reconnaissance

SecurityTrails Blog · Dec 04 · SecurityTrails team

Top 25 Kali Linux Penetration Testing Tools

Kali Linux is an open source distribution based on Debian focused on providing penetration testing and security auditing tools. Actively developed by Offensive Security, it’s one of the most popular security distributions in use by infosec companies and ethical hackers.

One of the best things about Kali is the fact that it doesn’t require you to install the OS in your hard drive — it uses a live image that can be loaded in your RAM memory to test your security skills with the more than 600 ethical hacking tools it provides.

It includes numerous security-hacker tools for information gathering, vulnerability analysis, wireless attacks, web applications, exploitation tools, stress testing, forensic tools, sniffing and spoofing, password cracking, reverse engineering, hardware hacking and much more.

We’ve previously explored the Top 20 OSINT Tools available, and today we’ll go through the list of top-used Kali Linux software. Let’s begin!

Screenshot of Kali Linux 2018 - Install_Live DVD (64-bit)

For ease of reference, we’ll divide the most-used software of Kali Linux into five distinct categories: information gathering, vulnerability scanning, wireless analysis tools, password crackers, exploitation tools and stress testing.

1. Nmap

Nmap is the world’s most famous network mapper tool. It allows you to discover active hosts within any network, and acquire other information (such as open ports) relevant to penetration testing.

Main features:

  • Host discovery: useful for identifying hosts in any network
  • Port scanning: lets you enumerate open ports on the local or remote host
  • OS detection: useful for fetching operating system and hardware information about any connected device
  • App version detection: allows you to determine application name and version number
  • Scriptable interaction: extends Nmap default capabilities by using Nmap Scripting Engine (NSE)
[securitytrails@kali root]$ nmap --help
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host

Ready to unleash the power of Nmap? Check out our list of Top 15 Nmap Commands.

2. Netcat

Netcat is a network exploration application that is not only popular among those in the security industry, but also in the network and system administration fields.

While it’s primarily used for outbound/inbound network checking and port exploration, it’s also valuable when used in conjunction with programming languages like Perl or C, or with bash scripts.

Netcat’s main features include:

  • TCP and UDP port analysis
  • Inbound and outbound network sniffing
  • Reverse and forward DNS analysis
  • Scan local and remote ports
  • Fully integrated with terminal standard input
  • UDP and TCP tunnelling mode

3. Unicornscan

Licensed under the GPL license, Unicornscan is one of the best infosec tools used for information gathering and data correlation. It offers advanced asynchronous TCP and UDP scanning features along with very useful network discovery patterns that will help you to find remote hosts. It can also reveal details about the software running by each one of them.

Main features include:

  • TCP asynchronous scan
  • Asynchronous UDP scan
  • Asynchronous TCP banner detection
  • OS, application and system service detection
  • Ability to use custom data sets
  • Support for SQL relational output

4. Fierce

Fierce is a great tool for network mapping and port scanning. It can be used to discover non-contiguous IP space and hostnames across networks.

It’s similar to Nmap and Unicornscan, but unlike those, Fierce is mostly used for specific corporate networks.

Once the penetration tester has defined the target network, Fierce will run several tests against the selected domains to retrieve valuable information that can be used for later analysis and exploitation.

Its features include:

  • Ability to change DNS server for reverse lookups
  • Internal and external IP ranges scanning
  • IP range and entire Class C scanning
  • Logs capabilities into a system file
  • Name Servers discovery and Zone Transfer attack
  • Brute force capabilities using built-in or custom text list

5. OpenVAS

OpenVAS (Open Vulnerability Assessment System) was developed by part of the team responsible for the famous Nessus vulnerability scanner. Licensed under the GLP license, it’s free software that anyone can use to explore local or remote network vulnerabilities.

This security tool allows you to write and integrate your own security plugins to the OpenVAS platform — even though the current engine comes with more than 50k NVTs (Network Vulnerability Tests) that can literally scan anything you imagine in terms of security vulnerabilities.

