For the official introduction to each tool in Kali, see the tools listing at [https://tools.kali.org/tools-listing](https://tools.kali.org/tools-listing); the table below summarizes each tool and gives a short evaluation.
| Name | Type | Usage Mode | Function | Evaluation |
|---|---|---|---|---|
| dmitry | Information Gathering | | Whois lookup / subdomain collection / port scanning | Whois is not straightforward; subdomains and email depend on Google; port scanning speed is average |
| dnmap | Information Gathering | | Sets up distributed nmap, with dnmap_server as the server and dnmap_client as the client | Not very convenient to use; not very necessary unless absolutely needed |
| ike-scan | Information Gathering | | Collects IPsec VPN server fingerprint information | Seems to be used for attacking VPNs; not entirely understood |
| maltegoce | Information Gathering | GUI | Collection and display of domain/account correlations | The correlation display is indeed good, but the results may not be ideal, especially for China |
| netdiscover | Information Gathering | | Actively sends ARP packets and captures ARP packets | The ARP detection functionality itself is quite well done |
| nmap | Information Gathering | Cmd-Line | Port service detection and port vulnerability scanning | The comprehensive port scanner |
| p0f | Information Gathering | Cmd-Line | Monitors packets on a network card to read the remote machine's OS and service version info, etc. | It only extracts version info from packets, so keep your expectations of its effectiveness low |
| recon-ng | Information Gathering | Shell | Information reconnaissance framework mimicking msf | Like turning webmaster tools into a command line; a good idea but not very intuitive to use |
| sparta | Brute Force | GUI | Graphical version of Hydra with added port service scanning | Not bad; a GUI is better than nothing |
| zenmap | Information Gathering | GUI | Graphical interface version of nmap | Not bad; a GUI is better than nothing |
| golismero | Web Scanning | Cmd-Line | Essentially a text-based web scanner similar to AWVS | Feels like it can improve one's understanding of scanner principles |
| lynis | System Audit | | Feels a bit like "Experience Now" on the 360 homepage, but it only scans and alerts and cannot repair automatically | Written in shell script; quite interesting |
| nikto | Web Scanning | | Web scanner | Just love the type that directly reports vulnerabilities (though rarely usable ones) |
| unix-privesc-check | System Audit | | Audits the permissions of key system files for abnormalities | Still lacks summary display and repair functionality |
| bed | System Scanning | | Tests for buffer overflow vulnerabilities in various services by sending fuzzed data | May be pretty good |
| burpsuite | Web Proxy | | A commonly used web proxy and packet capture tool | Powerful; cannot ask for more |
| commix | Injection Detection | | sqlmap detects SQL injection; this tool detects system command injection | Combined, they cover most types of injection |
| httrack | Website Cloning | | Clones a website locally | Useful for phishing and other purposes |
| owasp-zap | Web Proxy | GUI | Tool developed by OWASP | Compared to Burp Suite, it weakens packet capture and strengthens web vulnerability scanning, but doesn't seem to find much |
| paros | Web Scanning | GUI | A web crawling and vulnerability scanning tool | Similar to OWASP ZAP |
| skipfish | Web Scanning | Cmd-Line | A fully automated web vulnerability scanner | First crawls the site's pages, analyzes the pages for vulnerabilities, then generates HTML reports |
| sqlmap | SQL Injection Scanning | Cmd-Line | A powerful SQL injection scanning tool | |
| w3af | Web Scanning | Shell/GUI | A web vulnerability scanning framework | The so-called framework has many scanning modules, and you choose some of them to scan a website; feels not as good as advertised |
| webscarab | HTTP Proxy | GUI | A more professional website tree structure analysis tool | |
| wpscan | Web Scanning | | Vulnerability scanning tool targeting WordPress | |
