Kali NetHunter
Kali NetHunter is a free and open-source mobile penetration testing platform designed for Android devices, integrating the Kali Linux distribution to enable on-the-go security assessments, ethical hacking, and wireless attacks.[1] Developed by Offensive Security and the Kali Linux community, it originated in September 2014 with initial support for select Nexus devices and has since evolved into a comprehensive ecosystem supporting over 100 device models through pre-built images and custom kernels.[2][1] At its core, Kali NetHunter consists of a Kali Linux container providing access to hundreds of penetration testing tools, the NetHunter App Store for security-focused applications, an Android client for seamless integration, and the KeX client for a full Kali desktop experience via VNC.[1] It offers three primary editions to accommodate different user needs and device configurations: NetHunter Rootless, which requires no root access or custom recovery and runs on stock Android devices; NetHunter Lite, for rooted devices without needing a custom kernel; and the full NetHunter edition, which includes a custom kernel for advanced features like Wi-Fi injection and HID keyboard attacks on supported hardware.[1] Additionally, Kali NetHunter Pro serves as a standalone Kali Linux distribution for ARM64 devices such as the PinePhone and OnePlus 6 series, bypassing Android entirely to deliver a complete desktop-class penetration testing environment with HDMI output support.[3] Key features of Kali NetHunter emphasize mobility and versatility, including BadUSB for USB device emulation, MANA Evil Access Point for rogue Wi-Fi setups, and USB Arsenal for hardware-based attacks, all while maintaining compatibility with Kali's rolling release model for up-to-date tools.[1] Since its inception, the project has expanded through community contributions, with milestones such as the 2019 introduction of the NetHunter Store and KeX, ensuring it remains a vital tool for cybersecurity professionals conducting fieldwork.[2]Overview
Definition and Purpose
Kali NetHunter is a free and open-source mobile penetration testing platform designed for Android devices, derived from the Kali Linux distribution. It integrates Kali Linux's security-focused tools and applications into an Android environment, enabling users to perform advanced security assessments directly from mobile hardware. As an extension of Kali Linux's ecosystem, NetHunter supports activities such as penetration testing, digital forensics, and security research on the go, without requiring traditional desktop or laptop setups.[1] The primary purpose of Kali NetHunter is to facilitate ethical hacking and cybersecurity operations on mobile devices, including network attacks, device exploitation, and wireless auditing. By providing a portable alternative to full-scale computing environments, it allows professionals to conduct real-time security evaluations in field scenarios, such as auditing wireless networks or simulating attacks on embedded systems. This mobility enhances the efficiency of security tasks that might otherwise demand bulky hardware, making it particularly valuable for on-site assessments.[1][4] Built as an overlay on Android, Kali NetHunter utilizes a containerized Kali Linux environment accessed via chroot, granting users entry to hundreds of Kali tools within a dedicated container. Key components include the NetHunter App for managing attacks and terminals, the NetHunter App Store for additional security applications, the Kali Container for running Linux tools, and KeX for a full desktop experience through HDMI or wireless mirroring. This architecture ensures compatibility with Android's ecosystem while delivering the robust capabilities of Kali Linux in a lightweight, mobile form.[1][5] Kali NetHunter targets security professionals, ethical hackers, and researchers who require portable penetration testing solutions. It caters to individuals and teams needing flexible, device-agnostic tools for cybersecurity fieldwork, from vulnerability scanning to forensic analysis, thereby democratizing advanced security practices beyond stationary workstations.[1][4]Available Editions
Kali NetHunter is available in three primary editions—Rootless, Lite, and full—each tailored to different levels of device modification and functionality for penetration testing on Android devices. These editions allow users to access Kali Linux tools progressively, from basic command-line interfaces on unmodified devices to advanced hardware-based attacks on fully customized setups.[1] The Rootless edition enables installation on any stock, unrooted Android device without requiring root access or a custom kernel, primarily through the Termux application and the NetHunter Store app. It provides a chroot environment for running Kali CLI tools, the KeX client for a graphical desktop experience, and support for most Kali packages, though with limitations such as no database support in Metasploit and restricted access to certain system tools like "top" due to the lack of root privileges. Hardware-specific attacks, such as Wi-Fi injection, are not supported, making it suitable for users seeking basic penetration testing without altering their device.