Penetration testing

Kali Linux: Top 5 tools for sniffing and spoofing

Howard Poston
July 8, 2021 by
Howard Poston

Sniffing and spoofing

The network can be a valuable source of information and provides a wide range of potential attack vectors for a penetration tester. Sniffing network traffic can provide access to valuable intelligence, and spoofing traffic can enable a penetration tester to identify and exploit potential attack vectors.

Kali Linux is an operating system built for penetration testers and includes a large library of built-in tools. One of the tool categories within the Kali Linux operating system focuses on sniffing and spoofing network traffic.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Kali Linux tools for sniffing and spoofing

Kali Linux offers a long list of tools for sniffing and spoofing network traffic. These are some of the best sniffing and spoofing tools built into Kali.

1. Wireshark

Wireshark is one of the most well-known and commonly-used tools for sniffing and spoofing. Wireshark is a network traffic analysis tool with an extremely wide feature set.

One of the major differentiators of Wireshark is its large library of protocol dissectors. These enable the tool to analyze many common and uncommon protocols, break out the various fields in each packet and present them within an accessible graphical user interface (GUI). This makes it possible for users with even limited network knowledge to understand what they are looking at. On top of this, Wireshark also offers several different features for traffic analysis, including statistical analysis and the ability to follow network sessions or decrypt SSL/TLS traffic. 

Wireshark is a valuable tool for sniffing because it provides deep visibility into network traffic, either from a capture file or a live capture. This can help with understanding the network layout, capturing leaked credentials and other activities.

2. Mitmproxy

In a man-in-the-middle (MitM) attack, the attacker interjects themselves into communication between a client and a server. All traffic that flows over that connection passes through the attacker, potentially enabling them to eavesdrop on the traffic and modify the data flowing over the network.

Kali Linux’s mitmproxy makes it easier to perform MitM attacks on web traffic. It allows on-the-fly capture and modification of HTTP traffic, supports client and server traffic replay, and includes the ability to automate attacks with Python. mitmproxy also supports the interception of HTTPS traffic with SSL certificates created on the fly.

3. Burp Suite

Burp Suite is a suite of several different tools for penetration testing. It is focused on the security analysis of web applications.

One tool in Burp Suite that is useful for sniffing and spoofing attacks is the Burp Proxy. Burp Proxy allows interception and modification of HTTP connections and offers support for HTTPS interception as well.

Burp Suite works on a freemium model. The basic tools are available for free, but attacks need to be performed manually without the ability to save work. Paying for a license provides access to a wider suite of tools (such as a web vulnerability scanner) and support for automation.

4. Sslstrip

SSL/TLS is a protocol that provides several useful security and privacy features. It encrypts network traffic and authenticates the server in an HTTPS connection. However, these features that are useful for an internet user are a nuisance for a penetration tester or other cyberattacker.

Sslstrip is a tool built into Kali Linux to help mitigate the impacts of SSL/TLS on sniffing and spoofing. Sslstrip monitors the traffic flowing over the network and looks for HTTPS links and redirects contained within HTTP pages. It then modifies the traffic to remap these links to similar HTTP URLs or homograph-similar HTTPS links.

The use of Sslstrip can provide a couple of different benefits to an attacker. Stripping SSL/TLS from web traffic or switching it to a URL under the attacker’s control makes it possible to sniff this traffic for valuable data. Additionally, the URL remapping performed by Sslstrip can redirect users to phishing sites, setting up a second-stage attack.

5. Zaproxy

The executable named Zaproxy on Kali Linux is OWASP’s Zed Attack Proxy (ZAP). Like Burp Suite, ZAP is a penetration testing tool designed to help with the identification and exploitation of vulnerabilities within web applications.

ZAP is a useful tool for sniffing and spoofing due to its ability to perform interception and modification of HTTP(S) traffic. ZAP provides a wide range of features and is a completely free option for performing these attacks.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The best Kali Linux tools for sniffing and spoofing

Kali Linux is a great operating system for penetration testers and network defenders alike. The sniffing and spoofing tools built into the operating system can be used to collect intelligence and test defenses for either offensive or defensive purposes. While the tools listed here are some of the most widely used, Kali Linux also includes a variety of other sniffing and spoofing tools that are worth a try as well.



Kali Linux Tools Listing, Kali Linux

Homepage, Wireshark Foundation

Homepage, mitmproxy

Burp Suite, PortSwigger

sslstrip, Moxie

zaproxy, OWASP

Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at