Snapshot of available Tools for Pentesting

There is a wide range of apps and packages available for ethical hacking and penetration testing. Here we provide an overview of those that come pre-installed on Kali Linux.

The tools that come with Kali Linux are grouped into categories, and some appear in more than one category because they serve several purposes. In total there are 600+ of them, many of them narrowly focused Command Line Interface (CLI) tools. Below we list the main comprehensive applications rather than all 600+.

Information Gathering

  • arping – Broadcasts a who-has ARP packet on the network and prints answers. VERY useful when you are trying to pick an unused IP for a net that you don’t yet have routing to.
  • DMitry (Deepmagic Information Gathering Tool) – Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more.
  • ike-scan – Discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern.
  • legion – a fork of SECFORCE’s Sparta; an open source, easy-to-use, highly extensible and semi-automated network penetration testing framework that aids in discovery, reconnaissance and exploitation of information systems.
  • maltego – an open source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.
  • netdiscover – a network address discovery tool, developed mainly for wireless networks without a DHCP server, though it also works on hub/switched networks. It is based on ARP packets: it sends ARP requests and sniffs for the replies.
  • nmap (Network Mapper) – uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
  • recon-ng – a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.
  • theharvester – gathers emails, names, subdomains, IPs and URLs using multiple public data sources.

Vulnerability Analysis

  • legion – see Information Gathering
  • nikto – an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.
  • nmap – see Information Gathering
  • unix-privesc-check – tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

Web Application Analysis

  • burpsuite – a leading range of cybersecurity tools, brought to you by PortSwigger.
  • commix (short for [comm]and [i]njection e[x]ploiter) – tests web-based applications with the aim of finding bugs, errors or vulnerabilities related to command injection attacks.
  • cutycapt – a small cross-platform command-line utility to capture WebKit’s rendering of a web page into a variety of vector and bitmap formats, including SVG, PDF, PS, PNG, JPEG, TIFF, GIF, and BMP.
  • nikto – see Vulnerability Analysis
  • skipfish – prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.
  • sqlmap – an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
  • wfuzz – a tool for brute-forcing web applications. It can be used to find unlinked resources (directories, servlets, scripts, etc.), to brute-force GET and POST parameters while checking for different kinds of injection (SQL, XSS, LDAP, etc.), to brute-force form parameters (user/password), for fuzzing, and more.
  • whatweb – identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.
  • wpscan (WordPress Security Scanner) – WordPress security scanner written for security professionals and blog maintainers to test the security of their sites.
  • ZAP (Zed Attack Proxy) – can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.

Database Assessment

  • SQLite database browser – a high quality, visual, open source tool to create, design, and edit database files compatible with SQLite.
  • sqlmap – see Web Application Analysis

Password Attacks

  • CeWL (Custom Word List generator) – a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be fed to password crackers such as John the Ripper.
  • crunch – a wordlist generator that takes either a standard character set or a custom one you specify. ‘crunch’ can generate all possible combinations and permutations.
  • hashcat – the world’s fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms.
  • hydra (thc-hydra) – a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system.
  • hydra-gtk – Gtk+2 frontend for ‘thc-hydra’.
  • john (John the Ripper) – a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS. Historically, its primary purpose is to detect weak Unix passwords.
  • medusa – a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible.
  • mimikatz – well known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash and pass-the-ticket or build Golden Tickets.
  • Ncrack – a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
  • ophcrack – a free Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms.
  • ophcrack-cli – command line version of ‘ophcrack’.
  • wordlists – contains the ‘rockyou’ wordlist and contains symlinks to a number of other password files present in the Kali Linux distribution.

