Scan Web Servers in Nikto

Introduction

In this lab, you will learn how to use Nikto, an open-source web server scanner, to detect potential vulnerabilities in web applications. You'll practice scanning techniques on the intentionally vulnerable bWAPP application while learning to interpret scan results effectively.

The lab covers Nikto installation, target configuration, scan execution, and result analysis. Through hands-on practice, you'll gain essential skills for performing basic web server vulnerability assessments using this widely-used security tool.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/save_output("Save Output to File") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") subgraph Lab Skills nmap/save_output -.-> lab-549948{{"Scan Web Servers in Nikto"}} nmap/target_specification -.-> lab-549948{{"Scan Web Servers in Nikto"}} end

Install Nikto

In this step, you will install Nikto, an open-source web server scanner that helps identify security issues in web servers. Nikto checks for outdated server software, dangerous files/CGIs, and other common vulnerabilities. Understanding these vulnerabilities is crucial for securing web applications.

Before we begin, let's make sure we're in the right directory. The ~/project directory is where we'll perform all our lab work to keep files organized:

cd ~/project

Next, we need to update our package list. This ensures we'll install the latest available version of Nikto with all recent security updates:

sudo apt update

Now we're ready to install Nikto. The -y flag automatically confirms the installation, saving us from having to manually approve it:

sudo apt install -y nikto

After installation completes, let's verify it worked correctly by checking the installed version. This confirms Nikto is properly installed and shows which version we'll be using:

nikto -Version

You should see output similar to:

Nikto v2.1.6

Nikto is now successfully installed on your system. While Nikto has a configuration file at /etc/nikto.conf, we'll use the default settings for this introductory lab. These defaults provide a good balance between thorough scanning and reasonable speed for learning purposes.

Choose a Target Server

In this step, you'll learn how to select and verify a target web server for vulnerability scanning. We'll use Nikto to scan a deliberately vulnerable web application called "bWAPP" (Buggy Web Application) that's safely set up in our LabEx environment. This practice application is designed for security testing without affecting real systems.

First, let's navigate to the correct working directory where we'll perform our scans. This helps keep our project files organized:
```
cd ~/project
```
Before scanning, we need to confirm our target web server is running properly. We'll use curl with the -I flag to fetch just the HTTP headers:
```
curl -I http://localhost:8000
```
A successful response will show HTTP status code 200 OK, indicating the server is active:
```
HTTP/1.1 200 OK
```
Now we'll set our target URL as an environment variable. This makes it easier to reference later in our scans:
```
TARGET="http://localhost:8000"
```
Let's do a quick test to see the web server's response. We'll use curl to fetch the page content and display just the first 5 lines:
```
curl $TARGET | head -n 5
```
This gives us a sample of the HTML content, confirming we can successfully connect to the server.
Remember this target URL as we'll use it throughout the scanning process. Keeping track of your target is crucial when performing security assessments.

Run a Vulnerability Scan

In this step, you will use Nikto to perform a vulnerability scan against the target server we selected in the previous step. Nikto is an open-source web server scanner that tests for over 6700 potentially dangerous files/programs, checks for outdated server versions, and identifies common web server misconfigurations.

Before starting the scan, it's important to be in the correct directory where you have permission to run the tool and save results. The cd command changes your current working directory:

First, ensure you're in the correct working directory:
```
cd ~/project
```

Now we'll run a basic scan. The -h flag specifies the target host (in this case, our local test server). Nikto will automatically check for common vulnerabilities like:

Default files and programs
Insecure server configurations
Outdated server software
Potential XSS and SQL injection vulnerabilities

Run a basic Nikto scan against our target server (http://localhost:8000):
```
nikto -h http://localhost:8000
```

The scan will run and display results in real-time. You'll see output similar to:

- Nikto v2.1.6
- Target IP:          127.0.0.1
- Target Hostname:    localhost
- Target Port:        8000
- Start Time:         [timestamp]

For a more thorough examination, we can use tuning options. The -Tuning parameter lets you specify which tests to run. Here, x enables extended tests while 6 checks for common files that might expose sensitive information.

For a more comprehensive scan, you can add these options:
```
nikto -h http://localhost:8000 -Tuning x 6
```
This performs extended tests (x) and checks for common files (6).

