Kali Linux

Using Kali Linux for Penetration Testing

To improve the security and quality of products, use Kali Linux for penetration testing. Penetration testing has become an integral part of a comprehensive security program. Pen tests are conducted by ethical hackers to mimic the strategies and actions of the attacker. This complicated task is creative, and it needs you to understand your task completely.

Gathering Information:

The first step to initiate a penetration test is to collect maximum information about the system. This helps you to understand whether the system could be investigated from outside or if potential attackers could extract any data. Factors that significantly may amplify the chance of a successful attack include port protocols, product architecture, entry points, software versions, and Information about technologies. Your goal is to prevent potential attackers from extracting this Information from your product.


DNSMap is used by DNSMap Testers to examine infrastructure security and collect Information about IP netblocks, domain names, subdomains, and so on. At the enumeration stage, this utility is utilized for the subdomain in brute-forcing.

This method proves very helpful when other methods like zone transfer don’t bring up the required results.

Network Mapper (Nmap):

A famous open-source utility for security and penetration testing is Network Mapper (Nmap). The raw Information is used to obtain the Information present in the host network and implementation of the firewall.

The result viewer (Zenmap) and a tool for comparing results (Ndiff) are some other features of Nmap. Having official binary packages for “Linux”, “Windows”, and “macOS”, it goes well with all operating systems. Speed, universality, and efficiency make it a popular tool for host and network scanning, so if you are ambiguous about the initial point, go with Nmap.


Arp scan is a tool that scans networks with Ethernet ARP packets, Layer-2, and Mac. Feedback can be received by sending ARP packets to defined hosts on your local network. ARP packets can be sent to numerous hosts using output bandwidth and configurable packet rate. It also makes uncomplicated to examine large address spaces. Outgoing ARP packets are to be constructed carefully. All fields of Ethernet frame header and ARP packets can easily be controlled by arp-scan. Received ARP packets are decoded and displayed. A specified targeted host can also be fingerprinted with its arp-fingerprint tool.


An additional high favored tool for testing penetration and network forensics is known as SSLsplit.

It is able to conduct a man in the middle (MITM) attacks in opposition to the network connections which work out with the SSL / TLS. It can stop the connections as well as has the ability to reorient the connections. It begins a novel connection to the initial location address and logs all the details transferred after the termination of an authentic SSL/TLS connection.

Plain TCP along with SSL, HTTP/HTTPS connections via IPv4 and IPv6 are supported by SSLsplit. Sign forged X509v3 certificates on-the-fly can be generated for SSL and HTTPS connections. It relies on libraries like OpenSSL, libcap, and libevent 2.x and also on liner 1.1.x, etc. STARTTLS mechanism is genetically supported by SSLsplit.

Analysis of vulnerabilities:

One of the important stages in pen testing is the analysis of vulnerabilities. It’s quite similar to collecting Information. However, here we have a specific goal of finding the weaknesses that can be exploited by an attacker. It’s a significant stage as vulnerability makes your system prone to cyberattacks. The efficient use of just one or two vulnerability tools is enough. Here is a list of the best eight tools, which are used to test and analyze the vulnerability.


For automated penetration testing, the best tool to be used is APT2. Scanning and transferring the outcomes from various tools is one of its main functions. APT2 utilizes the processes consequences for introducing clear and enumeration modules in line with the configurable Safe Level and enumerated service information. It stores module results that are received on some localhost and combines them to the general knowledge base, which can be accessed by users from within the application in order to watch the results received from the exploit module. Its main advantage is its high flexibility and granular control over its behavior with the configurability of Safe Level. It comprises detailed documentation and is easy to use. However, the updates aren’t frequent. The recent update was made in March. 2018.


BruteXSS is another powerful tool being used for brute-forcing and fast cross-site, which scripts brute. From a certain wordlist, many payloads are transferred to certain factors. Certain measures and parameters are made to check the vulnerability of XXS. XSS brute-forcing, XSS scanning, support for GET/POST requests, and Custom word lists constitute its important characteristics. It has a user-friendly UI along with support for GET/POST; therefore, it’s very compatible with most web applications. And it is more précised.


