Terminal GuideTerminal Guide

Nikto: Web Server Vulnerability Scanner Guide

Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple security issues. Learn how to detect misconfigurations, outdated software, dangerous files, and potential vulnerabilities with this essential security assessment tool.

20 min readLast updated: February 20, 2026
Dai Aoki

Dai Aoki

CEO at init, Inc. / CTO at US & JP startups / Creator of WebTerm

Quick Reference

Basic Scanning

nikto -h <host>Basic scan against a host
nikto -h <host> -sslScan with SSL/TLS
nikto -h <host> -p 8080Scan specific port

Output

-o report.html -Format htmHTML report
-o report.csv -Format csvCSV report
-o report.xml -Format xmlXML report

Tuning

-Tuning 1Interesting files only
-Tuning 4Injection (XSS/Script)
-Tuning 9SQL injection

Authentication

-id user:passBasic auth credentials
-useproxy http://proxy:8080Use HTTP proxy
-mutate 1Test all files with root dirs

Evasion

-evasion 1Random URI encoding
-evasion 2Directory self-reference (/./)
-evasion 4Prepend long random string

Advanced

-Plugins "apacheusers"Run specific plugin
-updateUpdate scan databases
-list-pluginsList available plugins

Downloadable Image Preview

Failed to generate preview
Ethical Use Disclaimer
Nikto is a security testing tool intended for authorized use only. Always obtain explicit written permission before scanning any system you do not own. Unauthorized scanning may violate laws such as the Computer Fraud and Abuse Act (CFAA) and similar legislation in other jurisdictions. Use this tool responsibly and only against systems you have permission to test.

Overview

Nikto is a Perl-based open-source web server scanner originally created by Chris Sullo. It performs thorough tests against web servers, checking for over 6,700 potentially dangerous files and programs, outdated server versions, and version-specific problems across more than 1,250 servers. Nikto also checks for server configuration issues such as the presence of multiple index files and various HTTP server options.

Key capabilities of Nikto include:

  • Detection of outdated server software and components
  • Identification of dangerous files and CGIs on the server
  • SSL/TLS certificate and cipher analysis
  • Checking for server misconfigurations and default installations
  • HTTP method testing (PUT, DELETE, TRACE, etc.)
  • Subdomain guessing via DNS and virtual host enumeration
  • Plugin-based architecture for extensibility
  • Multiple output format support for reporting and integration

Unlike stealthier tools, Nikto is designed for speed and thoroughness rather than evasion. It generates significant traffic and log entries on the target server, making it straightforward for administrators to detect. This is intentional -- Nikto is meant for authorized security assessments where stealth is not a concern.

Installation

Nikto is available through most package managers and can also be installed from source. It requires Perl (5.8 or later) and several Perl modules. On Kali Linux and other security-focused distributions, Nikto is often pre-installed.

Install on Debian/Ubuntu

bash
# Install from the default repository
sudo apt update
sudo apt install nikto

# Verify installation
nikto -Version

# Update the vulnerability database
nikto -update

Install on macOS

bash
# Install via Homebrew
brew install nikto

# Verify installation
nikto -Version

Install from Source

bash
# Clone the repository
git clone https://github.com/sullo/nikto.git

# Navigate to the program directory
cd nikto/program

# Run Nikto directly
perl nikto.pl -h localhost

# Optionally create a symlink for system-wide access
sudo ln -s $(pwd)/nikto.pl /usr/local/bin/nikto
Perl Dependencies
If you install from source, you may need to install additional Perl modules. Use cpan or your system package manager to install missing modules such as Net::SSLeay and IO::Socket::SSL for SSL scanning support.

Basic Scanning

Nikto scanning begins with a target host. The scanner will automatically enumerate web server details, check for common vulnerabilities, and report its findings. Even a basic scan provides valuable information about the target web server.

Simple Host Scan

The most basic usage targets a single host on the default HTTP port (80):

bash
# Scan a target host on the default port
nikto -h http://192.168.1.100

# Scan using a hostname
nikto -h www.example.com

# Scan with increased verbosity
nikto -h www.example.com -Display V

Nikto will automatically identify the web server software, test for common vulnerabilities, and check for dangerous files. A typical scan output includes the server banner, detected technologies, and a list of findings with OSVDB references.

SSL/TLS Scanning

For HTTPS-enabled servers, Nikto can perform SSL/TLS analysis alongside vulnerability scanning:

bash
# Scan an HTTPS host
nikto -h https://www.example.com

# Force SSL mode on a specific port
nikto -h 192.168.1.100 -p 443 -ssl

# Scan HTTPS and check SSL certificate details
nikto -h https://www.example.com -ssl

SSL scanning checks for weak ciphers, expired certificates, and known SSL/TLS vulnerabilities such as POODLE, BEAST, and Heartbleed. This is critical for assessing the transport-layer security posture of web applications.

