023-10-27 10:38:20 (GMT0) (500 seconds)
+ 1 host(s) tested

Notice the line + OSVDB-3233: /icons/README: .... This is an informational finding (OSVDB ID 3233): the README that ships with Apache's default /icons/ directory is publicly readable, which tells you the server is running a default or near-default installation. On its own it is low risk, but it is the kind of detail that corroborates the server type and version you saw in the banner.

Differentiate between low and high-risk vulnerabilities

In this step, you will learn to distinguish between findings that represent a low risk and those that could be of higher concern. Nikto does not assign a severity level; it is up to you, the analyst, to interpret the results based on context.

Low-risk findings are typically related to security best practices that are not implemented. For example: + The anti-clickjacking X-Frame-Options header is not present. This is a missing security header. While it is good practice to set it (or the Content-Security-Policy frame-ancestors directive, which supersedes it), its absence alone does not usually lead to a direct compromise. Note also that some of Nikto's header checks are dated: the X-XSS-Protection header it flags is deprecated and ignored by current browsers, so that finding is worth recording but not worth a fix beyond a proper Content-Security-Policy.

Higher-risk findings often point to information disclosure or a misconfiguration that could be exploited. For example: + /admin/: Directory indexing found. This is more serious. Directory indexing (a directory listing, which Apache's mod_autoindex produces when a directory has no index file) lets an attacker enumerate every file and subdirectory under /admin/, potentially revealing sensitive files, application structure, or backup files such as .bak or .old copies. The fact that /admin/ answered at all, rather than requiring authentication or returning 403, is itself worth noting.

Let's use grep to isolate these higher-risk findings from the report. The sample report spells the phrase both as "Directory indexing" and "directory indexing", and grep is case-sensitive by default, so pass -i to match both forms:

grep -i "directory indexing" ~/project/nikto_scan_results.txt

This command will show you all instances where directory indexing was discovered.

+ /admin/: Directory indexing found.
+ OSVDB-3233: /cgi-bin/: directory indexing found.

Seeing these results should prompt an analyst to investigate these directories immediately to determine if any sensitive information is exposed.

Understand the meaning of CGI directory findings

In this step, you will focus on findings related to CGI directories. CGI (Common Gateway Interface) is a standard interface that lets a web server run an external program, typically a script, to generate a response. Because anything placed in a CGI directory is executed server-side with the web server's privileges, these directories are a common target: an attacker who finds a vulnerable or forgotten script there is one step away from code execution on the host.

Nikto checks for common CGI directories such as /cgi-bin/ and for well-known script names inside them. Finding such a directory, and especially scripts within it, is significant and should always be followed up by hand.

Let's use grep to find all lines in the report that mention /cgi-bin/.

grep "/cgi-bin/" ~/project/nikto_scan_results.txt

The output shows two findings related to this directory.

+ OSVDB-3233: /cgi-bin/: directory indexing found.
+ OSVDB-3268: /cgi-bin/test.cgi: This might be interesting...

The first line confirms that the /cgi-bin/ directory itself has directory indexing enabled, which is a high-risk finding as discussed in the previous step. The second line indicates that Nikto found a test.cgi script. Test scripts are often left behind by developers and can sometimes have vulnerabilities or disclose information about the server environment. Nikto reports a script as "interesting" when a request for a well-known path returns something other than a not-found response; it does not confirm that the script is vulnerable or even that it runs. An analyst would therefore flag this for manual investigation: request the script directly and inspect the response, and check whether the server answers 200 for arbitrary paths, in which case this finding (and the other path-based ones) may be a false positive.

Review the end-of-scan summary statistics

In this final step, you will examine the summary section at the end of the Nikto report. This section provides a quick overview of the scan's execution and scope.

To easily view the last few lines of the file, you can use the tail command. Let's view the last 10 lines of the report.

tail -n 10 ~/project/nikto_scan_results.txt

This will display the end of the report, which includes the summary statistics.

+ /admin/: Directory indexing found.
+ OSVDB-3233: /cgi-bin/: directory indexing found.
+ OSVDB-3268: /cgi-bin/test.cgi: This might be interesting...
+ 8123 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2023-10-27 10:38:20 (GMT0) (500 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Here's a breakdown of the key summary lines:

  • 8123 requests: 0 error(s) and 11 item(s) reported...: This tells you that Nikto sent 8,123 HTTP requests to the server, encountered no errors, and found 11 items of interest. Errors usually mean timeouts, connection resets or blocking by a WAF or rate limiter; a non-zero count means part of the check database may not have been exercised, so the scan should be rerun or slowed down. Dividing requests by duration (8,123 over 500 seconds, roughly 16 per second) shows the scan was not throttled.
  • End Time: This shows the timestamp when the scan completed and the total duration.
  • 1 host(s) tested: This confirms that the scan was run against a single target.

This summary is useful for understanding the scale of the scan and getting a high-level count of the findings.
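To tie the five steps together, here is an added example (not part of the lab and not Nikto's own code) that parses a standard Nikto text report into structured data: the target block, each finding with its OSVDB ID and path, the CGI items, and the end-of-scan statistics. It then applies the kind of severity triage described in the steps above, which Nikto itself does not do. The report text is a constructed copy of the lab's sample file, and the severity labels and the rules in triage() are the example's own assumptions, not a Nikto convention.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the lab's nikto_scan_results.txt; not the output of a real scan.
SAMPLE_REPORT = """\
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.17.0.2
+ Target Hostname:    labex-server
+ Target Port:        80
+ Start Time:         2023-10-27 10:30:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Uncommon header 'x-powered-by' found, with contents: PHP/8.1.2
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: The Apache web server is configured to return a valid response to a request for /icons/README.
+ /index.php: PHP is installed.
+ /admin/: Directory indexing found.
+ OSVDB-3233: /cgi-bin/: directory indexing found.
+ OSVDB-3268: /cgi-bin/test.cgi: This might be interesting...
+ 8123 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2023-10-27 10:38:20 (GMT0) (500 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
"""

HEADER_KEYS = {"Target IP", "Target Hostname", "Target Port", "Start Time", "End Time", "Server"}
SUMMARY_RE = re.compile(r"^\+ (\d+) requests: (\d+) error\(s\) and (\d+) item\(s\) reported")
HOSTS_RE = re.compile(r"^\+ (\d+) host\(s\) tested")
# Optional OSVDB reference, optional path beginning with "/", then the free-text message.
FINDING_RE = re.compile(r"^\+ (?:OSVDB-(?P<osvdb>\d+): )?(?:(?P<path>/\S*): )?(?P<text>.*)$")

@dataclass
class Finding:
    osvdb: Optional[str]
    path: Optional[str]
    text: str
    severity: str  # assigned by triage(); an assumed analyst label, not something Nikto emits

@dataclass
class NiktoReport:
    target: dict = field(default_factory=dict)    # Target IP/Hostname/Port, Start/End Time, Server
    findings: list = field(default_factory=list)
    stats: dict = field(default_factory=dict)     # requests, errors, reported_items, hosts_tested

def triage(path: Optional[str], text: str) -> str:
    """Assumed triage policy: Nikto assigns no severity, so the analyst supplies one."""
    lowered = text.lower()
    if "directory indexing" in lowered:
        return "high"   # a listing lets an attacker enumerate the directory
    if path and path.startswith("/cgi-bin/") and path != "/cgi-bin/":
        return "high"   # an executable script inside a CGI directory: review by hand
    if "header" in lowered and any(p in lowered for p in ("not present", "not defined", "not set")):
        return "low"    # missing hardening header
    if any(p in lowered for p in ("x-powered-by", "is installed", "allowed http methods")):
        return "info"   # fingerprinting detail
    return "verify" if path else "info"   # reachable path with no other rule: confirm manually

def parse_report(text: str) -> NiktoReport:
    report = NiktoReport()
    for line in text.splitlines():
        if not line.startswith("+ "):
            continue  # banner, separators and blanks carry no finding
        key, sep, value = line[2:].partition(":")
        if sep and key.strip() in HEADER_KEYS:
            report.target[key.strip()] = value.strip()
        elif m := SUMMARY_RE.match(line):
            report.stats.update(zip(("requests", "errors", "reported_items"), map(int, m.groups())))
        elif m := HOSTS_RE.match(line):
            report.stats["hosts_tested"] = int(m.group(1))
        else:
            m = FINDING_RE.match(line)  # always matches: every group is optional
            report.findings.append(Finding(m["osvdb"], m["path"], m["text"], triage(m["path"], m["text"])))
    return report

def severity_counts(report: NiktoReport) -> dict:
    return dict(Counter(f.severity for f in report.findings))

def high_findings(report: NiktoReport) -> list:
    """Paths to investigate first (the directory listings and CGI script from steps 3 and 4)."""
    return [f.path for f in report.findings if f.severity == "high"]

def osvdb_references(report: NiktoReport) -> list:
    """(OSVDB id, path) pairs for looking up archived OSVDB entries."""
    return [(f.osvdb, f.path) for f in report.findings if f.osvdb]

def scan_duration_seconds(report: NiktoReport) -> Optional[int]:
    """Seconds from the '(N seconds)' suffix Nikto appends to End Time."""
    m = re.search(r"\((\d+) seconds\)", report.target.get("End Time", ""))
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(r.target, r.stats, severity_counts(r), high_findings(r), osvdb_references(r), scan_duration_seconds(r))
```

Running it against the sample yields three "high" items (/admin/, /cgi-bin/ and /cgi-bin/test.cgi), three missing-header "low" items, three fingerprinting notes and one "verify" item (/icons/README); the "verify" bucket is where manual checks such as requesting the path by hand belong. The rules in triage() are deliberately simple string matches and should be adapted to your own policy. The parser targets Nikto's default text output; for anything beyond a lab exercise, asking Nikto for CSV, XML or JSON with its -o and -Format options avoids parsing free text at all.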

Summary

In this lab, you have learned the essential skills for interpreting a standard Nikto scan report. You practiced a systematic approach to analyzing the output, starting from the basic target information and moving to more detailed findings.

You learned to:

  • Identify the target server's IP, port, and software banner.
  • Recognize informational findings and the significance of OSVDB references.
  • Differentiate between low-risk findings (like missing headers) and higher-risk findings (like directory indexing).
  • Understand the importance of CGI directory discoveries.
  • Review the end-of-scan summary for a high-level overview.

This process of structured analysis is key to turning raw scanner output into actionable intelligence for securing web applications.