Kali Linux is a Debian-based Linux distribution originally designed for offensive information security. It contains tools for penetration testing, network security, bug hunting, cybersecurity research, digital forensics, and reverse engineering.
At its 10th anniversary, Kali released Kali Purple 2023.1, a variation of the original build. It includes additional tools focused on defensive information security plus a new defensive menu structure:
| Identify | Protect | Detect | Respond | Recover |
|---|---|---|---|---|
![]() |
![]() |
![]() |
![]() |
![]() |
Note: Most of these tools were already part of Kali; they are simply organised in a way that makes sense for a blue/purple team rather than a purely red team approach.
FEATURED DEFENSIVE TOOLS
- Arkime
- CyberChef
- Elastic Security
- Security information and event management tool that combines SIEM, EDR, and cloud security capabilities [Link].
- Greenbone Vulnerability Manager
- TheHive
- Malcolm
- Suricata
- A network IDS appliance. As included in the Kali Purple build, it is NOT meant to be used as a router but in campaigns [Link].
- Zeek
- Kali Autopilot
- An attack script builder framework for automated attacks. It can share scripts for blue teams to run against, as well as practice packet captures for network analysis training [Link].
CHEAT SHEET
Identify
amass- OWASP Amass is an open source tool written in Go for network mapping, attack surface discovery, and asset discovery using both active and passive techniques [Link].
amass intelfor intelligence gathering.-activeenables active methods.-d,-addr,-asn, and-cidrdefine a list or range of in-scope targets.-dfand-deprovide file lists of domains to include and exclude from scope.-whoisand-orgsearch directories for reverse whois and organisation names respectively.-
amass intel -list amass intel -whois -d domain.com amass intel -org CompanyName
amass enumfor enumeration.-activeand-passiveenable active methods or define a purely passive scan.-df,-ef, and-blfspecify files for domains to include, exclude, root names, and blacklisted domains respectively.-dns-qps,-max-dns-queries, and-min-for-recursiveset limits.-ifacespecifies the interface to send traffic from (a VPN such astun0is recommended).-
amass enum -list amass enum -min-for-recursive 5 -ip -brute -v -src -d domain.com
amass vizcreates a visualisation graph to add structure to collected information.-oand-oAuse an existing output file as source and set the prefix for the output file name respectively.-graphistry,-maltego, and-dotdefine the graph output format.-
amass viz -graphistry -d domain.com amass viz -maltego -d domain.com
amass trackanalyses a target over time across logged enumerations.-
amass track -d domain.com
-
amass dbviews collected data stored in the database or output directory.-
amass db -d domain.com
-
- In all cases, additional flags are available for help (
-h), extra verbosity (-v), or quiet output (-silent). See the documentation for more [Link].
assetfinder- Passively finds related domains and subdomains for in-scope targets [Link].
-
sudo apt install assetfinder -y assetfinder -h assetfinder domain.com
cisco-auditing-tool- Scans Cisco devices and appliances for common vulnerabilities.
-hand-ffor a single host or a list of hosts.-pspecifies the port number.-wand-ause word and password lists.-
sudo apt install cisco-auditing-tool -y CAT --help CAT 192.168.1.1
- Scans Cisco devices and appliances for common vulnerabilities.
defectdojo- A vulnerability management platform for DevSecOps teams [Link], with triage support and integrations for Jira and Slack.
-
sudo apt install defectdojo -y defectdojo start defectdojo stop
- Navigate to http://127.0.0.1:42003 and use the following command to create an admin user:
-
cd /usr/lib/defectdojo && sudo -u _defectdojo -- python3 manage.py createsuperuser

hb-honeypotmaltego- Maltego graphically illustrates and analyses output from intelligence and forensics tools [Link], making it easy to spot patterns that might otherwise go unnoticed.
-
sudo apt install maltego -y

maryam- OWASP Maryam is an OSINT-based framework for data acquisition and aggregation [Link].
-
sudo apt install maryam -y maryam -e show modules maryam -e crt -q "domain.com" maryam -e github -q "userName"
nipper- Audits the configuration of Cisco routers, firewalls, switches, and other network devices for security issues [Link]. Note: this tool appears to be unmaintained.
