Top 10 Kali Linux Tools Ethical Hackers Use Daily But Never Talk About
Mr Elite ··
18 min read
Every Kali Linux tutorial covers Nmap, Metasploit, and Burp Suite. These are important tools and you should know them. But on a real engagement — an actual eight-day internal network assessment against a properly defended enterprise — the tools you use most are not the ones in the tutorials. They are the workflow tools: the session manager that keeps your twelve terminal windows organised, the wordlist repository that makes every scanner actually find something, the pivot tool that routes your attacks through the compromised machine to the isolated network segment, and the Windows protocol library that does in three commands what manual exploitation takes an hour to set up. These are the ten tools that professional penetration testers use on every engagement but that almost no beginner content covers.
🎯 What You’ll Learn
The top 10 kali tools that appear in professional penetration test workflows but rarely in tutorials
Specific real-world commands and use cases for each tool
How each tool fits into the assessment lifecycle
Installation commands for any not already present in Kali
⏱️ 40 min read · 3 exercises
📊 Which of these tools have you actually used?
✅ If you answered 0-3: this article will upgrade your Kali workflow significantly. If 4-7: the tools you haven’t used yet are likely the ones doing the most work in the real assessments — check the pivoting and Active Directory sections specifically. If 8-10: look for the workflow combination tips — how these tools work together is where the real efficiency gain is.
1. tmux — Terminal Multiplexer (The One That Changes Everything)
Tmux is the single tool that most dramatically changes how professional penetration testers work. It persists terminal sessions through SSH disconnections (your Nmap scan keeps running), splits a single terminal window into multiple panes, and organises parallel workflows across multiple named windows. On a real assessment you might have: one pane running a long Nmap scan, one pane with an active Meterpreter session, one pane showing BloodHound ingestor output, and one pane taking notes — all visible simultaneously in a single terminal.
TMUX — ESSENTIAL COMMANDS FOR PENETRATION TESTERS
# Install (usually pre-installed on Kali)
sudo apt install tmux -y
# Start new named session
tmux new -s assessment
# Split horizontally (top/bottom)
Ctrl+b then “
# Split vertically (left/right)
Ctrl+b then %
# Switch between panes
Ctrl+b then arrow keys
# Detach (session keeps running in background)
Ctrl+b then d
# Re-attach to your session
tmux attach -t assessment
# New window (tab)
Ctrl+b then c
# Switch windows
Ctrl+b then 0-9 (window number)
# Professional assessment layout: 4 panes
tmux new -s pentest && Ctrl+b ” && Ctrl+b % && Ctrl+b [arrow to top-left] && Ctrl+b %
🛠️ EXERCISE 1 — KALI TERMINAL (10 MIN)
Set Up a Professional 4-Pane tmux Layout for a Penetration Test
⏱️ Time: 10 minutes · Kali terminal
BUILD THE PROFESSIONAL PENTEST TMUX LAYOUT
# Create a new named assessment session
tmux new -s pentest2026
# Window 1: RECON (current window — rename it)
Ctrl+b then , (comma) → type “recon” → Enter
# Split into 2 panes: top=nmap, bottom=notes
Ctrl+b then ” (split horizontal)
# Label each pane by running a descriptive command
# Top pane: nmap scan placeholder
echo “[ NMAP SCAN OUTPUT ]”
# Bottom pane: notes file
Ctrl+b down → nano /tmp/assessment_notes.txt
# Create Window 2: SHELLS
Ctrl+b then c
Ctrl+b then , → type “shells” → Enter
# Create Window 3: EXPLOITATION
Ctrl+b then c → rename “exploit”
# Save this layout as your standard assessment start
# Test: detach and re-attach
Ctrl+b then d
tmux attach -t pentest2026
# All windows and panes still there
✅ What you just learned: This 3-window layout — recon, shells, exploitation — is the standard starting structure professional testers use. Nmap scan in one pane, notes in another, and separate windows for different phases means you never lose context switching between activities. The detach/re-attach in the last step demonstrates the feature that matters most on remote assessments: SSH to a remote Kali server, create a tmux session, detach, close your laptop, re-connect the next morning, and every running scan and shell is exactly where you left it.
📸 Screenshot your 4-pane tmux layout and share in #kali-tools on Discord.