Scanning Specific Ports

Web servers often run on non-standard ports. Nikto can target any port or scan multiple ports:

bash
# Scan a specific port
nikto -h 192.168.1.100 -p 8080

# Scan multiple ports
nikto -h 192.168.1.100 -p 80,443,8080,8443

# Scan a range of ports
nikto -h 192.168.1.100 -p 8000-8100

Scanning Multiple Hosts

You can scan multiple targets by providing a file containing host addresses:

bash
# Create a hosts file (one host per line)
# hosts.txt:
# 192.168.1.100
# 192.168.1.101:8080
# https://www.example.com

# Scan all hosts from the file
nikto -h hosts.txt

# You can also pipe Nmap results into Nikto
nmap -p80,443 192.168.1.0/24 -oG - | nikto -h -
Tip
Combining Nmap with Nikto is a powerful workflow. Use Nmap to discover web servers on the network first, then pipe the results directly into Nikto for vulnerability assessment.

Advanced Scanning

Nikto provides extensive options for customizing scans. Tuning parameters, authentication support, proxy configuration, and evasion techniques allow you to tailor scans to specific testing scenarios.

Tuning Options

Tuning options control which types of tests Nikto performs. You can focus on specific vulnerability categories to reduce scan time or target particular areas of concern:

Tuning Categories

ValueDescription
0File upload
1Interesting file / seen in logs
2Misconfiguration / default file
3Information disclosure
4Injection (XSS/Script/HTML)
5Remote file retrieval (inside web root)
6Denial of service
7Remote file retrieval (server-wide)
8Command execution / remote shell
9SQL injection
aAuthentication bypass
bSoftware identification
cRemote source inclusion
xReverse tuning (exclude specified types)
bash
# Scan for XSS and SQL injection only
nikto -h http://192.168.1.100 -Tuning 49

# Scan for everything except denial of service
nikto -h http://192.168.1.100 -Tuning x6

# Scan for misconfigurations and information disclosure
nikto -h http://192.168.1.100 -Tuning 23

# Focus on authentication bypass and command execution
nikto -h http://192.168.1.100 -Tuning a8

Authentication

Many web applications require authentication. Nikto supports Basic and NTLM authentication, as well as cookie-based session management:

bash
# Basic authentication
nikto -h http://192.168.1.100 -id admin:password123

# NTLM authentication (domain\user:password)
nikto -h http://192.168.1.100 -id "DOMAIN\\user:password"

# Use a session cookie for authenticated scanning
nikto -h http://192.168.1.100 -cookie "PHPSESSID=abc123; auth=true"

# Scan a specific path requiring authentication
nikto -h http://192.168.1.100/admin -id admin:password123
Tip
For cookie-based authentication, log in to the application through a browser first, extract the session cookie using browser developer tools, and pass it to Nikto with the -cookie flag. This is particularly useful for applications that use form-based login rather than HTTP authentication.

Proxy Usage

Routing Nikto traffic through a proxy is useful for traffic inspection or when testing through a network boundary:

bash
# Route traffic through an HTTP proxy
nikto -h http://192.168.1.100 -useproxy http://127.0.0.1:8080

# Use a proxy with authentication
nikto -h http://192.168.1.100 -useproxy http://proxyuser:proxypass@proxy.example.com:3128

# Route through Burp Suite for detailed request analysis
nikto -h http://192.168.1.100 -useproxy http://127.0.0.1:8080

Routing Nikto through Burp Suite or OWASP ZAP is a common workflow. This lets you inspect each request and response in detail, modify and replay requests, and use the proxy tool for further manual testing on any interesting findings.

Evasion Techniques

Nikto includes several IDS evasion techniques that modify requests to bypass simple signature-based detection systems. Note that these are primarily useful for testing IDS/IPS effectiveness rather than for hiding your scans:

Evasion Techniques

ValueTechnique
1Random URI encoding (non-UTF8)
2Directory self-reference (/./)
3Premature URL ending
4Prepend long random string
5Fake parameter
6TAB as request spacer
7Change the case of the URL
8Use Windows directory separator (\)
bash
# Use random URI encoding
nikto -h http://192.168.1.100 -evasion 1

# Combine multiple evasion techniques
nikto -h http://192.168.1.100 -evasion 1234

# Combine evasion with tuning for a targeted scan
nikto -h http://192.168.1.100 -evasion 17 -Tuning 49

Output Formats

Nikto supports several output formats for different use cases. Reports can be generated during the scan and are essential for documentation, compliance, and integration with other tools.

