Introduction
Nikto is a popular open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.
When performing security scans, it is often desirable to avoid detection by Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF), which inspect traffic for known malicious patterns. Nikto includes built-in evasion techniques, inherited from the LibWhisker library it uses for HTTP, that reshape each request so that a literal signature no longer matches it. Keep their limits in mind: an engine that decodes and normalises a request before matching still sees the original path, and the target's own access logs record every request regardless.
In this lab, you will learn how to use Nikto's -evasion option to perform stealthier scans.
Understand the available evasion techniques with -evasion
In this step, you will learn how to list and understand the evasion techniques available in Nikto. The -evasion option (or -e) takes one or more technique codes. The codes and their meanings are printed in Nikto's extended help (-H), under the -evasion entry.
Let's list the available techniques. Open your terminal and run the following command:
nikto -H
In the help output, look for the -evasion entry. Each technique has a single-character code and a short description:
-evasion+           Encoding technique:
                        1     Random URI encoding (non-UTF8)
                        2     Directory self-reference (/./)
                        3     Premature URL ending
                        4     Prepend long random string
                        5     Fake parameter
                        6     TAB as request spacer
                        7     Change the case of the URL
                        8     Use Windows directory separator (\)
                        A     Use a carriage return (0x0d) as a request spacer
                        B     Use binary value 0x0b as a request spacer
These are the request-level tricks Nikto (through LibWhisker) can use to alter each request so that it no longer matches a literal signature. The set of codes has changed between Nikto releases, so check -H on the version you are running rather than relying on a list from elsewhere. Several codes can be given at once by running them together (for example 124). In the following steps, we will practice using some of these techniques.
Run a scan using -evasion 1 for Random URI encoding
In this step, you will use the first evasion technique, "Random URI encoding". It percent-encodes a random selection of the characters in each request path using ordinary single-byte %XX escapes (that is the "non-UTF8" in the name). Web servers decode the path before routing it, so the request still reaches the same resource, but a signature-based IDS that compares the raw bytes against a literal pattern such as /cgi-bin/ will not match, because the bytes on the wire differ from one request to the next.
We will run a scan against the simple web server that was started for you in the lab setup. It is running on http://127.0.0.1:8000.
To use technique 1, you append the number to the -evasion option. Execute the following command in your terminal:
nikto -h http://127.0.0.1:8000 -evasion 1
Nikto will now start scanning the target. The scan will proceed as usual, but the requests sent to the server will have their URIs randomly encoded.
Here is a sample of the output you might see:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: 127.0.0.1
+ Target Port: 8000
+ Start Time: ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ No CGI directories found (use '-C all' to force check all possible dirs)
+ Server leaks a possible file system path: /home/labex/project/test-site/. This may suggest the server is running on a Unix-like system.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS
+ Public HTTP Methods: GET, HEAD, OPTIONS
...
+ 15 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: ... (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Notice that the scan completes and still reports findings; only the encoding of the requests changed. If the terminal running the lab's Python web server is visible, its log lines show each request line as it arrived, so you can see the percent-encoded paths for yourself. That log is also a reminder that evasion hides a scan from pattern matchers, not from the target: every request is still recorded server-side.
Try a scan using -evasion 2 for Directory self-reference
Now, let's try another technique. Evasion technique 2 uses "Directory self-reference". This method inserts /./ self-references into each request path (e.g., /cgi-bin/ becomes /./cgi-bin/). A /./ segment means "the current directory", so web servers normalise it away and serve the same resource, but a security filter that looks for the exact string /cgi-bin/ in the raw request will not find it.
Run a Nikto scan using evasion technique 2 against the same target:
nikto -h http://127.0.0.1:8000 -evasion 2
The scan will run again, but this time using the directory self-reference trick. The output will be very similar to the previous scan, as the server responds to the modified requests correctly.
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: 127.0.0.1
+ Target Port: 8000
+ Start Time: ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
...
+ 15 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: ...
---------------------------------------------------------------------------
+ 1 host(s) tested
The key takeaway is that you still get valid scan results while the requests on the wire no longer contain the literal paths a naive signature would look for. An IDS or WAF that normalises paths before matching will not be fooled by this alone.
Use -evasion 4 for Prepending long random strings
In this step, we will explore evasion technique 4, which prepends a long random string to the request path. The random string is inserted as a directory name followed by /.., so the path still resolves to the original resource once the server normalises it. The idea is to push the interesting part of the request past the inspection depth of a simple IDS/IPS: if the sensor only examines the first part of each request, it never sees the real path.
Let's execute a scan using this technique.
nikto -h http://127.0.0.1:8000 -evasion 4
Once again, Nikto will perform its scan, but each request path will start with a long random segment. The web server's path normalisation resolves the trailing /.. and discards that segment, so the target responds normally, while a pattern matcher with a limited inspection depth is looking at junk.
The output will be similar to the previous scans, demonstrating that the technique does not interfere with the scan's effectiveness against the target server.
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: 127.0.0.1
+ Target Port: 8000
+ Start Time: ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.12
...
+ 15 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: ...
---------------------------------------------------------------------------
+ 1 host(s) tested
Combine multiple evasion techniques in a single scan
One of the most powerful features of Nikto's evasion capabilities is the ability to combine multiple techniques in a single scan. This creates more complex and varied requests, making it even harder for an IDS to detect the scan.
To combine techniques, you simply list the numbers of the techniques you want to use one after another. For example, to combine Random URI encoding (1), Directory self-reference (2), and Prepending long random strings (4), you would use -evasion 124.
Let's run a scan combining these three techniques:
nikto -h http://127.0.0.1:8000 -evasion 124
Nikto will now apply all three techniques to each request, producing paths that are percent-encoded, littered with /./ self-references and prefixed with a long random segment. Layering techniques makes a raw-bytes signature even less likely to match, though an engine that decodes and canonicalises the path before matching will still recover the original request.
The output will again show the same findings, confirming that the combination of evasion techniques did not break the scan's functionality.
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: 127.0.0.1
+ Target Port: 8000
+ Start Time: ...
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/3.10.12
+ The anti-clickjacking X-Frame-Options header is not present.
...
+ 15 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: ...
---------------------------------------------------------------------------
+ 1 host(s) tested
By combining techniques, you can tailor the shape of your requests to the defenses you anticipate. Be realistic about what they achieve: these are classic LibWhisker tricks against literal signature matching. They do nothing about the target's own logs, the volume and timing of a Nikto scan, or Nikto's default User-Agent string, which identifies Nikto and by default even lists the evasion codes in use in its Evasions: field; change it separately with the -useragent option if that matters for your assessment.
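To make the three techniques used in this lab concrete, here is an added example, written for this page rather than taken from Nikto or LibWhisker, that applies the path rewrites behind codes 1, 2 and 4 to a sample path, chains them the way -evasion 124 does, and then runs the result through the decode-and-normalise step a web server performs before routing. That normalised view is also what a normalising IDS/WAF matches against, which is why these techniques defeat only raw-bytes signature matching with a limited inspection depth. The sample signature path, the 50% per-character encoding probability, the 64-byte random segment and the 48-byte inspection depth are assumptions chosen for illustration; LibWhisker's exact byte choices differ.

```python
"""Added example for this page: the path rewrites behind Nikto -evasion codes
1, 2 and 4, beside the normalisation a web server (or a normalising IDS/WAF)
applies before routing or matching. Illustrative code, not Nikto's or
LibWhisker's own implementation; the exact random choices differ."""
import posixpath
import random
from urllib.parse import unquote

# Constructed sample: the path a raw-bytes IDS rule would look for.
SIGNATURE = "/cgi-bin/test.cgi"
INSPECTION_DEPTH = 48  # assumed byte limit of a simple sensor (illustrative)


def random_uri_encode(path: str, rng: random.Random) -> str:
    """Code 1: percent-encode a random subset of the path's characters with
    single-byte %XX escapes ("non-UTF8"). '/' is left alone so the path still
    routes; at least one character is always encoded so the request is altered."""
    chars = list(path)
    candidates = [i for i, ch in enumerate(chars) if ch != "/"]
    chosen = [i for i in candidates if rng.random() < 0.5]
    if candidates and not chosen:
        chosen = [candidates[-1]]
    for i in chosen:
        chars[i] = "%%%02X" % ord(chars[i])
    return "".join(chars)


def self_reference(path: str) -> str:
    """Code 2: turn each directory separator into a self-reference ('/' -> '/./')."""
    return path.replace("/", "/./")


def prepend_random(path: str, rng: random.Random, length: int = 64) -> str:
    """Code 4: prepend a long random directory name followed by '/..'. Path
    normalisation pops the random segment again, so the original resource is
    served, while a sensor that only inspects the first bytes sees junk."""
    junk = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(length))
    return "/" + junk + "/.." + path


EVASIONS = {
    "1": lambda p, rng: random_uri_encode(p, rng),
    "2": lambda p, rng: self_reference(p),
    "4": lambda p, rng: prepend_random(p, rng),
}


def apply_evasion(codes: str, path: str, seed: int = 0) -> str:
    """Apply a code string such as "124" (the argument form nikto -evasion takes)
    one code after another. Codes this example does not model raise an error."""
    rng = random.Random(seed)
    for code in codes:
        if code not in EVASIONS:
            raise ValueError(f"evasion code {code!r} is not modelled in this example")
        path = EVASIONS[code](path, rng)
    return path


def server_normalize(raw_path: str) -> str:
    """What the server does before routing (and a normalising IDS/WAF before
    matching): percent-decode, then collapse '.' and '..' segments. A '..' at
    the root is clamped instead of escaping the web root."""
    normalized = posixpath.normpath(unquote(raw_path))
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    while normalized.startswith("//"):  # normpath keeps a POSIX '//' prefix
        normalized = normalized[1:]
    return normalized


def naive_rule_hit(raw_path: str, depth: int = INSPECTION_DEPTH) -> bool:
    """Raw-bytes signature with a fixed inspection depth: fires only if the
    literal path appears unmodified within the first `depth` bytes."""
    return SIGNATURE in raw_path[:depth]


def normalized_rule_hit(raw_path: str) -> bool:
    """The same signature applied after normalisation."""
    return SIGNATURE in server_normalize(raw_path)


if __name__ == "__main__":
    for codes in ("1", "2", "4", "124"):
        wire = apply_evasion(codes, SIGNATURE)
        print(f"-evasion {codes:<3} on the wire:  {wire}")
        print(f"   server resolves to: {server_normalize(wire)}")
        print(f"   naive rule: {naive_rule_hit(wire)}  normalised rule: {normalized_rule_hit(wire)}")
```

Run it directly to print each obfuscated path beside the path the server actually resolves; you can compare that output with the request lines the lab's Python web server logs during a real -evasion scan. The naive rule misses every variant, the normalised rule catches all of them, which is the whole argument for normalising before matching on the defensive side.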
Summary
In this lab, you have learned how to use Nikto's evasion features to make web vulnerability scans less obvious to signature-based monitoring. You started by locating the available techniques in Nikto's help output. You then practiced applying individual techniques, including Random URI encoding (1), Directory self-reference (2), and Prepend long random string (4), and saw that the target still answered normally because web servers decode and normalise request paths before serving them.
Finally, you learned how to combine these techniques into a multi-layered evasion strategy that makes literal pattern matching harder for an IDS that does not normalise requests. Used with an understanding of their limits (server-side logging, scan volume and Nikto's default User-Agent are unaffected), these options are a useful part of performing discreet security assessments in monitored environments.


