4.2. Using Nikto

Using Nikto is fairly straightforward. The main required arguments are the target host and port against which the scan will be conducted. If no port is specified, port 80 (the default) is used. All command-line options except for -debug, -update, -dbcheck, and -verbose can also be given in short form, using just the first letter of the option name. Execute the program with no arguments to display a description of all available options, along with any module-loading warning messages. These warnings appear when support modules such as SSL are not installed correctly.

Here are the options you have available to you:


Cgidirs

This allows you to manually set a single CGI directory from which to start all tests. It overrides any of the CGI directory entries made in config.txt. Additionally, it accepts the values all or none: all forces the core plug-in to run checks against every CGI directory specified in config.txt, and none runs all CGI checks against the webroot (/).


cookies

This prints out cookies if the web server attempts to set them.


evasion+

LibWhisker lets you apply up to nine different URI obfuscation techniques to each request, with the goal of bypassing intrusion detection systems (IDSes) that do strict signature matching and no URI normalization/conversion. After seeing the evasion options by running Nikto with no arguments, specify as many of these numeric options as you want and they will be applied. For example:

$ perl ./nikto.pl -h www.example.com -e 3489


findonly

This does a port scan only; no other checks will be run. If you are port-scanning only, I suggest you use Nmap or some other tool that is dedicated to that task.


Format

This controls the output format when the -output flag is used. Valid values are htm, csv, and txt. If this option is not used, txt will be used as the default output format.


generic

This forces all checks in the scan database to be executed, regardless of web server banner.


host+

Use this to specify the target host or a file that contains target entries in the format domain.com:80:443. Each line should contain one entry; any other command-line options such as -ssl will be applied to all the hosts in the file.


id+

Use this to specify HTTP Basic authentication credentials in the form username:password:realm. The realm is optional.


mutate+

The mutate options are special, in that each integer placed in these options activates a different "conditional" plug-in. For example, by entering 13 you enable the Mutate and Enum_apache plug-ins.


nolookup

This avoids hostname DNS lookups.


output+

This specifies an output filename. The default format is plain text.


port+

This is the port the checks will be run against. The default is 80.


root+

This prepends a directory to all requests. This is useful for web servers that are configured to redirect all requests to a static virtual directory.


ssl

This forces use of HTTPS. On occasion this option is unreliable. A workaround is to use Nikto in combination with an HTTPS proxy agent such as sslproxy, stunnel, or openssl.


timeout

This is the connection timeout (the default is 10 seconds). If you are on a fast link and are scanning a multitude of hosts, lowering this helps to reduce scan time.


useproxy

This tells Nikto to use the proxy information defined in config.txt, for all requests. At the time of this writing, only HTTP proxies are supported.


Version

This will print the version of all found plug-ins and databases.


vhost+

This sets the virtual host that will be used for the HTTP Host header. This is crucial when scanning a domain that is virtually hosted, since the server selects the site to serve based on that header. For the most coverage, run one scan against the web server's IP address and another against the domain name.


debug

This enables debug mode, which outputs a large amount of detail regarding every request and response.


dbcheck

This does a basic syntax check against the scan_database.db and user_scan_database.db databases that the main scanning engine uses.


update

This retrieves and updates databases and plug-ins, getting the latest version from cirt.net. By default Nikto will never automatically download and install updates. It will prompt the user for acknowledgment.


verbose

This enables verbose mode.
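The -host option above accepts a file of targets in the format domain.com:80:443, but -output writes a single report. As an added example (not code from the book or from Nikto), the following Python helper expands such a host file into one nikto.pl invocation per host and port, using the -port, -ssl, -Format, and -output options described above, so that every target gets its own report file. It assumes the third field of an entry is the SSL port, that a missing port defaults to 80, and that blank lines and lines starting with # are skipped; the sample host file is constructed, not a real target list.

```python
import shlex

DEFAULT_PORT = 80  # Nikto's default when no port is given

def parse_host_line(line):
    """Parse one -host file entry of the form host[:port[:sslport]].

    The book gives the shape domain.com:80:443; treating the third field
    as the SSL port is an assumption of this example. Returns
    (host, port, sslport) with sslport None when absent, or None for
    blank lines and '#' comments (also an assumption).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) > 3 or not fields[0]:
        raise ValueError(f"malformed host entry: {line!r}")
    host = fields[0]
    port = int(fields[1]) if len(fields) > 1 and fields[1] else DEFAULT_PORT
    sslport = int(fields[2]) if len(fields) == 3 and fields[2] else None
    for p in (port, sslport):
        if p is not None and not 1 <= p <= 65535:
            raise ValueError(f"port out of range in entry: {line!r}")
    return host, port, sslport

def build_commands(hostfile_text, output_dir="reports", fmt="csv"):
    """Return one nikto.pl argument list per target port.

    -Format and -output are applied to every host; an SSL port gets -ssl.
    """
    cmds = []
    for line in hostfile_text.splitlines():
        parsed = parse_host_line(line)
        if parsed is None:
            continue
        host, port, sslport = parsed
        targets = [(port, False)] + ([(sslport, True)] if sslport else [])
        for p, use_ssl in targets:
            cmd = ["perl", "./nikto.pl", "-host", host, "-port", str(p),
                   "-Format", fmt, "-output", f"{output_dir}/{host}_{p}.{fmt}"]
            if use_ssl:
                cmd.append("-ssl")
            cmds.append(cmd)
    return cmds

# Constructed sample host file (not a real target list).
SAMPLE_HOSTFILE = """\
# one entry per line: host[:port[:sslport]]
www.example.com:80:443
intranet.example.net
"""

if __name__ == "__main__":
    for cmd in build_commands(SAMPLE_HOSTFILE):
        print(shlex.join(cmd))
```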
