Install Nikto web scanner on an Ubuntu VPS

Nikto is a Perl-based, open source web server scanner which performs a wide range of tests against web servers, checking for thousands of potentially dangerous files and programs, outdated server versions and other known issues. Since Nikto is written in Perl, it runs on any operating system with a Perl interpreter installed. In this tutorial we will show you how to install and use Nikto on an Ubuntu VPS. The installation is quick and easy. Keep in mind that Nikto is not designed to be stealthy: it sends a large number of requests that will show up in the target's logs, so only scan servers you own or are explicitly authorised to test.

Nikto comes with many useful features, such as:

  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Scan multiple ports or multiple servers
  • Identifies installed software via headers, favicons and files
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Save full request/response for positive tests
  • And many more…

First of all, log in to your Ubuntu VPS as the root user (Nikto itself does not need root privileges; a regular user with sudo rights for the package installation steps works just as well)

ssh root@IP_ADDRESS

and make sure that all installed packages are up to date

apt-get update && apt-get upgrade

Install some prerequisites: libwhisker2-perl is the LibWhisker HTTP library Nikto is built on, and libnet-ssleay-perl together with openssl is what Nikto needs to scan HTTPS targets

apt-get install wget unzip libnet-ssleay-perl libwhisker2-perl openssl

Go to Nikto’s official website and download the latest release to your server (2.1.5 at the time of writing; substitute the current version number in the commands below)

cd /opt
wget https://cirt.net/nikto/nikto-2.1.5.tar.gz

Unpack the downloaded tarball archive

tar xvfz nikto-2.1.5.tar.gz

This will create a new ‘nikto-2.1.5’ directory. We will rename this directory

mv nikto-2.1.5/ nikto

Change the current working directory and make the Perl script executable

cd nikto/
chmod +x nikto.pl

Update Nikto’s database and plugins

perl nikto.pl -update

+ Retrieving 'nikto_cookies.plugin'
+ Retrieving 'db_parked_strings'
+ Retrieving 'nikto_headers.plugin'
+ Retrieving 'nikto_report_csv.plugin'
+ Retrieving 'db_tests'
+ Retrieving 'CHANGES.txt'
+ CIRT.net message: Please submit Nikto bugs to https://github.com/sullo/nikto

For a simple test scan of your website you can run

perl nikto.pl -h yourwebsite.com

If your web server listens on a port other than the default (80), use the -p switch to specify the port. For an HTTPS site add the -ssl switch as well, since Nikto only assumes SSL on port 443.

The output of this simple scan will give you very useful information, such as missing security headers, outdated and vulnerable web applications, interesting files and directories, and possible XSS issues. Most checks are signature based, so treat each finding as a lead to verify by hand rather than a confirmed vulnerability. You can save the output to a file using the -o switch; the report format is taken from the file extension (csv, htm, nbe, txt or xml) or can be set explicitly with the -Format switch. For example, the following command will scan your website and save the output to an HTML file.

perl nikto.pl -h yourwebsite.com -o scan.htm
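To tie the steps above together, here is an added example wrapper script (not part of Nikto or of this tutorial's original commands). It assumes the checkout from the install steps lives in /opt/nikto, scans a list of "host port" pairs while saving one report per target, and then summarises a CSV report. The CSV column layout it parses (host, IP, port, OSVDB id, method, URI, message) is what the 2.1.5 CSV report plugin is assumed to write; check it against your own output. The sample report at the bottom is constructed data, not a real scan.

```shell
#!/bin/sh
# Added example wrapper around the Nikto checkout installed above.
# This is not part of Nikto; paths and the CSV layout below are assumptions.
# Scan only hosts you own or are explicitly authorised to test: Nikto is noisy
# and its requests will show up in the target's logs.

NIKTO_DIR="${NIKTO_DIR:-/opt/nikto}"        # where nikto.pl lives (see install steps)
REPORT_DIR="${REPORT_DIR:-./nikto-reports}"  # one report file per host/port

# Build the command line for one target. Kept separate from execution so it can
# be inspected (dry run) before anything touches the network. Port 443 gets -ssl
# and the report format is set explicitly with -Format rather than inferred.
nikto_cmd() {
    host=$1; port=$2; fmt=$3; stamp=$4
    out="$REPORT_DIR/${host}_${port}_${stamp}.${fmt}"
    if [ "$port" = 443 ]; then
        printf 'perl %s/nikto.pl -h %s -p %s -ssl -Format %s -o %s\n' \
            "$NIKTO_DIR" "$host" "$port" "$fmt" "$out"
    else
        printf 'perl %s/nikto.pl -h %s -p %s -Format %s -o %s\n' \
            "$NIKTO_DIR" "$host" "$port" "$fmt" "$out"
    fi
}

# Read "host port" pairs (one per line, # comments allowed) from a target file
# and scan each one. If the Nikto checkout is missing, only the commands are printed.
scan_targets() {
    list=$1; fmt=${2:-csv}
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$REPORT_DIR"
    while read -r host port; do
        case $host in ''|\#*) continue ;; esac
        cmd=$(nikto_cmd "$host" "${port:-80}" "$fmt" "$stamp")
        if [ -x "$NIKTO_DIR/nikto.pl" ]; then
            echo "== $cmd"
            $cmd    # word-splitting is intended: hostnames and paths contain no spaces
        else
            echo "(dry run) $cmd"
        fi
    done < "$list"
}

# --- Post-processing of a CSV report -------------------------------------
# Assumed column layout of the 2.1.5 CSV report plugin:
#   "host","ip","port","osvdb","method","uri","message"
# Splitting on the literal `","` keeps commas inside the message intact unless
# the message itself contains `","`; verify against your own reports.

# Total number of finding rows in a report.
count_findings() {
    awk -F'","' 'NF >= 7 { n++ } END { print n + 0 }' "$1"
}

# Rows tied to a catalogued issue (non-empty, non-zero OSVDB id). The rest are
# informational (headers, banners) and need manual triage anyway.
count_known_issues() {
    awk -F'","' 'NF >= 7 && $4 != "" && $4 != "0" { n++ } END { print n + 0 }' "$1"
}

# Findings per host:port, so a multi-target run can be reviewed per service.
summarize_by_port() {
    awk -F'","' 'NF >= 7 { sub(/^"/, "", $1); c[$1 ":" $3]++ }
                 END { for (k in c) print k, c[k] }' "$1" | sort
}

# Constructed sample report (made-up data, not a real scan) so the summary
# functions can be exercised offline.
SAMPLE_CSV=$(mktemp)
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
"yourwebsite.com","203.0.113.10","80","0","GET","/","Server: Apache/2.2.22 (Ubuntu)"
"yourwebsite.com","203.0.113.10","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"yourwebsite.com","203.0.113.10","80","3233","GET","/phpinfo.php","Contains PHP configuration information"
"yourwebsite.com","203.0.113.10","80","3268","GET","/backup/","Directory indexing found."
"yourwebsite.com","203.0.113.10","443","0","GET","/","Server: Apache/2.2.22 (Ubuntu)"
EOF

echo "findings: $(count_findings "$SAMPLE_CSV"), catalogued issues: $(count_known_issues "$SAMPLE_CSV")"
summarize_by_port "$SAMPLE_CSV"
```

To use it against real targets, put one "host port" pair per line in a file and call scan_targets targets.txt csv; the generated command lines are printed before they run, so a dry run without the checkout present shows exactly what would be sent.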

You can check all options supported by Nikto using the -Help switch; running it with -h and no host name, as below, prints the short usage list

perl nikto.pl -h

-config+            Use this config file
-Display+           Turn on/off display outputs
-dbcheck            check database and other key files for syntax errors
-Format+            save file (-o) format
-Help               Extended help information
-host+              target host
-id+                Host authentication to use, format is id:pass or id:pass:realm
-list-plugins       List all available plugins
-output+            Write output to this file
-nossl              Disables using SSL
-no404              Disables 404 checks
-Plugins+           List of plugins to run (default: ALL)
-port+              Port to use (default 80)
-root+              Prepend root value to all requests, format is /directory
-ssl                Force ssl mode on port
-Tuning+            Scan tuning
-timeout+           Timeout for requests (default 10 seconds)
-update             Update databases and plugins from CIRT.net
-Version            Print plugin and database versions
-vhost+             Virtual host (for Host header)

Further information about Nikto can be found in their official documentation.

Of course you don’t have to do any of this if you use one of our Managed VPS Hosting services, in which case you can simply ask our expert Linux admins to install Nikto for you. They are available 24×7 and will take care of your request immediately.