| bbqsql | Blind Injection Scanning | Shell | A highly configurable interactive blind SQL injection tool | |
| hexorbase | Database Management | GUI | A client supporting various databases, with password cracking capabilities for several of them | As a client it's usable. For brute-force password cracking you need to prepare a dictionary yourself |
| jsql | Database Detection | GUI | Detects the database type via URL/parameter injection testing; detects admin pages; detects important files | |
| mdb-sql | Database Management | Cmd-Line | Connects to Access database files (MDB) and queries data with SQL statements | |
| oscanner | Database Enumeration | Cmd-Line | Uses a dictionary to probe whether an Oracle database is listening and to enumerate services | Few parameters. Testing the SID and default users works. The default dictionary is poor; better to write your own |
| sidguesser | Database Enumeration | Cmd-Line | Uses a dictionary to detect existing SIDs in an Oracle database | Few parameters. If the dictionary contains the SID, it can be detected. As with all dictionary-based tools, you still need your own dictionary |
| sqlite database | Database Management | GUI | SQLite database client | |
| sqlninja | Database Enumeration | Cmd-Line | Used to enumerate MS SQL | |
| sqlsus | SQL Injection Detection | Cmd-Line | Used for blind SQL injection detection in MySQL | |
| tnscmd10g | Database Detection | Cmd-Line | Detects whether an Oracle database is listening, and other information | |
| cewl | Password List Creation | Cmd-Line | Crawls a given URL and extracts words from the web pages according to constraints to generate a password list | The idea is viable. A pity it only extracts words, without intelligent transformations such as a to @ |
| crunch | Password List Creation | Cmd-Line | Generates a password list based on specified constraints | |
| hashcat | Hash Cracking | Cmd-Line | Brute-force cracking tool for various hashes; fast and (relatively) light on CPU | |
| john | System Password Cracking | Cmd-Line | Cracks system password files (such as /etc/passwd) to recover plaintext passwords | |
| johnny | System Password Cracking | GUI | GUI version of John | |
| medusa | Password Guessing | Cmd-Line | Password guessing for IMAP, rlogin, SSH, etc.; similar to Hydra | |
| ncrack | Password Guessing | Cmd-Line | Password guessing for IMAP, rlogin, SSH, etc.; similar to Hydra | |
| ophcrack | System Password Cracking | GUI | Windows password cracker based on rainbow tables | |
| pyrit | WiFi Cracking | Cmd-Line | WPA/WPA2 WiFi password cracker | |
| rainbowcrack | Hash Cracking | Cmd-Line | Generates, sorts, and uses precomputed rainbow tables for cracking | |
| rcracki_mt | Hash Cracking | Cmd-Line | Hash cracking tool based on rainbow tables; possibly part of rainbowcrack | |
| wordlist | Password Files | Cmd-Line | Prints the locations of some password files bundled with Kali | |
| aircrack-ng | WiFi Cracking | Cmd-Line | WiFi password cracking suite for WEP and WPA | |
| chirp | Radio Interception | GUI | A tool for intercepting various radio packets (probably) | |
| cowpatty | WiFi Cracking | Cmd-Line | Password guessing for WPA-PSK WiFi based on captured handshake packets and a password dictionary | Can't capture packets by itself and can only crack WPA-PSK; features are somewhat limited |
| Fern WIFI Cracker | WiFi Cracking | GUI | Dictionary-based cracking tool for WEP and WPA WiFi | Automatically discovers WiFi and captures packets; the GUI is easy to use |
| Ghost Phisher | AP Spoofing | GUI | Discovers APs and disconnects devices connected to them, then spoofs the AP so the devices reconnect to it | Beyond APs it can also spoof DNS, HTTP servers, etc.; quite useful |
| giskismet | Visualization | GUI | Visualization tool for Kismet output in various formats such as text and HTML | |
| kismet | AP Discovery | Shell | Interactive AP discovery tool listing various information about surrounding APs | |
