Nikto
By cirtnetdev / August 30, 2025
The Nikto Web Scanner
- Install: Nikto via GitHub
- Download: Latest GitHub Release
- Docs: Wiki
Nikto is an open-source web server scanner designed for security professionals, penetration testers, and system administrators. It performs comprehensive tests against web servers, checking for over 8,000 potentially dangerous or interesting files and programs, identifying outdated versions of thousands of servers and components, and detecting common server misconfigurations such as multiple index files, HTTP server options, and more.
Nikto attempts to identify installed web servers and software using headers, content, and file analysis, with scan items and plugins that can be updated automatically. It supports multiple report formats per scan, making it suitable for both interactive use and automated workflows.
Nikto includes hundreds of application-specific tests and many informational checks that highlight possible misconfigurations, information disclosures, or useful data for pentesters and site owners. Nikto focuses on coverage and accuracy over speed, using multiple false-positive reduction techniques to improve result quality.
Features
Some of the major features of Nikto are listed below. See the documentation for a full list of features and usage information.
- Support for both IPv4 and IPv6
- HTTP proxies
- Cross-platform with Perl & OpenSSL
- Checks for outdated server components
- Multiple report formats per scan (plain text, JSON, SQL, XML, HTML, CSV)
- Direct database reporting to MySQL and PostgreSQL
- Easy custom checks via CSV files
- Scan multiple ports on a server, or multiple servers via input file (including nmap output)
- Identifies installed software via headers, favicons, and other files
- Host authentication with Basic and NTLM
- Scan tuning to include or exclude entire classes of vulnerability checks
- Guess credentials for Basic/NTLM authorization realms (including many default ID/password combos)
- False positive reduction using headers, page content, hashing, and dynamic 404 detection
- TLS configuration and fingerprinting detection
- Automatic cookie handling with optional disable flag
- Reports unusual HTTP headers
- Interactive status display with pause and verbosity controls
- Save full request and response data for positive tests
- Replay saved finding requests
- Checks for common parked or placeholder sites
- Bash wrapper util to run multiple scans in parallel via screen
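The "dynamic 404 detection" and "hashing" items in the list above are what keep a file-and-path scanner from reporting every guessed file as found on a server that answers 200 OK for everything. The example below is an added illustration of that technique in Python, not Nikto's own code: it requests a few paths that cannot exist, fingerprints how "not found" looks on that host (status, content type, and a SHA-256 of the body with the echoed path, numbers and whitespace stripped), and then classifies candidate paths against that baseline. The two in-memory servers and their responses are constructed for the example; `fetch` stands in for a real HTTP client.

```python
import hashlib
import itertools
import re
from typing import Callable, Dict, Iterable, Set, Tuple

# (status code, headers, body); the fetch callable stands in for an HTTP client.
Response = Tuple[int, Dict[str, str], str]
Fetch = Callable[[str], Response]
Fingerprint = Tuple[int, str, str]

# Constructed sample site (not captured traffic): two paths really exist, and every
# other path gets a "friendly" 200 error page that echoes the path and a request id.
KNOWN_PATHS: Dict[str, Response] = {
    "/robots.txt": (200, {"Content-Type": "text/plain"}, "User-agent: *\nDisallow: /admin/\n"),
    "/admin/": (200, {"Content-Type": "text/html"}, "<html><body><h1>Admin login</h1></body></html>"),
}
SOFT_404 = "<html><body><h1>Page not found</h1><p>{path} does not exist (id {ts})</p></body></html>"
_clock = itertools.count(1700000000)  # makes every soft-404 body slightly different


def soft_404_fetch(path: str) -> Response:
    """Server that answers 200 for everything: the hard case for a file scanner."""
    if path in KNOWN_PATHS:
        return KNOWN_PATHS[path]
    return (200, {"Content-Type": "text/html"}, SOFT_404.format(path=path, ts=next(_clock)))


def strict_fetch(path: str) -> Response:
    """Server that returns a real 404 for unknown paths."""
    if path in KNOWN_PATHS:
        return KNOWN_PATHS[path]
    return (404, {"Content-Type": "text/html"}, "<html><body>Not Found</body></html>")


def normalize(body: str, path: str) -> str:
    """Strip the parts of an error page that vary per request: the echoed path,
    numbers (timestamps, request ids) and whitespace differences."""
    text = body.replace(path, "")
    text = re.sub(r"\d+", "", text)
    return re.sub(r"\s+", " ", text).strip()


def fingerprint(resp: Response, path: str) -> Fingerprint:
    """Status, media type and a hash of the normalized body identify a response class."""
    status, headers, body = resp
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    digest = hashlib.sha256(normalize(body, path).encode("utf-8")).hexdigest()
    return (status, ctype, digest)


# Constructed probe names; a real scanner would randomize them per run.
DEFAULT_PROBES = ("/probe-a1b2c3d4", "/probe-e5f6g7h8.html", "/probe-i9j0k1l2/")


def learn_not_found_baseline(fetch: Fetch, probes: Iterable[str] = DEFAULT_PROBES) -> Set[Fingerprint]:
    """Request paths that cannot exist and record how 'not found' looks on this host."""
    return {fingerprint(fetch(p), p) for p in probes}


def classify(fetch: Fetch, path: str, baseline: Set[Fingerprint]) -> str:
    """'absent' on a real 404, 'soft-404' when the body matches the learned
    not-found page, otherwise 'present'."""
    resp = fetch(path)
    if resp[0] == 404:
        return "absent"
    if fingerprint(resp, path) in baseline:
        return "soft-404"  # 200 OK, but the same page every missing path gets
    return "present"


def scan(fetch: Fetch, candidates: Iterable[str]) -> Dict[str, str]:
    """Learn the baseline once per host, then classify each candidate path."""
    baseline = learn_not_found_baseline(fetch)
    return {p: classify(fetch, p, baseline) for p in candidates}


if __name__ == "__main__":
    for p, verdict in scan(soft_404_fetch, ["/robots.txt", "/admin/", "/backup.zip"]).items():
        print(p, verdict)
```

Against `soft_404_fetch` the scan reports `/robots.txt` and `/admin/` as present and `/backup.zip` as a soft 404 even though all three came back with status 200; against `strict_fetch` the same guess is simply absent. Without the baseline step, every candidate path on the first server would be a false positive, which is why a scanner that "focuses on coverage and accuracy over speed" spends a few extra requests per host learning it.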
Support
The best way to get support for Nikto is via GitHub, and the documentation can be found here.
For bugs, feature requests, or questions, please open a new GitHub issue.
License
The Nikto 2.6 code is licensed under the GPLv3 license. The Nikto database files may only be distributed with, and for use in, the Nikto program/package, and may not be used in any other software product without a commercial license obtained from the author.
