How to Perform Website Penetration Testing Using Nikto

Imagine this: your website is live, customers are visiting, and everything seems perfect. But behind the scenes, a silent vulnerability sits unnoticed, waiting to be exploited. One day, a hacker finds it, and your data, reputation, and trust are gone in minutes. This isn’t a horror story. It’s a reality for thousands of websites every year. The good news? You can prevent it. Penetration testing, often called pen testing, is the practice of simulating real-world attacks to find and fix security weaknesses before attackers do. And when it comes to testing web servers quickly and effectively, few tools are as trusted, accessible, and powerful as Nikto. In this comprehensive guide, we’ll walk you step by step through performing website penetration testing using Nikto. No prior hacking experience needed. Whether you’re a website owner, developer, or aspiring security professional, you’ll learn how to scan your site, interpret results, and take action. Let’s secure your digital world, one scan at a time.

Nov 6, 2025 - 10:44

What Is Penetration Testing?

Penetration testing is a controlled, authorized attempt to breach a system’s security. Think of it as hiring a professional locksmith to test your home’s locks by trying to pick them, not to steal, but to show you where you’re weak.

For websites, pen testing focuses on:

  • Web server configuration
  • Outdated software
  • Misplaced sensitive files
  • Weak encryption
  • Exposed administrative panels

Nikto specializes in the first layer: the web server itself (Apache, Nginx, IIS, etc.). It doesn’t log in as a user or test your application logic. It checks the foundation.

Introduction to Nikto

Nikto is an open-source web server scanner written in Perl. First released in 2001, it has become a staple in security toolkits worldwide. It works by sending thousands of HTTP requests to a target server and analyzing responses for signs of weakness.

Key features:

  • Over 6,700 vulnerability checks
  • Detects outdated server versions
  • Finds dangerous files and scripts
  • Supports SSL, authentication, and proxies
  • Outputs reports in HTML, XML, or plain text

Warning: Never scan a website you don’t own or don’t have explicit written permission to test. Unauthorized scanning is illegal in most countries and can lead to criminal charges.

Always:

  • Get written permission (email or contract)
  • Test only on systems you control (your own sites, lab environments)
  • Avoid scanning during peak business hours
  • Inform IT teams before testing

Setting Up Your Testing Environment

Before scanning, prepare a safe environment:

  • Use a virtual machine: Install Kali Linux or Ubuntu in VirtualBox/VMware.
  • Isolate your network: Avoid scanning from your personal computer.
  • Use a test server: Set up a local web server (e.g., Apache on localhost) to practice.
  • Backup everything: Never test on live production without backups.

Installing Nikto

Nikto is easy to install. Here are the most common methods:

  • Kali Linux (pre-installed): Just open a terminal and type nikto
  • Ubuntu/Debian:
    sudo apt update
    sudo apt install nikto
  • Fedora:
    sudo dnf install nikto
  • Windows (via WSL):
    wsl --install -d Ubuntu
    # Then follow Ubuntu steps
  • From GitHub (latest version):
    git clone https://github.com/sullo/nikto.git
    cd nikto/program
    perl nikto.pl -h http://example.com

After installation, update the database:

nikto -update

Running Your First Nikto Scan

Let’s scan a test server. Replace http://yoursite.com with your target (only if you own it).

nikto -h http://yoursite.com

Sample output:

+ Server: Apache/2.4.41
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-630: The /icons/README file is exposed.
+ Over 30 requests made. Scan took 45 seconds.

Congratulations! You just performed your first penetration test.

Understanding Nikto Output

Nikto reports include:

  • Server banner: Reveals software and version (often a risk).
  • OSVDB/CVE IDs: Links to known vulnerabilities.
  • Risk level: High, medium, low (not always shown, but implied).
  • File/directory findings: Exposed config files, backups, etc.

Example finding:

+ /admin/: Admin login page found. Check for weak passwords.

This doesn’t mean it’s hacked. It means a login page exists and should be secured.
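
To show how a report like the one above is read in practice, here is an added example (not part of the article or of Nikto itself): a small POSIX shell script that summarises a saved Nikto text report. The report lines are constructed for the example in the shape Nikto prints (header lines, one "+ " line per finding, a request-count footer); the function names and the report.txt path are the example's own.

```shell
#!/bin/sh
# Added example: triage a saved Nikto text report (nikto -h ... -o report.txt -Format txt).
# The sample report and the function names are constructed for this example.

# Constructed sample in the shape Nikto prints: header lines, "+ " finding lines, a footer.
SAMPLE_REPORT=$(cat <<'EOF'
- Nikto (constructed sample report)
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Server: Apache/2.4.41
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set.
+ OSVDB-630: The /icons/README file is exposed.
+ /phpinfo.php: Output from the phpinfo() function was found.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, PUT
+ 30 requests: 0 error(s) and 6 item(s) reported on remote host
EOF
)

# Finding lines only: "+ " lines minus the target header and the request-count footer.
findings() {
  printf '%s\n' "$1" | grep '^[+] ' | grep -Ev '^[+] (Target |Start Time|End Time|[0-9]+ requests)'
}

count_findings() { findings "$1" | wc -l | tr -d ' '; }

# Software banner the server reveals (the "hide server banners" fix removes the version).
server_banner() { printf '%s\n' "$1" | sed -n 's/^+ Server: //p'; }

# Security headers Nikto reported as absent.
missing_headers() {
  findings "$1" | grep -i 'header is not' | grep -Eo '[A-Za-z-]+ header' | sed 's/ header$//'
}

# OSVDB/CVE reference IDs to look up before deciding severity.
vuln_ids() { findings "$1" | grep -Eo '(OSVDB|CVE)-[0-9]+(-[0-9]+)?' | sort -u; }

# HTTP methods beyond GET/POST/HEAD/OPTIONS that the server accepts.
risky_methods() {
  findings "$1" | sed -n 's/^+ Allowed HTTP Methods: //p' | tr ', ' '\n\n' | grep -Ex 'PUT|DELETE|TRACE|CONNECT'
}

summarise() {
  printf 'Server banner   : %s\n' "$(server_banner "$1")"
  printf 'Findings        : %s\n' "$(count_findings "$1")"
  printf 'Missing headers : %s\n' "$(missing_headers "$1" | tr '\n' ' ')"
  printf 'Reference IDs   : %s\n' "$(vuln_ids "$1" | tr '\n' ' ')"
  printf 'Risky methods   : %s\n' "$(risky_methods "$1" | tr '\n' ' ')"
}

# Summarise the built-in sample; pass "$(cat report.txt)" instead for a real scan.
summarise "$SAMPLE_REPORT"
```

Each summary line maps to one fix later in the article: the banner to ServerTokens, the missing headers to the "secure headers" step, the reference IDs to a lookup before you decide severity, and the risky methods to the method restriction.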

Advanced Scanning Techniques

Go beyond basics with these commands:

  • Scan SSL sites:
    nikto -h https://yoursite.com
  • Save HTML report:
    nikto -h http://yoursite.com -o report.html -Format html
  • Scan specific port:
    nikto -h 192.168.1.100 -p 8080
  • Use basic auth:
    nikto -h http://yoursite.com -id admin:password123
  • Avoid detection (evasion):
    nikto -h http://yoursite.com -evasion 1
  • Scan multiple hosts:
    nikto -h hosts.txt
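
The commands above are easy to wrap in a script so that the same scan runs the same way every time; the FAQ at the end of this article mentions cron jobs and shell scripts for exactly that. Below is an added example (not part of the article or of Nikto) of such a wrapper: it keeps a scope file of hosts you are authorised to test, refuses anything not listed there, and builds a timestamped HTML report per host. The scope file, report directory, DRY_RUN variable and function names are the example's own choices.

```shell
#!/bin/sh
# Added example: repeatable Nikto sweeps limited to an explicit scope file.
# File paths, DRY_RUN and the function names are constructed for this example.

# Dry run by default: print the commands, run nikto only when DRY_RUN=0 and nikto is installed.
DRY_RUN=${DRY_RUN:-1}

# Host part of a target URL, used for the report file name ("https://a.example:8443/x" -> "a.example").
host_of() { printf '%s' "$1" | sed -E 's#^https?://##; s#/.*$##; s#:.*$##'; }

# Is this exact target listed in the scope file (one URL per line, "#" comments allowed)?
in_scope() {
  target=$1; scope=$2
  grep -Ev '^[[:space:]]*(#|$)' "$scope" | grep -Fxq "$target"
}

# The nikto command for one target: an HTML report named after host and timestamp.
nikto_cmd() {
  target=$1; outdir=$2; stamp=$3
  printf 'nikto -h %s -o %s/%s_%s.html -Format html\n' "$target" "$outdir" "$(host_of "$target")" "$stamp"
}

# sweep SCOPE_FILE OUT_DIR TARGET...  Scan each target that is in scope, skip the rest.
sweep() {
  scope=$1; outdir=$2; shift 2
  stamp=$(date +%Y%m%d-%H%M)
  mkdir -p "$outdir"
  for target in "$@"; do
    if ! in_scope "$target" "$scope"; then
      printf 'refusing %s: not listed in %s\n' "$target" "$scope" >&2
      continue
    fi
    cmd=$(nikto_cmd "$target" "$outdir" "$stamp")
    printf '%s\n' "$cmd"
    if [ "$DRY_RUN" = 0 ] && command -v nikto >/dev/null 2>&1; then
      sh -c "$cmd" >"$outdir/$(host_of "$target")_$stamp.log" 2>&1
    fi
  done
}

# Constructed scope file for the demo: only these two targets may be scanned.
WORK=$(mktemp -d)
SCOPE=$WORK/scope.txt
cat > "$SCOPE" <<'EOF'
# one authorised target per line
http://127.0.0.1
https://yoursite.com
EOF

# Demo: one target in scope, one not. Commands are printed; nothing runs unless DRY_RUN=0.
sweep "$SCOPE" "$WORK/reports" http://127.0.0.1 http://not-in-scope.invalid
```

To schedule it, save the script (for instance as /usr/local/bin/nikto-sweep.sh, a hypothetical path) and add a crontab line such as `0 2 * * 0 DRY_RUN=0 /usr/local/bin/nikto-sweep.sh /etc/nikto/scope.txt /var/reports https://yoursite.com`, which runs the sweep at 02:00 on Sundays, in line with the article's advice to scan regularly and outside peak hours.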

Nikto Command Reference Table

Option         Purpose                 Example
-h             Target host or file     nikto -h http://site.com
-p             Port number             nikto -h site.com -p 8080
-ssl           Force HTTPS             nikto -ssl -h site.com
-id            Basic authentication    nikto -h site.com -id user:pass
-o             Output file             nikto -h site.com -o scan.html
-Format        Output format           nikto -h site.com -o scan.html -Format html
-Tuning        Run specific tests      nikto -h site.com -Tuning 19
-evasion       Bypass IDS/IPS          nikto -h site.com -evasion 3
-update        Update database         nikto -update
-list-plugins  Show plugins            nikto -list-plugins

Tuning values are given as one string of digits (here 19 = test groups 1 and 9), not separated by spaces.

Interpreting Common Findings

Here are real Nikto outputs and what they mean:

  • Server: Apache/2.2.3 → Old version. Upgrade immediately.
  • /phpinfo.php: Found → Delete this file. It leaks server details.
  • Directory indexing found → Disable in server config.
  • OSVDB-877: CGI found → Remove or secure old scripts.
  • Allowed HTTP methods: PUT → Disable if not needed.

How to Fix the Vulnerabilities Nikto Finds

Action plan:

  • Update software: Always run latest stable versions.
  • Remove test files: Delete phpinfo.php, test.php, etc.
  • Hide server banners: Use ServerTokens Prod in Apache.
  • Disable directory listing: Set Options -Indexes.
  • Secure headers: Add X-Frame-Options, CSP, HSTS.
  • Restrict HTTP methods: Allow only GET, POST, HEAD.
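
Most of this action plan is Apache configuration, and the quickest way to know the fixes actually landed is to check the config file itself before rescanning. The following added example (not the article's or the Apache project's code) writes a weak and a hardened Apache fragment, both constructed for the example, and a shell check that lists which of the fixes above are still missing. The directive names are real Apache directives; the file names, the mod_headers values and the function names are the example's own.

```shell
#!/bin/sh
# Added example: verify the article's Apache fixes in a config file before re-running Nikto.
# Both config fragments are constructed for this example; function names are the example's own.

WORK=$(mktemp -d)

# "Before": default-looking config that Nikto flags (full banner, directory listing, no headers).
cat > "$WORK/weak.conf" <<'EOF'
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF

# "After": the fixes from the action plan (mod_headers must be enabled for the Header lines).
cat > "$WORK/hardened.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
    # Only GET, POST and HEAD reach the application; PUT, DELETE, TRACE and the rest are refused.
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "default-src 'self'"
# HSTS belongs only in the HTTPS virtual host.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
EOF

# Label|regex pairs: what each fix looks like in the file (regexes must not contain "|").
REQUIRED='ServerTokens Prod|^[[:space:]]*ServerTokens[[:space:]]+Prod
ServerSignature Off|^[[:space:]]*ServerSignature[[:space:]]+Off
Options -Indexes|^[[:space:]]*Options[[:space:]].*-Indexes
X-Frame-Options header|^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+X-Frame-Options
Content-Security-Policy header|^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+Content-Security-Policy
Strict-Transport-Security header|^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+Strict-Transport-Security
LimitExcept GET POST HEAD|^[[:space:]]*<LimitExcept[[:space:]]+GET[[:space:]]+POST[[:space:]]+HEAD>'

# Print one line per fix that is absent from the given config file.
missing_fixes() {
  conf=$1
  printf '%s\n' "$REQUIRED" | while IFS='|' read -r label regex; do
    grep -Eiq "$regex" "$conf" || printf '%s\n' "$label"
  done
}

# Exit status 0 when every fix is present, 1 otherwise (usable as a deploy-pipeline gate).
check_hardening() { [ -z "$(missing_fixes "$1")" ]; }

# Test/debug files the article says to delete, searched under a document root.
stray_test_files() { find "$1" -type f \( -name 'phpinfo.php' -o -name 'test.php' \); }

mkdir -p "$WORK/htdocs"
: > "$WORK/htdocs/phpinfo.php"   # constructed stray file for the demo

echo "weak.conf is missing:";     missing_fixes "$WORK/weak.conf" | sed 's/^/  - /'
echo "hardened.conf is missing:"; missing_fixes "$WORK/hardened.conf" | sed 's/^/  - /'
echo "stray files:";              stray_test_files "$WORK/htdocs"
```

Run the check against your real httpd.conf (or the files it includes) after editing, restart Apache, then rescan with Nikto: the banner, directory-indexing, header and method findings from the earlier scan should be gone.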

Best Practices for Nikto Penetration Testing

  • Scan regularly (weekly or after changes)
  • Review every finding manually
  • Combine with other tools (Nmap, OWASP ZAP)
  • Document all tests and fixes
  • Retest after applying patches
  • Train your team on security basics

Limitations of Nikto

Nikto is excellent, but not perfect:

  • Doesn’t test logged-in areas
  • Cannot find logic flaws (e.g., broken access control)
  • May trigger false positives
  • Loud scans can be detected/blocked
  • No zero-day vulnerability detection

Conclusion

Penetration testing with Nikto is one of the simplest yet most effective ways to improve your website’s security. In under an hour, you can uncover critical flaws that attackers exploit daily. Start with a single scan, fix one issue at a time, and build a culture of proactive security.

Remember: tools like Nikto don’t replace knowledge. They empower it. Use Nikto as your early warning system, but always follow up with understanding, action, and continuous improvement. Your website, your users, and your peace of mind deserve nothing less.

Now go scan your server. The first step to security is knowing where you stand.

What is Nikto used for?

Nikto is used to scan web servers for misconfigurations, outdated software, and potentially dangerous files.

Is Nikto illegal to use?

No, if you have permission. Scanning without authorization is illegal.

Can Nikto hack a website?

No. It only identifies issues. It does not exploit them.

Do I need Kali Linux to use Nikto?

No. It works on Ubuntu, Fedora, macOS, and Windows via WSL.

How long does a Nikto scan take?

Typically 1 to 5 minutes for a standard site.

Can Nikto scan HTTPS websites?

Yes. Use -h https://yoursite.com or -ssl.

What does OSVDB mean in Nikto?

It refers to the Open Source Vulnerability Database, now largely replaced by CVE.

Will Nikto slow down my server?

Possibly. Run during low-traffic hours.

How do I save Nikto results?

Use -o filename.html -Format html.

Can Nikto find login pages?

Yes, it often flags /admin/, /login.php, etc.

Does Nikto detect SQL injection?

It flags vulnerable scripts, but doesn’t test injection directly.

What are false positives in Nikto?

Alerts for issues that aren’t actually exploitable in your setup.

Can I scan localhost with Nikto?

Yes: nikto -h http://127.0.0.1.

How do I update Nikto?

Run nikto -update or pull latest from GitHub.

Is Nikto part of OWASP?

Yes, it’s an official OWASP project.

Can Nikto bypass login pages?

Only with basic authentication via -id user:pass.

What HTTP methods should I allow?

Only GET, POST, and HEAD for most sites.

Should I remove phpinfo.php?

Yes, immediately. It exposes sensitive server information.

Can I automate Nikto scans?

Yes, using cron jobs or shell scripts.

Where can I learn more about Nikto?

Visit the official GitHub: https://github.com/sullo/nikto

Ishwar Singh Sisodiya