Kali Linux is a Debian-based Linux distribution specifically tailored for digital forensics and penetration testing. It provides a comprehensive suite of tools and utilities used by cybersecurity professionals, ethical hackers, and penetration testers to identify, assess, and exploit vulnerabilities in systems. One of the most powerful features of Kali Linux is its command-line interface. Understanding how to use the terminal effectively can drastically improve the efficiency and depth of any cybersecurity operation.
The command line is not just a tool; it’s the gateway to full control over a Linux system. Unlike graphical interfaces, which are limited by design, the command line provides users with powerful and flexible options to manipulate files, manage users, configure networks, and run penetration testing tools. As ethical hacking involves precision and speed, mastering Kali Linux commands is crucial. These commands offer deep control over the system, automate repetitive tasks, and allow access to complex tools like Metasploit, Nmap, Hydra, SQLMap, and more.
For those just beginning their cybersecurity journey, learning these commands may seem intimidating. However, with consistent practice and usage, they become second nature. This guide introduces the 100 most useful Kali Linux commands and provides examples of how each command is applied in real-world scenarios.
This guide is structured into four comprehensive parts. Each part categorizes the commands for easy understanding and progressive learning. Whether you’re managing files, monitoring system performance, configuring a network, or launching a penetration test, each section provides detailed explanations and actual terminal outputs for better comprehension.
Why Mastering Kali Linux Commands is Crucial
Learning the graphical user interface alone is insufficient when it comes to ethical hacking. Professionals often rely on terminal commands because they are faster, more customizable, and enable complex tasks that cannot be done through GUI tools. Mastering these commands improves operational efficiency, reduces errors, and increases control over the environment.
Using commands in Kali Linux is also essential for automation. Security audits often require repeating similar tasks on different targets or networks. Writing scripts that use terminal commands allows these operations to be performed automatically and consistently, saving time and ensuring accuracy.
When working with sensitive systems, graphical tools may not always be available or secure. Many remote or headless environments only offer shell access, so command-line skills become indispensable. Professionals who understand these commands can easily adapt to different environments and troubleshoot issues more effectively.
Finally, understanding terminal commands in Kali Linux helps you better comprehend what security tools are doing in the background. GUI-based tools are often just wrappers around terminal programs. By mastering the terminal, you can understand, customize, and optimize the behavior of these tools.
Basic File and Directory Commands
Working with files and directories is a fundamental task in Linux. These commands allow you to navigate the file system, manage folders and files, and inspect their contents or properties.
pwd
This command displays the present working directory. It tells you where you are in the file system.
Example output:
/home/kali
ls
Lists all files and directories in the current location. You can use flags like -l for detailed listings or -a to show hidden files.
Example output:
Desktop Downloads Tools
cd
Used to change the current directory. If you want to move to a specific path like /etc, simply type cd /etc.
mkdir
Creates a new directory. If you need a folder named test, the command would be mkdir test.
touch
Creates an empty file. For example, touch file.txt creates a file named file.txt.
rm
Removes a file. Typing rm file.txt deletes the file.
rmdir
Deletes an empty directory. Use it only if the directory is empty.
cp
Copies a file from one location to another. cp file1 file2 will duplicate file1 as file2.
mv
Moves or renames a file. For example, mv file1 /tmp transfers the file to the /tmp directory.
cat
Displays the content of a file in the terminal. Using cat file.txt will show the contents of that file.
User Management Commands
User management is essential in any Linux system, especially in multi-user environments. These commands help you add, delete, and modify users and groups.
whoami
Displays the current logged-in user. It helps confirm which user context is being used during terminal operations.
id
Shows the user ID and group IDs associated with the current user. It’s useful for permission and ownership checking.
adduser
Adds a new user to the system. For example, adduser hacker creates a new user account named hacker.
passwd
Sets or changes the password for a user. The system will prompt for a new password.
deluser
Removes a user from the system. deluser hacker deletes the user account named hacker.
sudo su
Switches to the root user. After execution, you operate under administrative privileges, represented by the # prompt.
groups
Displays all the groups the current user is a member of. It’s often used to check whether a user belongs to the sudo group or others.
