Scanning Web Servers with Nikto: A Pentester’s Guide

When it comes to web server reconnaissance, speed is good, stealth is better — but awareness is everything. That’s where Nikto comes in. It’s loud, it’s obvious, and it’s supposed to be. Nikto isn’t built for silent ops; it’s built for uncovering known vulnerabilities fast.

In this post, we’ll cover:

  • What Nikto is
  • When and why to use it
  • How it works
  • Important command examples
  • What kind of vulnerabilities it can find
  • Limitations and tips for pentesters

Nikto is an open-source web server scanner. It checks for:

  • Insecure or default configurations
  • Outdated software versions
  • Dangerous files (e.g., /phpinfo.php, /test, /admin)
  • Known vulnerabilities
  • HTTP headers and misconfigurations

Nikto is written in Perl and uses a large database of known issues. It’s often used in the early stages of a web app pentest to quickly identify low-hanging fruit.

Nikto is your friend when:

  • You’ve identified a web server during recon
  • You want to quickly spot known issues, outdated software, or misconfigurations
  • You’re doing an internal assessment and stealth isn’t a priority
  • You want to complement GoBuster, Dirb, or Nmap scans with vulnerability checks

It’s not stealthy. IDS/IPS systems will see it. That’s fine in a lab or gray-box test — just don’t bring it to a red team op unless you’re meant to be loud.

Kali and Parrot ship with it. If not:

sudo apt install nikto

Or clone it directly:

git clone https://github.com/sullo/nikto.git
cd nikto/program
perl nikto.pl -Help
# Prints the full option list (-h is the host option, not help)

nikto -h http://target-ip
# Perform a basic scan on the target
nikto -h https://target.com
# Scans an HTTPS site
nikto -h http://target.com -p 8080
# Scans on a non-standard port
nikto -h 192.168.1.10
nikto -h targets.txt
# targets.txt = one host per line
nikto -h <host> -output result.txt
# Saves results to file
nikto -h <host> -Tuning 1
# Restrict the scan to a class of checks: 1 = interesting files, 2 = misconfiguration/default files, 3 = information disclosure, 9 = SQL injection, b = software identification; prefix with x to run everything except the listed classes (so -Tuning x6 skips the DoS checks)
nikto -h <host> -Plugins <plugin_name>
# Run specific plugin(s); nikto -list-plugins shows what is available
nikto -h <host> -Display V
# Verbose output: shows every test as it runs, not just the hits
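As an added example (not code from the original post), the following shell script feeds Nmap's grepable output into Nikto, one run per open web port, so the -p, -ssl, -Tuning and -output options above get used the way they would in an internal assessment. The Nmap lines are a constructed sample; the output directory, the file naming and the choice of tuning classes are this example's own, and DRY_RUN=1 prints the commands instead of scanning.

```shell
#!/bin/sh
# Added example, not part of the original post: drive Nikto from an Nmap
# grepable (-oG) scan, one run per open HTTP/HTTPS port.
# Assumptions: nikto is on PATH, results go under ./nikto-out (or the
# directory passed to run_nikto), and the Nmap text below is a constructed
# sample of `nmap -sV -oG - <net>` output for a lab network.
set -eu

SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.10 ()   Ports: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//Apache httpd 2.4.29/
Host: 192.168.1.11 ()   Ports: 443/open/tcp//ssl|https//nginx/, 8080/open/tcp//http-proxy//Jetty/
Host: 192.168.1.12 ()   Ports: 3306/open/tcp//mysql//MySQL/     Ignored State: closed (999)
# Nmap done (constructed sample)'

# Read -oG text on stdin and print one "host port mode" line per open port
# whose service name looks like HTTP; mode is "ssl" when Nmap saw TLS.
web_targets() {
    awk '
    /^Host:/ && /Ports: / {
        host = $2
        sub(/[ \t]*Ignored State:.*/, "")   # drop the trailing summary, if any
        sub(/.*Ports: /, "")                # keep only the port list
        n = split($0, ports, ", ")
        for (i = 1; i <= n; i++) {
            # each entry is port/state/proto/owner/service/rpc/version/
            split(ports[i], f, "/")
            if (f[2] != "open") continue
            if (f[5] ~ /https|ssl/)      print host, f[1], "ssl"
            else if (f[5] ~ /http/)      print host, f[1], "plain"
        }
    }'
}

# Read "host port mode" lines and run Nikto for each, saving one text
# report per target.  Tuning 123b limits the run to interesting files,
# misconfigurations, information disclosure and software identification,
# which is what a first pass in an internal assessment is after.
# Set DRY_RUN=1 to print the commands instead of running them.
run_nikto() {
    outdir="${1:-nikto-out}"
    mkdir -p "$outdir"
    while read -r host port mode; do
        out="$outdir/${host}_${port}.txt"
        sslflag=""
        if [ "$mode" = ssl ]; then sslflag="-ssl"; fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "nikto -h $host -p $port $sslflag -Tuning 123b -output $out"
        else
            nikto -h "$host" -p "$port" $sslflag -Tuning 123b -output "$out"
        fi
    done
}

# Typical use, once nmap has really been run:
#   nmap -sV -oG - 192.168.1.0/24 | web_targets | run_nikto nikto-out
# Dry run against the constructed sample:
printf '%s\n' "$SAMPLE_GNMAP" | web_targets | DRY_RUN=1 run_nikto nikto-out
```

The service-name match is deliberately loose (anything containing http, or ssl/https for TLS) because Nmap labels proxies and app servers in several ways; on a real network it is worth eyeballing the target list before the loop fires several thousand requests at each host.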

Nikto can identify things like:

  • Exposed admin panels
  • WebDAV enabled
  • PHP info pages
  • Default credentials and login portals
  • Misconfigured HTTP methods (e.g., PUT, DELETE)
  • Dangerous HTTP headers or lack thereof
  • Apache or nginx version leaks with known CVEs

It’s like a web-focused version of Nmap scripts — but specifically tuned for HTTP vulnerabilities.

Representative output from a scan against a lab host:

+ Server: Apache/2.4.29 (Ubuntu)
+ Retrieved x-powered-by header: PHP/7.2.24
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /test/: Test directory is accessible.
+ OSVDB-3092: /admin/: This might be an administrative login page.

  • No zero-days — Nikto uses known vulnerabilities only.
  • No stealth — It’ll get flagged by IDS/IPS and WAFs, and the request volume alone stands out in server logs.
  • No form-based login — It can send HTTP Basic credentials (-id user:pass), but it can’t authenticate to an application login form, so anything behind one goes unscanned.
  • No JavaScript rendering — Can’t interact with dynamic web apps.

But as a first strike tool, Nikto is fast and simple.

  • Pair Nikto with Dirb, GoBuster, and WhatWeb for a full picture.
  • Use it after fingerprinting a target with Nmap or Wappalyzer.
  • Always follow up Nikto findings manually — especially when you see /phpinfo.php, /test, or config files exposed.
  • When in doubt, scan in verbose mode (-Display V) and dig into each issue.
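To make the manual follow-up in the last tip systematic, here is an added shell example (not code from the post or from Nikto itself) that buckets the "+" lines of a Nikto text report so exposed paths and version leaks surface first, and separately flags HTTP verbs that deserve a hands-on test. It reads the report shown earlier, embedded here as constructed input; the bucket names and their priority order are this example's own choice.

```shell
#!/bin/sh
# Added example, not part of the original post: a first-pass triage of a
# Nikto text report (the default output format, as saved with -output).
# It buckets every "+" finding so the items most worth manual follow-up
# (exposed files and directories, then version leaks) are listed first,
# and separately flags HTTP verbs that deserve a hands-on test.
# The bucket names and their order are this example's own choice.
set -eu

# The findings shown earlier in the post, embedded here as constructed input.
SAMPLE_REPORT='+ Server: Apache/2.4.29 (Ubuntu)
+ Retrieved x-powered-by header: PHP/7.2.24
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /test/: Test directory is accessible.
+ OSVDB-3092: /admin/: This might be an administrative login page.'

# Read a report on stdin; print "<bucket><TAB><finding>" sorted by priority:
#   exposed  - a path Nikto could fetch ("/x: ..." or "OSVDB-n: /x: ...")
#   version  - Server / X-Powered-By values to check against known CVEs
#   methods  - the Allowed HTTP Methods line
#   headers  - a missing security header (low, but worth reporting)
#   other    - everything else
triage_nikto() {
    grep '^+ ' | sed 's/^+ //' | awk '
    function bucket(line) {
        if (line ~ /^(OSVDB-[0-9]+: )?\//)            return "1 exposed"
        if (line ~ /^(Server:|Retrieved .* header:)/) return "2 version"
        if (line ~ /^Allowed HTTP Methods:/)          return "3 methods"
        if (line ~ /header is not present/)           return "4 headers"
        return "5 other"
    }
    { print bucket($0) "\t" $0 }' | sort -s -k1,1n | cut -d" " -f2-
}

# Print the verbs from the Allowed HTTP Methods line that allow writing or
# reflect the request (PUT, DELETE, TRACE); exit status 1 when none appear.
risky_methods() {
    grep '^+ Allowed HTTP Methods:' | tr ',' '\n' | sed 's/.*: //; s/^ *//' \
        | grep -E '^(PUT|DELETE|TRACE)$'
}

# Usage on a saved report:  triage_nikto < result.txt ; risky_methods < result.txt
printf '%s\n' "$SAMPLE_REPORT" | triage_nikto
```

The bucket list is short on purpose: Nikto's own descriptions are the signal, and the point is to read the three exposed paths and the two version strings first, then the rest. Running risky_methods on the sample returns a non-zero exit status because only GET, HEAD, POST and OPTIONS are allowed; a report that lists PUT or DELETE is the one to follow up with a manual upload attempt.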

Nikto is a classic — not fancy, not subtle, but damn useful. It’s perfect for those initial moments when you just want to know: “What’s broken and obvious here?”

Throw it in your toolbox, fire it up in the recon phase, and let it light up misconfigurations before you dig deeper with Burp or manual fuzzing.