Main features:

  • Simultaneous host discovery
  • Network mapper and port scanner
  • Support for OpenVAS Transfer Protocol
  • Fully integrated with SQL Databases like SQLite
  • Scheduled daily or weekly scans
  • Exports results into XML, HTML, LateX file formats
  • Ability to stop, pause and resume scans
  • Full support for Linux and Windows

openvas-kali-screenshot

6. Nikto

Written in Perl and included in Kali Linux, Nikto iworks as a complement to OpenVAS and other vulnerability scanners.

Nikto allows penetration testers and ethical hackers to perform a full web server scan to discover security flaws and vulnerabilities. This security scan gathers results by detecting insecure file and app patterns, outdated server software and default file names as well as server and software misconfigurations.

It includes support for proxies, host-based authentication, SSL encryption and much more.

Main features include:

  • Scans multiple ports on a server
  • IDS evasion techniques
  • Outputs results into TXT, XML, HTML, NBE or CSV.
  • Apache and cgiwrap username enumeration
  • Identifies installed software via headers, favicons and files
  • Scans specified CGI directories
  • Uses custom configuration files
  • Debug and verbose output.

7. WPScan

WPScan is recommended for auditing your WordPress installation security. By using WPScan you can check if your WordPress setup is vulnerable to certain types of attacks, or if it’s exposing too much information in your core, plugin or theme files.

This WordPress security tool also lets you find any weak passwords for all registered users, and even run a brute force attack against it to see which ones can be cracked.

WPScan receives frequent updates from the wpvulndb.com WordPress vulnerability database, which makes it a great software for up-to-date WP security.

What can you do with WPScan?

  • Non-intrusive security scans
  • WP username enumeration
  • WP bruteforce attack & weak password cracking
  • WP plugins vulnerability enumeration
  • Schedule WordPress security scans

Are you interested in WordPress security? Check out our blog post on asking exactly that: Is WordPress secure?

8. CMSMap

Unlike WPScan, CMSMap aims to be a centralized solution for not only one, but up to four of the most popular CMS in terms of vulnerability detection.

CMSmap is an open source project written in Python that helps automate the process of vulnerability scanning and detection in WordPress, Joomla, Drupal, and Moodle.

This tool is not only useful for detecting security flaws in these four popular CMS but also for running actual brute force attacks and launching exploits once a vulnerability has been found.

Main features include:

  • Supports multiple scan threats
  • Ability to set custom user-agent and header
  • Support for SSL encryption.
  • Verbose mode for debugging purposes
  • Saves output in a text file.

9. Fluxion

Fluxion is a WiFi analyzer that specializes in MITM WPA attacks.

It allows you to scan wireless networks, searching for security flaws in corporate or personal networks.

Unlike other WiFi cracking tools, Fluxion does not launch any brute force cracking attempts that usually take a lot of time.

Instead, it spawns an MDK3 process which forces all users connected to the target network to deauthenticate. Once this is done, the user is prompted to connect to a fake access point, where they will enter the WiFi password. Then the program reports the password to you, so you can gain access.

10. Aircrack-ng

Aircrack-ng is a wireless security software suite. It consists of a network packet analyzer, a WEP network cracker, and WPA / WPA2-PSK along with another set of wireless auditing tools. Here are the most popular tools included in the Aircrack-ng suite:

  • Airmon-Ng: converts your wireless card into a wireless card in a promiscuous way
  • Airmon-Ng: captures packages of desired specification, and t is particularly useful in deciphering passwords
  • Aircrack-Ng: used to decrypt passwords — able to use statistical techniques to decipher WEP and dictionaries for WPA and WPA2 after capturing the WPA handshake
  • Aireplay-Ng: can be used to generate or accelerate traffic in an access point
  • Airdecap-Ng: decrypts wireless traffic once we the key is deciphered

Main features:

  • Support for WEP, WPA/WPA2-PSK passwords
  • Fast WEP and WPA password decryption
  • Packet sniffer and injector
  • Ability to create a virtual tunnel
  • Automated WEP key password recovery
  • Password list management
[securitytrails@kali root]$ aircrack-ng  