Networking Commands
Networking is the core of penetration testing and ethical hacking. Kali Linux offers numerous commands to inspect, configure, and troubleshoot network connections.
ifconfig
Displays current network interface configurations such as IP addresses and MAC addresses. Useful for identifying active interfaces like eth0 and wlan0.
ip a
A modern replacement for ifconfig, this shows detailed network interface information, including IPv4 and IPv6 addresses.
ping
Tests connectivity to another device or server. For example, ping 8.8.8.8 checks connectivity with Google’s DNS server.
traceroute
Maps the path packets take to reach a remote system. traceroute google.com shows all intermediary hops.
netstat
Displays active network connections and ports. The -tuln flag lists TCP and UDP ports being used.
ss
A faster and more informative tool than netstat. ss -tuln displays listening ports and associated services.
nmap
Used for network scanning and port discovery. For example, nmap 192.168.1.1 will show open ports and services on that target.
wget
Downloads files via HTTP or FTP protocols. wget http://example.com/file saves the file locally.
curl
Fetches data or headers from a server. curl -I http://example.com returns HTTP headers from the target website.
dnsenum
Performs DNS enumeration to discover hostnames and domain information. dnsenum domain.com helps in subdomain reconnaissance.
System Monitoring and Process Management
Monitoring system performance and managing processes are critical during ethical hacking to ensure stability and control over system resources.
top
Displays active processes and system statistics like CPU usage, memory usage, and running time.
htop
An enhanced version of top with a color interface and easier navigation using arrow keys.
ps aux
Lists all active processes in the system along with their user, PID, and command information.
kill
Terminates processes based on their PID. For example, kill 1234 will stop the process with that ID.
df -h
Shows disk space usage in a human-readable format. Useful for checking storage availability.
du -sh *
Displays the size of all folders in the current directory. Helps identify large directories.
free -m
Displays memory usage in megabytes. It’s essential for analyzing system load.
uptime
Shows how long the system has been running and the current load average.
who
Lists all users currently logged into the system. It’s helpful in multi-user or remote sessions.
uname -a
Displays detailed system information including the kernel version, hostname, and hardware type.
File Permissions and Ownership Commands
Understanding file permissions and ownership in Linux is crucial for ethical hackers. It allows proper access management and can also expose vulnerabilities during penetration tests.
chmod
The chmod command is used to change file permissions. For instance, typing chmod 755 script.sh gives the file’s owner full read, write, and execute permissions, while other users get only read and execute access. This is commonly used to make shell scripts executable.
chown
To change file ownership, use the chown command. Executing chown user:user file.txt will set both the owner and group of the file to “user.” This is helpful when transferring files between users or fixing incorrect ownership.
chgrp
The chgrp command changes only the group ownership of a file. Typing chgrp admin file.txt assigns the file to the “admin” group, allowing all group members to access it according to the current permissions.
umask
Use the umask command to define the default permissions for new files and directories. For example, setting umask 022 ensures that new files are created with permissions that allow the owner full access while limiting group and public access to read and execute only.
stat
To view detailed file information, the stat command displays attributes such as access time, ownership, size, and permissions. Running stat file.txt helps verify changes or investigate file metadata during an audit.
ls -l
One of the most commonly used commands for viewing file information is ls -l, which lists files in a detailed format showing permission bits, ownership, file size, and last modified date. Using this helps confirm current permission settings after modifying them.
Package Management with APT
Kali Linux uses APT, the Advanced Package Tool, for managing software installations. Knowing how to use APT effectively is vital for installing, updating, or removing hacking tools and system packages.
apt update
Before installing anything new, use the apt update command. It updates your local package index with the latest available versions from the repositories, ensuring you don’t install outdated software.
apt upgrade
Once your package index is updated, use apt upgrade to upgrade all currently installed packages to their latest available versions. This is crucial for maintaining security and compatibility.
apt install
To add new tools, use the apt install command followed by the package name. For example, typing apt install nmap will download and install the Nmap tool directly from the official repositories.
apt remove
If a package is no longer needed, use the apt remove command to uninstall it while keeping its configuration files. Removing unneeded packages helps keep your system clean and efficient.
apt purge
For a more complete uninstallation, use apt purge, which removes both the software and its configuration files. This is helpful when a clean reinstall is needed.
apt autoremove
Over time, the system accumulates unused dependencies. Running apt autoremove removes those leftover packages that are no longer required, freeing up space and reducing clutter.
apt search
To look for tools or packages without installing them, use apt search followed by a keyword. For example, apt search sqlmap displays all packages related to SQLMap.
apt list
You can use the apt list command to view packages. Adding –installed will list all currently installed packages on the system, useful for creating reports or documentation.
