In this project, I conducted a vulnerability scan on a web server using Nikto to identify critical security risks. I started by launching the Metasploitable2 and Kali Linux virtual machines, obtained the IP address of the target using ifconfig, and escalated privileges on Kali Linux with sudo su. After preparing the environment, I accessed the root directory and reviewed Nikto’s help options by running nikto -H to understand available scanning configurations.

I executed a comprehensive web server scan with all tuning options enabled and saved the scan results as a text file on my Desktop for further analysis. Nikto identified several vulnerabilities on the target server, including an outdated Apache version (2.2.8), missing critical security headers (X-Frame-Options and X-Content-Type-Options), enabled HTTP TRACE method (leading to potential XST attacks), PHP information disclosure through an accessible phpinfo.php file, and public exposure of phpMyAdmin, posing major risks to database integrity.

After analyzing the findings, I outlined next steps to mitigate the vulnerabilities: updating Apache to the latest version, enabling necessary security headers, disabling the HTTP TRACE method, restricting or removing phpinfo.php, securing phpMyAdmin access, and hardening PHP configurations. Through this exercise, I demonstrated practical skills in vulnerability scanning, risk assessment, and remediation planning to improve web server security.