10 Best Hacking Tools in Kali Linux (And How to Use Them Safely)

Quick Answer: Kali Linux is a popular operating system used by security professionals. It comes loaded with over 600 security tools, including the best hacking tools security pros rely on.
The tools that ship with Kali are powerful for almost any testing work you will need. They are used to expose vulnerabilities safely, allowing them to be patched before hackers can exploit them.
They are not toys, and before you use them, you must ensure you have permission to operate them. There are legal consequences for attempting to access systems without permission, so please use these resources responsibly.
The tools covered here are the same ones that professional pentesters rely on daily, and mastering and understanding them requires considerable practice. You’ll find them used in Security Operation Centers (SOC), on bug bounty hunter laptops, and in cybersecurity training labs around the world—so you know that the tools are effective and used out in the real world.
What is Kali Linux?
Kali Linux is a Debian-based distro built specifically for cybersecurity. Having access to the best hacker tools in a single install makes it very easy to get set up—no more hunting for dependencies and packages to get each tool up and running.
You can use Kali Linux for most security research and testing tasks. It features digital forensics tools, network scanning apps, and penetration testing tools for enhancing network security and applications.
Kali Linux is very broad and gives you tons of tools from different sources to choose from. Most of these tools will work across platforms and protocols, so you’ll have the right tool for the job for most scenarios that you might come across.
Let's look at our 10 most popular tools that security professionals use, covering a wide range of capabilities that handle the most common day-to-day tasks.
1. Nmap (Network Mapper)
Nmap is a network scanner and service discovery tool that finds live hosts on networks. It identifies open ports and running services, as well as the target host’s operating system, remotely. With nmap you can spot everything from web servers to the kind of industrial control systems you’d find in a factory.
Using it is quite simple, and it has numerous additional parameters you can add as your needs become more complex. To scan a single host, run ‘nmap 192.168.1.1’. This checks the 1000 most commonly used ports on that host and reports which of them are open.
A more aggressive scan command is ‘nmap -A -T4 192.168.1.0/24 -oA full_scan’. This command scans an entire network subnet using an aggressive scan (-A) with specified timing (-T4) and saves the result in different formats (-oA). (This kind of scan can cause issues on some networks, so always make sure that you are not connected to a live network if you are just experimenting.)
Nmap also ships with hundreds of scripts for its Nmap Scripting Engine (NSE) that cover just about any network-testing task, from brute-forcing to detecting malware.
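As an added example (not code from the article or the Nmap project), the following Python reads the XML file that ‘-oA’ writes and flags open ports that are not on a per-host allow-list, which is how a defender turns a scan into an inventory check. The XML snippet and the baseline are constructed assumptions, not output from a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML that `nmap ... -oA full_scan` writes to full_scan.xml,
# trimmed to the elements this parser reads (not output from a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -T4 192.168.1.0/24 -oA full_scan">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.50" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.1.99" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical baseline of the ports each host is allowed to expose (an assumption for this example).
BASELINE = {"192.168.1.1": {22, 443}, "192.168.1.50": {22}}

def parse_nmap_xml(xml_text):
    """Return {ip: {port: service_name}} covering only open ports on hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ip = addr.get("addr")
        hosts[ip] = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed and filtered ports are not exposure
            svc = port.find("service")
            hosts[ip][int(port.get("portid"))] = svc.get("name", "unknown") if svc is not None else "unknown"
    return hosts

def unexpected_ports(hosts, baseline):
    """(ip, port, service) for every open port the baseline does not allow; unknown hosts allow none."""
    findings = []
    for ip, ports in hosts.items():
        allowed = baseline.get(ip, set())
        findings.extend((ip, p, name) for p, name in sorted(ports.items()) if p not in allowed)
    return findings

if __name__ == "__main__":
    for ip, port, name in unexpected_ports(parse_nmap_xml(SAMPLE_XML), BASELINE):
        print(f"{ip}:{port} ({name}) is open but not in the baseline")
```

Run against a real full_scan.xml, the same two functions give you a diff between what the network actually exposes and what it is supposed to expose.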
2. Metasploit Framework
Metasploit has thousands of exploits that target well-known vulnerabilities, and it handles the payload generation. Metasploit gets updated often, so you’ll have fresh exploits from the latest Common Vulnerabilities and Exposures (CVEs) to test with.
Metasploit has additional capabilities and can test for vulnerabilities in standard systems, such as Active Directory Certificate Services, Confluence, FortiOS, and GeoServer, which is useful for verifying that the latest security patches have been applied to your systems.
Using Metasploit takes some getting used to. The commands are run from the msfconsole, which means getting comfortable with the command line. An example would be to search for a known exploit by typing ‘search eternalblue’. You then select one of the results with ‘use exploit/windows/smb/ms17_010_eternalblue’. You select your payload with ‘set PAYLOAD windows/x64/meterpreter/reverse_tcp’ and then launch it with ‘exploit’.
This example enables the Meterpreter payload to access compromised systems, allowing the pentester to run hashdump to extract passwords, start a keylogger with keyscan_start, or execute any other commands within the scope of testing.
Exploits also need proper configuration to work, such as setting RHOSTS (the target) and LHOST (the address your listener is waiting on), and patched systems won't fall for exploits they are protected against, so not every system will be vulnerable (and that’s a good thing, if you think about it).
3. Wireshark
Wireshark is one of the most widely used network packet analyzers available today. It’s an advanced network tool that lets you inspect your network traffic at every level, from overall flows down to individual packets. Capturing packets usually requires administrator or root access on your system, so make sure you have the right privileges before you get started (and permission, of course).
It takes all of this data and formats it in a readable output that makes more sense to human operators. The GUI shows all the information you’ll need to investigate network activity with packet lists, breakdowns, and even raw hex data.
Open the app, choose your network interface, and click the blue shark fin to start capturing; you’ll see network traffic flowing right away. On a busy network the output is overwhelming, which is where display filters come to the rescue. Type ‘http.request’ into the filter bar and only HTTP requests will be shown, which is perfect if you are tracking down suspicious HTTP traffic.
If you need to focus on a specific IP address, use ‘ip.addr == 192.168.1.1’ to hide everything except traffic to or from that host. Fans of the command line will be happy to know that tshark is the command-line interface (CLI) version of Wireshark. Simply type ‘tshark -i eth0 -w capture.pcapng’ to capture traffic on eth0 to a file without the GUI.
4. Aircrack-ng
Aircrack-ng is actually a collection of tools grouped for Wi-Fi penetration testing. It captures traffic and analyzes encryption protocols, while also attempting to crack WPA/WPA2 passwords. It now supports multi-core CPUs for faster cracking attempts.
A common workflow for testing with this tool is to enable monitor mode, start capturing traffic, and then force clients to reconnect. This captures the connection handshake, which can then be cracked offline.
To enable monitor mode, you just need to type ‘airmon-ng start wlan0’ (or whichever wireless adapter you intend to use). In this example, the command creates a new monitor-mode interface called wlan0mon. You can then capture traffic with ‘airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon’. This listens on channel 6 and saves packets from the access point you are testing to files named capture-01.cap and so on.
To force the handshake capture, type ‘aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon’. This sends deauthentication frames that disconnect clients from the Wi-Fi network; when they reconnect, they supply the handshake you need.
With this data, you can then start cracking attempts with ‘aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap’. The file rockyou.txt is a wordlist with over 14 million commonly used passwords. The tool tries each password against the WPA/WPA2 four-way handshake in your capture file. If the network uses a common, insecure password, then there is a good chance that you will find a match.
The good news for wary WiFi network owners is that as of 2025, WPA3 is resistant to these kinds of attacks.
5. John the Ripper
John the Ripper is a password hash-cracking tool that employs various techniques to accomplish its task. The latest version supports hundreds of different hash formats, from old ones like Unix crypt(3) all the way up to the newer Argon2 standard, without much fuss. It can handle operating system passwords, encrypted archive files like Zip, or even cryptocurrency wallets.
Owning a decent Graphics Processing Unit (GPU) speeds up the entire process and is significantly faster than CPU-based systems. Even better is the fact that it works on both NVIDIA and AMD GPUs. There are some limitations, even with decent hardware, and cracking performance also depends on the hash type.
Using the tool is really easy - just type ‘john hashes.txt’. John automatically detects the hash type and then starts with single-crack mode, which tries passwords based on usernames.
John also handles dictionary attacks, which can be run with ‘john --wordlist=/usr/share/wordlists/rockyou.txt --rules hashes.txt’. The ‘--rules’ flag applies mangling rules that try out common password patterns.
Enable GPU acceleration by using ‘john --format=wpapsk-opencl --wordlist=wordlist.txt hashes.txt’, which will speed up the process by a good margin. To see how your work has progressed, you can type in ‘john --show hashes.txt’, which lists the hashes in hashes.txt that have been cracked so far together with their passwords.
6. Hydra
Hydra performs brute-force attacks against common authentication types and protocols, such as SSH, FTP, HTTP, RDP, and SMB. It can even target databases, and updates have provided it with improved PostgreSQL support and SMB2/SMB3 handling. It supports dictionary attacks and password spraying, which tries one password on a list of different accounts.
Using Hydra with SSH would look something like ‘hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100’. This command tries every password in rockyou.txt against the root account of the target system.
Password spraying is used for online testing where repeated attempts against the same account would trigger lockouts and slow down the testing process. To do this, type ‘hydra -L users.txt -p Password123 ssh://192.168.1.100’. Hydra will attempt the password ‘Password123’ against every account in the ‘users.txt’ file, rather than hitting a single account with a flood of requests that could result in a lockout.
Online attacks with Hydra can trigger account lockouts and rate limiting after too many tries, so you need to lower your rate settings if you don’t want to end your testing session prematurely.
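As an added, defender-side example (not from the article or the Hydra project), here is a small Python check that distinguishes the two patterns just described in sshd logs: a brute-force run that hammers one account, and a spray that tries one password across many accounts. The log lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not from a real host) showing the two patterns: one source
# hammering a single account, and one source trying a password across many accounts.
SAMPLE_LOG = """\
Jan 10 09:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 5000 ssh2
Jan 10 09:00:02 host sshd[102]: Failed password for root from 203.0.113.5 port 5001 ssh2
Jan 10 09:00:03 host sshd[103]: Failed password for root from 203.0.113.5 port 5002 ssh2
Jan 10 09:00:04 host sshd[104]: Failed password for root from 203.0.113.5 port 5003 ssh2
Jan 10 09:00:05 host sshd[105]: Failed password for root from 203.0.113.5 port 5004 ssh2
Jan 10 09:01:00 host sshd[110]: Failed password for alice from 198.51.100.7 port 6000 ssh2
Jan 10 09:01:01 host sshd[111]: Failed password for invalid user bob from 198.51.100.7 port 6001 ssh2
Jan 10 09:01:02 host sshd[112]: Failed password for carol from 198.51.100.7 port 6002 ssh2
Jan 10 09:01:03 host sshd[113]: Failed password for dave from 198.51.100.7 port 6003 ssh2
Jan 10 09:02:00 host sshd[120]: Accepted publickey for erin from 192.0.2.9 port 7000 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user bob from ...".
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def failures_by_source(log_text):
    """Map each source IP to {username: number of failed logins}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip][user] += 1
    return per_ip

def classify(per_ip, min_attempts=4, spray_users=3):
    """Label a source 'spray' (many accounts, few tries each, so no lockout fires) or
    'bruteforce' (enough tries in total to trip a lockout); thresholds are assumptions."""
    labels = {}
    for ip, users in per_ip.items():
        if len(users) >= spray_users and max(users.values()) < min_attempts:
            labels[ip] = "spray"
        elif sum(users.values()) >= min_attempts:
            labels[ip] = "bruteforce"
    return labels

if __name__ == "__main__":
    for ip, label in classify(failures_by_source(SAMPLE_LOG)).items():
        print(f"{ip}: {label}")
```

A per-account lockout only ever sees the brute-force case; the spray case is caught by counting distinct usernames per source, which is why both views are worth alerting on.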
7. SQLmap
If you want to test automated SQL injection, then SQLmap will help you do it. It identifies and exploits SQL injection vulnerabilities, helping to uncover security issues in web applications that require hardening. Version 1.9.4 tests six different injection methods across over 50 database management systems, and it also supports Amazon Aurora and CockroachDB.
Using SQLmap starts with basic detection, like this command: ‘sqlmap -u http://examplesite.com/page.php?id=1’. Given that URL, the tool runs a series of automated tests against the id parameter to find SQL injection points it can use. These are serious security flaws because an attacker could potentially read, update, or delete data in the database by injecting SQL through nothing more than a browser.
SQL injection vulnerabilities are serious, which is why SQLmap is valuable for identifying vulnerable applications before someone else does.
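To show the flaw SQLmap is looking for in a page like page.php?id=1, here is an added Python example (not from the article or the SQLmap project) with the unsafe lookup beside its parameterized form. The in-memory table and its rows are constructed sample data.

```python
import sqlite3

# In-memory table standing in for the database behind page.php?id=1 (constructed sample data).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
    (1, "Welcome", "public"), (2, "Pricing", "public"), (3, "Admin notes", "internal"),
])

def lookup_vulnerable(page_id):
    """The flaw SQLmap hunts for: the id parameter is pasted straight into the SQL string."""
    sql = f"SELECT id, title FROM pages WHERE id = {page_id}"
    return conn.execute(sql).fetchall()

def lookup_hardened(page_id):
    """Same query with a bound parameter, so the value can never be parsed as SQL."""
    try:
        page_id = int(page_id)  # the URL parameter is supposed to be a number; reject anything else
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM pages WHERE id = ?", (page_id,)).fetchall()

if __name__ == "__main__":
    payload = "1 OR 1=1"  # the kind of boolean-based probe SQLmap sends in the id parameter
    print("vulnerable:", lookup_vulnerable(payload))  # every row, including the internal one
    print("hardened:  ", lookup_hardened(payload))    # rejected, nothing returned
```

The hardened version is what a finding from SQLmap should turn into: bind every user-supplied value, and validate its type before it reaches the query.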
8. Burp Suite
Web applications are everywhere, from your internal network to the wide open internet. Before deploying an application to the prying eyes of the public, you need to ensure your app has all the security bases covered. Burp Suite lets you intercept and modify web traffic so you can find unsafe data access that an attacker could escalate into a larger compromise.
It comes with a built-in Chromium browser that is preconfigured out of the box, eliminating the need for painful manual setups. The most commonly used tools in the suite are:
Proxy
Repeater
Decoder
Sequencer
Comparer
To use it, start Burp, and it will launch pre-configured to route traffic through its proxy. Enter the URL of the web app that you want to test and watch as the web requests start flooding in. Right-click on requests that spark your interest and then select ‘Send to Repeater’ for some manual tests.
In Repeater, you can modify parameters and even inject test payloads to see what will happen. You can attempt cross-site scripting (XSS) or SQL injection if you are looking for specific flaws. Each time you modify your parameters, you’ll need to click ‘Send’ so that you can monitor changes with each request. This tool offers a limited community edition that is still suitable for manual testing. However, if you plan to use it more frequently, a professional edition is available for around $449 per year, which includes automated scanning.
9. Nikto
Web server vulnerabilities can lead to disastrous outages, which is why Nikto is an important analysis tool for improving security. Nikto is not a quiet tool, but that’s by design. It doesn’t try to sneak its way into web servers; instead, it intentionally tries to trigger intrusion detection systems to test the server’s defenses.
This ‘noisy’ approach to scans can trigger Web Application Firewall (WAF) rules, which generate alerts or automatically block certain actions. Therefore, ensure you have permission if you are on a real network before proceeding.
To use Nikto, run it against a website and see what common vulnerabilities come up. An example would be ‘nikto -h http://example.com’. It will check for vulnerabilities, misconfigurations, and outdated software versions. If you have more specific objectives in mind, then you can focus on only the items in your scope of operations.
If you want to only look for injection vulnerabilities, then you can run ‘nikto -h example.com -Tuning 489’. This restricts the scan to the injection (XSS/script/HTML) checks (4), command execution and remote shell checks (8), and SQL injection checks (9).
10. TheHarvester
If you create security reports, you'll have to collect a large amount of data. TheHarvester collects data from over 40 data sources and can query search engines, security platforms, and other online sources for details about a target domain. It will find email addresses, subdomain information, and even employee names or compromised credentials when run against a target.
To run some basic reconnaissance against a target, you can type ‘theHarvester -d example.com -l 500 -b google,bing,crtsh’. This will search Google, Bing, and Certificate Transparency logs for information about the domain you are testing.
You will need to obtain API keys for some of the sources you wish to query. Most providers offer a free tier for basic testing, even if they have query limits that prevent larger scans.
How to Use Kali Linux Hacking Tools Safely
None of the tools listed in this guide should be used without the written permission of the owners of the resource you want to test against. Testing against systems that you do not own or have permission to access is illegal, and you can land yourself in some serious trouble if you start scanning other people’s assets for vulnerabilities.
If you are legitimately testing systems within a network, ensure that the scope of work is clearly defined, including a list of what you can and can’t do. This scope document needs to be signed off before you begin testing, so you know exactly what you are testing and what you should leave alone.
Tools can cause damage and destruction in the wrong hands, so always exercise caution when experimenting. Set up a home lab that is isolated from the rest of the world and start learning before you attempt anything on a live system. Even something as simple as a scan has the potential to disrupt a service if not performed correctly, causing downtime and very angry IT managers.
Keep detailed logs of everything you do during testing. If you encounter any problems that require troubleshooting after completing your work, share the exact steps you took during the process. This will help speed up the restoration process if a mission-critical component goes offline during your tests.
If you find anything concerning, document it. Once the tests are done and the dust has settled, the findings need to be written up in full and presented to management. Your scope document will outline what you can and cannot do once you identify a vulnerability. The idea is to cause the least amount of disruption possible when you find a vulnerability, which often means documenting the finding and then moving on to the next objective.
Conclusion
These 10 tools are foundational for modern pentesting. They’re free, easy to use (with some practice), and regularly updated, which is what makes Kali Linux the go-to choice for security professionals learning new skills and working on real systems.
Cybersecurity moves quickly, and as new exploits and vulnerabilities are uncovered, the tools you need to use will continue to be updated. If you practice regularly, you can develop a repertoire of skills that will benefit you in your studies and on the job.
Always ask permission and get it in writing before using any of the tools on the list, and ensure that you understand what you are doing before running any of the commands.