> nikto
Scan web servers for vulnerabilities with Nikto. Use when a user asks to audit web server configuration, find outdated software, detect dangerous files, check for misconfigurations, or perform web server security scanning.
curl "https://skillshub.wtf/TerminalSkills/skills/nikto?format=md"
Nikto
Overview
Nikto is a web server scanner that checks for 7,000+ potentially dangerous files, outdated server versions, version-specific problems, and server configuration issues. It's noisy (not stealthy) but comprehensive — catches misconfigurations, default files, exposed admin interfaces, and known vulnerable components that automated scanners often miss.
Instructions
Step 1: Basic Scan
# Scan a web server
nikto -h https://target.example.com
# Checks:
# - Server version and known CVEs
# - Dangerous HTTP methods (PUT, DELETE, TRACE)
# - Default files (/phpinfo.php, /server-status, /.env)
# - Directory indexing
# - Missing security headers
# - Outdated components
# Scan specific port
nikto -h target.example.com -p 8080
# Scan multiple ports
nikto -h target.example.com -p 80,443,8080,8443
# Scan with SSL
nikto -h https://target.example.com -ssl
Step 2: Tuning and Targeting
# Tune scan to specific check categories
nikto -h https://target.example.com -Tuning 123456789abcde
# 1: Interesting file / seen in logs
# 2: Misconfiguration / default file
# 3: Information disclosure
# 4: Injection (XSS/Script/HTML)
# 5: Remote file retrieval (inside web root)
# 6: Denial of service (skip in production)
# 7: Remote file retrieval (server-wide)
# 8: Command execution / remote shell
# 9: SQL injection
# a: Authentication bypass
# b: Software identification
# c: Remote source inclusion
# d: WebService
# e: Admin console
# Only check for misconfigurations and info disclosure
nikto -h https://target.example.com -Tuning 23
# Check every CGI directory in Nikto's built-in list ("none" or an explicit list also works)
nikto -h https://target.example.com -Cgidirs "all"
# Authenticated scanning
nikto -h https://target.example.com \
-id admin:password123
# or with a session cookie: Nikto has no -cookie flag. Set STATIC-COOKIE in nikto.conf
# (the file documents the format as STATIC-COOKIE=name="value";name2="value2") and scan
# normally, or override it for one run with -Option (Nikto 2.1.6+; confirm with nikto -H):
nikto -h https://target.example.com \
-Option 'STATIC-COOKIE=session="abc123";token="xyz789"'
Step 3: Output and Integration
# Save results in multiple formats
nikto -h https://target.example.com -o nikto-report.html -Format html
nikto -h https://target.example.com -o nikto-report.xml -Format xml
nikto -h https://target.example.com -o nikto-report.csv -Format csv
# JSON output for automation
nikto -h https://target.example.com -o nikto-report.json -Format json
# Scan targets from Nmap output (note: each host is scanned on Nikto's default port 80;
# pass -p with the port Nmap found open to cover 443 and 8080 as well)
nmap -sV -p 80,443,8080 -oG - 192.168.1.0/24 | \
grep "open" | awk '{print $2}' | \
while read -r ip; do nikto -h "$ip" -o "nikto-$ip.html" -Format html; done
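As an added example (not part of this skill page or of Nikto's own tooling), the same Nmap-to-Nikto hand-off done per open web port rather than per host: it parses the greppable output, keeps only open TCP ports whose service name contains "http", and adds -p and -ssl for each target. The function names, the constructed sample scan and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the nikto skill page: feed every open web port from
# an Nmap greppable (-oG) scan to Nikto, instead of one scan per host on port 80.
# Assumes POSIX sh, awk and nikto on PATH; the sample scan below is constructed.

# Constructed nmap -oG output: two hosts, a mix of web and non-web ports.
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|https///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 8080/open/tcp//http-proxy///, 8443/open/tcp//ssl|https-alt///, 3306/closed/tcp//mysql///\tIgnored State: filtered (995)\n'
}

# stdin: -oG lines.  stdout: "host port ssl" for each open TCP port whose
# service name contains "http" (ssl is 1 when Nmap tagged it ssl/https).
web_targets() {
    awk -F'\t' '/Ports:/ {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
            n = split(substr($i, 8), ports, /, */)
            for (j = 1; j <= n; j++) {
                split(ports[j], f, "/")   # port/state/proto/owner/service/...
                if (f[2] != "open" || f[3] != "tcp" || f[5] !~ /http/) continue
                print host, f[1], (f[5] ~ /ssl|https/ ? 1 : 0)
            }
        }
    }'
}

# stdin: -oG lines.  Runs one Nikto scan per web port (misconfiguration and
# info-disclosure tuning, XML output per target).  DRY_RUN=1 prints the commands.
nikto_from_gnmap() {
    web_targets | while read -r host port ssl; do
        set -- nikto -h "$host" -p "$port" -Tuning 23 -Format xml -o "nikto-$host-$port.xml"
        if [ "$ssl" = 1 ]; then set -- "$@" -ssl; fi
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
    done
}

# Usage: nikto_from_gnmap < scan.gnmap   (DRY_RUN=1 previews the commands)
```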
Guidelines
- Nikto is loud — it sends thousands of requests. Don't use it for stealth assessments.
- Run Nikto early in the assessment — it catches low-hanging fruit (default files, misconfigs).
- Check tuning categories: -Tuning 23 for a quick misconfiguration scan, a full scan for a thorough assessment.
- Combine with Nmap: scan ports first, then run Nikto against discovered web servers.
- XML/JSON output integrates with reporting tools and vulnerability management platforms.
- False positives are common — verify each finding manually before including in the report.
- Run with -Cgidirs all to check CGI directories for legacy vulnerabilities (ShellShock, etc.).
- Nikto is complementary to Burp Suite — Nikto checks server config, Burp tests application logic.