HTML Report

HTML reports are ideal for sharing findings with stakeholders and management:

bash
# Generate an HTML report
nikto -h http://192.168.1.100 -o report.html -Format htm

# HTML report with full details
nikto -h http://192.168.1.100 -o report.html -Format htm -Display V

CSV Output

CSV output is useful for importing results into spreadsheets or databases for further analysis:

bash
# Generate a CSV report
nikto -h http://192.168.1.100 -o findings.csv -Format csv

XML Output

XML output integrates well with other security tools and automated processing pipelines:

bash
# Generate an XML report
nikto -h http://192.168.1.100 -o results.xml -Format xml

JSON Output

JSON output is the most flexible format for programmatic consumption and modern toolchains:

bash
# Generate a JSON report
nikto -h http://192.168.1.100 -o results.json -Format json

# Combine JSON output with jq for filtering
nikto -h http://192.168.1.100 -o results.json -Format json && \
  cat results.json | jq '.vulnerabilities[] | select(.severity == "High")'
Info
You can generate multiple output formats from a single scan by running multiple-o and -Format pairs, or by converting between formats after the scan. Saving as XML or JSON first provides the most flexibility for later conversion.

Practical Examples

The following examples demonstrate real-world usage patterns for common security assessment scenarios.

CMS Vulnerability Scanning

Content management systems like WordPress, Joomla, and Drupal have known vulnerability patterns. Nikto can identify CMS installations and check for common weaknesses:

bash
# Scan a WordPress site for known issues
nikto -h http://192.168.1.100/wordpress -Tuning 12349 -Plugins "apache;cgi;outdated"

# Check for default CMS files and admin panels
nikto -h http://192.168.1.100 -Tuning 2b

# Comprehensive CMS scan with HTML report
nikto -h http://192.168.1.100 \
  -Tuning 1234ab \
  -o cms-report.html -Format htm \
  -Display V

# Use mutations to discover hidden CMS paths
nikto -h http://192.168.1.100 -mutate 1 -mutate 3

Mutation Options

ValueDescription
1Test all files with all root directories
2Guess for password file names
3Enumerate user names via Apache (/~user)
4Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user)
5Attempt to brute force sub-domain names (via Host header)
6Attempt to guess directory names from a file

API Endpoint Testing

While Nikto is primarily a web server scanner, it can be used to test API servers for common misconfigurations and security issues:

bash
# Scan an API server on a non-standard port
nikto -h http://api.example.com:3000 -Tuning 2389

# Test with custom headers (e.g., API versioning)
nikto -h http://api.example.com \
  -Tuning 389 \
  -cookie "Authorization: Bearer eyJhbGciOi..."

# Scan an API behind a reverse proxy
nikto -h http://api.example.com \
  -vhost api.internal.example.com \
  -Tuning 238

# Check for exposed API documentation and debug endpoints
nikto -h http://api.example.com -Tuning 13 -mutate 1

CI/CD Integration

Nikto can be integrated into continuous integration pipelines to automatically scan deployments for security regressions. Below is an example using a Bash wrapper script and a GitHub Actions workflow:

bash
#!/bin/bash
# nikto-ci-scan.sh - CI/CD integration script for Nikto
set -euo pipefail

TARGET_URL="${1:?Usage: $0 <target-url>}"
REPORT_DIR="./security-reports"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
REPORT_FILE="${REPORT_DIR}/nikto-${TIMESTAMP}.json"

mkdir -p "${REPORT_DIR}"

echo "Starting Nikto scan against ${TARGET_URL}..."
nikto -h "${TARGET_URL}" \
  -Tuning 1234589ab \
  -o "${REPORT_FILE}" -Format json \
  -maxtime 600 \
  -nointeractive \
  -Display P

# Check for critical findings
CRITICAL_COUNT=$(cat "${REPORT_FILE}" | grep -c '"OSVDB-' || true)

echo "Scan complete. Found ${CRITICAL_COUNT} potential issues."
echo "Report saved to ${REPORT_FILE}"

# Fail the pipeline if critical issues are found
if [ "${CRITICAL_COUNT}" -gt 0 ]; then
  echo "WARNING: Security issues detected. Review the report."
  exit 1
fi
bash
# Example GitHub Actions workflow step
# .github/workflows/security-scan.yml
#
# - name: Run Nikto scan
#   run: |
#     docker run --rm \
#       -v ${{ github.workspace }}/reports:/reports \
#       secfigo/nikto:latest \
#       -h https://staging.example.com \
#       -Tuning 12349 \
#       -o /reports/nikto-results.json -Format json \
#       -maxtime 300
#
# - name: Upload scan results
#   uses: actions/upload-artifact@v4
#   with:
#     name: nikto-report
#     path: reports/nikto-results.json
CI/CD Scanning Considerations
When integrating Nikto into CI/CD pipelines, always scan staging or pre-production environments -- never production. Set a -maxtime limit to prevent scans from blocking the pipeline indefinitely. Review and triage findings before failing builds to avoid alert fatigue from false positives.