-
sudo apt install nipper-ng -y nipper --ios-switch --input=/PATH/switch.config --xml --output=audit.xml
osrframework- A set of libraries for OSINT collection tasks [Link].
usufyidentifies social media sites containing a given username.mailfysearches for a given email address or username.phonepylooks for a phone number in popular directories.domainfyfinds domains matching a query that resolve to an IP.searchfysearches all sources for a given string or name.checkfyfinds potential email addresses based on known aliases and patterns.-
sudo apt install osrframework -y usufy -n userName mailfy -n userName phonefy -n phoneNumber domainfy -n domainPrefix searchfy -q 'Full Name'
searchsploit- A CLI tool to query the Exploit Database [Link]. It searches for exploits by query string or filter against a local copy of the database.
- This database is maintained by the Kali team, but other relevant databases should also be considered during a thorough campaign (not all are equally trustworthy):
-
sudo apt install exploitdb -y searchsploit sftp windows searchsploit sftp windows --json searchsploit -p 40828 searchsploit sftp --exclude="(PoC)|/dos/" searchsploit --cve 2021-44228
tiger- A collection of tools for internal security auditing and intrusion detection on UNIX-based systems [Link].
- Run
sudo tigerfor a full audit.-lspecifies the output directory.-Ggenerates MD5 signatures for binary files to detect tampering.-eand-Eprovide explanations for findings.-qlimits output to security issues only.-
sudo apt install tiger -y sudo tiger tiger -l /PATH/ tiger -G
- Kali’s documentation also mentions the alternatives
checksecurity,lsat, andyasat.
wapiti- A web application dynamic tester [Link] that fuzzes and injects well-known exploits for SQL, XSS, Shell, XXE, CRLF, CSRF, and more.
-
sudo apt install wapiti -y wapiti -u http://domain.com/app
witnessme- This tool is not listed on the Kali tools page and has no
manfile. It appears to take screenshots of remote hosts, possibly via VNC.
- This tool is not listed on the Kali tools page and has no
zap- OWASP ZAP is a proxy tool similar to Burp Suite, used for web application pentesting [Link].
- It may not be my favourite tool, but it gets the job done without feature throttling (unlike Burp Community Edition for non-paying users).

Protect
clamav- ClamAV is probably the most widely used open source antivirus for Linux [Link].
- This signature-based AV engine is the default in many open source projects for scanning email, traffic, and files.
-
sudo apt install clamav clamav-daemon -y sudo clamscan --infected --remove --recursive /PATH
cryptsetupfwbuilder- Firewall Builder is a GUI for creating, editing, and auditing firewall policies across various vendors and platforms [Link].
- It displays rules and policies as objects in a directory structure.
-
sudo apt install fwbuilder -y

Detect
grokevt- GrokEVT uses multiple scripts to parse legacy Microsoft Windows event logs [Link]. It appears to be unmaintained.
-
sudo apt install grokevt -y grokevt-parselog -l /var/db/grokevt/mysystem grokevt-parselog /var/db/grokevt/mysystem System grokevt-findlogs dumpDisk.img
sentrypeer- A decentralised project for protecting SIP/VoIP servers without relying on centralised infrastructure [Link].
- It uses a peer-to-peer method to share suspicious IPs and phone numbers between servers to detect fraud and trigger notifications.
-
sudo apt install sentrypeer -y sentrypeer -w -j -f /PATH/sentrypeer.db -l /PATH/json.log
Respond
dc3dd- A forensics tool similar to
ddbut with additional features such as automatic bad sector skipping, hash generation over the copied data stream, compression, and encryption [Link]. -
sudo apt install dc3dd -y dc3dd -i dc3dd if=/dev/sda of=image.dd hash=sha512
- A forensics tool similar to
ewf-tools- A set of forensics tools and libraries with support for EWF (Expert Witness Format) image files [Link].
ewfacquirewrites device storage to EWF files.ewfacquirestreamwrites data from standard input to EWF files.ewfexportexports storage media data from EWF files to RAW or a specific EWF version.ewfinfodisplays EWF metadata.ewfmountmounts EWF files.ewfrecovercreates a new set of EWF files from a corrupt set.ewfverifyverifies EWF integrity and authenticity.-
sudo apt install ewf-tools -y ewfinfo image.E01 ewfverify image.E01 ewfmount image.E01 /PATH ewfrecover image.E01 /PATH sudo ewfacquire /dev/sda image.E01 sudo ewfacquirestream /dev/sda - | ssh [email protected] "cat > /PATH/image.E01" ewfacquirestream image.raw | ssh [email protected] remote.example.com "cat > /PATH/image.E01" ewfexport image.E01 -f raw -t image.dd
- A set of forensics tools and libraries with support for EWF (Expert Witness Format) image files [Link].
foremost- A file recovery tool that reads from image files or directly from a storage device [Link].
