The reasons anyone turns to the Kali Linux distribution can be grouped into three broad categories:
- You are interested in learning the ropes of ethical hacking
- You are a system/network penetration tester in the making
- You are a cybersecurity professional who wants to test your limits
A Kali Linux installation ships with a pre-configured set of tools that serve these three objectives. The distribution is not limited to these pre-installed tools: you are free to install and use as many more as you like from its repository.
This article is for users who have installed Kali Linux and are trying to familiarize themselves with the operating system. It is also a good starting point for users who have considered using Kali Linux but need more information before making the transition.
Since Kali Linux tools fall into several categories, this guide presents the best Kali Linux tools in each of the main ones. The tools covered relate to using Kali Linux as a penetration testing environment.
1. Information gathering tools
This category applies to users who want to solidify their ethical hacking or penetration testing skill sets. Information gathering means learning as much as possible about a target before initiating a penetration test or ethical hack. The information gathered about the target determines the success of the ethical hack or attack underway.
A system analyst who has mastered information gathering can identify the vulnerabilities facing system users and customers and find a way to fix these loopholes. Such information might be someone’s pet name, phone number, age, or close friends’ names. When such user or customer data is accessible through information-gathering tools, it can feed brute-force or password-guessing attacks against the password-protected systems linked to these users.
Four categories define information gathering: footprinting, scanning, enumeration, and reconnaissance. Its top tools include:
Nmap tool
This open-source network scanner is useful when you need to reconnoiter or scan a target network. Once you identify a network of interest, you can use it to find details on the network’s hosts, ports, and services, including their associated versions.
Nmap works by sending packets to a target host. The host’s responses are analyzed, and the desired results are generated from them. The popularity of this reconnaissance tool also makes it widely applicable to scanning open ports, operating system detection, and host discovery.
You only need to master two steps to give Nmap a try:
- First, ping a targeted host to get its IP address
$ ping [hostname]
- Use Nmap command with the acquired IP address as depicted in the following command syntax
$ nmap -sV [ip_address]
You would be able to see the ports, states, services, and versions associated with the targeted hostname. This information helps you gauge the vulnerability or strength of the targeted host system from which you can pursue further exploitation.
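As an added example (written for this article, not part of Nmap), the following Python script turns the XML that `nmap -sV -oX scan.xml <target>` writes into a host/port/service inventory and flags cleartext login services a defender would want to remove. The XML sample is constructed, and the cleartext-service policy is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML that `nmap -sV -oX scan.xml <target>` writes
# (not real scan data; two hosts up, one down).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/>
<service name="ftp" product="vsftpd" version="3.0.3"/></port>
</ports></host>
</nmaprun>"""

# Services a defender would not want exposed: cleartext logins (assumed policy).
CLEARTEXT_SERVICES = {"telnet", "ftp"}


def parse_open_ports(xml_text):
    """Return [(ip, port, service, version)] for open ports on hosts that are up."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # skip hosts nmap could not reach
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service to inventory
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            version = " ".join(p for p in parts if p)
            rows.append((addr.get("addr"), int(port.get("portid")), name, version))
    return rows


def flag_cleartext(rows):
    """Return the inventory rows whose service is on the cleartext-login list."""
    return [r for r in rows if r[2] in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    inventory = parse_open_ports(SAMPLE_NMAP_XML)
    for ip, port, name, version in inventory:
        print(f"{ip}:{port} {name} {version}")
    print("cleartext services:", flag_cleartext(inventory))
```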
ZenMAP tool
Ethical hackers benefit from this tool during their network scanning phases. It offers its users a graphical user interface. If you want to pursue security auditing or network discovery, you will love what this tool has to offer. Think of ZenMAP as Nmap with a graphical user interface option; it does not exclude use of the command-line interface.
Network and system administrators will appreciate what ZenMAP offers in terms of host or service uptime monitoring, service upgrade schedule management, and network inventory. In addition, ZenMAP’s GUI provides a Target field for entering the host or URL you want to scan before commencing the network scan.
whois lookup
If you are a regular internet user and need more information about a registered domain name, whois lookup lets you obtain it by querying the registered-domain database records. This tool meets the following objectives:
- Network administrators use it to identify and resolve domain name-related issues.
- Any internet user can use it to check whether a domain name is available for purchase.
- It is useful in identifying trademark infringement.
- It provides the information needed to track down fraudulent domain name registrants.
To use the whois lookup tool, you first need to identify the domain name you are interested in and then execute a command similar to the following on your terminal.
$ whois fosslinux.com
SPARTA
This Python-based tool comes with a graphical user interface. Under information gathering, it meets the scanning and enumeration phase objectives. SPARTA is a toolkit that hosts many other useful information-gathering tool functionalities. Its functional objectives can be summarized as follows:
- Produces an XML file output from an exported Nmap output
- Caches the history of your hostname scans so that you do not have to repeat an action, saving you valuable time
- Good for testing password reuse, especially when the existing password is not on a word list
Launch command:
$ sparta
To see what SPARTA can do, you first need the host’s IP address. After you key it in, press scan and wait for the magic to happen.
nslookup tool
Nameserver lookup, or nslookup, gathers information about a target DNS server. This tool retrieves and reveals DNS records such as IP address mappings and domain names. When you are dealing with DNS-related problems, this tool provides some of the best troubleshooting results. It meets the following objectives:
- IP address lookup for a domain name
- Reverse DNS lookup
- ANY record lookup
- SOA record lookup
- NS record lookup
- MX record lookup
- TXT record lookup
Example usage:
$ nslookup fosslinux.com
2. Vulnerability analysis tools
To build a good reputation as an ethical hacker, you must master vulnerability analysis on your Kali Linux system. It is the step that follows information gathering. Any app designer or developer needs to understand the concepts of vulnerability analysis to be on the safe side.
Vulnerability analysis exposes the loopholes or weaknesses of an application or program, making it possible for an attacker or hacker to find a way in and compromise the system’s integrity. The following are the most used vulnerability analysis tools by Kali Linux.
Nikto
The Perl programming language is behind the development of this open-source software. Once a web server scan is initiated via Nikto, any existing vulnerabilities are exposed, making server exploitation and compromise possible. In addition, it checks for and reports a server’s outdated version details and determines whether there is a known issue with that specific version. The following are some of its major features:
- Full SSL support
- Subdomains lookup
- Full HTTP proxy support
- Reports on outdated components
- Username guessing functionality
If you have Nikto downloaded or already installed on your Kali system, reference the following command syntax for its usage.
$ perl nikto.pl -H
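As an added illustration of the kind of check Nikto automates (example code written for this article, not Nikto’s own), the following parses a constructed HTTP response, reports headers that disclose software versions, and lists missing hardening headers. The header baseline is an assumption.

```python
import re

# Constructed raw HTTP response for illustration (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.1 (Unix)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html></html>"
)

# Hardening headers a web server is expected to send (assumed baseline).
EXPECTED_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options",
                    "X-Frame-Options", "Content-Security-Policy")
# Headers that commonly carry software versions an attacker would look up.
DISCLOSING_HEADERS = ("Server", "X-Powered-By")


def parse_headers(raw):
    """Split a raw response into (status line, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit(raw):
    """Return findings: disclosed versions first, then missing hardening headers."""
    _, headers = parse_headers(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name.lower())
        if value and re.search(r"\d+\.\d+", value):  # a dotted version number
            findings.append(f"version disclosed in {name}: {value}")
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append(f"missing {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```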
Burp Suite
Burp Suite is a popular web application security testing suite. It works as an intercepting proxy: browser requests routed through it can be inspected and edited to fit a specific user’s needs. Web vulnerability tests like SQLi and XSS then take place. The Burp Suite Community edition is ideal for users who want to run vulnerability tests for free. You also have the option of the Professional edition for extended features.
You can explore this tool by typing its name on your terminal:
$ burpsuite
Its user interface opens with various menu tabs. Locate the Proxy tab, click the Intercept toggle, and wait for it to indicate that interception is on. From here, any URL you visit will lead to Burp Suite capturing its associated requests.
SQL Map
This open-source tool serves the unique goal of automating the SQL injection process. It references several parameters related to the target website’s requests. Through the provided parameters, SQL Map automates the SQL injection process with its detection and exploitation mechanisms. Here, a user only needs to feed SQL Map a target URL or request as input. It is compatible with PostgreSQL, Oracle, MySQL, and 31 other databases.
Since this tool is pre-installed on Kali Linux, launch it with the following command from your terminal:
$ sqlmap
ZenMAP and Nmap also comfortably fit in this category.
3. Wireless attacks tools
Wireless attacks are not as simple as most of us think. Breaking into someone’s WiFi is not the same as using an iron hammerhead to destroy a plastic lock. Since this type of attack is offensive, you first need to capture a connection’s handshake before proceeding with an attempt to crack its associated hashed password. A dictionary attack is one suitable method for cracking hashed passwords.
Kali Linux offers easy-to-use tools for such offensive security tests. The following tools are popular for cracking WiFi passwords. Before exploring their use, test them on something like your own WiFi router to master the basics. Also, be professional when applying them to an outside WiFi network by requesting the owner’s permission.
Aircrack-ng
This application combines a hash-capturing tool, an analyzer, a WEP and WPA/WPA2 cracker, and a packet sniffer. Its role in WiFi hacking is capturing network packets and decoding their associated hashes. A dictionary attack is one of the password-cracking mechanisms this tool borrows. Its support for wireless interfaces is kept up to date. Since it is pre-installed on Kali Linux, typing the following command on your terminal should launch its command-line user interface.
$ aircrack-ng
Reaver
If you want to test the strength of a network using WiFi Protected Setup (WPS), the brute-force nature of Reaver is effective enough. This setup is associated with registrar PINs, and getting through them leads to uncovering hidden WPA/WPA2 passphrases. Since WPA/WPA2 hacking is tedious, Reaver is becoming a favorite candidate for handling such WiFi attack tests.
Reaver takes a fraction of the time a dictionary attack needs to recover a WiFi passphrase. Recovering a target AP’s plain-text WPA/WPA2 passphrase can take 4 to 10 hours. Guessing the right WPS PIN and recovering the target passphrase might also take half this duration.
Type this command on your Kali Linux terminal to launch this tool and understand how to use it.
$ reaver
PixieWPS
This tool is also effective in cracking WPS PINs through a brute-force attack. The C programming language is the backbone of PixieWPS development. After exploring it, you will familiarize yourself with features like small Diffie-Hellman keys, reduced seed entropy, and checksum optimization. Launch it from your Kali terminal with the following command:
$ pixiewps
Wifite
When the target location of your offensive WiFi test has numerous wireless devices, Wifite is the tool to consider. If you are dealing with encrypted wireless networks protected by WEP or WPA/WPS, Wifite will crack them one after another. If you need to test multiple WiFi networks, you can automate this tool to handle them. Some of Wifite’s top features include:
- Sorts multiple target networks by their signal strength
- Improved wireless attack effectiveness thanks to its flexible customization options
- A wireless attacker can become anonymous or undetectable by editing their MAC address
- Allows blocking specific attacks if they do not meet the needed attack criteria
- Manages saved passwords using separate files
To explore this tool, key in the following command on the terminal:
$ wifite -h
Fern Wifi Cracker
Fern Wifi Cracker is the go-to tool for users exploring WiFi password cracking through a graphical user interface. Fern is built on the Python Qt GUI library. You can also use this tool to test the strength and vulnerability of Ethernet networks. Some of its prominent features include:
- Applicable to WEP cracking
- Effective in WPA/WPA2/WPS dictionary attacks
- Supports an automatic access point attack system
- Flexible enough to carry out session hijacking
You can launch its GUI interface and explore it with the following terminal command:
$ fern-wifi-cracker
4. Exploitation tools
After information gathering and vulnerability analysis, the next step for a network tester is to determine if the discovered vulnerabilities are exploitable. A network is defined as vulnerable if its exploitation can lead to the complete compromise of an application. Several Kali Linux applications handle network and application exploitation. Some popular ones include the following:
Metasploit
It handles a vast range of security and penetration testing assessments. This framework is always up to date due to its popularity and growing user base. Upon interacting with it, you will discover that it hosts other tools for creating penetration testing and vulnerability testing workspaces. Metasploit is easy to use, open-source, and developed by Rapid7 LLC.
Since it is pre-installed on your Kali Linux distribution, you can launch it by keying in the following command on your system terminal:
$ msfconsole
BeEF
BeEF is an abbreviation for Browser Exploitation Framework. It uses a web browser environment to carry out its penetration testing runs and executions. A professional penetration tester can use this tool to assess a target environment’s actual security posture through client-side attack vectors.
Since BeEF’s main focus is the web browser environment, the browser in use is hooked to function as a launchpad for premeditated exploitation attacks. Afterward, payloads and code are executed through its interface. The following is the terminal command to launch the BeEF tool on your Kali Linux system:
$ beef-xss
5. Sniffing & spoofing tools
Sniffing is the monitoring of network-bound data packets. Network administrators find sniffers useful in monitoring and troubleshooting network traffic. Network hackers use sniffers to capture monitored data packets from which sensitive information, like user account profiles and user passwords, can be stolen. Sniffers can be implemented in hardware or software.
Spoofing is the creation of a false identity on a network system by generating fake traffic. A network is successfully spoofed if it accepts an incorrect source address in received packets. The use of digital signatures is one of the main countermeasures against spoofing.
Wireshark
This tool is an effective sniffing and spoofing application. Wireshark’s reputation as a network protocol analyzer is global. It assesses the activities and behavior of an active network. With its filters, you can break down the detailed behavior of your network effectively. It supports several interfaces, such as Bluetooth, Wi-Fi, and Ethernet. Since it is pre-installed on Kali Linux, you can launch it with the following terminal command:
$ wireshark
From here, you can comfortably start capturing packets and analyzing them based on the set criteria.
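The spoofing definition above (a network accepting a wrong source address) can be checked on captured traffic. As an added example written for this article, not part of Wireshark, the following applies an ingress check to packet summaries of the kind you would export from a capture; the interface topology, the constructed packets, and the private-range list are assumptions.

```python
import ipaddress

# Which source prefixes legitimately arrive on each capture interface (assumed
# topology: eth0 faces the LAN, eth1 is the internet uplink with no fixed prefix).
INTERFACE_PREFIXES = {
    "eth0": [ipaddress.ip_network("192.168.10.0/24")],
    "eth1": [],
}
# Source ranges that must never arrive from the uplink (private and loopback space).
NEVER_FROM_UPLINK = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed packet summaries (interface, source, destination, protocol), the
# fields one would export from a Wireshark capture; not real traffic.
SAMPLE_PACKETS = [
    ("eth0", "192.168.10.20", "203.0.113.50", "TCP"),
    ("eth0", "10.9.9.9", "192.168.10.1", "TCP"),       # not a LAN address, seen on LAN side
    ("eth1", "192.168.10.20", "192.168.10.1", "UDP"),  # LAN address arriving from the uplink
    ("eth1", "198.51.100.7", "192.168.10.1", "TCP"),
]


def is_spoofed(iface, src):
    """True if src could not legitimately have arrived on iface."""
    addr = ipaddress.ip_address(src)
    allowed = INTERFACE_PREFIXES[iface]
    if allowed:  # interface with known prefixes: source must be inside one of them
        return not any(addr in net for net in allowed)
    return any(addr in net for net in NEVER_FROM_UPLINK)


def find_spoofed(packets):
    """Return the packets that fail the ingress check."""
    return [p for p in packets if is_spoofed(p[0], p[1])]


if __name__ == "__main__":
    for pkt in find_spoofed(SAMPLE_PACKETS):
        print("possible spoofed source:", pkt)
```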
Final note
The Kali Linux operating system offers countless tools to explore. The categories that house these tools are many and would require several lengthy articles to cover in detail. As for the ones mentioned here, you will find them useful in your day-to-day network operations. From each tool category, pick one and master it as best you can.