Conducting a security audit with Nikto

Published on 2013-01-05 by John Collins.

Introduction to Nikto

According to the Nikto website:

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.

In this tutorial, I will show you how to install Nikto and use it to carry out a security audit of an HTTP server running your web application.

Installation

As Nikto is written in Perl, you will need to have Perl installed. On most Linux systems you will probably have Perl already installed as a dependency for something else. To check if it is installed, try:

$ perl -v

This is perl 5, version 14, subversion 3 (v5.14.3) built for x86_64-linux-thread-multi

Copyright 1987-2012, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

As you can see, this tells us we already have Perl 5.14.3 installed. If it is not already installed on your system, try (as root):

$ yum install perl

Now you will need to download the Nikto package itself (check the version number here in case there is a newer version available):

$ wget http://cirt.net/nikto/nikto-2.1.5.tar.gz

...and extract:

$ tar -zxvf nikto-2.1.5.tar.gz

Usage

Before you begin to use Nikto, it is a good idea to run the following command to update Nikto to the latest version:

$ perl nikto.pl -update
+ No updates required.
+ CIRT.net message: Please submit Nikto bugs to http://trac2.assembla.com/Nikto_2/report/2

To run a test scan on your local HTTP server with Nikto, use the following command:

$ perl nikto.pl -h localhost -output report.html

Nikto will now run all of its tests and send the output to the report.html file. Open that file in a web browser once the scan has finished. Here is an example of the summary from an HTML report generated by Nikto:

At this point, you will need to spend some time studying the report from Nikto to determine if there are any items which you need to act upon (in my initial tests with the tool there were plenty of false positives, but each report item still needs to be reviewed). The report will contain a test link for each item, enabling you to quickly assess the priority of each item flagged.
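The review step above is where most of the time goes, because Nikto repeats the same check against many paths and mixes informational banner and header notes in with checks tied to a known issue. The following Python script is an added example, not code from the original post or from the Nikto project: it reads Nikto's CSV output (written with Nikto's `-Format csv` option rather than the HTML report used above), collapses duplicate checks into one triage item each, puts items that carry an OSVDB id ahead of purely informational ones, and rebuilds the per-item test link from the host, port and URI fields. The CSV lines embedded below are constructed sample data, and the column layout (host, ip, port, OSVDB id, method, URI, message) and the OSVDB ids in the sample are assumptions to check against your own Nikto version's output.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of Nikto CSV output, not a real scan. The column order
# assumed here is: host, ip, port, OSVDB id, method, URI, message. The OSVDB
# ids 1001 and 1002 are placeholders, not real database entries.
SAMPLE_CSV = '''"localhost","127.0.0.1","80","0","GET","/","Server: Apache/2.2.15"
"localhost","127.0.0.1","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"localhost","127.0.0.1","80","0","GET","/","The X-Content-Type-Options header is not set."
"localhost","127.0.0.1","80","1001","GET","/admin/","This might be interesting..."
"localhost","127.0.0.1","80","1001","GET","/backup/","This might be interesting..."
"localhost","127.0.0.1","80","1002","GET","/phpinfo.php","PHP is installed, and a test script which runs phpinfo() was found."
'''


@dataclass(frozen=True)
class Finding:
    host: str
    ip: str
    port: int
    osvdb: int
    method: str
    uri: str
    message: str

    def url(self, scheme="http"):
        # Rebuild the "test link" the HTML report offers for each item.
        return f"{scheme}://{self.host}:{self.port}{self.uri}"


def _to_int(value):
    # Nikto leaves the OSVDB column as 0 (or empty) for informational items.
    try:
        return int(value)
    except ValueError:
        return 0


def parse_nikto_csv(text):
    """Parse Nikto CSV report text into Finding records, skipping malformed rows."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7:
            continue  # blank or truncated line: skip rather than abort the review
        host, ip, port, osvdb, method, uri, message = row
        findings.append(Finding(host, ip, _to_int(port), _to_int(osvdb), method, uri, message))
    return findings


def group_findings(findings):
    """Collapse repeated checks into one triage item per (OSVDB id, message)."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.osvdb, f.message)].append(f)
    items = [
        {"osvdb": osvdb, "message": message, "urls": [h.url() for h in hits]}
        for (osvdb, message), hits in groups.items()
    ]
    # Items tied to an OSVDB entry are checks for a specific known issue and are
    # reviewed first; banner and header-hygiene notes (OSVDB 0) come last.
    items.sort(key=lambda i: (i["osvdb"] == 0, i["message"]))
    return items


def summarize(findings):
    """Counts a reviewer wants before opening the report: raw hits vs distinct items."""
    items = group_findings(findings)
    return {
        "total": len(findings),
        "triage_items": len(items),
        "with_osvdb": sum(1 for i in items if i["osvdb"]),
    }


def render(items):
    """Plain-text triage list with one verification URL per affected path."""
    lines = []
    for i in items:
        tag = f"OSVDB-{i['osvdb']}" if i["osvdb"] else "INFO"
        lines.append(f"[{tag}] {i['message']}")
        for u in i["urls"]:
            lines.append(f"    verify: {u}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(group_findings(parse_nikto_csv(SAMPLE_CSV))))
```

Run it against a real report by replacing `SAMPLE_CSV` with the contents of the file Nikto wrote; the distinct-item count from `summarize` is usually far smaller than the raw line count, which is what makes the false-positive review tractable. Each `verify:` URL is the same link the HTML report gives you, so you can confirm or dismiss an item in the browser exactly as the post describes.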

For more detailed information about Nikto, check the manual.


Updated 2023: note that the above post was originally published in 2013, but is left here for archival purposes. I have fixed some broken links above.