KALI LINUX NETWORK SCANNING COOKBOOK

Web application scanning with Nikto


Nikto is a command-line tool in Kali Linux that can be used to evaluate a web application for known security issues. Nikto spiders through a target application and also makes numerous preconfigured requests, attempting to identify potentially dangerous scripts and files that exist on the application. In this recipe, we will discuss how to run Nikto against a web application and how to interpret the results.

Getting ready

To use Nikto to perform web application analysis against a target, you will need to have a remote system that is running one or more web applications. In the examples provided, an instance of Metasploitable2 is used to perform this task. Metasploitable2 has several preinstalled vulnerable web applications running on TCP port 80. For more information on setting up Metasploitable2, refer to the Installing Metasploitable2 recipe in Chapter 1, Getting Started, of this book.

How to do it…

The syntax and usage complexity associated with running Nikto...