CIRT.net

So you have Nikto going, but you’re not really sure what’s happening, or how long the scan is going to take?

No problem.

Nikto has several interactive features you can use while a scan is in progress. If you just want to find out the current status, simply press the space bar to find out what the program is doing, how many requests have been made, and a guesstimate of how long the rest is going to take. You can automate this output every 500 requests by turning on progress reporting by pressing ‘p’ (similarly, pressing it again will turn it off).

When running Nikto, you have the ability to save all findings in plaintext files by using the -Save option. This option takes one argument, a directory name, which will be used or created to save all findings, one per text file. 

Each file will be named in the following format: HOSTNAME_PORT_DATE_TESTID.txt

It's no secret that the -update option hasn't done much in quite a while. This is not because the Nikto project is dead or idle... it's simply because the update/release process requires manual work from humans (there is an open ticket on replacing the update system entirely).

In the meantime: run Nikto directly from the git repo.

This is your best bet for keeping completely up-to-date, benefitting from the latest checks and enhancements, and keeping your installation running smoothly.

I promised last time that I would do a git extractor and, yes, I came across a site in the real world that used git to manage its releases. A quick script later and I had its web.config file and all of the internal goodies.

There's a much more detailed write up and the tool at the corporate blog of the company I work for.

So, you're sat on a customer site, and nothing is going right: patching is up to date, passwords are all set to complex values, user input is validated, you have to wear a suit and even the coffee doesn't taste very nice.

Oh, but wait! That scan against the internal web server reveals that: