Getty Images

Tip

Top 21 Kali Linux tools and how to use them

Kali Linux includes many tools tailored to beefing up network security. Getting familiar with them takes a lot of work, but the benefits they provide can be wide-ranging.

Kali Linux is the OS most frequently used by both ethical and malicious hackers for almost every aspect of cybersecurity. It includes almost every imaginable hacking tool, meaning learning to use it is a journey, not a simple skill that can be picked up watching a 10-minute tutorial.

Kali is based on the Debian distribution and contains hundreds of tools for penetration testing, security auditing and digital forensics. These tools help security professionals discover vulnerabilities, address misconfigurations, find exposed data and more. Other security-oriented Linux distributions, including Parrot and BlackArch, contain many of the same tools.

Editor's note: Tools such as those in Kali Linux can be used in ways that are lawful and helpful as a security practitioner, but they can also be used illegally, unlawfully and unethically. Make sure any planned use is ethical, lawful and legal. If you're not sure about the legality, do not proceed until you are. This might require some research on your part, such as an honest discussion with internal counsel about what you have planned.

Top Kali Linux tools

Kali Linux contains just about every type of security-oriented utility you could name, from scanners and password crackers to DoS site testers and web server scanners. In fact, its comprehensive tool list could overwhelm many users.

Screenshot of Kali Linux's GUI
Kali's user-friendly and well-organized GUI

Kali's menu breaks down its utilities into several categories, including the following:

  • Information gathering. This category includes tools that help with everything from identifying all the devices on a network to identifying open ports on targeted servers. Tools include Nmap and Wireshark.
  • Wireless attacks. This category includes tools that carry out attacks against wireless systems, including those connected by Bluetooth and Wi-Fi. Tools include Aircrack-ng and Kismet.
  • Password attacks. This category includes password cracking tools and tools to make password crackers more effective. Tools include John the Ripper and Hydra.

Let's examine some of Kali Linux's most common and useful utilities. The following tools are not listed in any particular order, but similar tools are grouped together. Some tools are probably familiar, such as Nmap and Wireshark, while others might only be known for their specific features, such as Kismet or CrackMapExec.

1. Nmap

Network Mapper, or Nmap, has evolved since its release as a port scanner in 1997 to become a ubiquitous tool that not only reports port status, guesses OSes and maps network topologies, but also detects vulnerabilities and performs brute-force password auditing.

Key Nmap features and capabilities

  • Identifies devices running on a network.
  • Provides visual mapping via its Zenmap GUI.
  • Identifies services running on systems, including service versions and types.
  • Hosts useful documentation and scripts on its site.
Screenshot of an Nmap port scan
Example of a basic Nmap scan of a target system

Learn how to use Nmap to scan specific ports.

2. Masscan

Masscan is an IP port scanner that offers many of the same features as Nmap. The main difference is that Masscan is designed to scan large networks, multiple machines and the internet quickly, whereas Nmap is meant for more targeted scans on a single network or machine. Masscan's speed can, however, increase network traffic.

Key Masscan features and capabilities

  • Supports banner grabbing on multiple protocols.
  • Transmits 10 million packets per second from one machine.
  • Uses asynchronous transmission, meaning it can send and receive requests separately -- it, therefore, doesn't need to wait for a response from each scan to do the next scan.
  • According to Masscan's author, Robert Graham, can scan the entire internet in less than five minutes.
Screenshot of a Masscan scan
Example of a basic Masscan scan of a target system

3. Unicornscan

Unicornscan is a stateless port scanner that sends data to potentially vulnerable TCP/IP-enabled devices and analyzes results. It is often faster than Nmap on larger networks and able to hide its scans.

Key Unicornscan features and capabilities

  • TCP banner grabbing.
  • User Datagram Protocol scanning.
  • Packet capture (PCAP) file logging and filtering.
  • OS, application and component identification.

4. Wireshark

Wireshark is a network protocol analyzer, sometimes called a packet analyzer, that captures network traffic and displays its constituent parts, such as logical and physical address information. It also displays packet contents unless those contents are encrypted.

Key Wireshark features and capabilities

  • Advanced filtering tools enable practitioners to narrow results.
  • PCAP capabilities; converts traffic into human-readable content.
  • Easy-to-use GUI.
Screenshot of a Wireshark packet capture
Example of a basic Wireshark packet capture

Learn how to use Wireshark to sniff and scan network traffic.

5. Tcpdump

Tcpdump is a protocol analyzer often installed on Linux distributions by default. It only operates via CLI. It offers many filtering options and is easily scripted and efficient at capturing network packets for analysis.

Key tcpdump features and capabilities

  • Offers speed and scriptability.
  • Via PCAP, enables practitioners to write results to a file for analysis in Wireshark, tcpreplay or other tools.
  • Provides extensive documentation.

Learn how to capture and analyze traffic with tcpdump.

6. Metasploit

Metasploit Framework is one of the most well-known pen testing tools. It is a comprehensive framework for gathering information and executing exploits against targeted systems. It contains prebuilt exploit code and payloads to exploit known vulnerabilities.

Key Metasploit features and capabilities

  • Includes exploits and payloads, as well as auxiliary tasks that don't use payloads.
  • Normalizes how practitioners work with exploit code by fostering payload reuse and using a common methodology to interact with exploits.
  • For those starting with Metasploit, can use Metasploitable, an intentionally weakened VM to test exploits on and learn about Metasploit.

Learn how to use Metasploit commands and exploits for pen tests.

7. Burp Suite

Burp Suite is a web application vulnerability scanner from security testing software vendor PortSwigger. It identifies issues, performs intensive website scans and can send modified HTTP calls to discover exploits.

Key Burp Suite features and capabilities

  • Includes spidering tools, a randomness tool, a request repeater and an intercepting proxy.
  • Checks for SQL injection, cross-site scripting, OS command injection, HTTP request smuggling, broken authentication and more.
  • Supports static and dynamic testing.
Screenshot of Burp Suite Community Edition
Burp Suite's Community Edition

8. John the Ripper

John the Ripper is an offline password recovery and cracking tool. It uses various hashes, ciphers, encryption formats and word lists to test password strength via dictionary attacks, brute forcing and other methods.

Key John features and capabilities

  • Is known for its ubiquity and accessibility.
  • Helps in instances where online brute-force cracking is impractical, such as a remote system with user login rate limiting.
  • Offers Johnny, a GUI for John the Ripper.

Learn how to use the John the Ripper password cracker.

9. Hydra

Hydra is an online password cracking utility that uses brute-force and dictionary attacks to expose weak passwords or poor password practices. It targets SSH, Lightweight Directory Access Protocol, Remote Desktop Protocol, HTTP, HTML forms, virtual network computing and other protocols.

Key Hydra features and capabilities

  • Can run multiple threats in parallel to increase efficiency and speed.
  • Has a simple and intuitive interface.
  • Offers prebuilt and customizable word lists.
Screenshot of the Hydra password auditing tool
The Hydra password auditing tool

Learn how to use the Hydra password-cracking tool.

10. Aircrack-ng

Aircrack-ng is a suite of wireless security tools that consists of multiple applications for monitoring, interception and injections. It includes Airdecap-ng, a Wired Equivalent Privacy, Wi-Fi Protected Access and WPA capture file decryptor; Airodump-ng, a tool that collects packets and WPA handshakes; Airtun-ng, a virtual tunnel interface creator; and Besside-ng, a WEP and WPA cracker.

Key Aircrack-ng features and capabilities

  • Focuses on 802.11 wireless LANs.
  • Provides command-line tools that enable heavy scripting.
  • Performs WEP dictionary attacks and fragmentation attacks.

11. Kismet

Kismet is a wireless and Bluetooth network monitor and war driving tool that sniffs networks, intercepts traffic and acts as a wireless intrusion detection system (IDS).

Key Kismet features and capabilities

  • Detects rogue access points (APs).
  • Supports radio frequency sensors, Zigbee and multiple beacons.
  • Is compatible with tcpdump and Wireshark.

12. Wifite

Wifite is a wireless network penetration testing and auditing tool written in Python. It gathers service set identifiers, signal strength and other information. It also attacks WEP, WPA and WPA2 keys.

Key Wifite features and capabilities

  • Includes brute-force PIN attacks, handshake captures and hash captures.
  • Decloaks hidden APs automatically.
  • Maintains a directory of cracked passwords and handshakes.

13. Fern Wifi Cracker

Fern Wifi Cracker is a wireless testing and attacking tool written in Python. It uses a GUI to scan wireless networks. It can expose WEP, WPA and WPA2 keys.

Key Fern Wi-Fi Cracker features and capabilities

  • Has a straightforward and easy-to-use GUI.
  • Monitors network activities in real time.
  • Conducts dictionary attacks, Address Resolution Protocol (ARP) request replay attacks, brute-force attacks and Wi-Fi Protected Setup attacks.
Screenshot of the Fern Wifi Cracker interface
Fern Wifi Cracker interface

14. Bettercap

Bettercap is a reconnaissance and attack tool for wired and wireless networks that captures packets, performs man-in-the-middle (MitM) attacks and more. It includes a CLI, web-based interface and built-in scripting engine.

