
Nikto

Loud-but-fast web server scanner — checks for thousands of misconfigurations.


// what it is

Description

Perl-based web server scanner that probes for roughly 7000 potentially dangerous files and CGIs, default scripts, and outdated server software. It is not stealthy by design: every check is a separate request, so a scan leaves an obvious trail in the target's access logs. It is still invaluable as a fast first pass over legacy installs.

// use cases

What people use it for

  • Quick triage of a freshly-discovered web server
  • Checking for exposed web admin panels that still accept default credentials
  • Spotting EOL Apache/IIS/nginx versions

// commands

The commands you'll type

Default scan

$ nikto -h https://target.tld

Scan + output JSON

$ nikto -h target.tld -Format json -output nikto.json

// facts

category
Web AppSec
platforms
LIN · WIN · MAC
license
FOSS
difficulty
Beginner