File Searching and Archiving
File management becomes essential when analyzing logs, compressing results, or locating hidden files in a penetration test.
find
The find command is a powerful tool to search the entire file system for files and directories. For instance, typing find / -name passwd searches the entire system for any file named “passwd.”
locate
An alternative to find is the locate command, which is much faster because it searches an indexed database of files. For example, locate sshd_config will instantly find all paths containing that file name. However, the database needs to be updated first.
updatedb
To make sure the locate command works accurately, run updatedb to refresh the file index. This is often done manually before running a locate search.
grep
Use the grep command to search inside files for specific patterns. For example, grep root /etc/passwd looks for any line containing the word “root” within the passwd file. It’s invaluable during audits or forensics.
tar
The tar command handles .tar archive files. Running tar -xvf archive.tar extracts the contents of the archive, while tar -cvf archive.tar folder/ compresses a directory into a tarball. This is often used to bundle files for transfer or storage.
zip and unzip
To compress files into a .zip format, use zip followed by the desired archive name and files. For extraction, the unzip command retrieves the original files from the archive. This format is more compatible with Windows systems.
gzip and gunzip
For file compression, gzip compresses individual files into .gz format. To decompress them, use gunzip. This is useful when reducing file size for logs, data dumps, or payloads.
Penetration Testing Tools and Commands
Kali Linux is renowned for its built-in penetration testing tools. Mastering their terminal usage gives you full control over scans, enumeration, and exploitation.
nmap
To scan a network or system, use nmap. A command like nmap -sS -A 192.168.1.1 performs a stealth SYN scan along with OS and service detection. This helps identify open ports, running services, and possible vulnerabilities.
netdiscover
For identifying live hosts in a local network, use netdiscover. Running netdiscover -r 192.168.1.0/24 shows all devices connected in the specified IP range, including MAC addresses and vendors.
nikto
To scan web servers for known vulnerabilities and misconfigurations, use nikto. Executing nikto -h http://target.com reveals information like outdated software, directory listings, and insecure headers.
sqlmap
To detect and exploit SQL injection vulnerabilities, use sqlmap. For instance, sqlmap -u “http://target.com/page.php?id=1” –dbs will test for injectable parameters and list the available databases.
hydra
For password cracking via brute force, hydra is a powerful tool. Typing hydra -l admin -P rockyou.txt ftp://192.168.1.5 attempts to login using the username “admin” and a list of passwords from rockyou.txt.
metasploit
Metasploit is a comprehensive exploitation framework. Launch it with msfconsole to begin working with modules, payloads, and exploits. It provides a command-driven interface to conduct full exploit chains.
armitage
For those who prefer a graphical interface, armitage offers a visual layer on top of Metasploit. It can be started from the terminal by typing armitage, offering point-and-click exploitation and team collaboration features.
enum4linux
Use enum4linux for enumerating information from Windows systems using SMB. Typing enum4linux -a 192.168.1.10 performs a full enumeration to extract usernames, shares, and domain info.
Password Cracking and Privilege Escalation Tools
Password cracking is a critical phase in penetration testing. Gaining unauthorized access often starts with exploiting weak credentials. Kali Linux includes a wide range of tools for brute-forcing, dictionary attacks, and hash analysis.
john
John the Ripper, commonly invoked as john, is a powerful password cracker. To crack a password hash, first place it inside a text file (for example, hashes.txt) and run the command john hashes.txt. John uses default wordlists and smart rule-based guesses to uncover weak passwords. Once the cracking finishes or is interrupted, you can view the cracked results using john –show hashes.txt.
hashcat
Hashcat is a high-performance password recovery tool that utilizes GPU acceleration. To use it, specify the hash type, hash file, and wordlist. For example, hashcat -m 0 -a 0 hashes.txt rockyou.txt attempts a straight dictionary attack using the popular rockyou wordlist. Hashcat supports hundreds of hash formats and modes, making it extremely versatile.
unshadow
To crack both /etc/passwd and /etc/shadow files with John the Ripper, use the unshadow command to combine them into a single file. For instance, unshadow passwd shadow > combined.txt prepares the file for password cracking.
sudo -l
To check for privilege escalation opportunities on a compromised system, use sudo -l. This command lists the commands the current user can run with elevated privileges. Misconfigured sudo permissions are one of the most common escalation paths.
linux-exploit-suggester
This script helps find local privilege escalation vulnerabilities by comparing your system’s kernel version to a database of known exploits. Download it and execute it with perl linux-exploit-suggester.pl, and it will return a list of matching kernel-level exploits.