Key bettercap features and capabilities

  • Works on Wi-Fi networks, Bluetooth Low Energy devices, Controller Area Network bus, wireless human interface devices and Ethernet networks.
  • Supports ARP, DNS, Neighbor Discovery Protocol and Dynamic Host Configuration Protocol version 6 spoofing MitM attacks on IPv4 and IPv6 networks.
  • Can be used as a network protocol fuzzer.

15. Arpwatch

Arpwatch is a tool that monitors Ethernet and ARP traffic. It maintains a database of MAC and IP address relationships. If a change is detected, such as a new address or an address modification, it alerts administrators.

Key Arpwatch features and capabilities

  • Produces logs and can send email alerts to practitioners.
  • Helps detect ARP spoofing.

16. Sqlmap

Sqlmap is an automated tool for exposing and exploiting SQL injection vulnerabilities. It works with Microsoft SQL Server, MySQL, PostgreSQL, Oracle and others.

Key Sqlmap features and capabilities

  • Conducts Boolean-based, time-based, error-based, union-based and stacked queries, as well as out-of-band SQL injection attacks.
  • Includes password cracking capabilities using dictionary attacks.
  • Supports user privilege escalation and arbitrary command execution.

17. Social-Engineer Toolkit

Social-Engineer Toolkit (SET) is a Python-based tool that exploits human vulnerabilities rather than application or system weaknesses. It enables practitioners to send phishing, website and wireless AP attacks, among other attacks.

Key SET features and capabilities

  • Offers options for social engineering, pen testing and post-exploit lateral movement.
  • Conducts spear phishing, QR code phishing, mass email phishing, SMS phishing and other phishing attacks.
  • Performs tabnabbing and other browser-based attacks to gather information or assess employee responses to social engineering attempts.
Screenshot of the SET welcome screen
The welcome screen for the SET utility

Learn how to use SET.

18. Netcat

Netcat is a powerful network utility that scans ports, transfers files, makes web requests and reads/writes across network connections. It's a flexible tool often used beyond security audits for regular network management.

Key netcat features and capabilities

  • Acts as a data transfer agent.
  • Provides full DNS forward/reverse checking.
  • Offers loose source-routing capabilities.

19. BloodHound

BloodHound is a network reconnaissance tool that performs attack path mapping in Active Directory (AD) environments to expose potential vulnerabilities and weaknesses.

Key BloodHound features and capabilities

  • Exposes domain trusts.
  • Identifies user and group relationships.
  • Identifies users with local admin privileges.
  • Enumerates domain computers, including domain controllers.
Screenshot of Bloodhound's login page
Login page for the Bloodhound Active Directory mapper

20. CrackMapExec

CrackMapExec is a pen testing tool for exploiting vulnerabilities in AD environments. It enumerates users, groups, computers, domain controllers and other targets before performing attacks.

Key CrackMapExec features and capabilities

  • Performs credential brute forcing.
  • Performs post-exploit lateral movement.
  • Integrates with Metasploit, BloodHound and other Kali Linux tools.

21. Nikto

Nikto is a web server scanner that identifies vulnerabilities, misconfigurations and unpatched software, including more than 6,700 malicious file types and outdated web server versions.

Key Nikto features and capabilities

  • Performs dictionary attacks on web servers to exploit user accounts.
  • Has built-in support for HTTP and SSL proxies, as well as IDS evasion.

Other Kali tools

Kali contains hundreds of additional utilities, many of which are for specialized use or specific situations. You can also add new utilities to supplement its inventory -- remember to use the Advanced Package Tool manager, as Kali is based on Debian Linux.

As you become more familiar with the basic Kali Linux tools, you'll soon discover more ways to use these additional applications in your security audits.

The Kali website contains documentation on all tools, so it's a great place to get started.

Screenshot of Kali's Nmap documentation page
Documentation for each tool on the Kali website

Using Kali Linux tools: Getting started

You can run Kali Linux on bare metal, as a VM, from bootable media, from cloud images or even as a container. Kali's comprehensive tool list can help you perform security audits more efficiently.

Learning to use Kali Linux effectively can be daunting, especially if you're an administrator with additional responsibilities. Gaining familiarity with the available tools helps you understand when and how to use Kali for best results.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget Editorial, The New Stack and CompTIA Blogs.

Dig Deeper on Threat detection and response