Nikto can easily trigger WAF/IPS alerts; run only on hosts you have permission to test.
Usage: nikto -host <target> [-port <port>] [-ssl] [-Display <options>] [-Tuning <options>] [-output <file>] [-Format <format>] [-Plugins <list>]

Options marked "(Disabled)" are not available in the online version.

| Options | Description |
|---|---|
| -h, -host, -url | Target host/URL. |
| -output (Disabled) | Write output to this file ('.' for auto-name). |
| -Format (Disabled) | Save file format: csv, json, html, nbe, sql, txt, xml. |
| -Plugins | List of plugins to run (default: ALL). |
| -Display | Turn on/off display outputs: 1=redirects, 2=cookies, etc. |
| -ssl | Force SSL mode on port. |
| -port | Port to use (default: 80). |
| -evasion (Disabled) | Encoding techniques to evade IDS/IPS. |
| -mutate (Disabled) | Guess additional file or username paths. |
| -id (Disabled) | Host authentication in format id:pass or id:pass:realm. |
| -useproxy (Disabled) | Use the proxy defined in nikto.conf or argument. |
| -useragent (Disabled) | Override the default user-agent. |
| -Save (Disabled) | Save positive responses to this directory. |
| -Tuning | Scan tuning options (e.g. XSS, SQLi, etc.). |
| -timeout | Timeout for requests (default 10 seconds). |
| -ask (Disabled) | Whether to ask about submitting updates. |
| -check6 (Disabled) | Check if IPv6 is working. |
| -config (Disabled) | Use this config file. |
| -dbcheck (Disabled) | Check database and other key files for syntax errors. |
| -Help | Show help information. |
| -Version | Print plugin and database versions. |
| -list-plugins | List all available plugins, perform no testing. |
| -nointeractive | Disable interactive features. |
| -followredirects | Follow 3xx redirects. |
| -Pause | Pause between tests (seconds). |
| -maxtime | Maximum testing time per host. |
| -nolookup, -nossl, -noslash, -no404 | Various disabling flags (DNS lookup, SSL, trailing slash, 404 check). |
| -root | Prepend root value to all requests. |
| -vhost | Virtual host for Host header. |
| -404code, -404string | Ignore these codes or strings as negative responses. |
| -ipv4, -ipv6 | Use IPv4 or IPv6 only. |
| -Cgidirs | Scan these CGI directories. |
| -RSAcert, -key (Disabled) | Client certificate files. |
| -until | Run until the specified time or duration. |
| -Option (Disabled) | Override options in nikto.conf. |
| -Userdbs (Disabled) | Load only user databases. |
| -usecookies | Use cookies from responses in future requests. |
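The caution at the top of the page notes that Nikto readily trips WAF/IPS alerts, and the `-useragent` and `-evasion` options show why a signature on the tool's default user-agent alone is not enough on the defending side. The following Python example is added here and is not part of this page or of the Nikto project. It parses a few constructed web-server access-log lines in combined log format, flags clients presenting Nikto's default user-agent template from nikto.conf (`Mozilla/5.00 (Nikto/<version>) (Evasions:<list>) (Test:<id>)`), and falls back to a simple burst-of-404s heuristic for clients that have overridden the agent string. The IP addresses, paths, timestamps and the threshold of three are constructed values, not observed data.

```python
import re
from collections import defaultdict

# Constructed sample log (combined log format); none of these lines are real traffic.
# The first client uses Nikto's default user-agent template from nikto.conf,
# the second is an ordinary browser, the third probes many non-existent paths
# behind a browser-like user-agent (as a scan with -useragent overridden would).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.00 (Nikto/2.5.0) (Evasions:None) (Test:000001)"
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.5.0) (Evasions:None) (Test:000002)"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.5.0) (Evasions:None) (Test:000003)"
198.51.100.9 - - [10/Mar/2024:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
192.0.2.44 - - [10/Mar/2024:12:00:03 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
192.0.2.44 - - [10/Mar/2024:12:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
192.0.2.44 - - [10/Mar/2024:12:00:04 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
192.0.2.44 - - [10/Mar/2024:12:00:04 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Nikto's default user-agent (nikto.conf) carries "(Nikto/<version>)"; an operator
# who passes -useragent removes this marker, so it is a high-confidence but
# low-recall signal.
NIKTO_UA_RE = re.compile(r"\(Nikto/[\d.]+\)")


def parse_line(line: str):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text: str, not_found_threshold: int = 3) -> dict:
    """Aggregate per client IP and assign a verdict.

    nikto-default-ua : at least one request carried the Nikto user-agent marker
    probable-scanner : >= threshold 404s across >= threshold distinct paths (UA-agnostic)
    benign           : neither signal fired
    """
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "nikto_ua": 0, "paths": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not in combined log format
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        stats["paths"].add(rec["path"])
        if rec["status"] == "404":
            stats["not_found"] += 1
        if NIKTO_UA_RE.search(rec["ua"]):
            stats["nikto_ua"] += 1

    findings = {}
    for ip, s in per_ip.items():
        if s["nikto_ua"]:
            verdict = "nikto-default-ua"
        elif s["not_found"] >= not_found_threshold and len(s["paths"]) >= not_found_threshold:
            verdict = "probable-scanner"
        else:
            verdict = "benign"
        findings[ip] = {
            "verdict": verdict,
            "requests": s["requests"],
            "not_found": s["not_found"],
            "nikto_ua": s["nikto_ua"],
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_LOG).items():
        print(f"{ip:15} {f['verdict']:18} requests={f['requests']} 404s={f['not_found']} nikto_ua={f['nikto_ua']}")
```

In a real pipeline the 404 heuristic should be evaluated per time window rather than over the whole file, and the threshold tuned against the site's normal 404 rate; the user-agent match is reliable only for scans run with the default agent string.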
Nikto online
Open-source web server scanner designed to identify security issues such as outdated software, misconfigurations, and dangerous files or scripts. It performs comprehensive tests against web servers, checking for thousands of vulnerabilities, making it a useful tool for basic web application security assessments.
v2.5.0 (LW 2.5)