# Complete Tools Guide - MCP Kali Pentest Framework

## Overview

This framework now includes **80+ penetration testing tools** organized into 17 categories, covering every aspect of security testing.

## Tool Categories

### 1. Reconnaissance & OSINT (11 tools)

**Purpose**: Information gathering and target profiling

| Tool | Description | Key Features |
|------|-------------|--------------|
| **nmap_scan** | Network port scanner | Service detection, OS fingerprinting, NSE scripts |
| **masscan** | Ultra-fast port scanner | Internet-scale scanning, 10M packets/sec |
| **amass_enum** | Subdomain enumeration | OSINT, DNS, brute-force techniques |
| **theHarvester** | Email/subdomain harvester | Multiple OSINT sources, API integration |
| **recon-ng** | Reconnaissance framework | Modular, database-backed |
| **shodan_search** | IoT device search | Exposed services, vulnerability lookup |
| **whatweb** | Web technology fingerprinting | CMS, framework, library detection |
| **wafw00f** | WAF detection | Identify web application firewalls |
| **dns_enum** | DNS enumeration | Record lookup, zone transfers |
| **sublist3r** | Subdomain discovery | Passive enumeration |
| **fierce** | DNS reconnaissance | Brute-force, zone transfer attempts |

**Example Usage**:

```python
# Fast network reconnaissance
await nmap_scan(target="example.com", scan_type="quick")

# Subdomain enumeration
await amass_enum(domain="example.com", passive=True)

# Technology fingerprinting
await whatweb(target="https://example.com", aggression=3)
```

---
### 2. Web Application Scanning (10 tools)

**Purpose**: Web vulnerability identification and content discovery

| Tool | Description | Best For |
|------|-------------|----------|
| **nikto_scan** | Web server scanner | Misconfigurations, outdated software |
| **nuclei_scan** | Template-based scanner | CVEs, known vulnerabilities |
| **wpscan** | WordPress scanner | Plugins, themes, core issues |
| **joomscan** | Joomla scanner | Joomla-specific vulnerabilities |
| **droopescan** | Drupal/SilverStripe scanner | CMS vulnerabilities |
| **gobuster_scan** | Directory brute-forcer | Hidden paths, files (Go-based, fast) |
| **dirb** | Directory scanner | Classic tool, good wordlists |
| **dirbuster** | Directory brute-forcer | Multi-threaded Java application |
| **wfuzz** | Advanced fuzzer | Parameters, headers, complex fuzzing |
| **ffuf_fuzz** | Fast fuzzer | Modern, very fast, flexible |

**Example Usage**:

```python
# Comprehensive web scan
await nikto_scan(target="http://example.com", ssl=True)

# CMS-specific scanning
await wpscan(target="http://wordpress-site.com", enumerate="vp")

# Directory discovery
await gobuster_scan(
    target="http://example.com",
    wordlist="/usr/share/wordlists/dirb/big.txt",
    extensions=["php", "asp", "html"]
)

# Advanced fuzzing
await ffuf_fuzz(
    target="http://example.com/FUZZ",
    wordlist="/usr/share/wordlists/custom.txt"
)
```

---
### 3. Web Application Exploitation (7 tools)

**Purpose**: Exploit web vulnerabilities

| Tool | Description | Attacks |
|------|-------------|---------|
| **sqlmap_scan** | SQL injection | Automatic SQLi detection and exploitation |
| **commix** | Command injection | OS command injection exploitation |
| **xsstrike** | XSS detection | Advanced XSS testing |
| **ssrf_detector** | SSRF testing | Server-side request forgery |
| **burpsuite_scan** | Professional scanner | Comprehensive web testing (Pro) |
| **owasp_zap_scan** | OWASP ZAP | Active/passive scanning |
| **wfuzz** | Payload fuzzing | Custom payload delivery |

**Example Usage**:

```python
# SQL injection testing
await sqlmap_scan(
    target="http://site.com/page.php?id=1",
    level=3,
    risk=2
)

# XSS detection
await xsstrike(target="http://site.com/search?q=test")

# SSRF testing
await ssrf_detector(
    target="http://site.com/api/fetch",
    callback_url="http://your-server.com"
)
```

