Nikto Cheat Sheet
Web server scanner for dangerous files, misconfigurations, and outdated software indicators.
Overview
Nikto performs comprehensive (and noisy) checks against web servers for known issues, default files, and misconfigurations. Best used as a broad signal generator—verify findings manually before reporting.
Authorized testing only. Nikto generates many requests and can lock accounts or trigger alerts. Run only on approved web targets and time windows.
Install
```bash
sudo apt install -y nikto
nikto -Version
```
Essential commands
Basic scan
```bash
nikto -h https://target.example.com
```
Host + port
```bash
nikto -h 10.10.10.5 -p 8080 -ssl
```
Save results
```bash
nikto -h https://target.example.com -o nikto.html -Format htm
```
Common workflows
Authenticated scan —
```bash
nikto -h https://target.example.com -id "user:pass" -C all
```
Proxy through Burp —
```bash
nikto -h https://target.example.com -useproxy http://127.0.0.1:8080
```
Tuning and plugins —
```bash
nikto -h https://target.example.com -Tuning 123bde -maxtime 2h
nikto -h https://target.example.com -Plugins "apacheusers;tests"
```
Multiple virtual hosts on one IP —
```bash
nikto -h 10.10.10.5 -vhost target.example.com -ssl -p 443
```
Flags reference
| Flag | Purpose |
|---|---|
| -h | Target host or URL |
| -p | Port |
| -ssl | Force SSL |
| -o | Output file |
| -Format | Output format: txt, htm, csv, json, xml |
| -Tuning | Test categories (see -H help) |
| -Plugins | Enable/disable plugins |
| -id | HTTP basic auth user:pass |
| -useproxy | Proxy URL |
| -vhost | Virtual host header |
| -maxtime | Max run time per host |
| -mutate | Guess additional paths |
Tips
- High false-positive rate—correlate with Burp and manual validation.
- Update databases: sudo nikto -update (when available).
- Schedule during agreed maintenance windows on production.
- Combine with authenticated crawling for apps behind login.
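The tips above boil down to "do not report raw Nikto output". Here is an added Python helper, not part of Nikto or of this cheat sheet, that reads a `-Format json` result file, drops exact duplicate hits, groups findings into coarse buckets and prints the ones that still need a hand-check. It assumes the JSON is a list of host objects, each with a `vulnerabilities` list whose entries carry `id`, `method`, `url` and `msg`; the embedded sample is constructed for this example, and the keyword buckets are my own heuristics, not Nikto's tuning categories.

```python
"""Triage helper for Nikto JSON output (added example, not Nikto's own code).

Assumption: the file written by `nikto ... -o scan.json -Format json` is a
list of host objects, each holding a "vulnerabilities" list of dicts with
"id", "method", "url" and "msg". The sample below is constructed, not real
scan output, and the bucket keywords are a hand-made heuristic.
"""
import json
import sys
from collections import Counter

# Constructed sample in the assumed Nikto JSON shape. Note the duplicate
# /admin/ entry: Nikto frequently reports the same path from several checks.
SAMPLE_NIKTO_JSON = """[
  {"host": "target.example.com", "ip": "10.10.10.5", "port": "443",
   "banner": "Apache/2.4.41",
   "vulnerabilities": [
     {"id": "999970", "method": "GET", "url": "/",
      "msg": "The anti-clickjacking X-Frame-Options header is not present."},
     {"id": "999103", "method": "GET", "url": "/",
      "msg": "The X-Content-Type-Options header is not set."},
     {"id": "000366", "method": "GET", "url": "/",
      "msg": "Apache/2.4.41 appears to be outdated (constructed sample message)."},
     {"id": "003092", "method": "GET", "url": "/admin/",
      "msg": "This might be interesting."},
     {"id": "003092", "method": "GET", "url": "/admin/",
      "msg": "This might be interesting."}
   ]}
]"""

# Heuristic buckets (my own, not Nikto's -Tuning categories). Checked in order.
BUCKET_RULES = [
    ("missing-header", ("header is not present", "header is not set")),
    ("software-version", ("outdated", "version")),
    ("interesting-path", ("might be interesting", "directory indexing", "backup")),
]


def classify(msg):
    """Map a Nikto message to a coarse bucket by keyword; 'other' if none match."""
    lowered = msg.lower()
    for bucket, needles in BUCKET_RULES:
        if any(needle in lowered for needle in needles):
            return bucket
    return "other"


def load_findings(json_text):
    """Flatten host objects into one finding per (host, port, id, method, url),
    dropping exact duplicates so the report does not double-count a path."""
    seen = set()
    findings = []
    for host in json.loads(json_text):
        for vuln in host.get("vulnerabilities", []):
            key = (host.get("host"), host.get("port"), vuln.get("id"),
                   vuln.get("method"), vuln.get("url"))
            if key in seen:
                continue
            seen.add(key)
            msg = vuln.get("msg", "")
            findings.append({
                "host": host.get("host"), "port": host.get("port"),
                "id": vuln.get("id"), "method": vuln.get("method"),
                "url": vuln.get("url"), "msg": msg, "bucket": classify(msg),
            })
    return findings


def summarize(findings):
    """Count findings per bucket."""
    return dict(Counter(f["bucket"] for f in findings))


def manual_verification_queue(findings):
    """Findings that are weak evidence on their own. Header checks are
    deterministic and can be confirmed from the raw response; path guesses
    and banner-based version claims need a manual look (or a Burp request)
    before they belong in a report."""
    weak = {"interesting-path", "software-version", "other"}
    return sorted((f for f in findings if f["bucket"] in weak),
                  key=lambda f: (f["host"], f["url"], f["id"]))


def render(findings):
    """One line per finding, suitable for pasting into a triage note."""
    return "\n".join(
        f"{f['host']}:{f['port']} {f['method']} {f['url']} [{f['bucket']}] "
        f"{f['msg']} (id {f['id']})"
        for f in findings)


if __name__ == "__main__":
    # Pass a real scan.json path as argv[1]; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NIKTO_JSON
    found = load_findings(text)
    print("summary:", summarize(found))
    print("verify by hand:")
    print(render(manual_verification_queue(found)))
```

Run it as `python3 nikto_triage.py scan.json` after a scan saved with `-o scan.json -Format json`; the header findings can be written up directly, while the queue it prints is the list to replay through Burp or a browser before anything reaches the report.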