CyberSec Arsenal: Kali Linux Tool Documentation

Filter by Complexity:

Showing 100 tools

Introduction to Kali Linux

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd, featuring over 600 preinstalled penetration-testing programs.

This advanced documentation provides detailed information on 100 essential cybersecurity tools available in Kali Linux and how they can be used in a controlled, ethical environment for learning cybersecurity concepts, preparing for certifications, and conducting authorized security assessments.

The tools are categorized by their primary function and include detailed command syntax, usage examples, and practical applications. Each tool also includes a complexity rating to help you understand the learning curve.

Getting Started

Select a category from the navigation menu above to explore different security tools and their commands. Use the search function to find specific tools by name or functionality.

Ethical Guidelines

Never use these tools on systems without explicit permission
Document all security testing activities
Follow responsible disclosure policies
Maintain confidentiality of client data
Respect privacy and legal boundaries

uname -a

Linux kali 6.1.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.20-1kali1 (2023-05-02) x86_64 GNU/Linux

cat /etc/os-release | grep PRETTY_NAME

PRETTY_NAME="Kali GNU/Linux Rolling"

whoami && id

root uid=0(root) gid=0(root) groups=0(root)

apt list --installed | grep -c "^"

3154 # Kali Linux includes thousands of pre-installed security tools

ls -la /usr/share/wordlists/ | head -5

total 3.8G drwxr-xr-x 9 root root 4.0K Mar 15 00:29 . drwxr-xr-x 626 root root 20K Mar 15 01:51 .. drwxr-xr-x 2 root root 4.0K Mar 15 00:29 dirb drwxr-xr-x 2 root root 4.0K Mar 15 00:29 dirbuster

System Requirements

2 GHz+ dual-core CPU
4 GB RAM (8+ recommended)
20 GB disk space
1024×768 resolution
Internet connectivity

Learning Resources

Official Documentation
Kali Training
OSCP Certification
Community Forums
Tutorial Videos

Network Analysis Tools

Network analysis tools allow security professionals to inspect, analyze, and manipulate network traffic. These tools are essential for understanding network vulnerabilities, performing reconnaissance, and testing network security controls.

Beginner

Nmap

Reconnaissance Port Scanning

Network Mapper is a utility for network discovery and security auditing. It uses raw IP packets to determine available hosts, services, OS details, and more.

nmap -sV -p 1-1000 192.168.1.1

Starting Nmap 7.93 ( https://nmap.org ) Nmap scan report for 192.168.1.1 Host is up (0.0043s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 80/tcp open http Apache httpd 2.4.48 443/tcp open https Apache httpd 2.4.48

nmap -A -T4 scanme.nmap.org

# Aggressive scan with OS detection, version detection, script scanning, and traceroute

Intermediate

Wireshark

Packet Analysis Traffic Inspection

Wireshark is a network protocol analyzer that lets you capture and interactively browse the traffic running on a computer network. It has deep inspection capabilities for hundreds of protocols.

wireshark

# Launches Wireshark GUI for packet capture and analysis

tshark -i eth0 -c 10 -w capture.pcap

# Captures 10 packets from eth0 interface and saves to capture.pcap

tshark -r capture.pcap -Y "http"

# Reads capture file and displays only HTTP packets

Intermediate

TCPDump

Packet Capture Traffic Analysis

TCPDump is a powerful command-line packet analyzer that can be used to capture or filter TCP/IP packets received or transferred over a network. It's lightweight and works on systems where graphical tools aren't available.

tcpdump -i eth0 -n

# Captures packets on eth0 interface without DNS resolution

tcpdump -i eth0 port 80

# Captures only traffic on port 80

tcpdump -i eth0 -w capture.pcap 'tcp and port 80'

# Captures TCP traffic on port 80 and saves to a file

Beginner

Netcat

Network Utility Connection Testing

Netcat (nc) is a versatile networking utility that reads and writes data across network connections using TCP or UDP protocols. It's known as the "Swiss Army knife" of networking tools.

nc -lvp 4444

listening on [any] 4444 ...

nc 192.168.1.1 80

# Connects to port 80 on specified IP

echo -e "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" | nc example.com 80

# Sends an HTTP request and displays the response

Intermediate

Masscan

Port Scanning High-Speed

Masscan is an Internet-scale port scanner, designed for scanning the entire Internet in under 5 minutes. It can transmit up to 10 million packets per second.

