Whether you just installed Kali Linux for the first time or you are preparing for your OSCP exam, knowing the right commands is what separates someone who has a hacking OS from someone who can actually use it. This guide covers the 20 most essential Kali Linux commands every ethical hacker relies on — each explained in plain English, with real syntax, real examples, and pro tips you won’t find in a man page.
At the end you’ll find a complete quick-reference cheatsheet. Jump straight to the cheatsheet →
- Kali Linux installed — VirtualBox VM, VMware, or native install. Not set up yet? See our Kali Linux install guide.
- A legal practice target — DVWA, Metasploitable 2, or a TryHackMe/HackTheBox room. Never point these tools at live systems without written permission.
- Basic Linux navigation — you know how to open a terminal, use ls, cd, and sudo.
Reconnaissance is always Phase 1 of any penetration test. You cannot attack what you cannot see. These six commands form the complete recon toolkit — from port discovery to web server vulnerability scanning.
Nmap discovers live hosts, open ports, running services, version numbers, and operating systems. Every pentest starts here.
Queries domain registration databases to reveal the owner, registrar, name servers, and contact emails. First OSINT step when starting from a domain name.
Queries DNS records to reveal A records, MX mail servers, TXT records, and subdomains. A zone transfer attempt can dump the entire DNS map of a target in one command.
Searches public data sources (Google, Bing, LinkedIn, Shodan) to harvest emails, employee names, and subdomains — all without touching the target directly.
Brute-forces hidden directories, backup files, and subdomains using a wordlist. Significantly faster than dirb because it runs concurrent threads.
Scans a web server for 6,700+ known vulnerabilities, dangerous files, outdated software, and misconfigurations. Fast but noisy — easily detected by IDS/IPS.
After recon, you need to understand the network you are operating in. These five commands let you monitor connections, catch shells, capture packets, and discover every live host on a LAN.
Displays active connections, listening ports, and routing information. Answers the question: what is running and accepting connections on this machine right now?
Shows your IP address, interface, and subnet. You need this before running any network command — your IP is your LHOST in every reverse shell payload.
Reads and writes raw data across TCP/UDP connections. Used for catching reverse shells, banner grabbing, port scanning, and file transfers. Learning netcat is non-negotiable.
CLI packet analyser — essential when on a remote system with no GUI. Saves captures as .pcap files you can open in Wireshark later.
Sends ARP packets to every address on a subnet and reports which hosts respond. Faster and more reliable than Nmap ping sweep for local discovery — ARP cannot be blocked by a firewall.
Metasploit is the world’s most widely used penetration testing platform — thousands of exploits, payloads, and post-exploitation modules. msfconsole is its CLI interface.
CLI tool for the Exploit-DB archive. Works completely offline — critical in network-isolated pentest environments. Found exploits can be copied directly to your working directory.
Automates detection and exploitation of SQL injection vulnerabilities — identifies injection type, enumerates databases, dumps tables, and in some cases gains OS access.
Generates standalone reverse shell payloads for any platform — Windows EXE, Linux ELF, PHP shells, Python scripts, and more. Pairs with a Metasploit listener to catch the shell.
Weak passwords remain the most common attack vector in pentesting. These three tools cover the full spectrum: online brute force against live services, offline CPU cracking, and GPU-accelerated cracking.
Fast, parallelised online password cracker supporting 50+ protocols — SSH, FTP, HTTP forms, RDP, SMB, MySQL. Takes a username and wordlist and tries every combination.
Use -t 4 (4 threads) for SSH to avoid triggering account lockout policies on real systems.
John the Ripper cracks offline password hashes from /etc/shadow, database dumps, or captured NTLM hashes. Auto-detects hash format. Best for small-to-medium hash counts.
World’s fastest password recovery tool. Leverages GPU to crack billions of hashes per second. Supports 300+ hash types. Use for large-scale cracking jobs.
These two commands are built into every Linux system — but in a penetration tester’s hands they become privilege escalation and credential-hunting tools.
chmod changes file permissions; chown changes ownership. Essential for making exploit scripts executable — and for finding SUID misconfigurations during privilege escalation.
grep searches file content; find searches the filesystem. Combined with hacker-specific patterns, they find credentials and misconfigurations hiding on compromised systems in seconds.
