When auditing web infrastructure, speed and accuracy in the reconnaissance phase are critical. Nikto is a classic, lightweight, open-source command-line tool that checks web servers for over 6,700 dangerous files, outdated server versions, default scripts, and common misconfigurations.
In this guide, we will break down what Nikto is, how it works, how to install it on various operating systems, and how to execute command-line scans like a professional security auditor.
We will cover:
- How Nikto scans web servers.
- Detailed installation instructions.
- Basic and advanced commands with explanations.
- How to analyze and save scan reports.
- Pros and limitations of using Nikto.
What is the Nikto Web Vulnerability Scanner?
Nikto is a web server scanner rather than an application-layer fuzzer. It does not look for custom SQL injection points in your application’s checkout page. Instead, it checks the environment hosting the web application: the web server software (Apache, Nginx, IIS), SSL/TLS configurations, HTTP headers, and known default files.
Key Features of Nikto:
- Outdated Server Version Check: Identifies server banners and warns if the version is out-of-date and contains known CVEs.
- Server Misconfigurations: Detects issues like directory indexing, default credentials, or risky HTTP methods enabled (e.g., TRACE or PUT).
- Hidden Files and Directories: Probes for standard files like robots.txt, admin login pages, configuration files, backup databases, or setup scripts.
- SSL/TLS Auditing: Checks for weak cipher suites, expired certificates, and missing secure headers.
To perform a thorough security audit, Nikto is best paired with Nmap (to find the open port first) and OWASP ZAP (to perform deep, authenticated scanning of application logic).
How to Install Nikto
Nikto is written in Perl, making it cross-platform. It runs on any operating system that has a Perl interpreter.
🐧 Linux (Debian, Ubuntu, Mint)
On Debian-based systems, Nikto is available in default repositories:
sudo apt update
sudo apt install nikto -y
On Kali Linux, Nikto comes pre-installed as part of the default web app scanning toolkit.
🍎 macOS
macOS users can install Nikto using Homebrew:
brew update
brew install nikto
🪟 Windows
To run Nikto on Windows, you can use the Windows Subsystem for Linux (WSL) which is the recommended approach. Alternatively, you can download Perl (like Strawberry Perl) and Nikto source files:
- Install Strawberry Perl.
- Download the Nikto source code repository from GitHub.
- Open Command Prompt and run:
perl nikto.pl -h <target>
Mastering Nikto Commands: Syntax & Use Cases
The general command structure for Nikto is:
nikto -h <host> [options]
Let’s look at the most useful commands and flags for real-world auditing.
1. Basic Scan
To run a standard HTTP scan against a domain or IP address:
nikto -h http://example.com
2. Scanning with SSL Enabled
If the web server runs on HTTPS, specify the protocol or use the -ssl flag to force SSL negotiation:
nikto -h https://example.com -ssl
3. Scanning a Custom Port
By default, Nikto scans port 80 (HTTP) or 443 (HTTPS). If the server is hosting on a custom port, such as 8080 or 8443, either include it in the -h value (e.g., http://192.168.1.50:8080) or pass it separately with -p:
nikto -h http://192.168.1.50 -p 8080
4. Tuning Your Scan
By default, Nikto scans for every possible vulnerability in its database. To speed up the scan and limit queries, use the -Tuning flag followed by specific numbers representing the test classes:
| Code | Test Class |
|---|---|
| 1 | Interesting File / Seen in web logs |
| 2 | Misconfigurations / Default Files |
| 3 | Information Disclosure |
| 4 | Injection (XSS/SQLi) |
| 5 | Remote File Retrieval |
| 6 | Denial of Service |
| 7 | Remote File Execution |
| 8 | Command Execution / Bypass |
| 9 | SQL Injection |
| a | Authentication Bypass |
| b | Software Identification |
| g | Generic Web Application Bugs |
For example, to only test for misconfigurations (2) and information disclosure (3):
nikto -h http://example.com -Tuning 23
5. Saving Output to a File
In penetration testing, documentation is key. You can save your scan output in HTML, XML, CSV, or Text format:
nikto -h http://example.com -o results.html -Format html
This command generates a structured HTML report that can be opened in any browser.
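The five use cases above are usually combined into one repeatable run. The following POSIX shell wrapper is an added example written for this guide, not code from the Nikto project: it reads one URL per line from a target file (the file name, the default -Tuning string 23 and the default txt format are assumptions of this script), validates the tuning string against the codes in the table above, adds -ssl for https:// targets, and saves each report under a name derived from the URL. It assumes a `nikto` binary on PATH only when it actually scans; the helper functions work without it.

```shell
#!/bin/sh
# Batch wrapper around the Nikto commands shown above (added example; not part
# of the Nikto project). Usage: ./nikto_batch.sh targets.txt [tuning] [format]
# targets.txt holds one URL per line, e.g. http://192.168.1.50:8080

# valid_tuning CODES -> succeeds only when every character is one of the
# tuning codes from the table above (1-9, a, b, g); Nikto defines a few more.
valid_tuning() {
    case "$1" in
        '' | *[!1-9abg]*) return 1 ;;
        *) return 0 ;;
    esac
}

# report_name URL FORMAT -> file name with the scheme stripped and ':' '/'
# replaced by '_', e.g. http://192.168.1.50:8080 txt -> 192.168.1.50_8080.txt
report_name() {
    base=$(printf '%s' "$1" | sed -e 's#^[a-z]*://##' -e 's#[:/]#_#g' -e 's#_*$##')
    printf '%s.%s\n' "$base" "$2"
}

# ssl_flag URL -> prints "-ssl" for https:// targets, nothing otherwise
ssl_flag() {
    case "$1" in
        https://*) printf '%s' '-ssl' ;;
    esac
}

# run_scan URL TUNING FORMAT -> one Nikto run; a custom port rides along
# inside the URL (host:port), which Nikto accepts in -h
run_scan() {
    out=$(report_name "$1" "$3")
    # $(ssl_flag ...) is deliberately unquoted so an empty result adds no argument
    nikto -h "$1" -Tuning "$2" -o "$out" -Format "$3" $(ssl_flag "$1")
}

main() {
    targets="$1"; tuning="${2:-23}"; fmt="${3:-txt}"
    valid_tuning "$tuning" || { echo "invalid -Tuning string: $tuning" >&2; return 2; }
    command -v nikto >/dev/null 2>&1 || { echo "nikto not found on PATH" >&2; return 127; }
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        echo "== scanning $url -> $(report_name "$url" "$fmt")"
        run_scan "$url" "$tuning" "$fmt"
    done < "$targets"
}

# Scan only when a target file is given; otherwise just define the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Keeping the report name deterministic per URL means a re-scan after patching overwrites the previous report, so a simple `diff` of the two text reports shows exactly which findings were fixed.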
Understanding Nikto Scan Output
When you run Nikto, the output starts with basic metadata about the host, followed by lines prefixed with + signs. These denote potential vulnerabilities or points of interest:
- Target IP: 93.184.216.34
- Target Hostname: example.com
- Target Port: 80
- Start Time: 2026-06-16 09:05:00 (GMT+5)
---------------------------------------------------------------------------
+ Server: IIS/10.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined.
+ The X-Content-Type-Options header is not set.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /phpmyadmin/: phpMyAdmin directory found.
Triaging Findings:
- Server Banner: Check if the server version has unpatched vulnerabilities by looking up the version in the Exploit Database.
- Missing Headers: Security headers like X-Frame-Options and Content-Security-Policy prevent client-side exploits like clickjacking and XSS.
- OSVDB-XXXX / CVE-XXXX: These are database identifiers pointing to known vulnerability documentation. Note that OSVDB itself stopped operating in 2016, so cross-reference OSVDB findings against the CVE/NVD entries for the affected software.
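To turn the raw "+" lines into the triage buckets just described, the following POSIX shell script is an added example for this guide (not part of Nikto). It works on a report saved with `-o scan.txt -Format txt`, or, with no argument, on a constructed sample embedded below that mirrors the output shown above; the sample adds TRACE to the allowed-methods line so the method check has something to flag. The function names and the set of methods treated as risky (TRACE, PUT, DELETE) are this script's own assumptions.

```shell
#!/bin/sh
# Triage helper for Nikto text output (added example; not part of Nikto).
# Usage: ./nikto_triage.sh [scan.txt]

# Constructed sample, modelled on the output shown above (not a real scan).
SAMPLE_SCAN='- Target IP:          93.184.216.34
- Target Hostname:    example.com
- Target Port:        80
+ Server: IIS/10.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined.
+ The X-Content-Type-Options header is not set.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-3092: /phpmyadmin/: phpMyAdmin directory found.'

# server_banner SCAN_TEXT -> the value after "+ Server:" (compare with vendor advisories)
server_banner() {
    printf '%s\n' "$1" | sed -n 's/^+ Server: *//p' | head -n 1
}

# missing_headers SCAN_TEXT -> one header name per line for every
# "<header> header is not present/defined/set" finding
missing_headers() {
    printf '%s\n' "$1" | awk '
        /^[+] .* header is not (present|defined|set)/ {
            for (i = 1; i <= NF; i++)
                if ($(i+1) == "header") { print $i; break }
        }'
}

# risky_methods SCAN_TEXT -> any of TRACE/PUT/DELETE in "Allowed HTTP Methods";
# empty output means none are enabled
risky_methods() {
    printf '%s\n' "$1" | awk -F': ' '
        /^[+] Allowed HTTP Methods:/ {
            n = split($2, m, ", *")
            for (i = 1; i <= n; i++)
                if (m[i] ~ /^(TRACE|PUT|DELETE)$/) print m[i]
        }'
}

# vuln_ids SCAN_TEXT -> unique OSVDB-/CVE- identifiers to look up, one per line
vuln_ids() {
    printf '%s\n' "$1" | grep -oE '(OSVDB|CVE)-[0-9-]+' | sort -u
}

# triage SCAN_TEXT -> human-readable summary of the buckets above
triage() {
    scan="$1"
    printf 'Server banner : %s\n' "$(server_banner "$scan")"
    printf 'Missing headers (%s):\n' "$(missing_headers "$scan" | wc -l | tr -d ' ')"
    missing_headers "$scan" | sed 's/^/  - /'
    printf 'Risky methods : %s\n' "$(risky_methods "$scan" | tr '\n' ' ')"
    printf 'Vulnerability ids to look up:\n'
    vuln_ids "$scan" | sed 's/^/  - /'
}

if [ -n "${1-}" ]; then
    triage "$(cat "$1")"
else
    triage "$SAMPLE_SCAN"
fi
```

Each bucket maps to a different owner: the banner and vulnerability ids go to whoever patches the server, the missing headers and risky methods are one-line fixes in the web server configuration, which is why it helps to separate them before handing the report on.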
Pros and Limitations of Nikto
| Pros | Limitations |
|---|---|
| Fast Setup: Lightweight and runs instantly. | Noisy: Extremely loud; triggers intrusion detection systems (IDS) immediately. |
| Large DB: Checks for 6,700+ server vulnerabilities. | No Logic Testing: Cannot audit complex, custom application state workflows. |
| Automation: Easy to script into bash setups. | Text-Only: No official GUI interface. |
If you need a tool that can discover unlinked folders or search for files silently using customized wordlists, you should switch to directory enumerators like Gobuster.
Conclusion
Nikto is an exceptional utility for fast-paced web server auditing. It serves as a great first-line scanner to highlight obvious misconfigurations, missing security headers, and leftover setup scripts. To secure a web server, patch your server applications regularly, disable unused HTTP options, and hide server banners to minimize exposure.