Nikto Cheat Sheet

Complete Web Server Scanner Reference

6,700+ vulnerability checks • Misconfigurations • Outdated software

📅 Updated: December 2024 | ⏱️ 15 min read | 🔧 Nikto 2.5+

What is Nikto?

Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple items including over 6,700 potentially dangerous files/programs, outdated versions of over 1,250 servers, and version-specific problems.

Nikto comes pre-installed on Kali Linux. Source at github.com/sullo/nikto.

📦 Installation

Kali Linux

sudo apt install nikto

From Git

git clone https://github.com/sullo/nikto
cd nikto/program && perl nikto.pl

Update Database

nikto -update

🎯 Basic Usage

# Basic scan
nikto -h http://<target>

# Scan specific port
nikto -h <target> -p 8080

# Scan multiple ports
nikto -h <target> -p 80,443,8080,8443

# HTTPS target
nikto -h https://<target>

# Scan with SSL
nikto -h <target> -p 443 -ssl

# Scan from file
nikto -h hosts.txt

# Save output
nikto -h http://<target> -o results.txt

⚙️ Core Options

Flag Description
-h HOST Target host (IP, hostname, or URL)
-p PORT Port(s) to scan
-ssl Force SSL mode
-nossl Disable SSL
-root PATH Prepend root value to all requests
-id USER:PASS HTTP authentication
-vhost HOSTNAME Virtual host to scan
-timeout SECONDS Request timeout (default 10)
-Pause SECONDS Delay between tests

🎛️ Tuning Options (-Tuning)

Control which tests to run with -Tuning followed by test codes:

Code Test Type
0 File Upload
1 Interesting File / Seen in logs
2 Misconfiguration / Default File
3 Information Disclosure
4 Injection (XSS/Script/HTML)
5 Remote File Retrieval (inside web root)
6 Denial of Service
7 Remote File Retrieval (server wide)
8 Command Execution / Remote Shell
9 SQL Injection
a Authentication Bypass
b Software Identification
c Remote Source Inclusion
x Reverse Tuning (exclude these tests)

# Only run SQL injection and XSS tests
nikto -h http://<target> -Tuning 49

# Run all except DoS tests
nikto -h http://<target> -Tuning x6

# Only misconfiguration and info disclosure
nikto -h http://<target> -Tuning 23
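As an added example (not from Nikto or the original sheet), this POSIX sh helper resolves a -Tuning string, including the x reverse form, into the categories from the table above and assembles the matching scan command; the CSV output file, the -Pause value and the example.test host are assumed choices.

```shell
#!/bin/sh
# Added example, not part of Nikto: expand a -Tuning string into the test
# categories that will actually run, then assemble the scan command line.
# Assumes 'nikto' is on PATH only when the printed command is executed.

# Code table copied from the Tuning section, one "code:name" pair per line.
TUNING_TABLE='0:File Upload
1:Interesting File / Seen in logs
2:Misconfiguration / Default File
3:Information Disclosure
4:Injection (XSS/Script/HTML)
5:Remote File Retrieval (inside web root)
6:Denial of Service
7:Remote File Retrieval (server wide)
8:Command Execution / Remote Shell
9:SQL Injection
a:Authentication Bypass
b:Software Identification
c:Remote Source Inclusion'

# tuning_categories TUNING -> prints the category names that will run, one per
# line. A leading x means reverse tuning: run everything except the listed codes.
tuning_categories() {
  codes="$1"; invert=0
  case "$codes" in x*) invert=1; codes="${codes#x}" ;; esac
  # Reject empty strings and any character outside the 0-9, a, b, c code set.
  case "$codes" in ''|*[!0-9abc]*) echo "invalid tuning string: $1" >&2; return 2 ;; esac
  printf '%s\n' "$TUNING_TABLE" | while IFS=: read -r code name; do
    case "$codes" in *"$code"*) listed=1 ;; *) listed=0 ;; esac
    # Print when listed (normal tuning) or when not listed (reverse tuning).
    if [ "$listed" -ne "$invert" ]; then printf '%s\n' "$name"; fi
  done
}

# build_scan TARGET TUNING PAUSE OUTFILE -> prints the nikto command it would run
# (CSV output and a -Pause delay between tests are assumed choices for this example).
build_scan() {
  tuning_categories "$2" >/dev/null || return 2
  case "$3" in ''|*[!0-9]*) echo "pause must be whole seconds" >&2; return 2 ;; esac
  printf 'nikto -h %s -Tuning %s -Pause %s -Format csv -o %s\n' "$1" "$2" "$3" "$4"
}

# Show which categories a reverse-tuning string actually runs, then the command.
tuning_categories x6
build_scan http://example.test x6 2 results.csv
```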

📄 Output Options

Flag Description
-o FILE Output file
-Format FORMAT Output format (csv, htm, txt, xml, json)
-Display OPTIONS Control display output

Display Options (-Display)

1 Show redirects
2 Show cookies received
3 Show all 200/OK responses
4 Show URLs requiring authentication
D Debug output
E HTTP errors
P Print progress
V Verbose output

🛡️ Evasion Techniques (-evasion)

Code Technique
1 Random URI encoding (non-UTF8)
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Change case of URL
8 Use Windows directory separator (\)
A Use carriage return (0x0d)
B Use binary value 0x0b

# Use multiple evasion techniques
nikto -h http://<target> -evasion 1234

🔀 Proxy Options

# Route requests through a local intercepting proxy (e.g. Burp Suite's default listener)
nikto -h http://<target> -useproxy http://127.0.0.1:8080

🔥 Common Scanning Scenarios

# Comprehensive scan with all output
nikto -h http://<target> -o report.html -Format htm

# Quick scan with common ports
nikto -h <target> -p 80,443,8080,8443

# Scan with authentication
nikto -h http://<target> -id admin:password

# Scan specific directory
nikto -h http://<target> -root /webapp/

# Stealthy scan with evasion and delays
nikto -h http://<target> -evasion 1234 -Pause 2

# Scan virtual host
nikto -h 192.168.1.100 -vhost target.local

# Only scan for SQL injection and XSS
nikto -h http://<target> -Tuning 49

# Verbose output (use -Display D for debug output)
nikto -h http://<target> -Display V

🔬 Nikto Cheat Sheet Complete!

You now have a comprehensive reference for the most thorough web server scanner. From vulnerability detection to evasion techniques, these commands are essential for auditing web infrastructure.


Ready to audit your next web server!
