Introduction
Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.
A common web server configuration is virtual hosting, where a single server with one IP address hosts multiple websites (e.g., site1.example.com and site2.example.com). When you scan the server's IP address directly, a scanner like Nikto might only test the default website configured on the server, completely missing the other sites.
In this lab, you will learn how to use Nikto's -vhost option to specifically target one of the virtual hosts on the server, ensuring your scan is accurate and focused.
Identify a server hosting multiple websites on one IP
In this step, you will verify that the web server in our environment is hosting two different websites on the same IP address (127.0.0.1). We can do this by sending HTTP requests with different Host headers using the curl command. The Host header tells the web server which website the client wants to access.
First, let's send a request to site1.labex.io. The --header "Host: site1.labex.io" option tells curl to send the specified host header.
curl --header "Host: site1.labex.io" http://127.0.0.1
You should see the HTML content for the first site:
<html><body><h1>Welcome to Site 1</h1></body></html>
Next, let's send a request to site2.labex.io by changing the Host header.
curl --header "Host: site2.labex.io" http://127.0.0.1
This time, you will see the content from the second site:
<html><body><h1>This is Site 2</h1><p>This site has a test.txt file.</p></body></html>
This confirms that our server at 127.0.0.1 is serving different content based on the hostname, which is the definition of virtual hosting.
Find the hostname of the specific target virtual host
In this step, we will confirm the hostnames that are configured for our local server. In a real-world scenario, you would use reconnaissance techniques like DNS enumeration or analyzing SSL certificates to find virtual hosts. For this lab, the hostnames have been pre-configured in the /etc/hosts file. This file is used by the operating system to map hostnames to IP addresses.
Let's examine the contents of the /etc/hosts file using the cat command to see the mappings.
cat /etc/hosts
The output will show the standard localhost mappings, plus the two custom entries we added for our virtual hosts:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 site1.labex.io
127.0.0.1 site2.labex.io
From this output, we can confirm that site1.labex.io and site2.labex.io are the hostnames we can use for our targeted scan. We will target site2.labex.io in the following steps.
Use the -vhost option to specify the target hostname
In this step, you'll learn about the Nikto option used to scan a specific virtual host. By default, nikto -h 127.0.0.1 would scan the first virtual host configured (site1.labex.io). To tell Nikto to scan a different virtual host, we must use the -vhost (or -host+) option.
This option instructs Nikto to use the provided hostname in the Host header of all its HTTP requests, ensuring the web server routes the requests to the correct website.
The syntax is: nikto -h <IP_ADDRESS> -vhost <HOSTNAME>
Let's do a quick test without running a full scan. We can use the -Display V option to print the verbose output, which will show us the effective configuration for the scan. We will target site2.labex.io.
nikto -h 127.0.0.1 -vhost site2.labex.io -Display V
The output will show details about the scan configuration. Look for the Host header value to confirm it's set correctly.
...
---------------------------------------------------------------------------
- Nikto 2.x
---------------------------------------------------------------------------
...
- Scan Options:
...
Host -> 127.0.0.1
...
VHost -> site2.labex.io
...
- Headers:
...
Host: site2.labex.io
...
---------------------------------------------------------------------------
+ 1 host(s) to test
The output clearly shows that Nikto will use Host: site2.labex.io in its requests, which is exactly what we want.
Execute the scan against the server IP with the vhost flag
Now that you understand how the -vhost option works, it's time to execute the full scan against our target virtual host, site2.labex.io.
Run the following command in your terminal. The scan will take a few moments to complete as Nikto runs through its various tests.
nikto -h 127.0.0.1 -vhost site2.labex.io
After the scan starts, you will see output similar to the following. Note that the Target Hostname line shows site2.labex.io, confirming we are scanning the correct virtual host.
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: site2.labex.io
+ Target Port: 80
+ Start Time: ...
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ /test.txt: A text file was found.
+ 7 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: ...
+ 1 host(s) tested
Notice the line "+ /test.txt: A text file was found." This file only exists on site2.labex.io, which further confirms our scan was correctly targeted.
Confirm the results are specific to the targeted vhost
In this final step, we will run another scan, but this time without the -vhost flag, to demonstrate the difference in results. This will prove that the -vhost option is essential for accurately scanning a specific site in a virtual hosting environment.
Execute a standard Nikto scan against the server's IP address:
nikto -h 127.0.0.1
Observe the output from this new scan.
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: ...
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
...
(other findings)
...
+ End Time: ...
+ 1 host(s) tested
Compare this output to the scan from the previous step. You will notice two key differences:
- The Target Hostname is now localhost (or 127.0.0.1), which is the server's default.
- The finding "+ /test.txt: A text file was found." is missing. This is because test.txt does not exist on the default site (site1.labex.io), and this scan did not target site2.labex.io.
This comparison clearly shows that without -vhost, you would have missed vulnerabilities and information specific to site2.labex.io.
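The comparison above can be automated once the console output of both scans is saved to files (for example by piping each nikto run through tee). The script below is an added example, not part of the original lab: the two logs are constructed samples modelled on the scans in this lab, and the function names nikto_findings and only_in_first are hypothetical.

```shell
# Added example: which findings appear only in the -vhost scan?
LC_ALL=C; export LC_ALL   # stable ordering for sort and comm

# Reduce a saved Nikto console log to its finding lines, dropping
# per-run metadata (target, timestamps, counters) that always differs.
nikto_findings() {
    grep '^+ ' "$1" |
        grep -Ev '^\+ (Target (IP|Hostname|Port)|Start Time|End Time):' |
        grep -Ev '^\+ [0-9]+ (host\(s\) tested|requests:)' |
        sort -u
}

# Print findings present in report $1 but absent from report $2.
only_in_first() {
    a=$(mktemp) && b=$(mktemp) || return 1
    nikto_findings "$1" > "$a"
    nikto_findings "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample logs, modelled on the two scans in this lab.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/vhost.log" <<'EOF'
- Nikto v2.5.0
+ Target IP: 127.0.0.1
+ Target Hostname: site2.labex.io
+ Server: Apache/2.4.52 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ /test.txt: A text file was found.
+ 7 requests: 0 error(s) and 5 item(s) reported on remote host
+ 1 host(s) tested
EOF
    cat > "$dir/default.log" <<'EOF'
- Nikto v2.5.0
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Server: Apache/2.4.52 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ 1 host(s) tested
EOF
    only_in_first "$dir/vhost.log" "$dir/default.log"
    rm -rf "$dir"
}

demo   # prints: + /test.txt: A text file was found.
```

Swapping the two arguments to only_in_first lists findings that exist only on the default site, which is a quick check that neither scan silently covered the wrong host.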
Summary
In this lab, you have learned a critical technique for web server vulnerability scanning. You now understand what virtual hosting is and why it requires special handling during a security assessment.
You practiced:
- Using curl with a custom Host header to manually inspect different websites on the same IP.
- Identifying the purpose of Nikto's -vhost option.
- Executing a targeted scan against a specific virtual host using nikto -h <IP> -vhost <HOSTNAME>.
- Comparing the results of a targeted scan and a default scan to understand the importance of this technique.
This skill is essential for any penetration tester or security analyst to ensure that all web applications on a server are tested thoroughly, not just the default one.


