Nikto2 is an easy to install and use website vulnerability scanner. Here’s how to make sure your servers are secure with this free open source scanner.
If you administer web servers, you know how critical it is to keep those servers secure. Without regular checks, you could have a vulnerable server waiting to be exploited. So how do you know if your servers are vulnerable? The answers to this question are many and varied. However, if you are looking for a really simple solution that won’t cost you a dime, you can turn to Nikto2.
Nikto2 is an open source security scanner with a feature list that includes:
- SSL support
- Full HTTP proxy support
- Checks for obsolete server components
- Save reports as plain text, XML, HTML, NBE or CSV
- Template engine to easily customize reports
- Scan multiple ports on a server
- Analyze multiple servers (via input file)
- Easily updated via the command line
- Identifies installed software via headers, favicons and files
- Host authentication with Basic and NTLM
- Subdomain riddle
- Enumeration of Apache and cgiwrap usernames
- Mutation Techniques to “Fish” Content on Web Servers
- Optimizing the scan to include or exclude entire classes from vulnerability checks
- Guess the credentials for authorization domains
- Permission riddle manages any directory (not just the root directory)
- Improved false positive reduction
- Reports “unusual” headers
Let’s install Nikto2 and see how it is used to analyze a web server.
SEE: Power Checklist: Managing Backups (Tech Pro Research)
I will demonstrate the installation on the Ubuntu Server 16.04 platform. As Nikto2 is Perl based, it can be run on any platform where Perl is installed. Here are the installation steps.
The first thing to do is update / upgrade your system with the following two commands:
sudo apt update âsudo apt upgrade
Once you have completed the above commands, you are ready to install. Note that if the upgrade includes the kernel, you’ll want to reboot, so plan it accordingly.
Install the necessary dependencies with the command:
sudo apt-get install wget unzip libnet-ssleay-perl libwhisker2-perl openssl
Go to the / opt directory with the cd / opt command and download the installation script with the command:
sudo wget https://cirt.net/nikto/nikto-2.1.5.tar.gz
Extract the downloaded file with the command:
sudo tar xvfz nikto-2.1.5.tar.gz
Rename the newly created directory with the command:
sudo mv nikto-2.1.5/ nikto
Switch to the newly renamed directory with the command cd nikto and give the installation script the necessary permissions with the command sudo chmod + x nikto.pl.
Finally, run the command perl nikto.pl -update to update databases and plugins.
You are ready to test.
Digitization of your website
Running a scan with Nikta2 is quite easy. You must be in the / opt / nikto directory and run the command:
perl nikto.pl -h SERVER_ADDRESS
Where SERVER_ADDRESS is either the domain or the IP address of your server. The scanner will start the process and report what it finds (Figure A).
Depending on the complexity of the site being scanned, this process may take a few seconds or minutes. If you don’t want to sit and watch the output, you can always use the -o option to direct the output to a file, for example:
perl nikto.pl -h SERVER_ADDRESS -o scan.htm
Where SERVER_ADDRESS is the IP address or domain of your server. You can name the output file whatever you want.
The scan will not give you any suggestions on how you can fix the issues, so you will need to take a little extra time, after combing through the exit, to find out how to fix the issues. Also note that some of the security checks are informational only (and not rooted in security). It is important that you go through the report carefully after the scan is complete.
To list the different options that can be used with Nikto2, run the command:
perl nikto.pl -h
A handy tool for your security toolbox
If you are looking for an easy to use website vulnerability scanner, Nikto2 is definitely a handy tool to have in your toolbox. While it won’t solve your problems, it will definitely make you aware of it. Try Nikto2 and see if it doesn’t become one of your go-to web vulnerability scanners.