6 Best Kali Linux Tools: Enumeration, Exploits, Cracking

Kali Linux — the Linux distro loaded down with every penetration testing app you could ever need — is indeed a powerful tool in the hands of even a n00b pentester. But while the preinstalled 600+ tools sounds like you have everything and the virtual kitchen sink with which to assault your pentesting targets, some tools are better than others for certain tasks. Learn which tools can be used where in our Linux training course.

Sometimes a scalpel is needed instead of a broadsword, but sometimes the broadsword is nowhere near enough power and you'll need to break out the multi-bladed Sith Army Knife.

Let's take a look at the best tools in Kali for some specific pentesting tasks, both for surgery and hacking the entire First Order.

SCARY LEGAL WARNING: As with any pen testing exercise, make sure you never run any tools against systems that you do not own without explicit permission. Doing so is a violation of lots of unauthorized access laws in the U.S. and probably most other countries. Even seemingly harmless port scans can be held against you, so be smart and only scan targets that you own or have permission to scan.

Nmap: Best Kali Tool for Port Scanning

Nmap. Done. Move Along.

Just kidding, let's dig into everyone's favorite network mapper. Nmap is a pentester's best friend and typically is the first weapon drawn when enumerating targets. Just take a look at the first 60 seconds of any Ippsec video, and pretty much every time guaranteed, he starts out with an Nmap scan and then reviews the open ports it finds.

But let's take a step back and define our terms. Remember from your Network+ training that network ports are communication endpoints between two hosts. A port will generally be open to connections from a client; the client connects to the open port and the two computers send data back and forth. Ports are numbered 1-65535, but don't let that overwhelm you, there are only a few dozen that will come up regularly enough to worry about.

An Nmap scan will look for open ports on a system. To be open, an application must be listening for incoming connections on that port and your traffic must be permitted by the firewall to reach the host. Nmap hits a range of ports (depending on the options you use when running the scan) looking for any that are open. It does this by sending the first part of a TCP three-way handshake, and waiting for the appropriate response. No response? That port is closed, move on to the next.

While this happens very quickly (hundreds of ports per second with a good connection to the host), it can be advantageous to scan only common ports rather than on 65535, which luckily Nmap does by default, scanning only the 1,000 most common TCP ports. Then it attempts to figure out the application actually running on that port. Sometimes it can determine this very accurately with a banner grab, for example, a web server will answer a HTTP request with "Well hey there buddy! I'm an IIS 7.5 server! Need some web pages?" Okay, it actually will look more like: Server: Microsoft-IIS/7.5. But you get the idea.

Why is this valuable? Well, a quick Google search will show that IIS is the built-in Windows Server web server, and that IIS 7.5 is the web server included with Windows 7 and Server 2008 R2, so it's safe to assume your host is either of these. And just like that, from a simple port scan, you've already done OS enumeration of your target. Thanks, Nmap!

But this is only scratching the surface of Nmap's power. It can scan UDP ports, find all the live hosts in a range of IPs, and even run scripts to find common vulnerabilities in applications (for example, unpatched Windows machines with SMB open which can lead to easy admin access). Nmap will become your best friend.

Hydra: Best Kali Tool for Brute Forcing Passwords

"Always use a strong password with special characters, numbers, and capital letters!" This is common advice, but why? Because dictionary attacks against web login pages are easy with Hydra.

There are several approaches to bypassing authentication, but sometimes the sledgehammer approach works best. Hydra works against a huge number of services like FTP, POP3, and SMB to do password cracking using a method called brute forcing. Basically give it a username, list of passwords, point it at a target, and scream "ATTACK!" The tool will try logging into the service with every password on the list until it finds a match or runs out of passwords.

The attack, however, is only as good as the password list you give it. Fortunately, Kali comes preloaded with several great password lists, some with the first 1000 or 10,000 most common passwords (more dangerous a list than you might think). If those those don't prove to be fruitful however, there's also the famous rockyou.txt list, a 133 megabyte text file is over 14 million passwords.

