Nikto is an Open source web scanner released under the GPL license, which is used to perform comprehensive tests
on Web servers for multiple items including over 6500 potentially dangerous files/CGIs.
To install Nikto on Centos ;
1 yum install perl-CPAN* perl perl-Net-SSLeay openssl install perl-Time-HiRes
2 wget https://github.com/sullo/nikto/archive/master.zip
3 – unzip master.zip
To run a simple test, just type ./nikto.pl -h 192.168.10.74 on the program folder.
This is the result from my development server
– Nikto v2.1.6
+ Target IP: 192.168.10.74
+ Target Hostname: 192.168.10.74
+ Target Port: 80
+ Start Time: 2016-09-01 08:43:45 (GMT-3)
+ Server: Lotus-Domino
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ IBM/Lotus Domino: Server detected based on banner or nsf retrieval.
+ IBM/Lotus Domino: Version 188.8.131.52 detected at /download/filesets/l_LOTUS_SCRIPT.inf.
+ OSVDB-523: /homepage.nsf: This database can be read without authentication, which may reveal sensitive information.
+ Allowed HTTP Methods: GET, HEAD, POST, TRACE, PUT, DELETE, OPTIONS, PATCH
+ OSVDB-397: HTTP method (‘Allow’ Header): ‘PUT’ method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method (‘Allow’ Header): ‘DELETE’ may allow clients to remove files on the web server.
+ HTTP method: ‘PATCH’ may allow client to issue patch commands to server. See RFC-5789.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /ckeditor/ckeditor.js: CKEditor identified. This file might also expose the version of CKEditor.
+ /ckeditor/CHANGES.md: CKEditor Changelog identified.
+ 8392 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2016-09-01 08:45:02 (GMT-3) (77 seconds)
+ 1 host(s) tested