CrackMapExec is a tool for testing windows and Active Directory environments using multiple technologies such as PowerSploit repository as its modules.

Logged users can be enumerated and shares SMB folders can be indexed along with performing peace attacks and NTDS.dit dumping, automatic injection of Mimikaz/Shellcode/DDL into the memory using PowerShell, etc. Its main advantages include the Clear Python scripts, fully parallel multithreading, and the use of only native WinAPI calls to detect sessions, thus reducing the risk of errors, users and SAM hash dumping, etc. It is almost undetectable by security scanners and uses plain Python scripts without depending on any external library. It is rather complex and worth the effort, as most of its analogy isn’t very accurate and functional.


SQLmap is another open-source tool that helps you to automate the perception along with it the utilization of SQL injection errors and commandment of database servers.

SQLmap support MySQL, Oracle, and IBM DB2 are the most popular components of the database management system

Six main SQL injection techniques:

  • Time-based blind, error-based, UNION query, stacked queries, and out-of-band, and Boolean based. User’s Information such as enumeration, roles, password hashes, tables, and columns, privileges, and databases.
  • A dictionary-based attack with recognition of password and supporting the password cracking.
  • Find the specific database names, tables, or columns in database tables.
  • Using MySQL, PostgreSQL, or Microsoft SQL Server software to download and upload any software files.
  • Perform the commands on the database operating system and finding their standard output and organizing a connection that is out-of-band stateful TCP between your database server operating system and the device of the attacker.
  • Increase user privileges for database execution through MetaSplit’s Metapter Gate system command. It comprises of an influential search engine which can also be introduced on a Windows little with an old homepage.

Open Vulnerability Assessment System (OpenVAS):

This framework can monitor network hosts and find security issues along with determining severity and controlling the ways of dealing with them. It detects host vulnerable due to old software usage or misconfiguration. It scans open ports of hosts being monitored, sends packets which are specially formed to copy an attack, authorizes on a specific host, gets access to a panel of admins, can run various commands, etc. It provides a set of Network Vulnerability Tests (NVT), which classifies the threat by providing 50000 security tests. CVE and Opens CAP check the description of known problems. OpenSCAP is completely free as well as it is compatible with the Virtual Box, Hyper-V virtualization systems, and ESXi and supports OVAL, ARF, XCCFF, CVSS, CVE, and CCE.

After installing it, you’ll need time to update the present version of NVT databases.

Sniffing and spoofing traffic:

Traffic sniffing and traffic spoofing is the next step. It is an interesting and equally important step in penetration testing. While performing penetration testing, sniffing and spoofing can be used for a variety of different reasons.

It is used to identify network vulnerabilities and locations that attackers can target, which is an important use of sniffing and spoofing traffic.  Paths from which the packets pass through your network can be checked and to see what information packets contain if they are encrypted or not and many more.

The possibility of the packet being caught by an attacker and accessing important information that is a threat to the security of your network. Furthermore, if an intervening a packet by an enemy and then also replacing the original with a malignant one, can turn into the destruction of the consequences. With the help of encryption, tunnelling, and other similar techniques, it is your objective to make it as difficult as possible to sniff and spoof packets sent across your network. For sniffing and forging some best tools are used. The following are the tools used for this purpose.

Burp Suite:

To run the web application test of security Burp Suite is the best choice to choose. It consists of a number of different tools that are proved to be very efficient to use in every step of the vulnerability testing process, site map creation, web application attack level analysis. Burp Suite provides full control over the testing process, and it allows you to combine high-level automation with advanced manual techniques. It is ultimately making penetration testing swift and effectual.