Aircrack-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe  
http://www.aircrack-ng.org  

usage: aircrack-ng [options] <.cap / .ivs file(s)>  

Common options:  

-a <amode> : force attack mode (1/WEP, 2/WPA-PSK)  
-e <essid> : target selection: network identifier  
-b <bssid> : target selection: access point's MAC  
-p <nbcpu> : # of CPU to use (default: all CPUs)  
-q : enable quiet mode (no status output)  
-C <macs> : merge the given APs to a virtual one  
-l <file> : write key to file

11. Kismet Wireless

Kismet Wireless is a multi-platform free Wireless LAN analyzer, sniffer and IDS (intrusion detection system).

It’s compatible with almost any kind of wireless card. Using it in sniffing mode allows you to work with wireless networks such as 802.11a, 802.11b, 802.11g, and 802.11n.

Kismet Wireless runs natively in Windows, Linux and BSD operating systems (FreeBSD, NetBSD, OpenBSD, and MacOS).

Main features:

  • Ability to run in passive mode
  • Easy detection of Wireless clients and access points
  • Wireless intrusion detection system
  • Scans wireless encryption levels for a given AP
  • Supports channel hopping
  • Network logging

12. Wireshark

Wireshark is an open source multi-platform network analyzer that runs Linux, OS X, BSD, and Windows.

It’s especially useful for knowing what’s going on inside your network, which accounts for its widespread use in government, corporate and education industries.

It works in a similar manner as tcpdump, but Wireshark adds a great graphical interface that allows you to filter, organize and order captured data so it takes less time to analyze. A text-based version, called tshark, is comparable in terms of features.

Main features include:

  • GUI-friendly interface
  • Packet live capture and offline analysis
  • Full protocol inspection
  • Gzip compression and decompression on the fly
  • Full VoIP analysis
  • Decryption support for IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Reading capture file formats such as tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog and many others

13. John the Ripper

John the Ripper is a multi-platform cryptography testing tool that works on Unix, Linux, Windows and MacOS. It allows system administrators and security penetration testers to launch brute force attacks to test the strength of any system password. It can be used to test encryptions such as DES, SHA-1 and many others.

Its abilities to change password decryption methods are set automatically, depending on the detected algorithm.

Licensed and distributed under the GPL license, it’s a free tool available for anyone who wants to test their password security.

Main features include:

  • Dictionary attacks and brute force testing
  • Compatible with most operating systems and CPU architectures
  • Can run automatically by using crons
  • Pause and Resume options for any scan
  • Lets you define custom letters while building dictionary attack lists
  • Allows brute force customization rules

14. THC Hydra

THC Hydra is a free hacking tool licensed under AGPL v3.0, widely used by those who need to brute force crack remote authentication services.

As it supports up to more than 50 protocols, it’s one of the best tools for testing your password security levels in any type of server environment.

It also provides support for most popular operating systems like Windows, Linux, Free BSD, Solaris and OS X.

Main features:

  • Ultrafast password cracking speed
  • Runs on multiple operating systems
  • Ability to launch parallel brute force cracking attacks
  • Module-based application allows you to add custom modules
  • Support for multiple protocols such as CVS, FTP, HTTP, HTTPS, HTTP-Proxy, IMAP, IRC, LDAP, MS-SQL, MySQL, etc.

15. findmyhash

Written in Python, findmyhash is a free open-source tool that helps to crack passwords using free online services.

It works with the following algorithms: MD4, MD5, SHA1, SHA225, SHA256, SHA384, SHA512, RMD160, GOST, WHIRLPOOL, LM, NTLM, MYSQL, CISCO7, JUNIPER, LDAP_MD5, and LDAP_SHA1. It also supports multi-thread analysis for faster speed and algorithm recognition from the hash value.

Main features include:

  • Empty hashes recognition
  • Reads input from a text file
  • Ability to escape special characters
  • Cracks single or multiple hashes.
  • Password hash search on Google
  • Pause and Resume options
  • Saves the results in a file.

16. RainbowCrack

RainbowCrack is a password cracking tool available for Windows and Linux operating systems.

Unlike other password cracking tools, RainbowCrack uses a time-memory tradeoff algorithm to crack hashes along with large pre-computed “rainbow tables” that help to reduce password cracking time.

Features include:

  • Available rerminal-based and GUI-friendly interface
  • Works well with multi-core processors
  • Rainbow table generation, sort, conversion and lookup
  • Support for GPU acceleration (Nvidia CUDA and AMD OpenCL)
  • Support rainbow table of any hash algorithm and charset.
  • Support rainbow table in raw file format (.rt) and compact file format (.rtc).

17. Metasploit Framework

Metasploit Framework is a Ruby-based platform used to develop, test and execute exploits against remote hosts. It includes a full collection of security tools used for penetration testing, along with a powerful terminal-based console — called msfconsole — which allows you to find targets, launch scans, exploit security flaws and collect all available data.

Available for Linux and Windows, MSF is probably one of the most powerful security auditing tools freely available for the infosec market.

What can you do with Metasploit Framework?

  • Network enumeration and discovery
  • Evade detection on remote hosts
  • Exploit development and execution
  • Work with the MFSconsole
  • Scan remote targets
  • Exploit vulnerabilities and collect valuable data

18. Social Engineering Toolkit

Available for Linux and Mac OS X, the Social Engineering Toolkit (known as SET) is an open-source Python-based penetration testing framework that will help you launch Social-Engineering attacks in no time.

Have you ever wondered how to hack social network accounts? Well, SET has the answer — it’s indispensable for those interested in the field of social engineering.

What kind of attacks can I launch with SET?

  • WiFi AP-based attacks: this kind of attack will redirect or intercept packets from users using our WiFi network
  • SMS and email attacks: here, SET will try to trick and generate a fake email to get social credentials
  • Web-based attacks: lets you clone a web page so you can drive real users by DNS spoofing or phishing attacks
  • Creation of payloads (.exe): SET will create a malicious .exe file that, after executed, will compromise the system of the user who clicks on it

Highlighted features include:

  • Fast penetration testing
  • Integration with third-party modules
  • Phishing attack generator
  • Launch QRCode attacks
  • Support for Powershell attack vectors

set-kali-securitytrails

19. BeEF

BeEF stands for The Browser Exploitation Framework,a powerful penetration testing tool that relies on browser vulnerabilities and flaws to exploit the host.

Unlike other Kali cybersecurity tools, it focuses on the browser side, including attacks against mobile and desktop clients, letting you analyze exploitability of any Mac and Linux system.

You’ll be able to select specific modules in real-time to audit your browser security.

BeEF requirements:

  • OS: Mac OS X 10.5.0 or higher / modern Linux
  • Ruby 2.3 or newer
  • SQLite 3.x
  • Node.js 6 or newer

Main features:

  • Web and console UI
  • Metasploit integration
  • Modular structure
  • Interprocess communication & exploitation
  • History gathering and intelligence
  • Host and network reconnaissance
  • Ability to detect browser plugins

20. Yersinia

Yersinia is a security network tool that allows you to perform L2 attacks by taking advantage of security flaws in different network protocols.

This tool can attack switches, routers, DHCP servers and many other protocols. It includes a fancy GTK GUI, ncurses-based mode, is able to read from a custom configuration file, supports debugging mode and offers to save results in a log file.

Supported network protocols:

  • 802.1q and 802.1x Wireless LANs
  • Cisco Discovery Protocol (CDP)
  • Dynamic Host Configuration Protocol (DHCP)
  • Dynamic Trunking Protocol (DTP)
  • Inter-Switch Link Protocol (ISL)
  • Hot Standby Router Protocol (HSRP)
  • Spanning Tree Protocol (STP)
  • VLAN Trunking Protocol (VTP)

21. DHCPig

DHCPig is a DHCP exhaustion application that will launch an advanced attack in order to consume all active IPs on the LAN.

It also prevents new users from getting IPs assigned to their computers. Works pretty well attacking Linux LANs as well as Windows 2003, 2008, etc.

