What Is Nikto? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
Nikto is a tool that checks web servers for security problems like old software, dangerous files, and misconfigurations. It is used by security professionals to find weaknesses before attackers do. Nikto runs quickly and provides a report of what it finds. You do not need to be a security expert to run a basic scan, but understanding the results requires some knowledge.
Commonly Confused With
Nmap is a general network scanning tool that discovers hosts and services by sending packets and analyzing responses. It identifies open ports, running services, and operating systems. Nikto, on the other hand, is specialized for web servers and tests for known vulnerabilities and misconfigurations. Nmap might tell you that a web server is running Apache, but Nikto will tell you whether that Apache version is old and has known flaws.
If you want to know what ports are open on a server, use Nmap. If you already know there is a web server and want to check if it is secure, use Nikto.
OpenVAS is a full-featured vulnerability scanner that covers a wide range of services, including operating systems, databases, and network devices. It has a more comprehensive database and can perform authenticated scans. Nikto is limited to web server vulnerabilities and only performs unauthenticated scans. OpenVAS is heavier and slower, while Nikto is quick and focused.
OpenVAS is like a full medical checkup for your entire network. Nikto is like a quick eye exam for your web server.
OWASP ZAP is a web application security scanner that focuses on application-layer vulnerabilities like SQL injection, cross-site scripting, and broken authentication. It can actively attack the application and intercept traffic. Nikto focuses on the server layer: outdated software, misconfigurations, and exposed files. They complement each other but target different depths.
Nikto checks if the server's front door is strong and the locks are working. OWASP ZAP checks if the rooms inside have hidden traps and weak floors.
Must Know for Exams
Nikto appears in several certification exams, particularly those focused on security, penetration testing, and network defense. In the CompTIA Security+ exam (SY0-601 and SY0-701), Nikto is mentioned under the domain of 'Assessments and Audits' as a tool used for vulnerability scanning. You may encounter questions about what type of tool Nikto is, its capabilities, and appropriate use cases.
For example, a question might ask: 'Which tool would you use to scan a web server for known vulnerabilities and misconfigurations?' and the correct answer would be Nikto. In the CompTIA CySA+ (CS0-002) exam, Nikto is covered more deeply as a tool for continuous security monitoring and vulnerability assessment.
You might need to interpret Nikto scan results or decide when to use it versus other tools like Nmap or OWASP ZAP. In the Certified Ethical Hacker (CEH) exam, Nikto is part of the scanning methodologies phase. Questions might ask about its features, such as its ability to test over 7200 files or its database structure.
In the PenTest+ exam, Nikto is a key tool for web application testing. You could see questions about command syntax, output interpretation, and how to evade detection using Nikto's options. For example, a scenario might describe a web server that appears to be running Apache, and you need to choose the appropriate Nikto command to find outdated plugins.
In the SANS GIAC certifications, such as GPEN (Penetration Tester), Nikto is used in the practical exam as part of the web server reconnaissance phase. You must demonstrate proficiency in running Nikto and analyzing its output. Across all exams, the key objectives that Nikto aligns with are: identifying common web server vulnerabilities, understanding the purpose of a web server scanner, knowing how to interpret scan results, and being aware of false positives.
Question types include multiple-choice, scenario-based, and command-line completion. You might be asked to identify the correct option from a set of tools, or to choose the most appropriate Nikto flag for a specific need.
Simple Meaning
Think of Nikto as a digital security guard that walks around a website and checks all the doors, windows, and locks to see if any are broken or left open. When you run Nikto against a web server, it sends many different requests to the server, just like a guard trying all the doors. It looks for things like old software that has known holes, files that should not be publicly accessible, and settings that are not secure.
For example, Nikto might find that your web server is running an older version of Apache that has a known vulnerability, or that there is a file called test.php that anyone can see. It also checks for things like default passwords, which are like leaving the key under the mat.
The tool has a database of thousands of known issues, which is like a giant checklist of common problems. When the scan finishes, you get a list of all the issues found, along with suggestions for how to fix them. This is very useful because it automates a lot of the tedious work of manually checking for security problems.
However, Nikto is not perfect. It can sometimes flag things as problems when they are really not, which is called a false positive. So you need to review the results carefully and not assume everything it finds is a real danger.
It is also important to know that running Nikto against a web server without permission can be illegal, just like trying doors on a building that is not yours. Always get written permission before scanning any server that you do not own.
Full Technical Definition
Nikto is a command-line web server scanner written in Perl, commonly used in security assessments and penetration testing. It works by sending crafted HTTP requests to a target web server and analyzing the responses for known vulnerabilities, misconfigurations, and outdated software. The tool can test over 7200 potentially dangerous files and programs, as well as check for outdated versions of over 1250 server software packages.
It also supports checking server configuration issues such as the presence of multiple index files, HTTP server options, and the availability of CGI directories. Nikto operates in a stateless manner, meaning each request is independent and does not rely on session persistence. This makes it fast but also means it may miss some vulnerabilities that require a multi-step process.
The tool is often used in conjunction with other scanners like Nmap, because Nikto can use Nmap's output to speed up the scanning process by only testing ports that are open. The core engine of Nikto is based on a large database of vulnerability checks, called plugins and databases, which are updated periodically. The most common database is the nikto_database.
db file, which contains all the signatures for known issues. Nikto supports SSL/TLS scanning, allowing it to check secure web servers as well. It also has options to evade intrusion detection systems (IDS) by using techniques like slow scanning, random delays, and custom headers.
Real-world implementation often involves running Nikto as part of a regular security audit cycle, for example once a month, or as a quick check when a new web application is deployed. Security professionals also use it during penetration tests to identify low-hanging fruit, which are easy-to-exploit vulnerabilities. Nikto only checks for known patterns; it cannot find custom application logic flaws or zero-day vulnerabilities.
Therefore, it is best used as a starting point, not as a complete security solution. Common options include -h for the target host, -p for port specifications, and -ssl to force SSL mode. The output can be saved in formats such as HTML, CSV, or XML for reporting purposes.
Nikto is included by default in many security-focused Linux distributions like Kali Linux and Parrot OS.
Real-Life Example
Imagine you are moving into a new apartment. Before you unpack, you decide to check all the locks on the doors and windows to make sure they are secure. You go to the front door and try the handle, it locks fine.
You check the back door, the lock is a bit loose but still works. Then you check a window in the bedroom, and you find that the latch is broken. This is like what Nikto does for a web server.
In the apartment analogy, the building is the web server, and the doors and windows are the different parts of the server software and files. You walk around and try each one. Nikto does this by sending HTTP requests to many different paths, like checking if there is a file named passwords.
txt or a directory called admin. It also checks the version of the server software, like noticing that your apartment's main door lock is an old model that has a known weakness. If it finds something wrong, it reports it, just like you would write down that the bedroom window latch is broken.
But just like with the apartment, some things might look broken but are actually fine, for example, you might think a window is unlocked but it is actually just stuck. That is a false positive. Also, you should not walk into someone else's apartment and check their locks without permission.
That is why you always need authorization before scanning a web server with Nikto.
Why This Term Matters
Nikto matters because web servers are a primary target for attackers, and many vulnerabilities are well-known and have available exploit code. A simple misconfiguration or outdated software can lead to a full system compromise. For example, if a web server is running Apache 2.
4.49, there is a known vulnerability that allows path traversal, meaning an attacker could read any file on the server, including passwords and configuration files. Nikto would detect this outdated version and warn you.
In practical IT, Nikto is often used as part of a security baseline check. Before a new web application goes live, a security team runs Nikto to ensure that no unnecessary files or directories are exposed. After deployment, regular scans help catch when a developer accidentally leaves a backup file or a test script in a public folder.
For system administrators, Nikto can be automated using cron jobs to run weekly scans and email reports. This proactive approach helps find issues before they are exploited. In a larger enterprise environment, Nikto might be one of several tools used in a vulnerability management program, alongside commercial scanners like Nessus or Qualys.
It is especially useful for small to medium businesses that may not have budget for expensive tools but still need to perform security checks. Nikto is also valuable for penetration testers who need to quickly assess a large number of web servers during an engagement. It is lightweight, fast, and provides a good overview of the web server's security posture.
However, it is only one piece of the puzzle. It does not check for SQL injection or cross-site scripting, so those require separate testing. Nonetheless, Nikto is a fundamental tool for anyone responsible for web server security.
How It Appears in Exam Questions
Exam questions about Nikto often fall into several patterns. First, tool identification questions: 'Which of the following is a web server vulnerability scanner?' with answer choices including Nmap, Netcat, Nikto, and OpenVAS.
The correct answer is Nikto. Second, command syntax questions: 'Which Nikto command would scan a secure web server on port 443?' Possible answers include 'nikto -h 192.168.1.1 -p 443 -ssl', 'nikto -h 192.
168.1.1 -ssl', 'nikto -target 192.168.1.1 -port 443', etc. You need to know the correct flags: -h for host, -p for port, and -ssl for SSL. Third, use case scenarios: 'A security analyst wants to quickly identify outdated software on a web server.
Which tool is most appropriate?' The answer is Nikto, because it specifically checks for outdated versions and known vulnerabilities. Fourth, output interpretation: You might be shown a sample Nikto output listing several findings such as '/phpinfo.
php' and '/test.php' and asked what these indicate. The correct answer would be that the server has potentially dangerous test files accessible. Fifth, false positive awareness: A question could describe a situation where Nikto reports a vulnerability that does not actually exist, and the answer should be 'false positive'.
Sixth, integration with other tools: 'Which tool can be used together with Nikto to identify open ports before scanning?' The answer is Nmap, and Nikto can use Nmap's output through the -nmap option. Seventh, evasion techniques: 'Which Nikto option can be used to slow down the scan to avoid detection by an IDS?'
The answer is -delay or -evasion. Eighth, ethical and legal considerations: 'What is the first step before running Nikto on a target?' The correct answer is 'obtain written permission'.
Ninth, comparison questions: 'What is the main difference between Nikto and OWASP ZAP?' Nikto is a web server scanner focused on server-side misconfigurations, while ZAP is a web application scanner that also tests for application-level vulnerabilities like SQL injection. Tenth, operational security: 'A penetration tester runs Nikto against a web server and finds that the server is running Apache 2.
2.3. What is the most likely risk?' The answer is that this version is outdated and has known vulnerabilities, so it should be patched.
Practise Nikto Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a junior security analyst at a company called TechBids. Your supervisor asks you to perform a basic security check on the company's new public-facing web server before it goes live. The web server IP is 203.
0.113.50, and it hosts a bidding platform. You decide to use Nikto to scan it. First, you open your Kali Linux terminal and type: nikto -h 203.0.113.50. The scan begins, and you see messages scrolling by.
After a few minutes, Nikto finishes and displays a report. The report shows a few findings: first, it found that the server is running Apache 2.4.6, which is an older version with a known vulnerability.
Second, it found a directory called /backups/ that is publicly accessible. Third, it found a file named /phpinfo.php. Fourth, it found that the server is missing some security headers like X-Frame-Options and X-Content-Type-Options.
You note all these findings. The Apache version is outdated and should be updated. The /backups/ directory could expose sensitive data, so it should be protected with authentication or removed.
The /phpinfo.php file reveals detailed PHP configuration and should be deleted. The missing security headers increase the risk of clickjacking and MIME sniffing attacks. You write a report for your supervisor with these recommendations.
This scenario shows how Nikto helps identify real issues that can be fixed before attackers find them. It also demonstrates that Nikto finds a mix of serious and moderate issues. The key takeaway is that you need to verify each finding because some might be false positives.
For example, the /backups/ directory might actually be intended for public use. You should manually check each item. This is exactly how you would use Nikto in a real job role.
Common Mistakes
Thinking Nikto is a comprehensive web application scanner that finds SQL injection and XSS.
Nikto is designed to scan web servers for misconfigurations and known vulnerabilities, not to test web applications for logic flaws like SQL injection. It checks for files, outdated software, and common misconfigurations.
Use Nikto for server-level checks and use tools like OWASP ZAP or Burp Suite for application-level testing.
Running Nikto without permission on a target you do not own.
Scanning a web server without permission is illegal in many jurisdictions and can be considered a hostile act. It could lead to legal consequences or a network ban.
Always obtain written authorization from the owner of the target before running any scan.
Believing all findings from Nikto are real vulnerabilities without verification.
Nikto can produce false positives, meaning it reports a vulnerability that does not actually exist. For example, it might flag a file as dangerous when it is actually a legitimate part of the application.
Manually verify each finding. Check the file or configuration that Nikto flagged to confirm if it is a real issue.
Using only Nikto for a full security assessment.
Nikto only checks a limited set of known patterns. It does not test for custom application vulnerabilities, authentication bypass, or business logic flaws. Relying solely on Nikto gives a false sense of security.
Combine Nikto with other tools and manual testing, including vulnerability scanners, web application scanners, and code review.
Assuming that if Nikto finds nothing, the web server is secure.
Nikto only checks for known issues in its database. A server could have custom vulnerabilities or zero-day exploits that Nikto will not detect.
Use Nikto as one part of a broader security strategy that includes patching, secure coding practices, and periodic comprehensive assessments.
Not updating Nikto before scanning.
Nikto's databases and plugins are updated to include new vulnerabilities. Using an outdated version means you might miss recent threats.
Run 'nikto -update' before each scan to ensure you have the latest vulnerability signatures.
Exam Trap — Don't Get Fooled
{"trap":"An exam question asks: 'Which tool would you use to scan a web server for directory traversal vulnerabilities?' and the answer choices include Nikto, Nmap, Netcat, and Wireshark. Learners often pick Nmap because they think it is the general scanner, or Wireshark because it analyzes traffic.
They choose the wrong option because they do not know the specific purpose of each tool.","why_learners_choose_it":"Learners may memorize that Nmap is a scanner and therefore think it scans for web vulnerabilities. Or they confuse directory traversal with network traffic analysis.
They are not familiar with Nikto's focus on web server issues.","how_to_avoid_it":"Remember that Nmap is a network mapper for open ports and services, not a vulnerability scanner. Nikto is specifically a web server vulnerability scanner that checks for directory traversal, outdated software, and misconfigurations.
If the question mentions web server scanning, the answer is likely Nikto."
Step-by-Step Breakdown
Obtain Authorization
Before any scanning, you must have written permission from the owner of the target. Scanning without permission is illegal and unethical.
Update Nikto
Run the command 'nikto -update' to download the latest vulnerability databases and plugins. Outdated databases may miss new threats.
Identify Target and Ports
Determine the IP address or hostname of your target. Optionally use Nmap to find which ports are open. Nikto can then focus on the web server ports (usually 80 and 443).
Run the Scan
Execute the appropriate Nikto command. For example: 'nikto -h 192.168.1.10 -p 80,443 -ssl'. This starts the scanning process where Nikto sends thousands of requests to the server.
Monitor Output
While the scan is running, Nikto displays findings in real-time. Pay attention to any 'OSVDB' references, which indicate the vulnerability ID from the Open Sourced Vulnerability Database.
Review the Full Report
After the scan completes, Nikto provides a summary. You can save the output to a file for later analysis using options like -o report.html -Format html. Review each finding carefully.
Verify Findings
Manually check each reported issue. For example, if Nikto finds a file like /phpinfo.php, open it in a browser to confirm it exists and is accessible. Some findings may be false positives.
Take Remediation Actions
Based on verified findings, make necessary changes: update outdated software, remove exposed files, fix misconfigurations, and add security headers.
Practical Mini-Lesson
Nikto is a command-line tool that is often pre-installed on security distributions like Kali Linux. To use it effectively, you need to understand its command options. The basic syntax is 'nikto -h <target>'.
The -h flag specifies the target host, which can be an IP address or hostname. You can add -p to specify a port or port range, and -ssl for HTTPS scanning. For example, 'nikto -h 10.
0.0.5 -p 443 -ssl' scans a secure web server on the default HTTPS port. If you want to scan multiple ports, use a comma-separated list like -p 80,443,8080. Nikto also supports using Nmap output to speed up scanning.
Run Nmap first: 'nmap -p 80,443,8080 10.0.0.5 -oG nmap_output.txt', then use 'nikto -h 10.0.0.5 -nmap nmap_output.txt'. This tells Nikto to only scan ports that Nmap found open. For evasion, you can use the -delay flag to add a delay between requests, helping avoid detection by intrusion detection systems.
For example, 'nikto -h 10.0.0.5 -delay 2' adds a 2-second delay. The -evasion flag offers several techniques like random URI encoding or using a different user agent. To output results, use -o <filename> and -Format <format>.
Supported formats include html, csv, txt, and xml. For example, 'nikto -h 10.0.0.5 -o report.html -Format html'. When interpreting results, look at the 'Status' column: it shows whether the check returned a '200 OK' (success) or a '404 Not Found' (file does not exist).
A status of 200 for a known dangerous file is a potential problem. Also note the 'OSVDB' code, which you can look up for more details. In practice, you will often see findings like: '/phpinfo.
php' (information disclosure), '/test.php' (test file left in production), '/backup.zip' (backup accessible), or 'Server: Apache/2.2.3' (outdated). Each of these is a lead for further investigation.
A common mistake is to take every finding at face value. For instance, Nikto might report that the server is missing the X-Frame-Options header. While this is a security concern, it might be intentional if the application uses frames.
You need to understand the context. The strength of Nikto is its speed and breadth; its weakness is the lack of deep, context-aware analysis. Therefore, always combine Nikto findings with manual checking and other tools.
Professionals often script Nikto into automated pipelines, using it as a first step in a vulnerability management process. For example, a cron job could run Nikto weekly against all public-facing web servers, parse the output, and send alerts if new critical findings appear. This automated approach helps maintain a baseline security posture.
Memory Tip
Remember 'Nikto' as 'No Integrity for Known Threats Online'. It checks for known problems, not integrity of the application logic.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CS0-003CompTIA CySA+ →PT0-003CompTIA PenTest+ →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
A 2-in-1 laptop is a portable computer that can switch between a traditional laptop form and a tablet form, usually by detaching or rotating the keyboard.
The 24-pin motherboard connector is the main power cable that connects the computer's power supply unit (PSU) to the motherboard, supplying electricity to the motherboard and its components.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
A 3D printer is a device that creates physical objects by depositing layers of material based on a digital model.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
The 8-pin CPU connector is a power cable from the power supply that delivers dedicated electricity to the processor on a computer's motherboard.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
Is Nikto free to use?
Yes, Nikto is open-source software and is completely free to download and use. It is included in many Linux distributions like Kali Linux.
Can Nikto scan HTTPS websites?
Yes, Nikto supports SSL/TLS scanning. You just need to include the -ssl flag in the command, like 'nikto -h example.com -ssl'.
Does Nikto detect SQL injection?
No, Nikto does not test for SQL injection or other application-layer vulnerabilities. It focuses on server misconfigurations and known software vulnerabilities.
Is it legal to run Nikto on my own web server?
Yes, you can run Nikto on any server you own or have explicit written permission to scan. Scanning without permission is illegal.
How long does a Nikto scan take?
The duration depends on the target and the number of tests. A typical scan of a standard web server can take from a few minutes to an hour.
What do I do after Nikto finds vulnerabilities?
You should verify each finding, then take appropriate remediation steps: update software, remove unnecessary files, fix configurations, and apply security patches.
Summary
Nikto is a lightweight, open-source web server scanner that helps identify known vulnerabilities, misconfigurations, and outdated software on web servers. It is a staple tool for security professionals, penetration testers, and system administrators. By sending a large number of HTTP requests and matching responses against a database of known issues, Nikto can quickly reveal potential weaknesses like exposed backup files, default credentials, and outdated server versions.
However, it is not a complete security solution, it does not find application-level flaws like SQL injection or cross-site scripting. It also can produce false positives, so manual verification is essential. In certification exams, Nikto is tested in the context of vulnerability scanning tools, particularly in CompTIA Security+, CySA+, PenTest+, and CEH.
Questions often focus on its purpose, syntax, and appropriate use cases. To use Nikto effectively in a professional environment, always obtain permission, update the tool before scanning, and combine it with other security assessments. The key takeaway for exam preparation is to know what Nikto does and what it does not do.
Remember that it is a web server vulnerability scanner, not a general network scanner or a full web application scanner. With proper use, Nikto is a valuable part of a layered security strategy.