Burp Suite includes:

A sniffing proxy has used that checks and monitor the traffic. Moreover, it edits the traffic sent between your browser and the targeted side. An advanced web application scanner diagnoses different levels of hazards instinctively. In the application spider to crawl both content and functionality. It also adds to commentators, backslider, and sequencer gadgets.

It can redeem the work and then can also resume it when in need. You can simply mention your extensions to carry out a certain complex and more customizable piece of work because it is adaptable. Similar to the other security testing tools, it also harms and damages the other web applications. For this matter, you should always construct backup copies of the application you have tested before using Burp Suite. And do not apply it in opposition to the systems to which you cannot access permission to test it.

Note that Burp Suite is a product that is salaried and is not a free open source gadget that is dissimilar to a lot of other tools that are mentioned in this article. Its usage is not difficult at all as it comprises the intuitive interface as well, so novice teens can also apply it. It contains a number of strong characteristics that can benefit new testers, and you can customize it as per your need.


Malware analyst and pen testing hackers can use the DNSchef because it is highly configurable and functions efficiently. Feedbacks can be generated, which is based on lists of both included and excluded domains. Different types of DNS data which is assisted by DNSChef. It can take part in competing domains with wildcards and can proxy real responses to asynchronous domains and define external configuration files.

DNS Proxy is a very useful instrument that is used to inspect application network traffic. For example, a DNS proxy can be used for fake requests to point to a real host anywhere on the Internet for badgoo.com but to a local machine that will process the request. Or will stop it. Only initial filtering is applied, or it signalizes to one IP address for all DNS queries. DNS Chef is mandatory for a resilient system and was created as part of a penetration test.

DNS proxies are helpful when an application has no other way to use another proxy server. The same is the case with a few mobile phones that does not regard the operating system and the system because of the HTTP proxy. This proxy (DNSchef) is the best to run all types of applications and directly enables the connection with the targeted site.

OWASP Zed Attack Proxy:

OWASP, probably the most used vulnerability and security scanner on the web. Many hackers widely use it. Leading benefits of OWASP ZAP includes that it is free, open-source, and cross-platform. Also, it is actively supported by volunteers from all over the world and is fully internationalized.

The ZAP comprises a number of significant characteristics, including some automatic and inactive scanners, proxy server interface, dawn, and traditional and AJAX web crawlers.

You can use OWASP ZAP to automatically detect security vulnerabilities in your web applications during development and testing. It is also used for experienced penetration tests to conduct manual security tests.


MITM FM is a popular framework for MITM attacks based on Sergio Proxy and is primarily an attempt to revitalize the project.

The MITMf is two in one tool that has the ability to attack the network and MITM.  For this purpose, it was constantly introducing and improving all the attacks and techniques available. Initially, MITMf was designed to address critical issues with other tools, such as malware and eater caps. But later, to ensure high-level framework scalability, it was completely rewritten so that every user could use MITMf to carry out their MITM attacks.

Main features of the MITMf framework:

  • Preventing locating the configuration file by using DHCP or DNS (Web Proxy Auto-Discovery Protocol).
  • The responder tool integration (LLMNR, MDNS poisoning, NBT-NS)
  • Built-in DNS (domain name server), SMB (server message block), and HTTP (hypertext transfer protocol) servers.
  • SSL Strip proxy, which bypassed HSTS (HTTP strict transport security) and modified the HTTP too.
  • NBT-NS, LLMNR, and MDNS poisoning are directly related to the offender tool. Furthermore, the Web Proxy Auto-Discovery Protocol (WPAD) Supports the Fraud Server.


Wire Shark is a well-known network protocol analyst. This allows you to observe every action at the micro-level. Wire share network is the barometer in many industries for traffic analysis. The Wire Shark is the successor of the 1998 project. Soon after the success, all the experts around the globe started developing the wire shark.

Wireshark has some of the most decent features to test the network and but sometimes, especially for the newbies, it’s doesn’t seem to be quite easy to operate as its built structure needs good documentation of the features to operate.

