# Nikto Cheatsheet

**Purpose:** web server scanner that checks for dangerous files and CGIs, outdated server software, misconfigurations, and known-vulnerable components. It is a signature/plugin-driven scanner, not a crawler: it only requests the paths its databases know about.
## Basic Usage

```bash
nikto -h <target>                     # Scan a target (default port 80)
nikto -h https://target.tld           # HTTPS target (the URL scheme selects port 443 and SSL)
nikto -h <ip> -p 443 -ssl             # Force SSL on a custom port
nikto -h <ip> -p 80,443,8080,8443     # Multiple ports
nikto -h hosts.txt                    # Scan a list of targets (one host or URL per line)
```
## Common Flags

| Flag | Description |
|---|---|
| `-h <host>` | Target host, URL, or file of hosts (short form of `-host`) |
| `-p <ports>` | Port(s): single, comma-separated list, or range |
| `-ssl` | Force SSL/TLS on the port |
| `-nossl` | Disable SSL |
| `-root <path>` | Prepend a root path to all requests (format `/directory`) |
| `-vhost <host>` | Set the virtual host (value of the Host header) |
| `-id <user:pass[:realm]>` | HTTP Basic auth; realm is optional |
| `-useragent <ua>` | Override the default User-Agent |
| `-useproxy [url]` | Route through a proxy; with no argument, uses the PROXY* settings in nikto.conf |
| `-Display <opts>` | Output verbosity flags (see below) |
| `-Format <fmt>` | Output format: csv, htm, txt, xml, json, sql, nbe |
| `-o <file>` / `-output <file>` | Write report to file |
| `-Tuning <ids>` | Limit checks to specific categories (see below) |
| `-Plugins <list>` | Run specific plugins only (default: ALL) |
| `-evasion <ids>` | IDS evasion encoding techniques (see below) |
| `-timeout <s>` | Per-request timeout (default 10 s) |
| `-maxtime <s/m/h>` | Hard scan time limit per host (e.g. `30m`) |
| `-Pause <s>` | Pause between tests, in seconds (integer or float) |
| `-ask no` | Don't prompt about submitting updates to CIRT.net |
| `-update` | Update plugins / databases |
| `-list-plugins` | List installed plugins |
## Output

```bash
nikto -h https://target.tld -o report.html -Format htm
nikto -h <ip> -o nikto.json -Format json
nikto -h <ip> -o nikto.xml -Format xml
nikto -h <ip> -o nikto.csv -Format csv
```

`-Display` flags (concatenate to combine, e.g. `-Display 1V`):

| ID | Meaning |
|---|---|
| `1` | Show redirects |
| `2` | Show cookies received |
| `3` | Show all 200/OK responses |
| `4` | Show URLs requiring authentication |
| `D` | Debug output |
| `E` | Display all HTTP errors |
| `P` | Print progress to STDOUT |
| `S` | Scrub IPs and hostnames from output |
| `V` | Verbose output |
## Tuning (Limit Check Categories)

```bash
nikto -h <target> -Tuning <ids>      # IDs are concatenated, no separator
```

| ID | Category |
|---|---|
| `0` | File upload |
| `1` | Interesting files / seen in logs |
| `2` | Misconfiguration / default files |
| `3` | Information disclosure |
| `4` | Injection (XSS/Script/HTML) |
| `5` | Remote file retrieval, inside webroot |
| `6` | Denial of Service |
| `7` | Remote file retrieval, server-wide |
| `8` | Command execution / remote shell |
| `9` | SQL injection |
| `a` | Authentication bypass |
| `b` | Software identification |
| `c` | Remote source inclusion |
| `d` | WebService |
| `e` | Administrative console |
| `x` | Reverse tuning: run everything except the listed IDs |

Examples:

```bash
nikto -h <target> -Tuning 123b   # Files, misconfig, info disclosure, fingerprint
nikto -h <target> -Tuning x6     # Everything EXCEPT DoS
nikto -h <target> -Tuning 9a     # SQLi + auth bypass only
```
## Evasion Techniques (`-evasion`)

These change how each request is encoded, in the hope that an IDS/WAF signature does not match while the web server still normalises the request to the intended path.

| ID | Technique |
|---|---|
| `1` | Random URI encoding (non-UTF8) |
| `2` | Directory self-reference (`/./`) |
| `3` | Premature URL ending |
| `4` | Prepend long random string |
| `5` | Fake parameter |
| `6` | TAB as request spacer |
| `7` | Change the case of the URL |
| `8` | Use Windows directory separator (`\`) |
| `A` | Use a carriage return (0x0d) as request spacer |
| `B` | Use binary value 0x0b as request spacer |

```bash
nikto -h <target> -evasion 1234   # IDs are concatenated, no separator
```

Caveat: evasion trades coverage for stealth. Techniques 7 and 8 in particular rely on the server being case-insensitive or accepting backslashes (typical of IIS on Windows); against a case-sensitive filesystem behind Apache or nginx they turn real hits into false negatives. Re-run any suspicious misses without `-evasion`.
## Auth, Headers, vhost, Proxy

```bash
# HTTP Basic (append :realm if the server challenges with one)
nikto -h https://target.tld -id 'admin:password'
# Custom UA + custom Host (vhost test)
nikto -h <ip> -vhost dev.target.tld -useragent "Mozilla/5.0 Recon/1.0"
# Through Burp / ZAP
nikto -h https://target.tld -useproxy http://127.0.0.1:8080
```

Cookie-based sessions: Nikto has no flag for arbitrary request headers. Set the cookie in nikto.conf instead; it is then sent with every request:

```
STATIC-COOKIE="session"="abcd1234"
```

The proxy can also be set in nikto.conf, which is what a bare `-useproxy` falls back to:

```
PROXYHOST=127.0.0.1
PROXYPORT=8080
```
## Practical Recipes

```bash
# Quick fingerprint + misconfig sweep, no DoS, no SQLi noise
nikto -h https://target.tld -Tuning 123b -maxtime 15m -o fp.html -Format htm

# Full scan against an internal app behind a non-default path
nikto -h http://<ip> -p 8080 -root /app/ -o app-scan.txt

# Bulk scan from a list, JSON output, throttled
nikto -h targets.txt -Pause 1 -o bulk.json -Format json -ask no

# SSL scan with verbose progress
nikto -h target.tld -p 443 -ssl -Display PV
```
## Tips

- Nikto is loud; assume IDS/WAF will flag it. Use `-Pause`, `-Tuning`, and `-evasion` if stealth matters.
- Run after `whatweb` / `wafw00f` so tuning matches the detected stack.
- Many findings are informational; verify hits manually with `curl` before claiming a vuln.
- Use `-update` after install and periodically; checks are plugin-driven.
- For HTTPS targets that redirect from HTTP, scan both ports explicitly; Nikto won't always follow.
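Triage for a report written with `-Format json` (Output section above), applied to the "verify hits manually" tip. This is an added Python example, not part of Nikto: it flattens the host/vulnerability structure, drops duplicate entries, separates header and fingerprint noise from items that deserve a manual look, and emits a `curl` command for each of the latter. Assumptions: the report shape (a list of host objects, each carrying `host`, `port` and a `vulnerabilities` list of `method`/`url`/`msg` plus either an `OSVDB` key as in 2.1.6 or a `references` key as in newer builds) follows Nikto's JSON writer; the informational message patterns and the port-to-scheme mapping are heuristics; the embedded report is constructed sample data, not a real scan.

```python
"""Triage a Nikto JSON report (added example, not part of Nikto).

Assumed report shape, following Nikto's JSON writer: a list of host objects,
each with "host", "port" and a "vulnerabilities" list of
{"method", "url", "msg", "OSVDB" (2.1.6) or "references" (newer builds)}.
"""
import json
import re
import shlex
import sys
from urllib.parse import urljoin

# Heuristic (assumption): Nikto messages about header hygiene and version
# fingerprints are worth recording but are not findings to "claim" as vulns.
INFO_PATTERNS = re.compile(
    r"X-Frame-Options|X-XSS-Protection|X-Content-Type-Options|"
    r"uncommon header|Server leaks|appears to be outdated|Allowed HTTP Methods",
    re.IGNORECASE,
)

# Ports treated as TLS when building verification URLs (assumption: the
# report does not record whether -ssl was in effect).
TLS_PORTS = {"443", "8443"}

# Constructed sample report shaped like Nikto's JSON output; not real scan data.
SAMPLE_REPORT = json.dumps([{
    "host": "target.tld", "ip": "203.0.113.10", "port": "443",
    "banner": "Apache/2.4.29 (Ubuntu)",
    "vulnerabilities": [
        {"OSVDB": "0", "method": "GET", "url": "/",
         "msg": "The anti-clickjacking X-Frame-Options header is not present."},
        {"OSVDB": "0", "method": "GET", "url": "/",
         "msg": "Apache/2.4.29 appears to be outdated."},
        {"OSVDB": "3092", "method": "GET", "url": "/admin/",
         "msg": "/admin/: This might be interesting."},
        {"OSVDB": "3092", "method": "GET", "url": "/admin/",   # duplicate entry
         "msg": "/admin/: This might be interesting."},
        {"OSVDB": "3268", "method": "GET", "url": "/backup/",
         "msg": "/backup/: Directory indexing found."},
    ],
}])


def load_findings(report_text):
    """Flatten hosts x vulnerabilities into one dict per finding.

    Accepts a single host object or the list form, and either reference key.
    """
    data = json.loads(report_text)
    hosts = data if isinstance(data, list) else [data]
    findings = []
    for host in hosts:
        for vuln in host.get("vulnerabilities", []):
            ref = str(vuln.get("OSVDB") or vuln.get("references") or "")
            findings.append({
                "host": host.get("host", ""),
                "port": str(host.get("port", "")),
                "method": vuln.get("method", "GET"),
                "url": vuln.get("url", "/"),
                "msg": vuln.get("msg", ""),
                "ref": "" if ref == "0" else ref,   # OSVDB "0" means no reference
            })
    return findings


def dedupe(findings):
    """Drop repeated (host, port, method, url, msg) entries, keeping first-seen order."""
    seen, unique = set(), []
    for f in findings:
        key = (f["host"], f["port"], f["method"], f["url"], f["msg"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def classify(finding):
    """'info' for header/fingerprint noise, 'verify' for everything else."""
    return "info" if INFO_PATTERNS.search(finding["msg"]) else "verify"


def curl_command(finding):
    """Build the manual re-check: status code and body size for the exact URL."""
    scheme = "https" if finding["port"] in TLS_PORTS else "http"
    target = urljoin(f"{scheme}://{finding['host']}:{finding['port']}/", finding["url"])
    return ("curl -sk -X " + shlex.quote(finding["method"]) +
            " -o /dev/null -w '%{http_code} %{size_download}\\n' " +
            shlex.quote(target))


def triage(report_text):
    """Return deduplicated findings annotated with a class and a verification command."""
    findings = dedupe(load_findings(report_text))
    for f in findings:
        f["class"] = classify(f)
        f["check"] = curl_command(f) if f["class"] == "verify" else ""
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for f in triage(text):
        ref = f" (ref: {f['ref']})" if f["ref"] else ""
        print(f"[{f['class']}] {f['host']}:{f['port']} {f['method']} {f['url']}{ref}")
        print(f"    {f['msg']}")
        if f["check"]:
            print(f"    {f['check']}")
```

Run it as `python3 triage.py nikto.json`; with no argument it triages the embedded sample. A `verify` classification is not a confirmed vulnerability, only an item that the `curl` line lets you confirm or discard by hand; compare the status code and body size against a known-404 path on the same host, since Nikto's own 404 detection is what produces most of its false positives.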