masscan -p80,443 192.168.1.0/24 --rate=1000

Starting masscan 1.3.2 at 2023-04-01 11:02:11 GMT Initiating SYN Stealth Scan Scanning 256 hosts [2 ports/host] Discovered open port 80/tcp on 192.168.1.1 Discovered open port 443/tcp on 192.168.1.1

masscan -p0-65535 192.168.1.1 --rate=5000

# Scans all ports on a single IP at 5,000 packets per second

Beginner

Zenmap

Network Scanning Visualization

Zenmap is the official GUI for Nmap, providing a more user-friendly way to run Nmap scans. It includes scan comparison, visualization, and profile management features.

zenmap

# Launches Zenmap GUI # From here you can configure scan type, target, and visualize results

Advanced

hping3

Packet Crafting TCP/IP Analysis

hping3 is a command-line TCP/IP packet assembler/analyzer that allows security professionals to craft and send custom packets and analyze network responses.

hping3 -S 192.168.1.1 -p 80

# Sends TCP SYN packets to port 80

hping3 -1 192.168.1.1 -c 5

# Sends 5 ICMP echo requests (like ping)

hping3 --traceroute -V -1 example.com

# Performs a traceroute using ICMP packets with verbose output

Advanced

Bettercap

MITM Network Analysis

Bettercap is a powerful, modular and portable Swiss Army knife for network attacks and monitoring. It allows for WiFi, Bluetooth, and ethernet network reconnaissance and MITM attacks.

bettercap -iface eth0

# Starts bettercap on the eth0 interface

net.probe on

# Within bettercap, discovers hosts on the network

net.sniff on

# Enables packet sniffing

Intermediate

Ettercap

MITM Protocol Analysis

Ettercap is a comprehensive suite for man-in-the-middle attacks. It features content filtering, active and passive dissection of protocols, and many network and host analysis capabilities.

ettercap -G

# Launches the Ettercap GUI

ettercap -Tq -M arp:remote /192.168.1.1/ /192.168.1.2/

# Performs ARP poisoning between two specified hosts

ettercap -Tq -M arp:remote /192.168.1.1/ // -P dns_spoof

# ARP poisons the gateway and all hosts, enabling DNS spoofing

Beginner

Arpwatch

Network Monitoring MAC Tracking

Arpwatch is a computer software tool for monitoring Address Resolution Protocol traffic on a network. It generates logs of observed pairing of IP addresses with MAC addresses along with timestamps.

sudo service arpwatch start

# Starts the arpwatch service

tail -f /var/log/arpwatch.log

# Monitors the arpwatch log file

arpwatch -i eth0

# Starts arpwatch on the eth0 interface

Wireless Security Tools

Important: Using these tools to access networks without authorization is illegal. Only practice on networks you own or have explicit permission to test.

Wireless security tools allow for the analysis, assessment, and testing of wireless network security. These tools can identify vulnerabilities in wireless implementations, test encryption strength, and analyze wireless traffic.

Intermediate

Aircrack-ng

WiFi Security WEP/WPA Analysis

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.

airmon-ng start wlan0

# Puts wireless interface in monitor mode

airodump-ng wlan0mon

# Displays wireless networks in range BSSID PWR Beacons #Data CH MB ENC CIPHER AUTH ESSID 00:11:22:33:44:55 -67 241 10 6 54 WPA2 CCMP PSK TestNetwork

airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture wlan0mon

# Captures packets from specific network on channel 6

Intermediate

Kismet

Wireless Detection Network Mapping

Kismet is a wireless network detector, sniffer, and intrusion detection system. It works with any wireless card that supports raw monitoring mode and can sniff 802.11a/b/g/n traffic.

kismet -c wlan0

# Starts Kismet on wlan0 interface

kismet

# Launches Kismet with default settings # Access web interface at http://localhost:2501

Beginner

Wifite

Automated WiFi Auditing

Wifite is an automated wireless attack tool designed to simplify the process of auditing wireless networks. It automates the use of various tools from the aircrack-ng suite.

wifite

# Starts automatic wireless auditing # Scans for networks, then attacks selected targets

wifite --wpa --dict /path/to/wordlist.txt

# Targets only WPA networks using a specific wordlist

Intermediate

Reaver

WPS PIN Recovery

Reaver implements a brute force attack against WiFi Protected Setup (WPS) registrar PINs to recover WPA/WPA2 passphrases.

