Select Specific Plugins for a Focused Scan in Nikto

Introduction

Nikto is a powerful open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.

By default, Nikto runs its full default plugin set, which can take several minutes even against a small target. For quicker, targeted scanning you can restrict the run to specific plugins, for example when you want to check a single class of vulnerability or misconfiguration, or re-test one finding after a fix.

In this lab, you will learn how to list all available Nikto plugins and then execute a focused scan using a single, specific plugin.

List all available plugins using -list-plugins

In this step, you will learn how to view all the plugins that Nikto has available for scanning. This is the first step in performing a focused scan, as you need to know the names of the plugins you can choose from.

The -list-plugins option tells Nikto to print a detailed list of all plugins and then exit, without performing a scan.

Execute the following command in your terminal to list all available plugins:

nikto -list-plugins

You will see a long list scroll by. Each plugin is printed as its own block giving the plugin's name, author, a short description of what it tests, and its type.

Here is a truncated example of what the output will look like:

- Nikto 2.5.0
---------------------------------------------------------------------------
Plugin: apache_expect_header
  Author:      David Lodge <dave at cirt.net>
  Description: See if an Expect header will crash Apache. Bugtraq ID 5253.
  Type:        Standard
  Version:     2.5.0
  CVSID:       $Id: apache_expect_header.plugin,v 1.6 2023/03/28 17:00:00 cirt Exp $

Plugin: apacheusers
  Author:      Chris Forte
  Description: Enumerate apache users via ~user requests
  Type:        Standard
  Version:     2.5.0
  CVSID:       $Id: apacheusers.plugin,v 1.6 2023/03/28 17:00:00 cirt Exp $

... (many more plugins) ...

Take a moment to look through the list to get an idea of the variety of tests Nikto can perform.

Choose a specific plugin to run, e.g. apacheusers

In this step, we will review the list from the previous step and choose a specific plugin for our focused scan. This is a conceptual step where you identify a plugin based on a specific testing goal.

For this lab, we will choose the apacheusers plugin. As its description states, it attempts to "Enumerate apache users via ~user requests". Apache's mod_userdir maps /~username/ to that user's home directory, so a server that answers /~existinguser/ differently from /~nonexistentuser/ leaks valid system account names, which is useful input for a later password-guessing attack.

Even though our target is a simple Python web server and not Apache, we will use this plugin to demonstrate the selection and execution process. The plugin will run, but it will report nothing on our non-Apache server, which is the expected result here. Keep in mind what that tells you: the check did not apply, not that the server is free of other weaknesses.

In the next step, you will learn how to construct the command to use only this plugin.

Use the -Plugins option with the desired plugin name

In this step, you will learn how to construct the Nikto command to run only the plugin you selected.

To specify which plugins to run, use the -Plugins option followed by the plugin name. Nikto's options are case-sensitive (compare -h for host with -H for full help), so spell the flag exactly as -H lists it: -Plugins. To run more than one plugin, separate the names with semicolons, for example -Plugins 'apacheusers;headers', quoted so the shell does not treat the semicolon as a command separator; the macros @@ALL and @@DEFAULT select every plugin or the default set. For this lab, we will focus on a single plugin.

The basic command structure is: nikto -h <target_host> -Plugins <plugin_name>

For our chosen plugin, apacheusers, and our test server running locally on port 8000, the command will be: nikto -h 127.0.0.1:8000 -Plugins apacheusers

Let's break down this command:

  • nikto: The program we are running.
  • -h 127.0.0.1:8000: The -h (host) option specifies the target. Our test server is running on the local machine (127.0.0.1) on port 8000; the port can be appended as host:port like this, or given separately with -p.
  • -Plugins apacheusers: This is the key part of the command. It tells Nikto to run only the apacheusers plugin and skip all others.

In the next step, you will execute this command and see the results of the focused scan.
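The three steps above (list the plugins, pick one, build the command) can be scripted. The following shell script is an added example, not part of the original lab or of Nikto itself: it reads a saved copy of the -list-plugins output (here a constructed excerpt in the format shown earlier, with a "headers" entry added for illustration), rejects any requested plugin name that is not in that list, and prints the focused-scan command with the -Plugins argument quoted.

```sh
#!/bin/sh
# Added example (not from the lab or Nikto): check requested plugin names
# against a saved `nikto -list-plugins` listing, then build the command line.
# PLUGIN_LIST is a constructed excerpt in the format shown above; in practice
# capture the real listing with:  nikto -list-plugins > plugins.txt

PLUGIN_LIST='- Nikto 2.5.0
---------------------------------------------------------------------------
Plugin: apache_expect_header
  Author:      David Lodge <dave at cirt.net>
  Description: See if an Expect header will crash Apache. Bugtraq ID 5253.
  Type:        Standard

Plugin: apacheusers
  Author:      Chris Forte
  Description: Enumerate apache users via ~user requests
  Type:        Standard

Plugin: headers
  Description: (constructed entry) Checks HTTP response headers
  Type:        Standard
'

# Print the plugin names from the listing, one per line.
plugin_names() {
    printf '%s\n' "$PLUGIN_LIST" | awk '/^Plugin: / { print $2 }'
}

# Succeed only if every semicolon-separated name in $1 is a listed plugin.
# Catching a typo here is cheaper than discovering it after a scan has run.
validate_plugins() {
    known=$(plugin_names)
    printf '%s\n' "$1" | tr ';' '\n' | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! printf '%s\n' "$known" | grep -qxF -- "$name"; then
            printf 'unknown plugin: %s\n' "$name" >&2
            exit 1    # leaves the pipeline subshell; the function returns 1
        fi
    done
}

# Print the focused-scan command for target $1 and plugin list $2.
# Nikto's options are case-sensitive, so the flag is -Plugins; the list is
# single-quoted because ';' would otherwise end the shell command.
build_scan_cmd() {
    validate_plugins "$2" || return 1
    printf "nikto -h %s -Plugins '%s'\n" "$1" "$2"
}

# Demonstration only: prints the commands, does not run nikto.
build_scan_cmd 127.0.0.1:8000 apacheusers
build_scan_cmd 127.0.0.1:8000 'apacheusers;headers'
build_scan_cmd 127.0.0.1:8000 apacheuser || echo 'typo caught before scanning'
```

Pipe the printed command into sh, or eval it, once you are satisfied with it; keeping generation and execution separate makes it easy to review exactly what will hit the target.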

Execute the focused scan on the target

In this step, you will execute the command you just learned to perform a focused scan against the test web server.

Run the following command in your terminal. Instead of running for several minutes, the scan completes in seconds because Nikto executes only the one plugin you selected.

nikto -h 127.0.0.1:8000 -Plugins apacheusers

The output will be much shorter than a standard Nikto scan. It will look something like this:

- Nikto 2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         2023-10-27 10:30:00 (GMT0)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ Allowed HTTP Methods: GET, HEAD
+ 1 host(s) tested
+ 0 error(s) and 0 item(s) reported on remote host
+ End Time:           2023-10-27 10:30:01 (GMT0) (1 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Notice how quickly the scan finished. This demonstrates the primary advantage of using specific plugins for targeted testing.

Analyze the plugin-specific output

In this final step, let's analyze the output from our focused scan. Understanding what the results mean is as important a skill as producing them.

Look again at the output from the previous step:

- Nikto 2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
...
+ 0 error(s) and 0 item(s) reported on remote host
+ End Time:           ...
---------------------------------------------------------------------------
+ 1 host(s) tested

The most important line for our analysis is: + 0 error(s) and 0 item(s) reported on remote host

This line tells us that the apacheusers plugin ran but found none of the conditions it is designed to detect. That is the expected outcome here: the target is Python's built-in web server, not an Apache instance serving ~user directories, so there was nothing for the plugin to find.

In penetration testing, a negative result is as informative as a positive one, provided you read it precisely. It means that this specific check found nothing; it says nothing about the conditions other plugins test, and in this case the check was not even applicable to the server software, so the result is better recorded as "not applicable" than as "secure". Running only the apacheusers plugin let us establish that quickly, without the noise and time of a full scan.
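Reading the summary by eye is fine for one scan; in a scripted assessment you want the same judgement made by code. The following shell script is an added example, not part of the original lab or of Nikto: it pulls the Server banner and the "error(s) and item(s)" counts out of a saved scan (here a constructed copy of the output shown above), classifies the run as clean, findings, or incomplete, and flags the apacheusers result as "not applicable" when the banner does not look like Apache.

```sh
#!/bin/sh
# Added example (not from the lab or Nikto): turn the summary lines of a
# Nikto scan into a machine-checkable result. SCAN_OUTPUT is a constructed
# copy of the output shown above; in practice capture a real run with:
#   nikto -h 127.0.0.1:8000 -Plugins apacheusers | tee scan.txt

SCAN_OUTPUT='- Nikto 2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
+ Start Time:         2023-10-27 10:30:00 (GMT0)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ Allowed HTTP Methods: GET, HEAD
+ 1 host(s) tested
+ 0 error(s) and 0 item(s) reported on remote host
+ End Time:           2023-10-27 10:30:01 (GMT0) (1 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
'

# Print the Server banner, or nothing if the target sent none.
server_banner() {
    printf '%s\n' "$1" | sed -n 's/^+ Server: //p' | head -n 1
}

# Print the error ($2 = error) or item ($2 = item) count from the summary
# line. Prints -1 when the line is absent, which usually means the scan did
# not finish and its result must not be read as clean.
summary_count() {
    case "$2" in
        error) pattern='s/^+ \([0-9]*\) error(s) and [0-9]* item(s) reported on remote host$/\1/p' ;;
        item)  pattern='s/^+ [0-9]* error(s) and \([0-9]*\) item(s) reported on remote host$/\1/p' ;;
        *)     printf '%s\n' -1; return ;;
    esac
    n=$(printf '%s\n' "$1" | sed -n "$pattern" | head -n 1)
    printf '%s\n' "${n:--1}"
}

# Classify a scan: 0 = no items reported, 1 = items reported,
# 2 = incomplete (summary line missing or errors reported).
classify_scan() {
    items=$(summary_count "$1" item)
    errors=$(summary_count "$1" error)
    if [ "$items" -lt 0 ] || [ "$errors" -ne 0 ]; then
        return 2
    fi
    [ "$items" -eq 0 ]
}

# A clean result only covers the checks that ran. apacheusers looks for
# Apache-style ~user directories, so when the banner names other software
# the check should be reported as "not applicable" rather than "secure".
# Banners can be hidden or forged, so treat this as a hint, not proof.
check_applicable() {
    case "$2" in
        apacheusers) printf '%s\n' "$1" | grep -qi apache ;;
        *) return 0 ;;
    esac
}

# Demonstration on the constructed output.
banner=$(server_banner "$SCAN_OUTPUT")
classify_scan "$SCAN_OUTPUT"; rc=$?
case $rc in
    0) if check_applicable "$banner" apacheusers; then
           echo "clean: apacheusers found nothing on $banner"
       else
           echo "not applicable: apacheusers ran against a non-Apache server ($banner)"
       fi ;;
    1) echo "findings: $(summary_count "$SCAN_OUTPUT" item) item(s) reported" ;;
    *) echo "incomplete scan: investigate errors before trusting the result" ;;
esac
```

The three-way classification matters more than it looks: a pipeline that only tests for "0 item(s)" will happily report a scan that crashed half-way as clean, which is the failure mode the -1 sentinel exists to prevent.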

Summary

Congratulations on completing this lab!

You have successfully learned how to perform a focused scan with Nikto by selecting a specific plugin. This technique is essential for efficient and targeted web security assessments.

In this lab, you practiced the following skills:

  • Listing all available Nikto plugins using the -list-plugins option.
  • Understanding how to choose a relevant plugin for a specific test.
  • Using the -Plugins option to tell Nikto to run only the specified plugin(s).
  • Executing a focused scan and analyzing the concise, plugin-specific output.

By mastering this skill, you can significantly speed up your testing workflow and focus your efforts on the vulnerabilities that matter most for a given target.