-
sudo apt install foremost -y foremost -t jpg,png -i /dev/sdb1 -o /PATH/RECOVERED/ foremost -c custom.conf -i image.dd -o /PATH/RECOVERED/ foremost -t pdf -i /dev/sdc1 -o /PATH/RECOVERED/ -s /usr/share/foremost/pdf.confidential
galleta- A tool to extract cookies from the defunct Microsoft Internet Explorer.
-
sudo apt install galleta -y galleta -d";" output.txt galleta example.cookie > output.txt
ghidra- Ghidra is an open source GUI tool for software reverse engineering, developed by the NSA [Link]. It supports disassembly, decompilation, and debugging, among other features for analysing binary files and software including malware, firmware, and compiled programs.

guymager- A graphical forensic imaging tool for media acquisition that supports multiple image formats (
dd,ewf, andaff, plus disk cloning) and a multi-threaded engine for fast parallel compression [Link]. 
- A graphical forensic imaging tool for media acquisition that supports multiple image formats (
hashrat- Hashrat generates hashes using md5, sha1, sha256, sha512, whirlpool, jh-244, jh256, jh-384, jh-512, and other algorithms, useful for password generation, file integrity checking, and duplicate detection [Link].
-
sudo apt install hashrat -y cat fileName | hashrat -md5
- Note: the example above is equivalent to
md5sum fileName, but Hashrat offers much more functionality.
sleuthkit- TSK (The Sleuth Kit) is a digital forensics library and collection of command line tools for analysing disk volumes and file systems [Link].
-
sudo apt install libtsk-dev libtsk19 sleuthkit -y
blkcalcblkcatblklsblkstatfcatffindfiwalkflsfsstathfindicatifindilsimg_catimg_statistatjcatjlsjpeg_extractmactimemmcatmmlsmmstatpstatsigfindsortersrch_stringstsk_comparedirtsk_gettimestsk_imageinfotsk_loaddbtsk_recoverusnjls
mac-robber- A sibling project of TSK and Autopsy. Mac-Robber is a digital investigation and incident response tool that collects metadata from allocated files and directories in a mounted file system [Link].
-
sudo apt install mac-robber -y mac-robber /PATH/ mac-robber /PATH/ | mactime -z EST
impacket-scripts- Impacket is a Python library with tools for interacting with network services such as SMB, MSSQL, and LDAP. It is commonly used for password cracking, network sniffing, packet manipulation, password spraying, and privilege escalation by security researchers [Link]. Impacket-Scripts can be used for both offensive (pentesting) and defensive (network monitoring, detection, and incident response) purposes.
-
sudo apt install impacket-scripts -y
-
impacket-addcomputerimpacket-atexecimpacket-dcomexecimpacket-dpapiimpacket-esentutlimpacket-exchangerimpacket-findDelegationimpacket-GetADUsersimpacket-getArchimpacket-Get-GPPPasswordimpacket-GetNPUsersimpacket-getPacimpacket-getSTimpacket-getTGTimpacket-GetUserSPNsimpacket-goldenPacimpacket-karmaSMBimpacket-keylistattackimpacket-kinterceptimpacket-lookupsidimpacket-machine_roleimpacket-mimikatzimpacket-mqtt_checkimpacket-mssqlclientimpacket-mssqlinstanceimpacket-netviewimpacket-nmapAnswerMachineimpacket-ntfs-readimpacket-ntlmrelayximpacket-pingimpacket-ping6impacket-psexecimpacket-raiseChildimpacket-rbcdimpacket-rdp_checkimpacket-regimpacket-registry-readimpacket-rpcdumpimpacket-rpcmapimpacket-sambaPipeimpacket-samrdumpimpacket-secretsdumpimpacket-servicesimpacket-smbclientimpacket-smbexecimpacket-smbpasswdimpacket-smbrelayximpacket-smbserverimpacket-sniffimpacket-snifferimpacket-splitimpacket-ticketConverterimpacket-ticketerimpacket-wmiexecimpacket-wmipersistimpacket-wmiquery
-
netsniff-ng- Netsniff-ng is a free Linux networking toolkit for network development, analysis, debugging, auditing, and reconnaissance [Link]. Source code available at [Link].
