Hack Like a Pro: How to Find Vulnerabilities for Any Website Using Nikto


Before attacking any website, it's critical for any white hat hacker or pentester to perform good reconnaissance. Trying various attacks without first finding which attacks the site is vulnerable to is pure foolishness. A few minutes of recon can save you hours on a hack and make the job a lot easier.

There are a number of apps that can find vulnerabilities in websites, but one of the simplest is Nikto, an open-source web server scanner. It examines a website and reports the potential vulnerabilities it finds that could be used to exploit or hack the site. It is also one of the most widely used website vulnerability tools in the industry and, in many circles, considered the industry standard.

Although this tool is extremely effective, it's not stealthy. Any site with an intrusion-detection system or other security measures in place will detect that you're scanning it. Initially designed for security testing, it was never meant to be stealthy.
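What that noise looks like from the defender's side, as an added example that is not part of the original tutorial: a Python sketch that flags scanner-like clients in an Apache combined-format access log. The log lines are constructed, the thresholds and function names are assumptions, and the first User-Agent follows the default Nikto 2.1.x format.

```python
import re
from collections import defaultdict

# Constructed sample data; the first User-Agent follows Nikto's default format.
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64)"

def _line(ip, path, status, ua):
    return (f'{ip} - - [10/Mar/2015:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", p, 404, NIKTO_UA)
     for p in ("/admin.cgi", "/interscan/", "/cgi-bin/a.cgi", "/webmail/", "/x.php")]
    + [_line("203.0.113.7", "/robots.txt", 200, NIKTO_UA)]
    + [_line("198.51.100.9", f"/cgi-bin/probe{i}.cgi", 404, BROWSER_UA) for i in range(6)]
    + [_line("192.0.2.10", p, 200, BROWSER_UA) for p in ("/", "/about.html", "/logo.png")]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def detect_scanners(log_text, min_paths=5, min_error_ratio=0.8):
    """Map client IP -> reasons it looks like an automated web scanner."""
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "errors": 0, "ua": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        s = stats[m["ip"]]
        s["paths"].add(m["path"])
        s["total"] += 1
        s["errors"] += m["status"].startswith("4")  # count 4xx answers
        s["ua"] = s["ua"] or "nikto" in m["ua"].lower()
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["ua"]:
            reasons.append("nikto-user-agent")  # a client can change this string
        if len(s["paths"]) >= min_paths and s["errors"] / s["total"] >= min_error_ratio:
            reasons.append("many-distinct-paths-mostly-4xx")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

The second heuristic is the one that still fires when the User-Agent has been changed, which is why the sample includes a client with a browser-like string.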

Step 1: Fire Up Kali & Open Nikto

Let's fire up Kali and get started with nikto. Once we have Kali up and running, go to Kali Linux -> Vulnerability Analysis -> Misc Scanners -> nikto, like in the screenshot below.


Although there are many options in using nikto, we will limit ourselves here to the basic syntax, such as this:

  • nikto -h <IP or hostname>

Step 2: Scan the Web Server

Let's start with a safe web server on our own network. In this case, I have started the http service on another machine on my network. There is not a website hosted by this machine, just the web server. Let's scan it for vulnerabilities by typing:

  • nikto -h

Nikto responds with a lot of information, as you can see below.

First, it tells us the server is Apache 2.2.14, probably on Ubuntu. It nailed this info and gives up more information on other potential vulnerabilities on this web server.

Note near the bottom that it identifies some vulnerabilities with the OSVDB prefix. This is the Open Source Vulnerability Database, a database of known vulnerabilities maintained at osvdb.org, in addition to other databases I covered, such as SecurityFocus and Microsoft's Technet.

Step 3: Scan the Site

Let's try another site. In an earlier tutorial, we had hacked a web server named webscantest.com. Let's see what nikto can tell us about this site.

  • nikto -h webscantest.com

Once again, it identifies the server (Apache) and then proceeds to identify numerous potential vulnerabilities prefixed with OSVDB. We can take a look at that website at osvdb.org to learn more about these vulnerabilities.

Now, let's use this site to find information on one of the vulnerabilities identified by nikto as OSVDB-877. We can put that reference number into the search function and it retrieves the following page.

Note that in the lower half of this page there are cross-references to the various information sources about this vulnerability, as well as references to tools and filters such as Nikto, Nessus, and Snort.

Scan WonderHowTo

Let's scan a few more sites and see what it can tell us about these sites. Let's see what we can find out about our own website, wonderhowto.com.

  • nikto -h wonderhowto.com

As you can see, it tells us that WonderHowTo is using Microsoft's IIS 8.5 as a web server and then lists numerous potential vulnerabilities.

However, any attempt to exploit the vulnerabilities listed will reveal that they're all false positives, as WonderHowTo simply returns a harmless 404 page. This is because WonderHowTo is not built on PHP or ASP as the noted exploits expect.

False positives like this can appear because the scan does not actually execute each of the possible vulnerabilities, but rather scans to see if the server responds without error to known exploitable URLs.
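A way to triage such findings on a server you are responsible for, as an added example that is not part of the original tutorial: compare each flagged URL with the answer the server gives for a path that cannot exist. The check logic is a simplified model, not Nikto's own code, and the server, pages and function names are constructed for illustration.

```python
import hashlib
import secrets

# Constructed stand-in for a web server: two real pages plus a catch-all that
# answers every unknown URL with status 200 and the same "not found" body.
REAL_PAGES = {"/": "<h1>Home</h1>", "/webmail/": "<form>mail login</form>"}
CATCH_ALL = "<h1>Sorry, that page does not exist</h1>"

def fake_fetch(path):
    """Return (status, body) the way the constructed server would."""
    return 200, REAL_PAGES.get(path, CATCH_ALL)

def naive_check(fetch, path):
    """Simplified scanner logic: any non-error answer counts as a finding."""
    status, _ = fetch(path)
    return status == 200

def _fingerprint(response):
    status, body = response
    return status, hashlib.sha256(body.encode()).hexdigest()

def triage(fetch, flagged_paths):
    """Label each flagged path by comparing it with a path that cannot exist."""
    baseline = _fingerprint(fetch("/" + secrets.token_hex(16)))
    verdicts = {}
    for path in flagged_paths:
        if _fingerprint(fetch(path)) == baseline:
            verdicts[path] = "likely false positive (same as catch-all answer)"
        else:
            verdicts[path] = "needs manual review"
    return verdicts

# Paths a scanner report might list for this server (constructed report).
CHECKED = ["/admin.cgi", "/interscan/", "/webmail/"]

if __name__ == "__main__":
    for path, verdict in triage(fake_fetch, CHECKED).items():
        print(f"{path}: naive={naive_check(fake_fetch, path)} -> {verdict}")
```

On a real server, pass a `fetch` function that performs the HTTP request; pages with per-request content (timestamps, tokens) need a looser comparison than an exact hash.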

Scan Facebook

Finally, let's point nikto at facebook.com.

  • nikto -h facebook.com

As you can see, Facebook is tightly secured with few vulnerabilities. As you can imagine, if Facebook weren't secure, every script-kiddie on the planet would be hacking it to see who his true love is chatting with online.


Hey OTW,
Nikto is quite a cool tool. (And free ;D)

But when you're covering this,

you should cover fingerprinting a Server / getting the banner of a webserver via telnet or netcat. And understanding it.

So it won't be just script after script. :)



Welcome to Null Byte!

We have already covered fingerprinting servers and pulling banners in numerous other tutorials on netcat, xprobe2, nmap, hping, etc. Check them out.



I will check them out!


Hey OTW... I loved and learnt a great deal from your tutorials.
Just a little question that I couldn't find a satisfactory answer to:
Q -> What do these output statements mean when I run Nikto on some website? And what do I do with them?
/admin.cgi: InterScan VirusWall administration is accessible without authentication.

  • /interscan/: InterScan VirusWall administration is accessible without authentication.

OTW, even if nikto stumbles around and sounds off all kinds of alarms, the sysop still won't know what vulnerabilities are being reported, is this correct? So while the admin may know something is up, he won't know what holes to fill?

Although nikto is noisy, most sysadmins are not paying attention.

No, they won't know what is reported, but a good sysadmin will have done this already. Unfortunately or fortunately, there are a LOT of bad sysadmins.

There are a lot of busy sysadmins too.

I think you are confusing busy with bad. Most of us old-timers running networks are pretty skilled. We are also under-resourced, and security STILL hasn't become enough of a budgetary priority in most small/medium enterprises.

Good, I like it when I know his cards and he doesn't know my cards. While he may know of the holes he doesn't know for sure if I know them. Advantage hacker !!!!!

Only if you are arrogant enough to assume that the sysadmin hasn't set up a honeypot and is profiling your exploits. Advantage, sysadmin!

Really starting to love this, this is looking more and more like a chess game. Of course I just had to look up honeypots. I may be setting one up on my puter to "play myself". But according to the below it appears as if it might not be a big threat but needs to be addressed.

Honeypots can be classified based on their deployment and based on their level of involvement. Based on deployment, honeypots may be classified as:

production honeypots
research honeypots

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations; Production honeypots are placed inside the production network with other production servers by an organization to improve their overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do.

Research honeypots are run to gather information about the motives and tactics of the Blackhat community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats that organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

some interesting links

Fairly long pdf file but a must read


Advantage again hacker!!


Could u make more tutorials about what a lot of all these results mean and why they r significant? I know some u might have covered. But could u still maybe make a thread detailing what these results mean to one looking for a way in? Or how these vulnerabilities could b exploited?

Dang you WonderHowTo, I now have the hacking bug.

Since my first site hack went so well I have been nikto'ing sites all over the place. One site had rows and I mean rows of CGI errors, a few even told me how to get the credit card numbers. Nikto often gives the option of -c to force all directories. Should it be used, as it appears CGI errors are huge holes in a system? (Yes, I researched, meaning googled, CGI and they are known vulnerabilities.)

Can you please do a tutorial on how to exploit the vulnerabilities found using nikto?

Thank you master for this tutorial. I scanned a website using nikto and found lots of cgi-bin vulnerabilities like this;


I tried a number of them using http-debuger on get and post method but not a single one worked for me. Does this mean all of them are false positives or am I doing something wrong? Thanks


It's hard to say without knowing more. Nikto does generate a lot of false positives, though. Check to see whether that vulnerability has a specific exploit by going to the OSVDB database.


Hey OTW,

when it displays a message like this :

" NO CGI Directories found ( use ' -C all ' to force check all possible dirs ) "

what does it mean ?

Thank you !!!


I'm not certain what you are asking, but that message means that no CGI directories were found where it expected them to be, but if you want to check all directories, then use the -C switch.


huh, look what you have shared about nikto is just about almost nothing, obviously it is for the beginners.
Above all, thank you

It's really cool

Brother, plz mention or mark the main points like vulnerabilities during scanning (hope so u understand) for beginners :) it will be more effective n enhanced your tut


please email me need some help or advice

A bit late, but I have a question: most websites that I come across are hosted by bigger hosting companies, like One.com and 3ix.org, and not on a private server. Does this mean Nikto is scanning those big servers instead of the small part where the target website is on? Which means the chance of finding a vulnerability will be smaller?

As I am trying to get to know Nikto and how to use it I found some ports I would like Nikto to go to work on for me.
But when I put in
> nikto -h http://website -p 2014
nikto reports back that it's scanning port 80.
I have tried
> nikto -port 2014 -h http://website
with the same results.
How can I get Nikto to scan a specific port for me?

P.S. the only program that reported 2014 open for me was knocker

nikto -h http://whatever.net:1234 if you need to change the port, though like someone already said, it's a web scanner so you're not likely to have any luck on anything other than port 80.

Nikto is a website vulnerability scanner.

master OTW
I understand that Nikto is a website vulnerability scanner.
if you nikto --help
you get the -port+
Therefore I thought i could direct the scan to the ports I had previously exposed.
Or does the fact that it's a website vulnerability scanner lock it to port 80?
I mentioned Knocker only because it picked up the port several other scanners had not.


I'm having some trouble with Nikto,

I open and run Nikto on Kali 1.1, type
nikto -h theWebsiteName (for privacy, I won't name the site)

It shows that it is running, says "no banner retrieved",
then after 30 seconds or so, it quits saying something about connection timing out.

Does Nikto work on all websites? or just the popular ones?

Some websites have security built in to prevent a scanner like Nikto, but I have seen very few of those.

So would there be some way around that anti-Nikto security?

Also, slightly off topic, but I feel like something changed about this NB forum...I think I remember the Linux penguin used to have an orange beak and blue text in the background...

There is ALWAYS a way around it, but you haven't given us enough info. How about a website and a screenshot?

" I feel like something changed about this NB forum...I think I remember the Linux penguin used to have a orange beak and blue text in the background." Voidx

This piqued my curiosity... so I used the Way Back Machine to see what, if anything, changed.

The Penguin was on the left hand side of the Null Byte banner from 2013 until some time between September 18th 2015 and January 23rd 2016. The matrix-themed background image was changed, but the colors of the penguin remained the same.

It looks much better now.



Is it illegal if I scan a website (only scan it) with nikto and mail the owner for requesting him money about the info I got? I need an answer please

The law is vague. If I were you, I would not do it. It could be misconstrued as extortion.

but it can be misconstrued as business too..or not? bcz the person doing such things isn't pointing a gun at the victim :P

Ask for permission first and then it will be business and there will be no legal risk.

so it can be done like this?

Ask for permission first or you may end up in prison.

not me thanks god :P so thank you very much for your answers, I appreciate that :D

Recently facebook was hacked by forgot password vulnerabilities

What does start http service on another machine on my network mean? Is this just the IP of the Windows machine?

I tried to hack a website. Its admin page was http://www.example.com/wp-admin

but it shifted me to an authentication bar which says "A username and password are being requested by http://www.example.com. The site says: "Site Needs You to Authenticate". If I give a password and username they are false and then it gives error "401" Authorization required. If anyone knows how to get rid of it and break the password and find the username please help.

Hey guys, while scanning a site I got this output and I don't really understand it

  • Cookie 0e0b288adbffaf5f44fc5b5612da434e created without the httponly flag
  • Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
  • File/dir '/administrator/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/bin/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/cache/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/cli/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/components/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/language/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/layouts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/libraries/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/logs/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/plugins/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  • File/dir '/en/personal/internet/internet-packs/' in robots.txt returned a non-forbidden or redirect HTTP code (301)
  • File/dir '/sw/site-map/' in robots.txt returned a non-forbidden or redirect HTTP code (301)
  • "robots.txt" contains 17 entries which should be manually viewed.
  • /webmail/blank.html: IlohaMail 0.8.10 contains an XSS vulnerability. Previous versions contain other non-descript vulnerabilities.
  • /securecontrolpanel/: Web Server Control Panel
  • /webmail/: Web based mail package installed

plz help out

How do we exploit those OSVDB vulnerabilities? Please explain it in detail.

Can anyone tell me how to exploit WINDOWS IIS 8.5 whose website is built using WORDPRESS????
If anyone knows pls do reply ...I am doing it as a project for my college!!!!
