Kali Vulnerability Scanning with Nikto

Introduction

In this lab, you will learn the essentials of web vulnerability scanning using Nikto, a powerful open-source tool, within a Kali Linux environment. The goal is to understand how to identify potential security issues on web servers by running scans, interpreting results, and saving reports for further analysis. Through step-by-step exercises in the LabEx VM, you will gain practical experience with Nikto's command-line interface. This lab is designed for beginners, guiding you through each process in a controlled container environment to build foundational skills in web security assessments.

This is a Guided Lab, which provides step-by-step instructions to help you learn and practice. Follow the instructions carefully to complete each step and gain hands-on experience. Historical data shows that this is a intermediate level lab with a 65% completion rate. It has received a 94% positive review rate from learners.

Setting Up the Environment and Installing Nikto

In this first step, you will set up your working environment in the Kali Linux container and ensure that Nikto, the web vulnerability scanner, is installed and ready to use. This lab is conducted within the LabEx VM, and when you open the terminal, you will be automatically connected to the Kali Linux container's shell. There is no need to manually start the container or enter the shell; the environment is already configured for you.

Let's begin by understanding the setup. The LabEx VM runs on an independent cloud host with Docker pre-installed, and a Kali Linux container has been set up to run automatically. All your operations will take place inside this container's terminal. Nikto is a tool used to scan web servers for vulnerabilities such as outdated software or misconfigurations, and we need to ensure it is installed before proceeding.

First, update the package list in the Kali Linux container to make sure you have the latest information on available software. Run the following command in the terminal:

apt update

This command fetches the latest package information from the configured repositories. It may take a few moments to complete, and you will see output indicating the progress, such as downloading package lists. A sample output might look like this:

Get:1 http://mirrors.cloud.aliyuncs.com/kali kali-rolling InRelease [30.9 kB]
Get:2 http://mirrors.cloud.aliyuncs.com/kali kali-rolling/main amd64 Packages [18.1 MB]
...
Fetched 18.5 MB in 5s (3,700 kB/s)
Reading package lists... Done

Once the update is complete, install Nikto if it is not already present in the container. Use the following command to install it:

apt install -y nikto iputils-ping

The -y flag automatically confirms the installation without prompting for input. This process might take a short while, and you will see output showing the installation progress, such as downloading and setting up the package. A sample output could be:

Reading package lists... Done
Building dependency tree... Done
...
Setting up nikto (1:2.1.5-3.1) ...

After installation, verify that Nikto is correctly installed by checking its version. Run this command:

nikto -Version

This command displays the version of Nikto installed, confirming that it is ready for use. The expected output should look similar to this:

Nikto 2.5.0 (LW 2.5)

With Nikto installed, you are ready to proceed to the next steps where you will use it to scan web servers. This step ensures that your environment is properly configured, and the necessary tools are available for the upcoming tasks.

Running a Basic Nikto Web Scan

Now that Nikto is installed in your Kali Linux container, you will learn how to run a basic web vulnerability scan. This step builds on the environment setup from the previous step and introduces you to using Nikto to identify potential security issues on a web server. Since you are already in the Kali Linux container's shell when you open the terminal in the LabEx VM, there is no need to manually start or enter the container.

Let's understand what a basic Nikto scan does. Nikto scans a target web server for common vulnerabilities, such as outdated software versions or misconfigurations that could be exploited. For this lab, we will use a publicly accessible test server, testphp.vulnweb.com, which is designed for learning and practicing vulnerability scanning. This ensures that we are scanning in an ethical and safe manner.

To start, run a basic scan on the test server using Nikto. Enter the following command in the terminal:

nikto -h testphp.vulnweb.com

The -h option specifies the host to scan, in this case, testphp.vulnweb.com. This scan may take a few minutes to complete, depending on network conditions and the target's configuration. During the scan, you will see output in the terminal showing the progress. A sample output might look like this:

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          44.228.249.3
+ Target Hostname:    testphp.vulnweb.com
+ Target Port:        80
+ Start Time:         2025-04-21 07:29:12 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx/1.19.0
+ /: Retrieved x-powered-by header: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1.
...
---------------------------------------------------------------------------
+ 1 host(s) tested

When scanning testphp.vulnweb.com with nikto, you may encounter error messages. This is expected; please focus on the key information.

This output provides initial information about the target, such as its IP address, hostname, and port. It also lists potential issues, like missing security headers or outdated components. Don't worry if the output seems detailed; the focus here is to run the scan and observe the process. In the next steps, we will analyze these results more closely.

If the scan does not start or no output appears, ensure your internet connection is active within the LabEx VM. You can test connectivity to the target by running:

ping -c 4 testphp.vulnweb.com

This command sends a few packets to the target to check if it is reachable. If you see responses, the server is accessible; if not, retry the scan or check your network settings in the LabEx VM.

PING testphp.vulnweb.com (44.228.249.3) 56(84) bytes of data.
64 bytes from ec2-44-228-249-3.us-west-2.compute.amazonaws.com (44.228.249.3): icmp_seq=1 ttl=55 time=21.4 ms
64 bytes from ec2-44-228-249-3.us-west-2.compute.amazonaws.com (44.228.249.3): icmp_seq=2 ttl=55 time=21.7 ms
64 bytes from ec2-44-228-249-3.us-west-2.compute.amazonaws.com (44.228.249.3): icmp_seq=3 ttl=55 time=21.5 ms
64 bytes from ec2-44-228-249-3.us-west-2.compute.amazonaws.com (44.228.249.3): icmp_seq=4 ttl=55 time=21.5 ms

--- testphp.vulnweb.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 21.435/21.523/21.699/0.103 ms

This step has introduced you to running a basic Nikto scan, setting the foundation for more specific scanning and analysis in the following steps. You have executed the scan command and observed the initial output directly in the Kali Linux container's terminal.

Using Nikto's Tuning Options for Targeted Scanning

Building on the basic scan you performed in the previous step, you will now learn how to perform more targeted scans using Nikto's tuning options. Nikto allows you to focus your scans on specific types of vulnerabilities, which is useful when you're looking for particular issues or want to reduce scan time.

In this step, you'll learn how to use Nikto's tuning feature to customize your scans in the Kali Linux container environment.

Let's first understand what tuning options are available in Nikto. You can view the full list of available tuning options with the following command:

nikto -h testphp.vulnweb.com -Display V

The -Display V option shows verbose output, including tuning information. In the output, you'll see different test categories labeled with numbers and letters.

Now, let's run a targeted scan focusing on common file-related vulnerabilities. Execute the following command:

nikto -h testphp.vulnweb.com -Tuning 2

The -Tuning 2 option specifically tests for file disclosure vulnerabilities. This scan may take a few minutes to complete, and you will see output in the terminal similar to the following:

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          44.228.249.3
+ Target Hostname:    testphp.vulnweb.com
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: nginx/1.19.0
+ Scanning for File Upload vulnerabilities...
+ Multiple file upload fields found on login.php
...

You can also combine multiple tuning options. For example, to scan for both file disclosure (2) and misconfiguration (9) vulnerabilities, use:

nikto -h testphp.vulnweb.com -Tuning 2,9

This combined scan will check for both categories of issues, giving you a more comprehensive view of specific vulnerability types without running a full scan.

If the scan fails to produce output or encounters errors, ensure your internet connection is active by testing connectivity with:

ping -c 4 testphp.vulnweb.com

This step has helped you understand how to use Nikto's tuning options to perform more targeted scans, allowing you to focus on specific security concerns. In the next steps, we'll explore additional Nikto features that enhance your vulnerability scanning capabilities.

Customizing Output Formats and Saving Scan Results

After learning how to perform targeted scans with Nikto, you'll now explore how to customize output formats and save scan results for documentation and analysis. Properly documenting your findings is a crucial aspect of security assessments, and Nikto provides several options to format and save your scan results.

In this step, you will learn how to generate reports in different formats directly in the Kali Linux container's terminal.