2. SecLists — The Wordlist Repository That Feeds Everything Else
SecLists is not a single tool — it is the wordlist collection that makes every other tool effective. Gobuster without a quality wordlist finds nothing. Hydra without realistic password lists is useless. Ffuf with a generic wordlist misses 80% of endpoints. SecLists provides: web content discovery wordlists tuned by technology stack (Apache, IIS, Spring, specific frameworks), credential lists sourced from real breach data, fuzzing payloads for SQL injection, XSS, and path traversal, and username formats for credential spraying.
SECLISTS — INSTALL AND KEY WORDLIST LOCATIONS
# Install SecLists
sudo apt install seclists -y
# All wordlists at:
/usr/share/seclists/
# KEY WORDLISTS — memorise these paths
/usr/share/seclists/Discovery/Web-Content/common.txt # web dirs — 4,727 entries
/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt # big web dirs
gobuster dir -u http://TARGET -w /usr/share/seclists/Discovery/Web-Content/common.txt
3. proxychains4 — Route Any Tool Through Any Proxy
Proxychains4 intercepts network calls from any command and routes them through a configured SOCKS or HTTP proxy chain. For penetration testers, this means routing Nmap, Metasploit, Impacket, or any other tool through a pivot point on a compromised host — reaching internal network segments that are not directly accessible from the attacker’s position. The setup: create a SOCKS proxy on the pivot host using SSH port forwarding or a tool like ligolo-ng, configure proxychains4.conf, then prefix any command with proxychains4.
PROXYCHAINS4 — PIVOTING CONFIGURATION
# Edit proxychains config
sudo nano /etc/proxychains4.conf
# Add SOCKS5 proxy at bottom (e.g., SSH tunnel on 1080)
Impacket is a Python library with standalone scripts for attacking Windows network protocols. It implements SMB, NTLM, Kerberos, MSRPC, LDAP, and others from scratch — enabling attacks against Windows infrastructure without needing a Windows machine. The scripts most commonly used in professional assessments: secretsdump for credential extraction, GetUserSPNs for Kerberoasting, GetNPUsers for AS-REP roasting, and ntlmrelayx for NTLM relay attacks.
5. pwncat — The Reverse Shell Handler You Should Be Using
pwncat is a post-exploitation framework and reverse shell handler that makes catching reverse shells significantly more capable than a raw netcat listener. Once a shell connects, pwncat automatically attempts to upgrade to a fully interactive TTY, supports file upload/download, can inject persistence mechanisms, and provides a structured command interface for post-exploitation tasks. It replaces the combination of netcat listener + manual TTY upgrade + manual file transfer that many testers do manually.
PWNCAT — INSTALL AND USAGE
# Install pwncat-cs
pip install pwncat-cs –break-system-packages
# Listen for incoming shell on port 4444
pwncat-cs -l -p 4444
# Once shell connects — pwncat automatically upgrades to full TTY
# Upload a file to the target
upload /local/file.sh /tmp/file.sh
# Download a file from the target
download /etc/shadow /tmp/shadow
# Background the shell (back to pwncat prompt)
Ctrl+d
# List open sessions
sessions
# Re-attach to a session
sessions -i 0
6. ligolo-ng — Modern Network Pivoting
Ligolo-ng has largely replaced chisel and SSH tunneling for network pivoting in professional assessments. It creates a TUN interface on the attacker machine that routes traffic to the internal network through a lightweight agent running on the compromised host — making the pivot transparent at the network level. Tools run normally without proxychains prefix; the internal network appears as directly reachable from the attacker machine. Setup is fast, traffic is encrypted, and it handles multi-hop pivoting for deeply segmented networks.
# Now reach internal hosts directly — no proxychains needed
nmap -sV 192.168.10.0/24 # routes through pivot transparently
🧠 EXERCISE 2 — THINK LIKE A HACKER (10 MIN)
Map Which Tools You Would Use at Each Phase of a Standard Internal Pentest
⏱️ Time: 10 minutes · No tools · text editor
Map each of the 10 tools from this article to the correct
phase of a standard internal network assessment:
PHASE 1 — INITIAL SETUP (before scanning):
Which 2 tools do you configure first, before any attack?
PHASE 2 — RECONNAISSANCE AND SCANNING:
Which tools process large IP ranges efficiently?
