Development
Specifying Individual Plugins
Posted by dave | 07/16/2010
In Nikto 2.1.1, the facility to call only specific plugins was added. This was mainly designed as a debugging and development feature so that it is easier to test one plugin without running all of the tests. This was a very simple plugin string that consisted of a simple comma-separated list of plugin names.
In Nikto 2.1.2 it was discovered that this facility was of more use than previously thought and could fix one of the basic flaws with the current plugin system: that of passing parameters to the plugin, something that had been hacked in via -mutate-options.
Nikto's Interactive Features & Status Reporting
Posted by sullo | 07/12/2010
Nikto 2.1.2 introduces some much-needed status reporting, along with some new interactive features.
First up, the Display mode "P" will print a progress report to STDOUT every 500 tests (configurable in nikto.conf or via -Plugins). During a scan, you'll see something like this:
- Tests completed: 3000 47%
On systems with POSIX support, there are several interactive features you can use during scans. While running, any of the following keys can be pressed to report status or make display changes:
Nikto::Parser
Posted by sullo | 10/17/2009
Jabra, author of Nikto's XML output format, has just released Nikto::Parser (along with several other security tool parsers). This Perl module takes in a Nikto XML file (or runs Nikto directly) and creates an easily accessible interface to the data.
Here's an example reading in a saved scan file.
    use Nikto::Parser;

    # Load a saved Nikto XML report and walk its hosts and ports.
    my $npx    = new Nikto::Parser;
    my $parser = $npx->parse_file("nikto.xml");
    foreach my $h ( $parser->get_all_hosts() ) {
        print "ip: " . $h->ip . "\n";
        foreach my $p ( $h->get_all_ports() ) {
        }
    }
Last chance for features in Nikto 2.1.0
Posted by dave | 06/25/2009
I've decided to stop procrastinating and put the final polish on the next version of Nikto and aim for a mid-July release date.
What not to do when changing a configuration file
Posted by dave | 05/05/2009
We've had a couple of bugs raised after some people have upgraded Nikto 2.02 to Nikto 2.03 and kept the same configuration file.
Anonymous tickets and spamming
Posted by dave | 04/30/2009
The more observant may have noticed that several spamming tickets were created within the Nikto development trac instance. This, compounded with a time when I couldn't get to my mail account, means that we've had around 100 spams in the trac database.
