Chapter 5. Configuration Files

Table of Contents

Location
Format
Variables

Location

Nikto, like any non-trivial program, needs to know a few things about the environment it runs in. For most situations the default configuration file will work; sometimes tuning is required, or a few values need to be changed.

Nikto looks for a configuration file in three places and applies every one it finds, in the strict order listed below. A configuration file found later in the list overrides any variable already set by an earlier one. The locations are:

  1. /etc/nikto.conf (this may be altered depending on platform)

  2. $HOME/nikto.conf

  3. nikto.conf

Format

The configuration files are formatted like a standard Unix configuration file: blank lines are ignored, any line starting with a # is ignored, and variables are set with a VariableName=Value line.
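The following Python script is an added example, not Nikto's own code (Nikto itself is written in Perl). It reproduces the lookup and override rules described above so you can see which file ends up setting each variable, and it warns when a file that stores a credential such as PROXYPASS is readable by other local users. Assumptions made here: that each line is split at the first "=" so a value may itself contain "=", that a non-comment line without "=" is an error, and the set of variables treated as secrets; the three sample files are constructed in a temporary directory and stand in for the three documented locations.

```python
import os
import stat
import tempfile
from pathlib import Path

# Lookup order documented above. The first entry may differ by platform and
# the last is relative to the current working directory; a later file
# overrides any variable set by an earlier one.
SEARCH_ORDER = ("/etc/nikto.conf", os.path.expanduser("~/nikto.conf"), "nikto.conf")

# Variables that hold credentials. This set is this example's choice, not a
# Nikto setting: a file that sets one of them should not be group/world readable.
SECRET_KEYS = {"PROXYPASS", "STATIC-COOKIE"}


def parse_conf(text):
    """Parse the documented format: blank lines and lines beginning with '#'
    are ignored, everything else is VariableName=Value. Assumption: the line
    is split at the first '=', so a value may itself contain '='
    (STATIC-COOKIE="sid"="abc"); a line with no '=' is treated as an error."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected VariableName=Value, got {raw!r}")
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip()
    return settings


def world_readable(mode):
    """True if the permission bits grant read access to group or other."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def effective_config(paths=SEARCH_ORDER):
    """Merge the files that exist, in search order, later files overriding
    earlier ones. Returns (settings, origin, warnings): origin maps each
    variable to the file that last set it; warnings lists files that set a
    non-empty secret while being readable by group or other."""
    settings, origin, warnings = {}, {}, []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        file_vars = parse_conf(path.read_text())
        for name, value in file_vars.items():
            settings[name] = value
            origin[name] = str(path)
        if any(file_vars.get(k) for k in SECRET_KEYS) and world_readable(path.stat().st_mode):
            warnings.append(str(path))
    return settings, origin, warnings


def run_demo():
    """Constructed sample: a system-wide, a per-user and a cwd file written to
    a temporary directory, standing in for the three documented locations."""
    sample = {
        "etc_nikto.conf": "# system-wide defaults\nSKIPPORTS=21 111\nUPDATES=no\nPROXYHOST=\n",
        "home_nikto.conf": "UPDATES=yes\nPROXYHOST=proxy.example.internal\nPROXYPORT=8080\n\nPROXYPASS=s3cret\n",
        "cwd_nikto.conf": "# per-engagement override\nPROXYHOST=127.0.0.1\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, body in sample.items():
            path = Path(tmp) / name
            path.write_text(body)
            paths.append(str(path))
        os.chmod(paths[1], 0o644)  # the file holding PROXYPASS is readable by everyone
        return effective_config(paths)


if __name__ == "__main__":
    settings, origin, warnings = run_demo()
    for name in sorted(settings):
        print(f"{name}={settings[name]!r}  (from {origin[name]})")
    for path in warnings:
        print(f"WARNING: {path} stores a credential but is readable by other users")
```

Run it as a script to see the merged result for the constructed files: PROXYHOST comes from the cwd file, UPDATES from the per-user file, and the per-user file is flagged because it holds PROXYPASS with mode 0644. Call effective_config() with no arguments to inspect the real locations on your own machine.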

Variables

The following variables may be set within the configuration file:

CLIOPTS

Default options that should always be passed to the command line. For example:

CLIOPTS=-output results.txt -Format text

Default Setting

CLIOPTS=

NIKTODTD

Path to the location of the DTD used for XML output. If the path is not absolute then it will be relative to the directory where Nikto is executed.

Default Setting

NIKTODTD=docs/nikto.dtd

RFIURL

Full URL to a file for remote file inclusion. This file should contain a call to phpinfo(), as Nikto looks for the output of that call to determine that the RFI succeeded. You may use the default cirt.net file, but keep in mind that the target server must have outbound connectivity to cirt.net, that the check depends on cirt.net's availability, and that successful requests are logged by cirt.net's web server (Apache). Whatever URL you set, the target will fetch it during the scan, so we recommend hosting your own copy on a host you control.

Default Setting

RFIURL=http://cirt.net/rfiinc.txt?

SKIPPORTS

Defines a space-separated list of ports that Nikto will never scan.

Default Setting

SKIPPORTS=21 111

SKIPIDS

Note: this filter only applies to tests in the db_tests database.

Contains a space-separated list of test IDs (tids) that Nikto will not run against the target, for example:

SKIPIDS=000045 000345

Default Setting

SKIPIDS=

DEFAULTHTTPVER

Defines the default HTTP version that Nikto will use unless superseded by a specific test. Usually the default will suffice, though some web servers only respond correctly to later versions of the protocol.

Default Setting

DEFAULTHTTPVER=1.0

UPDATES

If the outdated plugin sees a web server it does not know of, or a version later than the one defined in db_outdated, it sends this information back to cirt.net for inclusion in future versions of Nikto. Server-specific information (e.g. IP addresses or hostnames) is not sent.

This item can be set to one of the below values:

UPDATES=yes

Display each submission and ask for permission before it is sent

UPDATES=no

Do not send any data back to cirt.net

UPDATES=auto

Send data back to cirt.net with no prompting

Default Setting

UPDATES=yes

LW_SSL_ENGINE

Forces LibWhisker to use the specified SSL library instead of its default selection (Net::SSLeay, if available).

This item can be set to one of the below values:

LW_SSL_ENGINE=auto

use auto-selection

LW_SSL_ENGINE=SSL

use Net::SSL

LW_SSL_ENGINE=SSLeay

use Net::SSLeay

Default Setting

LW_SSL_ENGINE=auto

MAX_WARN

Produces a warning once this many MOVED responses have been retrieved. This item is currently unused.

Default Setting

MAX_WARN=20

PROMPTS

Disables Nikto's interactive prompts if set to "no". This currently affects only the prompt for proxy authentication and the prompt before sending updates.

Default Setting

PROMPTS=

CIRT

The IP address that Nikto uses to update its databases and plugins, and to which it sends version information (as described under UPDATES).

Default Setting

CIRT=174.142.17.165

PROXYHOST, PROXYPORT, PROXYUSER, PROXYPASS

Address, port, username and password of a proxy through which all requests are relayed. Note that to use a proxy you must both set these items in the configuration file and supply the -useproxy switch on the command line. PROXYPASS is stored in cleartext, so restrict read access to any configuration file that contains it.

Default Setting

PROXYHOST=
PROXYPORT=
PROXYUSER=
PROXYPASS=

STATIC-COOKIE

Adds the supplied cookie(s) to all requests made by Nikto. This is generally useful if a website requires an authentication cookie. Like PROXYPASS, the value is a credential stored in cleartext, so protect the file accordingly. Separate cookies with a semicolon, for example:

STATIC-COOKIE="cookie1"="cookie value";"cookie2"="cookie val"

Default Setting

STATIC-COOKIE=

CHECKMETHODS

Nikto attempts to identify targets as web servers by requesting the / URI with the listed HTTP methods. Some web servers do not implement every HTTP method, and Nikto may fail to identify such a server if the method being used is one it does not support.

If this setting is missing from the configuration file, Nikto falls back to the Nikto 2.02 default of HEAD.

Default Setting

CHECKMETHODS=HEAD GET

EXECDIR, PLUGINDIR, TEMPLATEDIR, DBDIR, DOCDIR

Define where Nikto itself, its plugins, databases, XML/HTML templates and documentation are located. These normally only need changing when repackaging Nikto for a different file-system layout. Nikto uses EXECDIR to derive the other directories.

Default Setting

EXECDIR=.
PLUGINDIR=EXECDIR/plugins
TEMPLATEDIR=EXECDIR/templates
DBDIR=EXECDIR/databases
DOCDIR=EXECDIR/docs