
Tools for Pentesting in Kali: The Only 6 You Actually Need
Kali Has 600+ Tools. You Need About 6.
Every Kali Linux install ships with an overwhelming menu of tools for pentesting. New testers open that Applications menu and freeze. The dirty secret? Most working pentesters rotate through a tiny subset for 90% of web app engagements.
I've watched junior testers waste entire days trying exotic tools when the basics, used well, would've found the same vulns in an hour. Here's the shortlist I actually use, with honest takes on each.
The Core 6 (And When Each One Wins)
1. Burp Suite (Community Edition)
Pre-installed in Kali. This is your home base for web app testing. The proxy intercepts every request, the repeater lets you surgically modify parameters, and the scanner (Pro only) catches low-hanging fruit automatically.
- Best for: Manual testing, parameter tampering, auth bypass
- Weakness: Community edition lacks the automated scanner and rate-limits Intruder. You're doing everything by hand.
- Verdict: Non-negotiable. Learn the Repeater and Intruder tabs deeply before touching anything else.
2. Nmap
Port scanning is step one. Version detection (-sV) and the NSE scripts make Nmap far more than a port scanner: the vuln script category checks services for known CVEs, and scripts such as dns-brute enumerate subdomains.
```bash
# Quick service detection + the vuln script category, results saved as plain text
nmap -sV --script=vuln -oN scan_results.txt target.com
```
- Best for: Reconnaissance, service fingerprinting
- Weakness: Noisy. Any decent IDS will flag aggressive scans, and the vuln category includes intrusive scripts, so run it only where the authorization explicitly covers it.
- Pro tip: Use -T2 timing for slower, less conspicuous scans during authorized tests. --randomize-hosts only helps when you are scanning a list of hosts; against a single target it changes nothing.
3. ffuf (Fuzz Faster U Fool)
Directory and parameter fuzzing. Gobuster was the standard, but ffuf is faster and more flexible. It handles directory brute-forcing, parameter discovery, and virtual host enumeration in one tool.
```bash
# Directory fuzzing. Match everything, then filter only 404: a 403 is a path that
# exists and you are not allowed to see, which is exactly what you want to know.
# On servers that answer 200 for every path, add -ac to auto-calibrate the filters.
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc all -fc 404
```
- Best for: Finding hidden endpoints, admin panels, backup files
- Weakness: Garbage in, garbage out. Your wordlist matters more than the tool.
- Verdict: Replaced dirb, dirbuster, and gobuster in my workflow entirely.
4. sqlmap
Automated SQL injection detection and exploitation. Feed it a URL with a parameter, or a raw request saved from Burp via -r, and it'll test every injection technique in the book.
- Best for: Confirming and exploiting SQLi after you've identified a suspicious parameter manually
- Weakness: Dangerous on production systems. The default behavior is loud and can corrupt data.
- Critical: Start with --risk=1 --level=1 (the defaults) and escalate only when needed. --risk=3 adds OR-based payloads that can modify or delete rows if the injection lands inside an UPDATE or DELETE statement.
5. Nikto
Old-school web server scanner. It checks for outdated software, dangerous default files, and misconfigurations. Not glamorous, but it catches things other tools miss, such as exposed .git directories and default credentials on well-known applications.
- Best for: Quick baseline scan of web servers
- Weakness: Extremely noisy, tons of false positives. Treat results as leads, not findings.
6. John the Ripper + Hashcat
Grouping these together because they solve the same problem: cracking captured hashes. John's default build runs on the CPU, auto-detects most hash formats, and its *2john helpers (zip2john, ssh2john, and so on) turn captured files into crackable hashes, which makes it great for quick checks. Hashcat runs on your GPU, needs the hash mode given explicitly with -m, and is dramatically faster for serious cracking.
- Best for: Post-exploitation password cracking
- Verdict: Start with John for convenience, switch to Hashcat when speed matters.
What I Deliberately Left Out
Metasploit — essential for network pentesting, but overkill for most web app assessments. If you're testing APIs and web apps, the tools above cover 90% of your needs.
Wireshark — great for network analysis, rarely needed for web app testing when you have Burp's proxy.
Aircrack-ng — wireless testing is a different discipline entirely. Don't conflate it with web app pentesting.
The Real Workflow
Tools matter less than the order you use them. Here's the actual sequence:
- Nmap — identify open ports and services
- Nikto — baseline server scan for obvious misconfigs
- ffuf — discover hidden endpoints and parameters
- Burp Suite — manually test everything interesting you found
- sqlmap — confirm and exploit injection points
- John/Hashcat — crack any hashes you've captured
Each tool's output feeds the next. Skip a step and you'll miss context that makes the next tool effective.
Action Items
- Pick one tool and go deep. Spend a week mastering Burp's Repeater before adding more tools. Shallow knowledge across 20 tools is worse than deep knowledge of 5.
- Build your own wordlists. Combine SecLists (GitHub) with target-specific terms scraped from the app itself. Custom wordlists in ffuf dramatically improve hit rates.
- Automate your recon chain. Write a simple bash script that runs Nmap → Nikto → ffuf in sequence and consolidates output. You'll reuse it on every engagement. If you want a faster first pass on your own apps, tools like PreBreach can automate web app scanning without the Kali setup overhead.
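The workflow section and the last action item both describe the same chain: Nmap, then Nikto, then ffuf, with each tool's output feeding the next. Here is one way to script it. This is an added example for this post, not the author's script or any tool's official code. It assumes nmap, nikto and ffuf are on PATH and that the dirb common wordlist sits where a stock Kali install puts it; the target host and output directory are arguments. The parsing of Nmap's grepable output is done in awk so it can be exercised without scanning anything, and the sample grepable line at the bottom is constructed, not real scan output.

```shell
#!/usr/bin/env bash
# recon.sh: run nmap -> nikto -> ffuf against one target and collect all
# output in one directory. Added example for this post; not the author's
# script and not any tool's official code.
#
# Usage: ./recon.sh target.example ./out
#
# Assumptions (edit to taste): the three tools are on PATH, and the wordlist
# is the dirb common list that a stock Kali install ships.
WORDLIST="${WORDLIST:-/usr/share/wordlists/dirb/common.txt}"

# Read nmap grepable output (-oG, or the .gnmap file written by -oA) and print
# one "scheme port" pair per open web service, e.g. "http 80" and "https 443".
# Pure awk, so it can be exercised without running nmap at all.
http_ports_from_grepable() {
    awk -F'Ports: ' '/Ports: / {
        split($2, parts, "\t")            # the port list ends at the tab before "Ignored State"
        n = split(parts[1], fields, ",")
        for (i = 1; i <= n; i++) {
            # each entry: port/state/proto/owner/service/rpcinfo/version/
            split(fields[i], f, "/")
            gsub(/^ +/, "", f[1])
            if (f[2] != "open") continue
            svc = f[5]
            if (svc ~ /^https/ || index(svc, "ssl|http") > 0) print "https " f[1]
            else if (svc ~ /^http/) print "http " f[1]
        }
    }' "$@"
}

# Build the URL that nikto and ffuf will be pointed at: web_url host scheme port
web_url() {
    printf '%s://%s:%s\n' "$2" "$1" "$3"
}

run_chain() {
    target="$1"
    outdir="$2"
    mkdir -p "$outdir"
    for tool in nmap nikto ffuf; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done

    # 1. Version scan, polite timing, vuln scripts. -oA writes .nmap/.gnmap/.xml.
    nmap -sV -T2 --script=vuln -oA "$outdir/nmap" "$target"

    # 2 + 3. For every open web port: nikto baseline, then ffuf directory fuzz.
    http_ports_from_grepable "$outdir/nmap.gnmap" | while read -r scheme port; do
        url="$(web_url "$target" "$scheme" "$port")"
        tag="${scheme}_${port}"
        nikto -h "$url" -output "$outdir/nikto_$tag.txt"
        # -ac auto-calibrates filters against catch-all responses; 403s are kept
        # on purpose, since they mark paths that exist.
        ffuf -u "$url/FUZZ" -w "$WORDLIST" -ac -o "$outdir/ffuf_$tag.json" -of json
    done

    # 4. One file to read before opening Burp.
    {
        echo "== nmap =="
        cat "$outdir/nmap.nmap"
        for f in "$outdir"/nikto_*.txt "$outdir"/ffuf_*.json; do
            [ -e "$f" ] || continue
            echo "== $f =="
            cat "$f"
        done
    } > "$outdir/summary.txt"
    echo "done: $outdir/summary.txt"
}

# Constructed sample of one nmap grepable host line (not real scan output),
# used to check the parser without touching a network.
SAMPLE_GNMAP="$(printf '# Nmap 7.94 scan initiated (constructed sample)\nHost: 10.0.0.5 (target.example)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, 80/open/tcp//http//nginx 1.22.1/, 443/open/tcp//ssl|https//nginx 1.22.1/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)\n')"

if [ "$#" -ge 2 ]; then
    run_chain "$1" "$2"
else
    echo "usage: $0 <target> <outdir>   (parser self-check follows)" >&2
    printf '%s\n' "$SAMPLE_GNMAP" | http_ports_from_grepable
fi
```

Run it as `./recon.sh target.example ./out` during an authorized test; with no arguments it only prints a usage line and runs the parser over the constructed sample, which should yield `http 80` and `https 443` (the filtered 8080 and the SSH port are skipped). The -T2 timing makes the Nmap stage slow; drop it when stealth is not a concern.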