[6][1] NetHunter Lite requires a rooted Android device with a custom recovery like TWRP but does not need a custom kernel, offering broader capabilities than Rootless while maintaining relative simplicity. It includes all Rootless features, plus the full NetHunter App for managing chroots and services, and enables Metasploit with database support for more comprehensive exploitation workflows. However, it lacks support for advanced hardware interactions, such as Wi-Fi monitor mode or injection and HID keyboard/mouse emulation attacks, limiting its use for wireless or USB-based testing scenarios. This edition is compatible with any rooted device supporting custom recovery, providing a middle ground for users willing to root but not rebuild their kernel.[1] The full NetHunter edition demands both root access via custom recovery and a device-specific custom kernel, unlocking the platform's complete feature set for professional-grade mobile penetration testing. Building on Lite, it supports specialized attack modes including Wi-Fi monitor mode and injection for wireless auditing, HID attacks for keystroke injection, the Bluetooth Arsenal for low-energy device interactions, and the CARsenal for automotive hacking tools. These capabilities rely on kernel modifications to enable low-level hardware access, such as USB gadget modes and wireless chipset overrides. Pre-built kernels and images are available for over 100 devices, with more than 230 kernel variants hosted in the official GitLab repository, covering Android versions from KitKat to Fifteen.[1][7][8] In addition to these Android-based editions, Kali NetHunter Pro is a standalone Kali Linux distribution for select ARM64 devices, such as the PinePhone, PinePhone Pro, OnePlus 6 series, Poco F1, and others, bypassing Android entirely to provide a full desktop-class penetration testing environment. It includes nearly all Kali desktop tools and supports features like HDMI output for external displays, dual-booting with other operating systems, and direct hardware access without Android overlays, making it suitable for users seeking a pure Linux experience on mobile hardware.[3]| Edition | Root Required | Custom Kernel Required | Key Supported Features/Attacks |
|---|---|---|---|
| Rootless | No | No | CLI tools, KeX GUI, Metasploit (no DB), basic chroot |
| Lite | Yes | No | All Rootless + NetHunter App, Metasploit (with DB), full chroot |
| Full | Yes | Yes | All Lite + Wi-Fi injection/monitor mode, HID attacks, Bluetooth Arsenal, CARsenal |
History and Development
Origins and Early Releases
Kali NetHunter originated as a mobile penetration testing platform developed by Offensive Security in collaboration with the Kali Linux community, adapting the desktop-focused Kali Linux distribution for Android devices to enable on-the-go security assessments.[2] The project addressed the growing need for portable pentesting tools beyond traditional desktop setups, drawing inspiration from Android's built-in HID (Human Interface Device) gadget capabilities, which allow devices to emulate keyboards, mice, or other USB peripherals for conducting attacks such as BadUSB-style exploits.[2] This evolution built on earlier mobile extensions explored during the BackTrack Linux era, with Kali Linux itself emerging as a rebranded and refined successor to BackTrack in 2013.[9] Key early development efforts were led by developer g0tmi1k, who initiated the project to create a robust mobile hacking environment, supported by community contributors including BinkyBear, who focused on custom kernel modifications essential for features like wireless injection and HID emulation.[2][10] The platform integrated seamlessly with Kali Linux's rolling release model, ensuring continuous updates to its chroot environment and tools while maintaining compatibility with Android's architecture.[2] The initial public release, version 1.0, launched in September 2014 and was limited to Google Nexus 5, 7, and 10 devices, requiring custom kernels to support advanced pentesting functionalities such as HID attacks and monitor mode for wireless interfaces.[2][11] A subsequent minor update, version 1.1, arrived in January 2015, expanding device support to include the OnePlus One and Nexus 4, further solidifying NetHunter's foundation for broader Android compatibility.[2]Major Milestones and Updates