-
sudo apt install netsniff-ng
netsniff-nga zero-copy analyser and pcap capture/replay tool compatible withtcpdumpandwireshark.trafgena multi-threaded, low-level, zero-copy network packet generator (including raw 802.11 frames).mausezahna high-level packet generator for network appliances with a Cisco-style CLI, useful for stress testing, malformed packets, and malicious packet tests.bpfca BPF (Berkeley Packet Filter) compiler and disassembler with support for undocumented Linux filter extensions.ifppsa top-like kernel networking statistics tool.-dor--devspecifies the device.-nor--num-cpusspecifies the number of CPUs/cores to display in ncurses mode (default: 10).-tor--intervalsets the refresh interval (default: 1000ms).-cor--csvoutputs data in CSV format.-oor--omit-headeromits headers when used with-c.-lor--loopcontinuously outputs data to the terminal after each refresh interval. Requires-c.-mor--medianshows median values across all CPUs/cores for load and interrupts.-por--promiscenables promiscuous mode on the NIC. May also require hypervisor-level changes in virtualised environments.-Por--percentageshows values relative to the line rate.-Wor--no-warnsuppresses warnings.-
ifpps eth0 sudo ifpps -pd eth0 sudo ifpps -lpcd eth0 > eth0raw.data sudo ifpps -lpcd wlan0 > wlan0raw.data
flowtopa top-like netfilter connection tracking tool.-4or--ipv4for IPv4 only.-6or--ipv6for IPv6 only.-Tor--tcpfor TCP traffic only.-Uor--udpfor UDP traffic only.-Ior--icmpfor ICMP traffic only.-Dor--dccpfor DCCP traffic only.-Sor--sctpfor SCTP traffic only.-nor--no-dnsdisables reverse DNS lookups.-sor--show-srcshows the source IP.-bor--bitsshows speed in bits/s instead of bytes/s.-Gor--no-geoipdisables the GeoIP database (recommended; known to be buggy).-uor--updateupdates the local GeoIP database.-tor--intervalsets the refresh interval in seconds (default: 1). All flags can be combined.-
sudo flowtop -4UTIGs
-
- For the GeoIP database:
-
sudo mkdir /usr/share/netsniff-ng sudo flowtop --update
- You may encounter a missing
GeoIP.dat.gzfile that can no longer be retrieved from mirrors. As a workaround, download and place the file in the specified directory manually, or disable GeoIP with-G.
-
curvetuna lightweight Curve25519-based IP tunnel using TUN/TAP to transfer IPv4/IPv6 TCP/UDP traffic over IPv4/IPv6.astraceroutean autonomous system (AS) traceroute utility that provides additional AS and GeoIP information compared totracerouteandtcptraceroute.
ollydbg- OllyDbg is a 32-bit assembler-level debugger and decompiler for Microsoft Windows binaries [Link]. It requires
wineto run on Linux and is useful for malware analysis. Note: it is not open source. -
sudo dpkg --add-architecture i386 && sudo apt update && sudo apt -y install wine32 ollydbg
- It may fail if
winecannot loadkernel32.dll.
- It may fail if
- OllyDbg is a 32-bit assembler-level debugger and decompiler for Microsoft Windows binaries [Link]. It requires
rkhunter- Rootkit Hunter is an open source Unix-based tool that scans for rootkits, backdoors, and local exploits [Link].
- It compares hashes of important local files against known-good values in online databases.
- It also searches for rootkits, incorrect permissions, hidden files, suspicious strings in kernel modules, and performs specific tests for Linux and FreeBSD.
-
sudo apt install rkhunter -y sudo rkhunter --update sudo rkhunter --propupd sudo rkhunter -c --enable all --disable none --rwo sudo rkhunter --check sudo tail -f /var/log/rkhunter.log
- Note: There is limited value in running it directly on Kali unless it has a secondary drive mounted (cloned from a production server) and you use
chrootto scan that system instead. It is most useful when run periodically on production environments as a cronjob with email notifications enabled (e.g.0 3 * * * root /usr/bin/rkhunter --cronjob --update --quiet).
