HTTP or HTTPS. It also supports basic port scanning and will determine if a web server is running on any open ports.

using the 'update' option (see below) to ensure Nikto is checking the most recent vulnerabilities.

the plugins directory. Unlike scan_database.db, this file will not be over-written if the -update option is used. This should always be used if you add your own checks (and you should send those checks to sullo@cirt.net).

be changed by forcing the $NIKTO{fingerprint} and $NIKTO{useragent} to new values in the source code, OR, if any

IDS evasion (-e) option is used. Note that it's pretty obvious when Nikto is scanning a server anyway--the large number of invalid requests sticks out a lot in the server logs, although with an IDS evasion technique it might not be extremely obvious that it was Nikto.

Why the name Nikto? See the movies The Day the Earth Stood Still" and, of course "Army of Darkness" for the answer. For a full list of pop-culture references to this, see http://www.blather.net/archives2/issue2no21.html which has a lot of good information.

The options listed below are all optional except the -h target specification. They can all be abbreviated to the first letter (i.e., -m for -mutate), with the exception of -verbose and -debug.

-allcgi Force scan of all possible CGI directories defined in the config.txt value CGIDIRS, regardless of whether they might exist or not.

-cookies Print out the cookie names and values that were received during the scan.

-evasion <evasion method>

IDS evasion techniques. This enables the intrusion detection evasion in LibWhisker. Multiple options can be used by stringing the numbers together, i.e. to enable methods 1 and 5, use "-e 15". The valid options are (use the number preceeding each description):

1 Random URI encoding (non-UTF8)

2 Add directory self-reference /./

3 Premature URL ending

4 Prepend long random string to request

5 Fake parameters to files

6 TAB as request spacer instead of spaces

7 Random case sensitivity

8 Use Windows directory separator instead of /

9 Session splicing See the LibWhisker source for more information, or http://www.wiretrip.net/

-findonly Use port scan to find valid HTTP and HTTPS ports only, but do not perform checks against them.

-Format Output format for the file specified with the -output option. Valid formats are: HTM - HTML output format. TXT - Text output format. This is the default if -F is not specified. CSV - Comma Seperated Value format.

-generic Force full scan rather than trusting the "Server:" identification string, as many servers allow this to be changed.

-host <ip, hostname or file>

Target host(s) to check against. This can be an IP address or hostname, or a file of IPs or hostnames. If this argument is a file, it should formatted as described below. This is the only required option.

-id <user:password:realm> HTTP Authentication use, format is userid:password for authorizing Nikto a web server realm. For NTLM realms, format is id:password:realm.

-mutate Mutate checks. This causes Nikto put all files with all directories from the .db files and can the host. You might find some oddities this way. Note that it generates a lot of checks.

-nolookup Don't perform a host name lookup.

-output <filename>

Write output to this file when complete. Format is text unless specified via -Format.

-port <port number>

Port number to scan, defaults to port 80 if missing. This can also be a range or list of ports, which

Nikto will check for web servers. If a web server is found, it will perform a full scan unless the -f option is used.

-root Always prepend this to requests, i.e., changes a request of "/password.txt" to "/directory/password.txt" (assuming the value passed on the CLI was "/directory")

-ssl

Force SSL mode on port(s) listed. Note that Nikto attempts to determine if a port is HTTP or HTTPS automatically, but this can be slow if the server fails to respond or is slow to respond to the incorrect one. This sets SSL usage for *all* hosts and ports.

-timeout Timeout for each request, default is 10 seconds

Use the proxy defined in config.txt for all requests

-vhost <ip or hostname> Virtual host to use for the "Host:" header, in case it is different from the target.

-Version Print version numbers of Nikto, all plugins and all databases.

These options cannot be abbreviated to the first letter: -dbcheck This option will check the syntax of the checks in the scan_database.db and user_scan_database.db files. This is really only useful if you are adding checks or are having problems.

-debug Print a huge amount of detail out. In most cases this is going to be more information than you need, so try -verbose first.

This will connect to cirt.net and download updated scan_database.db and plugin files. Use this with caution as you are downloading files--perhaps including code--from an "untrusted" source. This option cannot be combined with any other, but required variables (like the PROXY settings) will be loaded from the config.txt file.

Print out a lot of extra data during a run. This can be useful if a scan or server is failing, or to see exactly how a server responds to each request.

NMAP - Path to nmap. If defined, Nikto will use nmap to port scan a host rather than PERL code, and so should be faster. SKIPPORTS - Port number never to scan (so you don't crash services, perhaps?). PROXYHOST - Server to use as a proxy, either IP or hostname, no 'http://' needed. PROXYPORT - Port number that PROXYHOST uses as a proxy. PROXYUSER - If the PROXYHOST requires authentication, use this ID. Nikto will prompt for it if this is not set & it is needed.

PROXYPASS - If the PROXYHOST requires a password for PROXYUSER, use this password. Nikto will prompt for it if this is not set & it is needed. DEFAULTHTTPVER - First try this HTTP method. If this fails, Nikto will attempt to find a valid one. Useful if you want try something non-standard. PLUGINDIR - If Nikto can't find it's plugin directory for some reason, enter the full path and the problem is solved. STATIC-COOKIE - The name/value of this cookie, if set, will be sent for every request (useful for auth cookies).

will be duplicated. See the TEST DATABASES section for more information.

@CGIDIRS - CGI directories to look for, valid ones (or all) will be used for CGI checks against the remote host.

@MUTATEDIRS - Additional directories to use when operating under the Mutate mode besides ones already defined the .db files. @MUTATEFILES - Additional files to use when operating under the Mutate mode besides ones already defined the .db files.

@ADMINDIRS - Typical administration directories.

Rules in the scan databases can use dynamic variables from config.txt. Any variable that starts with the 'at' sign (@) will be substited in rules. For example:

/cgi-bin/test.html /cgi-sys/test.html

Any number of these variables can be set, and any number can be used in a rule (i.e., "@CGIDIRS@ADMINDIRStest.html"). Additionally, the generic @HOSTNAME and @IP are available, which use the current target's hostname or IP.

but not contain the word "home". This would look like "200!home" in the scan_database.db file.

A basic scan of a web server on port 80. The -h option is the only option that is required for a basic scan of a web server on the standard HTTP port.

A basic scan of a web server on port 443, forcing SSL encryption and ignoring the Server header. Note that Nikto does not assume port 443 to be SSL, but if HTTP fails it will try HTTPS.

nikto.pl -h 10.100.100.10 -p 80,443,8000,8080

You may combine IDS evasion techniques as desired.

be obtained from http://www.nmap.org/, it is not included with Nikto. Versions 3.0 and below should be fine.

SSL software is required to test using HTTPS. For Windows systems, the SSL software and libraries can be obtained from http://www.activestate.com/. For unix systems, OpenSSL from http://www.openssl.org/ and the Net::SSLeay module from http://www.cpan.org/ are required.

Plugins are standard PERL. They are included and executed when Nikto is run. If you run the -update option, new and updated plugins will be downloaded from cirt.net. This means you are downloading code, and potentially running it, without viewing it yourself. Please consider the implications. Do not assume code distributed from Cirt.net is not harmful, as accidents happen and a malicious third party may have inserted a dangerous plugin. Cirt.net assumes no responsibility if any malicious code is delivered via the -update option.

Darby/cirt.net, Valdez/cirt.net, S Saady, P Eronen/nixu.com, M Arboi, T Seyrat, J DePriest, P Woroshow, fr0stman, E Udassin, H Heimann