If you administer web servers, you know how crucial it is to ensure those servers’ security. Without a regular checkup, you could have a vulnerable server waiting to be exploited. To that end, how do you find out if your servers are vulnerable? The answers to that question are many and varied. However, if you’re looking for a really easy solution, one that won’t cost you a penny, you can turn to Nikto2.

Nikto2 is an open source security scanner with a feature list that includes:

  • SSL Support
  • Full HTTP proxy support
  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Template engine for easy customize reports
  • Scan multiple ports on a server
  • Scan multiple servers (via input file)
  • Easily updated via command line
  • Identifies installed software via headers, favicons and files
  • Host authentication with Basic and NTLM
  • Subdomain guessing
  • Apache and cgiwrap username enumeration
  • Mutation techniques to “fish” for content on web servers
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Guess credentials for authorization realms
  • Authorization guessing handles any directory (not just the rootdirectory)
  • Enhanced false positive reduction
  • Reports “unusual” headers

Let’s install Nikto2 and see how it is used to scan a web server.

SEE: Power checklist: Managing backups (Tech Pro Research)


I will be demonstrating the installation on the Ubuntu Server 16.04 platform. Since Nikto2 is Perl-based, it can be run on any platform with Perl installed. Here are the steps for installation.

The first thing you want to do is update/upgrade your system with the following two commands:

sudo apt update
​sudo apt upgrade

Once the above commands complete, you’re ready to install. Do note, if the upgrade includes the kernel, you’ll want to reboot, so plan this accordingly.

Install the necessary dependencies with the command:

sudo apt-get install wget unzip libnet-ssleay-perl libwhisker2-perl openssl

Change into the /opt directory with the command cd /opt and download the installer script with the command:

sudo wget https://cirt.net/nikto/nikto-2.1.5.tar.gz

Extract the downloaded file with the command:

sudo tar xvfz nikto-2.1.5.tar.gz

Rename the newly-created directory with the command:

sudo mv nikto-2.1.5/ nikto

Change into the newly renamed directory with the command cd nikto and give the installer script the necessary permissions with the command sudo chmod +x nikto.pl.

Finally, issue the command perl nikto.pl -update to update the databases and plugins.

You’re ready to test.

Scanning your website

Running a scan with Nikta2 is quite simple. You must be in the /opt/nikto directory and issue the command:

perl nikto.pl -h SERVER_ADDRESS

Where SERVER_ADDRESS is either the domain or IP address of your server. The scanner will begin the process and report what it finds (Figure A).

Figure A

Depending upon how complex the site scanned is, this process could take seconds or minutes. If you don’t want to have to sit and watch out the output, you can always use the -o option to direct the output to a file, such as:

perl nikto.pl -h SERVER_ADDRESS -o scan.htm

Where SERVER_ADDRESS is the IP or domain of your server. You can name the output file anything you like.

The scan will not give you suggestions as to how you can fix issues, so you’ll have to take a bit of extra time, after combing through the output, to find out how to fix any problems. Also note that some of the security checks are informational only (and not rooted in security). It is important that you carefully go through the report when the scan is complete.

To list out the various options that can be used with Nikto2, issue the command:

perl nikto.pl -h

A handy tool for your security toolkit

If you’re looking for an easy to use website vulnerability scanner, Nikto2 is certainly a handy one to have in your toolkit. Although it won’t fix your problems, it will certainly make you aware of them. Give Nikto2 a try and see if it doesn’t become one of your go-to web vulnerability scanners.

Also see