Introduction
Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.
By default, Nikto sends requests to the target server as fast as it can. While this is efficient, it can be easily detected by security systems and may put a heavy load on the target server. The -Pause option allows you to control the pace of the scan by adding a delay between each test.
In this lab, you will learn how to use the -Pause option in Nikto to conduct slower, less intrusive scans.
Understand the purpose of the -Pause option
In this step, you will learn about the -Pause option in Nikto. This option is used to specify a delay in seconds between each scan request. This is a crucial feature for performing stealthy scans or for testing fragile systems that might not handle a high volume of requests well.
Let's start by viewing the help information for Nikto to see the description of the -Pause option. This is a good practice to understand the functionality of any tool's options.
Execute the following command in the terminal:
nikto -Help
Scroll through the output and look for the -Pause option. You will see a description explaining its function.
...
-Pause <seconds> Pause between tests (seconds, integer or float)
...
This confirms that -Pause accepts a number (integer or float) representing the seconds to wait between each test.
Run a scan with -Pause 5 to wait 5 seconds between tests
In this step, you will perform a Nikto scan using the -Pause option. Our lab environment has a simple web server running at http://localhost:8000 for you to scan.
We will set a pause of 5 seconds between each test. This means Nikto will wait for 5 seconds after sending one request before sending the next one.
Run the following command in your terminal to start the scan:
nikto -h http://localhost:8000 -Pause 5
Let's break down the command:
- nikto: The command to run the Nikto scanner.
- -h http://localhost:8000: The -h (or -host) option specifies the target host. In this case, it's our local test server.
- -Pause 5: This tells Nikto to pause for 5 seconds between each test it performs.
After executing the command, the scan will begin. You will see the output appear in the terminal.
Observe the slower pace of the scan
In this step, you will observe the output of the command you ran in the previous step. You don't need to run any new commands here.
Look at the terminal where the Nikto scan is running. You should notice that new lines of output, which represent the results of individual tests, appear much more slowly than they would in a default scan. There will be a noticeable 5-second gap between each new test result appearing on the screen.
Here is an example of what the output might look like, with each line appearing after a delay:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 8000
+ Start Time: 2023-10-27 10:30:00 (GMT0)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
... (new lines appear every 5 seconds) ...
This deliberate pacing is the direct result of using the -Pause 5 option. A full scan can take a significant amount of time with this setting. You can stop the scan at any time by pressing Ctrl+C in the terminal. For this lab, you can let it run for a minute to observe the effect and then stop it before proceeding.
Analyze how this can help evade rate-limiting firewalls
In this step, we will discuss a primary security-related reason for using the -Pause option: evading rate-limiting defenses.
Many modern security systems, such as Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS), employ rate-limiting as a defense mechanism. Rate-limiting works by tracking the number of requests from a single IP address over a specific time period. If the number of requests exceeds a predefined threshold (e.g., 100 requests per minute), the system might temporarily or permanently block that IP address.
A default Nikto scan is very aggressive and sends hundreds or thousands of requests in a very short time. This behavior would almost certainly trigger any rate-limiting rule, causing the scan to be blocked and rendering its results incomplete and inaccurate.
By using -Pause 5, you change the scan's request rate to one request every 5 seconds, which translates to only 12 requests per minute. This much lower rate is far more likely to go unnoticed by simple rate-limiting defenses, allowing your scan to complete successfully without being blocked. This makes the -Pause option a valuable tool for stealthier penetration testing.
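The following Python snippet is an added illustration (not part of the lab or of Nikto) of the rate-limiting rule described above. It replays two constructed request streams from one client, a default-speed scan and a -Pause 5 scan, through a sliding-window counter with the 100-requests-per-minute threshold used as the example, and then shows that the same paused scan is still visible to a rule that counts over a longer window. The threshold, window sizes and request spacing are assumed values chosen for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample data: synthetic request timestamps from a single client IP.
# These are not real Nikto logs; only the spacing between requests matters here.
SCAN_START = datetime(2023, 10, 27, 10, 30, 0)

def make_requests(start, count, interval_seconds):
    """Return `count` request timestamps spaced `interval_seconds` apart."""
    return [start + timedelta(seconds=i * interval_seconds) for i in range(count)]

def first_block_index(timestamps, threshold=100, window_seconds=60):
    """Sliding-window rate limit as described in the lab: count requests from
    one client within the trailing window and block once the count exceeds
    `threshold`. Returns the index of the first blocked request, or None if
    the stream never trips the rule."""
    window = timedelta(seconds=window_seconds)
    recent = []
    for i, ts in enumerate(timestamps):
        recent.append(ts)
        # forget requests that have aged out of the window
        recent = [t for t in recent if ts - t < window]
        if len(recent) > threshold:
            return i
    return None

def requests_per_minute(pause_seconds):
    """Request rate implied by a given -Pause value (60 / 5 = 12)."""
    return 60 / pause_seconds

# Default scan: assume roughly 20 requests per second (0.05 s apart).
DEFAULT_SCAN = make_requests(SCAN_START, 720, 0.05)
# -Pause 5 scan: one request every 5 seconds.
PAUSED_SCAN = make_requests(SCAN_START, 720, 5)

if __name__ == "__main__":
    print("requests/min with -Pause 5:", requests_per_minute(5))
    print("default scan blocked at request:", first_block_index(DEFAULT_SCAN))
    print("paused scan blocked at request (60 s window):",
          first_block_index(PAUSED_SCAN))
    # A longer window (1 h, assumed threshold 500) still sees the slow scan.
    print("paused scan blocked at request (1 h window):",
          first_block_index(PAUSED_SCAN, threshold=500, window_seconds=3600))
```

The per-minute rule stops the default scan at its 101st request but never fires on the paused stream, while the hour-long window catches the paused scan at its 501st request; slow scanning evades only rules with short windows.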
Use this option for scanning fragile or sensitive systems
In this step, we'll explore another important use case for the -Pause option: scanning fragile or sensitive systems responsibly.
Aggressive, high-speed scanning doesn't just risk detection; it can also negatively impact the stability of the target system. A web server, especially an older, underpowered, or poorly configured one, might struggle to handle a sudden flood of requests from a scanner. This can lead to severe performance degradation, making the application slow or unresponsive for legitimate users, or in a worst-case scenario, it could cause the web service or the entire server to crash.
When you are tasked with assessing a live production environment or a known-fragile system, causing a denial of service is unprofessional and counterproductive.
Using the -Pause option is a key part of conducting a responsible and professional security assessment. By slowing down the scan, you significantly reduce the load on the target server, minimizing the risk of disrupting its normal operation. This ensures that your security testing does not interfere with business operations.
Summary
In this lab, you have learned how to control the speed of a Nikto web server scan using the -Pause option.
You practiced running a scan with a 5-second delay between requests and observed how this dramatically slowed the pace of the scan. You also explored the two primary benefits of this technique:
- Stealth: Slowing down requests helps to evade simple rate-limiting rules implemented in firewalls and intrusion detection systems.
- Stability: Reducing the request rate minimizes the load on the target server, which is crucial when scanning fragile, underpowered, or critical production systems.
Mastering the -Pause option is an important step in becoming a more effective and responsible security professional.