Beginning in 2015, Kali NetHunter expanded its device compatibility beyond initial Nexus support to include models from manufacturers such as OnePlus, with further additions from Samsung and others through 2018, enabling broader adoption for mobile penetration testing on Android devices running versions 5 through 8. This period saw the release of NetHunter version 3.0 in January 2016, which included a complete rewrite of the NetHunter app for improved control and added build scripts tailored for Android 5 and 6, supporting devices like the OnePlus One alongside various Nexus models.[2] In 2019, the project introduced the NetHunter App Store in July as a public beta, providing a dedicated repository for installing and updating third-party penetration testing and forensics applications on Android devices, serving as an alternative to general app stores. December 2019 marked the release of Kali NetHunter 2019.4, which premiered the Lite edition for rooted devices with custom recovery but without full kernel modifications, alongside initial rootless capabilities to enhance accessibility without requiring device rooting. Additionally, NetHunter KeX was launched in this release, allowing users to access a full Kali Linux desktop experience via VNC or HDMI on Android phones.[12][2][13] Between 2020 and 2023, Kali NetHunter integrated KeX for seamless VNC and HDMI-based desktop sessions, with the rootless edition formalized in Kali Linux 2020.1 in January 2020 to support unrooted devices without warranty voids. Support for Android 11 and later versions was added in June 2021, covering devices such as the Nokia 6.1, OnePlus Nord, and Samsung Galaxy S20 FE 5G. The Bluetooth Arsenal feature was introduced in August 2020 with Kali Linux 2020.3, providing a centralized interface for Bluetooth Low Energy (BLE) attacks, including device discovery, sniffing, and injection capabilities via compatible adapters.[14][15][16] In 2024 and 2025, updates aligned with Kali Linux's quarterly release cycle emphasized automotive security and expanded compatibility. Kali 2025.1a in March 2025 introduced the CAN Arsenal tab, a dedicated toolset for car hacking including CAN bus utilities like can-utils and Caribou for VIN decoding and interface configuration. Kali 2025.2 in June 2025 renamed it to CARsenal with UI improvements, bug fixes, and additional features such as hlcand, VIN Info, and CaringCaribou modules; 2025.3 in September 2025 further enhanced CARsenal with a new MSF tab for automotive Metasploit modules and an updated simulator. Rootless enhancements extended support to Android 15, while the project now maintains over 230 custom kernels hosted on GitLab for more than 100 devices. Offensive Security continues to oversee development, synchronizing NetHunter updates with Kali's quarterly releases to ensure timely security patches and tool integrations.[17][18][19][1][20]Core Features
Integrated Tools and Components
Kali NetHunter's chroot environment serves as the foundational component, providing a full Kali Linux filesystem within a containerized setup on the Android device. This allows users to access both command-line interface (CLI) and graphical user interface (GUI) tools directly from the mobile platform. The chroot can be installed in a minimal variant (approximately 100 MB) for basic functionality or a full variant (approximately 600 MB), which includes a comprehensive set of pre-installed penetration testing utilities. Examples of these tools include Metasploit for exploitation frameworks, Nmap for network scanning and reconnaissance, and Wireshark for packet analysis and network protocol dissection.[21] The KeX client enhances the usability of the chroot by offering a VNC-based application that mirrors the Kali Linux desktop experience onto the Android screen or an external display connected via HDMI or USB-C. Users initiate the KeX server through the NetHunter app, configure a session password, and then launch the client to connect, enabling full desktop interaction with support for touch input, external keyboards, mice, or monitors. This setup facilitates seamless GUI access to Kali tools, with options for resolution adjustments and session reconnection to maintain productivity during penetration testing sessions.[22] NetHunter services operate as a background daemon within the Android app, managing various chrooted Kali Linux services essential for penetration testing workflows. This includes starting and stopping services such as SSH for remote access, Apache for web server simulations, and OpenVPN for secure tunneling. Integrated into these services is the Kali Chroot Manager, which handles backups, restores, and installations of additional tools within the chroot environment. The daemon ensures these services can be enabled or disabled at boot time, with security recommendations like changing default passwords to mitigate risks.[23] At the heart of the integrated toolset is a collection of over 600 pre-installed utilities inherited from the Kali Linux distribution, covering reconnaissance, exploitation, and digital forensics tasks. Representative tools include Aircrack-ng for wireless network auditing, though its monitor mode capabilities are constrained by the specific NetHunter edition and device kernel support. This extensive arsenal enables comprehensive pentesting on mobile devices without requiring immediate additional downloads.[21][24] Updates to the NetHunter environment are synchronized with Kali Linux's rolling release repository, ensuring access to the latest security patches and tool enhancements through standard package management commands within the chroot. The Kali Chroot Manager facilitates these updates by allowing users to refresh the repository and install packages via apt, maintaining alignment with upstream Kali developments for ongoing reliability and feature improvements.[23][25]Specialized Attack Capabilities