The scan may take 1-2 minutes to complete. When finished, you'll see a summary of findings including:

+ Server may be vulnerable to XSS
+ Retrieved x-powered-by header: PHP/7.4.3
+ OSVDB-3092: Possible sensitive directory

Each finding includes:

A vulnerability description
The vulnerability type
Relevant references (like OSVDB IDs)
The affected component

Note that some findings may be false positives - we'll analyze these in the next step. Not all reported issues are actual vulnerabilities, which is why manual verification is crucial in security testing.

Review Scan Output

In this step, we'll carefully examine the scan results from Nikto to understand what vulnerabilities were found in the target web server. As a beginner, it's important to know that Nikto organizes its findings in a structured way to help you identify security issues efficiently.

First, ensure you're in the correct working directory where your scan results are stored:
```
cd ~/project
```
This command changes your current directory to where Nikto saved its output file.
Let's break down the main sections you'll see in the Nikto output file:
- Server Information: Reveals what web server software is running (like Apache or Nginx) and its version number
- Vulnerability Findings: Shows specific security problems Nikto detected, with indicators showing how serious each issue is
- Scan Summary: Gives you totals of what was found during the scan
To quickly find the most important vulnerabilities, run this command:
```
grep -E '\+|OSVDB' ~/project/nikto_scan.txt
```
This searches through your scan results and shows only lines containing vulnerability markers (+) or OSVDB references (which are vulnerability database IDs).
When reviewing the results, pay extra attention to:
- Any findings labeled "HIGH" risk - these are the most dangerous issues
- Old versions of server software - outdated programs often have known security holes
- Exposed directories or sensitive files - these shouldn't be publicly accessible
- Common web attacks like Cross-Site Scripting (XSS) or SQL Injection (SQLi)
Here's what typical findings might look like:
```
+ /config.php: PHP config file found
+ OSVDB-3092: /admin/: This might be interesting
```
The first line shows Nikto found a configuration file that shouldn't be public. The second line references a specific vulnerability ID from the Open Source Vulnerability Database.
To get more details about a specific OSVDB entry, you can query the vulnerability database:
```
curl -s "https://vulners.com/api/v3/search/id/?id=OSVDB-3092" | jq '.data.attributes'
```
This command fetches detailed information about vulnerability OSVDB-3092 from an online database and formats it nicely for reading.
As you go through the results, write down the most serious issues you find. We'll use these notes in the next step when we document our findings. Focus on understanding what each vulnerability means rather than trying to fix everything at once.

Save the Report

In this final step, you will save the Nikto scan results to a file for documentation and future reference. Saving reports is crucial in security testing as it provides evidence of vulnerabilities found and helps track remediation progress.

First, ensure you're in the correct working directory where you want to store your scan reports. The cd command changes directories:
```
cd ~/project
```
To save the scan results from the previous step in plain text format, run this command. The -output flag specifies the filename where Nikto will write its findings:
```
nikto -h http://localhost:8000 -output vuln_scan_report.txt
```
Verify the report was created successfully. The ls -l command lists files with details, and you should see your report file with content (non-zero size):
```
ls -l vuln_scan_report.txt
```
For better readability and sharing with team members, you can generate an HTML formatted report. The -Format html option creates a visually organized report:
```
nikto -h http://localhost:8000 -Format html -output vuln_scan_report.html
```
To quickly check the contents of your text report, use the head command which shows the first 20 lines. This helps verify the scan completed properly:
```
head -n 20 vuln_scan_report.txt
```
The report contains several important sections that security professionals analyze:
- Scan metadata (date, target, etc.) - shows when and what was scanned
- All identified vulnerabilities - the core findings needing attention
- Recommendations for remediation - suggested fixes for each issue
- Scan statistics and completion time - helps measure scan performance
These report files are now saved in your ~/project directory. You can:
- Share them with developers for fixing issues
- Compare with future scans to track progress
- Include them in security audit documentation
- Use them as evidence in compliance reports

Summary

In this lab, you have learned how to install and configure Nikto, a powerful open-source web server scanner, to detect vulnerabilities in target systems. The exercise guided you through verifying installation, checking server accessibility, and performing comprehensive scans against a vulnerable web application.

You gained hands-on experience in interpreting scan results and generating reports, demonstrating the critical role of vulnerability assessment in maintaining web security. This practical knowledge equips you with essential skills for identifying potential security risks in web servers.