How to Install and Use Nikto on Debian 10 – Step-by-Step (2025)
Nikto’s one of those tools you just kinda keep around. It’s simple, does what it’s supposed to do, and doesn’t get in your way. You point it at a web server, hit go, and it tells you if there’s anything obviously wrong: old scripts, directories you shouldn’t have left open, that sort of thing.
Here, I’ll show you how to install Nikto on Debian 10. It’s pretty simple, just a few steps and you’re good to go.
If you’re looking for a VPS to try it on, check out Eldernode’s Linux VPS.
Step-by-Step: Set Up and Use Nikto on Debian 10
If you’ve ever worried about whether your web server has a hidden admin page or an outdated script you forgot about, Nikto is the tool you want. It’s not fancy, and it’s not a full vulnerability scanner like Nessus or OpenVAS: it only looks at web servers, and only for known dangerous files, outdated versions and common misconfigurations. But it’s a solid way to catch the obvious stuff fast.
I remember running Nikto on an old site of mine, and it flagged a forgotten backup file in an exposed directory. That could’ve been a disaster if someone else found it first.
In this guide, I’ll show you exactly how to set up Nikto on Debian 10, run your first scan, and make sense of the results. Let’s get into it.
What is Nikto and How Does It Work?
Nikto is an open-source web server scanner written in Perl. It works by sending a long list of HTTP requests to the target, each one a check from its test database, and looking at what comes back: status codes, headers and page content. Upstream puts that database at over 6,700 potentially dangerous files and programs plus version checks for over 1,250 server products, and the checks cover things like backup and config files left in the web root, default or sample pages, admin interfaces, outdated server banners and missing security headers. Because it judges a lot from the response code alone, it throws false positives on servers that answer 200 for everything, so every finding needs a manual look before you act on it.
It’s not fancy, won’t replace a full pentest, but it’s quick. Sometimes that’s all you need. Like, I ran it on an old dev box once, and boom, found a config file I’d completely forgotten about, just sitting there in a public folder. Could’ve been bad if someone else spotted it.
So yeah, Nikto’s the kind of tool that helps you catch the obvious stuff before it bites you in the ass. Two things to keep in mind, though: it is loud (every check is a real HTTP request, so it fills the access log and trips any IDS or WAF sitting in front of the server), and you should only point it at hosts you own or have written permission to test.
Nikto Features
Alright, here’s what Nikto’s good at:
Flags outdated web server software from version banners (treat that as a hint, not proof, since banners can be stale or faked).
Spots backup files or old scripts you forgot about.
Handles SSL and HTTPS scans.
Can go through proxies if needed.
Scans multiple ports so if you’ve got services on 8080 or 8443, it’s got you covered.
I’ve had it flag test pages I didn’t even know were there, like devtest.php or backup.zip. Nothing fancy, but it does the job.
Prerequisites to Install Nikto on Debian 10
To follow this tutorial you need:
A non-root user with sudo privileges.
For the base system, follow our Initial server setup on Debian 10 guide.
Install Nikto on Debian 10 | Debian 9
Nikto is in the standard Debian repositories, so there is nothing to download by hand. Open a terminal and run the following commands to refresh the package index, apply pending updates and install Nikto on Debian Linux. Be aware that the packaged version lags well behind upstream; if you need the current set of checks, clone the project from github.com/sullo/nikto and run program/nikto.pl from the checkout instead.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install nikto
If that finishes without errors, Nikto is installed. Run it with no arguments to confirm it is on your PATH; it prints its banner and a short usage summary, since no target was given. If you want to know exactly which scanner and test-database versions you got from the package, nikto -Version prints them:
nikto
Note: Before you start scanning web servers, run Nikto with the -Help option to list every option it supports:
nikto -Help
How to use Nikto on Debian Linux
Nikto has many options. The basic Nikto command line syntax is:
nikto [options...]
The only required option is the target, given with -h. Replace <IP or hostname> with the real IP address or hostname, without the angle brackets (a full URL such as https://example.com/ is accepted there too):
nikto -h <IP or hostname>
Nikto can scan HTTPS servers as well, so you are not limited to plain-HTTP sites. By default it assumes port 80 and plain HTTP, so for an HTTPS site tell it the port and force SSL mode. The -ssl option makes Nikto skip the plain-HTTP attempts on that port, which also saves time on the scan:
nikto -h <IP or hostname> -p 443 -ssl
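Once a scan has run, you want the findings somewhere you can sort and grep rather than scrolling back through the terminal. Nikto writes reports with -o (output file) and -Format (csv, txt, htm, xml, json). The script below is an added example, not code from this page or from the Nikto project: it takes a CSV report on stdin and turns it into a per-host summary plus a short list of findings worth chasing first. The sample report inside it is constructed for the example. It follows the column order Nikto 2.1.x CSV reports use (host, ip, port, reference id, method, uri, message), but check that against your own output, since the reference column has changed between Nikto versions. The keyword list in nikto_hot is my own triage heuristic, not anything Nikto ships.

```shell
#!/bin/sh
# Triage a Nikto CSV report (written with: nikto ... -Format csv -o report.csv).
# Added example, not part of Nikto. Assumed CSV layout (Nikto 2.1.x):
#   "host","ip","port","id","method","uri","message"

# Constructed sample report, not real scan output. Several messages contain
# commas on purpose: splitting on bare commas would mangle them.
nikto_sample() {
    printf '%s\n' \
      '"example.test","192.0.2.10","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."' \
      '"example.test","192.0.2.10","80","0","GET","/","Server: Apache/2.4.38 (Debian) appears to be outdated."' \
      '"example.test","192.0.2.10","80","0","GET","/backup.zip","Backup file found, possibly sensitive, a copy of the site may be available."' \
      '"example.test","192.0.2.10","80","3092","GET","/admin/","This might be interesting..."' \
      '"example.test","192.0.2.10","80","0","GET","/test/devtest.php","Test page found, probably left over from development."' \
      '"example.test","192.0.2.10","443","0","GET","/config.bak","Configuration backup, possibly sensitive."' \
      '"example.test","192.0.2.10","443","0","GET","/","The X-Content-Type-Options header is not set, browsers may MIME-sniff the response."'
}

# Normalise the quoted CSV into tab-separated: host:port, method, uri, message.
# Fields are split on the quote-comma-quote delimiter, so commas inside the
# message survive. A message containing the literal sequence "," would still
# break this; nothing in a normal Nikto report does.
nikto_findings() {
    awk '
        {
            line = $0
            sub(/^"/, "", line); sub(/"$/, "", line)
            n = split(line, f, /","/)
            if (n < 7) next                       # blank or malformed line
            printf "%s:%s\t%s\t%s\t%s\n", f[1], f[3], f[5], f[6], f[7]
        }'
}

# Findings per host:port, one line each: host:port<TAB>count (sorted by key).
nikto_summary() {
    nikto_findings | cut -f1 | sort | uniq -c | awk '{ printf "%s\t%s\n", $2, $1 }'
}

# Findings that deserve a look before the header-hygiene noise: exposed
# backups, admin interfaces, leftover test scripts, outdated server versions.
# The keyword list is a heuristic of my own; tune it for your environment.
HOT_PATTERN='backup|\.bak|\.zip|\.tar|\.sql|\.git|\.env|config|admin|test page|devtest|phpinfo|outdated'
nikto_hot() {
    nikto_findings | grep -i -E "$HOT_PATTERN" || true   # no matches is not an error
}

# Stand-alone demo on the constructed report. With a real report:
#   nikto -h example.test -p 80,443 -Format csv -o report.csv
#   nikto_summary < report.csv; nikto_hot < report.csv
echo "== findings per host:port =="
nikto_sample | nikto_summary
echo "== worth a look first =="
nikto_sample | nikto_hot
```

The split into nikto_findings plus two consumers is deliberate: once the report is plain TSV, the usual cut/sort/grep toolbox works on it, and you can add a third consumer (say, everything on a given URI) without touching the parser again.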
How to scan specific ports with Nikto on Debian 10
Web servers often run on non-standard ports like 8080 or 8081, and one host may run several web servers on different ports. So you need to be able to scan specific ports as well as the usual 80 and 443. The -port option (short form -p) takes a single port, a comma-separated list or a range, so -p 80,443,8080-8090 is valid too. To scan one specific port, run the command below:
nikto -h example.com -port 8083
Note: Replace example.com with the host or IP you wish to scan, and 8083 with the port you wish to scan. Nikto only scans the ports you name, so a service on an unusual port stays invisible unless you list it.
You can use Nikto on a local network to find embedded web servers: a router’s login page, the web interface of a printer or NAS, or an HTTP service on a machine that is not hosting a website at all. First find your own address and subnet. On Debian 10, ifconfig is not installed by default (it lives in the net-tools package), so use the ip command instead:
ip -brief address
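Nikto’s -h option also takes a file of targets, one per line, so a quick nmap sweep of the subnet is the natural way to build the list of web servers to scan. The script below is an added example, not code from this page or from the Nikto or nmap projects: it converts nmap’s greppable output (-oG) into a Nikto target file, keeping only open TCP ports that look like web services and choosing http or https from nmap’s service guess and the port number. The nmap output embedded in it is constructed for the example. I am assuming the target file may hold one URL per line, the same form -h accepts on the command line, so the scheme carries the SSL decision; if your Nikto version only takes host:port lines, change the final printf. Nikto can also read nmap -oG output straight from stdin (nmap ... -oG - | nikto -h -); building the file yourself is useful when you want to review the list before a noisy scan starts.

```shell
#!/bin/sh
# Turn an nmap -oG sweep into a Nikto target file. Added example, not part of
# Nikto or nmap. Assumes Nikto's -h <file> accepts one URL per line.

# Constructed nmap greppable output (not a real scan). Fields are tab-separated
# and each port entry reads port/state/proto/owner/service/rpc/version.
nmap_sample() {
    printf '# Nmap 7.80 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.1 (router.lan)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\n'
    printf 'Host: 192.168.1.30 ()\tPorts: 80/closed/tcp//http///, 8443/open/tcp//https-alt///\n'
    printf '# Nmap done -- 256 IP addresses (3 hosts up) scanned\n'
}

# Read nmap -oG on stdin, print one Nikto target URL per open web port.
# A port counts as web if nmap's service guess starts with "http", or if it
# is one of the usual web ports even when nmap could not name the service.
nmap_to_nikto_targets() {
    awk -F'\t' '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)     # keep the IP only
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, /, */)
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    port = f[1]; state = f[2]; proto = f[3]; svc = f[5]
                    if (state != "open" || proto != "tcp") continue
                    if (svc !~ /^http/ && port !~ /^(80|443|8000|8080|8081|8443|8888)$/) continue
                    scheme = (svc ~ /^https/ || port == "443" || port == "8443") ? "https" : "http"
                    printf "%s://%s:%s/\n", scheme, host, port
                }
            }
        }'
}

# Stand-alone demo. Real use against your own LAN (find the subnet first
# with: ip -brief address):
#   nmap -p 80,443,8000,8080,8081,8443,8888 --open 192.168.1.0/24 -oG - \
#     | nmap_to_nikto_targets > targets.txt
#   nikto -h targets.txt -Format csv -o lan-nikto.csv
nmap_sample | nmap_to_nikto_targets
```

Closed ports and non-web services are dropped before Nikto ever sees them, which matters on a LAN: pointing Nikto at an SSH or SMTP port wastes minutes of timeouts per host and produces nothing useful.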
Conclusion
Alright, that’s it. Nikto’s not gonna solve all your security problems, but it’s a quick way to catch the obvious stuff: outdated server versions, leftover test pages, and backup or config files you forgot about. I’ve used it a bunch of times, and it’s saved me from a few “oh crap” moments.
Give it a shot on your server, see what it finds. You might be surprised by what’s still hanging around.
If you’ve run into anything interesting with Nikto, or if you’ve got a question, drop a comment. Always cool to swap stories and tips.