Kali NetHunter's specialized attack capabilities leverage the mobile device's hardware interfaces to enable advanced, targeted exploits that go beyond standard software-based penetration testing. These features, available primarily in the full NetHunter edition, require custom kernels and compatible hardware to activate USB gadget modes, wireless monitor functionality, and other peripherals for real-world attack simulations. By emulating peripherals or manipulating wireless protocols, users can conduct proximity-based and physical access attacks directly from an Android device.[1] One key capability is HID (Human Interface Device) and BadUSB attacks, which transform the NetHunter device into a malicious USB peripheral when connected via OTG cable to a target system. In HID keyboard attacks, the device emulates a USB keyboard to automatically inject predefined payloads, such as command sequences or scripts, mimicking the behavior of devices like the Teensy microcontroller. This allows rapid execution of exploits, like opening a reverse shell or downloading malware, without physical interaction beyond plugging in the cable. BadUSB extends this by reconfiguring the device as a network interface, forcing the target's traffic through the NetHunter device to facilitate man-in-the-middle (MitM) interception and manipulation, as demonstrated in early USB vulnerability research. Both rely on the Linux USB gadget driver framework and are controlled via the NetHunter app's USB Arsenal interface for selecting modes like HID or RNDIS.[26][27][28] The Wi-Fi Arsenal provides robust wireless attack tools enabled by external adapters supporting monitor mode and packet injection, addressing Android's native limitations in wireless stack capabilities. With compatible chipsets like Atheros ATH9K_HTC or Realtek RTL8812AU connected via OTG, NetHunter activates monitor mode to capture packets and inject crafted frames for deauthentication, ARP spoofing, or evil twin attacks. Tools such as hostapd facilitate the creation of rogue access points (Evil APs) that mimic legitimate networks, luring devices into connecting for credential harvesting or traffic redirection. Additionally, WifiPumpkin3 integrates as a framework for MitM over these rogue APs, automating phishing portals and session hijacking. These features demand custom kernel modifications to enable promiscuous mode on supported hardware.[29][30] Bluetooth Arsenal equips NetHunter for low-energy (BLE) and classic Bluetooth exploits, focusing on proximity-based reconnaissance and disruption. The arsenal includes tools like L2ping for flooding and crashing Bluetooth stacks, Redfang for discovering hidden devices, and Blueranger for ranging attacks to map device locations. Spoofing capabilities allow impersonation of device addresses, names, and classes, while Carwhisperer enables audio interception from car kits or injection into speakers. Bad Bluetooth supports HID attacks over Bluetooth by setting up spoofed keyboard interfaces for remote payload delivery, such as triggering commands on paired targets. These attacks operate through the NetHunter app's Bluetooth menu, requiring Bluetooth to be enabled and compatible hardware.[31] Introduced in 2025 as part of Kali Linux updates, CARsenal adds automotive hacking support for CAN (Controller Area Network) bus analysis and manipulation, targeting vehicle infotainment and diagnostic systems. It requires kernel configurations with CAN protocol support and interfaces like OBD-II adapters via USB OTG for physical access. Key tools include can-utils for sniffing (candump), sending (cansend), and generating traffic (cangen), alongside VIN decoding and checksum validation with vininfo. CaringCaribou provides modules for fuzzing ECUs, UDS diagnostics, and signal dumping, while simulators like ICSim emulate vehicle networks for testing without hardware. Metasploit integration offers modules for CAN flooding and ECU resets, enabling exploits like unauthorized control commands. CARsenal is accessed via the NetHunter app's dedicated interface for configuring services like slcand.[32]Installation and Setup
Hardware and Software Requirements
