.\" Title: nikto
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.73.2
.\" Date: 02/03/2010
.\" Manual: Vulnerability Scanner
.\" Source: http://cirt.net/ 2.1.1
.\"
.TH "NIKTO" "1" "02/03/2010" "http://cirt\&.net/ 2\&.1" "Vulnerability Scanner"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
nikto \- Scan web server for known vulnerabilities
.SH "SYNOPSIS"
.HP 21
\fBnikto\fR [options...]
.SH "DESCRIPTION"
.PP
Examine a web server to find potential problems and security vulnerabilities, including:
.sp
.RS 4
\h'-04'\(bu\h'+03'Server and software misconfigurations
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Default files and programs
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Insecure files and programs
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Outdated servers and programs
.RE
.PP
Nikto is built on LibWhisker (by RFP) and can run on any platform which has a Perl environment\&. It supports SSL, proxies, host authentication, attack encoding and more\&. It can be updated automatically from the command\-line, and supports the optional submission of updated version data back to the maintainers\&.
.SH "OPTIONS"
.PP
Below are all of the Nikto command line options and explanations\&. A brief version of this text is available by running Nikto with the \-H (\-Help) option\&.
.PP
\fB\-Cgidirs\fR
.RS 4
Scan these CGI directories\&. The special words "all" or "none" may be used to scan all CGI directories or none, respectively\&. A literal value for a CGI directory such as "/cgi\-test/" may be specified (must include the trailing slash)\&. If this option is not specified, all CGI directories listed in nikto\&.conf will be tested\&.
.RE
.PP
\fB\-config\fR
.RS 4
Specify an alternative config file to use instead of the nikto\&.conf located in the install directory\&.
.RE
.PP
\fB\-dbcheck\fR
.RS 4
Check the scan databases for syntax errors\&.
.RE
.PP
\fB\-Display\fR
.RS 4
Control the output that Nikto shows\&.
See Chapter 5 for detailed information on these options\&. Use the reference number or letter to specify the type; more than one may be given:
.sp
1 \- Show redirects
.sp
2 \- Show cookies received
.sp
3 \- Show all 200/OK responses
.sp
4 \- Show URLs which require authentication
.sp
D \- Debug Output
.sp
V \- Verbose Output
.RE
.PP
\fB\-evasion\fR
.RS 4
Specify the LibWhisker encoding technique to use (see the LibWhisker docs for detailed information on these)\&. Use the reference number to specify the type; more than one may be given:
.sp
1 \- Random URI encoding (non\-UTF8)
.sp
2 \- Directory self\-reference (/\&./)
.sp
3 \- Premature URL ending
.sp
4 \- Prepend long random string
.sp
5 \- Fake parameter
.sp
6 \- TAB as request spacer
.sp
7 \- Change the case of the URL
.sp
8 \- Use Windows directory separator (\e)
.sp
A \- Use a carriage return (0x0d) as a request spacer
.sp
B \- Use binary value 0x0b as a request spacer
.RE
.PP
\fB\-findonly\fR
.RS 4
Only discover the HTTP(S) ports, do not perform a security scan\&. This will attempt to connect with HTTP or HTTPS, and report the Server header\&.
.RE
.PP
\fB\-Format\fR
.RS 4
Save the output file specified with the \-o (\-output) option in this format\&. If not specified, the default will be taken from the file extension specified in the \-output option\&. Valid formats are:
.sp
csv \- a comma\-separated list
.sp
htm \- an HTML report
.sp
txt \- a text report
.sp
xml \- an XML report
.RE
.PP
\fB\-host\fR
.RS 4
Host(s) to target\&. Can be an IP address, hostname or text file of hosts\&. A single dash (\-) may be used for stdout\&. Can also parse nmap \-oG style output\&.
.RE
.PP
\fB\-Help\fR
.RS 4
Display extended help information\&.
.RE
.PP
\fB\-id\fR
.RS 4
ID and password to use for Basic host authentication\&. Format is "id:password"\&.
.RE
.PP
\fB\-list\-plugins\fR
.RS 4
Will list all plugins that Nikto can run against targets and then will exit without performing a scan\&.
These can be tuned for a session using the \-plugins option\&.
.sp
The output format is:
.sp
Plugin \fIname\fR
.sp
\ \&\fIfull name\fR \- \fIdescription\fR
.sp
\ \&Written by \fIauthor\fR, Copyright (C) \fIcopyright\fR
.RE
.PP
\fB\-mutate\fR
.RS 4
Specify the mutation technique\&. A mutation will cause Nikto to combine tests or attempt to guess values\&. These techniques may cause a tremendous number of tests to be launched against the target\&. Use the reference number to specify the type; more than one may be given:
.sp
1 \- Test all files with all root directories
.sp
2 \- Guess password file names
.sp
3 \- Enumerate user names via Apache (/~user type requests)
.sp
4 \- Enumerate user names via cgiwrap (/cgi\-bin/cgiwrap/~user type requests)
.sp
5 \- Attempt to brute force sub\-domain names, assuming that the host name is the parent domain
.sp
6 \- Attempt to guess directory names from the supplied dictionary file
.RE
.PP
\fB\-mutate\-options\fR
.RS 4
Provide extra information for mutations, e\&.g\&. a dictionary file\&.
.RE
.PP
\fB\-nointeractive\fR
.RS 4
Disable interactive features\&.
.RE
.PP
\fB\-nolookup\fR
.RS 4
Do not perform name lookups on IP addresses\&.
.RE
.PP
\fB\-nossl\fR
.RS 4
Do not use SSL to connect to the server\&.
.RE
.PP
\fB\-no404\fR
.RS 4
Disable 404 (file not found) checking\&. This will reduce the total number of requests made to the webserver and may be preferable when checking a server over a slow link, or an embedded device\&. This will generally lead to more false positives being reported\&.
.RE
.PP
\fB\-output\fR
.RS 4
Write output to the file specified\&. The format used will be taken from the file extension\&. This can be overridden by using the \-Format option (e\&.g\&. to write text files with a different extension)\&. Existing files will have new information appended\&.
.RE
.PP
\fB\-plugins\fR
.RS 4
Select which plugins will be run on the specified targets\&.
A comma\-separated list should be provided which lists the names of the plugins\&. The names can be found by using \-list\-plugins\&.
.sp
There are two special entries: ALL, which specifies that all plugins shall be run, and NONE, which specifies that no plugins shall be run\&. The default is ALL\&.
.RE
.PP
\fB\-port\fR
.RS 4
TCP port(s) to target\&. To test more than one port on the same host, specify the list of ports in the \-p (\-port) option\&. Ports can be specified as a range (e\&.g\&., 80\-90), or as a comma\-delimited list (e\&.g\&., 80,88,90)\&. If not specified, port 80 is used\&.
.RE
.PP
\fB\-Pause\fR
.RS 4
Seconds (integer or floating point) to delay between each test\&.
.RE
.PP
\fB\-root\fR
.RS 4
Prepend the value specified to the beginning of every request\&. This is useful to test applications or web servers which have all of their files under a certain directory\&.
.RE
.PP
\fB\-ssl\fR
.RS 4
Only test SSL on the ports specified\&. Using this option will dramatically speed up requests to HTTPS ports, since otherwise the HTTP request will have to time out first\&.
.RE
.PP
\fB\-Single\fR
.RS 4
Perform a single request to a target server\&. Nikto will prompt for all options which can be specified, and then report the detailed output\&. See Chapter 5 for detailed information\&.
.RE
.PP
\fB\-timeout\fR
.RS 4
Seconds to wait before timing out a request\&. The default timeout is 10 seconds\&.
.RE
.PP
\fB\-Tuning\fR
.RS 4
Tuning options control the tests that Nikto will use against a target\&. By default, if any options are specified, only those tests will be performed\&. If the "x" option is used, it reverses the logic and excludes only those tests\&.
Use the reference number or letter to specify the type; more than one may be given:
.sp
0 \- File Upload
.sp
1 \- Interesting File / Seen in logs
.sp
2 \- Misconfiguration / Default File
.sp
3 \- Information Disclosure
.sp
4 \- Injection (XSS/Script/HTML)
.sp
5 \- Remote File Retrieval \- Inside Web Root
.sp
6 \- Denial of Service
.sp
7 \- Remote File Retrieval \- Server Wide
.sp
8 \- Command Execution / Remote Shell
.sp
9 \- SQL Injection
.sp
a \- Authentication Bypass
.sp
b \- Software Identification
.sp
c \- Remote Source Inclusion
.sp
x \- Reverse Tuning Options (i\&.e\&., include all except those specified)
.sp
The given string is parsed from left to right; any x character applies to all characters to the right of it\&.
.RE
.PP
\fB\-useproxy\fR
.RS 4
Use the HTTP proxy defined in the configuration file, or given as an argument in the format http://server:port\&.
.RE
.PP
\fB\-update\fR
.RS 4
Update the plugins and databases directly from cirt\&.net\&.
.RE
.PP
\fB\-Version\fR
.RS 4
Display the Nikto software, plugin and database versions\&.
.RE
.PP
\fB\-vhost\fR
.RS 4
Specify the Host header to be sent to the target\&.
.RE
.SH "FILES"
.PP
\fInikto\&.conf\fR
.RS 4
The Nikto configuration file\&. This sets Nikto\'s global options\&. Several nikto\&.conf files may exist and are parsed in the order below\&. As each configuration file is loaded it supersedes any previously set configuration:
.sp
.RS 4
\h'-04'\(bu\h'+03'System wide (e\&.g\&. /etc/nikto\&.conf)
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Home directory (e\&.g\&. $HOME/nikto\&.conf)
.RE
.sp
.RS 4
\h'-04'\(bu\h'+03'Current directory (e\&.g\&. \&./nikto\&.conf)
.RE
.RE
.PP
\fI${NIKTO_DIR}/plugins/db*\fR
.RS 4
The db files are the databases that nikto uses to check for vulnerabilities and issues within the web server\&.
.RE
.PP
\fI${NIKTO_DIR}/plugins/*\&.plugin\fR
.RS 4
All of nikto\'s plugins exist here\&. Nikto itself is just a wrapper script to manage the CLI and pass through to the plugins\&.
.RE
.PP
\fI${NIKTO_DIR}/templates\fR
.RS 4
Contains the templates for nikto\'s output formats\&.
.RE
.SH "BUGS"
.PP
The following features are not supported:
.sp
.RS 4
\h'-04'\(bu\h'+03'SOCKS Proxies
.RE
.SH "AUTHORS"
.PP
Nikto is written and maintained by Chris Sullo and David Lodge\&. See the main documentation for other contributors\&.
.PP
All code is Copyright CIRT, Inc\&., except LibWhisker which is Copyright (c) 2009, Jeff Forristal (wiretrip\&.net)\&. Other portions of code may be (C) as specified\&.
.SH "SEE ALSO"
.PP
\fINikto Homepage\fR\&[1]
.SH "NOTES"
.IP " 1." 4
Nikto Homepage
.RS 4
\%http://cirt.net/
.RE
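.SH "EXAMPLES"
.PP
Resolving a \-Tuning string, as an added example that is not part of this manual page or of Nikto\'s own code: the functions below apply the rule stated under \-Tuning (the string is read left to right and every "x" applies to the codes to its right) to the category codes listed there\&. Rejecting unknown characters is an assumption of the example; the manual page does not say how Nikto treats them\&.

```python
# Tuning categories exactly as listed under -Tuning in this manual page.
TUNING_CATEGORIES = {
    "0": "File Upload",
    "1": "Interesting File / Seen in logs",
    "2": "Misconfiguration / Default File",
    "3": "Information Disclosure",
    "4": "Injection (XSS/Script/HTML)",
    "5": "Remote File Retrieval - Inside Web Root",
    "6": "Denial of Service",
    "7": "Remote File Retrieval - Server Wide",
    "8": "Command Execution / Remote Shell",
    "9": "SQL Injection",
    "a": "Authentication Bypass",
    "b": "Software Identification",
    "c": "Remote Source Inclusion",
}


def resolve_tuning(tuning: str = "") -> set:
    """Return the set of category codes selected by a -Tuning value.

    Rules taken from the -Tuning description: with no codes given, every
    category runs; codes before any "x" form an include list; "x" applies to
    every code to its right, which is excluded. With no include list the
    exclusion is applied to the full set ("x6" = all but Denial of Service).
    Rejecting unknown characters is an assumption of this example, not
    something the manual page specifies.
    """
    include, exclude, excluding = set(), set(), False
    for ch in tuning:
        if ch == "x":
            excluding = True  # everything to the right is now an exclusion
            continue
        if ch not in TUNING_CATEGORIES:
            raise ValueError(f"unknown tuning code {ch!r}")
        (exclude if excluding else include).add(ch)
    base = include if include else set(TUNING_CATEGORIES)
    return base - exclude


def describe_tuning(tuning: str = "") -> list:
    """Human-readable category names for a -Tuning value, in code order."""
    selected = resolve_tuning(tuning)
    return [name for code, name in TUNING_CATEGORIES.items() if code in selected]
```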
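.PP
Parsing \-list\-plugins output and building a \-plugins value from it, as an added example that is not part of this manual page or of Nikto\'s own code: the sample listing is constructed in the three\-line record layout documented under \-list\-plugins, and the plugin names and authors in it are made up\&.

```python
import re

# Constructed sample of `nikto -list-plugins` output, in the three-line record
# layout documented under -list-plugins. Plugin names and authors are made up.
SAMPLE_LISTING = """\
Plugin example_headers
 Example Headers - Reports interesting response headers
 Written by A. Example, Copyright (C) 2010 Example Org
Plugin example_robots
 Example Robots - Reads robots.txt and lists the disallowed entries
 Written by B. Example, Copyright (C) 2010 Example Org
"""

_HEADER = re.compile(r"^Plugin (\S+)$")
_AUTHOR = re.compile(r"^\s+Written by (.+?), Copyright \(C\) (.+)$")
_DESCR = re.compile(r"^\s+(.+?) - (.+)$")


def parse_plugin_listing(text: str) -> list:
    """Turn -list-plugins output into one dict per plugin.

    Lines that match none of the documented shapes are skipped, so a listing
    with extra banner text still parses instead of raising.
    """
    plugins, current = [], None
    for line in text.splitlines():
        if m := _HEADER.match(line):
            current = {"name": m.group(1)}
            plugins.append(current)
        elif current is not None and (m := _AUTHOR.match(line)):
            current["author"], current["copyright"] = m.groups()
        elif current is not None and (m := _DESCR.match(line)):
            current["full_name"], current["description"] = m.groups()
    return plugins


def plugins_argument(plugins: list, wanted: set) -> str:
    """Build the comma-separated value for -plugins from a parsed listing.

    Names are validated against the listing first; a typo in a plugin name
    would otherwise leave that check silently out of the scan.
    """
    missing = wanted - {p["name"] for p in plugins}
    if missing:
        raise ValueError(f"not in -list-plugins output: {sorted(missing)}")
    return ",".join(sorted(wanted))
```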