97% of applications tested by Trustwave had one or more weaknesses.
And 14% of investigated intrusion was due to misconfiguration. Misconfiguration can lead to serious risks.
There is a number of online vulnerability scanner to test your web applications on the Internet. However, if you are looking to test Intranet applications or in-house applications, then you can use the Nikto web scanner. Nikto is an open-source scanner and you can use it with any web servers (Apache, Nginx, IHS, OHS, Litespeed, etc.). Sounds like a perfect in-house tool for web server scanning. It is capable of scanning for over 6700 items to detect misconfiguration, risky files, etc. and some of the features include;
You can save the report in HTML, XML, CSV It supports SSL Scan multiple ports on the server Find subdomain Apache user enumeration Checks for outdated components Detect parking sites
Let’s get started with installation and how to use this tool. There are many ways to use Nikto.
Using Kali Linux Docker container Use the binary on UNIX-based distro or Windows.
Note: performing scan makes lots of requests to your web server. You acknowledge the risk and perform against only your servers.
Using Nikto on Kali Linux
Since it’s inbuilt in Kali, you don’t need to install anything.
Login into Kali Linux Go to Applications » Vulnerability Analysis and click nikto
It will open the terminal where you can run the scanning against your web server. There is multiple syntaxes you can use to run the scan. However, the quickest way to do is below. Don’t forget to change $webserverurl with your web server actual IP or FQDN. As you can see the above scan is against the default configuration of Apache 2.4, and there are many items that needs attention.
Clickjacking Attack MIME Type Security
You can refer to my Apache Security & Hardening Guide to fix these.
Using Nikto on CentOS
Login to CentOS or any Linux based OS Download the latest version from Github using wget
Extract using unzip command
It will create a new folder called “nikto-master” Go inside the folder nikto-master > program
Execute nikto.pl with the target domain
Once installed execute nikto and should be fine. This time, I will run a scan against the Nginx webserver to see how it performs. So as you can see default Nginx, the webserver configuration is vulnerable too and this security guide will help you to mitigate them.
Troubleshooting
You may encounter the following error when running on CentOS and if so you can fix as explained below. ERROR -1 OR If you are getting the above warning, then you need to install the Perl module by the following. or using DNF is using CentOS 8 ERROR – 2 For this, you need to export the locale on the terminal as explained here. ERROR – 3 You need to install the Perl bignum module. or using DNF if CentOS 8
Conclusion
Go ahead and play around with the Nikto software and if interested in learning more then check out this hacking and penetration testing course.