Nikto is an open source tool that allows security assessors to evaluate the configuration of web servers. Unlike Nmap or Nessus, Nikto is designed exclusively for web-based configuration evaluations. As a general rule, it's a good idea to run Nikto (or a similar web scanner) on web services that are identified as part of a penetration test or vulnerability assessment. Nikto can be accessed from its web page at https://cirt.net/Nikto2.
The installation of Nikto is a fairly straightforward process, similar to the other tools we've used throughout this book:
wget https://github.com/sullo/nikto/archive/master.zip
unzip master.zip
cd nikto-master/program
Nikto is now ready to use!
Nikto, like many early security tools, is a Perl script—which means that as long as Perl is available on your system, Nikto is good to go! In order to demonstrate how Nikto works, we will run a simple scan against our favorite host, scanme.nmap.org
. To run this scan, we invoke...