Bookmark this section. Every command, category, and core syntax in one table.
| # | Command | Category | What it does |
|---|---|---|---|
| nmap | Recon | Port scanning, OS & service detection | nmap -sV -sC |
| whois | Recon | Domain owner and registration info | whois |
| dig | Recon | DNS record enumeration and zone transfers | dig ANY |
| theHarvester | Recon | Passive email and subdomain OSINT | theHarvester -d |
| gobuster | Recon | Web directory and subdomain brute force | gobuster dir -u |
| nikto | Recon | Web server vulnerability scanner | nikto -h |
| netstat | Networking | Show open ports and active connections | netstat -tulnp |
| ip a | Networking | Show interfaces and IP addresses | ip a |
| nc | Networking | Banner grabbing and reverse shell listener | nc -lvnp 4444 |
| tcpdump | Networking | CLI packet capture and analysis | tcpdump -i eth0 -w out.pcap |
| arp-scan | Networking | Discover all live hosts on LAN via ARP | arp-scan -l |
| msfconsole | Exploitation | Launch Metasploit Framework | msfconsole → search → use → run |
| searchsploit | Exploitation | Search Exploit-DB offline | searchsploit |
| sqlmap | Exploitation | Automated SQL injection detection | sqlmap -u “ |
| msfvenom | Exploitation | Generate custom reverse shell payloads | msfvenom -p |
| hydra | Password | Online brute force against live services | hydra -l admin -P rockyou.txt |
| john | Password | Offline CPU hash cracking with wordlists | john –wordlist=rockyou.txt hashes.txt |
| hashcat | Password | GPU-accelerated offline hash cracking | hashcat -m 1000 -a 0 hashes.txt wordlist |
| chmod | File & System | Change permissions, find SUID binaries | chmod +x file / find / -perm -4000 |
| grep/find | File & System | Search content and filesystem for credentials | grep -ri “password” /var/www/ |
- DVWA (Damn Vulnerable Web App) — deliberately vulnerable PHP/MySQL web app. Perfect for gobuster, nikto, sqlmap, Burp Suite. Install: apt-get install dvwa
- Metasploitable 2 — deliberately vulnerable Linux VM with dozens of misconfigured services. Perfect for Nmap, Metasploit, Hydra, John. Download free from SourceForge.
- TryHackMe — browser-based guided rooms. Free tier includes beginner rooms covering every command in this list. No VM setup needed.
- HackTheBox — more challenging. Several free “Starting Point” machines are ideal for practising the exploitation section (commands 12–15).
- VulnHub — downloadable offline vulnerable VMs. Great for building a personal lab with no internet connection.
For a full lab setup guide: How to set up a hacking lab with Kali Linux →
⚡ What to learn next — your learning path
- Web application pentesting — now that you know these commands, intercept and manipulate web traffic. Burp Suite tutorial for beginners →
- Deep-dive Metasploit — go beyond msfconsole basics: post-exploitation, pivoting, Meterpreter. Full Metasploit tutorial →
- Start bug bounty hunting — use these skills on real programs and get paid legally. Bug bounty beginners guide →
- Get certified — CEH validates your knowledge; OSCP proves you can actually exploit systems. Both are recognised by employers worldwide.
The most essential commands fall into four groups: recon (nmap, whois, dig, theHarvester, gobuster, nikto), networking (netstat, netcat, tcpdump, arp-scan), exploitation (msfconsole, searchsploit, sqlmap, msfvenom), and password attacks (hydra, john, hashcat). Start with nmap and work outward.
Learn nmap first. It is used in every single penetration testing engagement to discover live hosts, open ports, running services, and operating system versions. Every other tool on this list builds on what nmap reveals about your target.
Kali Linux is completely legal to install and use. The commands become illegal only when run against systems you do not own or have explicit written permission to test. Always practise on legal environments such as DVWA, Metasploitable 2, TryHackMe, or HackTheBox.
Basic navigation and the 20 core commands in this guide can be learned in 1–2 days of focused practice. Becoming proficient enough to run a full penetration test typically takes 2–4 weeks of daily hands-on lab work. CEH and OSCP certifications provide structured 3–6 month learning paths.
Both crack offline hashes but use different hardware. John the Ripper uses the CPU and is excellent for automatic hash detection on small datasets. Hashcat uses the GPU and is 10–100× faster for large hash batches. Use John for quick wins; switch to Hashcat for intensive cracking jobs.
Metasploit Framework (launched via msfconsole) is widely regarded as the most powerful tool in Kali Linux. It contains thousands of exploits, payloads, and post-exploitation modules covering every major platform, and is the industry standard used by professional penetration testers worldwide.