📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
🔵 Day 6 — Nikto Tutorial
Authorised targets only — Nikto is noisy. Nikto sends thousands of HTTP requests and will appear clearly in any web server’s access logs. Only scan systems you own or have explicit written authorisation to test. Use your own DVWA lab or Metasploitable2 for practice.
Lab setup: Ethical Hacking Lab Setup at Home · Metasploitable Labs Hub
Day 3 taught you to find hidden directories with Gobuster. Day 6 teaches you to examine what is actually wrong with the web server serving those directories. Gobuster maps the terrain (what paths exist); Nikto audits the security (what known problems exist on the server). Together they are how professionals assess a web application’s attack surface in the first 20 minutes of an authorised engagement. Nikto does in two minutes what would take an hour of manual header inspection, CGI testing, and version checking.
Day 6 of the Kali Linux Course covers Nikto completely — what it checks, every important flag, output formats for professional reports, tuning the scan for specific finding categories, evasion options, and a full walkthrough against Metasploitable2. You will leave knowing how to interpret every line of Nikto output and which findings matter in a real report.
📋 What You’ll Master in Day 6
What Is Nikto & What It Checks
Install, Verify & Update
Basic Scan — Your First Results
Output Formats — Save for Reports
Tuning — Focus the Scan
HTTPS & Custom Ports
Evasion Techniques
Authenticated Scans
Reading & Triaging Output
Nikto vs Gobuster — Use Both
Command Reference Card
What Is Nikto and What Does It Check?
Nikto is an open-source web server scanner that tests against a database of over 6,700 known security issues. Unlike Gobuster, which discovers hidden content by brute-forcing paths, Nikto checks specifically for known vulnerabilities, misconfigurations, and outdated software, matching the target server’s responses against a continuously updated database of security problems.
SERVER VERSION CHECKS
Identifies server software and version. Apache 2.4.49 → CVE-2021-41773 (path traversal). nginx 1.16 → known vulnerabilities. Old PHP → multiple CVEs. Version disclosure itself is a finding.
MISSING SECURITY HEADERS
Reports missing X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, Strict-Transport-Security, X-XSS-Protection. Each absent header is a reportable finding with a recommended value.
DANGEROUS HTTP METHODS
Tests for PUT (arbitrary file upload), DELETE, TRACE (XST attacks), CONNECT, PATCH. Enabled PUT on a web server = unauthenticated remote file write = critical severity finding.
EXPOSED SENSITIVE FILES
Checks for phpinfo.php, server-status, server-info, .htaccess, .htpasswd, robots.txt, backup files, and hundreds of other files that should not be web-accessible.
DEFAULT CREDENTIALS
Tests default logins on common web management interfaces — Tomcat Manager, phpMyAdmin, WebLogic, JBoss, and others. Finds admin panels left on default username:password.
6,700+ KNOWN ISSUES
Comprehensive database of historical web vulnerabilities, dangerous CGI scripts, known bad configurations, and server-specific issues. Database updated via nikto -update.
⚠️ Nikto generates significant traffic. It sends thousands of requests in a short period — this is clearly visible in server logs and will trigger IDS/WAF alerts on monitored systems. Always confirm your target and scope before running. On authorised engagements, note in your report that scanning was performed — it will appear in the client’s logs.
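The warning above is also a detection opportunity for whoever runs the web server. The following added example (not from the original article) flags Nikto-style scanning in a combined-format access log using two signals: the default Nikto User-Agent string, which is assumed to contain the token "Nikto/" (it is configurable, so on its own it is only a weak signal), and a per-client request count standing in for the burst of thousands of requests the article describes. The log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the SecurityElites article): flag Nikto-style scanning
# in an Apache/nginx combined-format access log. Two signals are combined:
#   1. the default Nikto User-Agent contains "Nikto/" (assumed default; the
#      scanner can change it, so treat it as a weak signal);
#   2. a burst of requests from one client IP (the article's Metasploitable2
#      run made 6544 requests in 98 seconds), checked as a per-IP count.
# A production detector would additionally window the count by time.

# Constructed sample log lines (not real traffic).
SAMPLE_LOG='192.168.56.1 - - [21/Feb/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 45 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
192.168.56.1 - - [21/Feb/2024:10:00:01 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
192.168.56.1 - - [21/Feb/2024:10:00:01 +0000] "TRACE / HTTP/1.1" 200 0 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
192.168.56.1 - - [21/Feb/2024:10:00:02 +0000] "GET /doc/ HTTP/1.1" 200 512 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
10.0.0.7 - - [21/Feb/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
10.0.0.9 - - [21/Feb/2024:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "curl/8.0.1"'

# detect_scanners LOG_TEXT THRESHOLD
# Prints one line per suspicious client: "<ip> requests=<n> nikto_ua=<yes|no>".
# A client is suspicious if it made at least THRESHOLD requests or if any of
# its requests carried a Nikto User-Agent.
detect_scanners() {
    printf '%s\n' "$1" | awk -v threshold="$2" '
        {
            ip = $1
            count[ip]++
            # The User-Agent is the last double-quoted field on the line.
            n = split($0, q, "\"")
            ua = q[n - 1]
            if (index(ua, "Nikto/") > 0) nikto[ip] = 1
        }
        END {
            for (ip in count)
                if (count[ip] >= threshold || nikto[ip])
                    printf "%s requests=%d nikto_ua=%s\n", ip, count[ip],
                           (nikto[ip] ? "yes" : "no")
        }'
}

detect_scanners "$SAMPLE_LOG" 4
```

Run against a real log with `detect_scanners "$(cat /var/log/apache2/access.log)" 500`, tuning the threshold to the site's normal per-client volume.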
Install, Verify & Update Nikto
Verify Nikto is installed (Kali Linux — pre-installed):
nikto -Version
- Nikto v2.1.6
Install if missing:
sudo apt install nikto -y
Update Nikto’s vulnerability database (do this before any scan):
nikto -update
# Downloads latest checks from CIRT.net
# Database location: /var/lib/nikto/databases/
Show all available options:
nikto -Help
📚 Day 6 in the course sequence: You used Gobuster (Day 3) to discover what paths exist on a web server. Today’s Nikto scan tells you what security problems exist at those paths. In a professional workflow, Nmap → Gobuster → Nikto covers the first three phases of any web application assessment before manual testing begins. See: Information Gathering Tools in Kali Linux.
Basic Scan — Your First Nikto Results
Nikto’s core flag is -h (host). That is all you need for a basic scan against an HTTP target. Against your Metasploitable2 lab, this single command reveals a significant list of findings in under two minutes.
Kali Linux — Nikto Scan Against Metasploitable2 (Authorised Lab)
$ nikto -h http://192.168.56.101 -o nikto_results.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
- Target IP: 192.168.56.101
- Target Hostname: 192.168.56.101
- Target Port: 80
---------------------------------------------------------------------------
- Server: Apache/2.2.8 (Ubuntu) DAV/2
- Server leaks inodes via ETags, header found with file /, inode: 67706, size: 45, mtime: Sat Feb 21 00:00:00 2009
- The anti-clickjacking X-Frame-Options header is not present.
- The X-XSS-Protection header is not defined.
- The X-Content-Type-Options header is not set.
- OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
- Apache/2.2.8 appears to be outdated (2.4.57 is current)
- OSVDB-3268: /doc/: Directory indexing found.
- OSVDB-48: /doc/: The /doc directory is browsable. This may be a problem.
- OSVDB-3092: /phpMyAdmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited.
- 6544 requests: 0 error(s) and 12 item(s) reported on remote host
- End Time: (scan took 98 seconds)
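As an added example (not the article's own code), the function below triages the plain-text findings from a run like the one above into the categories described in "What Is Nikto and What Does It Check?" (server banner and version, missing headers, dangerous methods, exposed files and admin interfaces). The keyword-to-category mapping and the severities are my assumptions, a starting point for a report rather than anything Nikto itself outputs; the input is the article's scan output embedded as constructed data.

```shell
#!/bin/sh
# Added example (not the article's own code): triage the plain-text output of
# "nikto -h <target> -o nikto_results.txt" into report categories.
# The keyword matches are assumptions based on the wording Nikto prints;
# the severities are a suggested starting point for a report, not Nikto's own.

# Constructed input: the findings shown in the article's Metasploitable2 run.
NIKTO_OUT='- Server: Apache/2.2.8 (Ubuntu) DAV/2
- Server leaks inodes via ETags, header found with file /, inode: 67706, size: 45, mtime: Sat Feb 21 00:00:00 2009
- The anti-clickjacking X-Frame-Options header is not present.
- The X-XSS-Protection header is not defined.
- The X-Content-Type-Options header is not set.
- OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
- Apache/2.2.8 appears to be outdated (2.4.57 is current)
- OSVDB-3268: /doc/: Directory indexing found.
- OSVDB-48: /doc/: The /doc directory is browsable. This may be a problem.
- OSVDB-3092: /phpMyAdmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited.
- 6544 requests: 0 error(s) and 12 item(s) reported on remote host'

# triage_nikto TEXT: prints "SEVERITY CATEGORY | finding", highest severity first.
# Lines that are scan statistics rather than findings are dropped.
triage_nikto() {
    printf '%s\n' "$1" | awk '
        /^[-+] / {
            f = substr($0, 3)
            if (f ~ /header is not/)                      { sev = 3; category = "MISSING-HEADER" }
            else if (f ~ /TRACE method/)                  { sev = 2; category = "DANGEROUS-METHOD" }
            else if (f ~ /Directory indexing|browsable/)  { sev = 2; category = "DIRECTORY-LISTING" }
            else if (f ~ /should be protected/)           { sev = 1; category = "ADMIN-INTERFACE" }
            else if (f ~ /appears to be outdated/)        { sev = 1; category = "OUTDATED-SOFTWARE" }
            else if (f ~ /leaks inodes/)                  { sev = 3; category = "INFO-LEAK" }
            else if (f ~ /^Server: /)                     { sev = 4; category = "BANNER" }
            else next
            printf "%d %s | %s\n", sev, category, f
        }' | sort -n | sed 's/^1 /HIGH   /; s/^2 /MEDIUM /; s/^3 /LOW    /; s/^4 /INFO   /'
}

# count_findings TEXT SEVERITY: number of triaged findings at one severity level.
count_findings() {
    triage_nikto "$1" | grep -c "^$2 "
}

triage_nikto "$NIKTO_OUT"
```

Feed a saved report with `triage_nikto "$(cat nikto_results.txt)"`; findings that match no keyword are silently dropped, so extend the keyword list as you meet new Nikto messages.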