| MDK3 | AP Disruption | Cmd-Line | Sends large numbers of connect and disconnect requests to APs, or advertises many non-existent APs to nearby devices | This tool's attack methods are insanely aggressive |
| mfoc | IC Card Cracking | Cmd-Line | IC card key cracking program | The tool used in those free meal-card recharge tutorials; interested in learning? |
| mfterm | IC Card Cracking | Shell | Interactive IC card file writing tool | Modifying card data is the ultimate IC card cracking |
| pixiewps | WiFi Cracking | Cmd-Line | Cracks WPS-enabled WiFi by exploiting a flaw in WPS random number generation | Some say it's fast, others say the success rate is relatively low |
| reaver | WiFi Cracking | Cmd-Line | A brute-force cracking tool for WPS-enabled WiFi | Second only to aircrack-ng among WiFi cracking tools |
| wifite | WiFi Cracking | Cmd-Line | A relatively automated WiFi cracking tool | |
| apktool | Android Reverse Engineering | Cmd-Line | Restores XML and graphic resources from APK files | |
| clang | Compiler | Cmd-Line | A compiler similar to GCC; lighter, and compiles C, C++, and Objective-C | |
| clang++ | Compiler | Cmd-Line | C++ compiler; related to clang as g++ is to gcc | |
| dex2jar | Android Reverse Engineering | Cmd-Line | apktool restores an APK to resources and DEX; dex2jar converts DEX to JAR (.class files) | |
| edb-debugger | Dynamic Debugging | GUI | Dynamic debugging tool for software reverse engineering | Linux version of OllyDbg |
| flasm | Disassembly | Cmd-Line | SWF disassembler; can disassemble the script code in .swf files | |
| jad | Decompilation | Cmd-Line | dex2jar restores files to .class; JAD further restores them to .java | |
| javasnoop | Fuzz Testing | GUI | Java vulnerability assessment tool | |
| nasm shell | Assembly | Shell | NASM is a 32-bit assembler, and this is a NASM shell | |
| ollydbg | Dynamic Debugging | GUI | Famous dynamic debugging tool for Windows; runs under Wine on Linux and has compatibility issues | |
| radare2 | Static Analysis | Cmd-Line | Static disassembly analysis tool similar to IDA; highly functional and open source | Command-line operation adds some difficulty |
| armitage | Exploit Utilization | GUI | GUI for Metasploit | Seems better than the original MSF GUI, but having to start MSF yourself and log in makes it less appealing |
| beef | Exploit Utilization | Cmd-Line | Combines MSF exploits with XSS to create a malicious HTML page; when a browser visits it, the browser is attacked and a shell is obtained | Quite impressive, but not sure how effective it is on modern browsers |
| metasploit | Exploit Utilization | Shell | Just start msfconsole | |
| msf payload center | Exploit Utilization | Cmd-Line | Generates executables for Windows/Android, etc., with built-in exploits; useful for making trojans | What's the difference from msfvenom? |
| searchsploit | Exploit Utilization | Cmd-Line | Searches the exploit scripts downloaded locally from Exploit-DB | MSF's exploits can be understood as being written in Ruby, whereas these exploits may not be Ruby, or may be just descriptions instead of code |
| Social-Engineering | Exploit Utilization | Shell | Generally used to create files with embedded exploits to bait the target into opening them and getting hit | Social engineering is always said to be mighty, but I always feel social engineering and DDoS are the most overrated |
| termineter | Exploit Utilization | Shell | Smart meter attack framework | This probably requires hardware support; I've never tried it |
| bdfproxy | Man-in-the-Middle Attack | | Inserts payloads into traffic while in a man-in-the-middle position | |
| driftnet | Image Sniffing | Cmd-Line | Sniffs images in traffic and displays them in X Window | With ARP spoofing as a man in the middle it can be powerful; otherwise it's just fun to sniff your own traffic |
| ettercap | Traffic Interception | GUI | Heard it can intercept traffic on the same subnet; extremely powerful, but what's the principle? | |
| hamster | Proxy | Cmd-Line | Seems to forward traffic as a proxy | |
