Kali Linux Commands — 2,941 Pentesting Commands Across 146 Tools

The complete Kali Linux command reference. Search by tool, flag, or description. Filter by attack phase. Copy any command with one click. Built for OSCP candidates, bug bounty hunters, CTF players, and working pentesters.

What Is This Kali Linux Command Reference?

This is the most comprehensive Kali Linux command reference available — covering 150 major tools used by penetration testers, ethical hackers, OSCP students, bug bounty hunters, and security researchers. Every command is categorised and copyable with a single click.

Whether you are running your first CTF, preparing for the OSCP exam, or conducting a professional red team engagement, this reference eliminates the need to memorise syntax or dig through man pages mid-test.

How to Use This Tool

Use the category dropdown to filter by testing phase. Use the search box to find commands by tool name, flag, or description. Select a tool and click Show to view its full command library. Click Copy next to any command to copy it to your clipboard.

How this command reference is built

The reference covers 146 of the most-used Kali Linux tools with 2,941 individual commands, organised into 13 categories that mirror the standard penetration testing methodology: Reconnaissance, Scanning & Enumeration, Vulnerability Analysis, Web Application Testing, Wireless Attacks, Exploitation, Post-Exploitation, Privilege Escalation, Forensics, Reporting, Password Attacks, Sniffing & Spoofing, and Reverse Engineering.

Search across everything. The search box matches against tool names, command syntax, and command descriptions simultaneously. Search nmap to see every Nmap command across the reference. Search -sV to find every command that uses the service-version flag. Search brute to find every brute-forcing technique across all tools. Results show inline with one-click copy on each.

Tool-by-tool view. Selecting a category narrows the tool dropdown to that phase. Selecting a tool then loads its complete command library — typical tools surface 15-30 commands covering the common workflows, edge cases, and advanced flags. Each command has a description so you understand what it does before running it.

Copy with one click. Every command gets a copy button. The clipboard write goes through the modern Clipboard API where supported, with a textarea fallback for older browsers. The copy stat counter at the top of the page bumps each time you copy, which is mostly there for the small dopamine hit but also useful for tracking how command-heavy a session has been.

What this reference is NOT. It is not exhaustive — every tool has flags this reference does not cover, edge cases that are not documented, and version-specific behaviours that change over time. Always cross-reference with tool --help or man tool for the full picture, especially for less-common flags or when commands fail unexpectedly. The reference is a fast start, not a final answer.

Five real-world use cases

OSCP exam preparation: build muscle memory for the core toolset

The OSCP exam restricts automated tools — manual command-line proficiency is the entire skill being tested. Use this reference during your lab time to look up Nmap scan variants, Gobuster wordlist syntax, Hydra brute-force flags, Searchsploit usage, and LinPEAS/WinPEAS privilege-escalation checks. After 30+ box compromises in the lab, the muscle memory is built and you stop needing the reference for the basics — at which point it becomes a backup for the unusual cases.

nmap -sV -sC -p- -T4 target.htb

Real engagement quick reference for less-used tools

You use Nmap, Burp Suite, and Metasploit constantly — those commands are in muscle memory. But you might use Aircrack-ng twice a year, Volatility once a quarter, or hashcat with a specific rule file once every six months. For these less-frequent tools, the reference saves the 5-10 minutes you would otherwise spend re-reading documentation. Search the tool name, find the command pattern you need, copy and modify the target.

aircrack-ng -w wordlist.txt capture.cap

CTF challenge reconnaissance phase

Most CTF challenges follow the same opening sequence: nmap to map services, gobuster or feroxbuster for HTTP enumeration, smbclient if SMB is exposed, dnsenum if it is a domain-targeting box. Keep this reference open in a tab during a CTF — the search-by-flag pattern lets you instantly find the right command variant without breaking flow. The category tabs map directly to the standard pentest methodology so you can move through phases predictably.

gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt

Training new team members on the tool ecosystem

When onboarding a junior pentester or security engineer, the volume of available tools is overwhelming. Walk them through this reference category by category — show how each tool maps to a phase of the methodology and what its core commands look like. Within an afternoon they have a mental map of the toolkit they will spend years deepening. The structure (category → tool → commands) makes the methodology itself visible, not just the syntax.

Bug bounty reconnaissance: subdomain enumeration and beyond

Bug bounty work concentrates heavily on the recon phase. Use the reference to chain the standard recon stack — Subfinder/Amass for subdomain discovery, httpx for live host probing, Nuclei for vulnerability templates, Gobuster/Feroxbuster for content discovery. Most bug bounty findings live in the gap between what target organisations think is in their attack surface and what is actually exposed. The faster your recon stack runs, the more of that gap you cover.

subfinder -d target.com -all -recursive | httpx -silent

Common mistakes & edge cases

Treating cheat sheets as a substitute for understanding

The fastest way to fail OSCP (or any real engagement) is copy-pasting commands without understanding what they do. Each command on this reference has a description for a reason — read it. When a command fails or behaves unexpectedly, knowing the underlying mechanism is what lets you debug; cheat-sheet-only knowledge stops there. Use the reference as a starting point, not a substitute for learning each tool.

