Nikto Web Server Scanning Demystified: The Step-by-Step Guide That Gets Results (2025)

In an era dominated by million-dollar enterprise security solutions and complex AI-driven platforms, one of the most effective web vulnerability scanners remains a free, open-source tool created over two decades ago: Nikto. In my 10+ years as a penetration tester, I’ve seen organizations spend fortunes on security suites, only to have their entire web presence compromised by a vulnerability that a single, five-minute Nikto scan could have exposed.

Nikto is often underrated precisely because it is simple. It doesn’t have a fancy GUI or a cloud-based dashboard. It is a lean, command-line-driven workhorse that performs thousands of checks against a web server to find low-hanging fruit and critical misconfigurations. In 2025, understanding how to use Nikto is not just a skill for ethical hackers; it’s a fundamental necessity for any developer, system administrator, or security professional responsible for a web application.

A screenshot of the Nikto web vulnerability scanner running in a command line and identifying critical security flaws on a target server.

1. What Is Nikto? The Swiss Army Knife of Web Scanning

Nikto is an open-source web server scanner written in Perl. It performs comprehensive tests against web servers for multiple items, including over 6,700 potentially dangerous files and programs. Unlike network scanners that just look for open ports, Nikto interrogates the web application itself, acting like a persistent, automated hacker checking for common weaknesses.hackercoolmagazine+1

Nikto’s Core Capabilities:

Vulnerability Detection: It checks for over 6,700 potentially dangerous files, CGIs, and misconfigurations.hackercoolmagazine
Outdated Software Identification: It identifies the version of the web server (e.g., Apache, Nginx) and installed software (e.g., WordPress, OpenSSL) and flags versions with known CVEs.armur+1
Insecure HTTP Method Detection: It tests if dangerous HTTP methods like PUT, DELETE, or TRACE are enabled, which could allow an attacker to modify or delete files or perform Cross-Site Tracing (XST) attacks.
Missing Security Headers: It checks for the absence of critical security headers like Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), and X-Frame-Options.
Directory Enumeration: It attempts to find common, and often sensitive, directories like /admin, /backup, /config, and /test.

Nikto is not a quiet tool. It is designed to be fast and aggressive, which makes it “noisy” on the network. However, for a quick and thorough assessment of a web server’s security posture, it is unparalleled.

2. Installation and Setup: Getting Nikto Running

Nikto is a Perl script, so its only dependency is a Perl interpreter, which is pre-installed on most Linux and macOS systems.

On Linux (Kali, Ubuntu, etc.) and macOS:

For many security-focused Linux distributions like Kali Linux, Nikto is already installed. If not, installation is simple via Git.armur+1

Clone the Repository: Open your terminal and clone the official Nikto repository from GitHub. bashgit clone https://github.com/sullo/nikto.git
Navigate to the Program Directory: bashcd nikto/program
Run Your First Scan: You can now run Nikto directly. bash./nikto.pl -h scanme.nmap.org (Note: scanme.nmap.org is a safe, legal target for security scanning practice.)

On Windows:

Install Perl: If you don’t have Perl installed, you must first install a Perl distribution for Windows, such as Strawberry Perl or ActivePerl.
Download Nikto: Download the Nikto project as a ZIP file from the GitHub repository and extract it.
Run from the Command Line: Open a command prompt, navigate to the program directory within the extracted folder, and run the script using the Perl interpreter. textperl nikto.pl -h scanme.nmap.org

3. Basic Scanning: From Simple Scans to Powerful Options

Nikto’s power comes from its command-line flags, which allow you to tailor your scan precisely.

The Simplest Scan:

To run a basic scan against a web server on the default port 80:

bashnikto -h target.com

Scanning an HTTPS Site:

If the site uses SSL/TLS, you must use the -ssl flag:

bashnikto -h target.com -ssl

Scanning a Specific Port:

To scan a non-standard port, use the -p flag:

bashnikto -h target.com -p 8080

Saving the Output:

For documentation and analysis, it’s crucial to save your scan results. The -o flag saves the output to a file. The extension determines the format.

bashnikto -h target.com -o report.html  # HTML format
nikto -h target.com -o report.txt   # Plain text format
nikto -h target.com -o report.csv   # CSV format

Using Tuning Levels for Targeted Scans:

The -Tuning flag allows you to control the types of tests Nikto performs. This is useful for focusing on specific vulnerability classes.

Tuning Option	Focus of the Scan
`-Tuning 1`	Interesting Files / Seen in Logfiles
`-Tuning 2`	Misconfiguration / Default Files
`-Tuning 3`	Information Disclosure
`-Tuning 4`	Injection (XSS/Script/HTML)
`-Tuning 5`	Remote File Retrieval

Example: To scan specifically for injection vulnerabilities:

bashnikto -h target.com -Tuning 4

4. Real-World Vulnerabilities Nikto Detects: Interpreting the Output

A Nikto scan can produce a lot of output. The key is knowing what to look for. Here are some of the most critical findings and what they mean.

Nikto Output	What It Means	The Risk
`Server: Apache/2.4.41 (Ubuntu)`	The server is disclosing its exact software version.	If Apache 2.4.41 has a known RCE vulnerability, an attacker has everything they need to exploit it.
`HTTP method 'PUT' is enabled.`	The server allows clients to upload files via the `PUT` method.	An attacker could upload a web shell and gain complete control of the server.
`The X-Frame-Options header is not present.`	The site is vulnerable to Clickjacking.	An attacker can embed your site in an iframe on their own malicious site and trick users into performing actions they didn’t intend to.
`OSVDB-3233: /admin/: This might be an administrative interface.`	Nikto has found a common administrative directory.	If the admin panel has weak or default credentials, an attacker could gain administrative access.
`OSVDB-3092: /test.php: This appears to be a test page.`	A leftover test file is publicly accessible.	Test files often contain sensitive information, database credentials, or have security features disabled.

5. From Finding to Exploitation: Practical Scenarios

Finding a vulnerability is only half the battle. Here’s how you can turn Nikto’s findings into a practical exploitation path.

Scenario 1: Outdated Software Leads to Compromise
1. Nikto Finds: Server: WordPress 5.2 (an outdated version).
2. The Next Step: Search for known exploits for WordPress 5.2. You find a public Remote Code Execution (RCE) exploit.
3. The Attack: You use the exploit to upload a web shell and gain control of the server.
4. The Fix: Always keep your web applications and server software patched and up-to-date. This is the core principle of our guide on how to Fix Unpatched Vulnerabilities.
Scenario 2: Information Disclosure via /.git/ Directory
1. Nikto Finds: / .git/ directory is publicly accessible.
2. The Next Step: Use a tool like git-dumper to download the entire source code repository of the web application.
3. The Attack: You analyze the source code and find hardcoded database credentials, leading to a full database compromise.
4. The Fix: Configure your web server to block access to sensitive directories like .git, .svn, and .DS_Store.

6. Conclusion: The Underestimated Powerhouse

In a world of complex security threats, Nikto serves as a powerful reminder that organizations are still falling victim to the basics. Misconfigurations, outdated software, and forgotten files are the entry points for the vast majority of web application breaches.

Mastering Nikto is one of the most cost-effective ways to improve your security posture. It is free, powerful, and relentless. Run it against your own servers before an attacker does. It will almost certainly find something you missed. To take your skills to the next level, set up your own Penetration Testing Lab and practice.