Nikto: Oh Where, Oh Where Have My 404s Gone

Carrie Roberts //

Oh where, oh where can they be?

Remember the first time you ran Nikto against a site and it returned like, a bazillion results? You were pretty excited thinking this assessment was surely going to be a lot of fun.

A Bazillion Results From Nikto

So you you pick something fun from the list such as the last one shown above and manually visit the /guestbook/pwd URL in your browser only to find that the page actually says “The System is unable to process your request at this time” and has nothing to do with guestbook.  Bummer!

So you try another, and another until you finally figure out that most, if not all of the reported issues are false positives.

You take a closer look and realize that Nikto has gotten confused because the web server is returning a 200 OK response for pages that don’t exist when it should be returning a 404 Not Found or maybe a 500 Server Error, anything but a 200 OK because, well – that is just not OK!

Burp to the Rescue. We can proxy the Nikto scan through our Burp instance and massage the response in Burp so that Nikto gets the response code it is expecting for non-existent pages. This can be done with the “-useproxy” option as in the following example:

nikto -host -useproxy http://localhost:8080

Now we need to fire up Burp Pro with the default listener. To modify the responses we will use a little python code inside of the “Python Scripter” extension. Make sure you have installed that extension.

Next, we put a little python code in the Python Scripter tab in order to modify the response as needed to make Nikto happy.

if not messageIsRequest:

  response = messageInfo.getResponse()

  analyzedResponse = helpers.analyzeResponse(response)

  headerList = analyzedResponse.getHeaders()

  bodyStr = helpers.bytesToString(response[analyzedResponse.getBodyOffset():])

  if “The System is unable to process your request at this time” in bodyStr:

    headerList[0] = “HTTP/1.1 404 Not Found”

    message = helpers.buildHttpMessage(headerList, [ ])


Viola! Now any response that contains the message “The System is unable to process your request at this time” will have the HTTP response code set to 404, making Nikto and the tester very happy. Of course you can modify the text that the script looks for in the response to meet your own needs. Now you are back to a sane amount of Nikto results to investigate with tons (a bazillion to be precise) of clearly false positives removed.

You can learn more from Carrie in her classes!

Check them out here:

Attack Emulation Tools: Atomic Red Team, CALDERA and More 

PowerShell for InfoSec

Available live/virtual and on-demand!