---
### 4. Wireless Security (5 tools)

**Purpose**: Wi-Fi penetration testing

| Tool | Description | Attacks |
|------|-------------|---------|
| **aircrack_suite** | Complete Wi-Fi toolkit | Monitor mode, capture, crack |
| **reaver** | WPS attack | WPS PIN brute-force |
| **wifite** | Automated Wi-Fi auditor | Auto-detect and attack networks |
| **bettercap** | Network attack framework | MITM, sniffing, Wi-Fi attacks |
| **kismet** | Wireless detector | Network discovery, IDS |

**Example Usage**:

```python
# WPA/WPA2 cracking workflow
await aircrack_suite(
    interface="wlan0",
    target_bssid="00:11:22:33:44:55",
    channel=6
)

# Automated wireless audit
await wifite(interface="wlan0", wpa_only=True)

# WPS attack
await reaver(interface="wlan0mon", bssid="00:11:22:33:44:55")
```

---
### 5. Brute Force & Authentication (6 tools)

**Purpose**: Password attacks and credential testing

| Tool | Description | Protocols |
|------|-------------|-----------|
| **hydra_bruteforce** | Network login brute-forcer | SSH, FTP, HTTP, RDP, SMB, MySQL, etc. |
| **crackmapexec** | AD exploitation | SMB, MSSQL, SSH, WinRM |
| **medusa** | Parallel brute-forcer | 21+ services |
| **patator** | Multi-purpose brute-forcer | Modular approach |
| **crowbar** | Brute-forcing tool | RDP, SSH, VNC |
| **ncrack** | Network auth cracker | Nmap-style syntax |

**Example Usage**:

```python
# SSH brute-force
await hydra_bruteforce(
    target="192.168.1.100",
    service="ssh",
    username="admin",
    password_list="/usr/share/wordlists/rockyou.txt"
)

# Active Directory attacks
await crackmapexec(
    target="192.168.1.0/24",
    username="admin",
    password="password123",
    module="smb"
)
```

---
### 6. Password Cracking (4 tools)

**Purpose**: Hash cracking and password recovery

| Tool | Description | Speed |
|------|-------------|-------|
| **john_crack** | John the Ripper | CPU-based, versatile |
| **hashcat_crack** | GPU password recovery | Fastest available |
| **ophcrack** | Rainbow tables | Windows LM/NTLM |
| **rainbowcrack** | Rainbow table generator | Pre-computed hashes |

**Example Usage**:

```python
# Hash cracking with John
await john_crack(
    hash_file="/tmp/hashes.txt",
    wordlist="/usr/share/wordlists/rockyou.txt",
    format="md5"
)

# GPU-accelerated cracking
await hashcat_crack(
    hash="5f4dcc3b5aa765d61d8327deb882cf99",
    hash_type=0,  # MD5
    wordlist="/usr/share/wordlists/rockyou.txt",
    attack_mode=0  # Straight
)
```

---
### 7. Exploitation Frameworks (5 tools)

**Purpose**: Exploit search and execution

| Tool | Description | Database Size |
|------|-------------|---------------|
| **metasploit_search** | Metasploit Framework | 2000+ exploits |
| **searchsploit** | Exploit-DB search | 40,000+ exploits |
| **exploit_db_search** | Online Exploit-DB | Latest exploits |
| **commix** | Command injection | Automated exploitation |
| **crackmapexec** | Post-exploitation | AD-focused |

**Example Usage**:

```python
# Find exploits
await metasploit_search(query="apache 2.4", type="exploit")

# Search Exploit-DB
await searchsploit(query="wordpress 5.0")
```

---
### 8. Post-Exploitation (6 tools)

**Purpose**: Privilege escalation and lateral movement

| Tool | Description | Platform |
|------|-------------|----------|
| **mimikatz** | Credential dumping | Windows |
| **bloodhound_ingest** | AD attack paths | Active Directory |
| **empire_agent** | PowerShell post-exploitation | Windows |
| **crackmapexec** | Lateral movement | Windows/Linux |
| **linpeas** | Linux privilege escalation | Linux |
| **winpeas** | Windows privilege escalation | Windows |

