Vulnerability assessment

1. Vulnerability assessment using openVAS

2. Vulnerability assessment using Nessus

Windows version. Scanning with a policy

3. Vulnerability assessment using GFI LanGuard

Windows tool

4. Nikto scanner

Nikto help

nikto -H

start the scan

nikto -h -Tuning x

-h specifies the targer

-Tuning scan perimenters, x specifies run all scans against the target

Finding cgi directories

nikto -h -Cgidirs all

saving the scan

nikto -h -o result -F txt

-o filename where result will be saved

-F file type

Scanning on other ports

nikto -h -p 80,8000,8080

Nikto Plugins

Plugins further extend the capabilities of Nikto. Using information gathered from our basic scans, we can pick and choose plugins that are appropriate to our target. You can use the --list-plugins flag with Nikto to list the plugins or view the whole list in an easier to read format online.

Some interesting plugins include:

Plugin NameDescription


Attempt to enumerate Apache HTTP Authentication Users


Look for CGI scripts that we may be able to exploit


Analyse the robots.txt file which dictates what files/folders we are able to navigate to


Attempt to use a directory traversal attack (i.e. LFI) to look for system files such as /etc/passwd on Linux (http://ip_address/application.php?view=../../../../../../../etc/passwd)

We can specify the plugin we wish to use by using the-Plugin argument and the name of the plugin we wish to use...For example, to use the "apacheuser" plugin, our Nikto scan would look like so:

nikto -h -Plugin apacheuser

Tuning Your Scan for Vulnerability Searching

Nikto has several categories of vulnerabilities that we can specify our scan to enumerate and test for. The following list is not extensive and only include the ones that you may commonly use. We can use the -Tuningflag and provide a value in our Nikto scan:

Category NameDescriptionTuning Option

File Upload

Search for anything on the web server that may permit us to upload a file. This could be used to upload a reverse shell for an application to execute.


Misconfigurations / Default Files

Search for common files that are sensitive (and shouldn't be accessible such as configuration files) on the web server.


Information Disclosure

Gather information about the web server or application (i.e. verison numbers, HTTP headers, or any information that may be useful to leverage in our attack later)



Search for possible locations in which we can perform some kind of injection attack such as XSS or HTML


Command Execution

Search for anything that permits us to execute OS commands (such as to spawn a shell)


SQL Injection

Look for applications that have URL parameters that are vulnerable to SQL Injection


Saving Your Findings

Rather than working with the output on the terminal, we can instead, just dump it directly into a file for further analysis - making our lives much easier!

Nikto is capable of putting to a few file formats including:

  • Text File

  • HTML report

We can use the -o argument (short for -Output) and provide both a filename and compatible extension. We can specify the format (-f) specifically, but Nikto is smart enough to use the extension we provide in the-o argument to adjust the output accordingly.

For example, let's scan a web server and output this to "report.html": nikto -h http://ip_address -o report.html

Verbosing our Scan

We can increase the verbosity of our Nikto scan by providing the following arguments with the-Display flag. Unless specified, the output given by Nikto is not the entire output, as it can sometimes be irrelevant (but that isn't always the case!)

ArgumentDescriptionReasons for Use


Show any redirects that are given by the web server.

Web servers may want to relocate us to a specific file or directory, so we will need to adjust our scan accordingly for this.


Show any cookies received

Applications often use cookies as a means of storing data. For example, web servers use sessions, where e-commerce sites may store products in your basket as these cookies. Credentials can also be stored in cookies.


Output any errors

This will be useful for debugging if your scan is not returning the results that you expect!

Last updated