In this post I want to show how to install and using the nikto command-line vulnerability scanner.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).




The installation for Linux and Windows can be done by using the git clone command.

$ git clone

After that you can go to the program directory where you will find the perl script.

In contrast to Windows, Perl is installed on most Linux distributions by default.

You can also use on most distributions the install program as it is available by default in their system repositories.

For Ubuntu you can use:

$ apt update
$ apt install nikto

By installing Nikto this way, you do not have to prefix with the perl command.


In order to use Nikto on Windows, you first need to install the latest version of Perl as mentioned above if not already installed.

After that you can download Nikto by using also the following git clone command as with Linux.

Perl for Windows

Strawberry Perl: A 100% Open Source Perl for Windows that is exactly the same as Perl everywhere else; this includes using modules from CPAN, without the need for binary packages. Help is available from other Windows Perl developers on the #win32 irc channel on (see website for access through a browser).

> git clone

The actual Nikto Perl script, you will find inside the program folder.

Show Help, you can also use the option -help to list all options.

> perl -host https://host.domain.tld/

> perl -url https://host.domain.tld -ssl

Tuning parameter

> perl -Tuning 123bde -host https://host.domain.tld -ssl

After a scan you will find at the end how many requests were run against the web server and how many vulnerabilities (items on remote host) where found.

To determine what items exactly found on the remote server, you can use the following switch

-o report.html -Format htm

> perl -o report.html -Format htm -host https://host.domain.tld:443/

Finally you will find a report.html file in the directory you executed the command.

Testing Examples

Basic Testing

Single Port

$ perl -h https://host.domain.tld:443/
$ perl -h

Multiple Port

$ perl -h -p 80,88,443

SecRuleEngine On

perl -h <IP to test> -p 80,443

See the documentation for a full list of features and how to use them.


If you want to test an SSL host and will run into the following error, you need to install additional libraries.

$ perl -h <IP to test> -p 443 -ssl

Nikto – SSL Support not available (see docs for SSL install)

You need to install additional libraries
$ apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libio-pty-perl




Download latest GitHub Release


Nikto Kali Tools

Nikto (vulnerability scanner)

8 SaaS Web Vulnerability Scanner for Continuous Security