Ultimate Nikto Cheat Sheet

A reference guide for the classic web server scanner.

1. Basic Scanning

The standard syntax for scanning a target web server.

Simple Scan

Scans port 80 by default.

nikto -h http://target.com
nikto -h 192.168.1.1

Scan Multiple Hosts

To scan a list of IP addresses from a file.

nikto -h targets.txt

2. Ports & Protocols

Specific Ports

Scan a non-standard port.

nikto -h target.com -p 8080

Multiple Ports

nikto -h target.com -p 80,88,443

Force SSL (HTTPS)

If Nikto doesn’t detect SSL automatically.

nikto -h target.com -ssl

3. Tuning (Scan Types)

Use the -Tuning (or -T) flag to specify which tests to run. This speeds up scans and reduces noise.

nikto -h target.com -Tuning 123

Tuning Codes

  • 1: Interesting File (logs, config files)
  • 2: Misconfiguration
  • 3: Information Disclosure
  • 4: Injection (XSS/Script)
  • 8: Command Execution
  • 9: SQL Injection
  • x: Reverse Tuning (run everything EXCEPT these)

Example: Run everything except Denial of Service tests (DoS is code 6).

nikto -h target.com -T x 6

4. Evasion & IDS Bypass

Techniques to obscure the scan from Intrusion Detection Systems (IDS) using -evasion.

nikto -h target.com -evasion 167

Evasion Codes

  • 1: Random URI Encoding
  • 2: Directory Self-Reference (/./)
  • 3: Premature URL ending
  • 6: Send random UTF-8 encoded char
  • 8: Send fake Content-Length header

User Agent

Change the User-Agent string so the scan looks like a browser.

nikto -h target.com -useragent "Mozilla/5.0…"
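Added example, not part of the original cheat sheet: a small detector run over constructed access-log lines, showing what a defender sees from the evasion and user-agent options above. The Nikto User-Agent string and the /./ self-reference path are assumptions modelled on Nikto's default behaviour; the log lines are constructed, not captured.

```python
import re
from collections import Counter

# Combined Log Format as written by Apache/nginx (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client with Nikto's default User-Agent, one that changed
# the User-Agent but used -evasion 2 (directory self-reference), one normal visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /./config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /./backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
192.0.2.7 - - [01/Jan/2024:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"
"""

def parse(log_text):
    """Parse Combined Log Format lines into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

def detect_nikto(log_text, not_found_threshold=3):
    """Return {ip: set(reasons)} for clients whose traffic looks like a Nikto scan."""
    hits = {}
    not_found = Counter()
    for e in parse(log_text):
        reasons = set()
        if "nikto" in e["ua"].lower():      # default UA gives it away unless -useragent was used
            reasons.add("nikto-user-agent")
        if "/./" in e["path"]:               # -evasion 2 self-reference is itself a signature
            reasons.add("self-reference-path")
        if e["status"] == "404":
            not_found[e["ip"]] += 1
        if reasons:
            hits.setdefault(e["ip"], set()).update(reasons)
    # A scanner probes many paths that do not exist; flag a burst of 404s per client.
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            hits.setdefault(ip, set()).add("404-burst")
    return hits

if __name__ == "__main__":
    for ip, reasons in detect_nikto(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```

Changing the User-Agent hides only the first signal; the self-reference paths and the 404 burst still stand out in ordinary server logs.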

5. Output & Reporting

Saving your results in a readable format.

Save to File

Nikto guesses the format based on the file extension.

nikto -h target.com -o scan_results.html
nikto -h target.com -o scan_results.xml
nikto -h target.com -o scan_results.csv

Force Format

nikto -h target.com -o result.txt -Format txt

6. Configuration & Auth

Authentication

If the site is protected by Basic HTTP Auth.

nikto -h target.com -id admin:password

Using a Proxy

nikto -h target.com -useproxy http://localhost:8080

Disable Interactive Mode

Use -nointeractive to prevent Nikto from asking questions during the scan (good for scripts).

nikto -h target.com -nointeractive

Update Databases

Update plugins and databases (may require root).

nikto -update
