Using Nikto is fairly straightforward. The main required arguments are the target host and port against which the scan will be conducted. If no port is specified, port 80 (the default) is used. All command-line options except for -debug, -update, -dbcheck, and -verbose are available by using the first letter as a short-form option. Execute the program with no arguments, and a description of all available options along with module-loading warning messages will be displayed. You'll see the warning messages if support modules such as SSL are not installed correctly.
- -findonly
  This does a port scan only; no other checks will be run. If you are port-scanning only, I suggest you use Nmap or some other tool that is dedicated to that task.
- -Format
  This controls the output format when the -output flag is used. Valid values are htm, csv, and txt. If this option is not used, txt will be used as the default output format.
- -generic
  This forces all checks in the scan database to be executed, regardless of web server banner.
- -host+
  Use this to specify the target host or a file that contains target entries in the format domain.com:80:443. Each line should contain one entry; any other command-line options such as -ssl will be applied to all the hosts in the file.
- -id+
  Use this to specify HTTP Basic authentication credentials in the form username:password:realm. The realm is optional.
- -mutate+
  The mutate options are special, in that each integer placed in these options activates a different "conditional" plug-in. For example, by entering 13 you enable the Mutate and Enum_apache plug-ins.
- -nolookup
  This avoids hostname DNS lookups.
- -output+
  This specifies an output filename. The default format is plain text.
- -port+
  This is the port the checks will be run against. The default is 80.
- -root+
  This prepends a directory to all requests. This is useful for web servers that are configured to redirect all requests to a static virtual directory.
- -ssl
  This forces use of HTTPS. On occasion this option is unreliable. A workaround is to use Nikto in combination with an HTTPS proxy agent such as sslproxy, stunnel, or openssl.
- -timeout
  This is the connection timeout (the default is 10 seconds). If you are on a fast link and are scanning a multitude of hosts, lowering this helps to reduce scan time.
- -useproxy
  This tells Nikto to use the proxy information defined in config.txt, for all requests. At the time of this writing, only HTTP proxies are supported.
- -Version
  This will print the version of all found plug-ins and databases.
- -vhost+
  This sets the virtual host that will be used for the HTTP Host header. This is crucial when scanning a domain that is hosted on a server virtually. To get the most coverage you should run a scan against the web server's IP, and against the domain.
- -debug
  This enables debug mode, which outputs a large amount of detail regarding every request and response.
- -dbcheck
  This does a basic syntax-check against the scan_database.db and user_scan_database.db databases that the main scanning engine uses.
- -update
  This retrieves and updates databases and plug-ins, getting the latest version from cirt.net. By default Nikto will never automatically download and install updates. It will prompt the user for acknowledgment.
- -verbose
  This enables verbose mode.
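
The target-file format described for the -host option, as an added example (not from the original text and not part of Nikto): a shell function that expands such a file into host/port pairs and rejects malformed entries before a scan is started. It assumes every colon-separated field after the host is a port and that an entry without a port uses the default of 80; the function names and sample hosts are constructed.

```shell
# Expand a -host target file (entries such as domain.com:80:443, one per
# line, read from stdin) into "host port" pairs. A malformed entry is
# reported on stderr, produces no output, and makes the function return 1.
# Assumption: fields after the host are ports; no port means the default 80.
expand_targets() {
    bad=0 lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # tolerate CRLF and stray blanks
        [ -z "$line" ] && continue
        host=${line%%:*}
        case $line in *:*) rest=${line#*:} ;; *) rest=80 ;; esac
        ok=1 out=
        case $host in ''|*[!A-Za-z0-9.-]*) ok=0 ;; esac   # empty or odd characters
        case $rest in ''|*:) ok=0 ;; esac                 # "host:" or trailing colon
        while [ "$ok" -eq 1 ] && [ -n "$rest" ]; do
            port=${rest%%:*}
            case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
            # reject empty, non-numeric, or over-long fields before comparing
            case $port in ''|*[!0-9]*|??????*) ok=0; break ;; esac
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then ok=0; break; fi
            out="${out}${host} ${port}
"
        done
        if [ "$ok" -eq 1 ]; then
            printf '%s' "$out"
        else
            echo "line $lineno: malformed entry: $line" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample target file (reserved example domains only).
sample_targets() {
    printf '%s\n' 'example.com:80:443' 'intranet.example.org' \
        'bad.example.net:http' 'example.net:8080:70000'
}

# Demo: two entries expand, two are rejected with a line number.
sample_targets | expand_targets || true
```

Run it as `expand_targets < targets.txt` and treat a non-zero return as a reason to fix the file before scanning, since any other command-line options apply to every host listed in it.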