**Example Usage**:

```python
# Active Directory enumeration
await bloodhound_ingest(
    domain="company.local",
    username="user",
    password="pass"
)

# Linux privilege escalation enumeration
await linpeas(target_ip="192.168.1.100")

# Windows privilege escalation enumeration
await winpeas(target_ip="192.168.1.101")
```

---
### 9. Social Engineering (3 tools)

**Purpose**: Phishing campaigns and social manipulation

| Tool | Description | Features |
|------|-------------|----------|
| **setoolkit** | Social Engineering Toolkit | Phishing, credential harvesting |
| **gophish** | Phishing framework | Campaign management, tracking |
| **king_phisher** | Phishing campaign tool | Professional campaigns |

**Example Usage**:

```python
# Phishing campaign
await gophish_campaign(
    name="Security Awareness Test",
    template="credential_harvest",
    targets=["user@company.com"]
)
```

---
### 10. Mobile Application Security (4 tools)

**Purpose**: Android and iOS app testing

| Tool | Description | Platform |
|------|-------------|----------|
| **mobsf_scan** | Mobile Security Framework | Android, iOS |
| **drozer_scan** | Android security framework | Android |
| **frida_trace** | Dynamic instrumentation | Android, iOS |
| **objection** | Runtime mobile exploration | Android, iOS |

**Example Usage**:

```python
# Android app security scan
await mobsf_scan(apk_path="/path/to/app.apk")

# Dynamic analysis
await drozer_scan(package="com.example.app")

# Runtime hooking
await frida_trace(
    package="com.example.app",
    function="crypto.decrypt"
)
```

---
### 11. API Security Testing (4 tools)

**Purpose**: REST, GraphQL, and API vulnerabilities

| Tool | Description | API Type |
|------|-------------|----------|
| **postman_scan** | API testing with Newman | REST |
| **rest_api_fuzzer** | RESTful API fuzzer | REST |
| **graphql_scanner** | GraphQL security scanner | GraphQL |
| **nuclei_scan** | Template-based API testing | All |

**Example Usage**:

```python
# API security testing
await postman_scan(
    collection_path="/path/to/collection.json",
    environment="production"
)

# GraphQL testing
await graphql_scanner(endpoint="https://api.example.com/graphql")
```

---
### 12. Digital Forensics (4 tools)

**Purpose**: Memory and disk forensics

| Tool | Description | Purpose |
|------|-------------|---------|
| **volatility_analyze** | Memory forensics | RAM dump analysis |
| **autopsy_case** | Digital forensics | Disk analysis, timeline |
| **foremost** | File carving | Recover deleted files |
| **scalpel** | File carving | Fast recovery |

**Example Usage**:

```python
# Memory forensics
await volatility_analyze(
    memory_dump="/path/to/memory.dmp",
    profile="Win10x64",
    plugin="pslist"
)

# Firmware analysis (binwalk_extract is listed under Reverse Engineering below)
await binwalk_extract(firmware_file="/path/to/firmware.bin")
```

---
### 13. Reverse Engineering (5 tools)

**Purpose**: Binary analysis and decompilation

| Tool | Description | Features |
|------|-------------|----------|
| **ghidra_decompile** | NSA's reverse engineering tool | Decompilation, analysis |
| **radare2_analyze** | RE framework | Disassembly, debugging |
| **binwalk_extract** | Firmware analysis | Extract embedded files |
| **strings_extract** | String extraction | Quick analysis |
| **ida_pro** | Professional disassembler | Industry standard |

**Example Usage**:

```python
# Binary analysis
await radare2_analyze(
    binary_path="/path/to/binary",
    command="aaa"  # Analyze all
)

# Extract strings
await strings_extract(
    file_path="/path/to/binary",
    min_length=8
)
```

---
### 14. Cloud Security (5 tools)