| macchanger | MAC Spoofing | Cmd-Line | Changes the MAC address to hide identity or bypass a WiFi MAC blacklist | It's probably just a software-level change; it can't be written to the hardware for real, right? |
| mitmproxy | Proxy | Cmd-Line | Seems to forward traffic as a proxy | Doesn't feel very special |
| netsniff-ng | Traffic Capture | Cmd-Line | High-performance traffic capture suite; stable at high traffic volumes | |
| responder | Host Sniffing | Cmd-Line | Passively sniffs the operating system version of hosts interacting with this host | |
| wireshark | Traffic Capture | GUI | Captures all traffic passing through a specified network card | No need to elaborate; it has long ranked first on SecTools |
| backdoor | | | | |
| exe2hex | Encoding Conversion | Cmd-Line | As the name suggests, converts exe files to hex files | What is the purpose of this, if hex files can be opened directly? |
| Intersect | Script Generation | Shell | Seems to be a tool for generating SQL with aggressive Intersect statements | |
| mimikatz | Password Extraction | Cmd-Line | Extracts passwords from Windows memory | |
| nishang | Post-exploitation | Cmd-Line | A PowerShell-based post-exploitation tool | |
| PowerSploit | Post-exploitation | Cmd-Line | Another PowerShell-based post-exploitation tool | |
| proxychains | Multiple Proxies | Cmd-Line | Seems to be used for configuring multiple proxies | |
| weevely | Webshell | Shell | Webshell connection tool, although it seems you need to use your own small trojan | |
| autopsy | Web Analysis | Web | Launches a service accessed through a browser; seems to analyze various web elements; not fully understood | |
| binwalk | File Identification | Cmd-Line | Analyzes whether a single file contains multiple embedded files | Commonly used for extracting key files in CTFs |
| bulk_extractor | Element Extraction | Cmd-Line | Scans a given directory or file and outputs files if it finds key information such as phone numbers, URLs, etc. | |
| chkrootkit | System Check | Cmd-Line | Scans the host for areas affected by rootkits | Similar to 360's malware scan |
| foremost | File Recovery | Cmd-Line | Recovers deleted files, like the file recovery function in apps such as 360 | |
| galleta | Cookie Files | Cmd-Line | Analyzes IE cookie files and outputs useful information | |
| hashdeep | Hash Calculation | Cmd-Line | Calculates file hash values; supports multiple hashing algorithms | |
| volafox | Memory Analysis | Cmd-Line | Memory analysis tool for Mac OS X; reads the process list and other host information from memory images | Capture the current memory with other tools first, then analyze; memory data is easily corrupted, so this is quite meaningful |
| volatility | Memory Analysis | Cmd-Line | Extension of volafox; supports Mac OS X/Linux/Windows | |
| casefile | Report Writing | GUI | Drawing tool used for scene topology, as Packet Tracer is for network topology | Creates impressive reports |
| cutycapt | Webpage Screenshot | Cmd-Line | WebKit-based webpage screenshot tool; captures the rendered page of a specified URL | Similar tools are used in scanners to take screenshots without a browser |
| dradis | Report Generation | Web | Parses scan files generated by Burp Suite/Nmap and converts the results to PDF or HTML | |
| faraday IDE | Report Management | GUI | | |
| keepnote | Notebook | GUI | Compared to Notepad, it allows creating folders, supports rich text, and can export to other formats | |
| magictree | Report Management | GUI | | |
| pipal | Word Frequency Statistics | Cmd-Line | "Word frequency statistics" may be an inaccurate label; the command analyzes and sorts the "various mosts" of the words in a given file | |
| recordmydesktop | Screen Recording | Cmd-Line | Screen recording; outputs .ogv format | The video format seems to take up a lot of disk space |
| maltegoce | Relationship Analysis | GUI | Obtains the topological relationships between an IP or email and other IPs or emails through web searches | It claims to be strong, but social engineering stuff isn't that strong, and it's a foreign tool used on Chinese networks |


