
Nikto

Official Documentation: https://cirt.net/nikto/

Cheat Sheet: Nikto Commands

Purpose

Nikto is a web server scanner that checks for thousands of known issues (outdated software, insecure files, misconfigurations, default scripts). It’s simple and fast for initial web testing.

Scenarios

  • CTF: Quickly find obvious bad things (default admin pages, exposed backups) on a web server to capture flags.
  • Real world: Initial external web scan to find low-hanging misconfigurations before deeper manual testing.

All needed info to run

  • Target website URL or IP (http:// or https://).
  • Common flags:
      • -h <host> → target host (hostname, IP or URL)
      • -p <port> → specify port
      • -o <file> → output file
      • -Format <format> → txt, csv, xml
      • -Tuning <n> → tune tests (1-9 categories)
      • -evasion <option> → evade filters (slow/obfuscate)
  • Nikto is noisy — get permission on real systems. It may generate many requests and false positives.

Example commands & outputs

# Basic scan of a web server
$ nikto -h http://192.168.56.101
# Output snippet:
# + Target IP:          192.168.56.101
# + Server: Apache/2.4.29 (Ubuntu)
# + The anti-clickjacking X-Frame-Options header is not present.
# + /admin/: This might be interesting (HTTP 301)
# + OSVDB-3092: /backup.zip found (potential sensitive file)

# Save XML report
$ nikto -h https://example.com -o nikto-report.xml -Format xml
# Report saved to nikto-report.xml

Nikto Basics

  • Nikto finds many low-to-medium issues; verify findings manually to avoid false positives.
  • Use -Tuning to narrow checks and -evasion carefully if dealing with WAFs.
  • Combine with WhatWeb and Gobuster for better context.
  • Don’t run Nikto against targets you do not own or have permission to test.
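Turning the XML report into a manual-verification worklist, as an added example that is not part of Nikto or this cheat sheet: it parses a constructed report modelled on Nikto's XML layout (the niktoscan/scandetails/item element names and the description/uri children are an assumption to confirm against a real -Format xml report), drops duplicated findings, and orders the rest with my own keyword heuristics so the likely-real items get checked by hand first.

```python
"""Triage a Nikto XML report into a manual-verification checklist (added example,
not Nikto's own code). Element names follow Nikto's XML layout as assumed here:
niktoscan > scandetails > item with <description> and <uri>; confirm on a real report."""
import xml.etree.ElementTree as ET

# Constructed sample report (not real scan output), with one duplicated finding.
SAMPLE_XML = """<niktoscan>
<scandetails targetip="192.168.56.101" targethostname="192.168.56.101" targetport="80">
<item id="1" osvdbid="0" method="GET"><description>The anti-clickjacking X-Frame-Options header is not present.</description><uri>/</uri></item>
<item id="2" osvdbid="3092" method="GET"><description>/admin/: This might be interesting.</description><uri>/admin/</uri></item>
<item id="3" osvdbid="0" method="GET"><description>Server banner Apache/2.4.29 appears to be outdated.</description><uri>/</uri></item>
<item id="4" osvdbid="3092" method="GET"><description>/backup.zip: Potential sensitive file found.</description><uri>/backup.zip</uri></item>
<item id="4" osvdbid="3092" method="GET"><description>/backup.zip: Potential sensitive file found.</description><uri>/backup.zip</uri></item>
</scandetails>
</niktoscan>"""

# My own keyword heuristics for what to verify by hand first; Nikto assigns no severity.
HIGH = ("backup", "sensitive file", ".sql", "password", "config")
LOW = ("header is not present", "might be interesting")

def priority(description):
    d = description.lower()
    if any(k in d for k in HIGH):
        return "high"
    if any(k in d for k in LOW):
        return "low"
    return "medium"

def parse_report(xml_text):
    """Return deduplicated findings (one per host+uri+description), each with a priority."""
    root = ET.fromstring(xml_text)
    findings, seen = [], set()
    for scan in root.iter("scandetails"):
        host = f'{scan.get("targethostname")}:{scan.get("targetport")}'
        for item in scan.iter("item"):
            desc = (item.findtext("description") or "").strip()
            uri = (item.findtext("uri") or "").strip()
            key = (host, uri, desc)
            if key in seen:  # Nikto repeats some checks; report each finding once
                continue
            seen.add(key)
            findings.append({"host": host, "uri": uri, "osvdb": item.get("osvdbid"),
                             "description": desc, "priority": priority(desc)})
    return findings

def checklist(findings):
    """Checklist lines ordered high > medium > low (stable within a level)."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = sorted(findings, key=lambda f: order[f["priority"]])
    return [f'[ ] {f["priority"]:<6} {f["host"]}{f["uri"]}  {f["description"]}' for f in rows]
```

Point parse_report at the contents of a file written with -o report.xml -Format xml and tick off each line as you confirm or dismiss it by hand.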
