Nikto Web Scanner Guide: Installation, Commands, Results Interpretation, and Alternatives

Nikto Web Scanner Guide: Installation, Commands, Results Interpretation, and Alternatives

Nikto scanner is one of the oldest and most widely recognized open-source web security tools. First released in 2001, it performs fast, noisy scans against web servers to detect thousands of potentially dangerous files, outdated software versions, and common misconfigurations. If you are new to web security scanning, Nikto is often the first tool you encounter.

This guide covers everything you need to know: installation, essential commands, output interpretation, limitations, and how Nikto compares to modern alternatives like ZeriFlow and Burp Suite.

Modern alternative, zero setup: ZeriFlow runs 80+ web security checks — security headers, TLS, exposed paths, DNS security — with a single URL input. No installation, no command line. Try it now.

What Is Nikto and What Does It Test?

Nikto is a Perl-based open-source web server scanner maintained on GitHub. It tests for:

• Outdated server software — Apache, nginx, IIS version banners.
• Dangerous files and directories — Default installation files, backup files, admin panels.
• Known CVE vulnerabilities — Server software with published CVEs.
• Configuration issues — HTTP methods enabled (PUT, DELETE, TRACE), missing headers.
• Insecure cookies — Cookies lacking HttpOnly or Secure flags.
• SSL/TLS issues — Weak ciphers, certificate problems.
• File upload vulnerabilities — CGI-based upload scripts.
• Common web application issues — phpinfo() pages, default credentials pages, readme files.

Nikto's database contains approximately 7,000 checks. It is fast, comprehensive for what it covers, and free.

Important caveat: Nikto is intentionally noisy — it does not attempt to evade IDS/WAF detection. Its scans will appear in logs and will likely trigger security alerts. Never use Nikto against systems you do not own or have explicit permission to test.

Installing Nikto

Linux (Debian/Ubuntu)

sudo apt-get update
sudo apt-get install nikto
nikto -Version

macOS

brew install nikto
nikto -Version

From Source (All Platforms)

git clone https://github.com/sullo/nikto.git
cd nikto/program
perl nikto.pl -Version

Nikto requires Perl 5.8+, which is pre-installed on macOS and most Linux distributions.

Docker

docker pull sullo/nikto
docker run --rm sullo/nikto -h https://target.com

Essential Nikto Commands

Basic Scan

nikto -h https://target.com

The -h flag specifies the host (URL or IP address). Nikto will: 1. Identify the web server software. 2. Check for outdated software versions. 3. Test all endpoints in its vulnerability database. 4. Report findings as they are discovered.

Specify Port

nikto -h https://target.com -p 8443

Default ports are 80 (HTTP) and 443 (HTTPS). Use -p for non-standard ports.

Scan Multiple Hosts

nikto -h hosts.txt

Put one host per line in a text file for bulk scanning.

Save Output

# Plain text
nikto -h https://target.com -o results.txt -Format txt

# HTML report
nikto -h https://target.com -o results.html -Format htm

# XML (for CI/CD integration)
nikto -h https://target.com -o results.xml -Format xml

# CSV
nikto -h https://target.com -o results.csv -Format csv

Use a Proxy (e.g., route through Burp Suite)

nikto -h https://target.com -useproxy http://127.0.0.1:8080

Routing Nikto through Burp Suite lets you capture all requests Nikto makes, which is useful for understanding the scan traffic.

Tune Scan Types

The -Tuning option filters which checks to run:

nikto -h https://target.com -Tuning x6   # x = reverse, so everything EXCEPT 6

Tuning codes: - 0 — File Upload - 1 — Interesting File / Seen in logs - 2 — Misconfiguration / Default File - 3 — Information Disclosure - 4 — Injection (XSS/Script/HTML) - 5 — Remote File Retrieval (Inside Web Root) - 6 — Denial of Service (do not use against production) - 7 — Remote File Retrieval (Server Wide) - 8 — Command Execution / Remote Shell - 9 — SQL Injection - a — Authentication Bypass - b — Software Identification

Scan with Authentication

# HTTP Basic authentication
nikto -h https://target.com -id admin:password

# Cookie-based authentication
nikto -h https://target.com -cookies "sessionid=abc123; csrftoken=xyz"

Evasion Techniques

# IDS evasion (slows scan down, less reliable)
nikto -h https://target.com -evasion 1

Evasion options alter the request format to attempt to bypass WAF/IDS detection. Note: modern WAFs are largely immune to these techniques.

