Web Penetration test Part 4 (Nikto website scanner)
Nikto:-
As we all know this tool is used to use to scan a website and it automatically scans websites and subdomains it has many custom commands and finds many vulnerabilities like XSS, robots.txt and it is also easy to use.
Here is a guide to use Nikto
This tool is preinstalled in Kali Linux:-
To start this tool open terminal and open this tool
type nikto -host [target url]
here you can see vulnerabilities in my website likenull.rf.gd as you can see my site more vulnerable like there is no header for XSS to make my website secure so you can perform XSS attack to this website.
type nikto -help to open the help page
Let's talk about the features of Nikto:-
As you can see I am using Kali Linux 2020.1
-Display: One can control the output that Nikto shows. Reference numbers are used for specification. Multiple numbers may be used as well. The allowed reference numbers can be seen below:
-evasion: pentesters, hackers, and developers are also allowed to specify the Intrusion Detection System evasion technique to use. This option also allows the use of reference numbers to specify the type of technique. Multiple numbers of references may be used:
-host: This option is used to specify the host(s) to target for a scan. It can be an IP address, hostname, or text file of hosts.
-id: For websites that require authentication, this option is used to specify the ID and password to use. The usage format is “id: password”.
you can use nikto -host [target url] -c all
to check all the modules
Here you can see the results a little bit different.
So as now you have learned how to use Nikto in the next post you will learn to use WPscan.
That's all for this post.
If you have any doubts regarding the above content then feel free to ask in the comment section.
No comments: