6 Best Kali Linux Tools: Enumeration, Exploits, Cracking
Kali Linux, the Linux distro loaded with every penetration-testing app you could ever need, is indeed a powerful tool in the hands of even a n00b pentester. But while the preinstalled 600+ tools sound like you have everything (and the virtual kitchen sink), some tools are better than others for certain tasks.
Sometimes a scalpel is needed instead of a broadsword, but sometimes the broadsword is nowhere near enough power, and you'll need to break out the multi-bladed Sith Army Knife.
Let's take a look at the best tools in Kali for specific pentesting tasks, both for surgical strikes and hacking the entire First Order.
SCARY LEGAL WARNING: As with any pen testing exercise, make sure you never run any tools against systems that you do not own without explicit permission. Doing so violates numerous unauthorized access laws in the U.S. and likely in most other countries. Even seemingly harmless port scans can be used against you, so be smart and scan only targets you own or are authorized to scan.
Nmap: Best Kali Tool for Port Scanning
Nmap. Done. Move Along.
Just kidding, let's dig into everyone's favorite network mapper. Nmap is a pentester's best friend and is typically the first tool drawn when enumerating targets. Just take a look at the first 60 seconds of any Ippsec video, and you'll see him start with an Nmap scan and then review the open ports it finds.
But let's take a step back and define our terms. Remember from your Network+ training that network ports are communication endpoints between two hosts. A port is generally open to client connections; the client connects to the open port, and the two computers exchange data. Ports are numbered 1-65535, but don't let that overwhelm you; there are only a much smaller number of these that will come up regularly enough to worry about.
An Nmap scan will look for open ports on a system. To be open, an application must listen on that port, and your traffic must be permitted by the firewall to reach the host. Nmap scans a range of ports (depending on the options you use when running the scan) and reports any that are open. By default, Nmap uses a TCP SYN scan, sending a SYN packet and analyzing the response without completing the full three-way handshake. A SYN-ACK indicates an open port, while a RST or no response suggests the port is closed or filtered.
While this happens very quickly (hundreds of ports per second with a good connection to the host), it can be advantageous to scan only common ports rather than all 65,535. Nmap does this by default: it scans only the 1,000 most common TCP ports. Then it attempts to determine which application is actually running on each open port.
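The SYN scan described above leaves a recognizable footprint: one source sends SYNs to many ports on a host and never completes the handshake. As an added example (not code from the original article), the following detector runs over a constructed connection log in an assumed simplified format (`epoch src dst port flags`, not real Nmap or firewall output) and flags sources with many half-open connections to one host in a short window.

```python
"""Spot an Nmap-style SYN (half-open) scan in a connection log: one source sends
SYNs to many distinct ports on a host and never completes the handshake."""
from collections import defaultdict

# Constructed sample log in an assumed simplified format (not real firewall output):
# <epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags>   flags: S = SYN, A = ACK
SAMPLE_LOG = """\
1700000000 10.0.0.7 10.0.0.20 80 S
1700000000 10.0.0.7 10.0.0.20 80 A
1700000001 10.0.0.9 10.0.0.20 21 S
1700000001 10.0.0.9 10.0.0.20 22 S
1700000001 10.0.0.9 10.0.0.20 23 S
1700000001 10.0.0.9 10.0.0.20 25 S
1700000002 10.0.0.9 10.0.0.20 53 S
1700000002 10.0.0.9 10.0.0.20 80 S
1700000002 10.0.0.9 10.0.0.20 110 S
1700000002 10.0.0.9 10.0.0.20 139 S
1700000003 10.0.0.9 10.0.0.20 143 S
1700000003 10.0.0.9 10.0.0.20 443 S
1700000003 10.0.0.9 10.0.0.20 445 S
1700000003 10.0.0.9 10.0.0.20 3389 S
"""

def parse_log(text):
    """Turn log lines into (ts, src, dst, port, flags) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, flags = line.split()
            events.append((int(ts), src, dst, int(port), flags))
    return events

def find_syn_scanners(text, min_ports=10, window=10):
    """Return {(src, dst): sorted ports} for sources that SYN'd at least min_ports
    distinct ports on one host within `window` seconds and never ACKed them."""
    events = parse_log(text)
    completed = {(s, d, p) for _, s, d, p, f in events if "A" in f}
    half_open = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for ts, s, d, p, f in events:
        if f == "S" and (s, d, p) not in completed:
            half_open[(s, d)].append((ts, p))
    hits = {}
    for key, attempts in half_open.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            ports = {p for t, p in attempts[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[key] = sorted(ports)
                break
    return hits
```

The normal client 10.0.0.7 completes its handshake on port 80 and is ignored; 10.0.0.9 touches 12 ports in three seconds with no ACKs and is reported.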
Sometimes it can determine this very accurately with a banner grab, for example, a web server will answer an HTTP request with ‘Well, hey there buddy! I’m an nginx server! Need some web pages?’ Okay, it actually looks more like: Server: nginx/1.24.0. But you get the idea.
Why is this valuable? A quick Google search will show that nginx commonly runs on modern Linux servers, and the version number can often hint at the underlying operating system, patch level, or hosting environment.
And just like that, from a simple port scan, you’ve already started OS enumeration of your target. Thanks, Nmap!
But this is only scratching the surface of Nmap's power. It can scan UDP ports, find all the live hosts in a range of IPs, and even run scripts to find common vulnerabilities in applications (for example, unpatched Windows machines with SMB open, which can lead to easy admin access). Nmap will become your best friend.
Hydra: Best Kali Tool for Brute Forcing Passwords
"Always use a strong password with special characters, numbers, and capital letters!" This is common advice, but why? Because dictionary attacks against web login pages are easy with Hydra.
There are several approaches to bypassing authentication, but sometimes the sledgehammer approach works best. Hydra supports a wide range of services, including FTP, POP3, and SMB, and performs password cracking using brute-force methods.
Basically, give it a username, a list of passwords, point it at a target, and scream "ATTACK!" The tool will attempt to log in to the service with each password on the list until it finds a match or runs out of passwords.
The attack, however, is only as good as the password list you give it. Fortunately, Kali comes preloaded with several great password lists, some with the 1,000 or 10,000 most common passwords (a more dangerous list than you might think). If those don't prove fruitful, however, there's also the famous rockyou.txt list, a 133MB text file containing over 14 million passwords.
While guessing passwords on FTP sites sounds cool, you might be thinking "cracking a website login might be a bit more helpful." You'd be both correct and in luck! Hydra can do its magic on both web form logins (where the username and password fields are a part of the page) and basic auth requests (where the login is in a separate pop-up box).
You'll need part of the actual HTTP authentication request sent to the site, which you can obtain from an app that intercepts your traffic, such as Burp Suite. Feed this to Hydra, carefully tuning request timing and failure detection, then launch the attack, keeping in mind that modern sites often implement rate limiting, account lockouts, or MFA that can stop brute-force attempts.
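To make the two points above concrete (a short list of common passwords is enough, and a lockout policy blunts the attack), here is an added example that is not part of the original article: a Hydra-style dictionary loop run against an in-process login function, first with no lockout and then with one. The account, salt, and wordlist are constructed for the demo.

```python
"""Dictionary attack against a toy login service, with and without account lockout."""
import hashlib
import hmac

# Constructed victim account: salted SHA-256 of a password taken from a common-password list.
SALT = b"demo-salt"
STORED_HASH = hashlib.sha256(SALT + b"letmein").hexdigest()

# Constructed mini wordlist standing in for Kali's top-1000 list or rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "dragon"]

class LoginService:
    """Minimal login endpoint; max_failures=None means no lockout (the weak setting)."""
    def __init__(self, max_failures=None):
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, username, password):
        if self.locked:
            return False  # a locked account rejects every attempt, even the right one
        digest = hashlib.sha256(SALT + password.encode()).hexdigest()
        if hmac.compare_digest(digest, STORED_HASH):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True  # hardened setting: lock after N consecutive failures
        return False

def dictionary_attack(service, username, wordlist):
    """Hydra-style loop: try each candidate until one logs in or the list runs out.
    Returns (password_found_or_None, attempts_made)."""
    for attempts, candidate in enumerate(wordlist, 1):
        if service.login(username, candidate):
            return candidate, attempts
    return None, len(wordlist)
```

Without a lockout the fourth guess succeeds; with a three-failure lockout the account locks before the correct password is reached and every later attempt fails.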
WPScan: Best Kali Tool for Enumerating WordPress
Ah, WordPress, which has received so much flak from the security community for being so vulnerability-ridden. It's not completely WordPress's fault, even though the core application does have issues from time to time.
The problems usually stem from third-party plugins, of which there are over 55,000 available. Take a plugin written by an anonymous dev with no security background, make the code publicly available (they all are) for anyone to analyze, ensure the dev abandoned it years ago, so there's no hope for updates, then install that plugin on your website. What could go wrong?
Since WordPress is so popular, it only makes sense that a pentest tool like WPScan exists. It will enumerate just about everything you could possibly want to know about a WordPress site: the WordPress core version and any known vulnerabilities associated with it, plus any installed plugins and their versions (highlighting any with known vulnerabilities). Note that modern versions of WPScan require an API token to access the full vulnerability database.
And one of our favorites, it will enumerate a list of usernames for the site. Use this list, along with a password list, to automate brute-force attacks on those logins. If you hit paydirt with an admin user, great; if you only get in as a low-level user, don't forget that privilege-escalation vulnerabilities abound.
Social-Engineer Toolkit (SET): Best Kali Tool for Social Engineering
Sometimes, the best way through an impenetrable locked door is simply to ask an unsuspecting person nicely for the key. Act like you belong, ask really nicely, pretend you forgot your key at home, and walk up to the door with your arms full. Who would be so ruthless as to say no?
This, in a nutshell, is social engineering: gaining a user's trust to manipulate them to gain access. An email saying that you need to change your email password, click this (bogus) link, and log in.
A phone call from the IT help desk asking to install an application on your computer. An urgent message from the CEO requesting a wire transfer. All these depend on you trusting the source to do what the hacker wants.
While social engineering tools sound like tradecraft for spammers, they can actually be incredibly helpful for a pentester trying to gain access to your network. Forget bypassing authentication or hacking a web app to get a remote shell on the server, just ask someone to let you in! Kali, of course, includes one of the best: the Social-Engineer Toolkit.
SET does a lot of cool stuff: harvesting email addresses from your target's domain, automating the delivery of reverse shell payloads, hosting fake versions of legitimate websites to harvest credentials, and sending emails to get unsuspecting users to visit those bogus sites. It's everything you need to get in via some social engineering wizardry.
Metasploit: Best Kali Tool for Running Exploits
Finally, no discussion about Kali would be complete without mentioning Metasploit. The Metasploit Framework (MSF) is a lot of things: a collection of prewritten application exploits, an engine for running custom exploits, an information-gathering tool, a listener for special Meterpreter reverse shells, a means to perform post-exploitation and pivot deeper into the network, and much more.
On the surface, you select an exploit that matches a discovered service, configure the required options, and attempt exploitation, though real-world success often requires customization and validation.
That's an extreme simplification; there are lots of gotchas and trial and error involved, but in its simplest form, MSF has stripped away a lot of the chores around setting up exploits and payloads so you can point and shoot.
Instead of digging any deeper into the wide and deep leagues of Metasploit, you'd be better off going through the CBT Nuggets Metasploit Framework course, which will unpack all the goodies within MSF.
Final Thoughts
Kali can be overwhelming with its staggering number of included tools, but 99% of the time, you'll be reaching for the same dozen or so. Start with those we've discussed, then consider a few other heavy hitters like Burp Suite, John the Ripper, SQLMap, and Netcat.
Also, if you missed them, be sure to check out our previous articles on the OSCP cert, heavily based on Kali. The OSCP material will definitely give you lots of practice in mastering these tools. Happy hacking!