wash -i wlan0mon

# Scans for WPS-enabled access points

reaver -i wlan0mon -b 00:11:22:33:44:55 -vv

# Attempts to recover the WPS PIN for specified access point with verbose output

Intermediate

Airgeddon

Multi-tool WiFi Security

Airgeddon is a multi-use bash script for Linux systems to audit wireless networks. It automates various wireless attacks and has an interactive menu system.

airgeddon

# Launches airgeddon interactive menu # Follow on-screen prompts to select attack modes

Advanced

Bully

WPS Attack Brute Force

Bully is a new implementation of the WPS brute force attack, written in C. It has several advantages over previous tools, including multi-threading and session resumption.

bully -b 00:11:22:33:44:55 -c 6 -B wlan0mon

# Attempts to brute force WPS PIN on specified access point on channel 6

bully -b 00:11:22:33:44:55 -d -v 3 wlan0mon

# More detailed attack with maximum verbosity

Advanced

PixieWPS

Pixie Dust Attack WPS

PixieWPS is a tool implementing the pixie dust attack and can be used to find the WPS PIN of a vulnerable router in seconds, resulting in the recovery of the WPA/WPA2 passphrase.

pixiewps -e PKE -r PKR -s e-hash1 -z e-hash2 -a e-nonce -n e-bssid

# Performs pixie dust attack with specified parameters # Usually used with the output from Reaver or Bully

Beginner

Fern WiFi Cracker

GUI WiFi Auditing

Fern WiFi Cracker is a GUI-based wireless security auditing application that can crack and recover WEP/WPA/WPA2 keys and perform other network-based attacks.

fern-wifi-cracker

# Launches the Fern WiFi Cracker GUI # Select interface, scan for networks, and choose attack methods

Advanced

mdk3

Deauthentication DoS Testing

mdk3 is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses, including beacon flooding, authentication DoS attacks, and deauthentication attacks.

mdk3 wlan0mon b -n "Evil_Network"

# Creates a fake access point with the specified name

mdk3 wlan0mon d -b blacklist

# Deauthenticates clients from networks listed in blacklist file

Beginner

Wifite2

Automated WiFi Auditing

Wifite2 is an improved version of the original Wifite with more features, better error handling, and enhanced automation for wireless network auditing.

wifite2

# Starts wifite2 with automatic interface selection and scanning

wifite2 --crack --dict /path/to/wordlist.txt

# Attempts to crack captured handshakes using specified wordlist

Wireless Security Best Practices

For Network Administrators

Use WPA3 when available or at minimum WPA2 with a strong password
Change default router credentials immediately
Disable WPS (Wi-Fi Protected Setup) or use more secure methods
Implement MAC address filtering for enhanced security
Regularly update router firmware to patch vulnerabilities
Use a non-default SSID and consider hiding it in high-security environments
Segment guest networks from internal networks
Use enterprise authentication (802.1X) where appropriate

For Security Testers

Always obtain explicit permission before testing
Document all testing activities thoroughly
Use isolated test environments when possible
Be aware of legal implications and jurisdictional laws
Avoid interference with production networks
Report vulnerabilities responsibly and confidentially
Provide clear remediation steps with findings
Remove sensitive data after testing is completed

Web Application Security Tools

Web application security tools help identify and exploit vulnerabilities in web applications. These tools are essential for testing security controls, identifying vulnerabilities, and ensuring web applications are secure against common attack vectors.

Intermediate

Burp Suite

Proxy Web Testing

Burp Suite is an integrated platform for performing security testing of web applications. It functions as a proxy server and can be used to intercept, inspect, and modify traffic between your browser and the target application.

burpsuite

# Launches Burp Suite GUI # Configure your browser to use Burp as a proxy (typically 127.0.0.1:8080) # Intercept requests and analyze web application behavior

java -jar burpsuite_pro.jar

# Alternative way to launch Burp Suite with Java

Beginner

OWASP ZAP

Vulnerability Scanner Penetration Testing

The OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. It provides automated scanners and tools for manual testing.

zaproxy

# Launches ZAP GUI

zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://example.com

# Runs a quick scan from the command line against example.com

Beginner

Nikto

Web Scanner Vulnerability Detection

Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple vulnerabilities, including outdated software and dangerous files.

nikto -h http://example.com

- Nikto v2.1.6 - Target IP: 93.184.216.34 - Target Hostname: example.com - Target Port: 80 - Start Time: 2023-04-01 12:00:00 ----------- + Server: ECS (dcb/7F84) + Retrieved x-powered-by header: PHP/7.4.3 + Uncommon header 'x-cache' found, with contents: HIT + /admin/: Admin login page/section found.

nikto -h example.com -ssl -port 443

# Scans an HTTPS site on port 443

Beginner

Dirb

Content Discovery Directory Bruteforce

Dirb is a web content scanner that uses a dictionary-based approach to find hidden directories and files on web servers by sending requests and analyzing responses.

dirb http://example.com

DIRB v2.22 By The Dark Raver ----------------- START_TIME: Mon Apr 1 12:00:00 2023 URL_BASE: http://example.com/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://example.com/ ---- + http://example.com/admin (CODE:200|SIZE:1234) + http://example.com/css (CODE:200|SIZE:1122) + http://example.com/js (CODE:200|SIZE:512)

dirb http://example.com /usr/share/wordlists/dirb/big.txt

# Uses a different wordlist for more thorough scanning

Intermediate

SQLmap

SQL Injection Database Testing

SQLmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

sqlmap -u "http://example.com/page.php?id=1" --dbs

# Tests the URL for SQL injection and enumerates databases if vulnerable

sqlmap -u "http://example.com/page.php?id=1" -D database_name -T users --dump

# Dumps the contents of the 'users' table from the specified database

sqlmap -r request.txt --risk=3 --level=5

# Tests a captured request (from Burp/ZAP) with high risk and level settings

Beginner

WPScan

WordPress CMS Scanner

WPScan is a black box WordPress vulnerability scanner that can identify vulnerabilities, enumerate users, and test password strength in WordPress installations.

wpscan --url http://example.com

# Scans a WordPress site for vulnerabilities and outdated components

wpscan --url http://example.com --enumerate u

# Enumerates WordPress users

wpscan --url http://example.com --passwords /path/to/wordlist.txt --usernames admin

# Performs a password brute force attack against the admin user

Beginner

Gobuster

Directory Enumeration Content Discovery

Gobuster is a tool used to brute-force URIs (directories and files) in web sites, DNS subdomains, and virtual host names. It's known for its speed and efficiency.

gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt

Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://example.com [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2023/04/01 12:00:00 Starting gobuster in directory enumeration mode =============================================================== /admin (Status: 200) [Size: 1234] /css (Status: 200) [Size: 1122] /js (Status: 200) [Size: 512]

gobuster dns -d example.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

# Performs DNS subdomain enumeration

Beginner

Dirsearch

Web Path Scanner Content Discovery

Dirsearch is a mature command-line tool designed for brute forcing directories and files in webservers, with a modern Python implementation and many features.

dirsearch -u http://example.com

# Scans for common directories and files

dirsearch -u http://example.com -e php,html,js

# Searches for files with specific extensions

dirsearch -u http://example.com -w /path/to/wordlist.txt -t 50

# Uses custom wordlist with 50 threads

Intermediate

Commix

Command Injection Web Vulnerability

Commix (Command Injection Exploiter) is an automated tool that can help detect and exploit command injection vulnerabilities in web applications.

commix --url="http://example.com/vulnerable.php?cmd=id"

# Tests for command injection at the specified parameter

commix --url="http://example.com/login.php" --data="username=admin&password=pass&submit=Login" --cookie="PHPSESSID=abc123"

# Tests POST parameters with cookies

Intermediate

XSSer

XSS Testing Web Vulnerability

XSSer is an automatic framework to detect, exploit and report XSS vulnerabilities in web applications. It contains multiple attack vectors and modern techniques.

xsser --url "http://example.com/vulnerable.php?p=XSS"

# Tests for XSS vulnerabilities in the 'p' parameter

xsser --url "http://example.com/search.php" --data "search=XSS" --method POST

# Tests POST parameter for XSS vulnerabilities

Common Web Vulnerabilities

Injection Vulnerabilities

SQL Injection: Allowing attackers to execute malicious SQL queries
Command Injection: Executing system commands through web applications
LDAP Injection: Manipulating LDAP queries to access unauthorized data
XPath Injection: Manipulating XML queries and data structures