- Note: There is limited value in running it directly on Kali unless it has a secondary drive mounted (cloned from a production server) and you use
unhide- Unhide is a forensics tool that detects processes and open ports hidden by rootkits, LKMs (loadable kernel modules), or other techniques [Link].
-
sudo apt install unhide -y
unhidereveals processes hidden from the process list.brutean aggressive method that checks areas not covered by default.procchecks a specific process ID.procalluses all available methods includingbrute.procfsrelies on/procto obtain the process list.quicka faster, less intrusive check.reverseruns checks in reverse order, starting frombrute.sysrelies onsyscallto obtain the process list.-
sudo unhide proc sudo unhide procall sudo unhide -v brute
unhide-linuxlooks for processes hidden via Linux kernel modules.-
sudo unhide-linux reverse
-
unhide-posixchecks for hidden TCP/UDP ports (backdoors).-
sudo unhide-posix sys sudo unhide-posix proc
-
unhide-tcpalso checks for hidden TCP/UDP ports (backdoors).-
sudo unhide-tcp -v
-
unhide_rbchecks for hidden processes using C functions commonly found in rootkits, written in Ruby.-
sudo unhide_rb
-
- Note:
unhide-guiis not included in Kali and does not appear to be functional.
wireshark- Wireshark is a network protocol analyser that captures traffic in real time, commonly used for troubleshooting, monitoring, and identifying security vulnerabilities [Link].
xplico- Xplico is a network forensics tool that extracts content from PCAP files [Link]. For example, it can reconstruct web pages, transferred files, and VoIP calls. It also offers a web interface at http://127.0.0.1:9876 (default credentials: admin:xplico).
-
sudo xplico-webui

-
- Command-line usage:
-
xplico -m pcap -f file.pcap sudo xplico -m rltm -i eth0
-
- Xplico is a network forensics tool that extracts content from PCAP files [Link]. For example, it can reconstruct web pages, transferred files, and VoIP calls. It also offers a web interface at http://127.0.0.1:9876 (default credentials: admin:xplico).
yara- YARA rules identify patterns in malware binaries to aid in signature-based classification [Link].
-
sudo apt install yara libyara9 libyara-dev -y
Recover
ddrescue- A widely used tool for recovering data from drives with damaged sectors or blocks [Link]. Other options include SpinRite (not open source, but widely regarded as the most powerful) [Link], MyRescue, Testdisk, Photorec, Foremost, and Scalpel.
-
sudo ddrescue -f --no-split /dev/sdb1 /dev/sdc1 output.log
ext3grep- A forensics tool for recovering deleted files [Link]. Note: unmaintained, as ext3 is considered obsolete.
-
sudo apt install ext3grep -y ext3grep --dump-names /dev/sdb1 | grep 'fileName' ext3grep --ls --group 1000 /dev/sdb1 ext3grep --restore-all /dev/sdb1
ext4magic- ext4magic was inspired by ext3grep and extundelete and can restore deleted files from ext3/ext4 file systems using the journal [Link].
-
sudo apt install ext4magic -y sudo ext4magic /dev/sdb1 -M -d /PATH/Recovered/
extundelete- ExtUndelete attempts to recover deleted files using clues found in the partition journal [Link].
-
sudo apt install extundelete -y sudo extundelete /dev/sdb1 --restore-all
myrescue- MyRescue is an alternative to ddrescue that makes a best effort to recover data from defective drives [Link].
-
sudo apt install myrescue -y
recoverdm- RecoverDM recovers data from bad sectors by reading in raw mode while ignoring errors. It is a defunct, discontinued application with no official website.
-
sudo apt install recoverdm -y
recoverjpeg- RecoverJPEG attempts to recover deleted JPEG and MOV files (using
recovermov) from a partition [Link]. -
sudo apt install recoverjpeg -y
- RecoverJPEG attempts to recover deleted JPEG and MOV files (using
scrounge-ntfs- Scrounge NTFS reads each block of a disk and attempts to rebuild the original file system structure into an output directory [Link].
-
sudo apt install scrounge-ntfs -y sudo scrounge-ntfs -l /dev/sdb scrounge-ntfs -m
-c -o /PATH/Recovered/ /dev/sdb
undbx- UnDBX recovers deleted emails from MS Outlook
.dbxfiles [Link] and can also recover emails or fragments from corrupted files. -
sudo apt install undbx -y
- UnDBX recovers deleted emails from MS Outlook