In fact, DHCPig doesn’t require any installation, as it is a tiny script; it only requires scapy library installed on your system, and it includes support for ipv4 and ipv6.

What can you do with DHCPig?

  • Detect/print DHCP replies
  • Detect/print ICMP requests
  • Discover and create a network map of your neighbours’ IPs
  • Request all possible IP addresses in a zone
  • Create a loop and send DHCP requests from different MAC addresses
  • Explore your neighbours’ MAC & IP addresses
  • Release IPs and MAC address from the DHCP server
  • ARP for all neighbours on that LAN
  • Knock off network on Windows systems

22. FunkLoad

Written in Python, FunkLoad is a popular web-stress tool that works by emulating a fully functional web browser. It’s highly useful for testing web projects and seeing how well they react in terms of web server performance.

FunkLoad allows full performance testing to help you identify possible bottlenecks within your web apps and web servers, at the same time testing your application recoverability time.

Main FunkLoad features include:

  • Real web browser emulation (including GET/POST/PUT/DELETE, DAV, cookie, referer support, etc)
  • Command-line advanced tests
  • Full benchmarking reports in PDF, HTML, ReST, Org-mode
  • Benchmark differential comparison between 2 results
  • Test customization using a configuration file
  • Full support for popular servers such as PHP, Python, Java

23. SlowHTTPTest

SlowHTTPTest is one of the most popular web-stress applications used to launch DOS attacks against any HTTP server. This type of security tool focuses on sending low-bandwidth attacks to test your web-server health and response times. It includes statistics of all your tests and allows you to run multiple types of attacks such as:

  1. Apache Range Header.
  2. Slow Read.
  3. Slow HTTP POST.
  4. Slowloris.

Main features include:

  • Saving statistics output in HTML and CSV files
  • Setting verbose level (0-4)
  • Targeting custom number of connections
  • Setting HTTP connection rate (per seconds)
  • Proxy traffic redirection

slowhttptest-securitytrails

24. Inundator

Inundator is a multi-threaded IDS evasion security tool designed to be anonymous. By using TOR it can flood intrusion detection systems (especially with Snort) causing false positives, which hide the real attack taking place behind the scenes t. By using SOCKS proxy it can generate more than 1k false-positives per minute during an attack.

The main goal of Inundator is to keep your security team busy dealing with false positives while a real attack is happening.

Inundator features and attributes include:

  • Multi-threaded capabilities
  • Full SOCKS support
  • Anonymization-ready
  • Support of multiple targets
  • Queue-based

25. t50

t50 is another web-stress testing tool included with Kali Linux distribution. It can help you test how your websites, servers and networks react under high load average during an attack.

It’s one of the few security tools capable of encapsulating protocols using GRE (Generic Routing Encapsulation), and supports up to 14 different protocols. The t50 package also lets you send all protocols sequentially using one single SOCKET.

t50 features:

  • DoS and DDoS attacks simulator
  • Main supported protocols include TCP, UDP, ICMP, IGMP, etc.
  • Up to 1,000,000 pps of SYN Flood if using Gigabit network
  • Up to 120k pps of SYN Flood if using 100Mbps network

Summary

We’ve said it before in our post How web software gets hacked: a History of Web Exploits: “Internet has no future without hacking”.

Nowadays Kali Linux offers what are probably the best ethical hacking and penetration testing suites in the world. Thanks to their extensive documentation, community and tools, starting in the infosec world is not as hard as it was 20 years ago; nowadays you can find pre-built tools for almost anything you imagine.

By implementing these Kali Linux tools, your software company will have more ways to test and increase the security of your web applications and systems — by identifying security flaws before the bad guys do.

We at SecurityTrails are focused on creating a powerful security platform that includes domain automation lists, forensic DNS tools and IP exploration utilities as never seen before. Our information gathering and intel reconnaissance data, combined with security distributions like Kali, can make your daily security tasks way easier than ever.


Are you ready to start using our cybersecurity treasure trove? Grab a free API account today or contact us for consultation.