What is Nikto

Nikto is an open-source web server scanner that performs comprehensive tests to identify potentially dangerous files/programs, outdated versions of servers, server configuration items, and installed web servers and software. It also supports LibWhisker’s anti-IDS methods to avoid detection. While not every check is a security issue, most are, and there are also info-only checks and checks for unknown items.

Nikto Installation

git clone https://github.com/sullo/nikto

Nikto Update

cd into your nikto git clone directory:

git pull

Main script is in program

cd nikto/program

Check out the 2.5.0 branch

git checkout nikto-2.5.0

Run using the shebang interpreter

./nikto.pl -h http://www.foo.com

Run using perl (if you forget to chmod)

perl nikto.pl -h http://www.foo.com
  • list element with functor item

Nikto Scan Cheat Sheet

The following Nikto command usage for scanning a web application:

Command Description

nikto -h http://foo.com

Scans the specified host

nikto -h http://foo.com -Tuning 6

Uses a specific Nikto scan tuning level

nikto -h http://foo.com -port 8000

Scans the specified port

nikto -h http://foo.com -ssl

Scans for SSL vulnerabilities

nikto -h http://foo.com -Format html

Formats output in HTML

nikto -h http://foo.com -output out.txt

Saves the output to a file

Nikto Command Flags Sheet

The following Nikto commands allow for configuration of a Nikto scan:

Option Value


yes Ask about each (default)

no Don't ask, don't send


"none", "all", or values like "/cgi/ /cgi-a/"


Use this config file


1 Show redirects

2 Show cookies received

3 Show all 200/OK responses

4 Show URLs which require authentication

D Debug output

E Display all HTTP errors

P Print progress to STDOUT

S Scrub output of IPs and hostnames

V Verbose output


Check database and other key files for syntax errors


1 Random URI encoding (non-UTF8)

2 Directory self-reference (/./)

3 Premature URL ending

4 Prepend long random string

5 Fake parameter

6 TAB as request spacer

7 Change the case of the URL

8 Use Windows directory separator (\)

A Use a carriage return (0x0d) as a request spacer

B Use binary value 0x0b as a request spacer


csv Comma-separated-value

htm HTML Format

msf+ Log to Metasploit

nbe Nessus NBE format

txt Plain text

xml XML Format

(if not specified the format will be taken from the file extension passed to -output)


Extended help information


Target host


Ignore Codes--treat as negative responses


Host authentication to use, format is id:pass or id:pass:realm


Client certificate key file


List all available plugins, perform no testing


Maximum testing time per host


1 Test all files with all root directories

2 Guess for password file names

3 Enumerate user names via Apache (/~user type requests)

4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)

5 Attempt to brute force sub-domain names, assume that the host name is the parent domain

6 Attempt to guess directory names from the supplied dictionary file


Provide information for mutates


Disables interactive features


Disables DNS lookups


Disables the use of SSL


Disables nikto attempting to guess a 404 page


Write output to this file ('.' for auto-name)


Pause between tests (seconds, integer or float)


List of plugins to run (default: ALL)


Port to use (default 80)


Client certificate file


Prepend root value to all requests, format is /directory


Save positive responses to this directory ('.' for auto-name)


Force ssl mode on port


1 Interesting File / Seen in logs

2 Misconfiguration / Default File

3 Information Disclosure

4 Injection (XSS/Script/HTML)

5 Remote File Retrieval - Inside Web Root

6 Denial of Service

7 Remote File Retrieval - Server Wide

8 Command Execution / Remote Shell

9 [SQL Injection](/penetration-testing/web-app/sql-injection/)

0 File Upload

a Authentication Bypass

b Software Identification

c Remote Source Inclusion

x Reverse Tuning Options (i.e., include all except specified)


Timeout for requests (default 10 seconds)


Load only user databases, not the standard databases

all Disable standard dbs and load only user dbs

tests Disable only db_tests and load udb_tests


Run until the specified time or duration


Update databases and plugins from CIRT.net


Use the proxy defined in nikto.conf


Print plugin and database versions


Virtual host (for Host header)

Nikto Example Commands

Nikto Scanning

The following nikto commands allow you to run basic nikto scans against a web application.

Command Description

nikto -h [target]

Basic scan, no HTTP options.

nikto -h [target] -Tuning [tuning]

Scan with a specific tuning.

nikto -h [target] -mutate [mutate]

Scan with a specific mutation.

nikto -h [target] -ssl

Scan using SSL.

nikto -h [target] -nointeractive

Run the scan non-interactively.

Nikto Using a Proxy

Using Nikto with a proxy such as Burp or another intercepting proxy.

Command Description


Enable usage of the HTTP/SOCKS proxy


Specify comma separated list of hosts not to use proxy for


Hostname or IP address of the HTTP/SOCKS proxy


Port of the HTTP/SOCKS proxy


Password for the HTTP/SOCKS proxy


Username for the HTTP/SOCKS proxy

Nikto2 Features

  • SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
  • Full HTTP proxy support
  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Template engine to easily customize reports
  • Scan multiple ports on a server, or multiple servers via input file (including nmap output)
  • LibWhisker’s IDS encoding techniques
  • Easily updated via command line
  • Identifies installed software via headers, favicons and files
  • Host authentication with Basic and NTLM
  • Subdomain guessing
  • Apache and cgiwrap username enumeration
  • Mutation techniques to “fish” for content on web servers
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Guess credentials for authorization realms (including many default id/pw combos)
  • Authorization guessing handles any directory, not just the root directory
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Reports “unusual” headers seen
  • Interactive status, pause and changes to verbosity settings
  • Save full request/response for positive tests
  • Replay saved positive requests
  • Maximum execution time per target
  • Auto-pause at a specified time
  • Checks for common “parking” sites

If you found this Nikto cheat sheet useful, please share it below.

Document Changelog

  • Last Updated: 12/02/2024 (12th of February 2024)
  • Author: Arr0way
  • Notes: Checked syntax was current for latest version of Nikto.