Webmaster Security

Do you scan your own website/server for vulnerabilities?

Submitted by sudo rm rf, Thread ID: 123441

RE: Do you scan your own website/server for vulnerabilities?

OP
#4
Nikto is good, but I have found a lot of false positives from Nikto. For instance, I have been scanning a site and it keeps telling me it has a shell uploaded, which I know for a fact it does not. The directory doesn't even exist there.

But it still does give some good information that we can use to fix some configuration issues.

DirBuster is a nice tool that can brute-force directories and files based off a wordlist. I have used it many times and actually found shells and many other things, through which I was able to backtrack into the root of a server and had access to over 300 domains. (The hosting company gave me the OK and paid me to look through all this.)

The problem with most hosting companies (smaller resellers) is that they don't have the knowledge of this and/or the know-how to prevent it from happening. It's a huge risk for hosting companies when you have people creating and building sites who have no control over or knowledge of security, and that one site can possibly leave the entire server wide open. Which is actually a reason I started hosting sites. It gives me an opportunity to keep my sites live, and any extra clients get the same level of protection I give myself at no cost to them.

I should have a good write-up done either today or tomorrow on DirBuster and get it posted up here.
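A common cause of the "shell uploaded" false positive described above is a server that answers 200 for every path, so a scanner cannot tell a hit from a miss. The following is an added example, not code from the thread or from Nikto: it triages a reported path by first checking whether random, impossible paths also return 200 (a soft-404 baseline). The catch-all and strict test servers, the base URL and the reported path `/uploads/shell.php` are all constructed for the demonstration.

```python
"""Triage a scanner finding against your own server with a soft-404 baseline."""
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def fetch_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status code for a GET of url (404s come back as HTTPError)."""
    try:
        with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def triage_finding(base_url: str, reported_path: str, probes: int = 3) -> str:
    """Classify a reported path as real, absent, or unverifiable on a catch-all server."""
    # Random paths that cannot exist; if they all return 200 the server masks 404s
    # and any path-based finding from a scanner is unverifiable by status code alone.
    baseline = [fetch_status(base_url + "/" + secrets.token_hex(8)) for _ in range(probes)]
    if all(code == 200 for code in baseline):
        return "unverifiable (server returns 200 for every path)"
    return "likely real" if fetch_status(base_url + reported_path) == 200 else "absent"


class CatchAllHandler(BaseHTTPRequestHandler):
    """Constructed test server: always 200, the behaviour that produces false positives."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


class StrictHandler(CatchAllHandler):
    """Constructed test server: only /index.html exists, everything else is 404."""
    def do_GET(self):
        if self.path != "/index.html":
            self.send_error(404)
            return
        super().do_GET()


def serve(handler) -> HTTPServer:
    """Start a local test server on a free port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Run `triage_finding("http://127.0.0.1:PORT", "/uploads/shell.php")` against each test server: the catch-all server comes back as unverifiable, while the strict server reports the path as absent.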
