Nikto is an open-source web scanner that checks web servers for problems. It runs on Linux/Unix. It can be downloaded from the official website and unpacked on a local computer to run. Here the copy of Nikto bundled with BackTrack 5 is used directly.
Nikto command directory: /pentest/web/nikto/
root@bt:/pentest/web/nikto# ls
docs nikto.conf nikto.pl plugins templates
root@bt:/pentest/web/nikto# ./nikto.pl -h
Option host requires an argument
-config+         Use this config file
-Display+        Turn on/off display outputs
-dbcheck         check database and other key files for syntax errors
-Format+         save file (-o) format
-Help            Extended help information
-host+           target host
-id+             Host authentication to use, format is id:pass or id:pass:realm
-list-plugins    List all available plugins
-output+         Write output to this file
-nocache         Disables the URI cache
-nossl           Disables using SSL
-no404           Disables 404 checks
-Plugins+        List of plugins to run (default: ALL)
-port+           Port to use (default 80)
-root+           Prepend root value to all requests, format is /directory
-Single          Single request mode
-ssl             Force ssl mode on port
-Tuning+         Scan tuning
-timeout+        Timeout for requests (default 10 seconds)
-update          Update databases and plugins from CIRT.net
-Version         Print plugin and database versions
-vhost+          Virtual host (for Host header)
+ requires a value
Note: This is the short help output. Use -H for full help text.
Next, test baidu:
root@bt:/pentest/web/nikto# ./nikto.pl -h www.2cto.com
- Nikto v2.1.5
For example:
Wait patiently for the scan to finish and print the vulnerability results, then decide the next step based on them. Because the Nikto database is updated slowly, some of the latest vulnerabilities may not be detected. Note that Nikto may generate a large number of HTTP connections or a large amount of traffic to the target website, which may degrade the website or cause downtime. If the target website is protected, the scanning IP address may be added to an IP blacklist.
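The traffic pattern described above is what a protected site keys on before blacklisting an address. The following is an added example, not part of the original article or of Nikto itself: a small detector that reads web server access logs in combined format and flags clients by Nikto's default User-Agent string or by a burst of mostly-404 requests. The thresholds, function names, IP addresses and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ \S+ [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def detect_scanners(lines, window=timedelta(seconds=60),
                    min_requests=20, min_404_ratio=0.7):
    """Return {ip: reason} for clients whose traffic looks like a Nikto-style scan."""
    hits = defaultdict(list)              # ip -> [(timestamp, status)]
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines instead of failing
        if "nikto" in m["ua"].lower():    # default UA only; easily changed by the scanner
            flagged[m["ip"]] = "user-agent"
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, int(m["status"])))
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):    # sliding time window over this client's requests
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            not_found = sum(1 for _, status in burst if status == 404)
            if len(burst) >= min_requests and not_found / len(burst) >= min_404_ratio:
                flagged.setdefault(ip, "404-burst")
                break
    return flagged

def sample_log():
    """Constructed sample: default Nikto UA, a scanner with a changed UA, a normal visitor."""
    fmt = ('{ip} - - [10/Oct/2013:13:55:{s:02d} +0000] '
           '"GET {p} HTTP/1.1" {st} 512 "-" "{ua}"')
    nikto_ua = "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000003)"
    lines = [fmt.format(ip="192.0.2.10", s=1, p="/", st=200, ua=nikto_ua)]
    lines += [fmt.format(ip="198.51.100.7", s=i, p=f"/probe{i}.php",
                         st=404 if i % 5 else 200, ua="Mozilla/5.0") for i in range(30)]
    lines += [fmt.format(ip="203.0.113.5", s=i * 10, p="/index.html",
                         st=200, ua="Mozilla/5.0") for i in range(5)]
    return lines

if __name__ == "__main__":
    for ip, reason in sorted(detect_scanners(sample_log()).items()):
        print(ip, reason)
```

The 404-burst rule matters because the User-Agent match alone stops working as soon as the scanner is configured to send a different string.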