Which wordlist collection does your scanner need?
PHASE 3 — INITIAL COMPROMISE AND SHELL:
Which tool handles the incoming reverse shell better than nc?
Which tool supports post-exploitation file transfer?
PHASE 4 — LATERAL MOVEMENT / ACTIVE DIRECTORY:
Which Python library handles Kerberoasting and hash dumping?
Which tool maps AD attack paths?
PHASE 5 — PIVOTING TO ISOLATED SEGMENTS:
Which modern tunneling tool replaces chisel?
Which tool routes existing tools through a proxy without changes?
PHASE 6 — LONG OPERATIONS (multi-day assessment):
Which tool keeps all sessions alive if your SSH drops?
Which API tool helps test internal web services quickly?
Write the tool name for each phase answer.
✅ Answer key: Phase 1 = tmux (session management) + SecLists (wordlists ready). Phase 2 = xargs (parallel scanning) + SecLists directory wordlists. Phase 3 = pwncat (shell handling + file transfer). Phase 4 = Impacket (Kerberoasting, secretsdump) + bloodhound-python (AD mapping). Phase 5 = ligolo-ng (transparent pivot) + proxychains4 (when quick proxy needed). Phase 6 = tmux (persistent sessions) + curl (manual API/web testing). The exercise reveals that the tools in this article are not alternatives to the “famous” tools — they are the infrastructure layer that makes the famous tools work effectively across a real multi-day engagement.
📸 Share your tool-to-phase mapping in #kali-tools on Discord.
7. netcat (nc) — The Swiss Army Knife They Forgot to Remove
Netcat is in every Kali install and every list of “basic tools.” It is here because professionals use it in ways tutorials do not cover. Beyond the standard reverse shell catch (nc -lvnp 4444), experienced testers use netcat for: direct TCP banner grabbing without a full port scanner, file transfer between machines on networks where no other protocol is available, testing that specific ports are reachable through firewalls, and as the backend for manual protocol debugging when something more specialised is broken.
8. curl — The API Testing Tool Hiding in Plain Sight
Every security professional knows curl exists. Almost no tutorial covers how much actual penetration testing work happens in curl rather than Burp Suite. For rapid API testing, custom header injection, multipart form uploads, cookie manipulation, and testing authentication bypasses — curl with the right flags is faster than opening Burp for anything that does not require visual inspection of responses. The flags professionals use constantly: -H for custom headers, -b for cookies, -d for POST data, -k for self-signed certificates, and -x for proxy through Burp.
for i in {1..100}; do curl -s -b “session=TOKEN” https://target.com/api/user/$i; done
9. bloodhound-python — Active Directory Ingestor Without the GUI
BloodHound is covered in the ethical hacking course and is well known. bloodhound-python is the Python-based ingestor that most tutorials gloss over in favour of SharpHound. The advantage: it runs entirely from your Kali machine with only domain credentials — no binary to drop on a Windows host, no AV trigger from executing a .exe on the target. From an attacker machine with credentials and network access to the domain controller, bloodhound-python collects the full Active Directory object graph that BloodHound needs to map attack paths to Domain Admin.
BLOODHOUND-PYTHON — COLLECT AD DATA FROM KALI
# Install
pip install bloodhound –break-system-packages
# Collect all AD data (requires domain credentials)
# Outputs JSON files: users.json, groups.json, computers.json, etc.
# Start Neo4j (BloodHound backend)
sudo neo4j start
# Start BloodHound GUI
bloodhound &
# Import the JSON files via drag-and-drop in BloodHound
# Run “Shortest Path to Domain Admins” query
10. xargs — Running Anything at Scale
Xargs converts standard input into arguments for another command and can run those commands in parallel. For penetration testers, this means: running an Nmap scan against a list of hosts concurrently, running Gobuster against every web server found on a subnet simultaneously, extracting usernames from enum4linux output and feeding them directly into a password spraying tool. One-liner shell pipelines using xargs replace what would otherwise require Python scripts to accomplish efficiently.
