Nikto is a crucial part of any web penetration test. It sits firmly in both the ‘web application audit’ and ‘web server audit’ camps. Nikto will comprehensively test web servers for a whole range of items. Tests include the presence of dangerous files and CGIs, outdated versions of web server software and specific configuration problems with web servers. So whether you have an open WebDAV setup, outdated Joomla installations or phpinfo test development files lying around – expect Nikto to find them. Nikto publishes regular updates, and so to fetch the latest definitions, just use:

./nikto.pl -update

Once we have the latest version, we can go ahead and run a scan with:

./nikto.pl -host http://www.plzpwn.me/

As always, remember that this is an active offensive tool. You should absolutely not run it against web servers without proper authorization from the owners. It is not a stealth tool. It will attempt to enumerate as many possible vulnerabilities as quickly as possible, leaving a lot of noise in IDS and web server logs.

Nikto has now run and reports, amongst other things, that ‘info.php’ has been located, exposing the server’s phpinfo() page. Plenty of useful information to harvest here.
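As an added example, not from the original post, here is the noise a run like this leaves behind as seen from the server side: a small Python script that runs three checks over access-log lines, the default Nikto User-Agent banner, per-client bursts of misses on distinct paths or unusual methods, and successful requests for phpinfo-style test files such as the info.php the scan above found. The log lines, addresses and paths are constructed for the example; the User-Agent string is modelled on Nikto's default banner, which an operator can change via USERAGENT in nikto.conf.

```python
import re

# Apache/nginx "combined" log format, reduced to the fields we use.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not from the page): one client behaving
# like an unmodified Nikto run, plus ordinary browser traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /info.php HTTP/1.1" 200 7210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000012)"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000013)"
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000014)"
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "PROPFIND / HTTP/1.1" 405 226 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000015)"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def parse_log(log_text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def banner_hits(log_text):
    """Cheap signal: the default Nikto User-Agent. It is trivially changed
    by the operator, so treat its absence as meaningless."""
    return [r for r in parse_log(log_text) if "(Nikto/" in r["ua"]]

def noisy_clients(log_text, min_misses=3):
    """Behavioural signal: clients that miss (4xx) on many distinct paths or
    send unusual methods (e.g. WebDAV). Returns {ip: sorted list of paths}."""
    misses = {}
    for r in parse_log(log_text):
        if r["status"].startswith("4") or r["method"] not in ("GET", "POST", "HEAD"):
            misses.setdefault(r["ip"], set()).add(r["path"])
    return {ip: sorted(p) for ip, p in misses.items() if len(p) >= min_misses}

def exposed_debug_files(log_text, debug_paths=("/info.php", "/phpinfo.php")):
    """Successful (2xx) requests for phpinfo-style test files: if this is
    non-empty the scanner found something real, whoever ran it."""
    return sorted({r["path"] for r in parse_log(log_text)
                   if r["path"] in debug_paths and r["status"].startswith("2")})

if __name__ == "__main__":
    print("banner hits:", len(banner_hits(SAMPLE_LOG)))
    print("noisy clients:", noisy_clients(SAMPLE_LOG))
    print("exposed debug files:", exposed_debug_files(SAMPLE_LOG))
```

The first check only catches an unmodified scanner; the second survives a changed banner, and the third is the one that matters for remediation because it confirms a test file is actually being served.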