Wireless Attacks

  • aircrack-ng – an 802.11 WEP and WPA/WPA2-PSK key cracking program.
  • bully – a new implementation of the WPS brute force attack, written in C.
  • Fern Wifi Cracker – a Wireless security auditing and attack software program written using the Python Programming Language and the Python Qt GUI library. The program is able to crack and recover WEP/WPA/WPS keys and also run other network based attacks on wireless or ethernet based networks.
  • kismet – a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework.
  • PixieWPS – brute-forces the WPS PIN offline by exploiting the low or non-existent entropy of some software implementations, the so-called “pixie-dust attack”.
  • reaver – implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.
  • wifite – attacks multiple WEP, WPA, and WPS encrypted networks in a row.

Reverse Engineering

  • clang – a language front-end and tooling infrastructure for languages in the C language family (C, C++, Objective C/C++, OpenCL, CUDA, and RenderScript) for the LLVM project.
  • clang++ – version of ‘clang’ for C++.
  • NASM shell – a shell for the Netwide Assembler: an assembler targeting the Intel x86 series of processors, with portable source.
  • radare2 – a free/libre toolchain for easing several low level tasks like forensics, software reverse engineering, exploiting, debugging, …

Exploitation Tools

  • metasploit framework – an exploitation and vulnerability validation tool that helps you divide the penetration testing workflow into manageable sections.
  • MSFvenom Payload Creator (MSFPC) – a quick way to generate various “basic” Meterpreter payloads via msfvenom (part of the Metasploit framework).
  • searchsploit – a command line search tool for Exploit-DB that also allows you to take a copy of Exploit Database with you, everywhere you go.
  • Social-Engineer Toolkit (SET) – an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly.
  • sqlmap – see Web Application Analysis

Sniffing & Spoofing

  • ettercap-graphical – graphical front-end to Ettercap which is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
  • MAC Changer – a utility that makes the manipulation of MAC addresses of network interfaces easier.
  • mitmproxy – a free and open source interactive HTTPS proxy.
  • netsniff-ng – a fast zero-copy analyzer, pcap capturing and replaying tool.
  • responder – a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
  • wireshark – the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.

Post Exploitation

  • exe2hex – inline file transfer using in-built Windows tools (DEBUG.exe or PowerShell).
  • mimikatz – see Password Attacks
  • PowerSploit – a PowerShell Post-Exploitation Framework. PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
  • proxychains – a tool that forces any TCP connection made by a given application to go through a proxy such as Tor or any other SOCKS4, SOCKS5 or HTTP(S) proxy. Supported auth types: “user/pass” for SOCKS4/5, “basic” for HTTP.
  • Weevely – a web shell designed for post-exploitation purposes that can be extended over the network at runtime.

Forensics

  • autopsy – a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.
  • Binwalk – a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
  • blkcalc – converts between unallocated disk unit numbers and regular disk unit numbers.
  • blkls – list or output file system data units.
  • blkstat – display details of a file system data unit (i.e. block or sector).
  • bulk_extractor – a forensic tool that scans a disk image, file or directory and extracts useful information (such as email addresses, URLs and credit card numbers) without parsing the file system. It can be used on Windows, Linux, and Mac OS X platforms.
  • Guymager – a free forensic imager for media acquisition.
  • hashdeep – compute, compare, or audit multiple message digests.

Reporting Tools

  • cutycapt – see Web Application Analysis
  • faraday IDE – an IPE (Integrated Penetration-Test Environment), a multi-user penetration test IDE designed for distributing, indexing, and analyzing the data generated during a security audit.
  • maltego – see Information Gathering
  • pipal – Password Analyser.
  • recordMyDesktop – a simple command line tool that performs the basic tasks of capturing and encoding and an interface that exposes the program functionality in a usable way.

Social Engineering Tools

  • maltego – see Information Gathering
  • MSF Payload Creator – see Exploitation Tools
  • Social-Engineer Toolkit (SET) – see Exploitation Tools

The available tools evolve with each version of Kali – those covered in this article are from the 64-bit 2020.2 image for VirtualBox.

Do you have any favorite tools from the above list and if so what do you like about them? Please share your thoughts by commenting below.
