https://www.techtarget.com/searchsecurity/tip/Top-Kali-Linux-tools-and-how-to-use-them
Kali Linux is the OS most frequently used by both ethical and malicious hackers for almost every aspect of cybersecurity. It includes almost every imaginable hacking tool, meaning learning to use it is a journey, not a simple skill that can be picked up watching a 10-minute tutorial.
Kali is based on the Debian distribution and contains hundreds of tools for penetration testing, security auditing and digital forensics. These tools help security professionals discover vulnerabilities, address misconfigurations, find exposed data and more. Other security-oriented Linux distributions, including Parrot and BlackArch, contain many of the same tools.
Editor's note: Tools such as those in Kali Linux can be used in ways that are lawful and helpful as a security practitioner, but they can also be used illegally, unlawfully and unethically. Make sure any planned use is ethical, lawful and legal. If you're not sure about the legality, do not proceed until you are. This might require some research on your part, such as an honest discussion with internal counsel about what you have planned.
Kali Linux contains just about every type of security-oriented utility you could name, from scanners and password crackers to DoS site testers and web server scanners. In fact, its comprehensive tool list could overwhelm many users.
Kali's menu breaks down its utilities into several categories, including the following:
Let's examine some of Kali Linux's most common and useful utilities. The following tools are not listed in any particular order, but similar tools are grouped together. Some tools are probably familiar, such as Nmap and Wireshark, while others might only be known for their specific features, such as Kismet or CrackMapExec.
Network Mapper, or Nmap, has evolved since its release as a port scanner in 1997 to become a ubiquitous tool that not only reports port status, guesses OSes and maps network topologies, but also detects vulnerabilities and performs brute-force password auditing.
Learn how to use Nmap to scan specific ports.
Masscan is an IP port scanner that offers many of the same features as Nmap. The main difference is that Masscan is designed to scan large networks, multiple machines and the internet quickly, whereas Nmap is meant for more targeted scans on a single network or machine. Masscan's speed can, however, increase network traffic.
Unicornscan is a stateless port scanner that sends data to potentially vulnerable TCP/IP-enabled devices and analyzes results. It is often faster than Nmap on larger networks and able to hide its scans.
Wireshark is a network protocol analyzer, sometimes called a packet analyzer, that captures network traffic and displays its constituent parts, such as logical and physical address information. It also displays packet contents unless those contents are encrypted.
Learn how to use Wireshark to sniff and scan network traffic.
Tcpdump is a protocol analyzer often installed on Linux distributions by default. It only operates via CLI. It offers many filtering options and is easily scripted and efficient at capturing network packets for analysis.
Learn how to capture and analyze traffic with tcpdump.
Metasploit Framework is one of the most well-known pen testing tools. It is a comprehensive framework for gathering information and executing exploits against targeted systems. It contains prebuilt exploit code and payloads to exploit known vulnerabilities.
Learn how to use Metasploit commands and exploits for pen tests.
Burp Suite is a web application vulnerability scanner from security testing software vendor PortSwigger. It identifies issues, performs intensive website scans and can send modified HTTP calls to discover exploits.
John the Ripper is an offline password recovery and cracking tool. It uses various hashes, ciphers, encryption formats and word lists to test password strength via dictionary attacks, brute forcing and other methods.
Learn how to use the John the Ripper password cracker.
Hydra is an online password cracking utility that uses brute-force and dictionary attacks to expose weak passwords or poor password practices. It targets SSH, Lightweight Directory Access Protocol (LDAP), Remote Desktop Protocol (RDP), HTTP, HTML forms, Virtual Network Computing (VNC) and other protocols.
Learn how to use the Hydra password-cracking tool.
Aircrack-ng is a suite of wireless security tools that consists of multiple applications for monitoring, interception and injection. It includes Airdecap-ng, a capture file decryptor for Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and WPA2 traffic; Airodump-ng, a tool that collects packets and WPA handshakes; Airtun-ng, a virtual tunnel interface creator; and Besside-ng, a WEP and WPA cracker.
Kismet is a wireless and Bluetooth network monitor and war driving tool that sniffs networks, intercepts traffic and acts as a wireless intrusion detection system (IDS).
Wifite is a wireless network penetration testing and auditing tool written in Python. It gathers service set identifiers, signal strength and other information. It also attacks WEP, WPA and WPA2 keys.
Fern Wifi Cracker is a wireless testing and attacking tool written in Python. It uses a GUI to scan wireless networks. It can expose WEP, WPA and WPA2 keys.
Bettercap is a reconnaissance and attack tool for wired and wireless networks that captures packets, performs man-in-the-middle (MitM) attacks and more. It includes a CLI, web-based interface and built-in scripting engine.
Arpwatch is a tool that monitors Ethernet and ARP traffic. It maintains a database of MAC and IP address relationships. If a change is detected, such as a new address or an address modification, it alerts administrators.
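The two mechanisms described above, decoding a captured frame into its link-layer and network-layer addresses the way Wireshark or tcpdump does, and keeping the IP-to-MAC table that arpwatch uses to alert on new or changed pairings, fit in one short script. The following is an added example written for this page; it is not code from the article, from Wireshark, from tcpdump or from arpwatch. The frames it processes are constructed test data built by the `build_arp` helper (an assumption for the demo, not captured traffic), and the class names `ArpFrame` and `ArpWatch` are this example's own.

```python
"""Added example: decode Ethernet/ARP frames and flag MAC/IP changes arpwatch-style.
Not from the TechTarget article or any Kali tool; all frames are constructed test data."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


@dataclass
class ArpFrame:
    src_mac: str      # Ethernet header source (physical address)
    dst_mac: str      # Ethernet header destination
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address (logical address)
    target_mac: str
    target_ip: str


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_arp(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 14 + 28:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    # ARP header: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return ArpFrame(fmt_mac(src), fmt_mac(dst), oper,
                    fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa))


class ArpWatch:
    """Keeps the IP -> MAC table and reports new stations and changed pairings."""

    def __init__(self) -> None:
        self.table: dict = {}

    def observe(self, arp: ArpFrame) -> Optional[str]:
        ip, mac = arp.sender_ip, arp.sender_mac
        if ip == "0.0.0.0":          # ARP probe: sender has no address yet, nothing to record
            return None
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return f"new station {ip} is at {mac}"
        if known != mac:             # same IP now answered by a different NIC: worth an alert
            self.table[ip] = mac
            return f"changed ethernet address {ip} {known} -> {mac}"
        return None


def build_arp(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              opcode: int = 2) -> bytes:
    """Construct a test frame for the demo (assumption: not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    dst = mac(target_mac) if opcode == 2 else b"\xff" * 6   # requests are broadcast
    eth = struct.pack("!6s6sH", dst, mac(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, opcode,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


# Constructed capture: gateway reply, host reply, repeat of gateway, non-ARP IPv4 frame,
# then the gateway's IP answered by a different MAC.
SAMPLE_FRAMES: List[bytes] = [
    build_arp("aa:bb:cc:00:00:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),
    build_arp("00:11:22:33:44:55", "192.168.1.10", "aa:bb:cc:00:00:01", "192.168.1.1"),
    build_arp("aa:bb:cc:00:00:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),
    struct.pack("!6s6sH", b"\x00" * 6, b"\x00" * 6, ETHERTYPE_IPV4) + b"\x00" * 28,
    build_arp("de:ad:be:ef:00:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),
]


def run(frames: List[bytes]) -> List[str]:
    """Decode each frame, feed ARP ones to the watcher, return the alerts raised."""
    watch, alerts = ArpWatch(), []
    for frame in frames:
        arp = decode_arp(frame)
        if arp is None:
            continue                # not ARP (or malformed): a packet analyzer would show it, we skip it
        alert = watch.observe(arp)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run(SAMPLE_FRAMES):
        print(line)
```

Real arpwatch reads frames from an interface with libpcap and persists its table across runs; this version takes frames from a list so it runs offline. The "changed ethernet address" line is the one to route to an administrator: it is what a legitimate NIC swap or DHCP reassignment looks like, but also what the ARP-spoofing half of a man-in-the-middle attempt looks like, so the alert needs a human or an inventory check behind it.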
Learn how to use arpwatch.
Sqlmap is an automated tool for exposing and exploiting SQL injection vulnerabilities. It works with Microsoft SQL Server, MySQL, PostgreSQL, Oracle and others.
Social-Engineer Toolkit (SET) is a Python-based tool that exploits human vulnerabilities rather than application or system weaknesses. It enables practitioners to send phishing, website and wireless AP attacks, among other attacks.
Learn how to use SET.
Netcat is a powerful network utility that scans ports, transfers files, makes web requests and reads/writes across network connections. It's a flexible tool often used beyond security audits for regular network management.
BloodHound is a network reconnaissance tool that performs attack path mapping in Active Directory (AD) environments to expose potential vulnerabilities and weaknesses.
CrackMapExec is a pen testing tool for exploiting vulnerabilities in AD environments. It enumerates users, groups, computers, domain controllers and other targets before performing attacks.
Nikto is a web server scanner that identifies vulnerabilities, misconfigurations and unpatched software, including more than 6,700 malicious file types and outdated web server versions.
Kali contains hundreds of additional utilities, many of which are for specialized use or specific situations. You can also add new utilities to supplement its inventory -- remember to use the Advanced Package Tool (APT) package manager, as Kali is based on Debian Linux.
As you become more familiar with the basic Kali Linux tools, you'll soon discover more ways to use these additional applications in your security audits.
The Kali website contains documentation on all tools, so it's a great place to get started.
You can run Kali Linux on bare metal, as a VM, from bootable media, from cloud images or even as a container. Kali's comprehensive tool list can help you perform security audits more efficiently.
Learning to use Kali Linux effectively can be daunting, especially if you're an administrator with additional responsibilities. Gaining familiarity with the available tools helps you understand when and how to use Kali for best results.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget Editorial, The New Stack and CompTIA Blogs.
07 Feb 2025