Kali Linux – Web Penetration Testing Tools

Last Updated : 17 Dec, 2021

By 2016, there were around 3424971237+ internet users worldwide. With that many users comes a responsibility to look after their security. Most of the Internet is a collection of websites and web applications. To protect these web applications, they need to be tested against payloads and malware, and Kali Linux provides many tools for that purpose.

Kali Linux comes packed with 300+ tools, many of which are used for web penetration testing. Of these, the following are the most used.

1. Burp Suite

Burp Suite is one of the most popular web application security testing tools. It works as a proxy: all requests from a browser configured to use the proxy pass through Burp Suite. As each request passes through, Burp Suite lets us modify it as needed, which is useful for testing for vulnerabilities such as XSS, SQLi or any other web-related vulnerability. Kali Linux ships with Burp Suite Community Edition, which is free; the paid edition, Burp Suite Professional, has many more functions than the Community Edition.

To use Burp Suite:

  • Read this to learn how to set up Burp Suite.
  • Open a terminal and type “burpsuite”.
  • Go to the Proxy tab and turn the interceptor switch on.
  • Now visit any URL; the request will be captured.


2. Nikto

Nikto is an open-source tool written in Perl that scans a web server for vulnerabilities that could be exploited to compromise the server. It can also check for outdated version details of 1200 servers and detect problems with specific version details of over 200 servers. It comes with many features, a few of which are listed below.

  • Full support for SSL
  • Looks for subdomains
  • Supports full HTTP Proxy
  • Outdated component report
  • Username guessing

To use Nikto, download it and enter the following command.

perl nikto.pl -H


3. Maltego

Maltego is a platform developed to give a clear picture of the environment that an organization owns and operates. It offers a unique perspective on both network and resource-based entities by aggregating information published across the internet: whether it’s the current configuration of a router poised on the edge of our network or any other information, Maltego can locate, aggregate and visualize it. This gives the user unprecedented information, which is leverage and power.

Maltego’s Uses:

  • It is used to exhibit the complexity and severity of single points of failure, as well as the trust relationships that currently exist within the scope of the infrastructure.
  • It is used to collect information for all security-related work. It saves time and allows us to work more accurately and in a smarter way.
  • It aids the thinking process by visually demonstrating the links between searched items.
  • It provides a much more powerful search, giving smarter results.
  • It helps to discover “hidden” information.

To use Maltego, go to the applications menu and select the “maltego” tool to launch it.


4. SQLMap

SQLMap is an open-source tool that automates the otherwise manual process of SQL injection against a parameter on a website. It detects and exploits SQL injection in the parameters itself; all we have to do is provide it with an appropriate request or URL. It supports 34 databases including MySQL, Oracle, PostgreSQL, etc.

To use sqlmap tool:

  • sqlmap comes pre-installed in Kali Linux
  • Just type sqlmap in the terminal to use the tool.


5. Whatweb

Whatweb is an acronym of “what is that website”. It is used to identify the technologies a website is using; these technologies might be a content management system (CMS), JavaScript libraries, etc. It is used for many purposes, a few of which are listed below.

  • To identify the Content Management System used by a web application
  • To get details of the web server used by the web application
  • To identify the embedded devices attached to the web application
  • It consists of 1700+ plugins, each of which recognizes something different.

To run whatweb, execute the following command and replace with the domain name of your choice.



6. whois lookup

whois is a database record of all the registered domains on the internet. It is used for many purposes, a few of which are listed below.

  • It is used by Network Administrators in order to identify and fix DNS or domain-related issues.
  • It is used to check the availability of domain names.
  • It is used to identify trademark infringement.
  • It can even be used to track down the registrants of fraudulent domains.

To use whois lookup, enter the following command in the terminal.


Replace with the name of the website you want to lookup.
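
For the uses listed above (checking availability, identifying the registrar behind a domain), whois output is easier to act on once it is reduced to a few fields. The script below is an added example, not part of the original article: the function name whois_summary, the sample records and the field-label patterns are assumptions, since registries label their fields differently.

```shell
#!/usr/bin/env bash
# Added example: summarise whois output read on stdin.
# Field labels vary by registry; the patterns here are common spellings
# (an assumption, not an exhaustive list).
whois_summary() {
  awk '
    { line = $0; sub(/\r$/, "", line); low = tolower(line) }
    # Typical "no such domain" replies from registries.
    low ~ /no match for|not found|no entries found/ { miss = 1 }
    {
      sep = index(line, ":")
      if (sep == 0) next
      key = tolower(substr(line, 1, sep - 1))
      val = substr(line, sep + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (val == "") next
      if (key == "registrar" && reg == "") reg = val
      else if (key ~ /^(creation date|created)$/ && made == "") made = val
      else if (key ~ /^(registry expiry date|expiration date|paid-till)$/ && expiry == "") expiry = val
      else if (key ~ /^(name server|nserver)$/) ns = ns (ns == "" ? "" : ",") tolower(val)
    }
    END {
      # Trust a not-found phrase only when no registration fields were parsed,
      # so the same words in legal boilerplate do not flip the result.
      if (reg == "" && made == "" && expiry == "") {
        print (miss ? "status=unregistered" : "status=unknown"); exit
      }
      print "status=registered"
      print "registrar=" (reg == "" ? "unknown" : reg)
      print "created=" (made == "" ? "unknown" : made)
      print "expires=" (expiry == "" ? "unknown" : expiry)
      print "nameservers=" (ns == "" ? "unknown" : ns)
    }'
}

# Constructed sample replies (not real registry data).
sample_registered() { cat <<'EOF'
   Domain Name: EXAMPLE.TEST
   Registrar: Example Registrar, Inc.
   Creation Date: 2001-02-03T04:05:06Z
   Registry Expiry Date: 2031-02-03T04:05:06Z
   Name Server: NS1.EXAMPLE.TEST
   Name Server: NS2.EXAMPLE.TEST
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
EOF
}
sample_unregistered() { printf 'No match for domain "EXAMPLE-UNUSED.TEST".\n'; }

sample_registered | whois_summary
```

On a live system the same function can be fed from the whois client, for example by piping the output of a lookup for a domain you administer into whois_summary.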

