There are handy free tools to run a scan on your web server, whether it is your own or you rent space from a hosting party. Nikto is a standard part of Kali linux, but you can also use it separately in another distribution or live environment.
- Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux. Hardware requirements Maltego is supported on Java 8 64 bit but Java 11 64 bit is recommended.
- Here are some of the major features of Nikto. See the documentation for a full list of.
- Nikto is a very light vulnerabilities scanner for web servers, it is useful if you have no time to deal with heavy scanners like Nexpose or Nessus, despite this, if you have time to analyze your target I would recommend a more complete scanner like Nexpose, Nessus, OpenVAS or Nmap, some of which we already analyzed at LinuxHint simply because.
Nikto Installation. On Windows:-First download and install perl interpreter. Next download nikto and extract the contents of the archive into a directory.
Find Web Server Vulnerabilities
If you do not run your blog or web server yourself, you often depend on the security level that your provider uses. It is quite easy to see if your application is running a recent version, but the deeper you go into the system, the more difficult it gets. As a user, you need root access to check the databases, server components and scripting, and that access is usually reserved for customers of expensive hosting packages.
Nikto scanner
Nikto is a tool that you can target a specific system to perform a scan on all kinds of possibly outdated parts. The software is designed, for example, to screen a web server for security issues, such as misconfigured Apache extensions or outdated software versions. Nikto, on the other hand, is also used by attackers who use it in addition to a scan tool like nmap. This tool maps the servers in a network, with Nikto they then hunt deeper for a specific target.
Nikto scan for over 6700 items to detect misconfiguration, risky files, etc. and some of the features include;
- You can save report in various formats such as HTML, XML, CSV
- It supports SSL and Full HTTP Proxy
- Scan multiple ports on the server
- Find subdomain
- User enumeration
- Checks for outdated components
- Detect parking sites
- Server and software configurations
- Default files and programs
- Insecure files and programs
- Outdated servers and programs
Most Linux distributions today offer Nikto in their package manager, but it can also be downloaded as a Perl program from the project’s website. It is of course supplied as standard in the security-researching Linux distribution Kali Linux, which is also available as a live environment. This allows you to quickly run an analysis from any possible system, be it officially a Windows machine or something else.
Using Nikto
You should only use Nikto on systems that are your own, scanning other web servers can lead to all kinds of trouble due to potential computer hacking. Moreover, such a scan is easy to notice, because there is no stealth mode. The analyzes are carried out as quickly as possible: he questions his target system on a number of parts and that is clearly visible when you search for it.
From the terminal you start the program with the command “nikto -h”. Graphical interfaces are provided for the program written in Perl and you can use them or just use a command line, depending on your personal taste. If you specify a computer you can enter an IP address, but a url is also fine.
Keep in mind that a scan can be broader than you intend if you query “www.cyberwarzone.com”, for example, because all underlying domains and directories are also examined. If you specify a fixed path, Nikto will only search the underlying folder structure. After confirmation, the program will run for a while, but you will soon see the first results appear in the terminal, for example which server version is used. It takes a while for all tests to complete.
The software is quite user-friendly. Some results are immediately visible, for example if the analysis shows that the license files (“license.txt”) are publicly accessible. These files are not required to run the programs, but they do contain information that attackers can use about, for example, installed software and its versions.
It may take some time for Nikto to complete his scan, depending on the size of the environment he is scanning. You can shorten the scan time by selecting in advance which tests the tool should run. It is possible to save the result of the scan so that you can read it at your leisure.
Nikto is a fast, extensible, free open source web scanner written in Perl. Nikto is great for running automated scans of web servers and application. Unlike passive tools like Paros or WebScarab, Nikto is active and automated, so there's no need to set up a proxy and navigate a site by hand. Because Nikto relies on OpenSSL it is most easily installed and run on a Linux platform. However, there are times when you might not have easy access to a Linux platform but still want to have the ability to run Nikto. The following tutorial will show you the many convoluted steps needed to install Nikto on Windows XP. I tested this process on Windows XP Professional, service pack 3, but it will probably work on other configurations.