Wireless and Bluetooth Attacks
Kali Linux includes robust tools for wireless testing, including sniffing, spoofing, and cracking Wi-Fi encryption. These tools help ethical hackers assess network vulnerabilities in the airspace.
airmon-ng
Start by enabling monitor mode using airmon-ng. Typing airmon-ng start wlan0 switches the wireless card to monitor mode, allowing passive packet capture and injection.
airodump-ng
Once monitor mode is enabled, run airodump-ng wlan0mon to scan for wireless access points and connected clients. This tool shows information such as BSSID, channel, signal strength, and encryption type.
aireplay-ng
To deauthenticate clients from a network, use aireplay-ng. For example, aireplay-ng -0 5 -a [BSSID] -c [ClientMAC] wlan0mon sends five deauthentication packets, which is useful for capturing handshake data or forcing reconnects.
aircrack-ng
After capturing a WPA or WPA2 handshake, use aircrack-ng to attempt password cracking. A command like aircrack-ng capturefile.cap -w wordlist.txt uses a dictionary attack to try known passwords against the captured handshake.
wash
To detect WPS-enabled access points, use the wash command. Run wash -i wlan0mon to scan nearby networks for vulnerabilities related to WPS brute-force attacks.
reaver
For attacking WPS-enabled routers, use reaver. A command like reaver -i wlan0mon -b [BSSID] -vv initiates a brute-force attack against the router’s WPS PIN, potentially recovering the WPA2 passphrase.
hcxdumptool
This tool allows advanced Wi-Fi packet capturing, often used in combination with Hashcat. Run it with arguments to capture PMKID or handshakes for offline cracking.
Bluetooth Hacking Tools
Bluetooth attacks target insecure or misconfigured Bluetooth devices, often found in mobile phones, headphones, or IoT devices. Kali Linux provides tools to assess these threats.
hciconfig
To interact with Bluetooth hardware, use hciconfig. Run it alone to view your Bluetooth devices and their statuses. You can enable or disable interfaces using hciconfig hci0 up or hciconfig hci0 down.
hcitool
This command scans for discoverable Bluetooth devices. Running hcitool scan sends out inquiry requests and lists nearby devices by name and MAC address.
l2ping
The l2ping command is used to send ping requests to Bluetooth devices, testing connectivity. Typing l2ping [MAC] sends a ping to the device with the specified address.
btmon
To monitor Bluetooth traffic in real time, use btmon. It captures packets between devices and is useful for debugging or analyzing insecure protocols.
bluesnarfer
This tool attempts to extract information from vulnerable Bluetooth-enabled devices. Running bluesnarfer -r 1-100 -b [MAC] can try reading the first 100 phonebook entries from the targeted device.
Exploitation and Post-Exploitation Techniques
Once initial access is gained, the next steps often involve deeper exploitation, data extraction, privilege escalation, or pivoting to other systems. Post-exploitation is just as critical as the initial breach.
searchsploit
Use the searchsploit command to search for local exploits from the Exploit Database. For example, typing searchsploit samba returns known exploits related to Samba services. This helps quickly identify potential attack paths.
msfconsole
After finding a matching exploit, launch msfconsole to open the Metasploit Framework. Within this console, you can select exploit modules, set targets and payloads, and initiate the attack. Typing use exploit/windows/smb/ms17_010_eternalblue begins configuring the infamous EternalBlue exploit.
use
Inside Metasploit, the use command selects a module. For example, use exploit/unix/ftp/vsftpd_234_backdoor loads an exploit module targeting a vulnerable FTP server.
set
To configure options in Metasploit, use set. You might type set RHOST 192.168.1.10 to define the target’s IP address, followed by set LHOST 192.168.1.5 to set your listener address.
exploit
After everything is configured, type exploit to launch the attack. If successful, you’ll gain access to a shell or meterpreter session.
shell
Within Metasploit, typing shell drops you into a command-line interface on the victim’s machine, allowing command execution just like a regular terminal session.
background
To keep a session running while returning to the Metasploit console, type background. This is useful when managing multiple sessions or pivoting between targets.
sessions
To view active meterpreter sessions, type sessions. You can then interact with a session by typing sessions -i 1, where 1 is the session number.
getsystem
Inside a meterpreter session, the command getsystem attempts to elevate privileges using known methods such as token impersonation or exploit modules.
hashdump
Still within a meterpreter session, hashdump extracts password hashes from the target system, which can later be cracked offline using tools like John or Hashcat.
