.\" Title: nikto
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
.\" Date: 02/03/2010
.\" Manual: Vulnerability Scanner
.\" Source: http://cirt.net/ 2.1.1
.\"
.TH "NIKTO" "1" "02/03/2010" "http://cirt\&.net/ 2\&.1" "Vulnerability Scanner"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
nikto \- Scan web server for known vulnerabilities
.SH "SYNOPSIS"
.HP 21
\fBnikto\fR [options...]
.SH "DESCRIPTION"
.PP
Examine a web server to find potential problems and security vulnerabilities, including:
.sp
.RS 4
\h'-04'\(bu\h'+03'Server and software misconfigurations
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Default files and programs
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Insecure files and programs
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Outdated servers and programs
.RE
.PP
Nikto is built on LibWhisker (by RFP) and can run on any platform which has a Perl environment\&. It supports SSL, proxies, host authentication, attack encoding and more\&. It can be updated automatically from the command\-line, and supports the optional submission of updated version data back to the maintainers\&.
.SH "OPTIONS"
.PP
Below are all of the Nikto command line options and explanations\&. A brief version of this text is available by running Nikto with the \-h (\-help) option\&.
.PP
\fB\-Cgidirs\fR
.RS 4
Scan these CGI directories\&. The special words "all" or "none" may be used to scan all CGI directories or none (respectively)\&. A literal value for a CGI directory such as "/cgi\-test/" may be specified (must include trailing slash)\&. If this option is not specified, all CGI directories listed in nikto\&.conf will be tested\&.
.RE
.PP
\fB\-config\fR
.RS 4
Specify an alternative config file to use instead of the nikto\&.conf located in the install directory\&.
.RE
.PP
\fB\-dbcheck\fR
.RS 4
Check the scan databases for syntax errors\&.
.RE
.PP
\fB\-Display\fR
.RS 4
Control the output that Nikto shows\&. See Chapter 5 for detailed information on these options\&. Use the reference number or letter to specify the type, multiple may be used:
.sp
1 \- Show redirects
.sp
2 \- Show cookies received
.sp
3 \- Show all 200/OK responses
.sp
4 \- Show URLs which require authentication
.sp
D \- Debug Output
.sp
V \- Verbose Output
.RE
.PP
\fB\-evasion\fR
.RS 4
Specify the LibWhisker encoding technique to use (see the LibWhisker docs for detailed information on these)\&. Use the reference number to specify the type, multiple may be used:
.sp
1 \- Random URI encoding (non\-UTF8)
.sp
2 \- Directory self\-reference (/\&./)
.sp
3 \- Premature URL ending
.sp
4 \- Prepend long random string
.sp
5 \- Fake parameter
.sp
6 \- TAB as request spacer
.sp
7 \- Change the case of the URL
.sp
8 \- Use Windows directory separator (\e)
.sp
A \- Use a carriage return (0x0d) as a request spacer
.sp
B \- Use binary value 0x0b as a request spacer
.RE
.PP
\fB\-findonly\fR
.RS 4
Only discover the HTTP(S) ports, do not perform a security scan\&. This will attempt to connect with HTTP or HTTPS, and report the Server header\&.
.RE
.PP
\fB\-Format\fR
.RS 4
Save the output file specified with \-o (\-output) option in this format\&. If not specified, the default will be taken from the file extension specified in the \-output option\&. Valid formats are:
.sp
csv \- a comma\-separated list
.sp
htm \- an HTML report
.sp
txt \- a text report
.sp
xml \- an XML report
.RE
.PP
\fB\-host\fR
.RS 4
Host(s) to target\&. Can be an IP address, hostname or text file of hosts\&. A single dash (\-) may be used for stdout\&. Can also parse nmap \-oG style output\&.
.RE
.PP
\fB\-Help\fR
.RS 4
Display extended help information\&.
.RE
.PP
\fB\-id\fR
.RS 4
ID and password to use for Basic host authentication\&. Format is "id:password"\&.
.RE
.PP
\fB\-list\-plugins\fR
.RS 4
Will list all plugins that Nikto can run against targets and then will exit without performing a scan\&. These can be tuned for a session using the \-plugins option\&.
.sp
The output format is:
.sp
Plugin
\fIname\fR
.sp
\ \&\fIfull name\fR
\-
\fIdescription\fR
.sp
\ \&Written by
\fIauthor\fR, Copyright (C)
\fIcopyright\fR
.RE
.PP
\fB\-mutate\fR
.RS 4
Specify mutation technique\&. A mutation will cause Nikto to combine tests or attempt to guess values\&. These techniques may cause a tremendous number of tests to be launched against the target\&. Use the reference number to specify the type; multiple may be used:
.sp
1 \- Test all files with all root directories
.sp
2 \- Guess for password file names
.sp
3 \- Enumerate user names via Apache (/~user type requests)
.sp
4 \- Enumerate user names via cgiwrap (/cgi\-bin/cgiwrap/~user type requests)
.sp
5 \- Attempt to brute force sub\-domain names, assume that the host name is the parent domain
.sp
6 \- Attempt to guess directory names from the supplied dictionary file
.RE
.PP
\fB\-mutate\-options\fR
.RS 4
Provide extra information for mutates, e\&.g\&. a dictionary file
.RE
.PP
\fB\-nointeractive\fR
.RS 4
Disable interactive features\&.
.RE
.PP
\fB\-nolookup\fR
.RS 4
Do not perform name lookups on IP addresses\&.
.RE
.PP
\fB\-nossl\fR
.RS 4
Do not use SSL to connect to the server\&.
.RE
.PP
\fB\-no404\fR
.RS 4
Disable 404 (file not found) checking\&. This will reduce the total number of requests made to the webserver and may be preferable when checking a server over a slow link, or an embedded device\&. This will generally lead to more false positives being discovered\&.
.RE
.PP
\fB\-output\fR
.RS 4
Write output to the file specified\&. The format used will be taken from the file extension\&. This can be overridden by using the \-Format option (e\&.g\&. to write text files with a different extension)\&. Existing files will have new information appended\&.
.RE
.PP
\fB\-plugins\fR
.RS 4
Select which plugins will be run on the specified targets\&. A comma separated list should be provided which lists the names of the plugins\&. The names can be found by using \-list\-plugins\&.
.sp
There are two special entries: ALL, which specifies that all plugins shall be run, and NONE, which specifies that no plugins shall be run\&. The default is ALL\&.
.RE
.PP
\fB\-port\fR
.RS 4
TCP port(s) to target\&. To test more than one port on the same host, specify the list of ports in the \-p (\-port) option\&. Ports can be specified as a range (i\&.e\&., 80\-90), or as a comma\-delimited list, (i\&.e\&., 80,88,90)\&. If not specified, port 80 is used\&.
.RE
.PP
\fB\-Pause\fR
.RS 4
Seconds (integer or floating point) to delay between each test\&.
.RE
.PP
\fB\-root\fR
.RS 4
Prepend the value specified to the beginning of every request\&. This is useful to test applications or web servers which have all of their files under a certain directory\&.
.RE
.PP
\fB\-ssl\fR
.RS 4
Only test SSL on the ports specified\&. Using this option will dramatically speed up requests to HTTPS ports, since otherwise the HTTP request will have to time out first\&.
.RE
.PP
\fB\-Single\fR
.RS 4
Perform a single request to a target server\&. Nikto will prompt for all options which can be specified, and then report the detailed output\&. See Chapter 5 for detailed information\&.
.RE
.PP
\fB\-timeout\fR
.RS 4
Seconds to wait before timing out a request\&. Default timeout is 10 seconds\&.
.RE
.PP
\fB\-Tuning\fR
.RS 4
Tuning options control the tests that Nikto will use against a target\&. By default, if any options are specified, only those tests will be performed\&. If the "x" option is used, it will reverse the logic and exclude only those tests\&. Use the reference number or letter to specify the type; multiple may be used:
.sp
0 \- File Upload
.sp
1 \- Interesting File / Seen in logs
.sp
2 \- Misconfiguration / Default File
.sp
3 \- Information Disclosure
.sp
4 \- Injection (XSS/Script/HTML)
.sp
5 \- Remote File Retrieval \- Inside Web Root
.sp
6 \- Denial of Service
.sp
7 \- Remote File Retrieval \- Server Wide
.sp
8 \- Command Execution / Remote Shell
.sp
9 \- SQL Injection
.sp
a \- Authentication Bypass
.sp
b \- Software Identification
.sp
c \- Remote Source Inclusion
.sp
x \- Reverse Tuning Options (i\&.e\&., include all except specified)
.sp
The given string will be parsed from left to right; any x character will apply to all characters to the right of it\&.
.RE
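.PP
The left\-to\-right handling of x in \-Tuning can be checked before a scan is launched, for example to confirm that class 6 (Denial of Service) will not run against a production host\&. The following Python code is an added example, not part of Nikto; the function names selected_classes and preflight are hypothetical, and it assumes that an empty string, or a string with nothing to the left of x, starts from all classes\&.
.sp
.nf
```python
# Added example: models the -Tuning rules described in this man page.
# It does not call Nikto; the function names are hypothetical.
TUNING_CLASSES = {
    "0": "File Upload",
    "1": "Interesting File / Seen in logs",
    "2": "Misconfiguration / Default File",
    "3": "Information Disclosure",
    "4": "Injection (XSS/Script/HTML)",
    "5": "Remote File Retrieval - Inside Web Root",
    "6": "Denial of Service",
    "7": "Remote File Retrieval - Server Wide",
    "8": "Command Execution / Remote Shell",
    "9": "SQL Injection",
    "a": "Authentication Bypass",
    "b": "Software Identification",
    "c": "Remote Source Inclusion",
}


def selected_classes(tuning):
    """Return the set of test-class codes a -Tuning string selects."""
    include, exclude, reverse = set(), set(), False
    for ch in tuning:                      # parsed left to right
        if ch == "x":
            reverse = True                 # applies to everything to its right
        elif ch not in TUNING_CLASSES:
            raise ValueError("unknown -Tuning code: %r" % ch)
        elif reverse:
            exclude.add(ch)
        else:
            include.add(ch)
    # Assumption: with nothing to the left of "x" (or an empty string,
    # i.e. -Tuning not given) every class starts out selected.
    base = include if include else set(TUNING_CLASSES)
    return base - exclude


def preflight(tuning, forbidden=("6",)):
    """Return (ok, names): ok is False if a forbidden class would run."""
    chosen = selected_classes(tuning)
    hits = sorted(chosen & set(forbidden))
    return (not hits, [TUNING_CLASSES[c] for c in hits])


if __name__ == "__main__":
    for t in ("", "123b", "x6", "46", "12x6"):   # constructed sample strings
        print(repr(t), sorted(selected_classes(t)), preflight(t))
```
.fi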
.PP
\fB\-useproxy\fR
.RS 4
Use the HTTP proxy defined in the configuration file, or given as argument in the format http://server:port\&.
.RE
.PP
\fB\-update\fR
.RS 4
Update the plugins and databases directly from cirt\&.net\&.
.RE
.PP
\fB\-Version\fR
.RS 4
Display the Nikto software, plugin and database versions\&.
.RE
.PP
\fB\-vhost\fR
.RS 4
Specify the Host header to be sent to the target\&.
.RE
.SH "FILES"
.PP
\fInikto\&.conf\fR
.RS 4
The Nikto configuration file\&. This sets Nikto\'s global options\&. Several nikto\&.conf files may exist and are parsed in the order below\&. As each configuration file is loaded, it supersedes any previously set configuration:
.sp
.RS 4
\h'-04'\(bu\h'+03'System wide (e\&.g\&. /etc/nikto\&.conf)
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Home directory (e\&.g\&. $HOME/nikto\&.conf)
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Current directory (e\&.g\&. \&./nikto\&.conf)
.RE
.RE
.PP
\fI${NIKTO_DIR}/plugins/db*\fR
.RS 4
db files are the databases that nikto uses to check for vulnerabilities and issues within the web server\&.
.RE
.PP
\fI${NIKTO_DIR}/plugins/*\&.plugin\fR
.RS 4
All of nikto\'s plugins exist here\&. Nikto itself is just a wrapper script to manage the CLI and pass through to the plugins\&.
.RE
.PP
\fI${NIKTO_DIR}/templates\fR
.RS 4
Contains the templates for nikto\'s output formats\&.
.RE
.SH "BUGS"
.PP
The following features are currently not supported:
.sp
.RS 4
\h'-04'\(bu\h'+03'SOCKS Proxies
.RE
.SH "AUTHORS"
.PP
Nikto is written and maintained by Chris Sullo and David Lodge\&. See the main documentation for other contributors\&.
.PP
All code is Copyright CIRT, Inc., except LibWhisker which is Copyright (c) 2009, Jeff Forristal (wiretrip.net)\&. Other portions of code may be (C) as specified\&.
.SH "SEE ALSO"
.PP
\fINikto Homepage\fR\&[1]
.SH "NOTES"
.IP " 1." 4
Nikto Homepage
.RS 4
\%http://cirt.net/
.RE