The first step to getting Nikto to run is to install Perl. Fortunately for Windows users, ActiveState releases Active Perl, which is free. Download Active Perl from their site at ActiveState.com. Once you have downloaded Perl, install it in an easy to access location, such as C:Perl. Next update your PATH environmental variable so that C:Perlbin is in your PATH. To do this right click on your 'My Computer' icon, select 'Properties', click the 'Advanced' tab, and click the 'Environmental Variables' button at the bottom. This will open a new window. In the bottom half of this window, in the 'System variables' frame you should see an item called 'Path'. Click 'Path' and then the 'Edit' button. Path variables are separated by a semi-colon, so scroll to the end of the 'Variable value' text box and add ';C:Perlbin;' to add Perl to your PATH environmental variable. Now click 'OK' on on the open boxes to close things up again. (See the related article on MadIrish.net for further details)
Once you have Perl installed you're going to need to begin the arduous task of getting OpenSSL built and installed. The first thing you'll need is the 7zip utility from 7-zip.org. You're going to need this because several of the files are distributed as zipped tar files (.tar.gz or .tgz extensions). 7zip allows you to unzip and untar these files.
Next you need Microsoft Visual C++ Redistributable from Microsoft.com. Be sure to get the version from this link, as it is known to work with this process. Once the download is complete, install the program.
You're also going to need the Windows equivalant of the Unix 'make' utility, called 'nmake'. Download Nmake15.exe from Microsoft's site at Microsoft.com. You should rename this to 'nmake.exe' and put it's location in your Path environmental variable. I created a folder called C:bin and then put all such files in there. I've added C:bin to my Path environmental variable. You can test to see if this is configured correctly by opening a command prompt (Start->Run->Command) and typing 'nmake' to see if you get any output. If you get an error that says 'nmake' is not recognized as an internal or external command, operable program or batch file' then it isn't installed or the environmental variable isn't set up properly. Note that when you change an environmental variable you have to open a new command prompt for changes to take effect.
Nikto Security Tool
Now you have to install a C compiler. The best one to use for this job is MinGW because it includes a g++ compiler. Download MinGW from MinGW.org and install it. Be sure to select g++ in addition to the default components when installing MinGW. Once installed add the path to gcc.exe to your Path environmental variables, it's usually located in C:MinGWbin. Once you've done this test to ensure that MinGW is installed properly. Type the following command at a command prompt to view the version information:
Now that you've got all the tools you need to build OpenSSL go ahead and download OpenSSL from SLProWeb.com. Run the installer and install OpenSSL into C:OpenSSL. Add the following to your Path environmental variables:
Once installed double click on the program C:OpenSSLbinopenssl.exe. If you get an error then something has gone wrong. If there is no error a command prompt should open with the 'SSL>' prompt at the front of the line.
Now that OpenSSL is installed we can install Net_SSLeay.pm, the Perl SSL module. You can download this module from CPAN.org. The download link is on the right and should be something like Net_SSLeay.pm-1.25.tar.gz. Download this file and extract it by right clicking on it, selecting 7zip, then the 'Extract here' option. I put the final extracted Net_SSLeay.pm-1.25 folder in my C:Temp folder just because there were problems when it was in a path with a space (such as 'C:Documents and Settings'). Once you've extracted the file it's time to build the Net_SSLeay module. To do this type the following:
You'll notice the slash in the file path to OpenSSL is backwards. Perl interprets command paths with Unix style forward slash separations. If you use a backslash the command won't execute properly. Once the Makefile is written it's time to build the module. Use this command to build it:
Once that completes, install the module using:
You may get some errors reported at the end of the output. If this is the case the installation might not have gone completely smoothly. Check in the C:TempNet_SSLeay.pm-1.25 directory and see if a SSLeay.pm file exists. If it does simply copy it into your Perl directory (C:PerllibNet) and you should be fine.
Once OpenSSL and SSLeay are installed you can use Nikto. Download Nikto from http://www.cirt.net/nikto2 into it's own folder (I chose C:Program FilesNikto2). Nikto is a series of Perl scripts so there's no need to run an installer. Once Nikto is downloaded and extracted open a command prompt and navigate to the Nikto folder. You can run Nikto using:
Nikto Tool
Where 192.168.0.1 is the target of your testing. Make sure you target a website you control or have permission to test. Others might not take so kindly to your testing their sites without permission.
Download Nikto For Windows
Form more information about how to actually use Nikto see their documentation at http://cirt.net/nikto2-docs/.