Logging, Reporting, and System Cleanup
After a penetration test, documentation is just as important as the technical process itself. Ethical hackers are expected to present clear, professional reports based on their findings. Proper cleanup ensures the target environment is left stable and secure.
script
To record a terminal session, use the script command. When you type script log.txt, everything displayed in the terminal — including inputs and outputs — is saved to the file log.txt. This is useful for evidence, reports, or future reference. Type exit to stop recording.
tee
To display command output and write it to a file simultaneously, use tee. For example, nmap -A 192.168.1.1 | tee scan.txt will show the scan results on-screen and save them to scan.txt at the same time.
history
Typing history shows a numbered list of all previously used commands in the session. This can help recreate an activity timeline or generate part of your report.
last
The last command displays a history of user logins and reboots. It can be useful to see how long a system has been active, or to detect any unauthorized access during your assessment.
clear
Use clear to wipe the visible terminal history from the screen. This doesn’t remove commands from the history file but is useful before handing a system back.
shred
For securely deleting files, use shred. Typing shred -u sensitive.txt overwrites the file with random data before removing it, making recovery nearly impossible.
history -c
To delete all command history from the current user, run history -c. This clears the .bash_history file and is sometimes used during red team operations or when conducting live system tests.
Scripting and Automation with Bash
Automation is critical for scaling up security assessments. Using Bash scripts, repetitive tasks can be completed quickly, consistently, and silently — ideal for ethical hacking engagements.
echo
The echo command prints a line of text to the terminal or into a file. For example, echo Hello World displays the phrase, while echo “scan started” >> log.txt appends it to a file.
for
The for loop allows you to automate commands across many targets. A simple example might be for ip in $(cat ips.txt); do nmap -F $ip; done, which runs a fast Nmap scan on every IP listed in the ips.txt file.
while
A while loop runs commands as long as a condition is true. For example, while true; do echo monitoring…; sleep 5; done will repeat the phrase every five seconds until manually stopped.
if
Using if statements allows decision-making within your scripts. A structure like if [ -f file.txt ]; then echo “Found”; fi checks if a file exists and echoes “Found” if it does.
cron
To schedule tasks, use the cron system. Typing crontab -e lets you edit scheduled jobs. For example, you can run a script every day at midnight to check server health or system status.
chmod +x
When writing scripts, you must make them executable with chmod +x script.sh. After that, the script can be run using ./script.sh.
Tips for Beginners in Ethical Hacking
Learning Kali Linux takes patience and practice. Begin with mastering basic file handling, then gradually learn about users, networking, services, and finally dive into security tools. Don’t rely only on tools — understand how they work, what protocols they touch, and how real-world systems behave.
Start by practicing in safe, legal environments like virtual machines or penetration testing labs. Platforms such as TryHackMe, Hack The Box, or your own virtual test networks are great starting points. Focus on one tool at a time, and run it with various options to see how the outputs change.
As you grow more confident, begin chaining tools together. For example, use nmap to find open ports, then nikto to scan those services, followed by searchsploit to check for known vulnerabilities. Document every step, not just for your own learning but because reporting is part of the job.
Always remember that ethical hacking is about permission, legality, and responsibility. Never test systems you don’t have explicit permission to assess. Ethical hackers are professionals — not criminals — and your skill should be used to protect and improve systems, not break them.
Quick Command Reference Cheat Sheet
Here is a quick summary of some of the most useful Kali Linux commands you have learned throughout this guide. Each of these commands is foundational and widely used in real-world ethical hacking and security testing:
pwd shows your current directory.
ls -l lists files with detailed information.
cd changes directory.
mkdir creates a new folder.
touch creates an empty file.
rm deletes a file.
cp copies a file or folder mv moves or renames a file.
chmod changes file permissions.
chown changes file ownership.
apt update refreshes package lists.
apt install installs a new tool.
nmap scans networks for open ports.
hydra performs password brute-forcing.
sqlmap tests for SQL injection flaws.
msfconsole launches the Metasploit Framework.
airmon-ng sets up Wi-Fi monitor mode.
john cracks password hashes.
script records a terminal session.
bash runs shell scripts for automation.
Conclusion
Mastering Kali Linux is a journey, not a race. With these 100 powerful commands and practical examples, you now have a strong foundation for ethical hacking, cybersecurity research, and penetration testing. The more you use these commands, the more fluent you will become — not only in syntax but in strategy.
Stay curious, keep practicing in safe environments, and always work ethically and legally. The command line in Kali Linux is not just a tool — it’s your weapon, your compass, and your voice in the world of cybersecurity.