Nikto2: Web Server Vulnerability

Scanner
Team 1
Introduction
Nikto 2 is an Open Source (GPL) web server scanner that scans web servers for
dangerous files/CGIs, outdated server software and other problems. It performs
generic and server type specific checks. It also captures and prints any cookies
received.

Nikto 2 is by no means a stealthy tool. It will make over 2000 HTTP GET
requests to the web server, creating a large number of entries in the web servers
log files. This noise is actually an excellent way to test an in place Intrusion
Detection System (IDS) that is in place. Any web server log monitoring, host
based intrusion detection (HIDS) or network based intrusion detection (NIDS)
should detect a Nikto scan.
Platform
1. Nikto 2 is not platform independent.
2. It is written in Perl.
3. It can be run only on unix-like operating systems.
4. For windows 10, we can use Windows Subsystem for Linux
(WSL) or other unix based distributions.
5. Docker can be used to install it.
Open Source or Proprietary
1. It is indeed open-source and following is the link:
https://github.com/sullo/nikto
2. License: GNU General Public License v2.
Features
1. Nikto can detect over 6700 potentially dangerous files/CGIs, checks for outdated versions
of over 1250 servers, and version specific problems on over 270 servers.
2. It also checks for server configuration items such as the presence of multiple index files
and HTTP server options, and will attempt to identify installed web servers and software.
3. Scan items and plugins are frequently updated and can be automatically updated.
4. Save reports in plain text, XML, HTML, NBE or CSV
5. Template engine for easy customize reports
6. Scan multiple ports on a server
7. Enhanced false positive reduction
8. Reports "unusual" headers
9. Provides SSL Support
Usage
There are many ways to use Nikto:

● Using Kali Linux

● Docker container
● Using binary on UNIX-based distro or Windows
Variations
There are some variations of Nikto, one of which is MacNikto.

MacNikto is an AppleScript GUI shell script wrapper built in Apple's Xcode and
Interface Builder, released under the terms of the GPL.

It provides easy access to a subset of the features available in the command-line

version, installed along with the MacNikto application.
Advantages
There is a number of online vulnerability scanner to test your web applications on
the Internet. However, to test Intranet applications or in-house applications, then
you can use the Nikto web scanner.

Limitations
Nikto 2 doesn’t offer any countermeasures for vulnerabilities found nor provide any
risk assessment features.
References
1. https://cirt.net/Nikto2
2. https://en.wikipedia.org/wiki/Nikto_(vulnerability_scanner)
3. https://geekflare.com/nikto-webserver-scanner/
4. https://hackertarget.com/nikto-website-scanner/