As a full-stack developer and professional Linux coder, having an in-depth understanding of Kali Linux and its powerful set of pentesting tools is essential. Kali Linux comes preinstalled with over 600 tools specialized for penetration testing, security auditing, and ethical hacking.
While the sheer number of tools can seem overwhelming for beginners, there are definitely some that stand out as being particularly useful. Based on my extensive experience as an ethical hacker and penetration tester, I have curated this list of the top 25 must-have Kali Linux tools for both aspiring and seasoned security professionals.
I have organized the tools according to the main phases of a typical penetration test engagement – reconnaissance, scanning, exploitation, post-exploitation etc. Under each phase, I have highlighted why the tool is important, how it functions, and use cases from real-world assessments.
Anonymity Tools
When conducting penetration testing, it is crucial to preserve anonymity and cover your tracks. The tools below allow you to spoof details that could potentially identify you.
1. MACCHANGER
MACChanger is used to modify and randomize your network interface's MAC address. This is useful when penetrating networks protected by MAC address filtering. It can also help you evade tracking during assessments.
Here are some common MACChanger usage examples (bring the interface down first, for example with ip link set wlan0 down, and back up again after the change):
# Show current MAC address
macchanger -s wlan0
# Randomize MAC address
macchanger -r wlan0
# Set specific MAC address
macchanger --mac=00:11:22:33:44:55 wlan0
As you can see, MACChanger provides flexibility to either randomize your MAC completely or set a custom one.
2. PROXYCHAINS
Proxychains allows you to route any TCP traffic through a proxy server, effectively masking your real IP address. This adds an additional layer of anonymity during penetration tests.
Below is an example running Nmap through Proxychains:
proxychains nmap -sT -Pn 192.168.1.1
This tunnels the Nmap scan through the configured proxy. Proxychains only relays TCP connections, so the scan must use a full TCP connect scan (-sT) and skip ICMP host discovery (-Pn); Nmap's default SYN scan and ping probes use raw sockets that bypass the proxy and would expose your real address. You will need to edit Proxychains' configuration file to point it to your preferred proxy server.
Information Gathering
The reconnaissance phase involves gathering intel on the target systems and networks prior to launching exploits. The tools below help uncover valuable data.
3. TRACEROUTE
Traceroute displays the network path to a destination IP/domain and every hop in between. It reports round-trip times and IP addresses of each node.
This helps map out the target's upstream infrastructure during assignments. It can also identify network firewalls, load balancers and filtering in place.
traceroute google.com
4. WHATWEB
WhatWeb identifies web technologies used on websites – such as content management systems, frameworks, server software, plugins and more.
It leverages a database of over 1700 different plugins to detect these applications.
whatweb amazon.com
This helps fingerprint the underlying tech stacks of web applications during testing, which is useful when selecting exploits to attempt.
5. WHOIS
WHOIS queries Internet registration databases to uncover details on domain names and IP blocks.
It reveals registration info, assigned IP ranges, admin contacts and more. This is useful for expanding target scopes during pen tests.
whois facebook.com
6. MALTEGOCE
Maltego is an intelligence gathering and data mining tool. It can aggregate information from a wide variety of public sources to map out relationships and connections between entities.
The information gathered can then be transformed into easy-to-read graphical diagrams.
This assists the reconnaissance phase by revealing data points that can be leveraged when formulating attack strategies.
7. NMAP
No list of recon tools is complete without mentioning Nmap. It is arguably Kali Linux's most popular network scanner, and for good reason.
Nmap utilizes raw IP packets to probe networks, identify live hosts, perform port scans, and determine services/apps running on systems.
It enables comprehensive network mapping and service enumeration – integral for infrastructure penetration tests.
nmap -sV -O 192.168.1.1/24
The example scans an entire subnet, identifying live hosts, the services and versions listening on each open port (-sV) and a best-guess operating system for each host (-O, which requires root privileges).
Vulnerability Scanning
These specialized tools help identify security flaws in networks and applications.
8. NIKTO
Nikto is a web server scanner designed to find vulnerabilities and misconfigurations affecting web servers.
It leverages an extensive database of over 6700 potentially dangerous files/programs across multiple platforms.
The command below runs a Nikto scan:
nikto -h http://example.com
Nikto is especially useful for testing infrastructure supporting websites and web apps.
Web Application Hacking
The tools below focus on hacking web apps and websites.
9. SQLMAP
SQLmap specializes in exploiting SQL injection flaws to gain access to backend databases.
It automates the detection and exploitation process – capable of extracting database contents and executing operating system commands.
sqlmap -u "http://example.com/vuln.php?id=1" --dbs
This runs sqlmap to fingerprint the DBMS, determine the number of databases, and print available databases hosted on the server.
SQLmap is a must-have tool for identifying and validating SQLi vulnerabilities.
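To make concrete what sqlmap is probing for, here is an added example (not sqlmap's code) showing the flaw itself: a query built by string formatting, next to the parameterised form that closes it, on an in-memory SQLite table with constructed rows:

```python
# Added example (not sqlmap's own code): the flaw sqlmap looks for, shown as
# a vulnerable query next to its parameterised fix. Table rows are constructed.
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER, name TEXT, secret INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 0), (2, "gadget", 0), (3, "internal-only", 1)])
    return conn

def lookup_vulnerable(conn, user_id):
    # Untrusted input is pasted straight into the SQL text, the same pattern
    # as the vuln.php?id=1 parameter above. AND binds tighter than OR, so an
    # id of "1 OR 1=1" turns the filter into (secret = 0 AND id = 1) OR 1=1.
    sql = "SELECT name FROM products WHERE secret = 0 AND id = %s" % user_id
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, user_id):
    # Parameterised query: the value travels separately from the statement,
    # so it can never change its structure. Non-numeric ids are rejected.
    if not str(user_id).isdigit():
        raise ValueError("id must be an integer")
    sql = "SELECT name FROM products WHERE secret = 0 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))         # only the public row
    print(lookup_vulnerable(db, "1 OR 1=1"))  # every row, secret one included
    print(lookup_safe(db, "1"))
    try:
        lookup_safe(db, "1 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```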
10. BURPSUITE
Burp Suite is an integrated platform comprised of various tools for testing web application security.
These include an interception proxy for manipulating requests/responses, a web spider for site crawling, a web app scanner, intruder tool for automating attacks, and more.
Burp makes it easy to inspect web traffic for vulnerabilities, as well as launch a variety of manual and automated exploits against targets.
11. OWASP ZAP
The OWASP Zed Attack Proxy is another popular web app security scanner.
It includes automated and passive scanning modes, manual exploitation tools, scripting capabilities for advanced tests, plug-in support to extend functionality and more.
ZAP offers dynamic application security testing tailored towards websites and web apps.
Password Cracking Tools
These tools recover passwords by cracking password hashes found on compromised systems.
12. HASH-IDENTIFIER
Identifying the hash type is the first step for successful cracking. Hash-identifier compares hashes against over 220 unique algorithms to determine which one was used to hash the plaintext passwords.
This insight narrows down the specific approaches and tools to use when attempting to recover credentials.
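As an added example in the spirit of hash-identifier (not its own code), the classifier below infers candidate algorithms from a hash's prefix, character set and length, and also reports whether the format is a deliberately slow one, which is the question a defender reviewing a credential store wants answered:

```python
# Added example (not hash-identifier's own code): a small hash-format
# classifier in the spirit of hash-identifier, keyed on crypt-style "$id$"
# prefixes, character set and length.
import re

# Prefixed (salted, iterated) formats are unambiguous and are checked first.
PREFIXED = [
    (re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), "bcrypt"),
    (re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$"), "sha512crypt"),
    (re.compile(r"^\$5\$[^$]{1,16}\$[./A-Za-z0-9]{43}$"), "sha256crypt"),
    (re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$"), "md5crypt"),
    (re.compile(r"^\$argon2(id|i|d)\$"), "argon2"),
]
# Raw hex digests of equal length cannot be told apart by form alone, so
# every candidate is returned (most common first) for the cracker to try.
HEX_BY_LEN = {32: ["MD5", "NTLM", "MD4"], 40: ["SHA-1", "RIPEMD-160"],
              64: ["SHA-256", "SHA3-256"], 128: ["SHA-512", "SHA3-512"]}
SLOW = {"bcrypt", "sha512crypt", "sha256crypt", "argon2"}

def identify_hash(h):
    """Return candidate algorithms for h, most likely first; [] if unknown."""
    h = h.strip()
    for pattern, name in PREFIXED:
        if pattern.match(h):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return list(HEX_BY_LEN.get(len(h), []))
    # Windows credential dumps list LM and NT hashes as "LMHASH:NTHASH"
    if re.fullmatch(r"[0-9a-fA-F]{32}:[0-9a-fA-F]{32}", h):
        return ["LM:NTLM pair"]
    return []

def is_slow_hash(h):
    """True when the format is a deliberately expensive password hash, which
    is what a defender wants to find in a credential store; raw MD5/SHA
    digests are fast to brute-force."""
    candidates = identify_hash(h)
    return bool(candidates) and candidates[0] in SLOW

if __name__ == "__main__":
    # Constructed sample: a bcrypt string of the standard 60-character shape
    sample = "$2b$12$" + "R9h/cIPz0gi.URNNX3kh2O" + "PST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"
    print(identify_hash(sample), is_slow_hash(sample))
```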
13. JOHN THE RIPPER (JTR)
John The Ripper is arguably Kali Linux's most popular password cracking tool. It supports a vast array of hashing algorithms and offers different modes such as dictionary attacks, brute force attacks, and rainbow tables to speed up the cracking process.
The command below cracks the hashes in hash.txt using the standard rockyou wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
No other tool can match JTR's effectiveness across so many distinct hashing algorithms. It should be a go-to choice for offline password cracking.
Wireless Hacking
The tools below focus on penetration testing wireless networks.
14. AIRCRACK-NG
Aircrack-ng consists of various utilities for auditing wireless networks.
These include aircrack-ng for actually cracking WEP/WPA keys, airodump-ng for packet capturing, aireplay-ng for injecting packets, and more.
The suite utilizes advanced techniques like packet replay, FMS, and dictionary attacks to recover passwords on wireless networks.
15. FLUXION
Fluxion specializes in the fake access point technique for tricking users into connecting to rogue networks controlled by the attacker.
It then prompts victims to enter their WPA/WPA2 passwords through a fake authentication page to capture the credentials.
This makes exploiting misconfigurations on wireless networks incredibly convenient.
Exploitation Tools
These frameworks and tools assist with developing and executing complex exploits.
16. METASPLOIT
The Metasploit Framework continues to be Kali Linux's most notable exploitation tool. It boasts over 3000 modules comprised of exploits, encoders, payloads and more geared towards common services.
It effectively functions as an "exploit development studio", making it simple to integrate researched vulnerabilities into working proof-of-concept code.
Metasploit provides automation around developing reliable exploits capable of evading anti-virus and bypassing protection layers.
17. SOCIAL ENGINEERING TOOLKIT (SET)
The Social Engineering Toolkit specializes in non-technical exploitation relying on human interaction and deception.
SET enables a wide range of attack vectors including targeted website cloning, mass mailer phishing campaigns, infectious media generator and more.
It lowers the barrier for convincingly replicating communication mediums to take advantage of unwitting users through social engineering.
Sniffing & Spoofing
These tools monitor unencrypted communications and spoof various protocols.
18. BETTERCAP
BetterCAP is a powerful man-in-the-middle framework aimed at performing various types of network attacks such as sniffing unencrypted traffic, hijacking sessions, transparent proxies, DNS spoofing and more.
BetterCAP sets itself apart from similar tools through its extensive capabilities, reliability, speed and simpler configuration process.
19. WIRESHARK
Wireshark continues to be the industry standard packet analyzer useful for low-level inspection of network traffic.
It provides rich filtering options and inspection capabilities allowing granular analysis of protocols.
Wireshark is vital for confirming exploit success, inspecting client-server communications, analyzing SSL connections and beyond.
Database Hacking
These open source tools facilitate attacking various database servers.
20. NOSQLMAP
NoSQLMap focuses specifically on auditing the security of popular NoSQL database servers like MongoDB and CouchDB.
It comes preinstalled in Kali Linux with options for database fingerprinting, querying data, accessing shells and more.
# Fingerprint and attack MongoDB instance
nosqlmap --host mongodb://127.0.0.1:27017
NoSQL databases like MongoDB and CouchDB are becoming commonplace for modern web apps. NoSQLMap is purpose-built to test them.
21. SQLMAP
We touched on SQLmap earlier for exploiting SQL injection issues. However, beyond just identifying SQLi vulnerabilities, sqlmap is capable of database server fingerprinting, querying and manipulating data, accessing underlying file systems and even issuing OS commands.
This makes sqlmap the most comprehensive open source SQL database hacking tool available. It supports the broadest range of databases including MySQL, Oracle, PostgreSQL and more.
Reporting Tools
Proper documentation and reporting is crucial for penetration testing engagements. These tools help streamline report generation.
22. DRADIS
Dradis provides collaboration capabilities for penetration testers working together on large assignments. It enables information sharing regarding targets, findings, hosts, vulnerabilities and proof of concepts.
It also offers automated reporting built on this data to quickly generate client deliverables post assessment.
Dradis helps keep activities organized and facilitates report writing.
Bonus Tools
These bonus handy tools don't cleanly fit under any specific category but are still worth mentioning.
23. SHELLTER
Shellter specializes in generating anti-virus evasive Windows executable payloads. It supports netcat, meterpreter and VBA generation for diverse delivery scenarios.
Payloads can be cloned as COM objects, dynamic-link libraries and more. Multiple encoding iterations allow highly customizable trojans for persistent access.
24. EMPIRE
Empire serves as a post exploitation framework focused specifically on PowerShell related attacks. It enables access to underlying operating systems without needing malware or backdoors.
Empire allows executing PowerShell scripts without directly touching disk which helps evade anti-virus and detection capabilities.
25. YARA
YARA defines complex search patterns for locating malware using textual or binary patterns. YARA rules can detect filenames, IP addresses, fuzzing artifacts and more.
It is used to streamline the malware analysis process to quickly identify or categorize samples based on keyword signatures.
Final Thoughts
And there you have it: a comprehensive walkthrough of Kali Linux's top 25 tools for penetration testing and ethical hacking. I highly recommend getting intimately familiar with each one if you are pursuing professional security assessments and audits.
Of course, Kali Linux contains hundreds of other useful utilities. But fully mastering this list will provide highly transferable skills applicable to real client engagements.
Each tool serves a distinct purpose across recon, exploitation, reporting and more. Learn their capabilities, best practices for utilization in assessments, and how to interpret their output.
Doing so will enable you to conduct end-to-end penetration tests seamlessly, reflecting the methodologies followed by industry experts.