MacNikto: Working with the Nikto Web Server Security Scanner on the Mac

Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 3300 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers.

MacNikto is what lets you run Nikto on Mac OS X: a free AppleScript GUI wrapper around the Nikto shell script, built in Apple’s Xcode and Interface Builder. It exposes a subset of Nikto’s features and ships as an installer package. Features include:

  • Automatic scanning configuration based on server identification
  • Full scanning override, useful for when a server masquerades as another make in order to deflect certain scan attempts
  • Inline reporting and printing
  • Automatic export and reader launch of reports in HTML, CSV and TXT formats
  • Nikto database update check
  • Port range setting
  • Full Help documentation
  • Nikto 1.36/1.37 installer included.

MacNikto comes as a Universal Binary and needs to be installed, but that is just a matter of a few clicks. Once it sits in your Applications folder you can start scanning.

The interface is truly simple and lets you start working immediately. All you need to enter is the IP address or URL of your website, set a few options, and MacNikto will do its magic.

As the author notes, each scan may take some time and MacNikto’s interface may become unresponsive while it runs, so be patient. Your Internet connection speed is also a factor, so if you’re a dial-up user you may have to wait quite a while.

Once the scan is over you’ll get the output as a TXT file showing what MacNikto found. An example of this file can be seen here. Naturally, sensitive information has been stripped.

Do keep in mind that this tool is to be used only on servers that you have permission to scan, so be responsible. Nikto is not designed as a stealthy tool: it tests a web server in the shortest timespan possible, and its activity is fairly obvious in log files.
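To make "fairly obvious in log files" concrete from the server side, here is a small detector, written for this page as an added example and not code from MacNikto or Nikto, that reads web server access logs in the Apache combined format and flags clients that look like a Nikto run. It keys on two signals: Nikto's default User-Agent string, which contains the word "Nikto", and the burst of distinct 404 responses a file/CGI check produces. The log lines are constructed samples, and the window and threshold values (60 seconds, 5 distinct missing paths) are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not a real log): one ordinary visitor, one client whose
# User-Agent announces Nikto, and one client that probes many missing paths with a
# generic User-Agent (a scanner configured with a custom agent string would look like this).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Macintosh)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /phpinfo.php HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000005)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000006)"',
    '192.0.2.77 - - [10/Oct/2023:14:02:10 +0000] "GET /a.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11)"',
    '192.0.2.77 - - [10/Oct/2023:14:02:11 +0000] "GET /b.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11)"',
    '192.0.2.77 - - [10/Oct/2023:14:02:12 +0000] "GET /c.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11)"',
    '192.0.2.77 - - [10/Oct/2023:14:02:13 +0000] "GET /d.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11)"',
    '192.0.2.77 - - [10/Oct/2023:14:02:14 +0000] "GET /e.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11)"',
    '192.0.2.77 - - [10/Oct/2023:14:02:15 +0000] "GET /f.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_scanner(lines, window_seconds=60, not_found_threshold=5):
    """Return {client_ip: set_of_reasons} for clients that look like a web scanner.

    Reasons are "nikto-user-agent" (User-Agent contains "nikto") and "404-burst"
    (at least not_found_threshold distinct missing paths within window_seconds).
    Thresholds are assumed defaults, not values taken from Nikto or MacNikto.
    """
    findings = defaultdict(set)
    missing_by_ip = defaultdict(list)  # ip -> [(timestamp, path), ...]

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines we cannot parse rather than crash on them
        if "nikto" in rec["ua"].lower():
            findings[rec["ip"]].add("nikto-user-agent")
        if rec["status"] == 404:
            missing_by_ip[rec["ip"]].append((rec["ts"], rec["path"]))

    for ip, hits in missing_by_ip.items():
        hits.sort()  # sliding window over time-ordered 404s for this client
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct_paths = {path for _, path in hits[start:end + 1]}
            if len(distinct_paths) >= not_found_threshold:
                findings[ip].add("404-burst")
                break

    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in sorted(detect_scanner(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(reasons))}")
```

The User-Agent check is the cheap signal, but it disappears the moment someone changes the agent string, which is why the 404-burst rule is there as well; a legitimate visitor hitting one missing favicon never comes near the threshold, while a file/CGI sweep trips it within a second or two.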
