LabEx
Log InJoin Free

Set a Request Timeout in Nikto

Kali LinuxBeginner
Practice Now

Introduction

Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.

When scanning web servers, especially over slow or unreliable networks, or against servers that are under heavy load, requests can take a long time to complete. By default, Nikto waits for 10 seconds for a response. If a server is slower than this, Nikto may report timeout errors and fail to complete the scan properly.

In this lab, you will learn how to use Nikto's -timeout option to control the request timeout period. This will allow you to adjust Nikto's behavior to successfully scan slow or unresponsive web servers.

Identify a slow or unresponsive web server

In this step, you will learn how to identify if a web server is slow. Before adjusting timeouts in a scanning tool, it's crucial to first measure the server's typical response time. A simple way to do this is with the curl command.

We have started a web server in the background that is intentionally slow; it waits 5 seconds before sending a response. Let's use curl to measure how long it takes to get a response from it. The -w flag allows us to format the output, and %{time_total} is a variable that holds the total time for the transaction.

Execute the following command in your terminal to measure the response time of the local server running on port 8000:

curl -o /dev/null -s -w 'Total time: %{time_total}\n' http://localhost:8000

You will see an output similar to the following. The time will be slightly over 5 seconds due to the artificial delay we added in the server.

Total time: 5.00...

This confirms that the server is slow and takes longer than a few seconds to respond. This information is vital for setting an appropriate timeout in Nikto.

Use the -timeout option to set a short timeout in seconds

In this step, you will learn about Nikto's -timeout option. This option allows you to specify the number of seconds to wait for any single request to complete before Nikto gives up and marks it as a timeout. The default value is 10 seconds.

To understand how Nikto behaves with a misconfigured timeout, we will intentionally set a value that is too short for our slow server. Since we know the server takes about 5 seconds to respond, we will set a timeout of 2 seconds. This will cause the scan to fail with timeout errors, which we will observe in the next step.

First, let's confirm the existence and description of the -timeout option using Nikto's help menu. You can pipe the output of nikto -Help to grep to find the specific option.

nikto -Help | grep timeout

The output will show you the -timeout option and its description:

-timeout <secs>     Timeout for requests (default 10 seconds)

This confirms how to use the option. In the next step, we will apply it in a real scan.

Run the scan and observe potential timeout errors

In this step, you will run the Nikto scan with the short timeout value we decided on. This will demonstrate what happens when the timeout is not sufficient for the target server.

Execute the following command to scan the local server with a 2-second timeout. The -h flag specifies the host, and -p specifies the port.

nikto -h localhost -p 8000 -timeout 2

As the scan runs, you will see multiple error messages printed to the console. Nikto will try to make requests, but since the server takes 5 seconds to respond, the 2-second timeout will be exceeded every time.

The output will be filled with errors similar to this:

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        8000
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ ERROR: Connection timed out
+ ERROR: Connection timed out
... (many more errors) ...

The repeated ERROR: Connection timed out messages are a clear sign that the timeout value is too low. The scan results are unreliable, and many tests are likely being skipped.

Increase the timeout value for a more reliable scan

In this step, you will correct the issue from the previous step by setting an appropriate timeout value. To ensure a reliable scan, the timeout must be longer than the server's longest expected response time.

From our curl test in Step 1, we know the server takes about 5 seconds to respond. To be safe, we should add a small buffer. Let's set the timeout to 7 seconds. This gives the server enough time to process the request and send a response.

Run the Nikto scan again, but this time with a timeout of 7 seconds:

nikto -h localhost -p 8000 -timeout 7

This time, you should see a different result. The scan will proceed without the "Connection timed out" errors. Nikto will now be able to properly communicate with the server and perform its tests.

The output will look more like a normal, successful scan:

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        8000
+ Start Time:         ...
---------------------------------------------------------------------------
+ Server: Python/3.10.6 http.server/0.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" not found.
...

Notice the absence of timeout errors and the presence of a server banner. This indicates that the scan is now running reliably.

Find an optimal timeout value for the target network

In this step, we will discuss the strategy for finding an optimal timeout value. While we used a known delay in our controlled environment, in a real-world scenario, you won't know the exact response time.

Finding the optimal timeout is a balance:

  • Too short: Leads to timeout errors and an unreliable scan (as seen in Step 3).
  • Too long: Can make the scan unnecessarily slow if the server is actually fast. For example, setting a 30-second timeout for a server that usually responds in 1 second means you'll wait 30 seconds for every truly failed request, slowing down the overall scan.

A good strategy is:

  1. Perform a baseline measurement using ping or curl to understand the general latency.
  2. Start with a timeout that is a few seconds longer than your baseline measurement.
  3. If you still see timeout errors, increase the value incrementally until the scan runs smoothly.

For our server, a 7-second timeout worked well. Let's try one final scan with a slightly more generous timeout of 10 seconds (the Nikto default) and also introduce the -maxtime option, which limits the total duration of the scan. This is useful to ensure a scan doesn't run for hours on a very large website.

nikto -h localhost -p 8000 -timeout 10 -maxtime 60s

This command tells Nikto to wait up to 10 seconds for each request and to abort the entire scan if it takes longer than 60 seconds. This combination gives you control over both individual request timings and the total scan duration.

Summary

In this lab, you have learned how to effectively manage request timeouts in Nikto, a critical skill for performing reliable web vulnerability scans.

You started by identifying a slow web server using the curl command to measure its response time. You then explored Nikto's -timeout option, first setting it to a value that was too low, which resulted in connection errors. Subsequently, you increased the timeout to an appropriate value, allowing the scan to complete successfully.

Finally, you learned the strategy for finding an optimal timeout value by balancing scan reliability and efficiency, and you were introduced to the related -maxtime option for controlling the total scan duration. Properly configuring these settings ensures your Nikto scans are both thorough and timely.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux