LabEx
Log InJoin Free

Scan a Specific Port with Nikto

Kali LinuxBeginner
Practice Now

Introduction

Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. By default, Nikto scans standard HTTP/HTTPS ports like 80 and 443. However, in real-world scenarios, web services are often hosted on non-standard ports to obscure them.

In this lab, you will learn how to use Nikto to scan a specific, non-standard port on a target. This is a fundamental skill for ensuring that all web-facing services, regardless of the port they operate on, are properly assessed for vulnerabilities.

Identify a non-standard HTTP port on a target

In this step, you will first identify open ports on the target machine. Before you can scan a specific port with Nikto, you need to know which ports are open and potentially hosting services. We will use nmap, a powerful network scanning tool, for this purpose.

Let's scan a range of ports on our local machine (localhost) to find the web server we set up. We'll scan the port range from 8000 to 9000.

Execute the following command in your terminal:

nmap -p 8000-9000 localhost

You should see output similar to the following, indicating that ports 8001 and 8088 are open.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000087s latency).
Not shown: 98 closed ports
PORT     STATE SERVICE
8001/tcp open  vcom-tunnel
8088/tcp open  radan-http

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

This output confirms that two services are running on non-standard ports within our specified range. We will focus on port 8088 for our first Nikto scan.

Use the -p flag to specify the target port

In this step, we will learn about the specific Nikto flag used for port scanning. By default, Nikto scans port 80. To direct Nikto to scan a different port, you must use the -p (or -port) command-line option.

The syntax is straightforward:

nikto -h <target_host> -p <port_number>

For example, to scan the host localhost on port 8088 that we discovered in the previous step, the command structure would be:

nikto -h localhost -p 8088

This command tells Nikto to perform its full suite of tests, but to direct all of them to port 8088 on the host localhost. In the next step, you will execute this command and see the results.

Run the scan against the host and specific port

Now that you know how to specify a target port, let's run the scan. You will use the command structure from the previous step to initiate a Nikto scan against localhost on port 8088.

Execute the following command in your terminal:

nikto -h localhost -p 8088

Nikto will start, and you will see output detailing its progress and findings. The output will look something like this (some details may vary):

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        8088
+ Start Time:         2023-10-27 10:05:10 (GMT0)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3092: /cgi-bin/: This might be interesting...
+ 7558 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-10-27 10:05:25 (GMT0) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

You have successfully performed a targeted vulnerability scan on a non-standard port.

Analyze the results for the non-standard service

In this step, you will analyze the output from the Nikto scan you just performed. Understanding the results is as important as running the scan itself.

Let's review the key findings from the previous step's output:

  • + Target Port: 8088: This confirms that Nikto correctly targeted the port you specified.
  • + Server: SimpleHTTP/0.6 Python/3.10.12: This is a very valuable piece of information. Nikto has identified the web server software and version. In this case, it's a simple server provided by Python. Knowing the server technology helps an attacker focus on specific exploits.
  • Missing Security Headers: Lines like The anti-clickjacking X-Frame-Options header is not present point to security misconfigurations. These headers help protect a web application from common attacks like clickjacking and cross-site scripting (XSS).
  • + OSVDB-3092: /cgi-bin/: This might be interesting...: Nikto identified a directory named cgi-bin. This directory traditionally holds executable scripts, making it a high-value target for attackers looking for vulnerabilities.

This analysis shows that even a simple service on a non-standard port can have discoverable characteristics and potential security weaknesses.

Scan a range of ports on a single host

In this final step, you will learn how to make your scanning even more efficient by providing Nikto with a range of ports to check. This is extremely useful when you have identified several potential ports from an nmap scan or suspect that services might be running within a specific range.

The -p flag also accepts a port range specified with a hyphen. The syntax is:

nikto -h <target_host> -p <start_port>-<end_port>

Let's use this to scan the range 8000-8100 on localhost. This range includes both of the web servers we have running (on ports 8001 and 8088).

Execute the following command:

nikto -h localhost -p 8000-8100

Nikto will now iterate through each port in the specified range. It will first scan port 8000, find nothing, then move to 8001, find the web server, scan it, and report the results. It will continue this process until it reaches port 8100, also scanning the server on port 8088 along the way.

The output will be extensive, showing two separate scan reports, one for each active port found:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        8001
... (Results for port 8001) ...
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        8088
... (Results for port 8088) ...
---------------------------------------------------------------------------
+ 2 host(s) tested

This demonstrates how efficiently you can check multiple ports on a single host with just one command.

Summary

In this lab, you learned how to extend Nikto's scanning capabilities beyond standard web ports. You started by using nmap to identify services running on non-standard ports. You then used Nikto's powerful -p flag to target a single, specific port and analyzed the resulting output to identify the server technology and potential misconfigurations.

Finally, you learned how to use the -p flag to scan a range of ports, a powerful technique for efficiently discovering hidden web services on a target. Mastering targeted scanning is a crucial skill for effective and thorough web application security testing.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux