Nikto Best Practices

Best practices for effective and ethical use of Nikto in penetration testing

This guide outlines best practices for using Nikto effectively and ethically in penetration testing and security assessments. Following these recommendations will help you maximize the tool's utility while minimizing potential issues.

Ethical Considerations

Authorization and Scope

Always ensure you have proper authorization before scanning any system:

1
Obtain Written Permission

Always obtain explicit written permission before scanning any system. This should include:

  • Target IP addresses and hostnames
  • Permitted scanning timeframes
  • Scan intensity limitations
  • Emergency contact information
2
Define Clear Boundaries

Establish clear scope boundaries:

# Limit scan to specific hosts
nikto -h target-host.com

# Avoid scanning out-of-scope hosts
# DO NOT use options that might scan beyond the target
3
Respect Limitations

Adhere to any limitations specified by the system owner:

# Limit scan intensity with delays
nikto -h target-host.com -delay 2

# Limit scan duration
nikto -h target-host.com -maxtime 3600

Minimizing Impact

Take steps to minimize the impact of your scanning:

# Use minimal tuning for sensitive systems
nikto -h target-host.com -Tuning 123

# Add delays between requests
nikto -h target-host.com -delay 2

# Avoid aggressive plugins on production systems
nikto -h target-host.com -Plugins "-dos,-apache_expect_xss"

Documentation and Reporting

Maintain thorough documentation of your activities:

# Generate comprehensive reports
nikto -h target-host.com -o nikto_scan.html -Format htm

# Include scan parameters in output
nikto -h target-host.com -o nikto_scan.csv -Format csv -Display V

Operational Best Practices

Pre-Scan Planning

Reconnaissance

Perform thorough reconnaissance before scanning:

# Use passive reconnaissance tools first
# Example: DNS enumeration, WHOIS lookups, etc.

# Identify web servers and technologies
nmap -sV -p 80,443,8080,8443 target-host.com

# Identify virtual hosts
host -t CNAME target-host.com

Understanding the target environment helps you:

  • Select appropriate scan options
  • Identify potential sensitive areas
  • Prepare for likely vulnerabilities

Scan Configuration

Configure your scans appropriately for each target:

# Basic scan with reasonable defaults
nikto -h target-host.com -Tuning 123 -Display 3

# More thorough scan
nikto -h target-host.com -Tuning x -Display 12 -ssl -port 443,8443

# Scan with authentication
nikto -h target-host.com -id "username:password" -Tuning 123

Scan Execution

Follow these practices during scan execution:

1
Start with Limited Scope

Begin with a focused scan:

# Start with basic tests
nikto -h target-host.com -Tuning 123 -Display 3

Review initial results before expanding scope.

2
Monitor Progress

Monitor scan progress and system impact:

# Use verbose output
nikto -h target-host.com -Display V

Watch for:

  • Unexpected errors
  • System performance issues
  • Security alerts
3
Adjust as Needed

Be prepared to adjust scan parameters:

# Reduce intensity if needed
nikto -h target-host.com -delay 5 -Tuning 123

# Pause and resume if necessary
# (Use Ctrl+C to pause, then restart with different parameters)

Result Analysis

Analyze scan results thoroughly:

# Generate multiple report formats for analysis
nikto -h target-host.com -o nikto_scan -Format htm,csv,xml

# Filter results for critical findings
grep "OSVDB" nikto_scan.csv | sort -u > critical_findings.txt

Focus on:

  • High-severity vulnerabilities
  • False positives verification
  • Patterns across multiple hosts
  • Unusual or unexpected findings

Technical Best Practices

Scan Tuning

Tune your scans for optimal results:

General Tuning

Basic tuning options for most scenarios:

# Basic scan (file upload, injection, XSS, etc.)
nikto -h target-host.com -Tuning 123

# Include informational tests
nikto -h target-host.com -Tuning 123b

# Comprehensive scan
nikto -h target-host.com -Tuning x

Common tuning values:

  • 1: File Upload
  • 2: Misconfiguration
  • 3: Information Disclosure
  • 4: Injection
  • 9: SQL Injection
  • x: All except DOS tests

Authentication Handling

Handle authentication properly:

# Basic authentication
nikto -h target-host.com -id "username:password"

# Form-based authentication
nikto -h target-host.com -Cookies "session:1234567890abcdef"

# Custom headers for API tokens
nikto -h target-host.com -header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

For complex authentication:

  1. Authenticate manually in a browser
  2. Copy cookies or session tokens
  3. Pass them to Nikto using the -Cookies option

Performance Optimization

Optimize scan performance:

# Parallel host scanning
nikto -h host_list.txt -Tuning 123

# Focus on specific ports
nikto -h target-host.com -p 80,443,8080,8443

# Skip SSL checks for non-HTTPS servers
nikto -h target-host.com -nossl

Balance between:

  • Scan speed
  • System impact
  • Thoroughness
  • Detection avoidance

Environment-Specific Best Practices

Web Applications

1
Identify Application Framework

Identify the web application framework:

# Use initial scan to identify technologies
nikto -h webapp.example.com -Tuning b

Common frameworks include:

  • WordPress
  • Drupal
  • Joomla
  • Custom frameworks
2
Target Framework-Specific Tests

Adjust scanning based on the framework:

# For WordPress
nikto -h wordpress-site.com -Tuning 123 -root /wordpress/

# For Drupal
nikto -h drupal-site.com -Tuning 123 -root /drupal/
3
Test Authentication Mechanisms

Focus on authentication mechanisms:

# Test login pages
nikto -h webapp.example.com -Tuning a -id "test:test"

APIs and Microservices

When testing APIs and microservices:

# API endpoint scanning
nikto -h api.example.com -Tuning 349 -Plugins "headers,auth"

# Test with authentication
nikto -h api.example.com -header "Authorization: Bearer token"

# Test specific endpoints
nikto -h api.example.com/v1/users -Tuning 349

Consider:

  • API versioning
  • Authentication mechanisms
  • Rate limiting
  • Input validation

Cloud Environments

When testing cloud-hosted applications:

# Test cloud-hosted applications
nikto -h cloud-app.example.com -Tuning 123 -useragent "Mozilla/5.0"

# Test multiple subdomains
nikto -h subdomains.txt -Tuning 123

Be aware of:

  • Cloud provider restrictions
  • Shared infrastructure concerns
  • WAF protections
  • Rate limiting

Integration with Security Workflows

Continuous Integration/Continuous Deployment (CI/CD)

Integrate Nikto into CI/CD pipelines:

# Example CI/CD script
#!/bin/bash
TARGET="$1"
THRESHOLD=10

nikto -h "$TARGET" -Tuning 123 -Format json -o scan_results.json
CRITICAL_COUNT=$(grep -c "CRITICAL" scan_results.json)

if [ "$CRITICAL_COUNT" \-gt "$THRESHOLD" ]; then
  echo "Security scan failed: $CRITICAL_COUNT critical issues found"
  exit 1
else
  echo "Security scan passed: $CRITICAL_COUNT critical issues found"
  exit 0
fi

Key considerations:

  • Set appropriate thresholds
  • Balance security and development velocity
  • Focus on high-impact issues
  • Provide clear feedback to developers

Vulnerability Management

Integrate with vulnerability management processes:

# Generate reports for import into vulnerability management systems
nikto -h target-host.com -Format xml -o nikto_scan.xml

Best practices:

  • Consistent scan scheduling
  • Trend analysis across scans
  • Integration with ticketing systems
  • Verification of remediation

Security Orchestration

Integrate with security orchestration platforms:

# Example integration script
#!/bin/bash
TARGET="$1"
OUTPUT_DIR="$2"

# Run scan
nikto -h "$TARGET" -Format json -o "$OUTPUT_DIR/nikto_scan.json"

# Process results
python3 process_results.py "$OUTPUT_DIR/nikto_scan.json" "$OUTPUT_DIR/processed_results.json"

# Send to orchestration platform
curl -X POST -H "Content-Type: application/json" \
  -d @"$OUTPUT_DIR/processed_results.json" \
  https://orchestration-platform.example.com/api/results

Troubleshooting and Common Issues

Scan Failures

Connection Issues

Common connection problems and solutions:

# Test basic connectivity
curl -I http://target-host.com

# Try different port
nikto -h target-host.com -p 8080

# Try without SSL
nikto -h target-host.com -nossl

# Use proxy if needed
nikto -h target-host.com -useproxy http://proxy:8080

If connection issues persist:

  • Verify network connectivity
  • Check firewall rules
  • Verify DNS resolution
  • Test with basic tools like curl or wget

False Positives

Dealing with false positives:

# Generate detailed output for analysis
nikto -h target-host.com -Display V -o detailed_scan.txt

# Verify findings manually
curl -I http://target-host.com/path/identified/by/nikto

Strategies for reducing false positives:

  • Verify findings manually
  • Use multiple tools for confirmation
  • Update Nikto databases regularly
  • Customize tests for your environment

Scan Optimization

Optimize problematic scans:

# Focus on specific tests
nikto -h target-host.com -Tuning 123

# Disable problematic plugins
nikto -h target-host.com -Plugins "-outdated,-msgs"

# Use incremental scanning
nikto -h target-host.com -Tuning 1 -o phase1.txt
nikto -h target-host.com -Tuning 2 -o phase2.txt

Advanced Best Practices

Custom Database Maintenance

Maintain custom databases for specialized environments:

# Locate database files
nikto -dbcheck

# Create custom database entries
echo '"999999","0","d","Custom test for internal app","/internal/status.php",""' >> db_tests

# Use custom database
nikto -h target-host.com -config /path/to/custom/nikto.conf

Scan Automation

Automate regular scanning:

#!/bin/bash
# weekly_scan.sh

DATE=$(date +%Y-%m-%d)
TARGETS_FILE="targets.txt"
OUTPUT_DIR="nikto_scans/$DATE"

mkdir -p $OUTPUT_DIR

# Read targets file
while IFS= read -r target
do
  # Skip comments and empty lines
  [[ "$target" =~ ^#.*$ || -z "$target" ]] && continue
  
  # Extract hostname for file naming
  hostname=$(echo $target | sed 's/https\?:\/\///' | sed 's/:.*//')
  
  echo "Scanning $target..."
  
  # Run scan
  nikto -h "$target" -Tuning 123b -o "$OUTPUT_DIR/${hostname}.html" -Format htm
  
  echo "Completed scan of $target"
done < "$TARGETS_FILE"

# Generate summary report
echo "Scan Summary for $DATE" > "$OUTPUT_DIR/summary.txt"
echo "\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=" >> "$OUTPUT_DIR/summary.txt"
grep -r "Host:" "$OUTPUT_DIR" --include="*.html" >> "$OUTPUT_DIR/summary.txt"
grep -r "OSVDB" "$OUTPUT_DIR" --include="*.html" | sort | uniq -c | sort -nr >> "$OUTPUT_DIR/summary.txt"

echo "All scans complete. Results in $OUTPUT_DIR"

Team Collaboration

Establish best practices for team collaboration:

  1. Standardize scan configurations:

    # Create standard configuration files
echo "STATIC-HEADERS=X-Scan-ID: CompanyName-SecurityTeam" > company_nikto.conf
echo "USERAGENT=CompanyName Security Scanner" >> company_nikto.conf

  2. Share scan results:

    # Generate shareable reports
nikto -h target-host.com -Format htm -o shared_report.html

  3. Document scan methodology:

    # Include methodology in reports
echo "# Scan Methodology" > methodology.md
echo "1. Reconnaissance: nmap -sV target" >> methodology.md
echo "2. Basic scan: nikto -h target -Tuning 123" >> methodology.md
echo "3. Detailed scan: nikto -h target -Tuning x" >> methodology.md

Next Steps

Now that you understand Nikto best practices, explore the following topics: