Are you ready to take your hacking to the next level? Kali Linux is the perfect platform for penetration testing and hacking, and the best way to hack is with the right tools. In this guide, we’ll provide an overview of the top 25 penetration testing tools for Kali Linux.
Whether you’re a pentesting newbie or ninja, you’ll be happy to learn about or recall the best penetration testing tools we use for enumeration, password cracking, web app security, on-path attacks, privilege escalation, network exploitation, pentesting frameworks, social engineering, and evasion.
If you haven’t yet, follow our tutorial to install Kali Linux. When you’re ready, let’s scroll down and get started.
Enumeration Tools
Before you begin hacking, you need to know your target’s vulnerabilities. In other words, every pentest begins with enumeration. The following tools are for reconnaissance, mapping your attack surface, and learning the landscape of your battleground.
Nmap
Nmap is a network mapping tool. It scans individual targets or networks for available hosts and shows details about these devices, such as active ports and the services running on those ports that may interest you. See our Top 20 Nmap Commands article to start using it today.
Why we like Nmap
- Easy to install
- Highly efficient when scanning huge numbers of devices
- Can do basic vulnerability scans
- Supports many advanced scanning techniques
- Well-documented
- Has command-line and graphical user interfaces
Included with Kali
Bloodhound
Bloodhound sniffs out exploitable attack paths and weak links. It’s a single-page JavaScript web application that uses graph theory to describe relationships between entities. It visualizes Active Directory object relationships and the permissions between them through a graph database platform called Neo4j.
Why we like Bloodhound
- Identifies obscure attack paths quickly
- Locates nodes of interest, e.g., admins
- Can export query results as a CSV file
Needs to be installed
- Installation instructions: https://www.kali.org/tools/bloodhound/
PowerView
PowerView is a complex PowerShell script that pentesters use to enumerate Active Directory over networks containing Windows hosts. It helps identify privilege escalation opportunities, locate where specific users, such as admins, have logged in on a network, and monitor existing logged-in sessions.
Why we like PowerView
- Displays in great detail the results of enumeration
- Can check when a user logs into a system in real-time
- Can work without the interference of antivirus software on vulnerable hosts if run in memory
Needs to be installed
- Installation instructions: https://www.kali.org/tools/powershell/
Password Cracking
Password cracking is programmatically uncovering an unknown or lost password to a computing or network resource. A threat actor can gain unauthorized access using a password cracker like the ones listed below.
Hydra
Hydra is a parallelized password cracker. It brute-forces usernames and passwords for protocols such as FTP, SSH, Telnet, Microsoft SQL, and numerous others. Learn how to use Hydra here.
Why we like Hydra
- Fast
- Flexible
- Easy to add new modules
- Has command-line and graphical user interfaces
Included with Kali
John The Ripper
John the Ripper helps you find weak passwords and recover access to locked files. It can automatically alert users of easily compromised accounts via email. It has a separate graphical user interface called Johnny.
Why we like John the Ripper
- Easy to install and learn
- Used by professional pentesters and ethical hackers
- Supports cracking multiple password types, salts, and hashes
- Remembers previously cracked passwords
- Can automatically detect hash types
- Combinable with pre-built, proven packages and open-source word dictionaries for enhanced performance
- Offers 20+ different languages
- Detects multithreading automatically
- Usable on Windows and UNIX
Included with Kali
Web Application Security
Web application security protects resources accessible online, such as static web pages, web apps, and APIs, from cyber vandalism, data theft, unethical competition, and other threats. Here are the bleeding-edge pentesting tools Kali has to offer.
sqlmap
sqlmap is an open-source pentesting tool that automates detecting and exploiting SQL injection flaws in database systems. It can help you enumerate targets, perform database fingerprinting, read and write to remote file systems, and crack passwords.
Why we like sqlmap
- Gentle learning curve
- Extensive pentesting features
- Used by professional pentesters and ethical hackers
- Supports common relational database management systems: MySQL, PostgreSQL, Microsoft SQL Server, and so on
Included with Kali
Burp Suite
Burp Suite is an integrated collection of web application security tools covering many known flaws in web apps. It can enumerate and analyze an application’s attack surface and find and exploit security vulnerabilities.
Why we like Burp Suite
- Intuitive graphical user interface
- Contains many smoothly integrated pentesting tools
- Allows automated and manual pentesting
- Enumerates pages in web apps quickly
- Used by professional web app security researchers and bug bounty hunters
- Installing add-ons called BApps can enhance its capabilities
- Well-documented
- Attacks are fast
Included with Kali (Burp Suite Community Edition)
ffuf
ffuf (short for “Fuzz Faster U Fool”) is a fast web fuzzer. It discovers elements and content within web applications or servers, such as directories and virtual hosts that have no DNS records. It can fuzz GET and POST parameters for web app or API pentesting.
Why we like ffuf
- Fast
- Flexible
- Integrates well with external tools, such as custom wordlists
- Excellent maintenance by its development team
Included with Kali
Intercepting Proxies
An intercepting proxy is an eavesdropper: a server that intercepts the connection between an end-user or device and the Internet but keeps the requests and responses involved unchanged. Here are the top penetration testing tools we’ve picked in this category.
Aircrack-ng
Aircrack-ng is a Wi-Fi pentesting software suite that hacks wireless networks using statistical analysis. Its capabilities include the following:
- Packet sniffing
- Cracking WEP and WPA/WPA2
- Capturing and deciphering hashes
- Cyber attacks, including replay attacks and fake access points (evil twin attacks)
Why we like Aircrack-ng
- Contains many tools, each with specialized functions
- Suitable for heavy scripting
- Quite well maintained by its development team
Included with Kali
Responder
Responder is a credential harvesting and remote system access tool. It poisons LLMNR, NBT-NS, and mDNS name resolution by impersonating harmless services. Once a Windows host talks to Responder, it captures the login credentials and authentication hashes for further use (you can learn pass-the-hash techniques here).
Why we like Responder
- Can look up local hosts containing certain DNS entries
- Queries DNS automatically to select networks
- Quiet; no need to install additional services for sending messages to networks
- Can troubleshoot issues easily
Included with Kali
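As an added, defender-side illustration of the name-resolution poisoning Responder relies on (this is not code from the article or from the Responder project): the script below multicasts an LLMNR query for a random name that cannot exist on the network, so any host that answers it is spoofing name resolution. It assumes a Linux host with Python 3 on the same broadcast domain and embeds a constructed sample reply so the parser can be checked offline.

```python
import random, socket, string, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355     # LLMNR multicast group and port (RFC 4795)
# Constructed sample (not a real capture): a poisoner's reply to txid 0x1234 for "abc",
# answering A 10.0.0.5 with TTL 30, so the parser can be exercised offline.
SAMPLE_POISONED_REPLY = bytes.fromhex("123480000001000100000000" "0361626300" "00010001"
                                      "c00c" "0001" "0001" "0000001e" "0004" "0a000005")

def build_llmnr_query(name, txid):
    """Build an LLMNR A-record query; the wire format is the same as DNS."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN

def parse_llmnr_response(data, txid):
    """Return the IPv4 addresses in A answers, or None if this is not a reply to txid."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000):                   # our id, and QR bit set
        return None
    def skip_name(o):                                         # labels end at 0x00 or a pointer
        while data[o] and data[o] & 0xC0 != 0xC0:
            o += 1 + data[o]
        return o + (2 if data[o] & 0xC0 == 0xC0 else 1)
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4                              # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs

def probe_for_poisoner(timeout=2.0):
    """Query a random name that cannot exist; any host that answers is a poisoner."""
    name = "".join(random.choices(string.ascii_lowercase, k=12))
    txid = random.randrange(0x10000)
    hits = []                                                 # (source IP, honey name, answers)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:                                       # collect every answer until silence
                data, (src, _) = s.recvfrom(4096)
                addrs = parse_llmnr_response(data, txid)
                if addrs is not None:
                    hits.append((src, name, addrs))
        except socket.timeout:
            pass
    return hits
```

Run `probe_for_poisoner()` periodically from a monitoring host; a non-empty result names the machine answering for names that should never resolve.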
bettercap
bettercap is a networking security framework for performing reconnaissance and attacks on multiple targets, such as Wi-Fi networks, Bluetooth Low Energy devices, wireless Human Interface Devices, and IPv4/IPv6 networks. A major use of bettercap is sniffing or spoofing networks, making it ideal for man-in-the-middle (on-path) attacks.
Why we like bettercap
- Easy to use
- Has a rapid port scanner
- Can scan IP network hosts passively
- Its network sniffer can harvest credentials and doubles as a network protocol fuzzer
Needs to be installed
- Installation instructions: https://www.bettercap.org/installation/
Privilege Escalation
Privilege escalation is when a low-level user with limited capabilities takes on administrator or super admin permissions. Linux users are familiar with switching to the root user for app installations and major upgrades, while Windows users would be more familiar with Administrator or NT Authority\System. When you break into a system, you’ll get the level of whoever opens your payload, so it takes tools like those listed below to gain extra abilities.
Seatbelt
Seatbelt is a security auditing tool. It performs security checks, enumerates a system’s vulnerabilities, and manages host data collection that may interest the offensive and defensive parties in network security.
Why we like Seatbelt
- Numerous security checks
- In-depth reconnaissance
- Customizable modules
Needs to be installed
- Installation instructions: https://github.com/GhostPack/Seatbelt
PowerUp
PowerUp is a Windows security auditing tool for rapidly checking privilege escalation vulnerabilities. It can’t check against all known privilege escalation techniques, but it’s good enough for basic attempts at local privilege escalation.
Why we like PowerUp
- Covers basic functions, which is ideal for quick security checks
- Can load PowerUp modules directly into memory to dodge antivirus scans
- Working through disabling the execution policy and bypassing AMSI is useful practice for pentesters conducting general attacks
Needs to be installed
- Installation instructions: https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
LinPEAS
LinPEAS (Linux Privilege Escalation Awesome Script) belongs to a family of privilege escalation scripts. It looks for privilege escalation pathways on Linux and some Unix-like operating systems such as macOS.
Why we like LinPEAS
- Easy to use on the command line (documentation)
- Checks are customizable by speed and depth
- Diligent maintenance by the development team
Needs to be installed
- Run this command in the terminal to download the LinPEAS script:
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -O linpeas.sh
Network Exploitation
Network exploitation is computer espionage and data theft carried out while leaving the network’s other functions unaffected. The main goals are to gain access to the network, perform reconnaissance, infiltrate the target systems, and obtain the desired information. Here are our top penetration testing tools for such a task.
CrackMapExec
CrackMapExec is an all-in-one pentesting toolkit targeting Windows/Active Directory environments. It can enumerate logged-in users, automatically inject malicious code into memory, store harvested credentials in a database, and exploit other vulnerabilities.
Why we like CrackMapExec
- Requires no external tools or dependencies
- Fully concurrent threading
- Uses ONLY native WinAPI calls for enumeration scans
- OpSec-safe: it maintains operations security (OpSec) by not uploading binaries during attacks
- Automatically correlates admin credentials to hosts, thus keeping track of extracted credentials
Included with Kali
Mimikatz
Mimikatz is a Swiss Army knife for network pentesting. Its main use is to reveal, in plaintext, the passwords of currently logged-in Windows users, which requires admin rights. Other functions include Kerberoasting and password dumping.
Why we like Mimikatz
- Comes with built-in tools for network pentesting
- Suitable for offensive and defensive security
- Regularly maintained and updated
Included with Kali
sshuttle
sshuttle is a cross between an intercepting proxy and a VPN, forwarding traffic over SSH. Its role in pentesting is to enable you to access remote hosts even if you’re not an admin.
Why we like sshuttle
- Does the job of a VPN, hence its nickname “poor man’s VPN”
- Makes tunneling through a bastion host easier
- Eliminates the need for complex configuration and management
- Minimizes the overhead of encryption and tunneling, resulting in faster network speeds
Needs to be installed
- Installation instructions: https://sshuttle.readthedocs.io/en/stable/installation.html
Pentesting Frameworks
This section is exciting as we list our favorite self-contained and juicy pentesting toolkits.
Metasploit
Metasploit is a pentesting framework for investigating systematic vulnerabilities on networks and servers. It contains about 250 post-exploitation modules, including those for keylogging, enumeration, and remote code injection and execution, to name a few. If you’re new to Metasploit, run the command “msfrpcd -h” in the terminal for help notes.
Why we like Metasploit
- Comes with a wide range of pentesting tools
- Modules are customizable for many operating systems
- Used by professionals and criminals, so pentesters need to learn it
Included with Kali
Empire/Starkiller
Empire is a post-exploitation and adversary emulation framework used to conduct system attacks. It can deploy post-exploitation modules such as keyloggers, Mimikatz, and adaptable communications to evade network detection. Starkiller, which doesn’t come with Kali, is a web app GUI. Mimikatz and Seatbelt are among its modules.
Why we like Empire/Starkiller
- Rapid deployment
- Focuses on usability
- Can run PowerShell agents without powershell.exe
Included with Kali (powershell-empire)
Covenant
Covenant is a .NET Command and Control (C2/C&C) Framework. Its purposes are to highlight the attack surface of .NET and conduct offensive .NET tradecraft. It includes a web-based interface that doubles as a collaborative C2 platform for red teamers.
Why we like Covenant
- Intuitive web application
- Targets .NET Core, which is multi-platform
- Supports multi-user collaboration
- Easy to extend functionalities, develop, and debug
- Supports encrypted key exchange (Grunt implants)
- Tracks digital activities of interest, which it calls “indicators”
Needs to be installed
- Installation instructions: https://www.kali.org/tools/covenant-kbx/
Social Engineering
Social engineering is when you persuade a target to reveal specific information or unknowingly allow a threat actor to gain unauthorized access. Below we list our best tools for social engineering.
BeEF
BeEF (The Browser Exploitation Framework) is a pentesting tool that attaches itself to web browsers, making them the launchpad for further exploitation. It helps professional pentesters use client-side attack vectors to examine vulnerabilities of a target environment, such as mobile devices.
Why we like BeEF
- Free and open source
- Customizable
- In-built Metasploit integration
- Easily detects browser plug-ins
- Easy exploitation of intranets (such as corporate environments)
Needs to be installed
- Installation instructions: https://github.com/beefproject/beef/wiki/Installation
Evilginx2
Evilginx2 is a man-in-the-middle attack framework. It lets you phish login credentials and intercept valid session cookies to bypass two-factor authentication. By using Evilginx2 to change DNS server records, you can trick people into authorizing sessions over which you have full control.
Why we like Evilginx2
- Generates certificates that look almost legitimate
- Can bypass two-factor authentication
- Has a portable version requiring no installation or changes in registry entries
Needs to be installed
- Installation instructions: https://github.com/kgretzky/evilginx2#installation
SET
SET (Social-Engineer Toolkit) is a penetration testing framework designed for social engineering. You can use it to conduct cyber ambushes such as phishing, smishing, spear-phishing, and caller ID spoofing. Learn how to use SET effectively here.
Why we like SET
- Free and open-source
- Portable—it’s easy to change attack vectors
- Used by professional hackers, security researchers, and pentesters
- Supports integration with third-party modules
- Supports multiple platforms: Linux, Unix, and Windows
- Offers website attack vectors and custom attack vectors, with which you can clone any website for phishing attacks
Included with Kali (setoolkit)
Evasion
Evasion means you bypass a security system, such as antivirus software, firewalls, routers, network switches, and intrusion detection devices. Pentesters need to be familiar with how threat actors would dodge various defenses. Here are our top tools for detecting opportunities for evasion.
Veil
Veil is a Metasploit payload generator that bypasses common antivirus software by outwitting its signature-matching capabilities. It can mask the signature of malware or of a remote shell with elevated privileges through which an attacker gains access to a target.
Why we like Veil
- Free and open-source
- Supports 32- and 64-bit payloads generated by Metasploit
- Supports different methods of payload obfuscation (e.g., Base64, AES)
- Supports custom shellcode as payload
Needs to be installed
- Installation instructions: https://github.com/Veil-Framework/Veil
evilgrade
evilgrade is a modular framework for spoofing, injecting attack payloads, and creating backdoors disguised as updates to existing apps. It’s useful when you have a fully patched target machine or one that updates itself often as a security measure.
Why we like evilgrade
- Clean and easy to set up and use
- Comes with pre-made binaries (agents)
- Has a working default configuration for fast pentests
- Has its own web server and DNS server modules
- Supports attacks such as DNS tampering, DNS cache poisoning, ARP spoofing, Wi-Fi Access Point impersonation, DHCP hijacking, and hostname redirections
Needs to be installed
- Installation instructions: https://www.kali.org/tools/isr-evilgrade/
Conclusion
We hope this list of penetration testing tools for Kali Linux is helpful in some way and that you make good use of it. Remember to check out our hacking tools cheat sheet and other articles and courses on Kali Linux. Don’t forget to leave a comment below on your favorite pentesting tools, whether we’ve mentioned them or not.