Kali Linux Course -- Day 6 of 180

Kali Linux Day 6: Nikto Tutorial (Kali Linux 2026): Find CRITICAL Web Server Vulnerabilities in Minutes


Authorised targets only — Nikto is noisy. Nikto sends thousands of HTTP requests and will appear clearly in any web server’s access logs. Only scan systems you own or have explicit written authorisation to test. Use your own DVWA lab or Metasploitable2 for practice.

Lab setup: Ethical Hacking Lab Setup at Home · Metasploitable Labs Hub

Day 3 taught you to find hidden directories with Gobuster. Day 6 Nikto Tutorial teaches you to examine what is actually wrong with the web server serving those directories. Gobuster maps the terrain — what paths exist. Nikto audits the security — what known problems exist on the server. Together they are how professionals assess a web application’s attack surface in the first 20 minutes of an authorised engagement. Nikto does in two minutes what would take an hour of manual header inspection, CGI testing, and version checking.

Day 6 of the Kali Linux Course covers Nikto completely — what it checks, every important flag, output formats for professional reports, tuning the scan for specific finding categories, evasion options, and a full walkthrough against Metasploitable2. You will leave knowing how to interpret every line of Nikto output and which findings matter in a real report.


What Is Nikto and What Does It Check?

Nikto is an open-source web server scanner that tests against a database of over 6,700 known security issues. Unlike Gobuster, which discovers hidden content by brute-forcing paths, Nikto checks specifically for known vulnerabilities, misconfigurations, and outdated software — matching the target server’s responses against a continuously updated database of security problems.

SERVER VERSION CHECKS
Identifies server software and version. Apache 2.4.49 → CVE-2021-41773 (path traversal). nginx 1.16 → known vulnerabilities. Old PHP → multiple CVEs. Version disclosure itself is a finding.

MISSING SECURITY HEADERS
Reports missing X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, Strict-Transport-Security, X-XSS-Protection. Each absent header is a reportable finding with a recommended value.

DANGEROUS HTTP METHODS
Tests for PUT (arbitrary file upload), DELETE, TRACE (XST attacks), CONNECT, PATCH. Enabled PUT on a web server = unauthenticated remote file write = critical severity finding.

EXPOSED SENSITIVE FILES
Checks for phpinfo.php, server-status, server-info, .htaccess, .htpasswd, robots.txt, backup files, and hundreds of other files that should not be web-accessible.

DEFAULT CREDENTIALS
Tests default logins on common web management interfaces — Tomcat Manager, phpMyAdmin, WebLogic, JBoss, and others. Finds admin panels left on default username:password.

6,700+ KNOWN ISSUES
Comprehensive database of historical web vulnerabilities, dangerous CGI scripts, known bad configurations, and server-specific issues. Database updated via nikto -update.

⚠️ Nikto generates significant traffic. It sends thousands of requests in a short period — this is clearly visible in server logs and will trigger IDS/WAF alerts on monitored systems. Always confirm your target and scope before running. On authorised engagements, note in your report that scanning was performed — it will appear in the client’s logs.

Install, Verify & Update Nikto

# Verify Nikto is installed (Kali Linux — pre-installed):
nikto -Version
- Nikto v2.1.6

# Install if missing:
sudo apt install nikto -y

# Update Nikto’s vulnerability database (do this before any scan):
nikto -update
# Downloads latest checks from CIRT.net
# Database location: /var/lib/nikto/databases/

# Show all available options:
nikto -Help

📚 Day 6 in the course sequence: You used Gobuster (Day 3) to discover what paths exist on a web server. Today’s Nikto scan tells you what security problems exist at those paths. In a professional workflow, Nmap → Gobuster → Nikto covers the first three phases of any web application assessment before manual testing begins. See: Information Gathering Tools in Kali Linux.

Basic Scan — Your First Nikto Results

Nikto’s core flag is -h (host). That is all you need for a basic scan against an HTTP target. Against your Metasploitable2 lab, this single command reveals a significant list of findings in under two minutes.

Kali Linux — Nikto Scan Against Metasploitable2 (Authorised Lab)
$ nikto -h http://192.168.56.101 -o nikto_results.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Server leaks inodes via ETags, header found with file /,
  inode: 67706, size: 45, mtime: Sat Feb 21 00:00:00 2009
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined.
+ The X-Content-Type-Options header is not set.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is
  vulnerable to XST
+ Apache/2.2.8 appears to be outdated (2.4.57 is current)
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc directory is browsable. This may be
  a problem.
+ OSVDB-3092: /phpMyAdmin/: phpMyAdmin is for managing MySQL
  databases, and should be protected or limited.
+ 6544 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: (scan took 98 seconds)

Nikto scan against Metasploitable2 — 12 findings in 98 seconds. Key findings: Apache 2.2.8 (outdated — check CVE database for this version), HTTP TRACE enabled (XST vulnerability, OSVDB-877), phpMyAdmin exposed (should be restricted or removed from production), missing security headers (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options), and directory indexing on /doc/. Each finding maps directly to a recommendation in the pentest report.

# ─── Basic scan commands ─────────────────────────────────────────
nikto -h http://192.168.56.101 # HTTP target
nikto -h https://target.com # HTTPS target
nikto -h 192.168.56.101 # IP (defaults to port 80)
nikto -h 192.168.56.101 -p 8180 # Specific port (Tomcat)
nikto -h 192.168.56.101 -p 80,443,8080,8443 # Multiple ports
nikto -h 192.168.56.101 -ssl # Force SSL/HTTPS mode

Output Formats — Saving Results for Reports

Always save Nikto output. The scan takes time to run and findings scroll past quickly in the terminal. Nikto supports five output formats — choose based on how you will use the results in your report or workflow.

# ─── -o [filename] -Format [type] ───────────────────────────────
nikto -h http://192.168.56.101 -o scan.txt # plain text
nikto -h http://192.168.56.101 -o scan.html -Format htm # HTML report
nikto -h http://192.168.56.101 -o scan.csv -Format csv # CSV (Excel)
nikto -h http://192.168.56.101 -o scan.xml -Format xml # XML (import to tools)
nikto -h http://192.168.56.101 -o scan.nbe -Format nbe # NBE (Nessus format)

# ─── Format use cases ─────────────────────────────────────────────
txt # Quick read, grep-friendly: grep "OSVDB" scan.txt
html # Readable client-facing output, include in report appendix
csv # Spreadsheet analysis, filter/sort findings by severity
xml # Import into Metasploit, Dradis, or other reporting tools


Tuning — Focus the Scan on What Matters

-Tuning restricts the scan to specific check categories. This is useful when you want faster scans, when certain check types (like DoS) are explicitly out of scope, or when you want to focus on a specific finding category during triage.

NIKTO -TUNING CATEGORIES — KALI LINUX COURSE DAY 6

#   Category                  What It Checks
0   File Upload               Upload directories & CGI file upload vulnerabilities
1   Interesting Files         Logs, backup files, admin pages, phpinfo.php, readme files
2   Misconfiguration          Default files, directory indexing, dangerous HTTP methods
3   Information Disclosure    Version banners, error messages, server headers
4   Injection (XSS/CRLF)      Cross-site scripting & CRLF header injection checks
5   Remote File Retrieval     Path traversal & local file inclusion vulnerabilities
6   Denial of Service         DoS vulnerabilities — usually out of scope, exclude with -Tuning x6
9   SQL Injection             Basic SQL injection detection in parameters
b   Software Identification   Identify installed software & frameworks from response

Recommended combo: nikto -h TARGET -Tuning 123b # misconfig + disclosure + software ID (no DoS)

Nikto -Tuning Categories — Numbers 0–9 plus a–c control which check categories run. In most authorised engagements, exclude category 6 (DoS) with -Tuning x6 or run only categories 1, 2, 3, b for a focused recon scan: nikto -h target -Tuning 123b. This gives misconfiguration, information disclosure, interesting files, and software ID without triggering DoS checks that may be explicitly out of scope.

# ─── Common tuning combinations ──────────────────────────────────
nikto -h http://192.168.56.101 -Tuning 123b # recon focus: misconfig + disclosure + software
nikto -h http://192.168.56.101 -Tuning 9 # SQLi checks only
nikto -h http://192.168.56.101 -Tuning x6 # run all EXCEPT DoS (x = reverse/exclude)
nikto -h http://192.168.56.101 -Tuning 4 # injection checks (XSS/CRLF) only
nikto -h http://192.168.56.101 -Tuning 2 # misconfiguration checks only — fastest

HTTPS & Custom Ports

# ─── HTTPS targets ────────────────────────────────────────────────
nikto -h https://target.com # HTTPS auto-detected
nikto -h target.com -ssl -p 443 # Force SSL on port 443
nikto -h 192.168.56.101 -ssl -p 8443 # SSL on non-standard port

# ─── Metasploitable2 — multiple web services ─────────────────────
nikto -h 192.168.56.101 -p 80 # Apache (main web server)
nikto -h 192.168.56.101 -p 8180 # Apache Tomcat (Java app server)
nikto -h 192.168.56.101 -p 8080 # Additional web service

# ─── Scan multiple ports in one run ──────────────────────────────
nikto -h 192.168.56.101 -p 80,8080,8180,443

💡 Tomcat on port 8180: Metasploitable2 runs Apache Tomcat on port 8180 with default credentials (tomcat:tomcat). Nikto against this port will flag the manager application at /manager/html — which allows deploying arbitrary WAR files (= remote code execution). Always scan non-standard ports that Nmap identifies as web services. First find them with Nmap, then scan with Nikto.

Evasion Techniques — Reducing IDS Detection

In authorised engagements where the scope explicitly permits evasion testing, Nikto’s -evasion flag modifies HTTP requests to reduce the probability of IDS signature matches. These do not make Nikto invisible — server logs will still record the requests — but they may bypass signature-based IDS rules that look for Nikto-specific patterns.

# Evasion techniques (combine multiple with no spaces):
1 Random URI encoding
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Random case sensitivity
8 Windows directory separator (\)

# ─── Apply evasion during a scan ─────────────────────────────────
nikto -h http://192.168.56.101 -evasion 1 # random URI encoding
nikto -h http://192.168.56.101 -evasion 17 # encoding + random case
nikto -h http://192.168.56.101 -evasion 1234 # multiple techniques combined


Authenticated Scans — Scanning Behind Login Walls

# ─── Basic authentication (-id user:pass) ─────────────────────────
nikto -h http://192.168.56.101 -id admin:admin

# ─── Cookie-based auth (use Burp to capture cookie) ──────────────
nikto -h http://192.168.56.101/dvwa/ \
  -cookie "PHPSESSID=abc123; security=low"

# ─── Scan through a proxy (Burp Suite intercept) ─────────────────
nikto -h http://192.168.56.101 -useproxy http://127.0.0.1:8080
# All Nikto traffic routed through Burp — see every request/response

# ─── Custom User-Agent (change from default "Mozilla/… Nikto") ──
nikto -h http://192.168.56.101 \
  -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
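The log side of the point made above: every Nikto request is recorded by the web server whether or not the User-Agent is changed. The following Python script is an added example (not from this page or the Nikto project) that parses Apache combined-format access-log lines and flags a source on three signals a defender can alert on: Nikto's default User-Agent string, dangerous methods such as TRACE and PUT, and a per-minute request burst. The log lines and the 50-requests-per-minute threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
DANGEROUS_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}
RATE_THRESHOLD = 50   # requests from one source within one minute; assumed tuning value

# Constructed sample log (not real traffic): one normal visitor, then a scanner that
# probes with Nikto's default User-Agent and exercises TRACE and PUT.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Feb/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.56.1 - - [21/Feb/2024:10:05:00 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 2811 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"',
    '192.168.56.1 - - [21/Feb/2024:10:05:00 +0000] "TRACE / HTTP/1.1" 200 45 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"',
    '192.168.56.1 - - [21/Feb/2024:10:05:01 +0000] "PUT /uploads/x.txt HTTP/1.1" 405 312 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"',
]
# Same scanner after its User-Agent was changed with -useragent: the string no longer
# says "Nikto", but the request burst still shows up in the per-minute count.
SAMPLE_LOG += [f'192.168.56.1 - - [21/Feb/2024:10:05:{i % 60:02d} +0000] "GET /cgi-bin/test{i}.cgi HTTP/1.1" '
               '404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"' for i in range(60)]

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect(lines):
    """Return {source_ip: [reasons]} for sources showing scanner indicators."""
    per_ip = defaultdict(lambda: {"nikto_ua": 0, "dangerous": Counter(), "per_minute": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip it, never crash a detection job
        s = per_ip[rec["ip"]]
        if "nikto" in rec["ua"].lower():
            s["nikto_ua"] += 1
        if rec["method"] in DANGEROUS_METHODS:
            s["dangerous"][rec["method"]] += 1
        s["per_minute"][rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["nikto_ua"]:
            reasons.append(f"Nikto User-Agent on {s['nikto_ua']} requests")
        if s["dangerous"]:
            reasons.append("dangerous methods: " + ", ".join(f"{m} x{n}" for m, n in sorted(s["dangerous"].items())))
        peak = max(s["per_minute"].values())
        if peak >= RATE_THRESHOLD:
            reasons.append(f"burst of {peak} requests in one minute")
        if reasons:
            findings[ip] = reasons
    return findings
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the method and burst signals survive a changed User-Agent, which is why a scan should be announced in the report.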


Reading & Triaging Nikto Output — What Matters

Nikto outputs can be long. Knowing how to triage the findings quickly — which are critical, which are low-severity, which are false positives — is a skill that saves time in every engagement. Here is the priority framework:

CRITICAL
Dangerous HTTP methods (PUT/DELETE enabled), Outdated software with active CVEs, Default credentials on web management panels
+ HTTP PUT method: /uploads/ - PUT method could allow file uploads

HIGH
Exposed admin interfaces (phpMyAdmin, Tomcat Manager), Directory indexing enabled, phpinfo.php accessible, .git folder exposed
+ OSVDB-3092: /phpMyAdmin/: phpMyAdmin is for managing MySQL

MEDIUM
TRACE/CONNECT method enabled (XST), Server version disclosure in headers
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

LOW
Missing security headers (X-Frame-Options, CSP, X-XSS-Protection, X-Content-Type-Options), ETag inode leakage
+ The anti-clickjacking X-Frame-Options header is not present.

# ─── Quick triage on saved output ────────────────────────────────
grep -i "PUT\|DELETE\|upload" scan.txt # dangerous methods first
grep -i "admin\|phpmyadmin\|manager\|console" scan.txt # admin interfaces
grep -i "outdated\|appears to be" scan.txt # outdated software
grep -i "header\|missing" scan.txt # missing headers (low)
grep "OSVDB" scan.txt | wc -l # count total findings
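The same triage, scripted. This Python example is added here (it is not part of the page or of Nikto) and applies the severity framework above to saved text output: it joins Nikto's wrapped "+ " lines, drops scan metadata, keeps the OSVDB id for the report, and buckets each finding CRITICAL/HIGH/MEDIUM/LOW. The sample output is the Metasploitable2 result shown earlier with one constructed PUT finding added; "outdated" is filed as MEDIUM until a CVE lookup confirms an active CVE, which is the page's condition for CRITICAL.

```python
import re
# Severity keyword rules from the triage framework above: tested in order, first match wins.
# "outdated" lands in MEDIUM pending a CVE lookup; escalate to CRITICAL once an active CVE is confirmed.
SEVERITY_RULES = [
    ("CRITICAL", re.compile(r"\bPUT\b|\bDELETE\b|default (account|login|credential|password)", re.I)),
    ("HIGH", re.compile(r"phpmyadmin|/manager/|directory indexing|browsable|phpinfo|\.git\b", re.I)),
    ("MEDIUM", re.compile(r"\bTRACE\b|\bCONNECT\b|\bXST\b|outdated|appears to be", re.I)),
    ("LOW", re.compile(r"header|etag|inode", re.I)),
]
OSVDB_RE = re.compile(r"OSVDB-(\d+)")
# '+ ' lines that describe the scan itself rather than the target
NOISE_RE = re.compile(r"^(Target |Start Time|End Time|\d+ requests:)")

# Constructed sample: the Metasploitable2 output shown earlier, plus one added PUT finding.
SAMPLE_OUTPUT = """\
- Nikto v2.1.6
+ Target IP:          192.168.56.101
+ Target Port:        80
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Server leaks inodes via ETags, header found with file /,
  inode: 67706, size: 45, mtime: Sat Feb 21 00:00:00 2009
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined.
+ The X-Content-Type-Options header is not set.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is
  vulnerable to XST
+ Apache/2.2.8 appears to be outdated (2.4.57 is current)
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc directory is browsable. This may be a problem.
+ OSVDB-3092: /phpMyAdmin/: phpMyAdmin is for managing MySQL
  databases, and should be protected or limited.
+ HTTP PUT method: /uploads/ - PUT method could allow file uploads
+ 6544 requests: 0 error(s) and 12 item(s) reported on remote host
"""

def parse_findings(text):
    """Join Nikto's wrapped '+ ' lines into one string each and drop scan metadata."""
    findings = []
    for raw in text.splitlines():
        if raw.startswith("+ "):
            findings.append(raw[2:].strip())
        elif raw.startswith("  ") and findings:     # indented continuation of the previous finding
            findings[-1] += " " + raw.strip()
    return [f for f in findings if not NOISE_RE.match(f)]

def classify(finding):
    for severity, pattern in SEVERITY_RULES:
        if pattern.search(finding):
            return severity
    return "INFO"                                    # e.g. the bare Server: banner line

def triage(text):
    """Bucket findings by severity; each entry keeps its OSVDB id (if any) for the report."""
    buckets = {"CRITICAL": [], "HIGH": [], "MEDIUM": [], "LOW": [], "INFO": []}
    for f in parse_findings(text):
        m = OSVDB_RE.search(f)
        buckets[classify(f)].append({"osvdb": m.group(1) if m else None, "text": f})
    return buckets
```

Point `triage()` at the contents of scan.txt from a `-o` run; the keyword lists are a starting point and should be extended as new finding texts show up in your reports.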

Nikto vs Gobuster — Different Tools, Different Jobs

A common question from beginners is whether to use Nikto or Gobuster. The answer is always: both. They do fundamentally different things.

🔍 GOBUSTER — Content Discovery
→ Brute-forces paths using a wordlist
→ Discovers hidden content that exists
→ Finds: /admin, /backup, /api/v1/
→ You define what to look for
→ Run first to map the attack surface

🛡️ NIKTO — Vulnerability Assessment
→ Tests against 6,700+ known issues
→ Finds: outdated software, bad configs
→ Finds: missing headers, dangerous methods
→ Database defines what to look for
→ Run after Gobuster maps the server
→ Day 6: Nikto Tutorial ← you are here

Professional web assessment order:
Nmap → Gobuster → Nikto → Manual testing in Burp Suite
Open ports → Hidden content → Known vulnerabilities → Manual exploitation of findings

More on the information gathering workflow: Information Gathering Tools in Kali Linux | Penetration Testing Lifecycle Explained


📋 Nikto Command Reference Card — Screenshot This

NIKTO COMMAND REFERENCE — KALI LINUX COURSE DAY 6 — securityelites.com
BASIC SCANS
nikto -h http://TARGET
nikto -h https://TARGET -ssl
nikto -h TARGET -p 8080,8443
nikto -update

OUTPUT FORMATS
nikto -h TARGET -o out.txt
nikto -h TARGET -o out.html -Format htm
nikto -h TARGET -o out.csv -Format csv
nikto -h TARGET -o out.xml -Format xml

TUNING
nikto -h TARGET -Tuning 123b # recon focus
nikto -h TARGET -Tuning x6 # skip DoS
nikto -h TARGET -Tuning 9 # SQLi only
nikto -h TARGET -Tuning 2 # misconfiguration

AUTH & PROXY
nikto -h TARGET -id admin:admin
nikto -h TARGET -cookie "sess=abc"
nikto -h TARGET -useproxy http://127.0.0.1:8080

EVASION
nikto -h TARGET -evasion 1 # URI encoding
nikto -h TARGET -evasion 7 # random case
nikto -h TARGET -evasion 17 # encoding+case

TRIAGE GREPS
grep -i "PUT\|DELETE" scan.txt
grep -i "admin\|manager" scan.txt
grep -i "outdated" scan.txt
grep -i "header" scan.txt

Workflow: nmap → gobuster → nikto → manual Burp testing · Authorised targets only

Nikto Command Reference Card — Day 6 Kali Linux Course. Six panels: basic scans (HTTP, HTTPS, multiple ports), output formats (txt/html/csv/xml), tuning (recommended: 123b for recon, x6 to exclude DoS), authentication and proxy routing, evasion options, and grep commands for fast output triage. Screenshot for your second monitor.

Day 6 Complete — 174 Tools Still to Come

Six days in you have a complete recon and scanning toolkit. Nmap finds services. Gobuster finds paths. Nikto finds vulnerabilities. Hydra tests credentials. John cracks hashes. The stack is building.

Frequently Asked Questions – Nikto Tutorial

What is Nikto used for in ethical hacking?
Nikto is a web server vulnerability scanner that checks for 6,700+ known issues — outdated server software, missing security headers, dangerous HTTP methods (PUT/DELETE enabled), exposed sensitive files, default web management credentials, and common misconfigurations. It provides a quick automated baseline of a web server’s security posture in minutes.

What is the difference between Nikto and Gobuster?
Gobuster brute-forces paths using a wordlist to discover hidden content (what exists). Nikto tests against 6,700+ known vulnerabilities and misconfigurations to find security issues (what is wrong). Use both: Gobuster first to map the server, then Nikto to assess known vulnerabilities. They complement each other — neither replaces the other.

How noisy is Nikto? Will it be detected?
Very noisy. Nikto sends thousands of HTTP requests in a short period — clearly visible in server logs, will trigger most IDS/WAF systems. It does not attempt stealth by default. Use -evasion flags to reduce IDS signature detection (not full evasion). Always confirm scanning is authorised and expected before running against any system.

What does Nikto check for?
Server version disclosure and outdated software, missing security headers (X-Frame-Options, CSP, X-XSS-Protection), dangerous HTTP methods (PUT allows file upload, TRACE enables XST), exposed sensitive files (phpinfo.php, server-status, .htaccess), default credentials on web management panels, directory indexing, and 6,700+ historical vulnerability signatures.

What is Nikto -Tuning?
Controls which check categories run. Numbers 0–9 and a–c select specific categories. Recommended for most scans: -Tuning 123b (misconfiguration + disclosure + software ID). Use -Tuning x6 to exclude DoS checks (category 6) that are usually out of scope in authorised engagements.

Is Nikto pre-installed on Kali Linux?
Yes. Verify: nikto -Version. Update database: nikto -update. Install if missing: sudo apt install nikto. Database at: /var/lib/nikto/databases/

Mr Elite
Founder, SecurityElites.com | Penetration Tester | Kali Linux Educator

Nikto is one of the first tools I run against every web server in an authorised assessment — not because it finds sophisticated vulnerabilities, but because it finds the obvious ones in two minutes. Missing security headers. Outdated Apache. phpMyAdmin accessible from the internet. Tomcat Manager running on default credentials. These findings appear in reports from global financial institutions and small e-commerce sites alike. Nikto does not find everything — no automated tool does — but it finds the low-hanging fruit quickly, freeing your manual testing time for the vulnerabilities that require judgment to find.

Coming Up — Day 7
SQLmap — Automated SQL Injection Discovery & Exploitation
Nikto flags potential SQLi in headers. Day 7 teaches you to confirm and exploit it.

Lokesh N. Singh aka Mr Elite
Founder, Securityelites · AI Red Team Educator
Founder of Securityelites and creator of the SE-ARTCP credential. Working penetration tester focused on AI red team, prompt injection research, and LLM security education.