Let's start by examining the different output format options that Nikto offers. The most common formats are:

Text (default): Plain text output
HTML: Formatted HTML report
CSV: Comma-separated values for import into spreadsheets
XML: Structured XML data for automated processing

To save the scan results in the default text format, run:

nikto -h testphp.vulnweb.com -o /root/nikto_text_report.txt

The -o option specifies the output file path. After the scan completes, verify that the file was created by viewing its contents:

cat /root/nikto_text_report.txt

To generate an HTML report, which provides a more readable and structured format, use:

nikto -h testphp.vulnweb.com -Format htm -o /root/nikto_report.html

The -Format htm option tells Nikto to format the output as HTML. While you can't directly view the HTML file in the terminal, you can check that it was created:

ls -l /root/nikto_report.html

For data that needs to be imported into other tools or spreadsheets, you can generate a CSV format report:

nikto -h testphp.vulnweb.com -Format csv -o /root/nikto_report.csv

After the scan completes, check the CSV file:

head /root/nikto_report.csv

This will display the first few lines of the CSV file, showing how the data is structured.

These different output formats serve different purposes:

Text reports are easy to read in a terminal
HTML reports are visually organized and good for sharing with teams
CSV and XML formats are excellent for importing into other security tools or databases

By learning how to customize output formats, you've enhanced your ability to document and communicate your findings effectively.

Advanced Nikto Options for Deeper Scanning

In this final step, you will explore some advanced Nikto options that allow for deeper and more comprehensive scanning. These features help you uncover hidden vulnerabilities and provide more context about potential security issues. This builds on the knowledge from previous steps, focusing on Nikto's advanced capabilities within the Kali Linux container environment.

Let's explore some of the most useful advanced options in Nikto:

First, let's use the -evasion technique to bypass simple intrusion detection systems. This can be useful when testing security controls:

nikto -h testphp.vulnweb.com -evasion 1

The -evasion 1 option encodes the URL using random uppercase and lowercase characters. You might see output similar to:

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          44.228.249.3
+ Target Hostname:    testphp.vulnweb.com
+ Target Port:        80
+ Evasion technique:  Random URI encoding (non-UTF8)
---------------------------------------------------------------------------
+ Server: nginx/1.19.0
...

Next, let's scan with a specific port and protocol. While we've been scanning the default HTTP port 80, you can specify different ports:

nikto -h testphp.vulnweb.com -port 443 -ssl

The -port 443 option targets port 443, and -ssl tells Nikto to use HTTPS protocol. For this test server, this may not return results since it might not have HTTPS enabled, but it demonstrates how to scan secure web services.

For sites requiring authentication, Nikto provides options to handle basic HTTP authentication:

nikto -h testphp.vulnweb.com -id admin:password

The -id option allows you to specify credentials in the format username:password. For the test server, these credentials won't work, but it shows how to configure authenticated scans.

You can also increase the verbosity of the scan to get more detailed information:

nikto -h testphp.vulnweb.com -Display V -o /root/nikto_verbose_report.txt

The -Display V option provides verbose output, showing more details about each test performed. Saving this to a file with -o gives you comprehensive documentation of the scan.

Finally, let's combine several options for a comprehensive scan:

nikto -h testphp.vulnweb.com -Tuning x -no404 -Format htm -o /root/final_report.html

In this command:

-Tuning x tests for everything except DoS vulnerabilities
-no404 reduces false positives by not reporting 404 errors
-Format htm saves the report in HTML format
-o specifies the output file

This step has introduced you to several advanced Nikto options that expand your web vulnerability scanning capabilities. By combining these different techniques, you can perform thorough security assessments and generate comprehensive reports tailored to your specific needs.

Summary

In this lab, you have learned how to use Nikto, a powerful web vulnerability scanner, within a Kali Linux environment. You began by setting up the environment and installing Nikto, then progressed through increasingly sophisticated scanning techniques.

You started with basic scans to identify common vulnerabilities on a test server, then learned how to perform targeted scans using Nikto's tuning options to focus on specific types of vulnerabilities. You explored different output formats, including text, HTML, and CSV, to effectively document and communicate your findings.

Finally, you discovered advanced options for deeper scanning, including evasion techniques, port and protocol specification, authentication handling, and verbose output. These skills provide a solid foundation for conducting web security assessments, whether for educational purposes or professional security testing.

The hands-on experience gained in this lab equips you with practical knowledge of Nikto's command-line interface and the ability to customize scans according to your specific requirements. These are essential skills for anyone interested in web security and vulnerability assessment.