Introduction
Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options.
In this lab, you will learn the fundamentals of using Nikto to conduct a basic scan. We will start by setting up a simple local web server to act as our target, and then use Nikto to scan it and analyze the results.
Identify the target IP address or hostname
In this step, we will identify and confirm the address of our target web server. Before running any scan, you must know the target's IP address or hostname. For this lab, the setup script has already started a simple web server running on your local machine.
In a network context, your own machine can be referred to by the hostname localhost or the IP address 127.0.0.1. This special address is a "loopback" address, meaning it always points back to the local machine.
Let's verify that our web server is running and accessible. We can use the curl command to send a request to our local server. The server is running on port 8000.
Execute the following command in your terminal:
curl http://localhost:8000
You should see the HTML content of our simple web page, which confirms the server is active and ready for scanning.
<h1>Welcome to the Test Server</h1>
Now that we have confirmed our target at localhost:8000, we can proceed to the next step.
Construct the basic scan command using the -h flag
In this step, we will learn how to construct a basic Nikto scan command. Nikto has many options, but the most fundamental one is specifying the target host.
The -h or -host flag is used to tell Nikto which server to scan. To familiarize yourself with this and other options, you can view Nikto's help menu.
Run the following command to display the help information:
nikto -Help
The output will be quite long, listing all available options. Scroll through it or use the search function of your terminal to find the -h option. You will see a description similar to this:
...
-h, -host Target host/IP/SSL-name
...
Since our server is not running on the standard HTTP port (80), we also need to specify the port number. We can do this using the -p or -port flag.
Based on this, the command to scan our local server on port 8000 would be nikto -h localhost -p 8000. We will execute this command in the next step.
Execute the scan against the target server
In this step, you will execute the Nikto scan using the command we constructed. This will initiate the scanning process, where Nikto sends a series of requests to the target server to probe for potential issues.
Now, run the scan against your local web server.
nikto -h localhost -p 8000
Once you execute the command, Nikto will start the scan. It will first display some basic information about the target and then begin running its tests. The process may take a few moments to complete. You will see the results printed directly to your terminal in real-time.
Observe the real-time output during the scan
In this step, we will examine the output generated by the Nikto scan. As the scan runs, Nikto reports its findings. Each finding is typically prefixed with a plus sign (+).
The output from the previous step should look similar to the following. Note that the version numbers and times will vary.
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 8000
+ Start Time: 2023-10-27 10:30:00 (GMT0)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, OPTIONS
+ OSVDB-3233: /: HTTP TRACE method is active, suggesting the host is vulnerable to XST
...
+ 1 host(s) tested
Take a moment to read through the output. You can see that Nikto identifies the server software, checks for important security headers (like X-Frame-Options), lists allowed HTTP methods, and reports potential vulnerabilities. This information is crucial for understanding a server's security posture.
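The three header findings above all come from the stock Python http.server behind the SimpleHTTP/0.6 Python/3.10.12 banner. As an added example (not part of the lab and not Nikto's or Python's own code), here is a hardened variant of that server that sends the headers Nikto flagged and replaces the version-revealing banner; the product name HardenedHTTP/1.0, the chosen header values and the serve_and_fetch helper are assumptions for illustration.

```python
# Added example: hardened variant of the Python http.server the lab scans.
# Assumption: the lab target is `python3 -m http.server 8000` (that is what
# reports the 'SimpleHTTP/0.6 Python/3.x' banner), so we subclass its handler.
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
import http.client
import os
import tempfile
import threading

# Response headers Nikto reported as absent on the stock server. The values are
# common hardening defaults chosen for this example, not taken from the lab.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",            # refuse to be embedded in a frame (clickjacking)
    "X-Content-Type-Options": "nosniff",  # stop browsers from MIME-sniffing responses
    "X-XSS-Protection": "0",              # legacy filter; current guidance is to disable it explicitly
}


class HardenedHandler(SimpleHTTPRequestHandler):
    # Hypothetical generic banner in place of 'SimpleHTTP/0.6 Python/3.10.12'.
    server_version = "HardenedHTTP/1.0"

    def version_string(self):
        # The base class appends sys_version ('Python/3.x'); send only ours.
        return self.server_version

    def end_headers(self):
        # Runs for every response, error pages included, so the headers are
        # added uniformly instead of per handler method.
        for name, value in SECURITY_HEADERS.items():
            self.send_header(name, value)
        super().end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the example quiet; real deployments should log requests


def serve_and_fetch(directory=None, path="/"):
    """Serve `directory` on an ephemeral loopback port, GET `path`,
    and return (status, headers) so the result can be inspected offline."""
    if directory is None:
        # Constructed document root holding the lab's index page.
        directory = tempfile.mkdtemp()
        with open(os.path.join(directory, "index.html"), "w") as fh:
            fh.write("<h1>Welcome to the Test Server</h1>\n")
    handler = partial(HardenedHandler, directory=directory)
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", httpd.server_address[1], timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        resp.read()
        conn.close()
        return resp.status, headers
    finally:
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    # Stand-alone: serve the current directory on the lab's port 8000, then
    # rescan with `nikto -h localhost -p 8000` and compare the header findings.
    ThreadingHTTPServer(("127.0.0.1", 8000), HardenedHandler).serve_forever()
```

Running this in place of the stock server and repeating the scan should make the three "header is not present/defined/set" lines disappear and change the + Server: line, which is a quick way to confirm that a fix actually changed what the scanner sees rather than only what the code says.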
Identify the server banner and version information
In this step, we will focus on one of the most important pieces of information that Nikto provides: the server banner. A server banner is a text string sent by the web server in its response headers that typically identifies the server software and its version.
Attackers use this information to find known vulnerabilities associated with a specific software version. In your scan results from the previous step, you should see a line that starts with + Server:.
+ Server: SimpleHTTP/0.6 Python/3.10.12
This line tells us that the web server is SimpleHTTP/0.6 running on Python/3.10.12.
To practice isolating specific information from a larger output, you can re-run the scan and use the grep command to filter the results, showing only the line containing "Server".
Execute the following command:
nikto -h localhost -p 8000 | grep Server
This command pipes the output of Nikto to grep, which then filters and displays only the lines that contain the word "Server". This is a very useful technique for parsing large log files or command outputs. Your output should be the single line identifying the server.
+ Server: SimpleHTTP/0.6 Python/3.10.12
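The grep filter above picks out one line by keyword; the same "+ "-prefixed format described in the output step can also be parsed into structured data, which scales better when you want the banner, the missing headers and the allowed methods from one run. The following is an added example, not part of the lab; the sample output it embeds is constructed from the lab's illustrative run (versions and times are illustrative), and the function names are hypothetical.

```python
# Added example: parse Nikto's '+ ' findings into a structured report.
# Usage: nikto -h localhost -p 8000 | python3 parse_nikto.py
import re
import sys

# Constructed sample, modelled on the lab's illustrative output.
SAMPLE_OUTPUT = """\
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 8000
+ Start Time: 2023-10-27 10:30:00 (GMT0)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, OPTIONS
+ OSVDB-3233: /: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 1 host(s) tested
"""

# Lines that describe the scan rather than a finding.
METADATA_KEYS = {"Target IP", "Target Hostname", "Target Port", "Start Time", "Server"}
MISSING_HEADER_RE = re.compile(
    r"The (?:anti-clickjacking )?(X-[A-Za-z-]+) header is not (?:present|defined|set)")
METHODS_RE = re.compile(r"^Allowed HTTP Methods:\s*(.+)$")
REFERENCE_RE = re.compile(r"^(OSVDB-\d+):")
PRODUCT_RE = re.compile(r"^([A-Za-z][\w.-]*)/([\w.]+)$")


def parse_nikto(text):
    """Return {'meta': {...}, 'findings': [...], 'missing_headers': [...],
    'allowed_methods': [...], 'references': [...]} for one Nikto run."""
    report = {"meta": {}, "findings": [], "missing_headers": [],
              "allowed_methods": [], "references": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("+ "):
            continue  # version line, separators, blank lines
        body = line[2:]
        key, sep, value = body.partition(": ")
        if sep and key in METADATA_KEYS:
            report["meta"][key] = value.strip()
            continue
        if body.endswith("host(s) tested"):
            continue  # trailer, not a finding
        report["findings"].append(body)
        m = MISSING_HEADER_RE.search(body)
        if m:
            report["missing_headers"].append(m.group(1))
        m = METHODS_RE.match(body)
        if m:
            report["allowed_methods"] = [x.strip() for x in m.group(1).split(",")]
        m = REFERENCE_RE.match(body)
        if m:
            report["references"].append(m.group(1))
    return report


def server_banner(text):
    """Same information as `nikto ... | grep Server`, returned as a value."""
    return parse_nikto(text)["meta"].get("Server")


def split_banner(banner):
    """'SimpleHTTP/0.6 Python/3.10.12' -> [('SimpleHTTP', '0.6'), ('Python', '3.10.12')]
    so each product/version pair can be checked against an inventory."""
    products = []
    for token in banner.split():
        m = PRODUCT_RE.match(token)
        if m:
            products.append((m.group(1), m.group(2)))
    return products


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    report = parse_nikto(text)
    print("server:", report["meta"].get("Server"))
    print("products:", split_banner(report["meta"].get("Server", "")))
    print("missing headers:", report["missing_headers"])
    print("allowed methods:", report["allowed_methods"])
    print("findings:", len(report["findings"]))
```

Unlike the grep one-liner, this keeps the metadata block (target, port, start time) separate from findings, so a later run can be diffed against an earlier one to see which findings a configuration change actually removed.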
Summary
In this lab, you have successfully performed a basic web server scan using Nikto. You learned how to identify a target, construct a basic scan command with the -h and -p flags, and execute it. You also practiced observing the real-time output and isolating specific information, such as the server banner, using tools like grep.
This is just the beginning of what Nikto can do. It has a vast array of options for more targeted and in-depth scanning, including SSL checks, vulnerability database lookups, and various output formats. You are now equipped with the foundational knowledge to explore these advanced features and enhance your web security testing skills.