Interpreting Nikto Results

A typical Nikto output looks like:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          93.184.216.34
+ Target Hostname:    example.com
+ Target Port:        443
+ Start Time:         2024-01-15 10:23:41 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined.
+ The X-Content-Type-Options header is not set.
+ No CGI Directories found
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /css/: Directory indexing found.
+ 7863 requests: 0 error(s) and 5 item(s) reported

Understanding Finding Types

Header issues (most common): - Missing security headers (X-Frame-Options, X-Content-Type-Options, CSP) — low risk individually, important for defense in depth. - These are best addressed comprehensively with ZeriFlow, which tests 80+ header and configuration issues.

OSVDB references: - OSVDB (Open Source Vulnerability Database) was a vulnerability database that has since shut down. Nikto still references OSVDB IDs in its output. Cross-reference with CVE databases for current status.

Interesting files and directories: - /admin/, /backup/, /test/, /.git/ — potentially sensitive paths worth manual investigation. - /phpinfo.php — exposes server configuration, should be removed from production. - /server-status — Apache status page, should not be publicly accessible.

Server version disclosure: - Apache/2.4.41 — check this version against the CVE database for known vulnerabilities.

Nikto Limitations: What It Cannot Find

Nikto is fast and useful, but has significant limitations:

1. 1Not application-aware: Nikto tests server-level issues, not application-specific vulnerabilities like SQLi, XSS, CSRF, or broken authentication in your custom code.

1. 1High false positive rate: Nikto reports anything that looks interesting, including many findings that are not actually exploitable in context. Manual verification is always required.

1. 1No JavaScript execution: Nikto cannot test single-page applications (React, Angular, Vue) that load content dynamically.

1. 1No authenticated scanning without manual setup: Cookie and HTTP Basic auth work, but modern OAuth/JWT flows require additional effort.

1. 1No context-aware testing: Nikto does not understand the application's logic. It fires requests and checks responses without understanding what the application is supposed to do.

1. 1Easily detected: Nikto makes no attempt to appear as normal traffic. Any basic IDS/WAF will log and potentially block it.

Nikto vs. ZeriFlow vs. Burp Suite

When to use Nikto: Quick server-level misconfiguration check in a test environment. Good for finding default files, version disclosure, and enabled HTTP methods.

When to use ZeriFlow: Fast configuration and header security audit on any URL, including production. Zero setup, low noise, comprehensive header and TLS coverage.

When to use Burp Suite: Deep manual penetration testing with full proxy interception, custom payloads, and application-aware testing.

FAQ

Q: Is Nikto safe to run against production?

A: No. Nikto is an active scanner that sends thousands of HTTP requests including known malicious payloads. It will stress-test your server, trigger alerts, and potentially cause errors. Only run Nikto against staging/test environments or with explicit permission.

Q: Why does Nikto show so many false positives?

A: Nikto uses pattern matching against responses without understanding application context. It may flag a 200 response to /admin/ as interesting even if the page returns a login form (not actually an exposed admin panel). Always manually verify Nikto findings before reporting them.

Q: How do I update Nikto's vulnerability database?

A: Run nikto -update to download the latest plugin and vulnerability databases. Keeping the database current is important — outdated databases miss recently disclosed CVEs.

Q: Can Nikto find SQL injection vulnerabilities?

A: Nikto includes some basic SQLi checks (tuning code 9), but it is not a dedicated injection scanner. For comprehensive injection testing, use a dedicated tool like sqlmap or Burp Suite's scanner.

Q: How does ZeriFlow compare to Nikto for header scanning?

A: ZeriFlow is significantly more comprehensive for security header and TLS checking — it runs 80+ checks including CSP policy analysis, HSTS preloading status, cookie attribute verification, DNS security (CAA, DNSSEC), and more. Nikto's header checks are basic by comparison, and ZeriFlow requires zero installation.

Conclusion: Nikto Is a Useful Starting Point, Not a Complete Solution

Nikto remains a valuable tool in a security professional's toolkit — fast, free, and effective at finding server-level misconfigurations and default files. But it should never be your only tool, and its high false positive rate means every finding requires manual verification.

Pair Nikto with modern tools: use ZeriFlow for comprehensive, low-noise header and configuration scanning, and Burp Suite for deep application-layer testing. Together, these three tools cover the full spectrum from server configuration to application logic.

Start with ZeriFlow for an instant, production-safe baseline — then bring in Nikto and Burp Suite for the deeper testing that your security program requires.