Spoof the User-Agent String in Nikto


Introduction

Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, outdated versions of over 1250 servers, and version-specific problems on over 270 servers.

When Nikto sends requests to a target server, it identifies itself using a default "User-Agent" string. This string can be easily detected by firewalls or intrusion detection systems, which might block the scan. To perform a more stealthy scan, you can "spoof" or change the User-Agent to mimic a common web browser.

In this lab, you will learn how to identify Nikto's default User-Agent and then change it using the -useragent option to make your scans less conspicuous.

Identify the default Nikto User-Agent from a test scan

In this step, you will run a basic Nikto scan against a local web server to see its default User-Agent string. A simple Python web server has been started for you in the background, which logs all incoming requests to a file named access.log.

First, run a standard Nikto scan targeting the local server running on port 8000. Open your terminal and execute the following command:

nikto -h http://localhost:8000

Nikto will perform a series of tests. We are not interested in the scan results themselves, but in the log entries the requests create on the server.

After the scan completes, view the contents of the log file to see how the server recorded Nikto's request. Use the cat command:

cat ~/project/access.log

You should see log entries that include Nikto's default User-Agent. It will look something like this, clearly identifying the scanner.

127.0.0.1 - "GET / HTTP/1.1" Mozilla/5.0 (X11; Linux x86_64) Nikto/2.5.0 (Evasions:None) (Test:Port Check)
127.0.0.1 - "GET /icons/blank.gif HTTP/1.1" Mozilla/5.0 (X11; Linux x86_64) Nikto/2.5.0 (Evasions:None) (Test:Port Check)
... (other log entries) ...

Notice the Nikto/2.5.0 part of the string. This is the signature we want to hide in the next steps.

Choose a common browser User-Agent string to mimic

In this step, we will select a User-Agent string from a common web browser. The goal is to make our scanning traffic look like it's coming from a regular user, not an automated tool. This helps in evading simple detection rules that block traffic based on known scanner User-Agents.

There are many resources online to find current User-Agent strings. For this lab, we will use a typical User-Agent for the Firefox browser on a Windows machine.

Here is the string we will use: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

This step is purely informational. You don't need to execute any commands. Just familiarize yourself with the string above, as you will use it in the following steps.

Use the -useragent option to set the new string

In this step, you will learn how to construct the Nikto command to use the new, spoofed User-Agent. Nikto provides a specific command-line option for this purpose: -useragent.

The syntax for this option is straightforward. You append -useragent to your command, followed by the new string you want to use. Because User-Agent strings contain spaces and special characters, it is crucial to enclose the entire string in double quotes (") so that the shell passes it to Nikto as a single argument.

Here is how you would construct the command to scan our local server with the Firefox User-Agent we chose in the previous step:

nikto -h http://localhost:8000 -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"

In this step, you only need to understand how the command is built. You will execute it in the next step.

Run a scan with the spoofed User-Agent

In this step, you will execute the Nikto scan using the custom User-Agent. To ensure we are only seeing the results of our new scan, it's a good practice to clear the old log file first.

Clear the access.log file with the following command:

> ~/project/access.log

This command overwrites the file, leaving it empty. Now, run the Nikto scan with the -useragent option and the Firefox string.

nikto -h http://localhost:8000 -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"

Nikto will now run the same scan as before, but every request it sends will carry the Firefox User-Agent string instead of the default Nikto one. Let the scan run to completion.

Verify the new User-Agent in server logs or a proxy

In this final step, you will verify that the User-Agent spoofing was successful. We will check the server's log file again to see what User-Agent was recorded during the last scan.

Use the cat command to display the contents of access.log:

cat ~/project/access.log

This time, the output should look different. Instead of seeing "Nikto" in the logs, you will see the Firefox User-Agent string that you specified.

127.0.0.1 - "GET / HTTP/1.1" Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
127.0.0.1 - "GET /icons/blank.gif HTTP/1.1" Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
... (other log entries) ...

As you can see, the log now shows a standard Firefox User-Agent. The word "Nikto" is gone, successfully hiding the identity of our scanner from the server's basic logs.
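As an added example (not part of the lab), here is a small Python checker for the access.log format shown above, run over constructed entries: a rule that looks for the Nikto/ marker flags the default scan but not the spoofed one, while a per-client request-count rule still separates both scans from a single browser request. The client addresses, probe paths and threshold are constructed values; only the two User-Agent strings come from the lab.

```python
import re

# Log line format as recorded by the lab's Python server:
#   <client> - "<method> <path> <proto>" <user-agent>
LOG_RE = re.compile(r'^(?P<client>\S+) - "(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<ua>.*)$')

# User-Agent substrings that identify a scanner. Only Nikto's marker from the
# page is listed; a real rule set would be longer (assumption).
SCANNER_UA_MARKERS = ("Nikto/",)

def parse_line(line):
    """Split one access.log line into its fields, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyse(lines, request_threshold=20):
    """Per client: scanner User-Agent seen?, request count, distinct paths, and
    whether the volume exceeds request_threshold (an assumed tuning value)."""
    per_client = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        c = per_client.setdefault(rec["client"], {"n": 0, "hits": 0, "paths": set()})
        c["n"] += 1
        c["paths"].add(rec["path"])
        c["hits"] += any(marker in rec["ua"] for marker in SCANNER_UA_MARKERS)
    return {
        client: {
            "requests": c["n"],
            "distinct_paths": len(c["paths"]),
            "ua_signature": c["hits"] > 0,               # catches the default scan only
            "high_volume": c["n"] >= request_threshold,  # catches both scans
        }
        for client, c in per_client.items()
    }

# Constructed sample traffic; the two User-Agent strings are the ones used in the lab.
NIKTO_UA = "Mozilla/5.0 (X11; Linux x86_64) Nikto/2.5.0 (Evasions:None) (Test:Port Check)"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"

def make_scan(client, ua, count):
    """Constructed burst: a scanner requests many distinct paths in one session."""
    return [f'{client} - "GET /probe{i} HTTP/1.1" {ua}' for i in range(count)]

DEFAULT_SCAN = make_scan("10.0.0.5", NIKTO_UA, 40)     # unmodified Nikto
SPOOFED_SCAN = make_scan("10.0.0.6", FIREFOX_UA, 40)   # -useragent with the Firefox string
BROWSER_HIT = ['10.0.0.7 - "GET / HTTP/1.1" ' + FIREFOX_UA]  # one real browser request
```

Calling analyse(DEFAULT_SCAN + SPOOFED_SCAN + BROWSER_HIT) reports ua_signature only for 10.0.0.5, but high_volume for both 10.0.0.5 and 10.0.0.6, which is why a defender should not rely on the User-Agent header alone.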

Summary

In this lab, you have learned a fundamental technique for making security scans more stealthy. You successfully spoofed the User-Agent string in Nikto to mimic a regular web browser.

You have learned how to:

  • Run a default Nikto scan to establish a baseline.
  • Inspect server logs to identify the default Nikto User-Agent.
  • Use the -useragent command-line option to specify a custom string.
  • Run a new scan with the spoofed User-Agent.
  • Verify the change by checking the server logs again.

This skill is essential for penetration testers and security professionals who need to perform vulnerability assessments without being immediately blocked or detected by security systems.