  • Offline mode and a very powerful display filtering.
  • Rich VoIP(voice over internet protocol) analysis.
  • Ethernet and other multiple types can be used to read live data (IEEE, PPP, etc.).
  • Capturing RAW USB traffic.
  • Multiple platform support.
  • Decryption ability for many protocols.
  • Refined data display.
  • Plugins can be created.

Pen testing of web applications:

Pentesting is another name of a penetration test, which is also known as ethical hacking, as it’s a legal and permissible way to hack your system so to test the loopholes and various vulnerabilities of your web application. A modern web application comprises a complex architecture, and with that, it also carries various hazards with different levels of intensity. A lot of application works and are linked directly to the international payment techniques and services of order etc. For example, you have an eCommerce website; you should have to test the payment gateway of your website prior to making it live to the customers so that there won’t be any mishap with the client’s payment date or payment methods.

Following are five essential Kali Linux tools and their brief introduction:


ATSCAN is a tool which is very efficient for advanced search, massive exploitation of the dark, and automatic detection of vulnerable websites. It is very useful for substructing known search engines, including Google, Bing, Yandex, Esco.com, and Sogo.

ATSCAN is a scanner that will scan your website or script for the vulnerabilities, especially in the admin pages, as hacking the admin page of a website means hacking the entire website as from the admin page, the hacker can perform any activity he wants.

It is obtainable for all recommended platforms. ATSCAN has the ability to diagnose Dark completely, execute external commands, find the admin pages, and automatic detection of all types of errors. For instance, different scanners such as XSS scanners, LFI / AFD scanners, etc. are used.

Iron WASP:

To detect web application security, we use IronWSP, which is free, open-source equipment. Though initially, it originated for Windows primarily supporting Python and Ruby on rails, it also works for Linux. Its majorly supports Python and Ruby, but it can also use all sort of plugins and modules that are written in C # and VB.NET.

IronWSP has a simple graphical interface that is easy to use and is supported by a powerful scanning engine and recording of continuous recording. In addition, it has the capability to detect web applications for more than 25 types of known vulnerabilities. IronWASP includes a large variety of built-in modules and provides a number of specific tools:

  • WiHawk — A Wi-Fi router vulnerability scanner
  • XmlChor — An automatic exploitation tool for XPATH injection
  • IronSAP — An SAP security scanner
  • SSL Security Checker — A scanner for detecting SSL installation vulnerabilities
  • OWASP Skanda — An automatic SSRF operation tool
  • CSRF PoC Generator — A tool for generating exploits for CSRF vulnerabilities
  • HAWAS — A tool for automatically detecting and decoding encoded strings and hashes on websites


Nikto is an open-source tool for scanning web servers that scans all of the dangerous files, data, and programs on any type of web servers such as Linux, Windows or BSD servers. Nikto inspects web servers to diagnose potential troubles and security threats by testing. This includes:

  • Invalid settings in web server or software files
  • Unsafe files and programs
  • Default files and programs
  • Historical services and programs

Nikto can work on any platform with the Pearl environment because it is made on LibWhisker2 (via RFP). Host authentication, proxy, payload encoding, and much more are fully supported.


Every penetration tester must know about Kali Linux tool because it is very strong and convenient to use. The final choice to use the tools will always depend on the tasks and goals of your current project even though it offers a complete set of tools at every stage of penetration tests. It offers and has the ability to show completely higher levels of accuracy and performance. This special technique is done by using different tools in different situations.

This article includes the most famous, easy, and commonly used Kali Linux tools for different functions. The functions include collecting the Information, analyzing different vulnerabilities, sniffing, connection, and interacting with fake network traffic, stress testing, and interacting with web applications. Many of these tools are not meant for investigative and security audit purposes. And it should be strictly prohibited in networks that do not grant permission.

About the author

Younis Said

I am a freelancing software project developer, a software engineering graduate and a content writer. I love working with Linux and open-source software.