Client-Side Vulnerabilities

Cross-Site Scripting (XSS): Injecting malicious client-side scripts
Cross-Site Request Forgery (CSRF): Forcing users to perform unwanted actions
DOM-based Vulnerabilities: Manipulating the Document Object Model
UI Redressing (Clickjacking): Tricking users into clicking hidden elements

Authentication & Authorization

Broken Authentication: Weak or improperly implemented authentication
Session Management Flaws: Improper handling of user sessions
Insecure Direct Object References: Accessing unauthorized resources
Missing Function Level Access Control: Improper authorization checks

Vulnerability Assessment Tools

Vulnerability assessment tools help identify security weaknesses in systems, networks, and applications. These tools scan for known vulnerabilities, misconfigured services, and security issues that could be exploited by attackers.

Intermediate

OpenVAS

Vulnerability Scanner Security Assessment

OpenVAS (Open Vulnerability Assessment System) is a framework of services and tools for vulnerability scanning and vulnerability management, offering a comprehensive solution for vulnerability assessment.

gvm-setup

# Sets up the GVM/OpenVAS system

gvm-start

# Starts the OpenVAS services # Access the web interface at https://127.0.0.1:9392

gvm-check-setup

# Checks if the setup is correct

Intermediate

Nessus

Vulnerability Scanner Compliance Checks

Nessus is a proprietary vulnerability scanner that helps identify vulnerabilities, configuration issues, and malware that hackers could use to penetrate your network.

/etc/init.d/nessusd start

# Starts the Nessus service

firefox https://localhost:8834

# Opens the Nessus web interface # Requires installation and registration

Beginner

Lynis

System Auditing Hardening

Lynis is a security auditing tool for Unix/Linux systems. It performs an in-depth security scan and provides recommendations for hardening the system.

lynis audit system

# Performs a complete system audit [+] Initializing program [+] Detecting OS... [+] Checking Lynis update... [+] Detecting system... [+] Checking available tools... [+] Program version: 3.0.6 [+] Auditing and scanning system... ... [+] Hardening index : [65] [################### ] [+] Tests performed : 235 [+] Plugins enabled : 0

lynis audit system --quiet

# Performs audit with minimal output

Advanced

Nexpose

Vulnerability Management Risk Assessment

Nexpose is a vulnerability management solution that combines vulnerability and asset management capabilities with vulnerability checking, risk classification, and integrated remediation workflows.

/opt/rapid7/nexpose/nsc/nsc.sh

# Starts the Nexpose Security Console # Access web interface typically at https://localhost:3780

Advanced

Retina

Network Security Scanner Vulnerability Assessment

Retina Network Security Scanner identifies known vulnerabilities, configuration issues, and missing patches across operating systems, applications, devices, and virtual environments.

retina-scan.sh

# Commercial tool requiring proper installation and licensing # Usually accessed through GUI or web interface

Beginner

OWASP Dependency-Check

Software Composition Analysis Dependency Scanning

OWASP Dependency-Check is a software composition analysis tool that detects publicly disclosed vulnerabilities in project dependencies, helping identify vulnerable components in your applications.

dependency-check --project "My Project" --scan /path/to/application

# Scans application dependencies for vulnerabilities

dependency-check --project "Web App" --scan /var/www/html --format HTML --out /reports

# Scans web application and outputs HTML report

Intermediate

OSSEC

Host-based IDS File Integrity Monitoring

OSSEC is a host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.

/var/ossec/bin/ossec-control start

# Starts OSSEC services

/var/ossec/bin/ossec-control status

ossec-analysisd is running... ossec-logcollector is running... ossec-remoted is running... ossec-syscheckd is running... ossec-monitord is running... ossec-execd is running...

/var/ossec/bin/agent_control -l

# Lists connected agents

Intermediate

Vuls

Vulnerability Scanner Agentless

Vuls is an agentless vulnerability scanner for Linux/FreeBSD that automatically detects security vulnerabilities and creates notifications. It's fast, reliable, and has minimal impact on system resources.

vuls configtest

# Tests your Vuls configuration

vuls scan

# Scans target servers defined in config.toml Start scanning ... localhost (localhost) ======================= CVE-2022-1111 5.9 MEDIUM (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVE-2022-2222 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ...

vuls report -format-json -to-email

# Sends scan results by email in JSON format

Advanced

Metasploit Pro

Penetration Testing Vulnerability Validation

Metasploit Pro is a commercial penetration testing solution that helps security teams efficiently verify vulnerabilities, manage security assessments, and improve security awareness.

