Lesson Notes

Nikto & Dirb: Web Recon

Module 3: Tools of the Trade. Vuln scanning.

Module 3: Nikto & Dirb Web Recon — Comprehensive Theory Guide

After you have identified open ports (Nmap) and set up a proxy (Burp), the next step is to enumerate the web-specific attack surface: known vulnerabilities and misconfigurations in the server and application, and directories or files that exist but are not linked from the site. Nikto is a vulnerability and misconfiguration scanner that checks thousands of known dangerous paths, server versions, and security headers. Dirb (or DirBuster, gobuster, ffuf and similar tools) brute-forces directory and file names from a wordlist. Both are reconnaissance tools: they build a map of what is present so you can prioritize manual testing and exploitation. Use them only on authorized targets (your lab, or a URL inside a written scope); each run sends thousands of requests, which show up in server logs, can trigger IDS/WAF alerts, and can degrade a fragile application's performance.

Nikto: Purpose, Database, and What It Checks

Nikto is an open-source web server scanner driven by a database of known dangerous paths, files, and server behaviours. It sends HTTP requests to the target (e.g. nikto -h http://target/, or nikto -h target -p 8443 -ssl) and analyzes the responses. It checks for: outdated or vulnerable server software identified from the Server banner (e.g. Apache 2.2.x with known CVEs); sensitive or dangerous files (e.g. /server-status, /phpinfo.php, /.git/config); missing security headers (X-Frame-Options, X-Content-Type-Options, Content-Security-Policy); default install scripts, sample applications and default credentials; and other misconfigurations such as risky HTTP methods (TRACE, PUT) being allowed. Each finding is printed as one line with the tested path, a short description and usually a reference (a Nikto test ID and, for many checks, a CVE, OSVDB or vendor URL). Nikto does not assign severity ratings; ranking the findings is your job. Use the output to decide what to harden first (update the server, disable mod_status, add the headers) or what to test manually (e.g. look up the CVE for the reported version and check whether an exploit applies). Nikto does not exploit anything; it only reports. Run it against the base URL of each web service Nmap found; save the results with -o report.txt (or -Format csv/htm/xml), and route it through Burp with -useproxy http://127.0.0.1:8080 if you want all traffic in one place. Do not run Nikto against systems you are not authorized to test.

Interpreting Nikto Output and False Positives

Nikto reports items that are not necessarily vulnerable. Before scanning it requests a file that should not exist to learn the server's "not found" behaviour, but applications that answer every unknown path with a 200 and a custom "not found" page still produce false positives: the scanner sees a 200 on /admin/ or /backup/ that is really the error page. Always verify critical findings: open the URL in a browser or Burp, read the actual response body and headers, and compare them with a request for a path that cannot exist. Some entries are informational (e.g. "Server may allow directory listing" or "Allowed HTTP Methods: TRACE"); follow each up with a manual check. Document confirmed findings in your report with evidence (URL, response code, and the header or body snippet that proves the issue). Use Nikto early in recon so you can combine its output with Nmap version data and manual browsing for a complete picture.

Dirb and Directory/File Brute-Forcing

Web applications often expose functionality or sensitive resources under paths that are not linked from the main site: /admin, /backup, /config, /.git, /api, /dev and so on. Attackers and testers request many candidate paths from a wordlist and observe the HTTP status code and response size of each answer. Dirb (command line) and DirBuster (GUI) automate this: they take a base URL and a wordlist, send a GET for each word (http://target/admin, http://target/backup, ...), and report paths that return 200, 301, 302, 403 or other interesting codes; Dirb also recurses into every directory it finds unless you pass -r. A 200 on /admin may be an admin panel; a 200 on /.git/config leaks the repository configuration and sometimes remote URLs with embedded credentials; a 403 still tells you the resource exists. Response size helps separate real pages from a custom "not found" page that is served with a 200: Dirb requests a deliberately nonexistent path first and uses that response as its baseline, and it warns when the server's not-found responses are not stable. Typical invocation: dirb http://target/ /usr/share/wordlists/dirb/common.txt -X .php,.bak,.old -o dirb.txt. Use large wordlists for coverage and small ones for speed; add extensions (-X) that match the stack (e.g. .php, .bak, .old for a PHP app); and add a delay between requests (-z milliseconds) on fragile targets. Always inspect discovered paths in Burp before attempting exploitation.
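The three ideas above (the Nikto-style header and banner check, the soft-404 false positive, and the Dirb-style wordlist loop) are shown together in the following Python script. It is an added example for these notes, not code from the Nikto or Dirb projects. It starts a constructed local "target" whose paths, bodies, Server banner and 200-status "not found" page are all invented for the example, then scans it with a small assumed wordlist and extension list, using the not-found baseline to drop false positives. Everything runs offline on 127.0.0.1.

```python
# Added example for these notes (not Nikto or Dirb code). It starts a constructed
# local "target" with invented misconfigurations, then runs a Nikto-style header
# check and a Dirb-style wordlist scan against it, filtering soft-404 false positives.
import http.server
import random
import socketserver
import string
import threading
import urllib.error
import urllib.request

# Constructed target content: path -> (status, body). Not a real site.
TARGET_PAGES = {
    "/": (200, "<html>Welcome to the demo shop</html>"),
    "/admin": (200, "<html><form>Admin login</form></html>"),
    "/phpinfo.php": (200, "<html>PHP Version 7.4.3 (example)</html>"),
    "/backup": (403, "Forbidden"),
}
# Unknown paths get a friendly "not found" page served with status 200: a soft 404.
SOFT_404 = "<html><body><h1>Oops</h1><p>Sorry, we could not find that page. Try the home page.</p></body></html>"

class FakeTarget(http.server.BaseHTTPRequestHandler):
    def version_string(self):  # version-revealing Server banner, as Nikto would flag
        return "Apache/2.2.15"

    def do_GET(self):
        status, body = TARGET_PAGES.get(self.path, (200, SOFT_404))
        data = body.encode()
        self.send_response(status)  # send_response also emits the Server header
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()  # deliberately no X-Frame-Options, nosniff or CSP headers
        self.wfile.write(data)

    def log_message(self, *args):  # keep the server quiet
        pass

def start_target():
    """Start the constructed target on an ephemeral port; return (server, base_url)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), FakeTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

# Direct connection; to see every request in Burp, use
# ProxyHandler({"http": "http://127.0.0.1:8080"}) instead.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch(url):
    """GET url -> (status, lower-cased headers, body length); 4xx/5xx do not raise."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-example"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, len(err.read())

SECURITY_HEADERS = ("x-frame-options", "x-content-type-options", "content-security-policy")

def header_check(base_url):
    """Nikto-style check of the base URL: missing security headers and the Server banner."""
    _, headers, _ = fetch(base_url + "/")
    return {"missing_headers": [h for h in SECURITY_HEADERS if h not in headers],
            "server_banner": headers.get("server", "")}

def not_found_baseline(base_url):
    """Request a path that cannot exist to learn how this server says 'not found'."""
    junk = "".join(random.choices(string.ascii_lowercase, k=16))
    status, _, size = fetch(base_url + "/" + junk)
    return status, size

def brute_force(base_url, wordlist, extensions=("",)):
    """Dirb-style scan: request every word+extension and keep responses that differ
    from the not-found baseline in status or (beyond a small tolerance) size."""
    base_status, base_size = not_found_baseline(base_url)
    hits = []
    for word in wordlist:
        for ext in extensions:
            path = "/" + word + ext
            status, _, size = fetch(base_url + path)
            if status == 404:
                continue
            if status == base_status and abs(size - base_size) <= 8:
                continue  # same shape as the generic not-found page: soft-404 false positive
            hits.append((path, status, size))
    return hits

def run_recon(wordlist=("admin", "backup", "config", "phpinfo"), extensions=("", ".php")):
    """Start the target, scan it, tear it down; return (header findings, Dirb-style hits)."""
    srv, base_url = start_target()
    try:
        return header_check(base_url), brute_force(base_url, wordlist, extensions)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    findings, hits = run_recon()
    print("Missing headers:", findings["missing_headers"], "| Server:", findings["server_banner"])
    for path, status, size in hits:
        print("%-14s %d  %d bytes" % (path, status, size))
```

Run it directly and you get the three missing headers, the Apache/2.2.15 banner, and exactly three hits (/admin 200, /backup 403, /phpinfo.php 200); /admin.php, /config and the other guesses return the soft-404 page with a 200 and are dropped because they match the baseline. The size tolerance absorbs error pages that echo the requested path; on a real target, inspect a few filtered and kept responses in Burp to confirm the baseline is right before trusting the list.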

Integrating Nikto and Dirb into the Recon Workflow

Typical order: (1) Nmap to find open ports and service versions (e.g. 80, 443, 8080). (2) Configure Burp and browse the site manually to map linked pages and parameters. (3) Run Nikto against each web service's base URL to find known vulnerabilities and misconfigurations. (4) Run Dirb (or similar) to find unlinked directories and files, and feed any new directories back into manual browsing in Burp. Document every finding: open ports, service versions, verified Nikto alerts, Dirb-discovered paths with their status codes. This recon map is the input for exploitation: prioritize by risk (e.g. SQLi on a login form, weak TLS, an exposed admin panel) and test only within scope. Recon finds entry points; exploitation and reporting follow. Next: OWASP Top 10 and injection attacks (SQLi, command injection) and how they relate to unencrypted or weakly protected backends.

Key Takeaway for Lesson 12

Nikto scans for known server and application vulnerabilities and misconfigurations using a built-in database; it reports but does not exploit, and it does not rate severity, so verify important findings manually and rank them yourself. Dirb (or DirBuster) discovers unlinked directories and files via wordlist-based requests, using a not-found baseline to filter generic error pages. Both are recon tools: use them only on authorized targets. Integrate them into a workflow: Nmap, then Burp, then Nikto, then Dirb, then document and prioritize for exploitation. Next: OWASP Top 10, injection attacks.