Copy-pasting target IPs/hostnames without modifying them

Most commands in this reference use placeholder targets like target, 10.10.10.10, or example.com. Always check that the target field matches what you actually want to scan before running. The most embarrassing failure mode in pentesting is running an aggressive scan against the wrong IP because you forgot to change the placeholder.

Ignoring scan noise on real engagements

Many commands here use aggressive timing flags (-T4, -T5) or unfiltered brute-forcing that get caught instantly by competent defensive monitoring. Lab environments and CTFs do not care about noise; real engagements with active SIEM/SOC do. For real work, throttle scans, prefer targeted enumeration over broad sweeps, and consider what your traffic looks like in defender logs.

Forgetting the OSCP "no automated tools" rule

The OSCP exam explicitly bans automated vulnerability scanners (Nessus, OpenVAS, Burp Suite Pro's active scanner, Nuclei) and most exploitation frameworks beyond manual Metasploit usage. Many commands in this reference are perfectly valid for general pentesting but disallowed for OSCP. If you are studying for OSCP, cross-check each tool against the current exam rules.

Copying outdated syntax for tools that change frequently

Nmap, Metasploit, Burp Suite, Hashcat, and many other tools release new versions regularly with flag changes, deprecated options, and new defaults. The reference is maintained but always verify against tool --help if a command behaves unexpectedly. The mismatch between cheat-sheet syntax and current tool version is one of the most common sources of "this is supposed to work, why is it failing" frustration.

Skipping --help and man pages for unfamiliar tools

This reference covers the most common commands for each tool — typically 15-30 per tool. Each tool has dozens or hundreds more flags this reference does not include. When you need behaviour the reference does not show, tool --help and man tool are the authoritative sources. Build the habit of reading the help output for any new tool before using it; the cheat sheet is not a complete reference.

Frequently Asked Questions

Kali Linux is a Debian-based distribution designed for penetration testing, digital forensics, and security research. It comes pre-installed with over 600 security tools including Nmap, Metasploit, Burp Suite, Wireshark, and Aircrack-ng.
No. Professional penetration testers use cheat sheets and references throughout their work. The key is understanding what each tool does and when to use it — syntax can always be looked up. This reference is designed exactly for that pattern: keep it open, search by tool or flag, copy the command, modify the target, run it.
Yes, completely. No signup, no login, no rate limits. All 2,941 commands across 146 tools are accessible immediately.
For OSCP specifically, focus on Nmap (-sV/-sC scans), Gobuster/Feroxbuster (directory enumeration), Hydra (brute-forcing), Searchsploit (exploit lookup), LinPEAS/WinPEAS (privilege escalation enumeration), and Netcat (reverse shells). The OSCP exam restricts automated tools — manual command-line proficiency is the entire skill being tested.
No. Running these commands against systems you do not own or have explicit authorisation to test is illegal in most jurisdictions — violations of the UK Computer Misuse Act, US CFAA, and equivalent laws elsewhere. Use these commands in lab environments (Hack The Box, TryHackMe, OWASP Juice Shop, your own VMs) or against systems where you have written authorisation (bug bounty programmes with appropriate scope, contracted pentests).
Many penetration testing commands are easily logged by intrusion detection systems, firewalls, and SIEM platforms. Commands like aggressive Nmap scans (-T4, -T5), unfiltered Hydra brute-forcing, or noisy directory enumeration get caught by competent defenders. For real engagements, throttle scans, use timing flags conservatively, and prefer targeted enumeration over broad sweeps. The exam environments (CTF, OSCP) generally do not penalise noise but real engagements with active monitoring will.
Standard reconnaissance flow: nmap -sn for host discovery, nmap -sV -sC for service identification on live hosts, then tool-specific enumeration based on what you find (gobuster for HTTP services, smbclient for SMB shares, dnsenum for DNS reconnaissance, etc.). The category tabs in this tool reflect the standard penetration testing methodology — Reconnaissance → Enumeration → Exploitation → Privilege Escalation → Post-Exploitation → Reporting.
Both are Debian-based pentesting distributions with similar tool sets. Kali (maintained by Offensive Security) has tighter integration with OSCP and other Offensive Security certifications. Parrot (maintained by Frozenbox) has lower system requirements and includes more privacy-focused tools by default. For OSCP candidates, Kali is the canonical choice; for general pentesting, either works.
Most do — the underlying tools (Nmap, Metasploit, Burp Suite, etc.) are not Kali-specific. Ubuntu, Debian, Fedora, and Arch all support the same tools, though installation may require apt/dnf/pacman commands rather than Kali's pre-installed defaults. Some tools have Kali-specific paths (e.g., /usr/share/wordlists) that may differ on other distributions.
The reference is maintained continuously to reflect current tool versions and best practices. Major tool flag changes (Nmap, Metasploit, Burp Suite all release frequently) are reflected as they ship. If you spot a command that is outdated, broken, or missing for your favourite tool, the feedback loop runs through SecurityElites support.