/opt/metasploit/msfpro

# Starts Metasploit Pro # Access web interface at https://localhost:3790

msfpro

# Alternative command to start Metasploit Pro if in PATH

Beginner

Vulners Scanner

Vulnerability Database Package Auditing

Vulners Scanner checks installed software packages against the Vulners database of vulnerabilities to identify security issues in your system packages and dependencies.

python3 vulners_scanner.py

# Scans system for vulnerable packages

python3 vulners_scanner.py --output json

# Outputs results in JSON format

Exploitation Tools

Important: These tools are designed for authorized security testing only. Using exploitation tools against systems without explicit permission is illegal and unethical.

Exploitation tools are used to leverage known vulnerabilities in systems, applications, or networks. These tools help security professionals validate vulnerabilities and assess the potential impact of successful exploitation in controlled environments.

Intermediate

Metasploit Framework

Exploitation Penetration Testing

Metasploit Framework is a powerful open-source platform for developing, testing, and executing exploits. It contains a database of ready-to-use exploits and a robust infrastructure for custom exploit development.

msfconsole

# Launches the Metasploit console .~+P```````-o+:. -o+:. .+oooyysyyssyyssyddh++os-````` ``````````````` +++++++++++++++++++++++sydhyoso-`````.``` `````````````````` ++++/++++++++++++++++++++++++ossyso/. ```````````````````````` Metasploit Framework 6.2.26-dev 149042 exploits - 42378 auxiliary - 14831 post 962 payloads - 46 encoders - 11 nops 7517 evasion

use exploit/windows/smb/ms17_010_eternalblue

# Selects an exploit to use

set RHOSTS 192.168.1.10

# Sets the target IP address

run

# Executes the exploit

Intermediate

BeEF

Browser Exploitation Client-side Attacks

The Browser Exploitation Framework (BeEF) is a penetration testing tool that focuses on the web browser, allowing security professionals to assess the security posture of a target by exploiting browser vulnerabilities.

beef-xss

# Starts the BeEF server [*] Please wait for the BeEF service to start... [*] You might need to refresh your browser once it starts... [*] BeEF is starting up... [*] Web UI: http://127.0.0.1:3000/ui/panel [*] Hook:

Beginner

Armitage

Metasploit GUI Visualization

Armitage is a graphical cyber attack management tool for the Metasploit Framework that visualizes targets, recommends exploits, and exposes advanced post-exploitation features.

armitage

# Launches Armitage GUI # Connect to Metasploit instance through the GUI interface

Advanced

PowerSploit

PowerShell Framework Post-Exploitation

PowerSploit is a collection of PowerShell modules that can be used to aid penetration testers during all phases of an assessment, with a focus on post-exploitation techniques.

Import-Module PowerSploit

# Imports PowerSploit modules in PowerShell # Must be executed in a PowerShell environment

Get-Command -Module PowerSploit

# Lists available commands from PowerSploit

Invoke-Mimikatz

# Example of a PowerSploit credential dumping function

Beginner

Social Engineering Toolkit

Social Engineering Phishing

The Social Engineering Toolkit (SET) is an open-source penetration testing framework designed for social engineering. It contains various attack vectors that allow security professionals to test the effectiveness of user awareness.

setoolkit

# Launches the Social Engineering Toolkit _____ .____ ._______ / ____\| | | \ \ \____ \| | | | | / \| |___| | | /______/|_______ \___|___| \_ _ / \ \_____ / \ /\/ \ \ / \ \_/_/ \_______//____/ Select from the menu: 1) Social-Engineering Attacks 2) Penetration Testing (Fast-Track) 3) Third Party Modules 4) Update SET 5) Help, Credits, and About 6) Exit

Advanced

Empire

Post-Exploitation PowerShell Agents

Empire is a pure PowerShell post-exploitation agent with compatibility for Linux/macOS. It allows for stealthy communication and extensive post-exploitation modules for Windows targets.

powershell-empire server

# Starts the Empire server

powershell-empire client

# Connects to Empire server Empire> [*] Loading configuration... [*] Loading plugins... [*] Loading Empire Framework... ⊙ \ --[_]-- +-----------+ | EMPIRE | +-----------+ | | | | | | |_| | |___| Version 4.3.2

listeners

# Manages Empire listeners

Intermediate

RouterSploit

Router Exploitation IoT Security

RouterSploit is an open-source exploitation framework dedicated to embedded devices like routers and IoT devices. It contains various exploits, scanners, and brute force mechanisms specifically designed for these devices.

rsf

# Launches RouterSploit Framework ______ _ _____ _ _ _ | ___ \ | | / ___| | | (_) | | |_/ /___ _ _| |_ ___ _ __\ `--. _ __ | | ___ _| |_ | // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __| | |\ \ (_) | |_| | || __/ | /\__/ / |_) | | (_) | | |_ \_| \_\___/ \__,_|\__\___|_| \____/| .__/|_|\___/|_|\__| | | |_| Exploits: 112 Scanners: 12 Creds: 13 Generic: 9 Payloads: 2 rsf >

use scanners/autopwn

# Uses the autopwn scanner to identify vulnerable devices

Advanced

Koadic

COM Command Post-Exploitation

Koadic is a Windows post-exploitation rootkit similar to other penetration testing tools but utilizes Windows Script Host, providing an interface similar to Metasploit with a JavaScript-based agent.

koadic

# Launches Koadic C3 COM Command & Control [?] .../.../.../.../.../.../.../.../.../.\ [?] .../.../.../.../.../.../.../.../.../.\ [?] .../.../.../.../.../.../.../.../.../.\ [?] .../.|.../.../.../.../.../.../.../...\ [?] .../.|.\./.../.../.../.../.../.../...\ [?] ....\_|_/.../.../.../.../.../.../.../.\ [?] .../.|_|__|.../.../.../.../.../.../.../ [?] /.\'.|_|__|.\./.../.../.../.../.../.../ [?] \.|`.[_|__|.|.\./.../.../.../.../.../..| [?] ..\`.[|_|__|.\.\.../.../.../.../..././| [?] ..|.\`[|_|__|.|`|../.../.../.../.../|..| [?] .|..|\`[|_|__|_|/.../.../.../.../.|...| [?] _|__|_`[_|__|,´.../.../.../.../.|.....| [?] |,´...\`[|_|.|`\./.../.../.../.|......| [?] |......\|.|.|./.../.../.../.../|......|

help

# Displays available commands

Advanced

Shellter

Dynamic Shellcode PE Infection

Shellter is a dynamic shellcode injection tool that can be used to create stealth backdoors for Windows applications by re-engineering native executables to be undetectable by antivirus solutions.

shellter

Advanced

Cobalt Strike

Red Team Advanced Exploitation

Cobalt Strike is a commercial, full-featured penetration testing tool that leverages "Beacon" payloads to model advanced attackers. It's widely used for adversary simulation and red team operations.

./teamserver 192.168.1.100 password

# Starts Cobalt Strike team server on specified IP with password # Commercial tool requiring proper licensing

java -jar cobaltstrike.jar

# Launches Cobalt Strike client to connect to team server

Educational Purposes Only

Filter by Complexity:

Introduction to Kali Linux

Getting Started

Ethical Guidelines

System Requirements

Learning Resources

Network Analysis Tools

Nmap

Wireshark

TCPDump

Netcat

Masscan

Zenmap

hping3

Bettercap

Ettercap

Arpwatch

Wireless Security Tools

Aircrack-ng

Kismet

Wifite

Reaver

Airgeddon

Bully

PixieWPS

Fern WiFi Cracker

mdk3

Wifite2

Wireless Security Best Practices

For Network Administrators

For Security Testers

Web Application Security Tools

Burp Suite

OWASP ZAP

Nikto

Dirb

SQLmap

WPScan

Gobuster

Dirsearch

Commix

XSSer

Common Web Vulnerabilities

Injection Vulnerabilities

Client-Side Vulnerabilities

Authentication & Authorization

Vulnerability Assessment Tools

OpenVAS

Nessus

Lynis

Nexpose

Retina

OWASP Dependency-Check

OSSEC

Vuls

Metasploit Pro

Vulners Scanner

Exploitation Tools

Metasploit Framework

BeEF

Armitage

PowerSploit

Social Engineering Toolkit

Empire

RouterSploit

Koadic

Shellter

Cobalt Strike

Password Security Tools

John the Ripper