How to use Nikto for DAST
Nikto is an open-source web server scanner that checks web servers for potentially dangerous files and programs, outdated server software and other version-specific problems. It also checks server configuration items such as HTTP server options, and tries to identify the installed web server and software.
At the start of a penetration test, the testers gather information about the targets in the information gathering phase. They use a tool like Nikto to scan for vulnerabilities and discover the weakest link.
Setup & Usage
Nikto is available in Kali Linux by default, but it can also be run on Windows. Nikto is written in Perl, and a distribution of Nikto 2.1.5 conveniently packaged with Strawberry Perl is available for Microsoft Windows. The distribution is portable, so no installation is needed.
Step 1: Browse to https://projects.giacomodrago.com/nikto-win/ and download the zip file.
Step 2: Unzip the file, browse to nikto-2.1.5-win\nikto-2.1.5\perl in the extracted location and open portableshell.bat, which acts as a shell for Nikto.
Figure 1 Portable shell Perl
Step 3: You will get a command prompt; change directory to nikto-2.1.5 and execute nikto.bat.
Figure 2 Changing directory in Command Prompt
If you get the result as shown in the red rectangular box in Figure 2, then Nikto is ready for work.
Simplified Guide to use Nikto
Let’s see how this powerful and versatile tool works.
Figure 3 Nikto Modules
If you just run Nikto by itself, you might not know what to do with the information; it is more like a laser pointer used to call in a much bigger strike.
First, we need to understand the attack surface: anywhere an attack could be attempted, such as web servers, exposed printers, web applications and websites.
Suppose we have a URL. To use Nikto against it, we need to give Nikto one of three kinds of target:
- An IP address
- A Web domain
- An SSL-enabled (HTTPS) website
These are the three main types of targets, but we need to find them before we scan them; that is where tools like Maltego (an OSINT tool) come into play and help us build a profile of the available targets. After compiling a list of targets, we use Nikto to grind through them until we find something particularly juicy.
If we are lucky, we will find something with a weaponized exploit, meaning a vulnerability that someone else has not only exploited but also written a tool for.
That lets us run code, or do something else that was never intended, on that device. This is the Nikto cycle: we find a target, run it through Nikto, and by using the active scan we find a better way of attacking than some much longer and more elaborate scheme we would otherwise have to pull off. So, in general, if you are planning an attack it is worth your while to use a vulnerability scanner, and Nikto is one of the easiest.
One of Nikto's most useful features is its ability to scan SSL targets on port 443. This means that rather than being limited to older plain-HTTP websites, we can also perform vulnerability assessments on websites that use SSL.
Figure 4 Attack on example.co
In Figure 4 you can see some cipher information from the SSL port of <target>. The next command to use is:
nikto -h example.com -ssl
We specify -ssl to speed up the scan and to tell Nikto that this is an SSL-encrypted target. Once it connects on port 443, we can gather the useful pieces of information Nikto finds while scanning the target. All of this information is very useful against a live target, as it gives an overview of the types of attacks that might work, vulnerable locations on the website, and loopholes in the server version or headers.
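The three target forms listed above and the -ssl run against port 443 can be tied together in a small script. The following is an added example, not code from the original post or from the Nikto project: it builds the Nikto command line for an IP address, a domain or an HTTPS URL (adding -ssl for the last, as the post does) and sorts the findings in a Nikto CSV report into triage buckets so the server-version and header findings stand out. The CSV column order (host, ip, port, id, method, uri, message) and the category keywords are my assumptions, and the sample report lines are constructed rather than taken from a real scan.

```python
"""Added example, not code from the original post or from the Nikto project.

It builds a Nikto command line from one of the three target forms the post
lists (IP address, web domain, HTTPS-enabled site) and triages a Nikto CSV
report. The CSV column order assumed here (host, ip, port, id, method, uri,
message) is my reading of Nikto's CSV report plugin; the report text below
is constructed, not real scan output.
"""
import csv
import io
import ipaddress
import shlex
from collections import Counter
from urllib.parse import urlparse


def build_nikto_cmd(target: str, output: str = "nikto-report.csv") -> list:
    """Return argv for one Nikto run.

    A bare IP address or host name is scanned over plain HTTP on port 80.
    An https:// URL gets -ssl (as in the post) so Nikto skips SSL detection
    and connects on 443, or on the port given in the URL.
    """
    host, port, ssl = target, 80, False
    if "://" in target:
        url = urlparse(target)
        if url.scheme not in ("http", "https") or not url.hostname:
            raise ValueError(f"unsupported target: {target!r}")
        host, ssl = url.hostname, url.scheme == "https"
        port = url.port or (443 if ssl else 80)
    else:
        # Accept an IP literal or a DNS name (letters, digits, hyphens, dots).
        try:
            ipaddress.ip_address(target)
        except ValueError:
            labels = target.split(".")
            ok = target and all(
                lb and all(c.isalnum() or c == "-" for c in lb) for lb in labels
            )
            if not ok:
                raise ValueError(f"not an IP address or host name: {target!r}")
    argv = ["nikto", "-h", host, "-p", str(port), "-Format", "csv", "-o", output]
    if ssl:
        argv.append("-ssl")
    return argv


# Coarse triage buckets keyed on wording Nikto uses in its messages (assumed).
CATEGORIES = (
    ("outdated software", ("outdated",)),
    ("missing security header", ("header is not present", "header is not defined")),
    ("exposed path", ("might be interesting", "directory indexing")),
)


def classify(message: str) -> str:
    """Map one Nikto finding message to a triage bucket."""
    text = message.lower()
    for name, needles in CATEGORIES:
        if any(n in text for n in needles):
            return name
    return "informational"


def triage_report(csv_text: str) -> dict:
    """Parse a Nikto CSV report into {"host:port": Counter(category -> count)}."""
    fields = ("host", "ip", "port", "id", "method", "uri", "message")
    summary = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != len(fields):
            continue  # blank line or something that is not a finding row
        rec = dict(zip(fields, row))
        key = f"{rec['host']}:{rec['port']}"
        summary.setdefault(key, Counter())[classify(rec["message"])] += 1
    return summary


# Constructed report lines in the shape of Nikto CSV output (not a real scan).
SAMPLE_REPORT = """\
"example.com","192.0.2.10","443","0","GET","/","Server: Apache/2.2.15 (CentOS)"
"example.com","192.0.2.10","443","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"example.com","192.0.2.10","443","0","GET","/","Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.x)."
"example.com","192.0.2.10","443","0","GET","/admin/","This might be interesting..."
"""

if __name__ == "__main__":
    print(shlex.join(build_nikto_cmd("https://example.com")))
    for host, counts in triage_report(SAMPLE_REPORT).items():
        print(host, dict(counts))
```

Feeding the report through `triage_report` on every run is a cheap way to keep a per-host count of outdated-software and missing-header findings over time, which is what you want when Nikto is part of a recurring DAST pass over your own web servers rather than a one-off look.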
(Check our post on 3 Opensource Tools for DAST.)