Options Reference

The following table summarizes the most commonly used Nikto command-line options:

Nikto Command-Line Options

OptionDescription
-h <host>Target host (IP, hostname, or URL)
-p <port>Port(s) to scan (comma-separated or range)
-sslForce SSL mode on the connection
-o <file>Write output to the specified file
-Format <fmt>Output format: csv, htm, json, txt, xml
-Tuning <opts>Scan tuning categories (0-9, a-c, x)
-id <user:pass>HTTP authentication credentials
-cookie <cookies>Cookie string to include in requests
-useproxy <url>Use an HTTP proxy for connections
-evasion <opts>IDS evasion technique(s) to use (1-8)
-mutate <opts>Mutation techniques for additional tests
-Plugins <list>Run only specified plugins
-list-pluginsList all available plugins
-vhost <name>Virtual host for the Host header
-Display <opts>Output verbosity (V, D, E, P, S)
-maxtime <secs>Maximum scan duration in seconds
-timeout <secs>Timeout for each request
-Pause <secs>Delay between each test
-nointeractiveDisable interactive features
-no404Disable 404 guessing
-updateUpdate databases and plugins
-VersionPrint version information
-dbcheckCheck scan databases for errors

Tips & Best Practices

Follow these guidelines to get the most effective and responsible results from Nikto scanning:

  • Always update before scanning -- Run nikto -update before starting any assessment to ensure you have the latest vulnerability signatures and plugins.
  • Use tuning to reduce noise -- Running all tests against every target generates excessive output. Use -Tuning to focus on relevant vulnerability categories for the specific application under test.
  • Set time limits -- Use -maxtime to prevent scans from running indefinitely, especially in automated pipelines or when scanning large applications.
  • Combine with other tools -- Nikto excels at known vulnerability detection but should be part of a broader testing methodology. Use it alongside Nmap for discovery, Burp Suite for manual testing, and sqlmap for SQL injection validation.
  • Save reports in multiple formats -- Generate both human-readable (HTML) and machine-parseable (JSON/XML) reports. HTML reports are useful for stakeholder communication, while JSON/XML integrates with vulnerability management platforms.
  • Use the Pause option for stability -- When scanning production-adjacent environments, use -Pause to add delays between requests and reduce the load on the target server.
  • Verify findings manually -- Nikto can produce false positives. Always verify critical findings manually before including them in a final report. Use a proxy like Burp Suite to replay and inspect individual requests.
  • Check for custom 404 pages -- Sites with custom error pages may cause false positives. Use -no404 to disable 404 guessing if you encounter excessive false results, or review the 404 detection behavior at the start of the scan.
  • Scan authenticated and unauthenticated -- Run scans both with and without credentials to understand the attack surface from different perspectives. Authenticated scans reveal vulnerabilities that are only accessible after login.
  • Document your scope -- Before starting any scan, clearly document the scope, targets, timing, and authorization. This protects both you and the organization being tested.

Related Tools

Nikto works well alongside other security tools in a comprehensive assessment workflow:

  • Nmap -- Use Nmap for initial network discovery and port scanning before running Nikto against discovered web servers. Nmap can directly feed targets to Nikto.
  • Burp Suite -- Route Nikto traffic through Burp Suite for detailed request/response analysis. Use Burp for manual testing of findings discovered by Nikto.
  • sqlmap -- When Nikto identifies potential SQL injection points, use sqlmap for thorough SQL injection testing and exploitation.
  • OWASP ZAP -- An alternative web application scanner that provides both automated and manual testing capabilities. ZAP offers a more modern interface and active community support.
  • WPScan -- For WordPress-specific vulnerability scanning, WPScan provides deeper coverage than Nikto for WordPress themes, plugins, and core vulnerabilities.
  • Metasploit -- After identifying vulnerabilities with Nikto, use Metasploit to validate exploitability and demonstrate impact during penetration testing engagements.

Related Articles

Burp Suite: Web Application Security Testing Guide

Complete guide to Burp Suite for web application security testing. Learn proxy interception, scanning, intruder attacks, and REST API testing from the CLI.

linux24 min read

sqlmap: SQL Injection Testing Tool Guide

Complete guide to sqlmap for automated SQL injection detection and exploitation. Learn database enumeration, data extraction, and advanced tamper techniques.

linux22 min read

Nmap: Network Scanner & Security Auditing Tool Guide

Comprehensive guide to Nmap for network discovery and security auditing. Learn port scanning, OS detection, NSE scripts, and practical penetration testing workflows.

linux25 min read

Metasploit Framework: Penetration Testing Guide

Complete guide to the Metasploit Framework for penetration testing. Learn msfconsole, exploit modules, payloads, and post-exploitation techniques.

linux28 min read