Nikto 2 Released – Web Server Scanning Tool

Another one that has been a long time coming, but finally here it is! Nikto 2.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).
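Because a Nikto run stands out in access logs, the same properties make it easy to spot from the server side. The following is an added example, not part of the original post or of Nikto's own code: it parses constructed Apache/nginx combined-format log lines and flags a client on two signals, a User-Agent that names the scanner (Nikto identifies itself by default, but the string is operator-configurable and the exact value below is constructed) and a burst of requests within a short window that are mostly 404s, which survives a changed User-Agent and most LibWhisker-style request mangling. The thresholds, the `has_404_burst` and `detect_scanners` names and the sample IPs are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format. Sample lines below are constructed, not a real capture.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

BROWSER_UA = "Mozilla/5.0 (X11; Linux i686) Firefox/2.0.0.11"
# Assumption: the scanner announces itself in the User-Agent unless the operator
# changes it; this exact string is constructed for the example.
SCANNER_UA = "Mozilla/5.00 (Nikto/2.00) (Evasions:None) (Test:000001)"
PROBED = ["/cgi-bin/", "/admin/", "/backup/", "/test.cgi", "/phpinfo.php",
          "/server-status", "/.htaccess", "/manager/html", "/cgi-bin/test-cgi",
          "/favicon.ico", "/robots.txt", "/~root"]


def _line(ip, second, path, status, ua):
    return (f'{ip} - - [24/Dec/2007:14:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 312 "-" "{ua}"')


# Constructed sample log: one ordinary visitor, and one host that probes a dozen
# paths in three seconds, most of which do not exist on the server.
SAMPLE_LOG = [
    _line("203.0.113.7", 1, "/", 200, BROWSER_UA),
    _line("203.0.113.7", 9, "/about.html", 200, BROWSER_UA),
    _line("203.0.113.7", 30, "/missing.png", 404, BROWSER_UA),
] + [
    _line("198.51.100.23", 2 + i // 4, p,
          200 if p in ("/favicon.ico", "/robots.txt") else 404, SCANNER_UA)
    for i, p in enumerate(PROBED)
]


def parse_line(line):
    """Return a dict with ip, ts (datetime), path, status (int), ua; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def has_404_burst(recs, window, min_requests, min_ratio):
    """Sliding window over one client's requests: True if, within `window`, the client
    made at least `min_requests` requests of which at least `min_ratio` were 404s."""
    recs = sorted(recs, key=lambda r: r["ts"])
    start = not_found = 0
    for end, rec in enumerate(recs):
        if rec["status"] == 404:
            not_found += 1
        # drop requests that fell out of the window on the left
        while rec["ts"] - recs[start]["ts"] > window:
            if recs[start]["status"] == 404:
                not_found -= 1
            start += 1
        n = end - start + 1
        if n >= min_requests and not_found / n >= min_ratio:
            return True
    return False


def detect_scanners(lines, window=timedelta(seconds=60), min_requests=10, min_ratio=0.7):
    """Map client IP -> list of reasons it looks like a web scanner."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        reasons = []
        if any("nikto" in r["ua"].lower() for r in recs):
            reasons.append("user-agent")
        if has_404_burst(recs, window, min_requests, min_ratio):
            reasons.append("404-burst")
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

On the constructed log, the ordinary visitor's single 404 never trips the burst rule, while the probing host is flagged on both signals. In a real deployment the 404 threshold needs tuning against the site's normal error rate, and the User-Agent rule should be treated as a convenience, not as the primary detection.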

Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for items that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Version 2 adds a ton of enhancements, including:

  • Fingerprinting web servers via favicon.ico files
  • 404 error checking for each file type
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Uses LibWhisker 2, which has its own long list of enhancements
  • A “single” scan mode that allows you to craft an HTTP request manually
  • Basic template engine so that HTML reports can be easily customized
  • An experimental knowledge base for scans, which will allow regenerated reports and retests (future)
  • Optimizations, bug fixes and more…
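The two items about 404 checking per file type and false-positive reduction through content hashing address the same failure: a server that answers unknown paths with HTTP 200 and a branded "not found" page makes a status-code-only scanner report every probed file as present. The example below is added here to illustrate that principle and is not Nikto's implementation or code; the in-memory `fake_server`, the candidate paths and the helper names are constructed for the example. It learns, per file extension, how the server answers a random surely-absent path, hashes that body with the echoed path stripped out, and only reports a candidate whose response differs from that baseline.

```python
import hashlib
import re
import secrets

# Constructed stand-in for a web server (no network involved). Two files exist;
# every other path gets a "soft 404": HTTP 200 with a branded not-found page that
# echoes the requested path.
REAL_FILES = {
    "/robots.txt": (200, "User-agent: *\nDisallow: /private/\n"),
    "/index.html": (200, "<html><body>Welcome</body></html>"),
}


def fake_server(path):
    """Return (status, body) the way a soft-404 server would."""
    if path in REAL_FILES:
        return REAL_FILES[path]
    return 200, f"<html><body><h1>Oops</h1>Page {path} was not found.</body></html>"


CANDIDATES = ["/robots.txt", "/admin.php", "/backup.zip", "/test.cgi",
              "/phpinfo.php", "/index.html", "/cgi-bin/test-cgi"]


def naive_check(fetch, paths):
    """Status-code only: anything that is not a 404 counts as present."""
    return [p for p in paths if fetch(p)[0] != 404]


def extension_of(path):
    m = re.search(r"\.([A-Za-z0-9]+)$", path)
    return m.group(1).lower() if m else ""


def fingerprint(status, body, path):
    """Status plus SHA-256 of the body with the echoed request path removed, so
    two not-found pages for different paths produce the same digest."""
    digest = hashlib.sha256(body.replace(path, "").encode()).hexdigest()
    return status, digest


def learn_404_baseline(fetch, extensions):
    """Request one random, surely-absent file per extension and record how the
    server answers. Per extension, because different handlers (PHP, CGI, static
    files) frequently produce different not-found responses."""
    baseline = {}
    for ext in extensions:
        probe = f"/baseline-{secrets.token_hex(8)}" + (f".{ext}" if ext else "")
        status, body = fetch(probe)
        baseline[ext] = fingerprint(status, body, probe)
    return baseline


def baseline_check(fetch, paths):
    """Report a path only if its response differs from the learned not-found
    response for that file type."""
    baseline = learn_404_baseline(fetch, {extension_of(p) for p in paths})
    found = []
    for p in paths:
        status, body = fetch(p)
        if status == 404 or fingerprint(status, body, p) == baseline[extension_of(p)]:
            continue  # real 404, or indistinguishable from the server's own not-found page
        found.append(p)
    return found


if __name__ == "__main__":
    print("naive:   ", naive_check(fake_server, CANDIDATES))
    print("baseline:", baseline_check(fake_server, CANDIDATES))
```

Against the constructed server the naive check reports all seven candidates, while the baseline-aware check reports only the two files that exist. Real scanners add further normalisation (timestamps, session tokens, varying advertisements) before hashing, which is what the "multiple methods" in the list above refers to.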

You can download Nikto 2 here:


Or read more here.

Posted in: Exploits/Vulnerabilities, Hacking Tools, Windows Hacking


25 Responses to Nikto 2 Released – Web Server Scanning Tool

  1. Sir Henry December 24, 2007 at 2:12 pm #

    I think it is time to request a scan or two on my web host to keep them honest. Wonder how they will respond to that. If they refuse, then what do they have to hide, right? And if they don’t and something gets pwnd, perhaps I shall have to find another home? We shall see.

  2. mumble December 24, 2007 at 4:39 pm #

    @Sir Henry: I’m surprised, given your background, that you’re not running on a virtual server rather than shared hosting. The costs have dropped to the point where there’s no practical difference – and an order of magnitude more control.

    BTW — mumble (symbol) fruck (punctuation) org

  3. Sir Henry December 24, 2007 at 4:43 pm #

    I know, I know…shame on me. ;P My host does not provide VPS at a price point comparable to that which I am spending upon a shared hosting environment. Indeed, though, I know the advantages of running on a VPS and would love to, but right now, just do not have the $$ to justify it.

  4. goodpeople December 28, 2007 at 8:02 am #

    Nikto rocks! I love it. I also do lectures. Nikto is one of my favorites. Just ask someone in the audience if they have their own webserver and run Nikto against it.

  5. goodpeople December 28, 2007 at 8:06 am #

    @sir henry,

    Check your contract and look for something that says that you are not allowed to scan.

    When unsure, send them an email (on friday evening) that you will be performing a scan and start the scan 5 minutes later.

  6. Sir Henry December 28, 2007 at 2:41 pm #


    I contacted them to ask about scans and audits on shared servers and their response was, “The more attention to security by our customers, the better.”. That included all the normal caveats of not pwning the server in any way and if there is something serious, to simply let them know.

  7. mumble December 28, 2007 at 4:01 pm #

    The main problem with not pwning the box is that often, the only reliable way of knowing whether the box is vulnerable is to bang on it and find out. Of course, once you have a shell on a box, it’s pwned.

  8. Sir Henry December 28, 2007 at 4:15 pm #

    So far, I have not seen much that really gives me worry. Although, if you have access to the box, you can cat any of the log files and gain username information based upon ssh auth and whatnot. I am not sure that is anything to worry about from my perspective, but I will bring it up, anyway. I do not know that they would want their customers to have that type of information about one another. I am taking an iterative approach, however and seeing what I can leverage from each type of assessment I make.

  9. goodpeople January 3, 2008 at 11:08 am #

    @Sir Henry,

    If I were you, I’d let Nikto and Nessus loose on their server and see where it leads to. Combined with the info you get when you actually do have an account on the box, it could get very interesting...

  10. Sir Henry January 3, 2008 at 12:48 pm #


    I have been using Nikto thus far and am considering other apps, as well. I once worked for Qualys, so I still have the availability of an account there to use for scanning the server. I might use Nessus to simply compare and contrast the two.

  11. James Cooper January 4, 2008 at 10:18 am #

    Nikto’s design seems fundamentally flawed. I know companies like Qualys, Tenable (nessus) and Outpost24 who used to use nikto were putting out really long and misleading reports when they were using nikto against sites that didn’t return 404 error codes. My latest reports from Outpost24 have been much better, but it seems like they dropped nikto.

    I’m interested in playing with this new version to see if it has gotten any better about false positives.

  12. Sir Henry January 4, 2008 at 3:33 pm #


    So far, I am pleased with the new version of Nikto, but, being of skeptical nature, I always use many tools and see where the differences lie to weed out the false positives. I am not familiar with Outpost24, however and shall add that to my list of things to investigate. Thanks for the tip.

  13. goodpeople January 6, 2008 at 8:15 am #

    @Sir Henry,

    Will you keep us posted?

  14. eM3rC January 6, 2008 at 9:41 pm #

    @Sir Henry

    Ditto what goodpeople said

    Great program! Thanks darknet!

  15. Sir Henry January 8, 2008 at 11:05 pm #

    @goodpeople and eM3rC

    I have sent off my Nikto results to my web host for consultation before I make any changes. In addition to that, I ran a QG map and scan against the server IP. I am thinking that they are still going through all the results. The good thing is that there were no sev4 and sev5 vulns. As for the sev3’s, I await their response.

  16. goodpeople January 9, 2008 at 12:09 am #

    You do realize that you have just become “that annoying guy who thinks he understands the wonderful Internet”. Right?

  17. Sir Henry January 9, 2008 at 12:51 am #

    For my web host? lol…yeah, I believe I have become that guy. But, I think they appreciate it. I once submitted with the following lines to show them that they needed to restart httpd:

    ps -ef | grep httpd
    userx 25159 25142 0 16:52 pts/2 00:00:00 grep httpd

    I believe they laughed, but thanked me for being attentive.

  18. goodpeople January 9, 2008 at 12:55 am #


    Well, I guess everybody here knows the frustration of knowing more than the people who are supposed to give support.

  19. eM3rC January 9, 2008 at 3:05 am #

    @ Sir Henry

    It’s nice that you would be nice enough to contact your host about their vulnerabilities and let them know about what you were going to try to do. Many people I know seem to just do what they want and if someone doesn’t like it, down go the servers and/or website and/or computer.

  20. ivan January 9, 2008 at 2:07 pm #


    I am a total newbie on computer security, so please be patient :)

    So, Nikto 2 contains many enhancements over the first version. One of the major new features is fingerprinting web servers via favicon.ico files.

    Because I’m a newbie I don’t know how Nikto finds a webserver bug through a *.ico file? So please tell me.

    Any answer would be appreciated!

  21. Sir Henry January 9, 2008 at 2:59 pm #


    This is simple enough. They are speaking specifically about the favicon .ico file for popular webservers. If you do a search for favicon.ico on a server, there is information there that can disclose the type of webserver, thus providing the fingerprint.

  22. ivan January 9, 2008 at 7:39 pm #

    Sir Henry,

    Thanks a bunch for your explanation, but there’s a thing that I don’t understand yet. So, can you give examples of what you’re talking about, the favicon.ico of some webservers?

  23. Sir Henry January 9, 2008 at 7:43 pm #

    Look at the following link to see how one would check a favicon to enumerate the fingerprint of a web server:

  24. ivan January 9, 2008 at 7:57 pm #

    Oh my god, again, thanks a bunch for your absolutely ultra fast reply, I have understood now :)

  25. Sir Henry January 9, 2008 at 7:58 pm #

    Anything to spread the word on security.