XARGS — PARALLEL OPERATIONS FOR PENETRATION TESTING
# Run Nmap against 50 hosts simultaneously (10 at a time)
✅ What you just learned: Having all 10 tools verified and ready is the professional’s starting checklist before any assessment. The time spent installing and testing tools during an actual engagement is time not spent finding vulnerabilities. Many professional testers maintain a hardened Kali VM image with all these tools pre-installed and verified — the “assessment-ready” VM that gets cloned for each new engagement. Building this habit now means you will never find yourself stuck at the wrong moment because a tool wasn’t installed or a wordlist wasn’t in the expected location.
📸 Screenshot all 10 “✓” verification outputs and share in #kali-tools on Discord. Tag #kalitools2026
🧠 QUICK CHECK — Professional Kali Tools
You are on a penetration test with a compromised host on a DMZ network. You need to scan the internal 10.10.10.0/24 network that is only reachable from the DMZ host, not directly from your Kali machine. Which combination of tools from this article do you use?
curlAPI and web testing from command line — custom headers, cookies, auth tokens
bloodhound-pythonAD ingestor from Kali — no Windows binary needed, collects full AD graph
xargsParallel execution — run any tool against large lists concurrently
❓ Frequently Asked Questions
What Kali tools do professionals use that beginners don’t know about?
tmux (session management), proxychains4 (pivoting), pwncat (reverse shell handling), Impacket (Active Directory attacks), ligolo-ng (modern pivoting), SecLists (wordlists), bloodhound-python (AD mapping without Windows binary), and xargs (parallel operations). These are workflow and infrastructure tools that make the well-known attack tools actually work in complex real-world environments.
What is tmux and why do penetration testers use it?
Terminal multiplexer — persists sessions through SSH disconnections, splits terminal into multiple panes, organises parallel workflows. Long scans keep running if your connection drops. Multiple simultaneous shells stay organised. Essential for multi-day assessments.
What is proxychains and when do testers use it?
Routes any tool through a SOCKS proxy. Used when pivoting through a compromised host to reach isolated internal network segments. Configure proxychains4.conf with the SOCKS proxy address, then prefix any command with proxychains4 to route it through the pivot.
What is Impacket and what attacks does it enable?
Python library for Windows protocol attacks — secretsdump (credential extraction), GetUserSPNs (Kerberoasting), GetNPUsers (AS-REP roasting), wmiexec/smbexec (remote execution), ntlmrelayx (NTLM relay). The core Active Directory attack toolkit for Linux-based testers.
What is SecLists and why is it essential?
The standard wordlist repository — directory discovery, password cracking, fuzzing payloads, usernames. Without SecLists, tools like Gobuster, Hydra, and Hashcat lack the quality input they need. sudo apt install seclists. All wordlists at /usr/share/seclists/.
← Related
180-Day Kali Linux Mastery Course
Related →
Kali Linux Commands Tool — 2,955+ Commands
📚 Further Reading
180-Day Kali Linux Mastery Course— The complete Kali Linux course where many of these tools appear in their assessment context — from initial recon through Active Directory attacks and post-exploitation.
Kali Linux Commands Tool— 2,955+ Kali Linux commands across 150 tools in 13 categories — the complete command reference that complements these tool overviews with every flag and syntax option.
BloodHound Tutorial 2026— Day 27 of the Ethical Hacking course covers full BloodHound setup and attack path analysis — the GUI tool that bloodhound-python from this article feeds its data into.
ligolo-ng GitHub Repository— Official ligolo-ng source, precompiled releases, and documentation covering TUN interface setup, multi-hop pivoting, and comparison with alternative pivoting tools.
SecLists GitHub Repository— The official SecLists repository — full wordlist catalogue, contribution guidelines, and the specific list categories covering every penetration testing and bug bounty use case.
ME
Mr Elite
Owner, SecurityElites.com
The tool on this list that changed my workflow most dramatically was tmux. I was on a week-long assessment, SSH’d into a remote Kali server, running a large Nmap scan and a BloodHound collection simultaneously. My internet connection dropped — a routing issue at home that lasted 45 minutes. Before tmux, this would have killed both running processes and I would have needed to restart them, losing potentially hours of scan time. With tmux, I reconnected, ran tmux attach, and both processes were exactly where I left them — the Nmap scan 73% complete, BloodHound showing 12,000 objects collected. That 45 minutes of interrupted connection cost me nothing. I have used tmux on every assessment since. It is the first thing I install on any new Kali machine. If you take nothing else from this article, take tmux.
Leave a Reply