Nikto 2 Released – Web Server Scanning Tool

Another one that has been a long time coming, but finally here it is! Nikto 2.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for items that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Version 2 adds a ton of enhancements, including:

  • Fingerprinting web servers via favicon.ico files
  • 404 error checking for each file type
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Uses LibWhisker 2, which has its own long list of enhancements
  • A “single” scan mode that allows you to craft an HTTP request manually
  • Basic template engine so that HTML reports can be easily customized
  • An experimental knowledge base for scans, which will allow regenerated reports and retests (future)
  • Optimizations, bug fixes and more…
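Two items from that list, the per-file-type 404 check with content hashing (what stops a server that answers 200 for everything from flooding the report with false positives, the complaint raised against earlier scanners) and favicon hash fingerprinting, sketched as an added Python example. This is not Nikto's code: the simulated server, the favicon bytes, the fingerprint table and the use of MD5 are all constructed for the demo.

```python
import hashlib
import os
from typing import Callable, Dict, Optional, Tuple

Fetch = Callable[[str], Tuple[int, bytes]]  # fetch(path) -> (status, body)

# Constructed stand-in for a default favicon and a made-up fingerprint table
# (md5 of favicon -> software); Nikto ships its own database of real hashes.
DEMO_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10demo-favicon-bytes"
FAVICON_DB = {hashlib.md5(DEMO_FAVICON).hexdigest(): "demo-server/1.0"}


def content_hash(body: bytes, path: str) -> str:
    # Remove the echoed request path first so every soft-404 page hashes alike.
    return hashlib.md5(body.replace(path.encode(), b"")).hexdigest()


class Scanner:
    def __init__(self, fetch: Fetch):
        self.fetch = fetch
        self.baseline: Dict[str, Tuple[int, str]] = {}  # ext -> (status, hash)

    def baseline_for(self, ext: str) -> Tuple[int, str]:
        """Ask for a file that cannot exist and record how 'not found' looks
        for this extension: status code plus hash of the body."""
        if ext not in self.baseline:
            probe = f"/baseline-{os.urandom(4).hex()}{ext}"
            status, body = self.fetch(probe)
            self.baseline[ext] = (status, content_hash(body, probe))
        return self.baseline[ext]

    def exists(self, path: str) -> bool:
        """Hit only if the response differs from the same-extension baseline."""
        status, body = self.fetch(path)
        if status == 404:
            return False
        ext = os.path.splitext(path)[1]
        return (status, content_hash(body, path)) != self.baseline_for(ext)

    def favicon_fingerprint(self) -> Optional[str]:
        """Identify server software from the hash of its favicon.ico."""
        status, body = self.fetch("/favicon.ico")
        return FAVICON_DB.get(hashlib.md5(body).hexdigest()) if status == 200 else None


def demo_server(path: str) -> Tuple[int, bytes]:
    """Constructed soft-404 server: 200 for everything, one real page, default favicon."""
    if path == "/favicon.ico":
        return 200, DEMO_FAVICON
    if path == "/admin/login.php":
        return 200, b"<html><form>Admin login</form></html>"
    return 200, b"<html>Sorry, " + path.encode() + b" was not found</html>"
```

Against the demo server only `/admin/login.php` is reported, while every other probe is recognised as the server's soft-404 page even though it came back with a 200.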

You can download Nikto 2 here:
Or read more here.

Posted in: Exploits/Vulnerabilities, Hacking Tools, Windows Hacking


25 Responses to Nikto 2 Released – Web Server Scanning Tool

  1. Sir Henry December 24, 2007 at 2:12 pm #

    I think it is time to request a scan or two on my web host to keep them honest. Wonder how they will respond to that. If they refuse, then what do they have to hide, right? And if they don’t and something gets pwnd, perhaps I shall have to find another home? We shall see.

  2. mumble December 24, 2007 at 4:39 pm #

    @Sir Henry: I’m surprised, given your background, that you’re not running on a virtual server rather than shared hosting. The costs have dropped to the point where there’s no practical difference – and an order of magnitude more control.

    BTW — mumble (symbol) fruck (punctuation) org

  3. Sir Henry December 24, 2007 at 4:43 pm #

    I know, I know…shame on me. ;P My host does not provide VPS at a price point comparable to that which I am spending upon a shared hosting environment. Indeed, though, I know the advantages of running on a VPS and would love to, but right now, just do not have the $$ to justify it.

  4. goodpeople December 28, 2007 at 8:02 am #

    Nikto rocks! I love it. I also do lectures. Nikto is one of my favorites. Just ask someone in the audience if they have their own webserver and run Nikto against it.

  5. goodpeople December 28, 2007 at 8:06 am #

    @sir henry,

    Check your contract and look for something that says that you are not allowed to scan.

    When unsure, send them an email (on friday evening) that you will be performing a scan and start the scan 5 minutes later.

  6. Sir Henry December 28, 2007 at 2:41 pm #

    I contacted them to ask about scans and audits on shared servers and their response was, “The more attention to security by our customers, the better.” That included all the normal caveats of not pwning the server in any way and if there is something serious, to simply let them know.

  7. mumble December 28, 2007 at 4:01 pm #

    The main problem with not pwning the box is that often, the only reliable way of knowing whether the box is vulnerable is to bang on it and find out. Of course, once you have a shell on a box, it’s pwned.

  8. Sir Henry December 28, 2007 at 4:15 pm #

    So far, I have not seen much that really gives me worry. Although, if you have access to the box, you can cat any of the log files and gain username information based upon ssh auth and whatnot. I am not sure that is anything to worry about from my perspective, but I will bring it up, anyway. I do not know that they would want their customers to have that type of information about one another. I am taking an iterative approach, however and seeing what I can leverage from each type of assessment I make.

  9. goodpeople January 3, 2008 at 11:08 am #

    @Sir Henry,

    If I were you, I’d let Nikto and Nessus loose on their server and see where it leads. Combined with the info you get when you actually do have an account on the box, it could get very interesting.

  10. Sir Henry January 3, 2008 at 12:48 pm #

    I have been using Nikto thus far and am considering other apps, as well. I once worked for Qualys, so I still have the availability of an account there to use for scanning the server. I might use Nessus to simply compare and contrast the two.

  11. James Cooper January 4, 2008 at 10:18 am #

    Nikto’s design seems fundamentally flawed. I know companies like Qualys, Tenable (nessus) and Outpost24 who used to use nikto were putting out really long and misleading reports when they were using nikto against sites that didn’t return 404 error codes. My latest reports from Outpost24 have been much better, but it seems like they dropped nikto.

    I’m interested in playing with this new version to see if it has gotten any better about false positives.

  12. Sir Henry January 4, 2008 at 3:33 pm #

    So far, I am pleased with the new version of Nikto, but, being of skeptical nature, I always use many tools and see where the differences lie to weed out the false positives. I am not familiar with Outpost24, however, and shall add that to my list of things to investigate. Thanks for the tip.

  13. goodpeople January 6, 2008 at 8:15 am #

    @Sir Henry,

    Will you keep us posted?

  14. eM3rC January 6, 2008 at 9:41 pm #

    @Sir Henry

    Ditto what goodpeople said

    Great program! Thanks darknet!

  15. Sir Henry January 8, 2008 at 11:05 pm #

    @goodpeople and eM3rC

    I have sent off my Nikto results to my web host for consultation before I make any changes. In addition to that, I ran a QG map and scan against the server IP. I am thinking that they are still going through all the results. The good thing is that there were no sev4 and sev5 vulns. As for the sev3’s, I await their response.

  16. goodpeople January 9, 2008 at 12:09 am #

    You do realize that you have just become “that annoying guy who thinks he understands the wonderful Internet”. Right?

  17. Sir Henry January 9, 2008 at 12:51 am #

    For my web host? lol…yeah, I believe I have become that guy. But, I think they appreciate it. I once submitted the following lines to show them that they needed to restart httpd:

    ps -ef | grep httpd
    userx 25159 25142 0 16:52 pts/2 00:00:00 grep httpd

    I believe they laughed, but thanked me for being attentive.

  18. goodpeople January 9, 2008 at 12:55 am #

    Well, I guess everybody here knows the frustration of knowing more than the people who are supposed to give support.

  19. eM3rC January 9, 2008 at 3:05 am #

    @ Sir Henry

    It’s nice that you would be nice enough to contact your host about their vulnerabilities and let them know about what you were going to try to do. Many people I know seem to just do what they want and if someone doesn’t like it, down go the servers and/or website and/or computer.

  20. ivan January 9, 2008 at 2:07 pm #

    I am a total newbie on computer security, so please be patient :)

    So, Nikto 2 contains many enhancements over the first version. One of the major new features is fingerprinting web servers via favicon.ico files.

    Because I’m a newbie I don’t know how Nikto finds a webserver bug through a *.ico file, so please tell me.

    Any answer would be appreciated!

  21. Sir Henry January 9, 2008 at 2:59 pm #

    This is simple enough. They are speaking specifically about the favicon .ico file for popular webservers. If you do a search for favicon.ico on a server, there is information there that can disclose the type of webserver, thus providing the fingerprint.

  22. ivan January 9, 2008 at 7:39 pm #

    Sir Henry,

    Thanks a bunch for your explanation, but there’s a thing that I don’t understand yet. So, can you give examples of what you’re talking about, the favicon .ico of some webservers?

  23. Sir Henry January 9, 2008 at 7:43 pm #

    Look at the following link to see how one would check a favicon to enumerate the fingerprint of a web server:

  24. ivan January 9, 2008 at 7:57 pm #

    Oh my god, again, thanks a bunch for your absolutely ultra fast reply, I have understood now :)

  25. Sir Henry January 9, 2008 at 7:58 pm #

    Anything to spread the word on security.