While guessing passwords on FTP sites sounds cool, you might be thinking "cracking a web site login might be a bit more helpful." You'd be both correct and in luck! Hydra can do its magic on both web form logins (where the username and password fields are a part of the page) and basic auth requests (where the login is in a separate popup box).

You'll need part of the actual HTTP authentication request sent to the site, which you can get from an app which intercepts your traffic like Burp Suite. Feed this to Hydra, marking where the username and passwords go within the request, hit go, and wait for pwnage!

WPScan: Best Kali Tool for Enumerating WordPress

Ah, WordPress, new web apps have received so much flak from the security community for being so vulnerability-ridden. It's not completely WordPress's fault, even though the core application does have issues from time to time. The problems usually stem from third-party plugins, of which there are over 50,000 available. Take a plugin written by an anonymous dev with no security background, make the code publicly available (they all are) for anyone to analyze, make sure the dev abandoned it years ago so there's no hope for updates, then install that plug-in on your website. What could go wrong?

Since WordPress is so popular, it only makes sense that a pentest tool like WPScan exists. It will enumerate just about everything you could possibly want to know about a WordPress site. The WordPress core version and any known vulnerabilities with that version. The theme in use and its version. Any installed plugins and their versions (highlighting any with known vulnerabilities).

And one of our favorites, it will enumerate a list of usernames for the site.

Take this list, plus a password list, and it will automate brute forcing those logins. If you hit paydirt with an admin user then great, if you only get in as a low level user don't forget that privilege escalation vulnerabilities abound.

Social-Engineer Toolkit: Best Kali Tool for Social Engineering

Sometimes the best way through an impenetrable locked door is just to nicely ask an unsuspecting looking person for the key. Just act like you belong, ask really nice, pretend like you forgot your key at home, and walk up to the door with your arms full, and ask: Who would be so ruthless as to say no?

This, in a nutshell, is social engineering, gaining a user's trust to manipulate them to gain access. An email saying that you need to change your email password, click this (bogus) link and login. A phone call from the IT help desk asking to install an application on your computer. An urgent message from the CEO asking to wire him money. All these depend on you trusting the source to do what the hacker wants.

While social engineering tools sound like tradecraft for spammers, they can actually be incredibly helpful for a pentester trying to get into your network. Forget bypassing authentication or hacking a web app to get a remote shell on the server, just ask someone to let you in! Kali, of course, includes one of the best: the Social-Engineer Toolkit.

SET does a lot of cool stuff: harvesting email addresses from your target's domain, automating sending out reverse shell payloads, hosting fake versions of legit websites to harvest credentials, and sending emails to get unsuspecting users to visit said bogus websites. It's everything you need to get in via some social engineering wizardry.

Metasploit: Best Kali Tool for Running Exploits

Finally, no discussion about Kali would be complete without mentioning Metasploit. The Metasploit Framework (MSF) is a lot of things: a collection of prewritten application exploits, an engine to run custom exploits, an info-gathering tool, a listener for extra special Meterpreter reverse shells, a means to perform post-exploitation and pivot deeper into the network, and much more.

On the surface, choose an included exploit that matches a service you found with, say, Nmap, add your target IP and port, and let Metasploit loose. If successful, you will be granted a shell on the target system from which to run commands.

That's an extreme simplification, there are lots of gotchas and trial and Kill involved, but at its simplest form MSF has stripped away a lot of the chores around setting up exploits and payloads so that you can point and shoot.

Instead of digging any deeper the wide and deep leagues of Metasploit, you'd be better going through the CBT Nuggets Metasploit Framework course, it'll unpack all the goodies within MSF.

Final Thoughts

Kali can be overwhelming with its staggering number of included tools, but 99% of the time you'll be reaching for the same dozen or so. Start out with those that we've discussed, then Google to research a few other heavy hitters like Burp Suite, John the Ripper, SQLMap, and Netcat.

Also, if you missed them, be sure to check out our previous articles on the OSCP cert, heavily based on Kali. The OSCP material will definitely give you lots of practice toward mastering these tools. Happy hacking!