Nikto is one of the best and most widely used scanning tools among hackers and penetration testers for scanning web applications and servers for vulnerabilities.
Nikto comes pre-installed in Kali Linux; if you don’t have the package, you can get it from the GitHub repositories.
Nikto is a web application scanning tool used to find vulnerabilities, hidden directories, and files like “robots.txt”. Unlike a WordPress scan, Nikto can scan any website to check for vulnerabilities.
Nikto will easily pull out server vulnerabilities such as random misconfigurations, misconfigured ports, and server names.
STEP 1:- Let’s check our IP first.
STEP 2:- Why don’t we look for help from Nikto using a simple command, “nikto -h” or “-H” or “-Help”? It will display the list of help options.
host (-h) – This is a mandatory parameter for Nikto scanning. It holds the IP or the website’s URL to scan.
id – If the server or site needs authentication, we need to provide credentials like “id:password”.
output (-o) – As pen-testing engineers we need to document everything, so this option lets us save the results as we need.
port (-p) – We can provide the particular port that needs to be scanned (default 80).
version (-v) – It retrieves the version information of the database and plugins.
Let’s dive in.
STEP 3:- Try pinging a website to find out its IP. Here I pinged my organization’s site to find the IP to start scanning.
STEP 4:- We will do a simple scan to find the vulnerabilities of a host with the simple command “nikto -h IP”.
STEP 5:- In this step we will save the result in an output file using the below command, because we pen-testers need to document everything we do.
STEP 6:- The screenshot below shows the vulnerabilities in my website. The scan was taking too much time, so I interrupted it in the middle using CTRL + C. I have hidden some sensitive information in this picture for security purposes.
STEP 7:- Nikto scanning will directly hit the server you are targeting, so it’s not advisable to go with your personal IP; try a Virtual Private Network (VPN) when scanning a web application or server.
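The scan-and-save workflow from steps 4 and 5, as an added example that is not part of the original post: a small shell wrapper that runs nikto with the -h, -p and -o options only against hosts listed in an authorization file. The function names, the scope.txt file and the report naming scheme are assumptions made for this sketch.

```bash
#!/bin/sh
# Added example (not from the original post): scope-checked nikto wrapper.
# SCOPE_FILE, in_scope, valid_port, report_path and scan are hypothetical names.

# One authorized host or IP per line; lines starting with '#' are comments.
SCOPE_FILE="${SCOPE_FILE:-./scope.txt}"

# Succeed only if the target matches a whole line of the scope file.
in_scope() {
    [ -n "$1" ] && [ -r "$SCOPE_FILE" ] || return 1
    grep -v '^[[:space:]]*#' "$SCOPE_FILE" | grep -Fxq -- "$1"
}

# Accept only decimal ports 1-65535 (nikto defaults to 80 when -p is omitted).
valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the report file name: target, port and timestamp, with any
# character outside [A-Za-z0-9._-] in the target replaced by '_'.
report_path() {
    local safe
    safe="$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')"
    printf '%s/nikto_%s_p%s_%s.txt' "$3" "$safe" "$2" "$4"
}

# scan TARGET [PORT] [OUTDIR]: refuse out-of-scope targets, then run nikto
# and save the findings with -o so every scan is documented.
scan() {
    local target="$1" port="${2:-80}" outdir="${3:-./reports}" out
    in_scope "$target" || { echo "refusing: '$target' is not listed in $SCOPE_FILE" >&2; return 2; }
    valid_port "$port" || { echo "invalid port: '$port'" >&2; return 3; }
    mkdir -p "$outdir" || return 4
    out="$(report_path "$target" "$port" "$outdir" "$(date -u +%Y%m%dT%H%M%SZ)")"
    echo "scanning $target:$port, report -> $out" >&2
    nikto -h "$target" -p "$port" -o "$out"
}
```

After sourcing the file, a call such as scan 192.0.2.10 443 writes a timestamped report under ./reports, and any target missing from scope.txt is refused before nikto is started.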
DISCLAIMER:- This is made specially for educational purposes. Don’t try this without concern and end up in imprisonment. 🙂
I hope it will be useful for web application pen-testers. If you know any different types of scanning commands, share them in the comment section.
See you in another blog. Until then, bye bye!