TOOL GUIDE

How to use Nikto to check website safety.

Nikto is a fast tool that checks web servers for known weak spots. Learn how to scan your servers, read the reports, and fix bad settings before bad guys find them.


What exactly is Nikto?

A Safety Inspector

Imagine a guard who walks around a building checking if doors are locked. Nikto does this for websites.

Fast and Simple

It tests thousands of common mistakes very quickly. It gives you a quick snapshot of your website's safety.

A Report Generator

After checking the doors, it hands you a list telling you exactly what needs to be fixed.

Warning: Nikto is very "Loud"

Nikto is not a spy tool. When it checks a website, it makes a lot of "noise."

  • Any security system will easily see that you are scanning the site.
  • It leaves a huge trail of evidence in the server logs.
  • This is great for testing your own site, but bad if you want to be quiet.

The 3 Things Nikto Looks For

Old Software

It checks if you are using old versions of web software.

Old software often has known weak spots. Bad guys share these weak spots online. If you do not update, they can use these tricks against you.

Insecure Files

It checks for dangerous files left on the server.

Sometimes builders leave test files, backup files, or secret password files out in the open. Nikto searches for thousands of these specific files.

Bad Settings

It checks for common setup mistakes.

If your server is set up to share too much information, or if default passwords were never changed, Nikto will point it out.

How the Scan Works

1. Connect to Target

You type the website name. Nikto reaches out and says "hello" to the server.

2. Read the Giant List

Nikto has a massive list of known problems. It starts checking them one by one, very fast.

3. Create the Report

When it finishes, it stops and prints out a list of everything it found that looks bad.

Basic Commands to Learn

Nikto does not have buttons to click. You type commands on your screen to make it work.

Scan a basic website
nikto -h http://www.example.com

The -h stands for "host". This tells Nikto which website to look at.

Save the report to a file
nikto -h http://www.example.com -o results.html -Format htm

The -o tells it to output to a file. The -Format htm makes it a nice web page you can read later.

How to Read the Results

What it says               | What it means                                  | What you should do
---------------------------|------------------------------------------------|--------------------------------------------------------------------------------------------------
Outdated version of Apache | Your web server software is old.               | Download and install the newest version of the software immediately.
/admin.php found           | It found a login page that is easy to guess.   | Move the login page, change its name, or add an extra password layer to it.
X-Frame-Options not set    | A minor setting is missing.                    | Change your server settings to add this missing rule. It stops other sites from tricking your users.
Server: nginx/1.18.0       | It is telling the world what software you use. | Hide this information in your settings so bad guys do not know what tools you are using.
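A long report is easier to work through if you sort the findings into the three buckets this guide uses (old software, insecure files, bad settings) and attach a fix to each. The script below is an added example, not part of Nikto or of this guide. It reads the CSV report that `nikto -Format csv` writes; the column order it assumes (host, ip, port, test id, method, uri, message) and the sample rows in SAMPLE_CSV are constructed for the example, so check them against a report from your own scan before relying on the rules.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of what "nikto -Format csv" produces. The column order
# assumed here is: host, ip, port, test id, method, uri, message.
SAMPLE_CSV = '''"www.example.com","203.0.113.10","80","0","GET","/","Server: nginx/1.18.0"
"www.example.com","203.0.113.10","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"www.example.com","203.0.113.10","80","0","GET","/","nginx/1.18.0 appears to be outdated (current is at least 1.20.1)."
"www.example.com","203.0.113.10","80","3092","GET","/admin.php","This might be interesting."
"www.example.com","203.0.113.10","80","3092","GET","/backup.zip","This might be interesting."
"www.example.com","203.0.113.10","80","3233","GET","/readme.html","Default file found."
'''

FIELDS = ["host", "ip", "port", "id", "method", "uri", "message"]

# (bucket from the guide, pattern matched against the message, what to do)
RULES = [
    ("Old Software", re.compile(r"appears to be outdated", re.I),
     "Update the software to the current version"),
    ("Bad Settings", re.compile(r"header is not (present|defined|set)", re.I),
     "Add the missing security header in the server settings"),
    ("Bad Settings", re.compile(r"^\+?\s*Server:\s*\S+/\d", re.I),
     "Hide the server version banner"),
]


def parse_report(text):
    """Turn Nikto CSV text into a list of dicts keyed by FIELDS."""
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if len(record) != len(FIELDS):
            continue  # blank or malformed line
        rows.append(dict(zip(FIELDS, record)))
    return rows


def classify(row):
    """Put one finding into the guide's three buckets and pick a fix."""
    for bucket, pattern, action in RULES:
        if pattern.search(row["message"]):
            return bucket, action
    # Anything found at a specific path that no rule explains is a file to review.
    if row["uri"] not in ("", "/"):
        return "Insecure Files", "Remove the file or restrict who can reach it"
    return "Other", "Check this one by hand"


def build_checklist(text):
    """Group findings: {bucket: [(uri, message, action), ...]}."""
    checklist = defaultdict(list)
    for row in parse_report(text):
        bucket, action = classify(row)
        checklist[bucket].append((row["uri"], row["message"], action))
    return dict(checklist)


def summarize(text):
    """Counts per bucket, handy for comparing one week's scan with the next."""
    return {bucket: len(items) for bucket, items in build_checklist(text).items()}


if __name__ == "__main__":
    for bucket, items in build_checklist(SAMPLE_CSV).items():
        print(f"== {bucket} ({len(items)} to fix) ==")
        for uri, message, action in items:
            print(f"  {uri:13} {message}")
            print(f"  {'':13} -> {action}")
```

Run it against a real report with `nikto -h http://www.example.com -o results.csv -Format csv` and then `python3 checklist.py` after swapping SAMPLE_CSV for the file's contents. Keeping the output of `summarize()` from each scan makes it easy to see when a new finding appears.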

Good Rules (Do This)

  • Only scan websites that you own and control.
  • Scan your site every time you make a big change.
  • Use the scan report to make a checklist of things to fix.

Bad Rules (Never Do This)

  • Never scan a website if you do not have permission.
  • Never use Nikto to try and break into a website.
  • Do not ignore the report. If you see a red warning, fix it.

The Good and The Bad of Nikto

Why people love it

  • It is completely free to use.
  • It sets up very quickly.
  • It catches obvious mistakes instantly.
  • The reports are easy to save and read.

Why it is not perfect

  • It makes a lot of noise (not sneaky).
  • Sometimes it says there is an error, but it is wrong.
  • It does not think. It only checks a list.
  • It cannot test complex login systems.

Who Uses Nikto?

Security Guards

People hired to test a company's safety use it as their very first tool to get a quick overview.

Web Builders

Coders use it before launching a new website to ensure they didn't forget any basic locks.

Server Managers

The people who keep the computers running use it to double-check their own settings.

Where Can You Run It?

Linux / Kali Linux
Easiest

It is usually already installed on security versions of Linux. If not, it takes one simple command to download.

Mac Computers
Medium

You can install it using a special Mac tool called Homebrew. It takes a few extra steps.

Windows Computers
Hardest

It is not made for Windows. You have to install Perl (the language Nikto is written in) first before it will work.

Saving Time with "Tuning"

A full scan can take a long time. If you only want to check for one specific problem, you can "tune" the scanner to skip the rest.

Scan ONLY for old software
nikto -h http://www.example.com -Tuning b

The letter b stands for "Software Identification". This tells Nikto to ignore missing files and bad settings, and just look at the software versions. It makes the scan finish in seconds instead of minutes.

Beware of Fake Alarms

Sometimes Nikto gets confused. It might report that a door is open when it is actually securely locked. This is called a False Positive.

Why does this happen? Nikto is like a robot. If a website gives a weird, custom answer instead of a standard "No Entry" sign, the robot assumes it broke in. Always double-check a red warning yourself before panicking!

Plugins (Adding New Tricks)

Nikto is built with "Plugins." These are like extra tools you can attach to the main scanner to make it smarter.

Guessing Passwords

A plugin that tries common passwords like "admin123".

Finding Secret Folders

A plugin dedicated to hunting down hidden backup folders.

The Top 3 Fixes to Learn

#1 Hiding your Server Name

Most servers proudly shout "I am Apache version 2.4!". Turn this off in your server settings so bad guys don't know what weapons to use against you.

#2 Deleting Default Files

When you build a site, it often comes with a "readme.html" or "test.php". Delete these immediately. They give away clues.

#3 Adding Security Headers

These are invisible rules you add to your site that tell web browsers to block sneaky tricks (like preventing other sites from putting your site inside a frame).
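Fixes #1 and #3 both show up in the headers your server sends back, so you can confirm them without running a full scan. The script below is an added example (not Nikto's code and not from this guide): it reads one response's headers and reports a version-revealing Server banner, an X-Powered-By header, and missing browser protections. The BEFORE and AFTER header sets are constructed to show the same server before and after the fixes; the `fetch_headers` helper is only for checking a server you run yourself.

```python
import re
import urllib.request

# Headers a browser uses to block "sneaky tricks". Names are compared case-insensitively.
EXPECTED_HEADERS = {
    "x-frame-options": "stops other sites from putting your pages inside a frame",
    "x-content-type-options": "stops browsers from guessing a file's type",
}
VERSION_RE = re.compile(r"/\d")  # "nginx/1.18.0" or "Apache/2.4.41" reveal a version


def audit_headers(headers):
    """Return a list of plain-language findings for one HTTP response."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []
    server = lower.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server header reveals a version: {server!r}")
    if "x-powered-by" in lower:
        findings.append(f"X-Powered-By reveals your stack: {lower['x-powered-by']!r}")
    for name, why in EXPECTED_HEADERS.items():
        if name not in lower:
            findings.append(f"{name} not set; it {why}")
    return findings


def fetch_headers(url, timeout=10):
    """HEAD request against your own server; returns its headers as a dict."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return dict(response.headers)


# Constructed headers from the same server before and after the fixes.
BEFORE = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3",
          "Content-Type": "text/html"}
AFTER = {"Server": "nginx", "Content-Type": "text/html",
         "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else BEFORE
    for finding in audit_headers(headers) or ["No findings"]:
        print(finding)
```

The settings that turn BEFORE into AFTER are `server_tokens off;` and `add_header X-Frame-Options "SAMEORIGIN" always;` on nginx, and `ServerTokens Prod`, `ServerSignature Off` and `Header always set X-Frame-Options "SAMEORIGIN"` (mod_headers) on Apache. After changing them, run the script with your site's URL and the list of findings should be empty.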

The Machine (Nikto)

  • ✓ Extremely fast.
  • ✓ Never gets tired.
  • ✓ Checks exactly what is on the list.
  • ✗ Cannot think creatively.

The Human (You)

  • ✓ Can understand context.
  • ✓ Can guess passwords based on the company name.
  • ✓ Knows which warnings are actually fake alarms.
  • ✗ Very slow at checking 10,000 files.

What the Guard Sees (Server Logs)

If you scan someone else's server, their computer writes down everything you did. In the server's access log it looks like this:

192.168.1.5 - - [10/Oct/2023:13:55:36] "GET /admin.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.168.1.5 - - [10/Oct/2023:13:55:36] "GET /backup.zip HTTP/1.1" 404 - "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.168.1.5 - - [10/Oct/2023:13:55:37] "GET /test.html HTTP/1.1" 200 - "-" "Mozilla/5.0 (Nikto/2.1.6)"

Notice how it clearly says "Nikto/2.1.6" at the end of every single line? This is why Nikto is very loud and easy to catch!
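If you are the one running the server, the same noise is what lets you spot a scan. The script below is an added example, not part of Nikto or of this guide. It reads access-log lines in the common "combined" format and flags a client for two reasons: its user agent says Nikto, or it asked for an unusual number of pages that do not exist (a scanner walks a list of file names; a normal visitor does not). The log lines in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines in the common "combined" format. The first three
# are what a Nikto scan leaves behind; the last is a normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /test.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """One log line -> dict of fields, or None if it is not in combined format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_scanners(log_text, max_404_per_ip=20):
    """Return {ip: [reasons]} for clients that behave like a web scanner."""
    reasons = defaultdict(set)
    missing_pages = defaultdict(int)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        # Signal 1: the tool announces itself in the user agent.
        if "nikto" in record["agent"].lower():
            reasons[record["ip"]].add("user agent says Nikto")
        # Signal 2: many requests for pages that do not exist.
        if record["status"] == "404":
            missing_pages[record["ip"]] += 1
    for ip, count in missing_pages.items():
        if count >= max_404_per_ip:
            reasons[ip].add(f"{count} requests for pages that do not exist")
    return {ip: sorted(why) for ip, why in reasons.items()}


if __name__ == "__main__":
    # Threshold lowered for the short sample; keep the default on real logs.
    for ip, why in find_scanners(SAMPLE_LOG, max_404_per_ip=2).items():
        print(ip, "->", "; ".join(why))
```

The second signal matters because the user agent is just text the client sends: a scan that does not say "Nikto" still produces the burst of 404s. Point the function at `/var/log/apache2/access.log` or `/var/log/nginx/access.log` and tune `max_404_per_ip` to what is normal for your site.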

Scanning Automatically

Smart security guards do not run Nikto manually every day. They set up the computer to run it automatically every Sunday night while they are asleep.

  • Sunday 2:00 AM: the computer wakes up.
  • Nikto runs and checks for new mistakes.
  • An email is sent and the report waits in your inbox.

The Simple Word List (Cheat Sheet)

  • Host: The target. It is just the website name or IP address you want to scan.
  • Vulnerability: A fancy word for a "weak spot" or a "broken lock" on your server.
  • Port: The specific door on the server. Websites usually use door (port) 80 or 443.
  • Directory: A folder on the computer where files are stored.

Your Action Plan

Nikto is only the first step. Finding the problem does not fix the problem. Here is what you must do next:

1. Run the basic scan command on your test server.
2. Read the HTML report it generates.
3. Update any software it marks as "outdated".
4. Delete any old backup files it finds.