LabEx
Log InJoin Free

Perform a Scan with Basic Authentication in Nikto

Kali LinuxBeginner
Practice Now

Introduction

Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.

Many web applications have restricted areas that are only accessible after a user provides valid credentials. HTTP Basic Authentication is one of the simplest methods used to protect these areas. To perform a thorough security assessment, it's crucial to scan these authenticated sections.

In this lab, you will learn how to use Nikto to perform an authenticated scan on a web directory protected by Basic Authentication. You will use the -id option to provide the necessary credentials, allowing Nikto to access and test the protected resources for vulnerabilities.

Identify a web resource protected by Basic Authentication

In this step, you will first verify that the target web resource is indeed protected by Basic Authentication. A common way to check this is by using the curl command to inspect the HTTP headers returned by the server when you try to access the resource.

An unprotected resource will return a 200 OK status, while a protected one will return a 401 Unauthorized status along with a WWW-Authenticate header, indicating the type of authentication required.

Let's try to access the protected directory http://localhost/protected/ using curl with the -I option, which fetches only the HTTP headers.

Execute the following command in your terminal:

curl -I http://localhost/protected/

You should see output similar to the following. Notice the HTTP/1.1 401 Unauthorized status and the WWW-Authenticate: Basic realm="..." header. This confirms that the directory is protected.

HTTP/1.1 401 Unauthorized
Date: [current_date]
Server: Apache/2.4.52 (Ubuntu)
WWW-Authenticate: Basic realm="Restricted Content"
Content-Type: text/html; charset=iso-8859-1

Obtain the required username and password

In this step, we will acknowledge the credentials required to access the protected area. In a real-world penetration test, you might obtain these through various means like password guessing, finding them in public code repositories, or through social engineering.

For this lab, the environment has been pre-configured with a specific username and password. You will need these credentials for the subsequent steps to perform an authenticated scan.

The credentials are:

  • Username: labex
  • Password: P@ssw0rd123

There are no commands to execute in this step. Simply take note of the credentials above and proceed to the next step, where you will use them to authenticate.

Use the -id option with the format 'user:password'

In this step, you will learn about Nikto's -id option, which is used to supply credentials for HTTP authentication. The format is a single string containing the username and password, separated by a colon (:).

The syntax is: -id <username>:<password>

Before using this with Nikto, it's a good practice to verify that the credentials work. You can do this again with curl, this time using the --user option to provide the credentials.

Run the following command to access the protected page with the correct credentials:

curl --user labex:P@ssw0rd123 http://localhost/protected/

If the credentials are correct, the server will grant access and return the content of the page, as shown below. This confirms that you can successfully authenticate.

This is a protected page accessible only with credentials.

Now that you've confirmed the credentials and understand the format, you are ready to use them in a Nikto scan.

Run the authenticated scan against the protected area

In this step, you will combine your knowledge from the previous steps to run a full authenticated scan with Nikto. You need to specify the target host and the authentication credentials.

The command structure will be:

  • nikto: The program to run.
  • -h http://localhost/protected/: The -h (host) option, pointing directly to the directory you want to scan.
  • -id labex:P@ssw0rd123: The -id option with the username and password.

Now, execute the complete command in your terminal. The scan may take a few minutes to complete.

nikto -h http://localhost/protected/ -id labex:P@ssw0rd123

Nikto will start the scan. Because you provided valid credentials, it will be able to access http://localhost/protected/ and test for vulnerabilities within that directory. The output will look something like this:

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         [scan_start_time]
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ /: Server may leak inodes via ETags, header found with file /, fields: 0x1ed 0x5f7e21e8a2e80
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD.
+ /: Apache/2.4.52 appears to be outdated (current is at least Apache/2.4.54).
+ 8142 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           [scan_end_time] (30 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Verify that Nikto successfully accessed protected resources

In this step, you will analyze the scan output to confirm that Nikto successfully authenticated and scanned the protected area. A key indicator of a successful authenticated scan is the absence of widespread authentication errors.

A good practice for analyzing scan results is to save the output to a file. You can do this with the -o (output) option. Let's re-run the scan and save the report to a text file named nikto_report.txt.

nikto -h http://localhost/protected/ -id labex:P@ssw0rd123 -o nikto_report.txt -Format txt

After the scan completes, a file named nikto_report.txt will be created in your current directory (~/project). You can inspect this file to verify the results. A quick way to check for success is to look at the summary line for the number of errors.

Use the grep command to search for the line containing "error(s)" in your report file:

grep "error(s)" nikto_report.txt

The output should show 0 error(s), which confirms that Nikto did not encounter issues like 401 Unauthorized when making requests. This, combined with the list of findings, proves that the authenticated scan was successful.

+ 8142 requests: 0 error(s) and 5 item(s) reported on remote host

Summary

Congratulations on completing this lab! You have successfully performed an authenticated web vulnerability scan using Nikto.

In this lab, you learned how to:

  • Identify a web resource protected by HTTP Basic Authentication using curl.
  • Understand the format of credentials required for an authenticated scan.
  • Use Nikto's -id option to provide a username and password.
  • Run a scan against a protected directory and verify its success by analyzing the output.

Mastering authenticated scanning is a critical skill for any security professional, as it allows for a much deeper and more comprehensive assessment of a web application's security posture by uncovering vulnerabilities that are hidden behind a login wall.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux