Nikto 2.1.0 – Web Server Security Auditing Tool

It’s been almost 2 years since the last release Nikto, version 2 and finally, 2.1.0 is out.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).


Version 2.1.0 has gone through significant rewrites under the hood in order to make it more expandable and usable.

  • Rewrite to the plugin engine allowing more control of the plugin structure and making it easier to add plugins
  • Rewrite to the reporting engine allowing reporting plugins to cover more and also ensuring that output is written if Nikto is quit before finishing
  • Addition of caching to reduce amount of calls made to the web servers, as well as a facility to disable smart 404 guessing.
  • Addition of simple guessing for whether a system is an embedded device and to report what it is
  • Plugin to use OWASPs dictionary lists to attempt to brute force directories on the remote web server (as mutate 6)
  • Plugin to attempt to brute force domains (as mutate 5)
  • Allow username guessing (mutate 3 and 4) to use a dictionary file as well as brute forcing, hurray!
  • Support for NTLM authentication
  • Lots of bug fixes and new security checks

You can download Nikon 2.1.0 from here or read more here.

Layer Four Traceroute (LFT) and WhoB

LFT, short for Layer Four Traceroute, is a ‘traceroute’ application that works much faster than traditional Linux (traceroute) and Windows (tracert) options and can bypass restrictive packet-filters (firewalls). More importantly, LFT implements numerous other features including AS number lookups, loose source routing and netblock name lookups.

What makes LFT unique? LFT is the all-in-one traceroute tool because it can launch a variety of different probes using ICMP, UDP, and TCP protocols, or the RFC1393 trace method. For example, rather than only launching UDP probes in an attempt to elicit ICMP “TTL exceeded” from hosts in the path, LFT can send TCP SYN or FIN probes to target arbitrary services. Then, LFT listens for “TTL exceeded” messages, TCP RST (reset), and various other interesting heuristics from firewalls or other gateways in the path. LFT also distinguishes between TCP-based protocols (source and destination), which make its statistics slightly more realistic, and gives a savvy user the ability to trace protocol routes, not just layer-3 (IP) hops. With LFT’s verbose output, much can be discovered about a target network.

Here’s example output from LFT:

[[email protected] src]# lft -e -A -N -s 2222 -d 80 -m 2 -M 2 -a 5 -c 20 -t 800 -H 30
Tracing ............*****.........................T
TTL LFT trace to (
1 [2XXX] [MY-AS] ( 0.7/0.8ms
2 [4750] [csloxinfo-th] ( 13.0/13.1ms
3 [4750] [csloxinfo-th] ( 13.4/13.4ms Continue reading "Layer Four Traceroute (LFT) and WhoB"