What is Nikto?
Nikto is a Perl-based open-source web server vulnerability scanner. It performs comprehensive tests against web servers, checking for over 6,700 potentially dangerous files and scripts, outdated server software versions, version-specific configuration problems, and HTTP server options. It's typically run early in the web application testing phase to quickly surface low-hanging fruit before deeper manual testing begins. Nikto is intentionally noisy — it makes no attempt to evade detection — so it should only be run against targets you are authorized to test.
Only use on web servers you own or have explicit written permission to test. Nikto generates significant traffic and will trigger IDS/IPS alerts. Unauthorized scanning violates Pakistan's PECA 2016 and international cybercrime laws.
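Because Nikto makes no attempt to hide, its scans are easy to spot on the server side. The following is an added example (not part of this page or of the Nikto project) that flags Nikto-style scanning in Apache/nginx combined-format access logs using two signals: the tool's default User-Agent, which names Nikto, and a single client whose requests mostly return 404, which is what hundreds of probes for non-existent files look like in a log. The log lines are constructed, the Nikto User-Agent is modelled on the tool's default string, and the thresholds MIN_REQUESTS and NOT_FOUND_RATIO are assumptions to tune for your own traffic.

```python
"""Flag Nikto-style scanning in combined-format web server access logs."""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

MIN_REQUESTS = 10      # assumption: ignore clients below this request volume
NOT_FOUND_RATIO = 0.7  # assumption: share of 404s that counts as file probing


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines, min_requests=MIN_REQUESTS, not_found_ratio=NOT_FOUND_RATIO):
    """Group requests by client IP and report clients that look like a Nikto scan."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "nikto_ua": False, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        st = per_ip[rec["ip"]]
        st["requests"] += 1
        st["paths"].add(rec["path"])
        if rec["status"] == 404:
            st["not_found"] += 1
        if "nikto" in rec["ua"].lower():  # default UA is not changed unless -useragent is used
            st["nikto_ua"] = True

    findings = {}
    for ip, st in per_ip.items():
        reasons = []
        if st["nikto_ua"]:
            reasons.append("nikto user-agent")
        ratio = st["not_found"] / st["requests"]
        if st["requests"] >= min_requests and ratio >= not_found_ratio:
            reasons.append(f"{st['not_found']}/{st['requests']} requests returned 404")
        if reasons:
            findings[ip] = {"requests": st["requests"], "distinct_paths": len(st["paths"]), "reasons": reasons}
    return findings


# Constructed sample traffic (not real log data).
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"  # modelled on the default UA
TS = "10/Mar/2024:12:00:01 +0000"


def _line(ip, path, status, ua):
    return f'{ip} - - [{TS}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


PROBE_PATHS = ["/.git/HEAD", "/.env", "/phpinfo.php", "/backup.zip", "/admin/",
               "/cgi-bin/test-cgi", "/server-status", "/wp-login.php",
               "/config.php.bak", "/.htaccess", "/test.php"]

SAMPLE_LOG = (
    # ordinary browsing from 10.0.0.5: three successful requests
    [_line("10.0.0.5", p, 200, BROWSER_UA) for p in ("/", "/about", "/contact")]
    # 192.0.2.44 runs Nikto with its default User-Agent: few requests, but the UA names the tool
    + [_line("192.0.2.44", p, s, NIKTO_UA) for p, s in (("/", 200), ("/.env", 404), ("/admin/", 403))]
    # 198.51.100.7 changed the User-Agent, but 11 of its 12 requests hit missing files
    + [_line("198.51.100.7", "/", 200, BROWSER_UA)]
    + [_line("198.51.100.7", p, 404, BROWSER_UA) for p in PROBE_PATHS]
)

if __name__ == "__main__":
    for ip, info in detect_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} requests, {info['distinct_paths']} paths; {'; '.join(info['reasons'])}")
```

The User-Agent check catches a default Nikto run instantly; the 404-ratio check is what still fires when the operator has changed the User-Agent with -useragent, at the cost of needing a minimum request volume so that a user following a few dead links is not flagged.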
Installation
# Update packages
sudo apt update
# Install Nikto (pre-installed on Kali)
sudo apt install nikto -y
# OR clone from GitHub (latest version)
git clone https://github.com/sullo/nikto.git
cd nikto/program
perl nikto.pl -Help
# Check version
nikto -Version
Basic Usage
The -h flag specifies the target host. Nikto accepts hostnames, IP addresses, and full URLs including HTTPS targets.
# Scan a basic HTTP target
nikto -h http://target.com
# Scan a specific IP address
nikto -h 192.168.1.10
# Scan an HTTPS target
nikto -h https://target.com
# Scan on a non-standard port
nikto -h target.com -p 8080
# Scan multiple ports at once
nikto -h target.com -p 80,443,8080,8443
# Scan using a proxy (route through Burp Suite)
nikto -h http://target.com -useproxy http://127.0.0.1:8080
Output & Reporting
# Save output to a plain text file
nikto -h http://target.com -o results.txt
# Save as HTML report
nikto -h http://target.com -o report.html -Format htm
# Save as CSV for spreadsheet analysis
nikto -h http://target.com -o report.csv -Format csv
# Save as XML (for importing into other tools)
nikto -h http://target.com -o report.xml -Format xml
# Display verbose output in terminal
nikto -h http://target.com -Display V
Tuning Scans
The -Tuning flag controls which test categories Nikto runs. Use specific tuning codes to focus on relevant checks and reduce noise.
# Run only file upload checks
nikto -h http://target.com -Tuning 0
# Check for interesting files and paths seen in logs
nikto -h http://target.com -Tuning 1
# Check for misconfigurations and default files only
nikto -h http://target.com -Tuning 2
# Scan for information disclosure
nikto -h http://target.com -Tuning 3
# Check for XSS / script / HTML injection (SQL injection is category 9)
nikto -h http://target.com -Tuning 4
# Run all checks (the default when -Tuning is omitted)
nikto -h http://target.com
# Reverse the selection: x runs everything EXCEPT the listed categories (here 6 = denial of service)
nikto -h http://target.com -Tuning x6
# Combine multiple tuning categories
nikto -h http://target.com -Tuning 123
Authentication & Session Handling
# HTTP Basic Authentication (user:password, or user:password:realm)
nikto -h http://target.com -id admin:password
# Send session cookies with every request (Nikto has no -c flag; override the STATIC-COOKIE directive from nikto.conf)
nikto -h http://target.com -Option 'STATIC-COOKIE="PHPSESSID=abc123";"auth_token=xyz"'
# Set a custom User-Agent (-useragent changes only that header)
nikto -h http://target.com -useragent "Mozilla/5.0 (compatible; custom)"
# Follow 3xx redirects
nikto -h http://target.com -followredirects
# Run only a named plugin (e.g. the HTTP headers plugin)
nikto -h http://target.com -Plugins headers
Scanning Multiple Targets
# Read targets from a file (one per line)
nikto -h targets.txt
# Scan a full subnet (combine with nmap output)
nmap -p 80,443 192.168.1.0/24 -oG - | grep "80/open\|443/open" | awk '{print $2}' > webservers.txt
nikto -h webservers.txt -o nikto_results.txt
Common Flags
- -h — Target host, IP, or URL
- -p — Port number(s) to scan
- -o — Output file path
- -Format — Output format: txt, htm, csv, xml
- -Tuning — Control which test categories run (0–9, x to reverse the selection)
- -id — HTTP Basic Auth credentials (user:pass)
- -Option — Override a nikto.conf directive (e.g. STATIC-COOKIE to send session cookies)
- -useproxy — Route traffic through a proxy
- -Display — Control output verbosity (V = verbose)
- -ssl — Force SSL mode for HTTPS targets
- -timeout — Request timeout in seconds
- -update — Update Nikto's plugin and vulnerability database
- -Version — Display current Nikto version
Common Use Cases
- Initial web server reconnaissance at the start of a pentest engagement
- Detecting exposed sensitive files like .git, .env, phpinfo.php, backup.zip
- Identifying outdated server software (Apache, Nginx, IIS) with known CVEs
- Finding misconfigured HTTP methods (PUT, DELETE, TRACE enabled)
- Checking for default credentials on admin panels
- CTF reconnaissance — quickly surfacing hidden paths and server info
- Internal network web server audits during red team engagements
Further Reading
Nikto is a surface-level scanner — it's fast but not exhaustive. Follow up Nikto findings with manual testing using Burp Suite and deeper directory brute-forcing with gobuster or ffuf. Keep Nikto's database updated regularly with nikto -update to catch newly added vulnerability checks. Practice on intentionally vulnerable machines on TryHackMe, HackTheBox, and hackzia.site labs before running against live targets.