**Purpose**: AWS, Azure, GCP security

| Tool | Description | Platforms |
|------|-------------|-----------|
| **scout_suite** | Multi-cloud auditor | AWS, Azure, GCP, OCI |
| **cloudfox_enum** | AWS enumeration | AWS |
| **pacu_module** | AWS exploitation | AWS |
| **prowler** | AWS security best practices | AWS |
| **cloudmapper** | AWS visualization | AWS |

**Example Usage**:

```python
# Multi-cloud audit
await scout_suite(provider="aws", profile="default")

# AWS enumeration
await cloudfox_enum(profile="default", service="ec2")
```

---
### 15. Container Security (4 tools)

**Purpose**: Docker and Kubernetes security

| Tool | Description | Purpose |
|------|-------------|---------|
| **trivy_scan** | Container vulnerability scanner | CVE detection |
| **docker_bench_security** | Docker CIS benchmark | Best practices |
| **clair_scan** | Container scanner | Vulnerability database |
| **kube_hunter** | Kubernetes pentesting | K8s security |

**Example Usage**:

```python
# Container scanning
await trivy_scan(image="nginx:latest")

# Docker security audit
await docker_bench_security()
```

---
### 16. Network Analysis (6 tools)

**Purpose**: Traffic analysis and network testing

| Tool | Description | Purpose |
|------|-------------|---------|
| **tcpdump_capture** | Packet capture | Network monitoring |
| **wireshark_analyze** | Protocol analyzer | Deep packet inspection |
| **snmp_check** | SNMP enumeration | Device information |
| **enum4linux** | SMB enumeration | Windows/Samba |
| **dns_enum** | DNS reconnaissance | Domain information |
| **ssl_scan** | SSL/TLS testing | Certificate, cipher analysis |

**Example Usage**:

```python
# Packet capture
await tcpdump_capture(
    interface="eth0",
    filter="tcp port 80",
    duration=60
)

# SSL/TLS analysis
await ssl_scan(target="example.com", port=443)
```

---
### 17. Autonomous Testing (4 tools)

**Purpose**: AI-powered automated pentesting

| Tool | Description | Features |
|------|-------------|----------|
| **start_autonomous_pentest** | Full autonomous pentest | AI decision-making |
| **get_ai_suggestion** | AI recommendations | Next-step suggestions |
| **vulnerability_assessment** | Comprehensive scan | Multi-tool assessment |
| **generate_report** | Report generation | Professional reports |

**Example Usage**:

```python
# Start autonomous pentest
await start_autonomous_pentest(
    target="example.com",
    depth="vulnerability_scan",
    rules_of_engagement={
        "allow_exploitation": False,
        "rate_limit": True
    }
)

# Get AI suggestions
await get_ai_suggestion(
    session_id="pentest_123",
    context="Found SQLi vulnerability. What next?"
)
```

---
## Tool Statistics

```
Total Tools: 80+
Categories: 17

Reconnaissance: 11 tools
Web Testing: 17 tools
Wireless: 5 tools
Exploitation: 11 tools
Mobile: 4 tools
Cloud: 5 tools
Container: 4 tools
Forensics: 9 tools
Network: 6 tools
Autonomous: 4 tools
```

---
## Adding New Tools

### Step-by-Step Guide

#### 1. Create Tool Function (in `tools_extended.py`)

```python
from typing import Any, Dict, Optional


async def your_new_tool(
    target: str,
    option1: str = "default",
    option2: Optional[int] = None
) -> Dict[str, Any]:
    """Your tool description"""
    # Build the command as an argument list
    cmd = ["your-tool", "-t", target]
    if option1:
        cmd.extend(["--option1", option1])
    if option2 is not None:
        cmd.extend(["--option2", str(option2)])

    # Run the command through the framework's run_command helper
    result = await run_command(cmd, timeout=300)

    # Parse results with a parser written for this tool's output format
    findings = parse_your_tool_output(result["stdout"])

    return {
        "tool": "your_new_tool",
        "target": target,
        "success": result["success"],
        "findings": findings
    }
```

#### 2. Register in Tool Registry (in `tool_registry.py`)

```python
Tool(
    name="your_new_tool",
    description="Detailed description of what your tool does",
    inputSchema={
        "type": "object",
        "properties": {
            "target": {
                "type": "string",
                "description": "Target description"
            },
            "option1": {
                "type": "string",
                "description": "Option 1 description"
            }
        },
        "required": ["target"]
    }
),
```

#### 3. Add to Tool Category

```python
"your_category": ToolCategory(
    name="Your Category",
    description="Category description",
    tools=[
        "existing_tool",
        "your_new_tool"  # Add here
    ]
),
```

#### 4. Import in Server (update `server.py`)

```python
from tools_extended import (
    # ... existing imports ...
    your_new_tool,
)

# Add a branch inside the handle_call_tool function, next to the existing ones:
    elif name == "your_new_tool":
        result = await your_new_tool(**arguments)
```

#### 5. Update Documentation

Add the new tool to `TOOLS_GUIDE.md` and `API.md`.

---
## Advanced Usage Patterns

### Pattern 1: Chained Reconnaissance

```python
# 1. Subdomain discovery
subdomains = await amass_enum(domain="example.com")

# 2. Port scan each subdomain, keeping those that expose a web port
web_services = []
for subdomain in subdomains:
    result = await masscan_scan(target=subdomain, ports="80,443,8080")
    if result.get("findings"):  # assumes open ports are returned under "findings"
        web_services.append(subdomain)

# 3. Technology fingerprinting
for subdomain in web_services:
    await whatweb(target=f"https://{subdomain}")
```

### Pattern 2: Comprehensive Web Assessment

```python
# 1. Technology detection
tech = await whatweb(target="https://example.com")

# 2. CMS-specific scanning
if "WordPress" in tech:
    await wpscan(target="https://example.com")

# 3. Vulnerability scanning
await nuclei_scan(target="https://example.com", severity=["critical", "high"])

# 4. Directory discovery
await gobuster_scan(target="https://example.com")

# 5. SQL injection testing
await sqlmap_scan(target="https://example.com/page?id=1")
```

### Pattern 3: Network Penetration

```python
# 1. Network discovery
hosts = await masscan_scan(target="192.168.1.0/24", ports="top-ports")

for host in hosts:
    # 2. Detailed service detection
    await nmap_scan(target=host, scan_type="full")

    # 3. SMB enumeration
    await enum4linux(target=host)

    # 4. Brute-force weak services
    await hydra_bruteforce(target=host, service="ssh")
```

---
## Tool Selection Matrix

| Goal | Recommended Tools | Time |
|------|-------------------|------|
| Quick web scan | nikto, nuclei | 5-10 min |
| Deep web test | burpsuite, sqlmap, xsstrike | 1-2 hours |
| Network recon | nmap, masscan, shodan | 10-30 min |
| Password audit | hydra, john, hashcat | Varies |
| Wireless test | wifite, aircrack-ng | 30-60 min |
| Full pentest | autonomous_pentest | 1-4 hours |

---
## Security Best Practices

1. **Always obtain authorization** before testing
2. **Configure rules of engagement** in config
3. **Use rate limiting** to avoid DoS
4. **Test in isolated environments** first
5. **Keep tools updated** regularly
6. **Review AI suggestions** before executing
7. **Generate reports** for documentation
8. **Clean up artifacts** after testing

---
## Additional Resources

- [Kali Linux Tools](https://www.kali.org/tools/)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [PTES Technical Guidelines](http://www.pentest-standard.org/)
- [NIST SP 800-115](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf)

---
## Getting Help

```bash
# List all tools
python3 -c "from tool_registry import get_all_tool_definitions; print([t.name for t in get_all_tool_definitions()])"

# Get tool categories
python3 -c "from tool_registry import get_all_categories; print(list(get_all_categories().keys()))"

# Check tool availability (Metasploit installs as msfconsole, not "metasploit")
which nmap nikto sqlmap msfconsole nuclei
```

---
**Remember**: Ethical hacking requires authorization. Use responsibly!