Kali NetHunter requires compatible Android devices running version 4.4 (KitKat) or later, up to Android 15, with support for over 100 device models including Google Nexus series, OnePlus, Samsung Galaxy, and Pixel devices; a complete list of supported kernels and pre-built images is maintained in the official Kali NetHunter GitLab repository.[33][8] Devices should have sufficient RAM and internal storage to run the Kali chroot and tools, which varies by device model and edition.[1][21] For rooted editions such as NetHunter Lite and Full, the device bootloader must be unlocked, and installation necessitates root access via Magisk along with a custom recovery like TWRP; these modifications are essential for integrating the Kali chroot and device-specific kernel.[33][1] In contrast, the Rootless edition operates on unmodified stock Android devices starting from version 4.4, relying on the Termux app for a chroot environment without any rooting or recovery alterations.[6][34] Setup preparation involves enabling Developer Options and USB debugging on the device, with tools such as ADB and Fastboot required for bootloader unlocking and file transfers on rooted installations.[33] Image integrity verification is mandatory using SHA256 checksums provided on the official download page to ensure secure and unaltered files before proceeding.[1]Preparation
Before installing Kali NetHunter, users must prepare their Android device by enabling Developer Mode, which is accessed through Settings > About phone and tapping the Build number seven times. Once enabled, in Developer options, activate USB debugging and Advanced rebooting to facilitate connections and recovery modes. Download the appropriate NetHunter images from the official Kali website at https://www.kali.org/get-kali/#kali-mobile, ensuring compatibility with the device's Android version, which ranges from 4.4 to 15 as of 2025. It is essential to back up all device data, as installation processes, particularly those involving rooting, can lead to data loss or void warranties. Enable USB debugging to allow ADB connections for file transfers and commands.[33]Rootless Installation
The rootless edition allows installation on any stock, unrooted Android device without requiring custom recovery or rooting, providing access to most Kali tools via a chroot environment. Begin by installing the NetHunter Store app from https://store.nethunter.com. Within the NetHunter Store, install Termux, the NetHunter KeX client for GUI access, and the Hacker's Keyboard for enhanced input. Open Termux and execute the following commands sequentially:termux-setup-storage to grant storage permissions, pkg install [wget](/page/Wget) to install the wget package, wget -O install-nethunter-termux https://offs.ec/2MceZWr to download the installer script, chmod +x install-nethunter-termux to make it executable, and finally ./install-nethunter-termux to set up the Kali chroot automatically. This process creates a minimal Kali environment without modifying the host system.[6]
Lite Installation
For the lite edition, suitable for rooted devices with custom recovery but without a pre-built custom kernel, root the device using Magisk, available from its official XDA thread, and install a custom recovery like TWRP from https://twrp.me/Devices/. Transfer the NetHunter lite ZIP file to the device storage. Reboot into recovery mode, select the option to install the ZIP, and flash it, ensuring the screen remains awake during the process to avoid interruptions. Upon completion, reboot the device and launch the NetHunter app from the app drawer to initialize the chroot environment. This edition offers core penetration testing tools but lacks advanced hardware integrations like HID attacks. For Android 9-11 devices, additionally flash the Universal DM-Verity & ForceEncrypt Disabler ZIP from its XDA thread and format the data partition in recovery to prevent boot issues.[33]Full Installation
The full edition requires a rooted device with custom recovery and a compatible custom kernel for complete hardware support, including wireless injection and BadUSB features. First, flash a device-specific custom kernel ZIP from https://nethunter.kali.org/device-kernels.html via recovery or as a Magisk module. Next, install the NetHunter full ZIP as a Magisk module: open the Magisk app, navigate to Modules > Install from storage, select the NetHunter installer ZIP, and proceed, keeping the screen on until installation finishes, then reboot. Alternatively, flash the ZIP directly in TWRP recovery. After rebooting, open the NetHunter app to configure and start the chroot manager, completing the setup. Select the appropriate kernel variant during flashing to match the device's architecture and avoid incompatibilities. This method provides the complete NetHunter experience with all specialized capabilities.[33]Post-Installation Steps
Following any edition's installation, update the Kali chroot by launching the NetHunter CLI with thenethunter command and running sudo apt update && sudo apt full-upgrade -y to fetch the latest packages. For GUI access, use the NetHunter KeX client installed via the store, connecting via nethunter kex & in Termux or the app. Install essential tools if needed with sudo apt install -y kali-linux-default. Common issues like bootloops can be resolved by verifying kernel compatibility from the official kernels page and reflashing the correct variant; additionally, for Android 10 and 11, update the NetHunter app post-install to handle scoped storage changes. Backup the rootfs periodically using tar -cJf kali-arm64.tar.xz kali-arm64 in Termux for recovery purposes.[6][33]